- 2 months
Wow, in case it’s not clear, it really is the same file for all three platforms.
- 2 months
This is pretty cool. Reminds me of .kkrieger, but this beats it in small size and that it’s a polyglot (though .kkrieger wins in visuals)
I didn’t see a link to source code for the snake tho
- 2 months
No problem :)
Upon reading my comment again, it’s a bit ambiguous. Clarified a bit
- 2 months
VirusTotal doesn’t like it https://www.virustotal.com/gui/file/ede115f31fb3fcc3c27bad1b6da5cfee30bd692c3fc04ca1e8f0e8f43787b66f
Either it’s because it’s using the same technique as malware, or because it’s malware.
TeamAssimilation@infosec.pub
- 2 months
I’d guess the former, given it’s tiny compared to normal droppers, but you can never be sure these days.
This sample is a multi-platform ‘polyglot’ binary acting as a dropper and potentially a browser-based exploit. It functions as a Windows PE (with no standard imports, suggesting custom shellcode or manual API resolution), a Linux shell script, and an HTML/JavaScript file. The Linux component contains a command (‘tail -c+4294 $0 | lzma -dc > /tmp/a’) that extracts and executes a hidden payload from its own body. The embedded JavaScript is obfuscated and uses ‘eval’ to execute dynamically generated code. This structure is typical of sophisticated malware or cross-platform exploit delivery kits.
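The layout described in that analysis (PE header, shell self-extraction stub, HTML/JS with `eval`) is something a triage script can flag without running the file. The following is an added example, not code from the thread or from VirusTotal; the sample bytes are constructed to mimic the described structure, and the indicator patterns are my own heuristics.

```python
import re
import struct

# Constructed sample (not the file from the thread): an MZ/PE header, a shell
# stub that self-extracts an LZMA payload, and an HTML/JS tail with eval().
SAMPLE = bytearray(b"MZ" + b"\x00" * 0x3A)
SAMPLE += struct.pack("<I", 0x80)                  # e_lfanew -> "PE\0\0" at 0x80
SAMPLE += b"\x00" * (0x80 - len(SAMPLE))
SAMPLE += b"PE\x00\x00"
SAMPLE += b"\n# shell stub\ntail -c+4294 $0 | lzma -dc > /tmp/a\nexit\n"
SAMPLE += b"<html><script>eval(String.fromCharCode(1,2,3))</script></html>"
SAMPLE += b"\x00" * 4300                           # stand-in for the compressed body

# "tail -c+N $0 | <decompressor> -dc": N is a 1-based byte offset into the file itself.
SELF_EXTRACT = re.compile(rb"tail\s+-c\s*\+?(\d+)\s+\$0\s*\|\s*(lzma|xz|gzip|bzip2|zstd)\s+-dc?")


def has_pe_header(data: bytes) -> bool:
    """MZ magic at offset 0 and a valid PE signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_self_extract(data: bytes):
    """Return details of a self-extraction stub, or None if no such command is present."""
    m = SELF_EXTRACT.search(data)
    if not m:
        return None
    offset = int(m.group(1))
    return {
        "offset": offset,
        "decompressor": m.group(2).decode(),
        # A stub pointing past the end of the file cannot carry a payload in this file.
        "offset_in_range": offset <= len(data),
    }


def has_eval_script(data: bytes) -> bool:
    """HTML/JS indicator: a <script> tag together with a call to eval()."""
    return b"<script" in data.lower() and re.search(rb"\beval\s*\(", data) is not None


def classify_polyglot(data: bytes) -> dict:
    """Collect the three format indicators; two or more in one file means polyglot."""
    findings = {
        "pe": has_pe_header(data),
        "shell_self_extract": find_self_extract(data),
        "html_js_eval": has_eval_script(data),
    }
    formats = sum([findings["pe"], findings["shell_self_extract"] is not None, findings["html_js_eval"]])
    findings["polyglot"] = formats >= 2
    return findings
```

Run on a real file with `classify_polyglot(open(path, "rb").read())`; the `offset_in_range` field tells you whether the extraction offset actually lands inside the scanned file.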