7·
26 days agoI can’t sleep :(
bcovertigo
- 0 Posts
- 3 Comments
Joined 2 years ago
Cake day: October 24th, 2023
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
Typosquat domain for sure! In a sandbox I’m seeing that all the download links point to the same HTML page on a .ink domain that cloudflare is now refusing to serve.
But our buddy joe already got a copy for us so we can at least view that report for fun: https://www.joesandbox.com/analysis/1763244/1/html
Edit: It pulls down an MSI installer or something it runs with msiexec but disguised with a PDF file extension. It seems to want a copy of cmd.exe to exist in an AutoIT installation (SearchPathW vs “C:\Program Files (x86)\AutoIt3\cmd.exe”) as well as pointing toward the multilanguage (.exe.mui) and other cmd variants. I suspect we’re one step away from a real payload with this report and that’s what we’d see the “Invoke-Obfuscation” powershell the sandbox spotted used for (if that wasn’t a false positive due to the base64 offset string).
1·3 months agodeleted by creator
I genuinely think that being ranted at by my principal engineer early in my career and having to defend my ideas did more for my understanding and problem solving than any amount of explanation could have. Good faith disagreement is like a mirror that lets you see from perspectives you’d never have access to alone.