Hello, welcome to the Tuesday, April 21st, 2020 edition of the Sandinand Storm Center's Stormcast.

My name is Johannes Ulrich.

The time I'm recording from Jacksonville, Florida.

Did he today went back to an earlier diary where he looked at the K-Pot Info Steeler,

and back then he ended up with an obfuscated auto IT script.

Now, today he analyzed this auto IT script in a lot more detail, and a real nice example,

sort of how to go through the different obfuscation steps being used here to actually arrive at the final result.

It's supposed to be executed here.

It all started with what looks like a certificate.

But, well, certificates are really just base 64 encoded data.

And when you decode this particular certificate, you end up with the actual

script that's being executed. But this is not where it stops. This script is heavily off

uscated. And what DDA eventually ended up with was actually some shell code.

And this shell code is then being executed using process hollowing.

Process hollowing is a pretty neat trick to bypass a lot of defensive techniques.

What it basically does is it creates a process in a suspended state,

and then when the memory is unmapped, it just replaces that memory with malicious code.

So this way, essentially, you can sort of swap the memory off a process that's considered

benign that's already running. Now, similar technique actually process injection,

which sort of also basically uses a legitimate process, a process that has already been vetted

in order to execute malicious code. DDA is also pointing out some differences between the static analysis he's doing here

and dynamic analysis in that the mutex being created here by the process usually should

...