How does obfuscated cmd work?
Hello!
My colleagues once again received an e-mail with a zip archive about a court order supposedly addressed to them (or an unpaid bill, a request to send documents, etc.). Inside the archive was an obfuscated cmd script. What it does is roughly clear from the description on the antivirus vendor's website; the question is how exactly such code gets executed by CMD?
Typically, the most common obfuscators use the variable assignment method. Example:

Example 1 (plain):

echo off

Example 2 (the same command, obfuscated):

rem q holds the word "set", so every later assignment is written as %q% and the keyword never appears again
set q=set
rem one letter of the final command per randomly named variable
%q% hmOP3a=o
%q% gtrY3b=e
%q% ghrEsdfe=f
%q% c7HHiW=c
%q% frUI23=h
rem cmd expands every %name% before it parses the line, so this line is executed as: echo off
%gtrY3b%%c7HHiW%%frUI23%%hmOP3a% %hmOP3a%%ghrEsdfe%%ghrEsdfe%
The code in the second example does exactly the same thing as the code in the first one, but it is hard to read. Obfuscation can be strengthened further by adding jumps to labels (goto). There are also programs that pack the batch file into an executable, but, as a rule, the decrypted batch file is easy to find in one of the temporary folders or in RAM.
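As an added example (not from the original question or answer), here is a small Python script that replays the two steps cmd.exe performs on each line of a batch file: %name% expansion, which happens before the command word is identified, and then the set assignment itself. Running it over the answer's sample shows why `%q% hmOP3a=o` executes as `set hmOP3a=o` and why the last line collapses to `echo off`. Both scripts it processes are constructed here; the second one, with the quoted `set "name=value"` form and a reference to a variable that was never defined, is an assumption of this example and is not from the page. Only plain set assignments are modelled: delayed expansion (!var!), set /a, set /p, goto and command-line arguments are ignored, so real samples that use those still need a manual pass or a sandbox.

```python
import re

# Constructed sample: the obfuscated script from the answer above, with the
# "set q=set" line written out in full. Not real malware, just the pattern.
SAMPLE_FROM_ANSWER = """\
echo off
set q=set
%q% hmOP3a=o
%q% gtrY3b=e
%q% ghrEsdfe=f
%q% c7HHiW=c
%q% frUI23=h
%gtrY3b%%c7HHiW%%frUI23%%hmOP3a% %hmOP3a%%ghrEsdfe%%ghrEsdfe%
"""

# Constructed second sample (an assumption, not from the page): the quoted
# set "name=value" form and a reference to a variable that was never set.
SAMPLE_QUOTED = """\
@echo off
set "a=pow"
set "b=ersh"
set "c=ell"
%a%%b%%c%%notdefined% -NoProfile -Command Get-Date
"""

SET_RE = re.compile(r"^set\s+(.*)$", re.IGNORECASE)


def expand_percent(line: str, env: dict) -> str:
    """Emulate cmd.exe percent expansion for one line read from a batch file.

    cmd does this before it looks at the command word, which is why
    '%q% x=o' can turn into 'set x=o'. Rules modelled here:
      %%      -> a literal %
      %NAME%  -> the value of NAME (names are case-insensitive)
      %NAME%  -> nothing at all when NAME is undefined
      a lone % with no closing % is dropped
    Delayed expansion (!var!), %~ modifiers and %1..%9 are not modelled.
    """
    out = []
    i, n = 0, len(line)
    while i < n:
        ch = line[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 < n and line[i + 1] == "%":   # %% -> %
            out.append("%")
            i += 2
            continue
        j = line.find("%", i + 1)
        if j == -1:                             # unmatched % is dropped
            i += 1
            continue
        name = line[i + 1:j]
        out.append(env.get(name.upper(), ""))   # undefined name -> empty
        i = j + 1
    return "".join(out)


def parse_set(cmd: str):
    """Return (name, value) for 'set name=value' or 'set "name=value"', else None.
    'set /a' and 'set /p' are not handled and are reported as None."""
    m = SET_RE.match(cmd)
    if not m:
        return None
    body = m.group(1).lstrip()          # trailing spaces stay part of the value, as in cmd
    if body.startswith("/"):
        return None
    quoted = body.strip()
    if len(quoted) >= 2 and quoted[0] == '"' and quoted[-1] == '"':
        body = quoted[1:-1]
    if "=" not in body:
        return None                      # bare 'set name' only displays variables
    name, value = body.split("=", 1)
    return name, value


def deobfuscate(script: str):
    """Walk the script top to bottom the way cmd would: expand, then record
    assignments. Returns the final environment and (raw, expanded) pairs."""
    env, steps = {}, []
    for raw in script.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        expanded = expand_percent(raw, env)
        cmd = expanded.lstrip("@")      # '@' only suppresses echoing of the line
        assignment = parse_set(cmd)
        if assignment:
            name, value = assignment
            env[name.upper()] = value
        steps.append((raw, cmd))
    return env, steps


def recovered_commands(script: str):
    """The lines that are not variable assignments, as cmd would actually run them."""
    _, steps = deobfuscate(script)
    return [cmd for _, cmd in steps if parse_set(cmd) is None]


if __name__ == "__main__":
    for sample in (SAMPLE_FROM_ANSWER, SAMPLE_QUOTED):
        for raw, cmd in deobfuscate(sample)[1]:
            print(f"{raw:60s} -> {cmd}")
        print("executed:", recovered_commands(sample))
        print()
```

The script is a static replay, not an execution: it tells you what the obfuscated lines would become, which is usually enough to see the real command, but the packed-into-exe variants the answer mentions still have to be unpacked (or caught in a temp folder or memory) before this kind of expansion can be applied.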