Remote CMD/PowerShell terminal

Description

(Kaspersky) The malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with previously known malware. All the strings and settings were encrypted and obfuscated. Functionality was identified that enables HTTP communication with the C&C server and invokes “processcreate” based on parameters received as a response.

The configuration and strings are encrypted using 3DES and Base64 encoding. Data sent to the C&C server is also encrypted using 3DES and Base64. Different keys are used for local and network encryption.

The malware starts communicating with the C&C server by sending basic information about the infected machine. The C&C server then replies with the encrypted serialized configuration.

The malware basically provides a remote CMD/PowerShell terminal for the attackers, enabling them to execute scripts/commands and receive the results via HTTP requests.

Names

Name
Remote CMD/PowerShell terminal

Category

Malware

Type

  • Reconnaissance
  • Backdoor

Information

Other Information

UUID

d67dfeb0-ad1f-48f7-ac1e-8d932318b044

Last Card Change

2020-04-20