Lost in Security (and mostly everything else)

2020-09-22 Deobfuscating Emotet Script

September 22, 2020 September 22, 2020Code

Summary ========= In this post I am going to cover how I managed to to deobfuscate the macro for this Emotet (Epoch 2) sample. The maldoc can be found here. Analysis ========== With this, I started off with the tried and true OleTools suite to see if I could get anything from this sample. Unfortunately I got a lot of Python errors when trying to run this. I then tried to run it through OfficeMalscanner and got nothing back as well. Looking at the Word doc via “file” I could see that there was a macro in the file and…

2020-07-31 Deobfuscating IcedID Macro Script

August 2, 2020 August 2, 2020Code

Summary ========= This is just a quick writeup of how I managed to get the macro script decoded out of what appears to be an IcedID malspam campaign based on what I am seeing from URLHaus and this tweet from @p5yb34m. The link to the artifacts for this can be found at my Github here. Analysis ========= I am a huge fan of Philippe Lagadec’s OleTools suite for maldoc analysis (thanks for the awesome tools). So if I am not using OfficeMalScanner on my Windows VM, then I am using olevba or one of the other tools in the OleTools…

2020-07-17 ZLoader Malspam (Excel 4 Macros)

July 21, 2020 July 21, 2020Code, Packet Analysis

Summary ======== This is a late posting since I was originally playing with the malspam back on the 17th. In this case I was looking at some emails that were caught by the mail filters. Looking at the attachment in the email a little closer I noticed that this was one that I had not seen before but had read about on several different occasions – an Excel 4 macro. The interesting thing about this attack vector is the fact that it doesn’t rely on an embedded VB macro in the Excel spreadsheet per se, but uses the native built-in…

2020-05-27 Netsupport RAT Malspam

May 29, 2020 April 30, 2022Packet Analysis

Summary ======== Yesterday when reviewing the spam filters I found an email with a malicious attachment (.slk file) that setups the system to be infected with what looks to be a NetSupport RAT (based on the information found in the PCAP). I Checked the usual OSINT resources (ie: Hybrid Analysis, Malshare, MalwareBazaar, Anyrun, URLHaus, VT) for the hash of the attachment. Unfortunately there were no hits or results found. The initial link also had no hits yesterday either. The only hit from this malware was for the IP address 207.148.12.140 but that was in the forms of passive DNS results….

2020-04-06 Qealler RAT Malspam

April 7, 2020 April 7, 2020Packet Analysis

Meta ===== From: Bharti Ladwa Subject: EFT Supplier Number: 0003697 Link in the email: hxxps://jfreecss.co.uk/ Malware type: Qealler ———————- Basically this is a Java RAT. Below are some additional resources that explain how this type of malware works. http://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer http://securityboulevard.com/2019/10/hiding-in-plain-sight-new-adwind-jrat-variant-uses-normal-java-commands-to-mask-its-behavior/ http://www.securityinbits.com/malware-analysis/pyrogenic-infostealer-static-analysis-part-0x1/ Earlier today I came across a phishing email that had contained an embedded image which had a malicious link in it. Once it was clicked on, the site automatically redirected to another site which then proceeded to download a JAR file. I tried to deobfuscate the Java code in my VM but did not get anywhere fast. Knowing that…

2020-03-25 Agent Telsa Malspam – Covid-19 Themed

March 26, 2020 March 26, 2020Packet Analysis

Meta ===== From: World Health Organization Subject: COVID 19: Passaggi Medici Per Essere Sicuri Link in the email: hxxps://onedrive[.]live[.]com/download?cid=265DAF943BE0D06F&resid=265DAF943BE0D06F%21177&authkey=AIGcwdd1XE_CXLM Unlike the other one that I documented here I could not find any method of persistence in this infection. Also, once the EXE from the ISO has been extracted and executed, it created a child process of “RegAsm.exe” to do the heavy lifting while terminating itself as you can see in the below image. This is the process that made the callouts to the couple of IP addresses seen (including data exfil via port 587). Outside of that this was your…

2020-03-23 Agent Telsa Malspam

March 23, 2020 March 23, 2020Packet Analysis

Meta ===== From: Procurement – site@hamnc.com Subject: Purchase Order Attachment: Company Profile, Product Specification And Trial Order.pdf.img Running this in my VM I am seeing the usual call to get the external IP address of the system (api.ipify.org) and then the data exfil via mail.gandi.net over port 587 (TCP). The interesting thing is the persistence that was setup. Persistence was setup via the Windows Task Scheduler as seen below. The file that is being used in the Task Scheduler has the same hash as the file in the attachment. The location of this file (doQsVLzQv.exe) can be found in the…

2020-03-20 More Predator The Thief Malspam – Covid-19 Themed

March 20, 2020 March 20, 2020Code

Meta ===== From: *.xyz Subject: Various Covid-19 Attachment: covidXX_form.zip This looks to be related to Predator the Thief malspam based on the final script that gets executed which looks very close to the sample that I posted about over here. The zip file and VBScript can be found in my Github repo here. Here is the code in the actual VBScript. And then with it decoded (first pass). Which leads to this final code being runned on the system. Reference ========== – http://urlhaus.abuse.ch/browse.php?search=show1.website – http://malshare.com/search.php?query=d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c – http://bazaar.abuse.ch/browse.php?search=d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c – http://app.any.run/tasks/8f771d9c-355f-4262-bac0-0a1927f52222/ – http://gchq.github.io/CyberChef/#recipe=Reverse(‘Character’)From_Base64(‘A-Za-z0-9%2B/%3D’,true)Remove_null_bytes()&input=PT1BQTNBd2FBVUdBNEFRYUFBQ0EwQndjQWtHQU1CQWRBNEdBbEJRYkFVSEFuQmdjQUVFQXRBQUlBa0dBdEJ3TkFFREF5QkFJQU1IQXpCUVpBTUdBdkJnY0FBRkF0QUFkQUlIQWhCQWRBTUZBZ0FBSUFzREEzQXdhQVVHQTRBUWFBQUNBMEJnZUFVR0FyQmdhQUFDQWxCQVpBOEdBakJRWkFRR0F0QUFJQXdHQXBCQWRBVUhBMEJnY0FVR0FqQkFJQXNEQWlBQVVBMEVBRkJBVkFvREEyQmdiQVVHQWtBZ0lBQUNBb0JBZEFFR0FRQlFMQUFDQXVCd2JBa0dBMEJRWUFNR0F2QkFUQTBDQTBCUVpBTUZBZ0F3T0FJQ0F0QndiQU1HQXVBUWVBOEVBWkJBVUFrR0FjQkFVQTBFQUZCQVZBb0RBMkJnYkFVR0FrQWdJQXdDQWlBQWRBb0hBbEJ3YUFvR0FjQkFVQTBFQUZCQVZBb0RBMkJnYkFVR0FrQWdJQXdDQWlBUWJBOEdBakJnTEFrR0F0QndOQUVEQXlCQVhBQUZBTkJRUkFRRkE2QWdkQTRHQWxCQUpBSUNBZ0FnYkE4R0FwQkFkQUVHQXVCUWFBUUhBekJRWkFRRUF0QUFJQVFIQWhCQVpBNENBNUJ3VEFrRkFRQlFhQThDQWxCQWRBa0dBekJnWUFVR0EzQmdMQUVEQTNCd2JBZ0dBekJ3TEE4Q0E2QUFjQVFIQTBCQWFBd0NBMEJRWUFRR0F1QUFUQUVHQTVCUVpBZ0VBdkFRWkFRSEFwQndjQUlHQWxCd2RBNENBeEF3ZEE4R0FvQndjQThDQXZBZ09BQUhBMEJBZEFnR0FzQUFkQUVHQWtCZ0xBTUZBQkJnY0FVR0FQQndMQVVHQTBCUWFBTUhBaUJRWkFjSEF1QVFNQWNIQXZCQWFBTUhBdkF3TEFvREF3QkFkQVFIQW9CQUlBVUdBakJnY0FVSEF2QndVQTBDQWdBZ2NBVUdBbUJ3Y0E0R0FoQmdjQVFGQXpCQWRBa0dBQ0JRTEFRSEF5QlFZQVFIQVRCQUlBc0RBeUJRWkFZR0F6QmdiQUVHQXlCQVZBTUhBMEJRYUFJRUFnQVFaQXdHQTFCQVpBOEdBTkJRTEFRSEF5QndiQUFIQXRCUVM Artifacts ========== Email hashes ————- 182a2cc132f77bacda747c8b36ae82d807e5a3cee01c734deb29f2598b992918 —— ahpwzh909165720504.eml b23c073099a90b2d42c12c05ed86b09fc8ca563b044a411db55a066ce717cb69…

2020-03-18 Deobfuscation of MalDoc script – Possibly Predator the Thief

March 19, 2020 March 19, 2020Code

Meta ====== From: Debt Collections Agency Houston Subject: Collection letter for Account Identification number 021621495WZ Attachment: Word file I came across a piece of malspam that caught my eye. I did not try to run this since it was not responding in Any.Run and based on the results from URLHaus, the site was taken offline. Looking at VT and some other sites, I was not able to find any more information about this maldoc. The fun part with this one was trying to figure out what the macro was doing without having to execute it. Based on what I saw…

2019-10-16 Emotet maldoc deobfuscated

October 16, 2019 October 16, 2019Code

This sample is from a batch of emotet emails that I found in the email filters back on Monday afternoon (2019-10-14). While all the documents had a different hash (attached to this write-up), the macro that was executed was the same. Based on the URLs found in this sample, this looks like it was from “epoch 2” of emotet as documented here. This write-up is to document how I managed to deobfuscate the macro script. Artifacts =========== Analysis ========= To make this easier, I decided to use OfficeMalScanner to get the files that contained the macro code. Looking at those…