Category: Packet Analysis

Looking for some malspam yesterday and I came across something that looks like it was exploiting the CVE 2017-0199 vulnerability in MS Office RTF files. FireEye did a nice write-up of this which you can read here. Googling to see if anyone else had seen these domains before, I was able to find that @Security Doggo had a sample back on the 14th of June for the dev[.]null[.]vg domain and that Sophos has written about the domain toopolex[.]com domain in their “Troj/Fareit-DEB” report. Running the PCAP through Network Total’s tool, I saw that it is labeling this infection as part…

Continue reading

So yesterday I came across some malspam that used a PDF with an embedded Word document in it that encrypted my test VM with the Jaff ransomeware. It looks like Brad (@Malware_Traffic) received something very similar to me which you can read about here. As a side note, I did get the script from the Word doc via OfficeMalScanner, but I am still trying to go through it since it does not make complete sense to me. If I make any progress on that I will do another blog post about it. Thankfully the malicious URLs are not obfuscated and…

Continue reading

As promised from my last post, here is the write up from running the malicious Javascript in my VM. Initially a couple of us on Twitter thought that this may be GEO IP specific since they could not get it to run in the US, and nor could I. I could only seem to get it to work when using European endpoints. Turns out that I forgot to delete the *.tmp file that got created when running the Javascript script when I started bouncing around different VPN locations. As of this write-up, I was able to get the malware to…

Continue reading

Trolling through the email filters today I came across this nugget. From what I can tell this looks to be related to the Adwind/JRat family of malware. This particular RAT was found in an email that is in Turkish. Kaspersky has a quick write-up about this RAT which you can find here. As usual, you can find the artifacts from this investigation over in the Github repo here. The Google translation of the email states the following: Subject: Could you take a look at all your orders? Body of email: Could you take a look at all your orders? Hello,…

Continue reading

Below is my write up from Brad’s last malware exercise. You will be able to find the artifacts from these two investigations over on my Github page which can be found here. Executive Summary ================== The brothers caused infections on their systems by opening malicious emails that were sent to them via their shared email address. Marion’s system received the Cerber ransomware infection and has encrypted different files on his system, while Marcus’ system has a generic malware infection which may have caused data exfil over a TOR network connection. About the Investigation ======================== Overall, the brothers system’s should be…

Continue reading

Monday there was a file sent via email to an employee with a maldoc attached to it. The maldoc was encrypted and used the password of 3443 to unlock it. Once you unlocked the document, it asked to enable macros. It is from here that this analysis starts. This infection chain seems very close to the one that Sophos had reported on here in this link. Like the test done in the Sophos article, I was not able to get any callback traffic generated on my test VM. Based on the Virustotal and Hybrid-Analysis links and the article from Sophos,…

Continue reading

A little late for this write-up, but here is an example of some Kovter/Osiris malspam that I was able to find from late last week. While researching some of the URLs below I came across My Online Security’s blog post which had the domains listed below. It looks as if they have been keeping tabs on these types of emails and the callbacks used as well. All artifacts from this investigation can be found in this Github repo located here. The attack is a simple one; phishing emails sent to users suggesting that the person has a UPS shipment that…

Continue reading

In this post I was able to investigate a Hancitor/Pony/zloader malspam message. Looking around for some more information about this infection, I was able to find the following links: – Brad’s SANS ISC Blog post talking about this exact malspam: http://isc.sans.edu/forums/diary/HancitorPonyVawtrak+malspam/21919/ – Hybrid Analysis’ report for another example of this malspam: http://www.hybrid-analysis.com/sample/827873b4d0b846e9bc372bfdac135ec7431baa809366633df4eac15235b9736c?environmentId=100 – Looking at the Virustotal comments, I saw Techhelplist had commented about this and then looked for the Tweet: http://twitter.com/Techhelplistcom/status/824283429181259776 As usual, all the artifacts, the PCAP, and ProcMon log can be found in my Github repo for this investigation here. Update After posting this blog entry out…

Continue reading

For this blog post, I was able to infect my VM with Cerber from a link that I found via a Tweet that @malware_traffic retweeted from @Techhelplistcom. I am not able to determine how a user would get directed to this site though, so that part is a mystery. Overall, this was pretty straight-forward Cerber infection that one has become used to seeing. The artifacts and logs/pcap for this infection can be found in this repo here. IOCs: ===== 92.242.40.154 / sallykandymandy[.]top/search.php 11.56.22.0 – 11.56.22.31 (UDP Port 6892) 17.35.12.0 – 17.35.12.30 (UDP Port 6892) 91.239.24.0 – 91.239.24.255 (UDP Port 6892)…

Continue reading