#Malware Theory #Initial Access #Executables

Malware Executable Formats

Windows supports quite a few file extensions that can be executed by the built-in functions of the operating system. In addition to the built-in extensions, there are also files supported by very popular software, such as Microsoft Office. Each of these extensions can potentially execute malicious code. They vary in popularity and detection rates.

Native executables

EXE

The most basic type of executable file on Windows. They are executed by double-click or by running ./file.exe from a shell. File format: Portable Executable (PE). The .exe is the most versatile format, though probably also the most suspect: unsigned .exe files from unknown vendors are inherently suspicious.

Malicious .exe files can be packed with packers. A packer is software that transforms a file so that its structure looks different while its functionality stays the same: it obfuscates the final PE structure and the code, and compresses it. Apart from malware development, packers are used to protect software from being reverse engineered or cracked. Most common packers: UPX, MPRESS, Themida. Sometimes they add anti-debugging code as well.

The packer embeds a code stub that contains the unpacker and redirects the main entry point to it. If the unpacker stub has a known signature, AV solutions can still detect any packed executable from the stub alone. The payload unpacked in memory can still be detected by memory scanning, but that can be evaded with anti-VM techniques.

There are many other tricks for hiding the actual behaviour of an .exe file from static analysis.
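A static triage check for the packer traits described above (packer section names, compressed high-entropy sections, an entry point redirected into the unpacker stub), written in Python as an added example for this page rather than code from the original notes. It carries its own minimal PE header parser so it needs no third-party library; the 7.2 bits/byte entropy cut-off, the section-name list and the two in-memory sample images are constructed assumptions, not real binaries.

```python
import hashlib, math, struct
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".MPRESS1", ".MPRESS2", ".themida"}
ENTROPY_THRESHOLD = 7.2  # assumed cut-off: compressed or encrypted data sits near 8 bits/byte

def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data)) if n else 0.0

def parse_pe(blob):
    """Return (entry_point_rva, [(name, vaddr, vsize, raw_bytes)]) read from the PE headers."""
    pe = struct.unpack_from("<I", blob, 0x3C)[0]               # e_lfanew
    if blob[:2] != b"MZ" or blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", blob, pe + 6)[0], struct.unpack_from("<H", blob, pe + 20)[0]
    entry = struct.unpack_from("<I", blob, pe + 40)[0]         # OptionalHeader.AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = pe + 24 + opt_size + 40 * i                      # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", blob, off)
        sections.append((name.rstrip(b"\0").decode(), vaddr, vsize, blob[rptr:rptr + rsize]))
    return entry, sections

def packer_indicators(blob):
    """Static hints of packing: packer section names, high-entropy sections, entry point outside .text."""
    entry, sections = parse_pe(blob)
    findings = []
    for name, vaddr, vsize, raw in sections:
        if name in PACKER_SECTION_NAMES:
            findings.append(f"packer section name {name}")
        if (ent := shannon_entropy(raw)) > ENTROPY_THRESHOLD:
            findings.append(f"high entropy {ent:.2f} in {name}")
        if name != ".text" and vaddr <= entry < vaddr + max(vsize, len(raw)):
            findings.append(f"entry point 0x{entry:x} outside .text (in {name})")
    return findings

def build_sample_pe(sections, entry):
    """Constructed PE32 image for testing: DOS stub, headers and (name, vaddr, raw) sections."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry) + b"\0" * (0xE0 - 20)
    table, data, ptr = b"", b"", len(dos) + len(nt) + len(opt) + 40 * len(sections)
    for name, vaddr, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), vaddr, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        data, ptr = data + raw, ptr + len(raw)
    return dos + nt + opt + table + data

# Constructed samples (not real binaries): a UPX-style layout with the entry point in the compressed section, and a plain image.
PACKED_SAMPLE = build_sample_pe([("UPX0", 0x1000, b""), ("UPX1", 0x2000, b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)))], 0x2010)
CLEAN_SAMPLE = build_sample_pe([(".text", 0x1000, b"\x90" * 512 + b"\xC3")], 0x1000)
```

Run packer_indicators() on the bytes of any PE file; the three heuristics are triage hints that justify a closer look, not proof of malice.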

MSI

Legitimate .msi files are pre-compiled packages that automate the installation process. They are executed by double-click or with the msiexec -i file.msi command. .msi files follow the PE file structure, so they can be as malicious as .exe files.

DLL

A .dll file (Dynamic-Link Library) cannot be executed by double-click, but it has other interesting properties. Malicious DLL files can be loaded by signed and trusted software as a result of weaknesses known as:

  • DLL Side-Loading
  • DLL Hijacking

DLLs are ordinary PE files, so they can do everything a standard .exe can. A DLL can also be executed directly with: rundll32.exe file.dll,EntryPoint.

COM

TBD;

CPL

A .cpl (Control Panel Item) file is used to extend the functionality of the built-in Control Panel, allowing configuration and management of various system settings. .cpl files are compiled PE binaries, so they can do everything a standard .exe can. They contain special functions and interfaces that allow them to be invoked by the Control Panel. A .cpl file can be executed by double-click or with the control.exe file.cpl command.

SCR

A .scr file is primarily known as a screensaver executable. When a computer is idle for a specified period, the operating system can display a screensaver. .scr files are basically PE files that contain the code needed to run a screensaver; they can include visual effects but also malicious code.

Periodic execution of an .scr file can be configured in the Control Panel, but it can also be executed by double-click.

BAT

A .bat file is a script file (batch script) that contains a sequence of commands intended to be executed by CMD. Legitimate .bat files are commonly used to automate tasks and configure system settings. These files are just a plain-text set of instructions interpreted and executed directly by cmd.exe (double-click).

CMD

The .cmd extension is the newer sibling of .bat. In most cases, for general scripting, both extensions behave similarly. However, .cmd files can offer subtle advantages in error handling and command interpretation for more complex scripts on modern Windows platforms. Both extensions are executed by double-click.

LNK

.lnk files are essentially shortcuts, commonly used to create convenient access points to applications or documents. More precisely, a .lnk is a simple command shortcut that most often opens or runs some frequently used program. However, this does not have to be the case: define in the shortcut properties that the .lnk leads to "cmd.exe /c ..." and a double-click executes any malicious CMD or PowerShell code.

Caveats:

  • Although .lnk is the actual file extension, Windows typically hides the extension from view, and users see just the file name with an arrow overlay on the icon.
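Because Explorer hides both the extension and the real target, a defender who wants to know what the double-click actually runs has to parse the shortcut itself. The following Python is an added example, not code from the original page: it reads the Shell Link header and StringData (RELATIVE_PATH and COMMAND_LINE_ARGUMENTS, skipping the IDList and LinkInfo blocks) and flags shortcuts whose target is cmd.exe or another script host launched with arguments, or whose window opens minimized. The host list and the two constructed sample shortcuts are assumptions made for the demonstration.

```python
import struct, uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le  # ShellLinkHeader.LinkCLSID
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")  # assumed list

def parse_lnk(blob):
    """Return ShowCommand and the StringData fields of a Shell Link (MS-SHLLINK layout)."""
    size, clsid, flags = struct.unpack_from("<I16sI", blob, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a .lnk file")
    fields = {"show_command": struct.unpack_from("<I", blob, 0x3C)[0]}
    off = 0x4C
    if flags & HAS_IDLIST:                        # IDListSize (2 bytes) followed by the item list
        off += 2 + struct.unpack_from("<H", blob, off)[0]
    if flags & HAS_LINKINFO:                      # LinkInfoSize counts itself
        off += struct.unpack_from("<I", blob, off)[0]
    width = 2 if flags & IS_UNICODE else 1
    for flag, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                      (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):
        if flags & flag:                          # CountCharacters, then the characters (no terminator)
            n = struct.unpack_from("<H", blob, off)[0]
            raw = blob[off + 2: off + 2 + n * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + n * width
    return fields

def lnk_indicators(blob):
    """Defender triage: target is a shell/script host launched with arguments, or the window is minimized."""
    f = parse_lnk(blob)
    target = f.get("relative_path", "").lower().rsplit("\\", 1)[-1]
    findings = []
    if f.get("arguments") and target in SCRIPT_HOSTS:
        findings.append(f"{target} launched with arguments: {f['arguments']}")
    if f["show_command"] == 7:                    # SW_SHOWMINNOACTIVE
        findings.append("window opens minimized (ShowCommand 7)")
    return findings

def build_lnk(relative_path, arguments, show=1):
    """Constructed minimal .lnk (RELATIVE_PATH + arguments only, no IDList/LinkInfo) for testing."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    hdr = struct.pack("<I16sIIQQQIIIH", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, show, 0) + b"\0" * 10
    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return hdr + s(relative_path) + s(arguments)

BENIGN_LNK = build_lnk("..\\Windows\\notepad.exe", "")                          # constructed sample
SUSPECT_LNK = build_lnk("..\\Windows\\System32\\cmd.exe", "/c calc.exe", show=7)  # constructed sample
```

Real shortcuts written by Explorer usually carry an IDList and LinkInfo block as well; the parser skips over them by their declared sizes, so the same function works on files read from disk.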

VBS / VBE

A .vbs file is a script file written in VBScript (Visual Basic Script), a scripting language developed by Microsoft. The language is similar to Visual Basic. .vbs files are executable scripts interpreted by the Windows Script Host (WSH). When you double-click a .vbs file, Windows Script Host executes the script line by line. They can also be executed using cscript script.vbs.

Caveats:

  • Windows has options to disable Windows Script Host (WSH), which will prevent .vbs files from running.
  • VBScript vs Visual Basic: VBScript is a subset of VB and is a scripting language used to run an interpreted set of commands. It cannot be used to create a binary application and cannot be compiled down to an executable binary file.

A .vbe file is the encoded sibling of the .vbs file. The source code is stored in encoded form; it is decoded and executed automatically by WSH.

JS / JSE

A .js file is a plain-text file that contains Microsoft JScript code. The language is similar to JavaScript. .js files are executable scripts interpreted by the Windows Script Host (WSH). When you double-click a .js file, Windows Script Host executes the script line by line. They can also be executed using cscript script.js.

Caveats:

  • Windows has options to disable Windows Script Host (WSH), which will prevent .js files from running.
  • JScript vs JavaScript: JScript is Microsoft's implementation of the ECMAScript specification. It has custom idioms and ActiveX functions to interact with Windows.

A .jse file is the encoded sibling of the .js file. The source code is stored in encoded form; it is decoded and executed automatically by WSH.

WSF

A .wsf (Windows Script File) is an XML-based file format that can contain scripts written in multiple languages (including VBScript and JScript) supported by Windows Script Host. A .wsf file can be executed by double-click or with cscript script.wsf.

Example content:

<?xml version="1.0"?>
<job>
    <script language="VBScript" src="script.vbs" />
    <script language="JScript">
        ... JScript ...
    </script>
</job>

SCT

A .sct file is a scriptlet file used by WSH. It often contains a combination of scripting languages: VBScript and JScript. .sct files are generally binary files that may include compiled code or encoded script content. It can be executed by double-click or with ./file.sct in cmd.

Creating an .sct file typically involves using a scripting tool or compiler that can produce a scriptlet format.

WSC

TBD;

HTA

A .hta (HTML Application) is a file format that allows you to create applications using HTML, CSS, and scripting languages like VBScript or JScript. HTA files are essentially HTML files that can include scripts and styles: they can contain any valid HTML, including standard HTML elements, CSS and scripts.

HTAs are executed by mshta.exe (Microsoft HTML Application Host). They run in a special environment provided by Windows that gives HTAs the full capabilities of WSH. While HTAs run outside the traditional web browser environment, they still rely on the Internet Explorer rendering engine to interpret and display HTML and CSS and to execute scripts.

Caveats:

  • HTAs can be configured to run without a visible window.

REG

A .reg file is a text file used by Windows to add, modify, or delete entries in the Windows Registry when double-clicked. Although a .reg file does not execute code directly, it can still be used for malicious purposes: some Windows registry keys can be used to execute code in various ways, and an attacker can abuse the Windows Registry to install fileless malware on victim systems.

External executables

RTF

A .rtf (Rich Text Format) file. TBD;

Notes

Windows Script Host (mostly very well detected):

  • VBE, VBS - VBScript
  • JSE, JS - JScript
  • HTA - HTML Application
  • XSL - XML
  • WSF - Windows Script File (OneNote?)

Executables (very well detected):

  • EXE
  • CPL - Control Panel Applet
  • XLL - Excel Add-In
  • WLL - Word Add-In
  • SCR - Screensaver
  • BAT, COM, PS1, SH

LNK (mostly detected)

COM Scriptlets:

  • SCT - COM Scriptlet
  • WSC - Windows Script Component
  • INF-SCT - CSMTP accepts INF which can execute COM Scriptlets

Maldocs (VBA malware):

  • ppt, ppsm, pptm - PowerPoint
  • doc, docx - Word via Template Injection
  • xls, xlsx - Excel via CustomUI Injection

https://aerorock.co.nz/list-of-executable-file-extensions-windows/
https://www.x33fcon.com/slides/x33fcon23_-Mariusz_Banach-_Modern_Initial_Access_and_Evasion_Tactics.pdf
