Code – Page 2 – Lost in Security (and mostly everything else)

2019-02-12 Deobfuscating an Emotet maldoc

Herbie Zimmerman February 14, 2019 February 14, 2019Code 0

This blog entry is going to cover how I managed to de-obfuscate the macro from the Emotet sample that I was able to grab. The maldoc can be found in my Github repo located here: http://github.com/bloomer1016/2019-02-12-Deobfuscating-Emotet-Maldoc. Indicators of Compromise: ========================== MD5 of Word doc: 35c716c82f9912cb1a57bf7ee72e0c53 VT: http://www.virustotal.com/#/file/9fb5e5242394557e27ca3ccfc492f7db0f7474662148a8797953df702b4d78db/detection Any.Run: http://app.any.run/tasks/0e428667-3602-489f-85ac-1f022e2c9c1f Analysis:…

2019-01-03 Adwind RAT/Houdini Malspam

Herbie Zimmerman January 4, 2019 January 7, 2019Code, Packet Analysis 0

**2019-01-07** After talking with some researches about this malware via this Twitter thread, the JAR file is only the delivery mechanism for the VB script inside it. Once the JAR file has been unpacked; the VB script executed that sends traffic to 31.171.152.106:2522 is related to the Adwind RAT. The…

2018-10-12 Using Visual Studio to debug VBScript

Herbie Zimmerman October 12, 2018 October 12, 2018Code 0

There was a phishing email that came in the other day that looked interesting. When I went to the URL found in the PDF, it linked to an ARJ archive file. Once i downloaded this file and extracted it, I saw that there was a VBScript file. Opening this file…

2018-09-18 Emotet maldocs labeled as “Invoices”

Herbie Zimmerman September 22, 2018 September 22, 2018Code, Packet Analysis 0

Looking through the email filters in on the 18th of September, I managed to find a small batch of emotet emails from the same sender. The emails themselves tried to spoof email addresses, but Outlook ended up displaying both emails (the spoof and the true sender). Looking through the small…

Deobfuscating an Emotet MalDoc Script

Herbie Zimmerman December 5, 2017 December 5, 2017Code 0

So this post covers the malicious macro script that was found in an older writeup for Emotet which you can find here. While one could develop tools to help deobfuscate the macro script like @David Ledbetter did in his blog post, I wanted to show another way of doing it…

2017-08-28 Malspam Leads To Emotet Malware

Herbie Zimmerman August 28, 2017 August 28, 2017Code, Packet Analysis 0

For today’s post, I am walking through an Emotet malspam that we received this past Friday that contained a simple link that lead to a macro enabled Word document. Googling around I see that @dvk01uk came across the same URLs 5 days ago. You can read that post here. Running…

2017-08-04 Quick Post – Deobfuscating the Javascript from “Blank Slate” malspam Pushing Gryphon Ransomware (A BTCware variant)

Herbie Zimmerman August 4, 2017 August 4, 2017Code 0

Just a quick one for today. I saw Brad’s tweet about a sample of Blank Slate malspam and decided to see if I could find some today while at work. Thankfully the email filters did their job and all of them were blocked. Brad also blogged about this over on…

2017-05-31 Cleaned Up Script from Jaff Ransomware

Herbie Zimmerman May 31, 2017 May 31, 2017Code 0

So last week I came across some malspam that used a PDF with an embedded Word document in it that encrypted my test VM with Jaff ransomware which I discussed here. Trying to figure out how the script worked, I came across some aspects/things that I had not seen done…

2017-05-19 Deobfuscating Malicious Javascript

Herbie Zimmerman May 19, 2017 May 19, 2017Code 0

Just a quick post for today’s blog. Once again went digging through some emails looking for some badness and came across an email that had a zipped Javascript file in it. Seeing this I thought that I would take a crack at trying to deobfuscate the script. I’ll post later…

2017-05-03 Smokeloader/Dofoil malware from Malspam

Herbie Zimmerman May 3, 2017 May 3, 2017Code, Packet Analysis 0

This investigation stems from a maldoc that was sent to us yesterday. It is your standard maldoc that requires you to enable content in order to get the embedded script to run. From the looks of it, the malware that is used in this infection is Smokeloader/Dofoil. For more information…