Tuesday, December 7, 2021

BlackByte Ransomware – Pt. 1 In-depth Analysis

The main function of the obfuscated JScript is to decode the main payload and launch it in memory. Below is the de-obfuscated and beautified code:

The DLL Payload

The payload is a .NET DLL (managed code) that contains a class named jSfMMrZfotrr.

Figure 3. DLL file .NET assemblies

The main purpose of this DLL is the following:

Add .JS and .EXE file extensions into Microsoft Defender’s exclusion list. Evade the Microsoft Antimalware Scan Interface (AMSI) DLL so that it will not scan t…
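Defender records every exclusion change as event ID 5007 ("configuration has changed") in the Microsoft-Windows-Windows Defender/Operational log, which gives a defender a log-based way to spot the .JS/.EXE exclusions described above. The following detection snippet is an added example and is not code from the original analysis or the malware; the sample event messages are constructed to follow the general shape of 5007 messages, and the regex is an assumption about that shape, not a documented Defender API.

```python
import re

# Constructed sample (event_id, message) pairs modelled on Defender event 5007.
# Real messages differ slightly in whitespace; only the "New value:" line matters here.
SAMPLE_EVENTS = [
    (5007, "Microsoft Defender Antivirus Configuration has changed.\r\n"
           "\tOld value: \r\n"
           "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\.js = 0x0"),
    (5007, "Microsoft Defender Antivirus Configuration has changed.\r\n"
           "\tOld value: \r\n"
           "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\.exe = 0x0"),
    (5007, "Microsoft Defender Antivirus Configuration has changed.\r\n"
           "\tOld value: \r\n"
           "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Build\\ = 0x0"),
    (5007, "Microsoft Defender Antivirus Configuration has changed.\r\n"
           "\tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\X = 0x0\r\n"
           "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\X = 0x1"),
    (1116, "Microsoft Defender Antivirus has detected malware or other potentially unwanted software."),
]

# Assumed shape of the registry path Defender reports for a newly added exclusion.
_EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Extensions|Paths|Processes)\\(?P<value>.+?)\s*=\s*0x[0-9A-Fa-f]+"
)

# The two extensions the BlackByte loader excludes, per the analysis above.
WATCHED_EXTENSIONS = {".js", ".exe"}

def parse_exclusion_added(event_id, message):
    """Return (kind, value) if a 5007 event records a newly added exclusion, else None."""
    if event_id != 5007:
        return None
    m = _EXCLUSION_RE.search(message)
    if not m:
        return None
    return m.group("kind"), m.group("value")

def find_suspicious_exclusions(events, watched=WATCHED_EXTENSIONS):
    """Return watched extension exclusions added in the event stream, in log order."""
    hits = []
    for event_id, message in events:
        parsed = parse_exclusion_added(event_id, message)
        if parsed and parsed[0] == "Extensions" and parsed[1].lower() in watched:
            hits.append(parsed[1].lower())
    return hits

if __name__ == "__main__":
    for ext in find_suspicious_exclusions(SAMPLE_EVENTS):
        print(f"ALERT: Defender exclusion added for extension {ext}")
```

On a live host the same logic runs over the Operational log exported with wevtutil or Get-WinEvent; an exclusion for executable or script extensions appearing shortly after a script-host process start is the pattern worth alerting on.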
