Lolbins for connoisseurs… Part 3

I love exploring unexplored software paths. And not necessarily at the assembly level, because often… that’s not even necessary. These explorations often lead me to some really weird places, e.g. discovering software that reads a memory address from a specific environment variable and executes code from that location, learning that some unhappy devs at AMD or Microsoft sometimes get a bit annoyed, that many people lean on Stack Overflow when they code, and that many ‘secrets’ can be found in binaries, if you know what to look for….

It’s simple findings like these that led me to coin what I call The law of a threat hunter, which states:

For every two most distant technologies there exists a developer that will bring them together.

Developers out there do lots of very weird stuff, and more often than not they make some really hard-to-explain choices, in the end producing monsters that we (‘the cyber folk’) need to deal with (aka ‘assess their maliciousness’) on a regular basis.

This post is about yet another case like this…

There is a piece of software called DepthAI. When you install it, you will obviously get all the files required for the software to run, plus a bonus: a full-blown copy of PortableGit installed in the %LOCALAPPDATA%\Programs\DepthAI\PortableGit directory.

The installed binaries include whoami, yay! And this is where you will find it:

  • %LOCALAPPDATA%\Programs\DepthAI\PortableGit\usr\bin\whoami.exe

plus lots of other useful lolbinish tools, too:

  • %LOCALAPPDATA%\Programs\DepthAI\PortableGit\mingw64\bin\curl.exe
  • %LOCALAPPDATA%\Programs\DepthAI\PortableGit\mingw64\bin\openssl.exe
  • %LOCALAPPDATA%\Programs\DepthAI\PortableGit\mingw64\bin\xz.exe

plus many others…

Dependencies are what matters these days, and we have seen their power with the log4j vulnerability, as well as in the cases of many other supply chain attacks, backdoored npm packages and Python libraries.

Any time we think that we are installing a trusted, often single-vendor, even single-vendor and monolithic application, in reality… we don’t know what we are doing… We actually apply less and less scrutiny to this process. It’s really terrifying. And mind you, this is not an inflammatory post; it’s a sad realization that control of what is running on our devices was taken away from us a long time ago, same as the notion of ‘owning anything’, be it hardware or software.

And here’s the thing… Fravia did say one thing before he died:

Two other possible parachutes are knowing how to reverse engineer software (whose role in our societies and their petty censorships and sniffing attempts is bound to increase dramatically), and a sound learning of more than “just that one” foreign language. These “parachutes” could allow many readers to (maybe) fall on their feet.
Good luck anyway. I do wish all the best to anyone with a brain.

Be curious about the software you run. Be curious about the hardware you run that software on. Break it all apart. And share. Remember that trivial things like lolbin discoveries are just a side effect of your actions. You are pursuing not only the knowledge, but even more so, the knowing…

Lolbins for connoisseurs… Part 2

It may sound a bit counterintuitive, but some very well-known lolbins often make it to places that no one ever thought possible…

Continuing the topic I started a few days earlier, today I will explore a few more ‘popular’ lolbinish executables that you may find ‘legitimately’ present in your environments:

InstallUtil

  • %Program Files%\Celceo SystemAI\InstallUtil.exe
  • %Program Files%\TSS\Auto Mail Sender Birthday Edition\InstallUtil.exe
  • %Program Files%\TSS\Auto Mail Sender Standard Edition\InstallUtil.exe
  • %Program Files%\TSS\WinExt\InstallUtil.exe

RegAsm

  • %Program Files%\ApexSQL\ApexSQLDiff2012\RegAsm.exe
  • %Program Files%\AUDIOzilla\RegAsm.exe
  • %Program Files%\Common Files\Multilizer\NET\1.1\RegAsm.exe
  • %Program Files%\Common Files\Multilizer\NET\2.0\RegAsm.exe
  • %Program Files%\Common Files\Multilizer\NET\4.0\RegAsm.exe
  • %Program Files%\ExeShield\regasm.exe
  • %Program Files%\iOpus\iMacros\RegAsm.exe

ping

  • %Program Files%\Stellar Migrator for MS Exchange\Ping.exe
  • %Program Files%\Stellar Phoenix Mailbox – Exchange Desktop\Ping.exe
  • %Program Files%\Stellar Phoenix Repair for SQLite\Ping.exe
  • %Program Files%\Stellar Phoenix Windows Backup Recovery\Ping.exe

Update_Execute

  • %Program Files%\Diashow XL\Update_Execute.exe
  • %Program Files%\E-Mail-Converter\Update_Execute.exe
  • %Program Files%\FotoArchiv XL\Update_Execute.exe
  • %Program Files%\FotoWorksXL2013\Update_Execute.exe
  • %Program Files%\FreeFotoWorks2013\Update_Execute.exe
  • %Program Files%\HomepageFIX2013\Update_Execute.exe
  • %Program Files%\MailFinder\Update_Execute.exe
  • %Program Files%\MailOut\Update_Execute.exe
  • %Program Files%\MEDIA Revolution\Update_Execute.exe
  • %Program Files%\NewsletterDesigner\Update_Execute.exe
  • %Program Files%\OnlineGalerie\Update_Execute.exe
  • %Program Files%\profiSUBMIT\Update_Execute.exe
  • %Program Files%\Slideshow XL\Update_Execute.exe

The latter lets you execute any program of your choice by proxy, e.g.:

Update_Execute.exe c:\windows\notepad.exe

runxx.exe (same as above, plus more persistent)

  • c:\drivers\keyb\dritek2007\runxx.exe
  • c:\drivers\keyboard\dritek2000\InstPack\runxx.exe
  • c:\drivers\keyboard\drtk2001\runxx.exe
  • c:\drivers\keyboard\dtk30005\runxx.exe
  • c:\drivers\keyboard\lm2003\InstPack\runxx.exe
  • c:\drivers\keyboard\lm3002\runxx.exe
  • c:\drivers\keyboard\lm3003\runxx.exe
  • c:\drivers\keyboard\lm3004\InstPack\runxx.exe
  • c:\drivers\keyboard\lm3004\runxx.exe
  • c:\drivers\keyboard\lm3005\runxx.exe
  • c:\Drivers\Launch_Manager\runxx.exe
  • c:\drivers\launchmanager\dritek2001\InstPack\runxx.exe
  • c:\drivers\launchmanager\dt2000\InstPack\runxx.exe
  • c:\drivers\launchmanager\dt2002\runxx.exe
  • c:\drivers\LM\2002\InstPack\runxx.exe
  • c:\drivers\hotkeys\runxx.exe

instmsia.exe

  • %Program Files%\Firmware Update\All_Package\instmsia.exe
  • C:\Drivers\7. Alcor CardReader Driver\instmsia.exe
  • c:\drivers\Alcor Card Reader Driver\instmsia.exe
  • c:\drivers\bluetooth\bc621500\Win32\instmsia.exe
  • c:\drivers\bluetooth\bc621500\Win64\instmsia.exe
  • c:\drivers\bluetooth\w6104600\Win32\instmsia.exe
  • c:\drivers\bluetooth\w6104600\Win64\instmsia.exe
  • c:\Drivers\Bluetooth\Win32\instmsia.exe
  • c:\Drivers\Bluetooth\Win64\instmsia.exe
  • c:\drivers\bt\6015600\Win32\instmsia.exe
  • c:\drivers\bt\6015600\Win64\instmsia.exe
  • c:\drivers\bt\6208500\Win32\instmsia.exe
  • c:\drivers\bt\6208500\Win64\instmsia.exe
  • c:\drivers\bt\bc5104500\Win32\instmsia.exe
  • c:\drivers\bt\bc5104500\Win64\instmsia.exe
  • c:\drivers\bt\bc6202600\Win32\instmsia.exe
  • c:\drivers\bt\bc6202600\Win64\instmsia.exe
  • c:\drivers\bt\bc6208800\Win32\instmsia.exe
  • c:\drivers\bt\bc6208800\Win64\instmsia.exe
  • c:\drivers\bt\bc6209600\Win32\instmsia.exe
  • c:\drivers\bt\bc6209600\Win64\instmsia.exe
  • c:\drivers\bt\bc6209700\Win32\instmsia.exe
  • c:\drivers\bt\bc6209700\Win64\instmsia.exe
  • c:\drivers\bt\bt520500\Win32\instmsia.exe
  • c:\drivers\bt\bt520500\Win64\instmsia.exe
  • c:\drivers\bt\Win32\instmsia.exe
  • c:\drivers\bt\Win64\instmsia.exe
  • c:\drivers\Card Reader Driver\instmsia.exe
  • c:\drivers\cardreader\instmsia.exe
  • c:\Drivers\Others\Bluetooth\Win32\instmsia.exe
  • c:\Drivers\Others\Bluetooth\Win64\instmsia.exe
  • C:\DRIVERS\WIN\MULTICARD\instmsia.exe
  • c:\pnp\bluetooth\instmsia.exe
  • c:\pnp\GOB\instmsia.exe
  • c:\pnp\mobo\Chipset\INSTMSIA.EXE
  • c:\pnp\mobo\INSTMSIA.EXE
  • c:\pnp\raid\INSTMSIA.EXE
  • c:\pnp\video\instmsia.exe
  • C:\SWTOOLS\BLUETOOTH\7ZBV19WW\Win32\instmsia.exe
  • C:\SWTOOLS\BLUETOOTH\7ZBV19WW\Win64\instmsia.exe
  • C:\SWTOOLS\DRIVERS\BLUETOOTH\8m05bb36g04\Win32\instmsia.exe
  • C:\SWTOOLS\DRIVERS\BLUETOOTH\8m05bb36g04\Win64\instmsia.exe
  • C:\SWTOOLS\DRIVERS\LMBC\6jwa11ww\ATTplgin\instmsia.exe
  • C:\SWTOOLS\DRIVERS\LMBC\7twa71ww\ATTplgin\instmsia.exe

instmsiw.exe

  • %Program Files%\Droppix\Droppix Recorder 2.x\Droppix Recorder\InstMsiW.Exe
  • %Program Files%\Firmware Update\All_Package\instmsiw.exe
  • c:\drivers\11. TV Tuner (Geniatech,Yuan,AverMedia) for 32-bit Windows\Yuan\MC163\Win832\instmsiw.exe
  • c:\drivers\11. TV Tuner (Geniatech,Yuan,AverMedia) for 32-bit Windows\Yuan\MC907\Win832\instmsiw.exe
  • c:\drivers\15. TV Tuner (Geniatech, Yuan, AverMedia)\Yuan\1.0.6.8051\Win832\instmsiw.exe
  • c:\drivers\15. TV Tuner (Geniatech, Yuan, AverMedia)\Yuan\1.0.6.8051\Win864\instmsiw.exe
  • C:\Drivers\7. Alcor CardReader Driver\instmsiw.exe
  • c:\drivers\Alcor Card Reader Driver\instmsiw.exe
  • c:\drivers\bluetooth\bc621500\Win32\instmsiw.exe
  • c:\drivers\bluetooth\bc621500\Win64\instmsiw.exe
  • c:\drivers\bluetooth\w6104600\Win32\instmsiw.exe
  • c:\drivers\bluetooth\w6104600\Win64\instmsiw.exe
  • c:\Drivers\Bluetooth\Win32\instmsiw.exe
  • c:\Drivers\Bluetooth\Win64\instmsiw.exe
  • c:\drivers\bt\6015600\Win32\instmsiw.exe
  • c:\drivers\bt\6015600\Win64\instmsiw.exe
  • c:\drivers\bt\6208500\Win32\instmsiw.exe
  • c:\drivers\bt\6208500\Win64\instmsiw.exe
  • c:\drivers\bt\bc5104500\Win32\instmsiw.exe
  • c:\drivers\bt\bc5104500\Win64\instmsiw.exe
  • c:\drivers\bt\bc6202600\Win32\instmsiw.exe
  • c:\drivers\bt\bc6202600\Win64\instmsiw.exe
  • c:\drivers\bt\bc6208800\Win32\instmsiw.exe
  • c:\drivers\bt\bc6208800\Win64\instmsiw.exe
  • c:\drivers\bt\bc6209600\Win32\instmsiw.exe
  • c:\drivers\bt\bc6209600\Win64\instmsiw.exe
  • c:\drivers\bt\bc6209700\Win32\instmsiw.exe
  • c:\drivers\bt\bc6209700\Win64\instmsiw.exe
  • c:\drivers\bt\bt520500\Win32\instmsiw.exe
  • c:\drivers\bt\bt520500\Win64\instmsiw.exe
  • c:\drivers\bt\Win32\instmsiw.exe
  • c:\drivers\bt\Win64\instmsiw.exe
  • c:\drivers\Card Reader Driver\instmsiw.exe
  • c:\drivers\cardreader\instmsiw.exe
  • c:\Drivers\Others\Bluetooth\Win32\instmsiw.exe
  • c:\Drivers\Others\Bluetooth\Win64\instmsiw.exe
  • c:\drivers\TV Tuner (Geniatech, Yuan, AverMedia)\Yuan\MC163\Win832\instmsiw.exe
  • c:\drivers\TV Tuner (Geniatech, Yuan, AverMedia)\Yuan\MC907\Win832\instmsiw.exe
  • C:\DRIVERS\WIN\LANASIX\instmsiw.exe
  • C:\DRIVERS\WIN\MULTICARD\instmsiw.exe
  • c:\pnp\bluetooth\instmsiw.exe
  • c:\pnp\Cardreader\instmsiw.exe
  • c:\pnp\GOB\instmsiw.exe
  • c:\pnp\mobo\Chipset\INSTMSIW.EXE
  • c:\pnp\mobo\INSTMSIW.EXE
  • c:\pnp\raid\INSTMSIW.EXE
  • c:\pnp\video\instmsiw.exe
  • C:\SWTOOLS\BLUETOOTH\7ZBV19WW\Win32\instmsiw.exe
  • C:\SWTOOLS\BLUETOOTH\7ZBV19WW\Win64\instmsiw.exe
  • C:\SWTOOLS\DRIVERS\BLUETOOTH\8m05bb36g04\Win32\instmsiw.exe
  • C:\SWTOOLS\DRIVERS\BLUETOOTH\8m05bb36g04\Win64\instmsiw.exe
  • C:\SWTOOLS\DRIVERS\FPR\LZ4GO2A2_64\instmsiw.exe
  • C:\SWTOOLS\DRIVERS\LMBC\6jwa11ww\ATTplgin\instmsiw.exe
  • C:\SWTOOLS\DRIVERS\LMBC\7twa71ww\ATTplgin\instmsiw.exe

regsvr32

  • %Program Files%\3D Active Button Magic\REGSVR32.EXE
  • %Program Files%\3D Button API\REGSVR32.EXE
  • %Program Files%\Active DJ Studio\REGSVR32.EXE
  • %Program Files%\Active MIDI DJ Console\REGSVR32.EXE
  • %Program Files%\Active Sound Editor\REGSVR32.EXE
  • %Program Files%\Active Sound Recorder\REGSVR32.EXE
  • %Program Files%\Active Sound Studio\Active Sound Editor\REGSVR32.EXE
  • %Program Files%\Active Sound Studio\Active Sound Recorder\REGSVR32.EXE
  • %Program Files%\Active Waveform Analyzer\REGSVR32.EXE
  • %Program Files%\Blue Squirrel\Spam Sleuth Lite\regsvr32.exe
  • %Program Files%\Firmware Update\All_Package\program files\HP\Button Manager\Hestia\regsvr32.exe
  • %Program Files%\Firmware Update\All_Package\program files\HP\Button Manager\regsvr32.exe
  • %Program Files%\VoIP SIP Client SDK\files_for_redistribution\ActiveX\regsvr32.exe

ffmpeg

Not a hacking utility, but it may come in handy:

  • %Program Files%\AnvSoft\Any Video Converter Professional\gnu\ffmpeg.exe
  • %Program Files%\AnvSoft\Any Video Converter\ffmpeg.exe
  • %Program Files%\AnvSoft\Any Video Converter\gnu\ffmpeg.exe
  • %Program Files%\Any Video Recorder\ffmpeg.exe
  • %Program Files%\Aura4You\Aura Video Converter Professional\gnu\ffmpeg.exe
  • %Program Files%\BlazeVideo\BlazeDVD 6.1\ffmpeg.exe
  • %Program Files%\ClipGrab\ffmpeg.exe
  • %Program Files%\CodedColor\ffmpeg.exe
  • %Program Files%\Convertilla\ffmpeg.exe
  • %Program Files%\Diashow XL\LibAV\ffmpeg.exe
  • %Program Files%\DVD Photo Slideshow Professional\gnu\ffmpeg.exe
  • %Program Files%\DVD Shrink\ffmpeg.exe
  • %Program Files%\DVD to iPad Converter\ffmpeg.exe
  • %Program Files%\DVDVideoSoft\Free Audio Editor\ffmpeg.exe
  • %Program Files%\DVDVideoSoft\Free YouTube Download\ffmpeg.exe
  • %Program Files%\DVDVideoSoft\Free YouTube To MP3 Converter\ffmpeg.exe
  • %Program Files%\FotoArchiv XL\LibAV\ffmpeg.exe
  • %Program Files%\Freemake\COM\1.1\ffmpeg.exe
  • %Program Files%\Icecream Slideshow Maker\ffmpeg.exe
  • %Program Files%\Kastor Free Video Converter\ffmpeg.exe
  • %Program Files%\KooRaRoo Media Free\ffmpeg.exe
  • %Program Files%\MediaHuman\Audio Converter\ffmpeg.exe
  • %Program Files%\Nuclear Coffee\ConvertVid\ffmpeg.exe
  • %Program Files%\Nuclear Coffee\VideoGet\ffmpeg.exe
  • %Program Files%\pazera-software\FLV_to_AVI_Converter\tools\FFmpeg\ffmpeg.exe
  • %Program Files%\pazera-software\MKV_to_AVI_Converter_32\tools\FFmpeg\ffmpeg.exe
  • %Program Files%\pazera-software\MOV_to_AVI_Converter\tools\FFmpeg\ffmpeg.exe
  • %Program Files%\pazera-software\MP4_to_AVI_Converter\tools\FFmpeg\ffmpeg.exe
  • %Program Files%\pazera-software\MP4_to_MP3_32bit\tools\FFmpeg\ffmpeg.exe
  • %Program Files%\RadioBOSS\Plugins\ffmpeg.exe
  • %Program Files%\Slideshow XL\LibAV\ffmpeg.exe
  • %Program Files%\SmartDVDCreatorPro\ffmpeg.exe
  • %Program Files%\SmartDVDCreator\ffmpeg.exe
  • %Program Files%\Socusoft\Socusoft 3GP Photo Slideshow\gnu\ffmpeg.exe
  • %Program Files%\Socusoft\Socusoft iPod Photo Slideshow\gnu\ffmpeg.exe
  • %Program Files%\Sothink HD Movie Maker\Encoder\ffmpeg.exe
  • %Program Files%\Sothink Movie DVD Maker\Encoder\ffmpeg.exe
  • %Program Files%\Sothink Video Converter\Encoder\ffmpeg.exe
  • %Program Files%\Sothink Video Encoder for Adobe Flash\Encoder\ffmpeg.exe
  • %Program Files%\SourceTec\Sothink Movie DVD Maker\Encoder\ffmpeg.exe
  • %Program Files%\Stellar Phoenix Video Repair\ffmpeg.exe
  • %Program Files%\YouTube Song Downloader\ffmpeg.exe

and there are more VNC binaries as well:

vncviewer

  • %Program Files%\CrossLoop\vncviewer.exe
  • %Program Files%\Hammer Software\MetaLAN Administrator 2\VNC\TightVNC3\vncviewer.exe
  • %Program Files%\RealVNC\VNC4\vncviewer.exe
  • %localappdata%\CrossLoop\vncviewer.exe

winscp

  • %Program Files%\Lauyan\TOWeb V6\tools\winscp\WinSCP.exe

downloader (note: all of these may require additional analysis):

  • %Program Files%\Auslogics\Driver Updater\Downloader.exe
  • %Program Files%\BSC Designer\update\Downloader.exe
  • %Program Files%\Defender Pro Driver Control\Downloader.exe
  • %Program Files%\Download Master\downloader.exe
  • %Program Files%\Fake Voice 7.0\7.0.0.0\downloader.exe
  • %Program Files%\Fake Webcam 7.4\7.4.0.0\downloader.exe
  • %Program Files%\IDA\downloader.exe
  • %Program Files%\MurGeeMon\Downloader.exe
  • %Program Files%\Virtual Webcam 8.0\8.0.0.0\downloader.exe
  • %Program Files%\Webcam Screen Recorder 7.0\7.0.0.0\downloader.exe
  • %localappdata%\downloader.exe
  • %localappdata%\Temp\hstemp\downloader.exe

javaw

  • %Program Files%\CamShot\jre\bin\javaw.exe
  • %Program Files%\ChequePrinting.net\jre\bin\javaw.exe
  • %Program Files%\ChequeSystem\jre\bin\javaw.exe
  • %Program Files%\EasyBilling\jre\bin\javaw.exe
  • %Program Files%\EditRocket\jre\bin\javaw.exe
  • %Program Files%\Formatic\jre\bin\javaw.exe
  • %Program Files%\OMS\OPhone Desktop Suite\jre\bin\javaw.exe
  • %Program Files%\Ovis\jre7\bin\javaw.exe
  • %Program Files%\PhotoPDF\jre\bin\javaw.exe
  • %Program Files%\PhotoX\jre\bin\javaw.exe
  • %Program Files%\RoboMail\jre\bin\javaw.exe
  • %Program Files%\SmartCalendar\jre\bin\javaw.exe
  • %Program Files%\Sweet Home 3D\jre6\bin\javaw.exe

java

  • %Program Files%\CamShot\jre\bin\java.exe
  • %Program Files%\ChequePrinting.net\jre\bin\java.exe
  • %Program Files%\ChequeSystem\jre\bin\java.exe
  • %Program Files%\EasyBilling\jre\bin\java.exe
  • %Program Files%\EditRocket\jre\bin\java.exe
  • %Program Files%\Formatic\jre\bin\java.exe
  • %Program Files%\OMS\OPhone Desktop Suite\jre\bin\java.exe
  • %Program Files%\Ovis\jre7\bin\java.exe
  • %Program Files%\PhotoPDF\jre\bin\java.exe
  • %Program Files%\PhotoX\jre\bin\java.exe
  • %Program Files%\RoboMail\jre\bin\java.exe
  • %Program Files%\SmartCalendar\jre\bin\java.exe

tar

  • %commonappdata%\CleanMail\tar.exe
  • %Program Files%\Git\usr\bin\tar.exe
  • %Program Files%\Kingo ROOT\tools\tar.exe
  • c:\Program Files (x86)\Common Files\DVDVideoSoft\bin\tar.exe

undelete

  • %Program Files%\Advanced System Optimizer 3\Undelete.exe
  • %Program Files%\CleanGenius 3\UnDelete.exe
  • %Program Files%\Glary Undelete\undelete.exe
  • %Program Files%\Glary Utilities\undelete.exe
  • %Program Files%\LSoft Technologies\Active\@ UNDELETE\Undelete.exe
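As an added example (not code from the original posts), here is a small hunt over Sysmon-style process-creation events that covers both the Part 3 DepthAI/PortableGit finding and the Part 2 lists: it flags the binary names above when they run from outside the stock Windows paths, and flags any child of the Update_Execute.exe / runxx.exe proxies. The event field names, the expected-path prefixes and the sample events (the user name alice in particular) are my assumptions.

```python
# Added example (not from the original posts): flag the posts' lolbin names
# running outside stock Windows paths, and proxy execution via the posts'
# vendor helpers. Input: Sysmon-style events reduced to Image and ParentImage.
# Binary names the posts found shipping inside third-party products.
LOLBIN_NAMES = {
    "whoami.exe", "curl.exe", "openssl.exe", "xz.exe", "tar.exe",
    "installutil.exe", "regasm.exe", "regsvr32.exe", "ping.exe",
    "java.exe", "javaw.exe", "vncviewer.exe", "winscp.exe",
}
# Where a stock Windows/.NET copy of these names is expected to live;
# anything else (Program Files, AppData, C:\drivers, ...) is worth a look.
EXPECTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                     "c:\\windows\\microsoft.net\\")
# Vendor helpers the posts describe as proxy executors of arbitrary programs.
PROXY_PARENTS = {"update_execute.exe", "runxx.exe"}

def basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def classify(event):
    """Return finding tags for one event; an empty list means nothing odd."""
    image = event["Image"].lower().replace("/", "\\")
    name = basename(image)
    parent = basename(event.get("ParentImage", ""))
    findings = []
    if name in LOLBIN_NAMES and not image.startswith(EXPECTED_PREFIXES):
        findings.append("lolbin-outside-system-path:" + name)
    if parent in PROXY_PARENTS:
        findings.append("proxy-exec-via:" + parent)
    return findings

def hunt(events):
    """Return (Image, tags) for every event that produced at least one tag."""
    tagged = [(e["Image"], classify(e)) for e in events]
    return [(image, tags) for image, tags in tagged if tags]

# Constructed sample (user 'alice' is made up; the third-party paths are the
# posts'): DepthAI's bundled whoami, Update_Execute proxying notepad, legit ping.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Programs\DepthAI\PortableGit\usr\bin\whoami.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\notepad.exe",
     "ParentImage": r"C:\Program Files\Diashow XL\Update_Execute.exe"},
    {"Image": r"C:\Windows\System32\PING.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]
if __name__ == "__main__":
    for image, tags in hunt(SAMPLE_EVENTS):
        print(image, "->", ", ".join(tags))
```

Feed it the Image/ParentImage pairs from your own process-creation telemetry; the expected-prefix list is deliberately narrow, so tune it to whatever your baseline actually contains.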