{
	"id": "bf3e6244-5dad-4545-b687-9a7fb5125a74",
	"created_at": "2026-04-06T00:19:56.450252Z",
	"updated_at": "2026-04-10T13:13:07.469078Z",
	"deleted_at": null,
	"sha1_hash": "5fa612883bc0717b7f3cbed4749aa5544f031714",
	"title": "Where we go, we don't need files: Analysis of fileless malware \"Rozena\"",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4480474,
	"plain_text": "Where we go, we don't need files: Analysis of fileless malware\r\n\"Rozena\"\r\nBy Andrew Go, Christopher del Fierro, Lovely Bruiz, Xavier Capilitan\r\nPublished: 2018-07-02 · Archived: 2026-04-05 14:21:24 UTC\r\nFileless malware leverages exploits to run malicious commands or launch scripts directly from memory using\r\nlegitimate system tools such as Windows PowerShell. Code Red and SQL Slammer were pioneers of fileless\r\nmalware, dating back to the early 2000s. Currently, this type of malware is on the rise once again.\r\nThe talk of the town in the cyber security community during the first half of the year is the term “fileless” attack. It\r\nis an attack technique that does not require downloading or dropping malicious files onto the system to execute\r\nits malicious behavior, but instead leverages exploits to run malicious commands or launch scripts directly from\r\nmemory via legitimate system tools. In fact, attacks such as the Code Red and SQL Slammer worms in the early\r\n2000s did not save themselves to disk but stored their malicious code solely in memory.\r\nHowever, the term \"fileless\" can also be a misnomer, as there are attacks that may involve the presence of files on the\r\ncomputer, such as opening an attachment from a spam email. Once executed, it may still save a file on disk and\r\nlater use fileless techniques to gather information on the system and spread the infection throughout the network.\r\nThese techniques can take the form of exploits and code injections to execute malicious code directly in memory,\r\nstoring scripts in the registry, and executing commands via legitimate tools. In 2017 alone, 13% of the gathered\r\nmalware used PowerShell to compromise the system.\r\nLegitimate system tools such as PowerShell and Windows Management Instrumentation are being abused for\r\nmalicious activities, since these are all built-in tools that run in the Windows operating system. 
One known malware\r\nfamily that uses PowerShell to download and execute malicious files is the Emotet downloader.\r\nThere is even older malware that has changed its technique and now uses fileless attacks. This malware aims to be\r\nmore effective in terms of infecting machines and avoiding detection, as Rozena does.\r\nhttps://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena\r\nPage 1 of 13\n\nRozena is a backdoor-type malware capable of opening a remote shell connection leading back to the malware\r\nauthor. A successful connection to the malware author yields numerous security concerns not only for the affected\r\nmachine, but also for other computers connected to its network.\r\nIt was first seen in 2015 and made a comeback in March 2018. The old and new Rozena malware still target\r\nMicrosoft Windows operating systems, but what makes the difference is the new one’s adaptation of the fileless\r\ntechnique, which uses PowerShell scripts to execute its malicious intent. A survey done by Barkly and the\r\nPonemon Institute, which polled 665 IT and security leaders, found that fileless attacks are 10 times more likely\r\nto succeed than file-based attacks. This could be the probable reason why malware authors are now\r\nfollowing the fileless trail.\r\nArrival and Infection Routine Overview\r\nFigure 1: Steps of Rozena's infection routine\r\nThis file may arrive on a system as a file dropped by another malware or as a file downloaded when visiting\r\nmalicious sites. It may also arrive as an attachment to a crafted spam email. Rozena is an executable file that\r\nmasks itself as a Microsoft Word file. Upon execution, it will create a text file named Hi6kI7hcxZwU in the %temp%\r\nfolder. Then the executable file will launch obfuscated and encoded PowerShell commands in a specific order and with a specific\r\npurpose. 
In this case, we name these scripts the CREATOR script, DECODER script and INJECTOR script for\r\neasier tagging in the In-Depth Analysis. The creator script is responsible for spawning the decoder script. The\r\ndecoder script decrypts the content of Hi6kI7hcxZwU and executes it. The decoded script yields the injector\r\nscript, which injects shellcode into PowerShell.exe.\r\nThis injected shellcode will create a reverse TCP connection to a remote server that will give access to the\r\nmalware author. It is like opening a door to thieves, letting them take and do whatever they want to the\r\nhouse, and then go beyond it to reach all its neighbors.\r\nIn-depth Analysis\r\nOne of the common techniques used to lure users into executing files from unknown senders or unknown downloads\r\nis to make them look harmless. Since Windows by default does not show file extensions, it is easier for\r\nthe malware author to bait the user into executing the file, as shown in Figure 2. 
Rozena chooses to use the Microsoft\r\nWord icon, but it is a Windows executable file, as shown in Figure 3 for Rozena’s file header.\r\nFigure 2: Rozena uses the icon of a Microsoft Word file to disguise itself\r\nFigure 3: File header of Rozena - note that the MZ header indicates a regular executable file\r\nUpon execution, it will create a file in the %temp% folder with a fixed filename Hi6kI7hcxZwUI.\r\nFigure 4: The contents of \"Hi6kI7hcxZwUI\", as seen in HVIEW\r\nThen it will call CreateProcessA to run a PowerShell script via the command line; we name this first script the\r\nCREATOR Script.\r\nFigure 5: Shell - executing a PowerShell script\r\nNow let's take a closer look at the PowerShell parameters:\r\nFigure 6: First PowerShell script (parameter and partially encrypted code)\r\nThe parameters and functions consist of mixed lower and upper cases, and this is one of the obfuscation\r\ntechniques used by this file for executing PowerShell scripts. PowerShell commands are not case\r\nsensitive by default, so doing this does not affect their execution. Almost all parameters used by this file have a similar format –\r\nmixed cases and shortened syntax.\r\n-wIndOwsTY is a syntax for the -WindowStyle parameter of PowerShell. The truncating of the syntax is also for\r\nobfuscation and anti-detection, and this is still a valid parameter because of how PowerShell handles parameter\r\nbinding.\r\nHiddeN means that it will set the window style for this session to hidden. This parameter is widely used to\r\nprevent PowerShell from displaying a window when it executes a script.\r\n-c, short for -Command, will execute the command that follows the parameter as though it were typed at the\r\nPowerShell command prompt. 
The value after the command is an encrypted script block.\r\nFigure 7: Encrypted CREATOR Script\r\nUsing the join, split and convert functions from PowerShell, this code will be decrypted into the script shown in\r\nFigure 8. The script also uses a pipeline operator (|) to send the command string to Invoke-Expression, which will\r\nexecute the script on the infected machine. For obfuscation and to avoid easy detection, 'iNVOKE-EXPreS'+'sIOn' is a concatenated string for Invoke-Expression.\r\nFigure 8: Decrypted CREATOR Script\r\nThe first section, boxed in red, is only variable declarations to be used later in the PowerShell parameters.\r\nThe lower part, boxed in gray, holds the new parameters for the second PowerShell process that will be spawned.\r\nNow let us take a look at the newly created PowerShell script and its parameters:\r\nFigure 9: Encrypted DECODER script\r\nThe upper part, boxed in red, consists of PowerShell parameters and some obfuscation functions.\r\nNow let's break down each parameter:\r\n-noniNtE, shortened syntax for -NonInteractive. It is used to prevent showing an interactive prompt to the user. It\r\nis often combined with -WindowStyle Hidden to hide any script execution.\r\n-nOlOG, shortened syntax for -NoLogo. Hides the copyright banner when PowerShell is executed.\r\n-NOpROFI, shortened syntax for -NoProfile. Does not load the PowerShell profile.\r\n-wIndOwsTY HiddeN, shortened syntax for -WindowStyle Hidden. As mentioned above, to prevent PowerShell\r\nfrom displaying when executed.\r\n-ExeCUTIonPOlic BypaSS, truncated syntax for -ExecutionPolicy Bypass. It is used to set the default execution\r\npolicy for the current session. 
This parameter does not make any changes to the PowerShell execution policy set\r\nin the Windows Registry, nor does it write a file to disk, which helps evade security checks and hide malicious execution.\r\nSetting the execution policy to Bypass will not block any script execution, and there are no warnings or prompts to\r\nalarm the user. It is also regardless of the user’s profile: whether administrator or not, the PowerShell script will\r\nstill be executed.\r\nAfter -ExeCUTIonPOlic BypaSS, there is obfuscated code that only yields ‘-ec’ when decrypted.\r\n-ec, truncated syntax for -EncodedCommand, accepts a base-64-encoded version of a command. This\r\nparameter is used to submit commands to PowerShell that require complex quotation marks or curly braces. This\r\nparameter runs the base64-encoded command in the highlighted section of Figure 8.\r\nDecrypting the part boxed in green in Figure 9, which is a base-64-encoded data block, will generate another\r\nPowerShell script, which we call the DECODER script.\r\nFigure 10: Decrypted DECODER script\r\nThe procedure is the same as in the decrypted CREATOR Script shown in Figure 8. The part boxed in red is just\r\nvariable declarations which will be used later as parameters for PowerShell execution. The part boxed in gray has\r\nthe same parameters as Figure 9, but with different obfuscations.\r\nIn the DECODER script, some new parameters are used, highlighted in green, which are somewhat readable even though\r\nthe strings are concatenated.\r\nNew-Object is used to create an instance of a .NET Framework class; in this script it creates a\r\nSystem.Net.WebClient, which is used to send and receive data from remote resources. 
Most of the threats today,\r\nespecially downloaders that use PowerShell scripts, use this code.\r\n-f / -File runs commands from a specified file, which here points to the output of DownloadString(),\r\nwhich downloads the content of Hi6kI7hcxZwU (the file located in the %temp% folder shown in Figure 2) into a buffer in\r\nmemory.\r\nSince this is an encrypted string, it will then be decrypted using an XOR operation, as seen in the last part of the\r\nPowerShell script (DECODER script). The file Hi6kI7hcxZwU will subsequently be deleted.\r\nFigure 11: Decrypted content of Hi6kI7hcxZwU\r\nThe decrypted output has the same structure as the CREATOR script. Notice the last part of this script in Figure\r\n11: it is an obfuscated parameter for Invoke-Expression, and this will be the third PowerShell script to be executed\r\nby this file, which we call the INJECTOR script. This is a common anti-debugging technique used by most malware,\r\nwrapping their code in multiple layers of obfuscation and encryption. Decrypting this code will yield\r\nanother base-64-encoded data block.\r\nFigure 11b: Second half of the decrypted content of Hi6kI7hcxZwU\r\nAfter decrypting this base-64-encoded data block in Figure 12.a, we can finally see the script in its full glory:\r\nFigure 11b: Decrypted INJECTOR Script\r\nThe upper part, highlighted in red, has a lot of readable strings and only a few string obfuscations. There is a\r\nDllImport for kernel32.dll and msvcrt.dll, importing APIs from the Windows kernel and the msvcrt library. Specific\r\nAPIs can be seen: VirtualAlloc, CreateThread and memset. These are common APIs used for\r\nexecuting a code injection. The middle part contains hexadecimal byte values that make up a block of code and\r\nassigns it to a variable. 
This block of code is referred to as the shellcode. In the bottom part, highlighted in green,\r\nthe obfuscated functions copy the hexadecimal byte values to the allocated memory and inject them into the\r\nrunning PowerShell.exe, using VirtualAlloc and memset.\r\nDigging into the shellcode\r\nThe following APIs will be harvested and used:\r\n- WSASocketA\r\n- Connect\r\n- Recv\r\n- VirtualAlloc\r\nIt will try to establish a connection to a server: 18[.]231[.]121[.]185[:]443 (down at the time of analysis). Notice\r\nthat it also uses TCP port 443, which is used for SSL connections, as shown in Figure 13. This means that all data\r\npassed between the server and the receiver remains private and intact, and it is a way to avoid security checks and\r\nnetwork detection. The IP address and port number are hard-coded in the shellcode as hexadecimal byte values.\r\nFigure 12: The shellcode contains a hard-coded IP address and port number\r\nRozena will make four attempts to establish a connection. The IP address was unreachable at the time of analysis,\r\nhowever.\r\nIt does not end here\r\nGiven that the IP address was not available for a connection, we might as well have stopped at this point.\r\nHowever, doing so would mean that we could not find out what Rozena can do to an infected machine. In order to\r\nproceed with the analysis, we set up a test environment. Since the IP address and port number were hard-coded in\r\nthe shellcode, we just modified them to point to an internal dummy server for the sole purpose of continuing the\r\nanalysis. This is the only modification made to the whole script for further analysis. 
We also destroyed the\r\nmodified malware after the test so it will not find its way into anyone’s malware collection.\r\nFigure 14: Established connection to dummy server\r\nOnce the connection between the server and the infected machine is established, it is ready to receive files\r\nfrom the server that will be allocated in memory and executed.\r\nFigure 15: Metasploit framework Reverse TCP connection\r\nThe code shown above is from the Metasploit framework and creates a reverse TCP connection. In a reverse\r\nTCP connection, the infected machine will open the port that the server will connect to. This is mostly used by\r\nbackdoor malware since it bypasses firewall restrictions on open ports.\r\nFigure 16: Established connection to infected machine seen in Metasploit\r\nThe infected machine is now connected to the dummy server, which uses a Kali Linux environment with the Metasploit\r\nFramework. It uses Meterpreter to craft and send files to the infected machine, or any of the other commands shown\r\nbelow.\r\nFigure 17: Meterpreter commands\r\nBeing infected by a backdoor malware, and looking at the few commands above that can be used to compromise\r\nthe system, is no doubt terrifying. It can do practically anything with the infected machine and its files, become familiar with\r\nthe system, and infect its network. This poses a lot of security threats and can cause a huge amount of damage.\r\nNow that Rozena follows the fileless trail, the stealthiness of its delivery and execution of malicious activity\r\nintensifies.\r\nPrevention\r\nAs the world changes, malware authors adapt and make use of built-in legitimate tools for their infections, which\r\nmight leave us defenseless. But there is always a way to shield ourselves from these types of attacks.\r\n1. 
Keep operating systems and software up-to-date, including security updates, especially knowing that older\r\nsystems have numerous vulnerabilities that can be exploited and used for infection.\r\n2. It is strongly advised to only download, save or execute files from known and trusted sources. Malware authors still\r\nuse traditional arrival vectors to lure users into executing malicious files.\r\nIf disabling system tools, especially PowerShell, is not an option, there are some alternative ways to configure\r\nPowerShell to prevent malicious script execution.\r\n3. Set PowerShell Constrained Language Mode – this will limit the capability of PowerShell by removing\r\nadvanced features such as .NET and Windows API calls, since most PowerShell scripts rely on these parameters and\r\nmethods.\r\n4. Pair PowerShell with AppLocker – this will prevent unauthorized binary files from being executed.\r\nIOC list \u0026 information for fellow researchers\r\nExecutable File (masks as Microsoft Word):\r\nc23d6700e93903d05079ca1ea4c1e36151cdba4c5518750dc604829c0d7b80a7\r\nCreated File (filename Hi6kI7hcxZwU):\r\nd906dc14dae9f23878da980aa0a3108c52fc3685cb746702593dfa881c23d13f\r\nConnected to remote server: 18[.]231[.]121[.]185[:]443\r\nSource: https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena"
	],
	"report_names": [
		"30862-fileless-malware-rozena"
	],
	"threat_actors": [],
	"ts_created_at": 1775434796,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5fa612883bc0717b7f3cbed4749aa5544f031714.pdf",
		"text": "https://archive.orkl.eu/5fa612883bc0717b7f3cbed4749aa5544f031714.txt",
		"img": "https://archive.orkl.eu/5fa612883bc0717b7f3cbed4749aa5544f031714.jpg"
	}
}