Supremepdfapp: Malware that's not so supreme
In another YAPA investigation, I began by "hunting" around keywords using Google's Ads Transparency Center and came across supremepdfapp[.]com. I went to the website and downloaded the sample, which is now on VirusTotal. While pivoting on various strings and on the icon hash, I noticed that it also flagged under my powerdocapp hardcoded XOR key YARA rule. This time, however, the hard-coded XOR key has been changed (the change is now reflected in my YARA rule).

Observed Obfuscated Strings

The sample avoids storing its sensitive strings as literals: each one is rebuilt at runtime by TManager.BS() from an int[] of character codes (99 = 'c', 104 = 'h', and so on). The decoded value is given as a comment after each line:

string text = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\" + TManager.BS(new int[] { 99, 104, 114, 111, 109, 101, 46, 101, 120, 101 }); // chrome.exe
string text4 = TManager.BS(new int[] { 71, 111, 111, 103, 108, 101 }); // Google
string text5 = TManager.BS(new int[] { 67, 104, 114, 111, 109, 101 }); // Chrome
string text6 = TManager.BS(new int[] { 99, 104, 114, 111, 109, 101, 46, 101, 120, 101 }); // chrome.exe
string text3 = "...
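Decoding these by hand gets old once there are dozens of them. The script below is an added example (my own triage helper, not code from the sample or from the original post): it pulls every TManager.BS(new int[] { ... }) call out of decompiled C# text, rebuilds the string, and can also rewrite the source with the literals in place so the decompiled file reads normally. The input is the handful of lines quoted above, embedded as a constructed sample; the optional xor_key parameter is an assumption added for the XOR-keyed variant the YARA rule targets, since the page does not show how that key is applied.

```python
import re

# Constructed sample: the decompiled lines quoted on the page, not the full binary.
SAMPLE_SOURCE = r'''
string text = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\" + TManager.BS(new int[] { 99, 104, 114, 111, 109, 101, 46, 101, 120, 101 });
string text4 = TManager.BS(new int[] { 71, 111, 111, 103, 108, 101 });
string text5 = TManager.BS(new int[] { 67, 104, 114, 111, 109, 101 });
string text6 = TManager.BS(new int[] { 99, 104, 114, 111, 109, 101, 46, 101, 120, 101 });
'''

# Matches one TManager.BS(new int[] { ... }) call and captures the comma-separated ints.
BS_CALL = re.compile(r'TManager\.BS\(new int\[\]\s*\{([^}]*)\}\)')
# Captures the C# variable the decoded string is assigned to (purely for labelling).
ASSIGN = re.compile(r'string\s+(\w+)\s*=')


def decode_bs(values, xor_key=None):
    """Rebuild the string TManager.BS() returns from its int[] argument.

    The arrays on the page are plain character codes, so no key is needed.
    xor_key (bytes) is an assumption: a repeating single- or multi-byte key
    applied before the chr() conversion, for a variant that XORs the array.
    """
    if xor_key is not None:
        values = [v ^ xor_key[i % len(xor_key)] for i, v in enumerate(values)]
    return ''.join(chr(v) for v in values)


def _parse_ints(raw):
    """Turn the captured ' 99, 104, ... ' text into a list of ints."""
    return [int(x) for x in raw.split(',') if x.strip()]


def extract_bs_strings(source, xor_key=None):
    """Walk decompiled C# text and return (variable, decoded_string) pairs in source order."""
    results = []
    for line in source.splitlines():
        calls = BS_CALL.findall(line)
        if not calls:
            continue
        name_match = ASSIGN.search(line)
        name = name_match.group(1) if name_match else '?'
        for raw in calls:
            results.append((name, decode_bs(_parse_ints(raw), xor_key)))
    return results


def rewrite_source(source, xor_key=None):
    """Return the source with every TManager.BS(...) call replaced by a C# string literal."""
    def replace(match):
        text = decode_bs(_parse_ints(match.group(1)), xor_key)
        escaped = text.replace('\\', '\\\\').replace('"', '\\"')
        return '"' + escaped + '"'
    return BS_CALL.sub(replace, source)


if __name__ == '__main__':
    for name, value in extract_bs_strings(SAMPLE_SOURCE):
        print(f'{name}: {value!r}')
    print(rewrite_source(SAMPLE_SOURCE))
```

Run it against a dnSpy/ILSpy export of the whole assembly rather than these four lines and the decoded list doubles as a quick string dump for the rest of the capabilities; if a new build XORs the arrays, pass the recovered key as xor_key and the same extraction still works.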