Memory modification not detected?

When you say “spoofed as jpg”, the only way I can think of is if the file you’re referring to is called something like “filename.jpg.exe”.

For display purposes, Windows, for reasons best known to itself, reads the filename up to the first period and then assumes the next chunk of characters up to the end of the filename (or up to the next period) is the file extension. In the example above, Windows reads “filename” as the name of the file and “jpg” as the file extension associated with “filename”. This is why your jpg file appears with what I assume is an ACDSee file icon. For display purposes, Windows absolutely ignores the “.exe” that is after the “.jpg”.

If the file is called “filename.jpg.exe”, you would need to enter exactly that (including the double extension) to run it as an executable from the command line. If you ran “filename.jpg” it simply would be opened by whatever application your system has associated with JPGs.

LOL. Now I’m starting to have second thoughts on this.

When I get a spare moment, I’ll double check all this, but I’m pretty sure I’m right. JPGs are not executable, only callable by an executable.

As a test, can you run it again and while it is running, open Task Manager and see if you can see the JPG file listed.
If it is, I’ll get out the bar-b-q and prepare to eat my good brown hat. :wink:

Ewen :slight_smile:

Hi, it’s an executable and it has no double extension like jpg.exe etc. Its extension jpg is wrong and its icon is also wrong. It’s an executable, all I can tell you. When you run it via the command line it executes and runs in Task Manager as an executable.

That’s all. I am sending you the link via PM. Run it via the command line and see what happens.

Got it! It’s not a double extension, it’s a renamed EXE. If you look at the file header its type is PE (program executable), regardless of what file extension is applied to the file.

It’s a variant of the delph trojan. Nasty bit of work. If you rename it to a TXT file you can open it and read some of the junk in notepad.

Now, I’ll go back and have a look at your original post. LOL

Cheers,
Ewen :slight_smile:
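Ewen’s “look at the file header” check, written out as an added example (not code from this thread): a small Python routine that recognises a PE file by its DOS “MZ” stub and the “PE\0\0” signature that e_lfanew points to, and flags the mismatch when the extension claims the file is an image. The PE-like bytes below are constructed for the demo and are not a real program.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"          # first three bytes of every JPEG
PE_EXTENSIONS = {"exe", "dll", "sys", "scr"}


def build_fake_pe() -> bytes:
    """Constructed sample: MZ stub + e_lfanew at 0x3C + 'PE\\0\\0' at 0x80."""
    e_lfanew = 0x80
    buf = bytearray(b"MZ" + b"\x00" * (0x3C - 2))   # pad up to offset 0x3C
    buf += struct.pack("<I", e_lfanew)              # e_lfanew field
    buf += b"\x00" * (e_lfanew - len(buf))          # pad up to the PE header
    return bytes(buf) + b"PE\x00\x00" + b"\x00" * 20


def is_pe(data: bytes) -> bool:
    """True when data carries an MZ stub whose e_lfanew lands on 'PE\\0\\0'.

    Truncated files and out-of-range e_lfanew values return False instead
    of raising, so the check can be run over arbitrary input.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(name: str, data: bytes) -> str:
    """Label a file by its header and say whether the extension agrees."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if is_pe(data):
        if ext in PE_EXTENSIONS:
            return "pe-expected"
        # Header says executable, name says something else: renamed EXE.
        return f"pe-masquerading-as-{ext or 'none'}"
    if data[:3] == JPEG_MAGIC:
        return "jpeg"
    return "unknown"


if __name__ == "__main__":
    print(classify("photo.jpg", build_fake_pe()))   # pe-masquerading-as-jpg
    print(classify("photo.jpg", JPEG_MAGIC + b"\xe0"))  # jpeg
```

The same check applies to any extension: the header decides what Windows will load, and the name only decides which icon Explorer draws.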

Anything new about this?

Thanks

Bump!

Hi,

Attached are the D+ popups you can see when this malware is run. The critical popup is the second one i.e. the malware tries to run iexplore.exe.

After allowing this action, D+ will not ask for any memory modification attempts on an application by its parent because:

1 - The parent already obtained a handle to the child process i.e. this means it can fully control its child process without modifying its memory (there are many ways to do this)
2 - There are many other things it can do on the child process once it is allowed to execute it
3 - Legitimate applications such as explorer.exe do the same from time to time.

Egemen

[attachment deleted by admin]

Yep. Executing iexplore.exe is the key popup here and can’t be missed.

I noticed your post after I posted mine. Mine was useless because of yours, that’s why I almost immediately deleted it :-[

Thanks Egemen :-TU
That explains everything I was thinking of during testing.

Hi egemen, thanks for your explanation. It’s clear now. (:CLP)

goodbrazer! Thanks too.

All !ot! discussion about file extensions etc. was moved here.
Thread is closed.