This report analyzes an advanced Trojan dropper exhibiting sophisticated obfuscation techniques, designed to obscure true intentions and evade detection. The report highlights unique memory management and string manipulation strategies employed in the malware. Affected: cybersecurity sector, Windows OS users
Keypoints :
- The Trojan dropper exhibits advanced techniques complicating static analysis.
- It utilizes unique obfuscation methods that go beyond simple encoding mechanisms like base64 or XOR.
- Three categories of obfuscation are identified: hardcoded prefix, hardcoded suffix, and hardcoded without %s.
- Memory allocation is utilized in such a way that is intentionally misleading for analysts.
- Generated random strings are used for creating executable files in temporary directories.
- The malware performs anti-debugging measures and self-deletion after execution.
MITRE Techniques :
- T1056 – Input Capture: The Trojan dropper captures user input by executing commands.
- T1040 – Network Sniffing: Uses network latency commands to send data.
- T1203 – Exploitation for Client Execution: Leverages vulnerabilities in Windows to execute its dropper.
Indicator of Compromise :
- [MD5] A699AFD908E0DEC5C96FF7188450B89F
- [SHA-256] f18631344d6f7fc57fd248edce37baeb11976e315b72b68d48311c406ace3f8c
- [File Name] Verify-TujxgfVN.exe
- [IP Address] 1.1.1.1
- [Command] cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q “%s”
Full Story: https://malwareanalysisspace.blogspot.com/2025/03/the-art-of-deception-deep-dive-into.html