As promised from my last post, here is the write up from running the malicious Javascript in my VM. Initially a couple of us on Twitter thought that this may be GEO IP specific since they could not get it to run in the US, and nor could I. I…
Just a quick post for today’s blog. Once again went digging through some emails looking for some badness and came across an email that had a zipped Javascript file in it. Seeing this I thought that I would take a crack at trying to deobfuscate the script. I’ll post later…
Trolling through the email filters today I came across this nugget. From what I can tell this looks to be related to the Adwind/JRat family of malware. This particular RAT was found in an email that is in Turkish. Kaspersky has a quick write-up about this RAT which you can…
Below is my write up from Brad’s last malware exercise. You will be able to find the artifacts from these two investigations over on my Github page which can be found here. Executive Summary ================== The brothers caused infections on their systems by opening malicious emails that were sent to…
This investigation stems from a maldoc that was sent to us yesterday. It is your standard maldoc that requires you to enable content in order to get the embedded script to run. From the looks of it, the malware that is used in this infection is Smokeloader/Dofoil. For more information…
Monday there was a file sent via email to an employee with a maldoc attached to it. The maldoc was encrypted and used the password of 3443 to unlock it. Once you unlocked the document, it asked to enable macros. It is from here that this analysis starts. This infection…
So for today’s update, a change of pace. A couple of weeks ago I came across a Tweet from someone that I follow on Twitter. Unfortunately I can’t find the one that caught my eye, but the link was to Open Analysis Live’s video. The video was covering an “user…
A little late for this write-up, but here is an example of some Kovter/Osiris malspam that I was able to find from late last week. While researching some of the URLs below I came across My Online Security’s blog post which had the domains listed below. It looks as if…
In this post I was able to investigate a Hancitor/Pony/zloader malspam message. Looking around for some more information about this infection, I was able to find the following links: – Brad’s SANS ISC Blog post talking about this exact malspam: https://isc.sans.edu/forums/diary/HancitorPonyVawtrak+malspam/21919/ – Hybrid Analysis’ report for another example of this…
For this blog post, I was able to infect my VM with Cerber from a link that I found via a Tweet that @malware_traffic retweeted from @Techhelplistcom. I am not able to determine how a user would get directed to this site though, so that part is a mystery. Overall,…