A boringly deep analysis of a very complex VBS Malware dropper

[Figure: A code snippet of the script]

LOLSnif is a new(ish) variant of the common trojan Ursnif. Here, we take a look at the very complex and heavily encoded/obfuscated script that drops the malicious DLL on the victim machine. Apologies if it gets a bit boring; I’ve crammed in too much stuff here. Feel free to skip sections that are of less interest.

It all starts the usual way: a phishing email brings in a link that serves the initial script. The script itself carries the malware payload, which is dropped on the victim machine on successful execution. The script has a lot of anti-analysis and anti-sandbox features that are clever and heavily encoded, which makes them well hidden.

Let’s take a step-by-step look at this malware. There are more than 500 lines of code in the script, and most of those lines have thousands of characters in them, so this is a very long script based on those numbers alone. A lot of that is garbage, a...