Posts

Showing posts from February, 2018

Hello, 2018!

Today is the last day of the lunar year, the traditional Chinese festival of New Year's Eve (Chuxi). Only after today, for us Chinese, does 2018 truly begin.
Admittedly, from a certain angle, the "New Year flavor" in China is fading. At the dinner table, more and more people lower their heads to play with their phones, or a few of them team up for a tense, exciting round of a MOBA. But for us, the New Year is enough as long as we gather together.
=======================
Here, to keep my wishes from being drowned out at midnight,
I am sending everyone New Year greetings in advance.
To LoveLivers: pull a UR in a single draw, and may your tickets take flight
To coders: 0 errors, 0 warnings
To everyone: may all your wishes come true, may everything go smoothly, and have a prosperous Year of the Dog (wang wang wang)!
=======================
And for myself: in the new year, may I get many URs, find many vulnerabilities, and catch many malware samples~

Malicious Repacked KMSpico

[Imported from X-Sec Blog, just for backup]

KMSpico is a well-known tool for activating Microsoft products, although it is no longer updated and using it is illegal.

There are many repacked versions on the Internet; we got a sample that looks a bit more interesting.

This time I wanted to run the sample directly in Sandboxie.

Like other malicious repacked KMSpico builds, it drops a piece of malware and runs it during installation.

Dropped File Path: "C:\Program Files (x86)\Common Files\InstallShield\Update\ISUSPM.exe"

It is a heavily obfuscated .NET-based malware, but that is not the main point of this blog post.

SpyShelter told me the setup file wanted to create a scheduled task that would use wscript to run an INI file periodically.

So I found the INI file.

It looks like an INI file at first sight, but did you notice the first 2 characters? They are the beginning of a comment in some programming languages, such as C/C++/JavaScript. And it will be "run" perio…