


PDT to amend technical analysis on Avira-related files and include the latest statement from Avira

Windows Installer uses Microsoft Software Installation (MSI) package files to install programs. Every package file has a relational-type database that contains the instructions and data required to install or remove programs. We recently discovered malicious MSI files that download and execute other files and could bypass traditional security solutions. Malicious actors can abuse custom actions in these files to execute malicious scripts and drop malware that is either capable of initiating a system shutdown or targets financial systems located in certain locations.

We discovered JScript/VBScript code within several samples of malicious *.msi files. However, parts of the script were distributed (and truncated, it seems) to other parts of the file and did not directly execute wscript.exe to run them. (The installer, msiexec.exe, has its own interpreter.)

Figure 1. MSI file containing JavaScript that appears to be truncated

We used the tool Orca MSI Editor, which allows a user to look at how and where files may be delivered, to view the tables and find the script in question in the CustomAction table. The CustomAction table permits the integration of custom code and data into installations. The source of the executed code can be a stream from within a particular database, an installed file, or an existing executable.

Figure 2. From Orca MSI Editor: CustomAction that contains JavaScript

The table lists information such as action, type, source, target, and extended type to provide further details. The malicious JS code (detected by Trend Micro as Trojan.JS.MSAIHA.A) accesses the URL hxxps://s3-eu-west-1.amazonaws.com/.ini, and will drop the file as an infection marker instead.

Figure 3.

zip file, then decrypts it by using XOR with the hardcoded value 0x29.
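A triage helper for CustomAction rows like the ones viewed in Orca above, added here as an example and not code from the original post or from Trend Micro: it decodes the bits of the Type column to tell which rows run JScript/VBScript and where the script body lives (a Binary stream, an installed file, the row's own Target column, or a property), and checks whether a downloaded blob is a ZIP hidden behind the single-byte XOR key 0x29 the post describes. The rows and the blob are constructed; the bit values are the documented Windows Installer CustomAction type constants, and reading the rows out of a real MSI (via Orca or the WindowsInstaller COM API) is assumed to have happened already.

```python
BASE_TYPE = {1: "DLL", 2: "EXE", 3: "text data (error, set property, set directory)",
             5: "JScript", 6: "VBScript", 7: "nested install"}
# Bits 0x30 of the Type column say where a JScript/VBScript body lives.
SCRIPT_LOCATION = {0x00: "Binary table stream", 0x10: "installed file",
                   0x20: "Target column of this row", 0x30: "property value"}
# Scheduling/execution flag bits worth surfacing when triaging an action.
FLAGS = {0x40: "continue on failure", 0x80: "asynchronous",
         0x400: "deferred (runs in install script)",
         0x800: "no impersonation (LocalSystem when deferred)",
         0x2000: "target hidden from log"}

# Constructed rows in CustomAction column order (Action, Type, Source, Target).
SAMPLE_ROWS = [
    ("LaunchJS", 37, "", "var fso = new ActiveXObject('Scripting.FileSystemObject');"),
    ("RunDllCheck", 1, "Binary_Check", "CheckFn"),
    ("DeferredVbs", 6 | 0x400 | 0x800, "Binary_Script", ""),
    ("SetSourceProp", 51, "MYPROP", "[SourceDir]"),
]

def classify_custom_action(row):
    """Decode one row's Type value into kind, script location and flags."""
    action, ctype, _source, target = row
    base = ctype & 0x0F       # what gets executed (DLL, EXE, JScript, ...)
    location = ctype & 0x30   # where its body is stored
    is_script = base in (5, 6)
    return {
        "action": action,
        "kind": BASE_TYPE.get(base, f"unknown({base})"),
        "script": is_script,
        "where": SCRIPT_LOCATION[location] if is_script else None,
        "flags": [name for bit, name in FLAGS.items() if ctype & bit],
        # Types 37/38 carry the script text inline, so Target is the payload itself.
        "inline_script": target if is_script and location == 0x20 else None,
    }

def find_script_actions(rows):
    """Names of JScript/VBScript actions: the rows an analyst opens first in Orca."""
    return [row[0] for row in rows if classify_custom_action(row)["script"]]

def xor_bytes(data, key=0x29):
    """Single-byte XOR; 0x29 is the hardcoded value the post describes."""
    return bytes(b ^ key for b in data)

def looks_like_xored_zip(blob, key=0x29):
    """True if XOR-decoding the first bytes reveals the ZIP local-header magic."""
    return xor_bytes(blob[:4], key) == b"PK\x03\x04"

# Constructed stand-in for the downloaded blob: a ZIP header encoded with the key.
SAMPLE_BLOB = xor_bytes(b"PK\x03\x04\x14\x00\x00\x00", 0x29)
```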
