michael.jenkin

Video on fileless malware (Semi Fileless)


I thought that this might be of interest. It gets into a deep dive, but if this information is not shared out there, none of us will be prepared!


https://youtu.be/uUelJ-E2ZwE


I've had that forfiles thing come up a couple of times now. Took me a couple of hours to find the first time. The only reason I was looking was because Kaspersky kept detecting something and couldn't get rid of it. 


Also, I saw you were looking at .jumper files yesterday. I had a site affected by it too. Same thing with the RDP entry. It was a virtual machine, so I could just restore it from backup, but while they cleaned out VSS etc., they uninstalled "Process Hacker 2" but there were still entries for it in the Start menu.


Fliptopia! Sounds like we travel in similar circles.


Turns out that Jumper is a modification of the Jamper ransomware. They normally use Process Hacker to kill your AV.


Maybe we do 🙂. I don't generally investigate as deeply, as by the time I've found something like this I'm already running late for my next job, but I'm always keen to know more. Process Hacker looks like a more capable Process Explorer. I think I'll add that to my toolbox.


I dealt with one of these FORFILES in a registry Run entry the other day. It was attempting to run a bunch of stuff through System32, but luckily it hit an admin-rights failure.

There was some seemingly random text in the reg entry following the command and initial parameters; it must be some sort of compression of the following params.


Though it seemed not to do anything, the System Properties panel stopped working; it would just vanish after 2 seconds. But after I REMed out the command, the properties panel was fixed.

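A quick triage check for the pattern described in the post above, added here and not from anyone in the thread: it scans `reg query` output for Run values that call forfiles.exe (which has no normal reason to sit in a Run key) and for opaque text trailing the last quoted argument, like the "random text" the poster saw. The registry lines are constructed samples, not entries from a real system.

```python
"""Flag Run-key entries that launch forfiles.exe or carry unexplained trailing text."""
import re
from typing import List, NamedTuple

# Constructed sample in the layout `reg query HKCU\...\Run` prints; not real entries.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\demo\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c echo @file" zq83hd92lpx
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

# One value line: <name> <REG_type> <data>; the HKEY header line has no REG_ type and is skipped.
ENTRY_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<value>.*?)\s*$")
FORFILES_RE = re.compile(r"\bforfiles(?:\.exe)?\b", re.IGNORECASE)


class Finding(NamedTuple):
    name: str
    value: str
    reasons: tuple


def trailing_text(value: str) -> str:
    """Return whatever follows the last double-quoted argument (e.g. a /c "...").
    Ordinary Run values end at that quote or continue with /switches; anything
    else left over is worth a closer look."""
    last_quote = value.rfind('"')
    if last_quote == -1:
        return ""
    return value[last_quote + 1:].strip()


def scan_run_entries(text: str) -> List[Finding]:
    """Parse reg-query style output and return the entries that deserve attention."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, value = m["name"], m["value"]
        reasons = []
        if FORFILES_RE.search(value):
            reasons.append("forfiles.exe launched from a Run key")
        extra = trailing_text(value)
        if extra and not extra.startswith("/"):
            reasons.append(f"unexplained trailing text: {extra!r}")
        if reasons:
            findings.append(Finding(name, value, tuple(reasons)))
    return findings
```

Feed it the real output of `reg query` for the HKCU and HKLM Run keys to use it outside the sample; a hit is a reason to inspect, not proof of infection.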
