![run vbs file from cmd peru run vbs file from cmd peru](https://i.stack.imgur.com/DOwRK.png)
- Run vbs file from cmd peru update#
- Run vbs file from cmd peru zip#
- Run vbs file from cmd peru windows#
Most of these chains consist of several stages and end up downloading a ZIP archive, as is typical for Latin American banking trojans.
![run vbs file from cmd peru run vbs file from cmd peru](https://content.spiceworksstatic.com/service.community/p/how_to_step_attachments/0000115244/5829cbef/attached_file/epo_deploy.png)
Since 2018, we have observed 38 different distribution chains used by this family. We believe the main distribution method for Mekotio is spam (see Figure 3 for an example). HKCU\Software\Microsoft\Internet Explorer\Main\įor an in-depth analysis of one specific variant of Mekotio targeting Chile, refer to ESET’s recently published article (in Spanish).HKCU\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete\.
![run vbs file from cmd peru run vbs file from cmd peru](https://i.stack.imgur.com/mMGjz.png)
Run vbs file from cmd peru windows#
Mekotio turns it off by changing the following Windows Registry values: This feature, when enabled, saves time for Internet Explorer users by remembering inputs on various types of fields that have been filled in previously. To ease stealing passwords with its keylogging feature, Mekotio disables the “AutoComplete” option in Internet Explorer. Your system will be restarted to complete the operation.”) (translation: “We are currently performing security updates on the site! Please, try again later! New security measures are being adopted: (1) new security plugin and (2) new visual look of the site. One way to identify Mekotio is a specific message box the trojan displays on several occasions (see Figure 2).įigure 2. Interestingly, one command is apparently intended to cripple the victim’s machine by trying to remove all files and folders in the C:\Windows tree. Some variants are also able to steal bitcoins by replacing a bitcoin wallet in the clipboard and to exfiltrate credentials stored by the Google Chrome browser.
Run vbs file from cmd peru update#
It can take screenshots, manipulate windows, simulate mouse and keyboard actions, restart the machine, restrict access to various banking websites and update itself. Mekotio ensures persistence either by using a Run key or creating an LNK file in the startup folder.Īs is common for most Latin American banking trojans, Mekotio has several typical backdoor capabilities.