Category: Packet Analysis

So this past week I went trolling through the email filters at work to see what “goodies” I could find that it had blocked. A lot of the ones that I had tested and played around with either 1) did not work since the callbacks where already fixed, or 2) would not detonate fully on my test VM. Yesterday I was finally lucky to find one that was fully operational and worked. The email was very simple and had a zip file attached to it that held a javascript file which lead to a Cerber infection. For all the artifacts…

Continue reading

Here is another example of some malspam I was able to find the other day while at work. From what I can tell this is the standard Nemucod/Kovter malware (since it drops other malicious binaries on the system) with a version of XXXCrypt embedded in it. I was able to find some more information about this malware (which looks very close to the sample that I have below) over on Fortinet’s blog post here. There was one thing that was different that Fortinet’s blog did not talk about – the presenece of some PHP files. Another blog from Reaqta talks…

Continue reading

Below is a write up of a malicious email that I received the other day that looks to be Nemucod/Locky combination based on the results from the upload of the PCAP form Virustotal. Unfortunately it looks like this one did not fire completely as I did not get the “all your files are encrypted” message, and from looking at the PCAP there was just one GET request and nothing more. Possibly because this was several days old and the callback domains/IP addresses had already been taken offline (just a theory since several DNS calls were made and no DNS record…

Continue reading

The other day while working we started to get a wave of malspam hitting the company. Looking into this malicious Word document revealed something was a little different than what I was used to seeing from Dridex Word malspam. The thing that really made me scratch my head was the fact that I was not seeing any traffic that looked malicious, and one of the files that was dropped had the same hash as the Windows “calc.exe.” The next day while waiting for the family to get ready to go out, I started Googling around for some of the things…

Continue reading

This post is covering some Locky malspam that I was able to find while working in the SOC the other day. For the artifacts and such from this post, please see the Github repo located here. IOCs: ==== 5.39.70.7 / cmobilier.com 193.124.185.87 File name: export_xls_5F0.zip MD5 hash: 11e29168d188a4af060772422bb8a1d2 Size: 8KB VirusTotal: http://www.virustotal.com/en/file/88ba0118c53b1c9119084bd0700db0c01f39cfe1f2b5d71ed10c4c14bd93c42f/analysis/ Detection ratio: 11 / 57 First submission: 2016-05-10 09:10:35 UTC Within the zip archive there are 3 javascript files that look identical. The 3 files have the following characteristics: File name: transactions 4337328.js / transactions 4337328.js – copy.js / transactions 4337328.js – copy (2).js SHA1 hash (same hash…

Continue reading

Another day at the office and another malicious Word document sent to a user in hopes of them running the macro. From what I can tell from my investigation below this malware has been talked about over at SANS ISC via Brad and looks to be a new type of ransomware called Cerber. With that being said, my investigation into this malware is WITHOUT any files being encrypted on my test VM and some of the other characteristics of this infection (my VM talking to me about it being infected). So after opening the Word document and enabling the macro,…

Continue reading

So here is my answers for the latest exercise from Brad. This one threw me off a bit as I thought that I was missing something when reviewing the PCAP since I was not seeing the “usual” things that I have come to expect from Brad when doing these exercises. It reminded me of when I was in school and would get through an exam with plenty of time to spare. I would then look around and see that the rest of the class was still chugging through the test. Then self-doubt would kick in. Did I miss something, or…

Continue reading

So here is another one from Brad. Talking to some of the other guys on the team, we all came to the conclusion that this one seemed kind of “generic” (for the lack of a better word); which leads me to believe that I missed something somewhere. LOL. The whole second guessing yourself really does suck at times. But anyways, here is my write-up of this latest one. Enjoy! About the Investigation ======================= – Date and time range of the traffic you’re reviewing. > 2016-02-28 22:38:13 – 2016-02-28 22:46:27 Elapsed: 00:08:14 – IP address, MAC address, and host name. >…

Continue reading

So it is another day at the office and I was looking at some of the malspam that we had received. So I decided to open one up and have a play. Let’s see what this one email is all about: As you can see, this is one of the “Notice to appear in Court” emails that has been going around for some time now. Let’s see what is in the zip file: Yay, it is another script file. Looking at it you can see some of the domains it tries to use and some other bits of information. I…

Continue reading

Happy New Year to everyone. Hope that you all had a great Christmas and New Year! With that being said, time to get back into the swing of things and working on the exercises from Brad. For the first one out of the gate, Brad has some traffic from three different hosts in one PCAP. The following is my write up of the exercise. As always, you can find the artifacts from my write on my Github page for this particular exercise. – Date and time range of the traffic you’re reviewing. > 22:05:47 – 22:17:18 Duration: 00:11:31 – IP…

Continue reading