Lost in Security (and mostly everything else)

Category: Code

2018-10-12 Using Visual Studio to debug VBScript

Herbie Zimmerman | October 12, 2018 | Categories: Code | Tags: Debugging

There was a phishing email that came in the other day that looked interesting. When I went to the URL found in the PDF, it linked to an ARJ archive file. Once I downloaded this file and extracted it, I saw that there was a VBScript file. Opening this file…

2018-09-18 Emotet maldocs labeled as “Invoices”

Herbie Zimmerman | September 22, 2018 | Categories: Code, Packet Analysis | Tags: De-obfuscation, Emotet

Looking through the email filters on the 18th of September, I managed to find a small batch of Emotet emails from the same sender. The emails themselves tried to spoof email addresses, but Outlook ended up displaying both emails (the spoof and the true sender). Looking through the small…

Deobfuscating an Emotet MalDoc Script

Herbie Zimmerman | December 5, 2017 | Categories: Code | Tags: Deobfuscation, Emotet

So this post covers the malicious macro script that was found in an older writeup for Emotet which you can find here. While one could develop tools to help deobfuscate the macro script like @David Ledbetter did in his blog post, I wanted to show another way of doing it…


2017-08-28 Malspam Leads To Emotet Malware

Herbie Zimmerman | August 28, 2017 | Categories: Code, Packet Analysis | Tags: Emotet

For today’s post, I am walking through an Emotet malspam that we received this past Friday that contained a simple link that led to a macro-enabled Word document. Googling around, I see that @dvk01uk came across the same URLs 5 days ago. You can read that post here. Running…

2017-08-04 Quick Post – Deobfuscating the Javascript from “Blank Slate” malspam Pushing Gryphon Ransomware (A BTCware variant)

Herbie Zimmerman | August 4, 2017 | Categories: Code

Just a quick one for today. I saw Brad’s tweet about a sample of Blank Slate malspam and decided to see if I could find some today while at work. Thankfully the email filters did their job and all of them were blocked. Brad also blogged about this over on…


2017-05-31 Cleaned Up Script from Jaff Ransomware

Herbie Zimmerman | May 31, 2017 | Categories: Code

So last week I came across some malspam that used a PDF with an embedded Word document in it that encrypted my test VM with Jaff ransomware which I discussed here. Trying to figure out how the script worked, I came across some aspects/things that I had not seen done…


2017-05-19 Deobfuscating Malicious Javascript

Herbie Zimmerman | May 19, 2017 | Categories: Code

Just a quick post for today’s blog. Once again I went digging through some emails looking for some badness and came across an email that had a zipped JavaScript file in it. Seeing this, I thought that I would take a crack at trying to deobfuscate the script. I’ll post later…

2017-05-03 Smokeloader/Dofoil malware from Malspam

Herbie Zimmerman | May 3, 2017 | Categories: Code, Packet Analysis

This investigation stems from a maldoc that was sent to us yesterday. It is your standard maldoc that requires you to enable content in order to get the embedded script to run. From the looks of it, the malware that is used in this infection is Smokeloader/Dofoil. For more information…


Walk through of a VBS script

Herbie Zimmerman | March 28, 2017 | Categories: Code

So for today’s update, a change of pace. A couple of weeks ago I came across a Tweet from someone that I follow on Twitter. Unfortunately I can’t find the one that caught my eye, but the link was to Open Analysis Live’s video. The video was covering a “user…