optiv / ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.

Output to the user is incorrect when using the -O <file> option #67

Closed leebaird closed 1 year ago

leebaird commented 1 year ago

Output to the user is incorrect when using the -O option.

Example: ./Scarecrow -I beacon.bin -domain www.cisco.com -Loader msiexec -O msiexec.js

Output shows: Signing combase.dll With a Fake Cert

Kali Linux 2022.3 rolling

Tylous commented 1 year ago

Hi Lee

This is working as intended. All non-binary mode loaders require a DLL. So it builds and then stores the DLL in the file you define in the -O flag so that you can deliver and execute said DLL programmatically. In this case, when that JS file runs it will use msiexec (since you specified it) to run and load the DLL. ScareCrow generates the name randomly based on legitimate DLLs found on any Windows system.