- RegDecoder by Digital Forensics Solutions: Wonderful registry tool for analysis
- Scrdec by Mr.Brownstone: JScript decoder
- PDFStreamDumper by David Zimmer for prettifying the code
- CygWin to add some *nix functionality to Windows; these additional packages were added:
  - xxd -> hex editor
  - binutils -> strings
- MAP by iDefense for the Shell Extensions of strings and submitting to VirusTotal
- Foremost for carving
For those who just want to cut to the chase (you know who you are, you TLDR people), here are the steps:
- Copy the data from the registry key holding the JScript encoded data (it's somewhere under HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
- Decrypt with scrdec
- Extract & decode the base64
- Extract & decode the 2nd base64
- Carve the DLL
In the next video I will show how to extract the DLL from a memory dump. Hope everyone enjoys!