The malware runs several tests before fully infecting a system, checking for the existence of multiple virtual machine products, disk space, number of physical processors, and more (T1497.001).

Figure 1.

One of the tests run by FatalRAT involves checking for the existence of virtual machine services, as shown in figure 2.

Figure 2.

AntiVM techniques include searching for services. Another includes querying the registry, as shown in figure 3.

Figure 3.

If the machine passes the malware's AntiVM tests, FatalRAT then starts its malicious activity. First, it decrypts each of the configuration strings separately (T1027).

Figure 4. Decrypting configuration strings.

Figure 5 shows the routine used by FatalRAT for decrypting strings. These configuration strings include the Command and Control (C&C) address, new malware file name, service name, and other settings.

The malware will disable the ability to lock the computer by using CTRL+ALT+DELETE.
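The four anti-VM test classes described above (VM services, VM registry keys, disk size, physical processor count) are exactly what an analyst needs to audit on a sandbox before detonating a sample like this one. The script below is an added example, not code from the write-up or from the malware: the indicator names and thresholds are assumptions chosen for illustration, and the host inventories are constructed inline so it runs offline.

```python
"""Sandbox exposure check mirroring the anti-VM test classes the write-up
attributes to FatalRAT (T1497.001): VM services, VM registry keys, disk
size and physical processor count. Indicator names and thresholds are
assumptions for illustration, not values recovered from the malware."""
from dataclasses import dataclass, field

# Assumed indicator sets: common guest-tools service names and registry
# keys that reveal a hypervisor. Extend them from your own sandbox fleet.
VM_SERVICE_NAMES = {"vboxservice", "vmtools", "vmtoolsd", "vmhgfs", "xenevtchn"}
VM_REGISTRY_KEYS = {
    r"hklm\system\currentcontrolset\services\vboxguest",
    r"hklm\software\vmware, inc.\vmware tools",
}
MIN_DISK_BYTES = 60 * 1024**3   # assumed threshold: < 60 GB looks like a sandbox
MIN_PHYSICAL_CPUS = 2           # assumed threshold: single core looks like a sandbox

@dataclass
class HostInventory:
    services: set = field(default_factory=set)
    registry_keys: set = field(default_factory=set)
    disk_bytes: int = 0
    physical_cpus: int = 0

def sandbox_tells(inv: HostInventory) -> list[str]:
    """Return the checks on which this host would be classified as a VM.
    An empty list means the analysis box passes all four test classes."""
    tells = []
    hits = {s.lower() for s in inv.services} & VM_SERVICE_NAMES
    if hits:
        tells.append("vm_service:" + ",".join(sorted(hits)))
    hits = {k.lower() for k in inv.registry_keys} & VM_REGISTRY_KEYS
    if hits:
        tells.append("vm_registry:" + ",".join(sorted(hits)))
    if inv.disk_bytes < MIN_DISK_BYTES:
        tells.append(f"small_disk:{inv.disk_bytes}")
    if inv.physical_cpus < MIN_PHYSICAL_CPUS:
        tells.append(f"few_cpus:{inv.physical_cpus}")
    return tells

# Constructed inventories: a stock VirtualBox analysis VM and a hardened one.
DEFAULT_VM = HostInventory(
    services={"VBoxService", "Spooler"},
    registry_keys={r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest"},
    disk_bytes=40 * 1024**3, physical_cpus=1)
HARDENED_VM = HostInventory(
    services={"Spooler"}, registry_keys=set(),
    disk_bytes=250 * 1024**3, physical_cpus=4)

if __name__ == "__main__":
    for name, inv in (("default", DEFAULT_VM), ("hardened", HARDENED_VM)):
        print(name, sandbox_tells(inv) or "passes all checks")
```

Feed it a real inventory (service list, registry key list, disk size, core count) from the analysis VM and fix every tell it reports before running the sample, or the AntiVM stage described above will simply abort the infection.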