Recently I was playing with VirusTotal Intelligence and, while testing some dynamic behavior queries, I stumbled upon this strange PE binary (MD5: 7fce12d2cc785f7066f86314836c95ec).

The file claimed to be an installer for JXplorer 3.3.1.2, a Java-based "cross platform LDAP browser and editor" as indicated on its official web page.

Why was it strange? Mostly because I did not expect an installer for a quite popular LDAP browser to create a scheduled task in order to download and execute PowerShell code from a subdomain hosted by a free dynamic DNS provider.

I initially planned to keep this write-up short and focus on dissecting the suspicious JXplorer binary. However, analyzing the JXplorer binary turned out to be only the first step into the world of backdoored software.

In order to validate my VirusTotal finding I downloaded a matching version of the Windows installer (3.3.1.2) from the official JXplorer SourceForge repository. Unsurprisingly, the MD5 hashes of both files were different.

The last thing I wanted to do was to disassemble two 7-megabyte PE binaries, so I started with simpler checks in order to locate the difference(s). As the binaries were packed with UPX, I unpacked them with the upx tool and compared the MD5s of the PE sections. The sections were all identical, with the exception of the resource section. I was not sure how the content of the PE resource section could affect the behavior of the installer, so I used VBinDiff to see the exact difference. The tool actually revealed the following modification: the manifest file located in the resource section, specifically its requestedExecutionLevel property.
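The per-section MD5 comparison described above, as an added example that is not part of the original write-up: it parses the PE section table of two unpacked images, hashes each section's raw bytes and reports which sections differ. The PE images it builds are constructed in-memory stand-ins (no optional header, no alignment), not the JXplorer installers, and the manifest values in them are sample values chosen here.

```python
"""Hash every PE section in two images and report which sections differ, the
check used in the write-up to narrow a 7 MB comparison down to the resource
section. The images built here are constructed stand-ins, not the JXplorer files."""
import hashlib
import struct

SECTION_HDR = 40  # sizeof(IMAGE_SECTION_HEADER)

def section_hashes(data: bytes) -> dict:
    """Return {section name: MD5 of its raw bytes} for a PE image."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                            # first section header
    hashes = {}
    for i in range(nsect):
        # Name(8), skip VirtualSize+VirtualAddress, SizeOfRawData, PointerToRawData
        name, raw_size, raw_ptr = struct.unpack_from("<8s8xII", data, table + i * SECTION_HDR)
        raw = data[raw_ptr:raw_ptr + raw_size]
        hashes[name.rstrip(b"\0").decode("ascii", "replace")] = hashlib.md5(raw).hexdigest()
    return hashes

def differing_sections(a: bytes, b: bytes) -> list:
    """Names of sections whose raw bytes (or presence) differ between two images."""
    ha, hb = section_hashes(a), section_hashes(b)
    return sorted(n for n in set(ha) | set(hb) if ha.get(n) != hb.get(n))

def build_minimal_pe(sections: dict) -> bytes:
    """Constructed image: MZ stub, COFF header (no optional header), section table, raw data."""
    pe_off = 0x40
    hdr = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    raw_off = pe_off + 24 + SECTION_HDR * len(sections)
    table, body = b"", b""
    for name, raw in sections.items():
        ptr = raw_off + len(body)
        table += struct.pack("<8sIIII", name.encode(), len(raw), ptr, len(raw), ptr) + b"\0" * 16
        body += raw
    return hdr + table + body

if __name__ == "__main__":
    # Constructed sample: identical code/data, only the manifest inside .rsrc differs.
    base = {".text": b"\xcc" * 64, ".data": b"\0" * 32}
    clean = build_minimal_pe({**base, ".rsrc": b'<requestedExecutionLevel level="asInvoker"/>'})
    tampered = build_minimal_pe({**base, ".rsrc": b'<requestedExecutionLevel level="highestAvailable"/>'})
    print(differing_sections(clean, tampered))  # ['.rsrc']
```

On real binaries, run `upx -d` on both files first and pass the unpacked bytes in; packed images would only show the UPX stub sections differing.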