

We observed two instances that use the same loader but deliver different payloads. This loader-plus-payload split is reminiscent of older malware families such as PlugX.
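As an added example (not code from the original analysis), here is a triage routine for the loader pattern described on this page: a benign-looking executable beside an encrypted side-car blob (config.dat) that is decrypted and run in memory. The entropy threshold, the single-byte XOR scheme, the PE-header check and the sample data are assumptions for illustration; the real sample's encryption is not described on this page.

```python
"""Triage of an encrypted side-car blob (added example; constructed data).
Assumptions: the blob is a PE image under single-byte XOR, and 'encrypted' is
judged by byte entropy. Neither is stated about the real sample on this page."""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, up to 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    """Encrypted or compressed blobs sit near 8 bits/byte; text configs sit well below (assumed cut-off)."""
    return shannon_entropy(data) >= threshold


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_single_byte_xor_key(blob: bytes, known_prefix: bytes = b"MZ"):
    """Known-plaintext recovery: if the blob is a PE image XORed with one byte, the first
    byte reveals the key and every other byte of the prefix must agree. Returns key or None."""
    if len(blob) < len(known_prefix):
        return None
    key = blob[0] ^ known_prefix[0]
    if all((b ^ key) == p for b, p in zip(blob, known_prefix)):
        return key
    return None


def triage_blob(blob: bytes) -> dict:
    """The first checks an analyst runs on a suspicious side-car file."""
    result = {
        "size": len(blob),
        "entropy": round(shannon_entropy(blob), 2),
        "looks_encrypted": looks_encrypted(blob),
        "has_pe_header": blob.startswith(b"MZ"),
        "xor_key": None,
    }
    key = recover_single_byte_xor_key(blob)
    if key is not None and not result["has_pe_header"]:
        decrypted = xor_bytes(blob, key)
        # A real PE also carries the "PE\0\0" signature at the offset stored at e_lfanew (0x3C).
        if decrypted.startswith(b"MZ") and b"PE\0\0" in decrypted:
            result["xor_key"] = key
            result["has_pe_header"] = True
    return result


# Constructed sample data (not from the real sample): a plain-text config, and a fake PE
# image (MZ stub, e_lfanew = 0x40, PE signature) encrypted with XOR key 0x5A.
PLAIN_CONFIG = b"[server]\nhost=example.invalid\nport=443\n" * 50
FAKE_PE = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
           + b"PE\0\0" + bytes(range(256)) * 8)
ENCRYPTED_BLOB = xor_bytes(FAKE_PE, 0x5A)

if __name__ == "__main__":
    for name, blob in (("plain config", PLAIN_CONFIG), ("config.dat", ENCRYPTED_BLOB)):
        print(name, triage_blob(blob))
```

Entropy alone only says "not plain text"; the key-recovery step is what separates an encrypted executable from a compressed resource, and in practice the decrypted bytes should be carved out and checked with a PE parser before anything is concluded.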
However, the malicious Notepad++ file carries additional code that loads an encrypted blob file (config.dat), decrypts it, and executes the result in memory, which is where the backdoor routines live. These code snippets bear many similarities, and the details listed in the file properties of notepad.exe reflect this as well.

Performing Root Cause Analysis (RCA) shows that this malicious notepad.exe file carried out suspicious actions by calling tools that do the following:

- get a list of currently running processes on either a local or remote machine;
- gather operating system configuration information for a local or remote machine, including service pack levels;
- list the settings of the server and workstation services;
- enumerate local and global groups in the domain.

The link between notepad.exe and these processes, and what they do, indicates that the file is a typical backdoor: it performs host and domain reconnaissance and takes commands from a malicious remote user.

The notepad.exe file was dropped through ntoskrnl.exe, short for Windows NT operating system kernel executable. A file write attributed to the kernel (the System process) can come about either by exploiting ntoskrnl.exe itself or through a write arriving over a network share, because the SMB server handles incoming writes in kernel context. Based on the telemetry data we obtained, it is most probably the latter.
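The RCA above, reconstructed over host telemetry as an added example (this is not the analysts' tooling). The event records are constructed with Sysmon-like field names, the launch vector of the dropped file is arbitrary because the page does not establish it, and the discovery-tool names in DISCOVERY_TOOLS are an assumption that matches the functions described above rather than identifiers taken from the analysis.

```python
"""Root-cause reconstruction: drop -> execution -> child processes (added example;
constructed events, Sysmon-like field names). DISCOVERY_TOOLS is an assumed mapping
of the functions described on this page to built-in Windows tools."""

DISCOVERY_TOOLS = {
    "tasklist.exe": "gets a list of running processes on a local or remote machine",
    "systeminfo.exe": "gathers OS configuration, including service pack level",
    "net.exe": "net config / net group: service settings and domain groups",
}

# Constructed telemetry. A FileCreate whose creator is System (pid 4, the kernel,
# ntoskrnl.exe) is how a write served by the in-kernel SMB server shows up.
EVENTS = [
    {"ts": "10:00:01", "type": "FileCreate", "image": "System", "pid": 4,
     "target": r"C:\ProgramData\notepad.exe"},
    {"ts": "10:00:02", "type": "FileCreate", "image": "System", "pid": 4,
     "target": r"C:\ProgramData\config.dat"},
    # Launch vector is not established on the page; the parent here is arbitrary.
    {"ts": "10:01:00", "type": "ProcessCreate", "image": r"C:\ProgramData\notepad.exe",
     "pid": 1234, "ppid": 812, "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "notepad.exe"},
    {"ts": "10:01:05", "type": "ProcessCreate", "image": r"C:\Windows\System32\tasklist.exe",
     "pid": 1300, "ppid": 1234, "parent_image": r"C:\ProgramData\notepad.exe",
     "cmdline": "tasklist /v"},
    {"ts": "10:01:06", "type": "ProcessCreate", "image": r"C:\Windows\System32\systeminfo.exe",
     "pid": 1301, "ppid": 1234, "parent_image": r"C:\ProgramData\notepad.exe",
     "cmdline": "systeminfo"},
    {"ts": "10:01:07", "type": "ProcessCreate", "image": r"C:\Windows\System32\net.exe",
     "pid": 1302, "ppid": 1234, "parent_image": r"C:\ProgramData\notepad.exe",
     "cmdline": "net group /domain"},
    # Benign: the real Notepad, launched by the user, spawns nothing.
    {"ts": "10:05:00", "type": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe",
     "pid": 2000, "ppid": 900, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe readme.txt"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_drop(events, filename):
    """First creation of `filename`, plus what the creating process implies about the vector."""
    for e in events:
        if e["type"] == "FileCreate" and basename(e["target"]) == filename.lower():
            if e["pid"] == 4:
                note = ("written in kernel context (System/ntoskrnl.exe): consistent with an "
                        "inbound write over a network share, or with a kernel exploit")
            else:
                note = f"written by {basename(e['image'])} (pid {e['pid']})"
            return e, note
    return None, "no creation event found"


def children_of(events, parent_image: str, parent_pid=None):
    """Process creations whose parent is `parent_image` (optionally pinned to one pid)."""
    return [e for e in events
            if e["type"] == "ProcessCreate"
            and basename(e["parent_image"]) == parent_image.lower()
            and (parent_pid is None or e["ppid"] == parent_pid)]


def reconstruct_chain(events, dropped="notepad.exe"):
    """Match executions by full path so the legitimate C:\\Windows\\System32\\notepad.exe
    is not confused with the dropped copy, then collect what the dropped copy spawned."""
    drop, note = find_drop(events, dropped)
    execs = [e for e in events
             if e["type"] == "ProcessCreate"
             and (e["image"].lower() == drop["target"].lower() if drop
                  else basename(e["image"]) == dropped.lower())]
    findings = []
    for ex in execs:
        for child in children_of(events, dropped, ex["pid"]):
            tool = basename(child["image"])
            findings.append({"pid": child["pid"], "tool": tool, "cmdline": child["cmdline"],
                             "discovery": tool in DISCOVERY_TOOLS})
    verdict = ("backdoor-like: dropped binary runs host/domain discovery"
               if any(f["discovery"] for f in findings) else "no discovery activity observed")
    return {"drop": drop, "drop_note": note, "executions": [e["pid"] for e in execs],
            "children": findings, "verdict": verdict}


if __name__ == "__main__":
    chain = reconstruct_chain(EVENTS)
    print(chain["drop_note"])
    for f in chain["children"]:
        print(f"  notepad.exe (pid {chain['executions'][0]}) -> {f['tool']}: {f['cmdline']}")
    print(chain["verdict"])
```

The creator being System is necessary but not sufficient for the network-share conclusion: a local kernel exploit writes in the same context. The corroboration to look for is an inbound SMB session and share access on that host at the time of the write (Security event 5140 when share auditing is on), which is the kind of telemetry that would tip the call toward "via network shares".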
