Showing posts from July, 2020

LOLSnif Malware

A boringly deep analysis of a very complex VBS malware dropper

A code snippet of the script

LOLSnif is a new(ish) variant of the common trojan Ursnif. Here, we take a look at the very complex and heavily encoded/obfuscated script that drops the malicious DLL on the victim machine. Apologies if it gets a bit boring, I’ve crammed in too much stuff here. Feel free to skip sections that are of less interest.

It all starts the usual way: a phishing email brings in a link that serves the initial script. The script itself contains the malware, which is dropped on the victim machine on successful execution. This script has a lot of anti-analysis and anti-sandbox features that are clever and heavily encoded, which makes them well hidden. Let’s take a step-by-step look at this malware:

There are more than 500 lines of code in the script, and most of those lines have thousands of characters in them. This is a very long script, based on those numbers alone. A lot of that is garbage, as is common with sc