I'm trying to analyze a piece of malware from the internet. I found out that the nemo browser and the ls command show the filename of the malware in different ways. ls displays the filenames IMG147pgj.exe, IMG148pgj.exe, IMG149pgj.exe, while nemo shows the same files as IMG147exe.jpg, IMG148exe.jpg, IMG149exe.jpg (those files are in fact Win32 executables):

Example

Why is that and how is that possible?


EDIT1: Results of ls | od -c and ls -q as requested.

Request

burtek
  • 643

1 Answer

The bytes you see using ls (342 200 256 in octal, or E280AE in hex) are decoded in UTF-8 as Unicode 0x202E, which is the right-to-left override. Nemo from there on reverses all characters, leading gpj.exe to become exe.jpg, while your terminal doesn't.

Similarly, Windows Explorer would reverse it, but still read the extension without reversing it, leading what appears to be a jpg to be executed.

Searching for RLO will show you it's a known malware technique.

user2313067
  • 2,585
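To check a directory listing for this trick from the defender's side, here is an added Python example (not code from the question or the answer) that decodes raw file names, reports any bidi control characters, and shows the rendered name next to the extension the OS will actually use. The sample listing is constructed from the octal bytes quoted in the question; the function names are my own.

```python
from pathlib import PurePosixPath
# Bidi controls that reorder rendered text; U+202E RLO is the one in the question.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}

def find_bidi_controls(name: str) -> list[tuple[int, str]]:
    # (index, abbreviation) for every bidi control present in the name
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]

def rendered_name(name: str) -> str:
    # Approximate a bidi-aware file manager: the run after an RLO is shown
    # reversed up to the next PDF (or end of string); controls are invisible.
    out, i = [], 0
    while i < len(name):
        if name[i] == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            if name[i] not in BIDI_CONTROLS:
                out.append(name[i])
            i += 1
    return "".join(out)

def true_extension(name: str) -> str:
    # What the OS uses: the suffix in logical order, controls stripped
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return PurePosixPath(clean).suffix

def audit(raw_names: list[bytes]) -> list[dict]:
    # Flag directory entries whose displayed extension differs from the real one
    findings = []
    for raw in raw_names:
        name = raw.decode("utf-8", errors="surrogateescape")
        ctrls = find_bidi_controls(name)
        if not ctrls:
            continue
        shown = rendered_name(name)
        findings.append({"logical": name, "shown": shown, "controls": ctrls,
                         "shown_ext": PurePosixPath(shown).suffix,
                         "real_ext": true_extension(name)})
    return findings

# Constructed listing: the question's RLO name (bytes E2 80 AE) plus a benign file.
SAMPLE = [b"IMG147\xe2\x80\xaegpj.exe", b"report.pdf"]
```

Running `audit(SAMPLE)` reports the first entry as shown with `.jpg` but really `.exe`, and nothing for the benign file.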