Beyond good ol’ Run key, Part 122

November 9, 2019 in Anti-Forensics, Autostart (Persistence)

This is another quickie: there is an established way of abusing the OCSetup program that is available on a couple of Windows versions. When the tool runs it reads a number of Registry entries, interprets them, and executes the programs (.exe) or installers (.msi, .msp) listed under them.

The entries of interest are as follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\<ComponentName>\CustomSetup = <file>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OCSetup\Components\<ComponentName>\Component = <file>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OCSetup\Components\<ComponentName>\PatchFiles = <file>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OCSetup\Components\<ComponentName>\CustomSetup = <file>
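For anyone who wants to sweep a box for these entries, here is a small audit script; it is an added example, not part of the original post, and it assumes only the key layout and value names listed above plus an elevated PowerShell session on the host being checked.

```powershell
# Added audit example (not from the original post): walk the OCSetup-related
# autostart keys listed above and report every value that points at a file.
# Assumptions: elevated PowerShell on a Windows host; key layout and value
# names come from the post, nothing else is assumed about how OCSetup behaves.

$Checks = @(
    @{ Base   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents'
       Values = @('CustomSetup') },
    @{ Base   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OCSetup\Components'
       Values = @('Component', 'PatchFiles', 'CustomSetup') }
)

$Findings = foreach ($check in $Checks) {
    if (-not (Test-Path -LiteralPath $check.Base)) { continue }
    # Each subkey is a <ComponentName>; look only at the value names the post lists.
    foreach ($sub in Get-ChildItem -LiteralPath $check.Base -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -LiteralPath $sub.PSPath -ErrorAction SilentlyContinue
        foreach ($name in $check.Values) {
            # @() so a REG_MULTI_SZ value (several files) is handled one entry at a time
            foreach ($file in @($props.$name)) {
                if ([string]::IsNullOrWhiteSpace($file)) { continue }
                # Expand %VAR% references and strip quotes so Test-Path sees a real path
                $expanded = [Environment]::ExpandEnvironmentVariables($file).Trim('"')
                $exists   = Test-Path -LiteralPath $expanded -PathType Leaf
                [pscustomobject]@{
                    Key       = $sub.Name
                    ValueName = $name
                    Target    = $file
                    # A missing target is a dangling entry; an existing one outside
                    # %SystemRoot% deserves a closer look (hash, signer, file owner).
                    Exists    = $exists
                    Signature = if ($exists) {
                                    (Get-AuthenticodeSignature -LiteralPath $expanded).Status
                                } else { 'n/a' }
                }
            }
        }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize }
else { 'No OCSetup component entries found.' }
```

On a clean system the keys are usually absent or empty, so any populated CustomSetup, Component or PatchFiles value is worth triaging against a known-good baseline.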

DeXRAY 2.17 update

November 9, 2019 in Batch Analysis, DeXRAY, Software Releases

This is a minor update that fixes an odd bug. When I published 2.16 I fixed a bug in VBN file recovery. I simply commented out some old code that didn’t work and added code that does work. It turns out that disabling that old code breaks the recovery of some other VBN files.

I didn’t have a chance to look at what causes it, but I am releasing a version that simply recovers quarantined files using 2 approaches simultaneously, and saves the attempts to 2 different .out files. One of them should always work…

You can find the latest version of DeXRAY here.

If you come across files that DeXRAY cannot decrypt please let me know.