vx-underground
The largest collection of malware source, samples, and papers on the internet.

Password: infected

https://vx-underground.org/
I've been poking Microsoft Copilot with a stick. I've made a bunch of posts on it.

These are my dumb notes and/or discussion, part 1.

My current machine is Windows 11 but Microsoft Copilot wasn't on the machine, so I installed it from the Microsoft app store. I don't know if the installation process and libraries present from the Microsoft app store are different than the Microsoft Copilot which will come default with Windows 11 in the future.

The installation of Microsoft Copilot introduced some registry artifacts. Notably the introduction of a protocol handler "URL:ms-copilot". It also introduced a bunch of COM component stuff. I haven't played with the Copilot URI.

The registry also introduces a registry key called "Copilot" under HKCU in Software\Microsoft\Windows\Shell. I haven't played with this registry key yet. However, I am going to assume this enables or disables Copilot for the Windows Shell. Mine defaulted to disabled. This is what it looks like:

"IsCopilotAvailable", DWORD, 0x00000000
"CopilotDisabledReason", SZ, "FeatureIsDisabled"

I am going to assume in the future, if Copilot is forced upon you, Copilot can be removed (or disabled) from the Shell from here.

Under HKLM some registry artifacts are present for Windows File Explorer called CopilotFileExplorerMenu. There is also stuff present for Copilot and Microsoft Edge.

HKLM also has keys called "WindowsAI". Windows AI has "DisableCocreator", "DisableGenerateFill", "DisableImageCreator", "SetCopilotHardwareKey", "TurnOffWindowsCopilot".

I have no idea what Cocreator, ImageCreator, GenerateFill, or CopilotHardwareKey is or what it means. The TurnOffWindowsCopilot key just provides some insights into how to disable Windows Copilot. However, GenerateFill, Cocreator, and ImageCreator all point to Paint.exe. I'm going to faithfully assume Microsoft has AI stuff in Paint now.

HKLM also has "SystemSettings_DesktopTaskbar_Copilot" and points to "SettingsHandlers_DesktopTaskbar.dll" in System32.

There's a bunch of other Copilot shit too, too much to list, but there's stuff "Personalized Chats", "Copilot Gaming", over 9000 thingies for "Copilot Nudges", and stuff for caching.

Later today, or tomorrow, or whenever I feel like it, I'll talk about the main Copilot.exe binary which is actually a loader (.NET runtime host for custom stuff). The actual stuff for Copilot is Copilot.dll and it's jammed with shit.

Copilot has introduced A METRIC SHIT TON of functionality into Windows. There are so many DLLs and EXEs to poke. It is exciting.
πŸ‘40❀21🫑4πŸ”₯3😒1πŸ€“1
Microsoft Copilot has functionality for being banned

How do you get banned from Copilot if it's tied to the Operating System? What happens if you're banned from Copilot?
Unless this ban functionality is for detecting if you're banned from something else ... ? Maybe? I don't know. I'm looking at the endpoint stuff and I'm like ???
I've had a surprising amount of people ask me about Copilot and the stick I'm poking it with. Copilot is a hot topic, so I assume people are genuinely interested in how it works?

I can't really give a good tl;dr because I'm still poking it with a stick. There is a lot of stuff I don't quite understand (as is tradition), so I can only share some of my insights and speculations

Copilot.exe (the main binary) is just a .NET runtime host. MSDN has some articles about it. Basically the .exe you execute does a bunch of fancy shit, it modifies some stuff in the .exe itself (Thread Environment Block) for custom error handling to be all fancy, or whatever. It eventually invokes the Windows Library Core Language Runtime library (libcoreclr) function "coreclr_execute_assembly" and the "real" Copilot runs from Copilot.dll.

Copilot.dll (I'll just call it Copilot, whatever) is a big ass fuck off C#.NET application with what feels like over 9000 dependencies and libraries. It's a big heavy bloated son of a bitch.

Copilot determines the .NET version it's supposed to run on from a JSON file in the current directory titled "runtimeconfig.json".

Copilot uses Microsoft UI Xaml (WinUI 3?) so it is ridiculously heavy and feels like it lags constantly.

Copilot does all AI stuff server side at Microsoft at "copilot-dot-microsoft-dot-com/c/api". It looks* like it authenticates to the Copilot servers using the Microsoft account you make when you first set up Windows 11. It looks like it may also support Apple and Google, but I haven't poked it enough.

Every action taken in Copilot is a "view" and goes through a URI thingy. It's some C#.NET bullshit. I barely understand it. You can easily see all the different "views" and the URI it goes through in Copilot to load different "views" (different parts of Copilot?)

Even simple acts such as viewing a different "view", scrolling up to see previous messages sent to Copilot, etc. all go through API requests to Microsoft. It is all stored over on their stuff. Hence, Copilot can feel ridiculously slow when scrolling up to review message history. It goes through stuff like "GetConversationHistoryEndpoint" inside of CopilotNative.Platform (1.25111,85.0 .NETCoreApp, v9.0).

So... anything you do is going through their web API. It slows things down dramatically. Even renaming a conversation makes a web call.

Also, anytime you send a message to Copilot it goes through a fucking MASSIVE nested procedure that bounces all through all the dependencies. However, this is pretty standard stuff for big .NET applications.

To make a long story short-ish, each message you send to Copilot is tokenized (or rather, placed into a "Dictionary"). This dictionary contains the data you're sending and any files you're attaching. As part of this process, Copilot makes a very minor attempt at sanitizing data for "anonymity".

Copilot has different stuff in place for removing data and sensitive information but the actual act of sending a message to Copilot only censors file paths from your machine (if you send a file). In other words,

C:\Users\TommyPoop\File.txt
transforms into ..
C:\Users\<redacted>\File.txt

I haven't seen anywhere else where this logic is implemented, but it probably does more stuff somewhere. I doubt they'd include all this PII censoring logic for no reason.

Copilot also has stuff in place for advertisement identifiers, health and fitness, shopping habits, etc. I'm not sure what that's all about. I also see the gaming stuff but I haven't poked that yet either.

Copilot also also has a bunch of stuff for PicassoAI for "PicassoLabs", "PicassoFinance", "PicassoBriefings". I don't know if this is a 3rd party thing or something they made internally. I have no idea what I'm looking at.

Anyway, that is my scattered thoughts on Copilot. It is basically a really, really, really fancy web browser that can only be used to communicate with Microsoft's AI endpoints.

I quickly realized though that if you go to

C:\Windows\System32\drivers\etc\hosts

... and make an entry that makes the Microsoft Copilot AI domain resolve to localhost, Copilot implodes and drops dead. It can no longer access any API endpoints hence it cannot exist.
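The path redaction described earlier in this post, re-created as an added example (this is not Copilot's code; the function name and regex are mine) so you can see exactly how narrow a "redact the account name under C:\Users\" rule is. The sample strings are constructed.

```powershell
# Added example, not Copilot's code: re-creates the one redaction the post saw
# (the account-name segment of a C:\Users\<name>\... path) to show what it
# does and does not cover. Function name and regex are assumptions.

function Hide-ProfileName {
    param([Parameter(Mandatory)][string]$Text)
    # Replace only the path segment directly under <drive>:\Users\, which is the
    # transformation the post shows. Nothing else in the string is examined.
    return [regex]::Replace($Text, '(?i)(?<=\b[A-Z]:\\Users\\)[^\\]+', '<redacted>')
}

# Constructed inputs (not real data). Only the first one is fully covered.
$samples = @(
    'C:\Users\TommyPoop\File.txt',                          # the post's example
    'C:\Users\TommyPoop\Documents\TommyPoop resume.docx',   # name repeated later in the path
    'copied from \\fileserver\share\TommyPoop\notes.txt',   # UNC path: no \Users\ segment
    'sent by tommypoop@example.com on Monday'               # no path at all
)

$samples | ForEach-Object {
    $after = Hide-ProfileName -Text $_
    [pscustomobject]@{
        Before = $_
        After  = $after
        Leaks  = ($after -match '(?i)tommypoop')   # True when the name survived
    }
} | Format-Table -AutoSize
```

Only the first sample comes out clean; the other three still carry the name, which is the practical reading of "very minor attempt": the rule protects the profile path shape, not the person.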
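An added pair of helpers (not from the post; function names are mine) for the hosts-file observation above: one audits the file for any existing entry naming the Copilot API host (copilot.microsoft.com, the post's domain spelled out), the other adds or removes the localhost entry with a backup and -WhatIf support, so the change is deliberate and reversible rather than a hand edit.

```powershell
# Added example, not from the post: audit the hosts file for an override of the
# Copilot API host, and add/remove the localhost entry the post describes.
# Writing to hosts needs an elevated prompt.

function Get-HostsOverride {
    param(
        [string]$HostName  = 'copilot.microsoft.com',
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    )
    if (-not (Test-Path -Path $HostsPath)) { return }
    $lineNo = 0
    foreach ($line in Get-Content -Path $HostsPath) {
        $lineNo++
        # hosts format: <address> <name> [<name>...] [# comment]; drop the comment first.
        $body = ($line -split '#', 2)[0].Trim()
        if ($body -eq '') { continue }
        $fields = @($body -split '\s+')
        if ($fields.Count -lt 2) { continue }
        # -contains is case-insensitive, matching how the resolver treats names.
        if ($fields[1..($fields.Count - 1)] -contains $HostName) {
            [pscustomobject]@{ Line = $lineNo; Address = $fields[0]; Text = $line }
        }
    }
}

function Set-HostsOverride {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$HostName  = 'copilot.microsoft.com',
        [string]$Address   = '127.0.0.1',
        [switch]$Remove,
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    )
    # Keep every line that does not already name this host, so the file never
    # carries two competing entries; then append the new one unless -Remove.
    $kept = @(Get-Content -Path $HostsPath | Where-Object {
        (($_ -split '#', 2)[0] -split '\s+') -notcontains $HostName
    })
    if (-not $Remove) { $kept += "$Address`t$HostName`t# added by Set-HostsOverride" }
    if ($PSCmdlet.ShouldProcess($HostsPath, "rewrite with $($kept.Count) lines")) {
        Copy-Item -Path $HostsPath -Destination "$HostsPath.bak" -Force   # keep a backup
        Set-Content -Path $HostsPath -Value $kept -Encoding ascii
    }
}

Get-HostsOverride               # report any existing entry (no output = none)
Set-HostsOverride -WhatIf       # preview the localhost entry without writing
# Set-HostsOverride             # apply it; Set-HostsOverride -Remove undoes it
```

Run `ipconfig /flushdns` afterwards if the old answer is still cached. The audit function is also the detection side: an unexpected entry for this or any other vendor host in a fleet's hosts files is worth a look, since the same mechanism that kills Copilot here can redirect anything else.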
yOurE nOt a ReAl pRoGraMmeR uNlEsS yOu knOw ASSemBly

1. It's an instruction set
2. It's illegal
3. It's for nerds
Absolute bloodbath on Xitter right now.

New changes have been pushed where you can now see the origins of someone's account. Additionally, it flags if they suspect the person is using a VPN.

Surprise Pikachu face, lots of people from India, Pakistan, and Indonesia impersonating Americans, Israelis, or Europeans to engagement bait for money.

Also, a surprisingly high amount of people who are heavily involved in (commenting on) United States politics who reside outside of the United States.

Funny stuff. Very silly.
computer time
Hello,

Soon I will be off-loading our vx-underground merch stuff to 1336_0ff_by_0ne.

1. Bradley primarily handled merchandise stuff. Unfortunately, Bradley isn't really around anymore due to sickness in his family. His father is terminally ill (sort of, long story) and Bradley is working a full-time job while simultaneously taking care of him. Bradley is a real muthafuckin G, works his fuckin' ass off, and takes care of his family. I love him.

2. I do malware paper collections, malware sample collections, social media posts, ... pretty much everything related to vx-underground. I also do weird dumb goofy shit like spend 16 hours poking Microsoft Copilot with a stick. I also (also) do this while working full-time and having a family. I do not possess the energy to deal with merchandise stuff.

3. 1336 0ff by 0ne is amazing. He does everything by hand (making the merchandise) and he also does the artwork by himself. He's a fucking genius and I love his work.

My plan is to basically offload all vx-underground merchandise to him with him keeping a majority of the profit and myself only getting some pennies, or something. Our current deal with Shopify doesn't give us shit anyway. We make like, $1 off a shirt. If we use 1336 0ff by 0ne then at least someone cool is making money and not some slimy fuck in a suit.

Ideally, if I offload this merchandise stuff to 1336 0ff by 0ne we can have cool stuff happen such as:

1. I no longer have to deal with merchandise stuff, I'm busy

2. 1336 0ff by 0ne gets more business. We get some merchandise sales so hopefully people will think his merchandise is cool and badass and he makes some money too.

Look at his Emotet and Lockbit malwear* merchandise. It's cool and badass
Has everyone lost their god damn mind?
Today an old acquaintance of mine died. He and I were not close by any means. He was a family member of a friend.

The older I get, the more dead people I know.

I've lost a lot of friends, family, and acquaintances over the past 3 decades.

A majority of the deaths have been due to the influence of drugs or alcohol.

I know many of you younger people think (whether you acknowledge it or not) that you're invincible or "it wouldn't happen to me", but I cannot stress this enough: don't fuck around with drugs or alcohol.

"So when the devil wants to dance with you, you better say never, because a dance with the devil might just last you forever"
I cannot keep track of the number of deceased I know. It's pretty high and it grows each year.

Off the top of my head:
- 4 Dead from drunk driving
- 1 Overdose
- 3 Suicides (addicted to drugs)
- 2 Dead from medical complications from alcohol
My least favorite thing about doing malware stuff is the absolutely deranged malware conspiracy theories.

I can't tell if it's mental illness, or the result of being terminally online, or ignorance, or all of the above.

I get messages from people writing about cross-platform metamorphic multi-staged information stealers abusing 0day exploits in image compression software which is delivered from Bruce Springsteen eBay listings.

You need to get off the computer, dawg
SCHMEELLY I THINK THE GOVERNMENT PUT A RAT IN MY PHONE

Dawg, you play Diablo and piss in empty soda cans. The government does NOT give a fuck about you.
Might not work this week. In the United States it is a holiday called "Thanksgiving".

According to our educational institutions when we were like, 6 years old, Thanksgiving is a day on which we celebrate the day English settlers and the indigenous Native Americans sat down and ate a lovely meal.

It is symbolic of the unity of English settlers who escaped tyranny, or something, and then befriended the indigenous people of the Americas. It is a day we share thanks and give, or whatever.

We later learn this is romanticized and partially incorrect. We also later learn in our educational institutions what followed this lovely meal was famine, war, disease, and anything else horrible you can fathom.

Despite virtually every single person in the United States acknowledging this is a romanticized myth, we still celebrate it because it's another reason to burn money and drive ourselves deeper in debt.

Following this, people do "Black Friday". Black Friday is a day where we worship our billionaire oligarchs and beg them for discounts and scraps of goods they no longer intend to sell at regular retail value.

Our billionaire overlords have been so pleased with this that the "Black Friday" event has now been extended for several days, as long as a week by some retailers, to ensure maximum exploitation of not only consumers but seasonal employees.

If you want to learn more about malware the easiest method is learning malware TTPs (Tactics, Techniques, and Procedures). Basically, understand some of the techniques employed by malware authors to do stuff.

Some malware techniques are simple and old

Some malware techniques are incredibly sophisticated

What you'll notice though with malware TTPs is each TTP is a "stepping stone". For example, the most advanced evasion techniques often stem from the most basic of evasion techniques.

Research and improvements on malware don't come from nowhere. Each technique comes from standing (metaphorically) on the work of others.

Malware TTPs are broken down kind of subjectively. They're hard to categorize. MITRE is the industry standard for malware TTPs, but even then there is some debate on the effectiveness of it.

By effectiveness I mean, if you have a simple malware technique that is slightly modified, is it the same malware technique? Is it a whole new category? How many "modifications" until it has its own entry? It's just debating classification.

For Windows malware, however, malware is defined as something along the lines of:

1. How was it delivered to the machine?
2. How many "chains" or "stages" or "redirects" were performed until the payload was detonated?
3. How was the payload detonated?
4. Is the payload persistent?
5. What was the objective of the malware?

On missiles and stuff, the part that explodes is the payload. It is the same concept with malware. The actual malicious code that does the malicious stuff is the payload.

With chains, or redirects, or stages, ... modern malware is often not as simple as someone double-clicking a .exe and the payload detonating. While this is true for common malware, more sophisticated malware will often jump through a series of hoops until the actual payload is detonated.

For example, more sophisticated malware may send a malicious email attachment that is a .Lnk file (shortcut file). When the user double clicks the .Lnk file the .Lnk file may download a .zip file. The .Lnk file will extract the .zip which will contain a malicious .JS file. The .Lnk file will execute the .JS file.

The .JS file will delete the .Lnk and .zip. The .JS file will then generate a .PS1 script and execute it. The .PS1 file will delete the .JS file and download a .exe file. The .exe file then will download a .dll file. The .DLL is the payload.

1. Lnk downloads .zip
2. Lnk extracts zip
3. Lnk runs .JS
4. JS deletes .Lnk
5. JS deletes .zip
6. JS makes .ps1
7. ps1 downloads .exe
8. ps1 deletes .JS
9. .exe downloads .DLL
10. .exe runs .DLL payload

The reason malware does this is because it makes it difficult for antivirus software to identify the final payload. Researchers will need to reconstruct the series of events which led to the payload delivery. Additionally, malware authors may modify the chaining at any given moment to make detection much more difficult.

Okay, that's enough schizo ranting for now.
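The reconstruction the post says researchers have to do, as an added example (not from the post): rebuild parent/child process chains from process-creation records and flag the chains that pass through several script or loader hosts in a row, which is what the Lnk > JS > PS1 > exe > DLL sequence above looks like in telemetry. The records are constructed for this example; PIDs, file names, the "user1" profile and the "Start" export name are invented, and the function names are mine.

```powershell
# Added example, not from the post: detect staged execution by counting how many
# script/loader hosts sit in a process's ancestry. Records are constructed and
# shaped like the fields a process-creation log (e.g. Sysmon event 1) carries.

function New-ProcEvent($ProcessId, $ParentId, $Image, $CommandLine) {
    [pscustomobject]@{ ProcessId = $ProcessId; ParentId = $ParentId; Image = $Image; CommandLine = $CommandLine }
}

$tmp = 'C:\Users\user1\AppData\Local\Temp'   # constructed staging directory
$ps  = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$events = @(
    (New-ProcEvent 1000 800  'C:\Windows\explorer.exe'            'explorer.exe'),
    # Staged chain in the order the post lists it: Lnk -> JS -> PS1 -> exe -> DLL
    (New-ProcEvent 1104 1000 'C:\Windows\System32\cmd.exe'        'cmd.exe /c <lnk target command>'),
    (New-ProcEvent 1210 1104 'C:\Windows\System32\wscript.exe'    "wscript.exe $tmp\stage.js"),
    (New-ProcEvent 1322 1210 $ps                                  "powershell.exe -File $tmp\stage.ps1"),
    (New-ProcEvent 1440 1322 "$tmp\stage.exe"                     'stage.exe'),
    (New-ProcEvent 1552 1440 'C:\Windows\System32\rundll32.exe'   "rundll32.exe $tmp\stage.dll,Start"),
    # Ordinary activity that must not be flagged
    (New-ProcEvent 2000 1000 $ps                                  'powershell.exe'),
    (New-ProcEvent 2100 1000 'C:\Windows\System32\cmd.exe'        'cmd.exe'),
    (New-ProcEvent 2200 2100 $ps                                  'powershell.exe -File build.ps1')
)

function Get-ProcessChain {
    param([object[]]$Events, [int]$ProcessId)
    $byId = @{}
    foreach ($e in $Events) { $byId[[int]$e.ProcessId] = $e }
    $chain = New-Object System.Collections.Generic.List[string]
    $seen  = @{}
    $cur   = $ProcessId
    # Walk up the ancestry until the parent is unknown; $seen guards against PID-reuse loops.
    while ($byId.ContainsKey($cur) -and -not $seen.ContainsKey($cur)) {
        $seen[$cur] = $true
        $chain.Insert(0, ($byId[$cur].Image -split '\\')[-1])   # image file name only
        $cur = [int]$byId[$cur].ParentId
    }
    return ,$chain.ToArray()
}

function Find-StagedExecution {
    param([object[]]$Events, [int]$MinHops = 3)
    # Script and loader hosts that staged chains pass through; each counts as one hop.
    $hosts   = 'cmd.exe','wscript.exe','cscript.exe','powershell.exe','pwsh.exe',
               'rundll32.exe','regsvr32.exe','mshta.exe'
    $parents = @($Events | ForEach-Object { [int]$_.ParentId })
    foreach ($e in $Events) {
        if ($parents -contains [int]$e.ProcessId) { continue }   # report only chain tips
        $chain = Get-ProcessChain -Events $Events -ProcessId $e.ProcessId
        $hops  = @($chain | Where-Object { $hosts -contains $_ }).Count
        if ($hops -ge $MinHops) {
            [pscustomobject]@{
                ProcessId   = $e.ProcessId
                Hops        = $hops
                Chain       = ($chain -join ' > ')
                CommandLine = $e.CommandLine
            }
        }
    }
}

Find-StagedExecution -Events $events | Format-List
```

With these records only PID 1552 is reported (four hops: cmd > wscript > powershell > rundll32); the lone PowerShell console and the cmd > powershell build chain stay under the threshold. The threshold is the tuning knob: single cmd/powershell pairs are everyday admin activity, which is why the check counts interpreters in the ancestry rather than matching any one file type, and why changing the chaining (as the post notes authors do) moves the chain but not the count.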