1/ Interesting technique used by #Ratty sample for distribution of malicious JAR(zip) appended to MSI— Securityinbits (@Securityinbits) June 12, 2020
So when the OS sees jar ext it executes jre to handle the file, but unique about zip files are read from bottom to top so jar is executed instead of msi file, details below https://t.co/3u7487kUZy pic.twitter.com/jZw9s07X5z
#Avaddon #ransomware uses simple anti-debugging IsDebuggerPresent API to check for debugger.— Securityinbits (@Securityinbits) June 9, 2020
It uses GetUserDefaultLCID & GetKeyboardLayout API to check for local identifiers that are not Russian(0x419h), Ukrainian(0x422h) etc.
As RaaS programs cannot target victims in the CIS pic.twitter.com/O4dhj9XOVe
One of the way you can use to #Deobfuscate VBScript is to replace the eval with Wscript.Echo and execute using cscript#Malware #MalwareAnalysis pic.twitter.com/GzCdRspfBY— Securityinbits (@Securityinbits) May 30, 2020