|
A week or two ago reader Norris Carden submitted a malicious document. This document is another "sleeper": it waits a couple of minutes before downloading and executing a malicious payload. The trick used here is to start a ping command (from VBA macros) that will take several minutes to execute: cmd.exe /C ping 8.8.8.8 -n 250 > nul This command does 250 pings to Google DNS 8.8.8.8. It will take around 4 minutes and 10 seconds to execute. And after that, the VBA code downloads and executes malware. Didier Stevens |
DidierStevens 162 Posts ISC Handler |
| Reply Subscribe |
Dec 24th 2016 7 months ago |
|
You can explain what's your command .How i can do that.It's is DDOS to google .Tks nice post.
|
DaoTrong 1 Posts Posts |
| Reply Quote |
Dec 25th 2016 7 months ago |
|
what does the time delay buy the actor?
|
TuggDougins 33 Posts Posts |
| Reply Quote |
Dec 25th 2016 7 months ago |
|
Same as the other sleeper I wrote a diary entry for.
Evade detection by time-limited, automatic dynamic analysis. Which can in turn be defeated by killing the ping process. |
DidierStevens 162 Posts Posts ISC Handler |
| Reply Quote |
Dec 25th 2016 7 months ago |
|
just being able to ping or use 8.8.8.8 might be a way for badguys to determine whether an endpoint is outside of a protected network (no IPS, NGFW, etc).
|
Anonymous Posts |
| Reply Quote |
Dec 25th 2016 7 months ago |
|
The VBA code does not check the result of the ping command. It just launches the command with a synchronous call: when the command terminates the VBA code continues to run. Regardless of what the result of the ping command is.
|
DidierStevens 162 Posts Posts ISC Handler |
| Reply Quote |
Dec 25th 2016 7 months ago |
Sign Up for Free or Log In to start participating in the conversation!
