lencx / ChatGPT

🔮 ChatGPT Desktop Application (Mac, Windows and Linux)
https://nofwl.com
52.73k stars 5.93k forks

Genius Malware Packing/ Obfuscation #1419

Open MalwareAnalsis opened 3 hours ago

MalwareAnalsis commented 3 hours ago

You obfuscated and packed this incredibly well. My understanding is you write 4 bytes to a dropped .tmp file to modify your shell calls and inject into the msEdge updater, and have your payload embedded within the msEdge updater to then grab cookies, SSL decryption. Absolutely astonishing that you managed to get so many installs and stars on this project and over 52k slaves on your RAT program. Are you able to explain what obfuscation and packing methods you used? I've never seen anything fly under the radar to this extent.

EXP-JEdwards commented 3 hours ago

I love that you analyzed this like this. This should happen as often as possible. Do you happen to have which files/directories these things are happening in? I haven't done digging in awhile, but you inspired me to want to do it. Thank you!

MalwareAnalsis commented 3 hours ago

> I love that you analyzed this like this. This should happen as often as possible. Do you happen to have which files/directories these things are happening in? I haven't done digging in awhile, but you inspired me to want to do it. Thank you!

I appreciate your response! During the .msi install there is a .tmp file (MSI7553.tmp) created within the %PROGRAMFILES%(x86)\Microsoft\Temp\EU784F.tmp\MicrosoftEdgeUpdate.exe directory, which is written as a silent /install. During this time it runs MicrosoftEdgeUpdate.exe /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" as a suspended process so it doesn't trigger any antivirus. That MicrosoftEdgeUpdate.exe then writes the payload, which at this point is already within your traffic. At this point check your C:\Program Files (x86)\Microsoft\Temp directory. I would nuke the whole edge update folder, or maybe everything entirely in the C:\Program Files (x86)\Microsoft path. Clear your %temp%.
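An added check, not part of this thread and not code from the project, for anyone who wants to verify the claim above before deleting anything: it lists files under the directory the comment names and under %TEMP% that do not carry a valid Authenticode signature from Microsoft. The directory paths are the ones quoted in the comment; the signer-subject filter and the file extensions searched are assumptions, and a signature check says nothing about behaviour, only about who signed the file.

```powershell
# Added example (not from the issue thread). Lists executables and .tmp files
# in the directories named in the comment that are unsigned, tampered, or not
# signed by Microsoft, so a reader can inspect them rather than delete blindly.
$dirs = @(
    "${env:ProgramFiles(x86)}\Microsoft\Temp",   # directory named in the comment
    $env:TEMP                                    # %temp%, also named in the comment
)

foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    Get-ChildItem -Path $dir -Recurse -File -Include *.exe, *.dll, *.tmp -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Get-AuthenticodeSignature reports Valid / NotSigned / HashMismatch / UnknownError ...
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path    = $_.FullName
            Status  = $sig.Status
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Created = $_.CreationTime
            Bytes   = $_.Length
        }
      } |
      # Assumption: a genuine Edge updater is signed with a Microsoft Corporation certificate.
      Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation' } |
      Sort-Object Created -Descending |
      Format-Table -AutoSize
}
```

A file that shows up here is worth hashing and submitting to a sandbox or scanner before acting on it; a file that is absent from the list is properly signed, which is the normal state for the Edge/WebView2 installer.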