If you see malware doing this in Windows assembly (CreateFileA takes seven arguments, pushed right to left, so the six pushes before the filename are the remaining parameters; the one to look at is the push immediately before push offset FileName, which is dwDesiredAccess and should contain GENERIC_WRITE, 0x40000000, if the sample intends to write):
push ...
push ...
push ...
push ...
push ...
push ...
push offset FileName ; "\\\\.\\PhysicalDrive0"
call ds:CreateFileA
It is opening raw physical disk 0, not the C: drive as such. \\.\PhysicalDrive0 is the whole disk, sector by sector, including the partition table and every area outside any mounted volume, and a handle opened on it with write access (which needs administrator rights) lets the program write anywhere on the disk as if it were one large file. That can be catastrophic.
For example, if you see it followed up with this code
push 0
push ...
push ...
push ...
push ...
call ds:WriteFile
The push 0 here is lpOverlapped = NULL (WriteFile's last parameter, so it is pushed first), which makes this a plain synchronous write at the handle's current file pointer. A handle fresh from CreateFileA has its file pointer at 0, so unless there is a SetFilePointer or SetFilePointerEx call in between, the write lands at byte 0 of the disk: sector 0, the master boot record (MBR). Raw disk writes have to be sector aligned, so expect nNumberOfBytesToWrite to be 512 or a multiple of it. On a GPT disk sector 0 holds the protective MBR and the real partition table sits in the sectors right after it, so a slightly larger write takes that out as well.
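To make the argument mapping mechanical, here is an added Python triage script (my own example, not code from the post or from the video) that parses an IDA-style listing, binds the pushes to CreateFileA and WriteFile parameters in stdcall order, and flags a raw-device open with GENERIC_WRITE followed by a WriteFile with no seek in between. The listing it parses is constructed to mirror the sequence above; the Win32 constants are the documented values, and the script also flags \\.\X: volume handles, which the post does not mention, as a generalisation of the same check.

```python
"""Triage helper: raw-disk CreateFileA followed by a WriteFile with no seek.
Added example, not the post's or the video's code. The listing is constructed
in IDA style; the constants are documented Win32 values."""
import re

GENERIC_WRITE = 0x40000000

# Win32 stdcall: arguments are pushed right-to-left, so the push nearest the
# call is the first parameter and the first push is the last one.
SIGNATURES = {
    "CreateFileA": ["lpFileName", "dwDesiredAccess", "dwShareMode",
                    "lpSecurityAttributes", "dwCreationDisposition",
                    "dwFlagsAndAttributes", "hTemplateFile"],
    "WriteFile": ["hFile", "lpBuffer", "nNumberOfBytesToWrite",
                  "lpNumberOfBytesWritten", "lpOverlapped"],
}
SEEK_APIS = {"SetFilePointer", "SetFilePointerEx"}
# \\.\PhysicalDriveN is the whole disk; \\.\C: (a volume) is the same idea one
# level up, so it is flagged too (generalisation beyond the post's one case).
RAW_DEVICE = re.compile(r"^\\\\\.\\(PhysicalDrive\d+|[A-Za-z]:)$")
LINE_RE = re.compile(r"^\s*(\w+)\s*([^;]*?)\s*(?:;\s*(.*))?$")

# Constructed listing (assumed layout, mirrors the post's push/call sequence).
SAMPLE_LISTING = r"""
push    0               ; hTemplateFile
push    0               ; dwFlagsAndAttributes
push    3               ; dwCreationDisposition = OPEN_EXISTING
push    0               ; lpSecurityAttributes
push    3               ; dwShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
push    40000000h       ; dwDesiredAccess = GENERIC_WRITE
push    offset FileName ; "\\\\.\\PhysicalDrive0"
call    ds:CreateFileA
mov     [ebp+hDisk], eax
push    0               ; lpOverlapped = NULL: synchronous, current file pointer
push    offset BytesWritten
push    200h            ; nNumberOfBytesToWrite = 512 (one sector)
push    offset Buffer
push    [ebp+hDisk]
call    ds:WriteFile
"""


def parse_listing(text):
    """Split a listing into (mnemonic, operand, comment) tuples."""
    insns = []
    for raw in text.splitlines():
        if raw.strip():
            m = LINE_RE.match(raw)
            insns.append((m.group(1), m.group(2), m.group(3) or ""))
    return insns


def parse_imm(op):
    """MASM immediates: 0, 3, 200h, 40000000h. None for registers/memory."""
    m = re.fullmatch(r"([0-9A-Fa-f]+)h", op)
    if m:
        return int(m.group(1), 16)
    return int(op) if re.fullmatch(r"\d+", op) else None


def resolve_args(insns, call_idx, params):
    """Walk back from the call and bind pushes to parameter names."""
    args, i = {}, call_idx - 1
    for name in params:
        while i >= 0 and insns[i][0] != "push":
            i -= 1  # skip movs etc.; assumes no stack-adjusting instructions
        if i < 0:
            raise ValueError("too few pushes before call at %d" % call_idx)
        args[name] = insns[i]
        i -= 1
    return args


def string_in_comment(insn):
    """Decode the C string IDA prints beside `push offset Name`."""
    m = re.search(r'"((?:[^"\\]|\\.)*)"', insn[2])
    return m.group(1).encode().decode("unicode_escape") if m else None


def triage(text):
    """Return findings for a raw-disk open followed by a write on that handle."""
    insns = parse_listing(text)
    findings, dev, handle, seeked = [], None, None, False
    for idx, (mn, op, _) in enumerate(insns):
        if mn == "mov" and handle == "eax" and op.endswith(", eax"):
            handle = op.split(",")[0].strip()  # returned handle saved to a local
            continue
        if mn != "call":
            continue
        api = op.split(":")[-1]
        if api in SEEK_APIS:
            seeked = True
        elif api == "CreateFileA":
            a = resolve_args(insns, idx, SIGNATURES[api])
            name = string_in_comment(a["lpFileName"])
            access = parse_imm(a["dwDesiredAccess"][1]) or 0
            if name and RAW_DEVICE.match(name) and access & GENERIC_WRITE:
                dev, handle, seeked = name, "eax", False
                findings.append(f"{dev}: opened with GENERIC_WRITE (raw disk, needs admin)")
        elif api == "WriteFile" and handle:
            a = resolve_args(insns, idx, SIGNATURES[api])
            if a["hFile"][1] != handle:
                continue
            size = parse_imm(a["nNumberOfBytesToWrite"][1])
            if seeked:
                findings.append(f"{dev}: WriteFile({size} bytes) after a seek; offset set by SetFilePointer")
            elif parse_imm(a["lpOverlapped"][1]) == 0:
                findings.append(f"{dev}: WriteFile({size} bytes) at file pointer 0 = sector 0, the MBR")
            else:
                findings.append(f"{dev}: WriteFile({size} bytes) at offset taken from the OVERLAPPED struct")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LISTING):
        print(line)
```

The script only follows the handle through one mov into a local and assumes nothing between the pushes and the call adjusts the stack; for anything more involved, run the same binding logic from an IDAPython script over the real function rather than a text listing.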
------
FYI, this is just me learning and documenting from the great Malware Hunter and his YouTube video; none of this is my own.
https://www.youtube.com/watch?v=b0WQwCQGjv4