2019-02-12 Deobfuscating an Emotet maldoc

This blog entry is going to cover how I managed to de-obfuscate the macro from the Emotet sample that I was able to grab. The maldoc can be found in my Github repo located here: http://github.com/bloomer1016/2019-02-12-Deobfuscating-Emotet-Maldoc.

Indicators of Compromise:
==========================
MD5 of Word doc: 35c716c82f9912cb1a57bf7ee72e0c53
VT: http://www.virustotal.com/#/file/9fb5e5242394557e27ca3ccfc492f7db0f7474662148a8797953df702b4d78db/detection
Any.Run: http://app.any.run/tasks/0e428667-3602-489f-85ac-1f022e2c9c1f

Analysis:
=========
So to be honest, I was using this maldoc as a case to try to get better at using oledump from Didier Stevens. This all stems from his latest posts on the SANS ISC blog (http://isc.sans.edu/forums/diary/Maldoc+Analysis+of+the+Weekend/24626/ and http://isc.sans.edu/forums/diary/Video+Maldoc+Analysis+of+the+Weekend/24628/). Unfortunately I was not able to get this maldoc de-obfuscated as easily…


2019-01-03 Adwind RAT/Houdini Malspam

**2019-01-07** After talking with some researchers about this malware via this Twitter thread, the JAR file is only the delivery mechanism for the VB script inside it. Once the JAR file has been unpacked, the VB script that executes and sends traffic to 31.171.152.106:2522 is related to the Adwind RAT. The VB script, and the data POSTed to ‘goz.unknowncrypter.com’, are related to Houdini. This post stems from looking at some malspam from yesterday that had a JAR file as an attachment. I also posted some of the information over on Twitter yesterday. To see that thread click here. Based on…


2018-10-12 Using Visual Studio to debug VBScript

There was a phishing email that came in the other day that looked interesting. When I went to the URL found in the PDF, it linked to an ARJ archive file. Once I downloaded this file and extracted it, I saw that there was a VBScript file. Opening this file gave me the following code (also available at my Github located here). As you can see, this looks pretty complex (and just confusing to be honest). Manually trying to walk through this code was somewhat confusing since 1) the variable names were all over the place language-wise (some are Italian,…


2018-09-18 Emotet maldocs labeled as “Invoices”

Looking through the email filters on the 18th of September, I managed to find a small batch of Emotet emails from the same sender. The emails themselves tried to spoof email addresses, but Outlook ended up displaying both addresses (the spoof and the true sender). Looking through the small batch of emails, there were 2 different sets of hashes for the attachments. Below is the table showing the MD5 hashes associated with the maldoc: The artifacts from this can be found over in my Github found here. Another security researcher that has been actively maintaining Emotet data (http://twitter.com/ps66uk/status/1042004723866509313) and…


Deobfuscating an Emotet MalDoc Script

So this post covers the malicious macro script that was found in an older writeup for Emotet which you can find here. While one could develop tools to help deobfuscate the macro script like @David Ledbetter did in his blog post, I wanted to show another way of doing it – manually without any programs or scripts. I wanted to do it this way and document it since I have no talent or skill in the ways of developing programs/scripts to do this kind of work and to show that it is possible to those of us that are “code…


2017-08-28 Malspam Leads To Emotet Malware

For today’s post, I am walking through an Emotet malspam that we received this past Friday that contained a simple link that led to a macro-enabled Word document. Googling around, I see that @dvk01uk came across the same URLs 5 days ago. You can read that post here. Running the maldoc in my test VM showed that the initial link was still working and downloaded an executable. When running that executable on my test VM, I saw a couple of POST requests going to dead sites. First I will walk through the script that I deobfuscated and then the…


2017-08-04 Quick Post – Deobfuscating the JavaScript from “Blank Slate” malspam Pushing Gryphon Ransomware (A BTCware variant)

Just a quick one for today. I saw Brad’s tweet about a sample of Blank Slate malspam and decided to see if I could find some today while at work. Thankfully the email filters did their job and all of them were blocked. Brad also wrote about this over on his blog, which you can read here. Instead of breaking down the traffic and such (since he already did an excellent job at that and since the callbacks are exactly the same as his), I figured that I would try my hand at deobfuscating the JavaScript. Some of it…


2017-05-31 Cleaned Up Script from Jaff Ransomware

So last week I came across some malspam that used a PDF with an embedded Word document in it that encrypted my test VM with Jaff ransomware, which I discussed here. Trying to figure out how the script worked, I came across some things that I had not seen done before. Here is my walk-through of this script. I started with the cleaned-up scripts that made up the macro by using OfficeMalScanner against the Word document. Once I had the scripts, I walked through the code starting with the “ThisDocument” script. This is where the malicious macro will…


2017-05-19 Deobfuscating Malicious JavaScript

Just a quick post for today’s blog. Once again I went digging through some emails looking for some badness and came across an email that had a zipped JavaScript file in it. Seeing this, I thought that I would take a crack at trying to deobfuscate the script. I’ll post later on what traffic comes from the script when running it on my VM. Until then, you can find the malicious JavaScript and the cleaned-up script files here. At first glance, this JavaScript file made no sense since Notepad++ was treating most of the script as a comment since it…


2017-05-03 Smokeloader/Dofoil malware from Malspam

This investigation stems from a maldoc that was sent to us yesterday. It is your standard maldoc that requires you to enable content in order to get the embedded script to run. From the looks of it, the malware that is used in this infection is Smokeloader/Dofoil. For more information about this type of infection, Forcepoint had a good writeup about it, which you can read here. Granted, it is not an exact match for this infection, but it helps to explain some of the behavior that the malware used. I also had some fun trying my hand at de-obfuscating…
