2017-11-15 Another Malspam Message Leads to New Emotet

This is just a quick writeup for an Emotet malspam that I found in Triton. Nothing too detailed or anything of the sort. I was not able to obtain the initial malicious binary (73077.exe) from the Word document, so after getting all the details, I went back on a clean VM to get that file. The file 73077.exe should be the same as the one listed below – 12961.exe. The artifacts from this can be found over at my Github here.

IOCs:
=====
172.81.117.237 / xanaxsleepingpills.website (GET /Invoice-number-588962/)
162.221.188.251 / www.medicinedistributor.com (GET /UVRJ/)
41.72.140.141:8080 (POST /)
69.43.168.196:443 (POST /)

Artifacts:…

2017-11-01 Another Trickbot Maldoc

Looking through the email filters yesterday, I saw numerous emails from the sender “secure@hsbcdocuments.com” with the subject of “We need to confirm your details.” The email was a well laid out phish with a malicious Word document attached. This Word document led to a Trickbot banking malware infection via the use of a malicious macro instead of the DDE attack vector. Initially, when I was looking into these emails yesterday, I was not seeing anything online about them. As part of my daily morning reading, I went to @dvk01uk’s site this morning and saw that it was…

2017-10-30 Generic Infostealer Malware Using UAC Bypass

A quick write-up on a generic infostealer that also uses a UAC bypass technique. I could not find much about this malware beyond the fact that it was a generic information stealing malware. For some interesting reading on how UAC is bypassed within Windows, please see the following links:
http://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
http://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
http://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/
For the artifacts, ProcMon logs, and the PCAP from the investigation, please see my Github repo here.

IOCs:
=====
216.146.43.70 / checkip[.]dyndns.org (GET /)
37.72.171.98 / yatupaints[.]com (POST /WebPanel/api.php)

Artifacts:
==========
File name: PO.zip
File size: 128KB
File path: NA
MD5 hash: 96d897d444793e2aea70cf6b28224eac
Virustotal: http://www.virustotal.com/#/file/4e01b1b9f1d1068de5d461f4469c7bfc1ccc906b182ee7354b6b6879e5110fdd/detection
Detection ratio: 7 / 63…

2017-10-03 Nemucod Maldoc Leads to Locky (Ykcol) Infection

Quick post for today. I have been seeing a lot of malspam with malicious JavaScript attachments zipped inside a 7zip archive for the past couple of days. The emails themselves all seem to revolve around the theme of a receipt or invoice, as seen below. From what I can tell, the scripts are all about the same, and the binary downloaded from each of the sites is exactly the same file. I am not sure if this is the case with the other emails from yesterday or the day before, but I can only assume it is. All the scripts…

2017-08-30 Trickbot Maldoc – Part Two

Continuing from my update yesterday (see 2017-08-30 Trickbot Maldoc – Part One), it looks as if sometime last night while I was working on the writeup, and perhaps again this morning, Trickbot got cheeky and updated itself. It looks as if the file “Atpsijj.exe” is a new file with a different size and hash, and now I have a complete “Modules” folder. From a host perspective, the malware is working pretty much as I described yesterday. From a network communication perspective, though, there are some different IP addresses, and from what I was able to determine from looking at the string…

2017-08-30 Trickbot Maldoc – Part One

For today’s post, I will be looking at a malicious Word document that we received spoofing NatWest, which led to Trickbot malware being installed on the system. After I found this sample, I started to see posts on Twitter from people like @dvk01uk and @VK_Intel about Trickbot. For this initial investigation there are three PCAPs, since I initially did not see much going on after the initial infection; then, after a couple of minutes, I started to see more traffic and fired up Wireshark again to see what I could capture. The last one is from when I…

2017-08-28 Malspam Leads To Emotet Malware

For today’s post, I am walking through an Emotet malspam that we received this past Friday that contained a simple link which led to a macro-enabled Word document. Googling around, I see that @dvk01uk came across the same URLs 5 days ago. You can read that post here. Running the maldoc in my test VM showed that the initial link was still working and downloaded an executable. When running that executable on my test VM, I saw a couple of POST requests going to dead sites. First I will walk through the script that I deobfuscated, and then the…

2017-07-25 Malspam Leading To Emotet Malware

Today’s post is based on a malicious email that I saw in our email filters. The email (seen below) had a simple link in it that took the user to a site that automatically started a download of a malicious Word document. The odd thing is that when you visited the site in IE8, it would not allow you to connect. The link seemed to work just fine in Chrome or via Malzilla. From what I am able to gather based on the network traffic within the PCAP files, along with the results from the Virustotal and Hybrid-Analysis links, it looks…

2017-07-03 Malspam Leading To Geodo/Emotet Malware

This write-up stems from a user getting a malicious Word document via an email for an invoice. Running the PCAP file through Network Total, I saw that this was tagged as Geodo/Emotet malware. Googling around for Emotet, I came across a Forcepoint article in which they did a great walk-through, which you can read about here. Their article seems to cover most of what I was seeing from the network traffic perspective. Fortinet has two more articles (http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1 and http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-2) that go into really good detail about how this malware works. For the artifacts from this investigation, check…

2017-06-23 Loki Bot Malware Using CVE 2017-0199

Looking for some malspam yesterday, I came across something that looks like it was exploiting the CVE 2017-0199 vulnerability in MS Office RTF files. FireEye did a nice write-up of this, which you can read here. Googling to see if anyone else had seen these domains before, I was able to find that @Security Doggo had a sample back on the 14th of June for the dev[.]null[.]vg domain and that Sophos has written about the toopolex[.]com domain in their “Troj/Fareit-DEB” report. Running the PCAP through Network Total’s tool, I saw that it is labeling this infection as part…
