Lost in Security (and mostly everything else)

2024-10-12 Async RAT

October 12, 2024 October 14, 2024Forensics, Packet Analysis

Intro ========= So much for keeping New Years resolutions and posting things. ¯\_(ツ)_/¯ With that out of the way let’s get into taking a look at our friend ASync RAT. As usual, the link to the artifacts from this can be found over at my Github here. **Note: Process Monitor and Wireshark were running at the same time that I was playing around with the “MenToffice” binary by itself and also running the WSF script. So the data logged are conflated in each tool’s saved logs (Process Monitor files and PCAPs).** Analysis ========== So this started as an alert for…

2024-01-14 Remcos RAT Infection

January 14, 2024 January 22, 2024Packet Analysis

Summary ========= The last time I “published” anything was about a 1.8 years or so ago. So in the spirit of New Years resolutions to myself it really has come time for me to get back on the horse and get back into some sort of posting again. So let’s jump into an alert that I came across for what looks to be Remcos RAT. Link to the artifacts from this investigation can be found over at my Github here which also includes the output from the two URLs seen in the VB script. The memory dump of the Remcos…

2022-05-13 Quick Remcos Deobfusction

May 17, 2022 May 17, 2022Code

Summary ========= Decided that I would take a crack at trying to deobfuscate the VBScript that was in a sample of Remcos malspam since I haven’t been doing it for a long while. The VBScript can be found over at Any.Run inside a zip file (malspam attachment). I’ll do a post going over the analysis in the coming days since it seems pretty straight forward. The link to the scripts can be found at my Github. NOTE: Wherever there is a “&amp;” it is meant to be just the & symbol. Analysis ========= The script is a LONG one and…

2022-04-22 Emotet Malspam Using Excel 4 Macro

April 24, 2022 April 25, 2022Packet Analysis

Summary ======== Looking at the mail filters yesterday to see if there was anything interesting while having “some” downtime during the late part of my shift, I was able to come across a sample of some Emotet malspam leveraging the usual hacked/injected email thread. The sample was an encrypted zip file that had an Excel spreadsheet using the Excel 4 macro once the macro was enabled. All the files and artifacts from this can be found over at my Github repo located here. Analysis ======== Host ———- This infection chain is very much like the one that I detailed in…

2022-03-14 Emotet Malspam

March 15, 2022 March 16, 2022Packet Analysis

Summary ======== As part of brushing the “rust” off and getting back into the malware analysis and blogging thing, and since I have some free time since I am on holiday, I decided to see what was in the mail filters for anything interesting or fun to play with. I did come across an email that had an encrypted zip attachment that was an Excel spreadsheet that leveraged a macro in it. For this post, I am not digging into the macro. This will be a simple analysis post. As usual, all the artifacts from this investigation can be found…

2022-02-26 Quick Post – Push Notifications And Files Written To Disk

February 26, 2022 February 26, 2022Packet Analysis

Note: It took me a little longer to get this post written and my VM had crashed on me, so the logs seen from Chrome or Edge may reflect more data than I had initially. This is going to be slightly off topic from what I usually post about (malware) and is not deep in the weeds for someone that is wanting to do forensics. The lens that I am viewing this from is as a defender/SOC analyst. For a more in-depth look into this topic from a forensics perspective please see these awesome resources below: Jai Minton’s Digital Forensics and…

2022-02-13 Breaking out the WD40! First Stage Downloader For Remcos RAT

February 15, 2022 October 13, 2024Code

It has been a while since I have played with any malware or tried to RE a script of some sort. So here goes nothing… Shout out to David Ledbetter for the assist. Solid work as usual! This post will cover the downloader script from a Remcos maldoc that I was playing with from the beginning of the month. The email itself was your standard fare – a Wells Fargo phishing email that had an Excel XLSB attachment that was encrypted. The Excel XLSB can be found over at Any.Run or over at my Github here. A special shoutout to…

2022-01-09 First Round with Brim Using December’s Malware Traffic Exercise

January 9, 2022 January 11, 2022Packet Analysis

It has been a long while since I have done any blogging. Since it has been a hot minute since I have done a post I thought that I would take this opportunity to learn something new and expand my tool-belt. So this first step back into the blogging world is going to be about a tool called Brim using the latest malware exercise from Brad found over at his site here and the SANS site here. So let’s start with what Brim is – a tool that helps visualize PCAP data in a different way with WAY faster indexing…

2020-12-08 Hancitor Malspam

December 9, 2020 December 9, 2020Packet Analysis

Summary ======== This quick post stems from a tweet from @James_inthe_box about some Hancitor malware that he was seeing. After several attempts at trying to get a maldoc to download in the past, I was able to today. Out of the several links that I had, only one worked. For a list of other links that I saw, please see this Pastebin. The others did what they have always done in the past – redirected me to a Docusign site. For the artifacts and such, please see my Github repo for this here. Analysis ======== Once the maldoc was obtained,…

2020-11-03 Node.JS QRAT

November 4, 2020 November 4, 2020Packet Analysis

Summary ======== Looking through some of the email filters today looking for anything interesting, I ran into some emails that all had the same characteristics. All the emails were Fedex themed and had an attachment named “IMG-10227821963777100026367819.zip.” Once the file had been unzipped, it was actually a JAR file (IMG-10227821963777100026367819.jar). Also, since I had not seen any kind of malware like this before, I came across some interesting posts about this that you can review. Trustwave did a great write up about this, along with TrendMicro. For the PCAPs, ProcMon, and strings2 artifacts from this, please see the Github repo…