2017-05-26 Jaff Ransomware From Malspam

So yesterday I came across some malspam that used a PDF with an embedded Word document in it that encrypted my test VM with the Jaff ransomware. It looks like Brad (@Malware_Traffic) received something very similar to mine, which you can read about here. As a side note, I did get the script from the Word doc via OfficeMalScanner, but I am still trying to go through it since it does not make complete sense to me. If I make any progress on that I will do another blog post about it. Thankfully the malicious URLs are not obfuscated and…


2017-05-22 Blankslate/GlobalImposter Malspam

As promised in my last post, here is the write-up from running the malicious JavaScript in my VM. Initially a couple of us on Twitter thought that this may be GeoIP specific since they could not get it to run in the US, and neither could I. I could only seem to get it to work when using European endpoints. Turns out that I forgot to delete the *.tmp file that got created when running the JavaScript when I started bouncing around different VPN locations. As of this write-up, I was able to get the malware to…


2017-05-15 Adwind/JRAT RAT from MalSpam

Trolling through the email filters today I came across this nugget. From what I can tell this looks to be related to the Adwind/JRat family of malware. This particular RAT was found in an email that is in Turkish. Kaspersky has a quick write-up about this RAT which you can find here. As usual, you can find the artifacts from this investigation over in the Github repo here. The Google translation of the email states the following:

Subject: Could you take a look at all your orders?

Body of email: Could you take a look at all your orders? Hello,…


Malware Exercise 2017-04-21 Double Trouble

Below is my write-up from Brad’s last malware exercise. You will be able to find the artifacts from these two investigations over on my Github page which can be found here.

Executive Summary
==================
The brothers caused infections on their systems by opening malicious emails that were sent to them via their shared email address. Marion’s system received the Cerber ransomware infection and has encrypted different files on his system, while Marcus’ system has a generic malware infection which may have caused data exfil over a TOR network connection.

About the Investigation
========================
Overall, the brothers’ systems should be…


2017-05-03 Smokeloader/Dofoil malware from Malspam

This investigation stems from a maldoc that was sent to us yesterday. It is your standard maldoc that requires you to enable content in order to get the embedded script to run. From the looks of it, the malware that is used in this infection is Smokeloader/Dofoil. For more information about this type of infection, Forcepoint had a good write-up about it which you can read here. Granted it is not an exact match for this infection, but it helps to explain some of the behavior that the malware used. I also had some fun trying my hand at de-obfuscating…


2017-04-03 Malspam leading to Graftor/Ursnif

Monday there was a file sent via email to an employee with a maldoc attached to it. The maldoc was encrypted and used the password 3443 to unlock it. Once you unlocked the document, it asked you to enable macros. It is from here that this analysis starts. This infection chain seems very close to the one that Sophos had reported on here in this link. Like the test done in the Sophos article, I was not able to get any callback traffic generated on my test VM. Based on the Virustotal and Hybrid-Analysis links and the article from Sophos,…


2017-02-06 Kovter/Osiris UPS Malspam

A little late for this write-up, but here is an example of some Kovter/Osiris malspam that I was able to find from late last week. While researching some of the URLs below I came across My Online Security’s blog post which had the domains listed below. It looks as if they have been keeping tabs on these types of emails and the callbacks used as well. All artifacts from this investigation can be found in this Github repo located here. The attack is a simple one; phishing emails sent to users suggesting that the person has a UPS shipment that…


2017-01-25 Hancitor/Pony/zloader Malspam

In this post I was able to investigate a Hancitor/Pony/zloader malspam message. Looking around for some more information about this infection, I was able to find the following links:

– Brad’s SANS ISC Blog post talking about this exact malspam: http://isc.sans.edu/forums/diary/HancitorPonyVawtrak+malspam/21919/
– Hybrid Analysis’ report for another example of this malspam: http://www.hybrid-analysis.com/sample/827873b4d0b846e9bc372bfdac135ec7431baa809366633df4eac15235b9736c?environmentId=100
– Looking at the Virustotal comments, I saw Techhelplist had commented about this and then looked for the Tweet: http://twitter.com/Techhelplistcom/status/824283429181259776

As usual, all the artifacts, the PCAP, and ProcMon log can be found in my Github repo for this investigation here.

Update
After posting this blog entry out…


2017-01-25 Cerber infection

For this blog post, I was able to infect my VM with Cerber from a link that I found via a Tweet that @malware_traffic retweeted from @Techhelplistcom. I am not able to determine how a user would get directed to this site though, so that part is a mystery. Overall, this was a pretty straightforward Cerber infection that one has become used to seeing. The artifacts and logs/pcap for this infection can be found in this repo here.

IOCs:
=====
92.242.40.154 / sallykandymandy[.]top/search.php
11.56.22.0 – 11.56.22.31 (UDP Port 6892)
17.35.12.0 – 17.35.12.30 (UDP Port 6892)
91.239.24.0 – 91.239.24.255 (UDP Port 6892)…


2017-01-23 Dridex Malware from Malspam

Here is an example of some Dridex malspam that I was able to analyze yesterday. As usual the artifacts and such can be found over in my Github repo found here.

Analysis:
=========
When looking at…
