Lost in Security (and mostly everything else)

2019-08-23 WSHRat Javascript de-obfuscation

August 23, 2019 August 23, 2019Code

Special thanks to one of my colleagues and @nazywam on Twitter that helped me with this. The Twitter thread about this can be found here. To obtain the Javascript file, see the Any.Run link here. The other day (2019-08-20) while looking at caught emails in the SPAM folder, I came across this malspam that was referencing a request for quote (ala: RFQ). The email had an attachment to it that was Gzipped. Unzipping it I saw there was a nicely obfuscated Javascript file. Opening it up and looking through it, there was some clear text code that follows after a…

2019-07-17 AveMaria InfoStealer/RAT with interesting UAC bypass

July 17, 2019 July 23, 2019Packet Analysis

I came across this sample yesterday via my usual method – the email filters. The email is your pretty standard stuff acting as a proposal for an order. Once you open the zip file, there is an executable. From here, the fun began. For the artifacts/logs/PCAP from this analysis, please see my Github repo for this here. IOCs: ===== respainc.duckdns.org / 79.134.225.51:28 (TCP) 8.8.8.8:53 (TCP) Artifacts: ========== Microsoft.exe/Quotation.exe a07a5a3100544aceeade42e743218e6a http://www.virustotal.com/gui/file/a52f455f897f54af3e3d1505e686d391171d2f981ba7971b63cc491708b12fee/detection First Submission 2019-07-16 10:12:09 28/67 engines detected this file Path: C:\Users%USERNAME%\AppData\Roaming | %TEMP% dismcore.dll 6b906764a35508a7fd266cdd512e46b1 http://www.virustotal.com/gui/file/fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c/detection First Submission 2018-10-24 20:23:05 51/70 engines detected this file Path: %TEMP% ellocnak.xml 427eb7374887305b72f5c552837c9036 http://www.virustotal.com/gui/file/b3f421780a49cbe680a317259d4df9ce1d0cdaca3020b4df0dc18cc01d68ccbb/detection…

2019-04-12 Crypto/Clipboard Stealer Malspam

April 13, 2019 April 13, 2019Packet Analysis

Yesterday I came across some malspam that I have not seen before and thought that I would do a quick entry for it. This particular malware sits quietly in the background and looks for crypto currency addresses being copied and pasted between applications/pages. The interesting part of this is that once the user “pastes” the crypto address into the other application/tab, the address is changed to one that the bad actor controls. Playing around with this in my VM, I did not notice it sending anything outbound within Wireshark, and nothing came up in Process Explorer which kind of makes…

2019-04-02 Interesting obfuscation from Emotet

April 4, 2019 April 4, 2019Code

So yesterday while going through the mail filters, I cam across this email: Looks to be pretty standard stuff to be honest. So the first thing that I did was run this through decalage2’s Vipermonkey to see if I could get at the macro script. Unfortunately Vipermonkey died and was not able to parse this file. So using Didier Stevens strings.py script (with the -L option to sort it from shortest to longest string) I was able to find the base64 script code. Here is the cleaned up version of the script: So everything up to this point seem to…

2019-02-12 Deobfuscating an Emotet maldoc

February 14, 2019 February 14, 2019Code

This blog entry is going to cover how I managed to de-obfuscate the macro from the Emotet sample that I was able to grab. The maldoc can be found in my Github repo located here: http://github.com/bloomer1016/2019-02-12-Deobfuscating-Emotet-Maldoc. Indicators of Compromise: ========================== MD5 of Word doc: 35c716c82f9912cb1a57bf7ee72e0c53 VT: http://www.virustotal.com/#/file/9fb5e5242394557e27ca3ccfc492f7db0f7474662148a8797953df702b4d78db/detection Any.Run: http://app.any.run/tasks/0e428667-3602-489f-85ac-1f022e2c9c1f Analysis: ========= So to be honest, I was using this maldoc as a case to try to get better using oledump from Didier Stevens. This all stems from his latest posts on the SANS ISC blog (http://isc.sans.edu/forums/diary/Maldoc+Analysis+of+the+Weekend/24626/ and http://isc.sans.edu/forums/diary/Video+Maldoc+Analysis+of+the+Weekend/24628/). Unfortunately I was not able to get this maldoc de-obfuscated as easily…

2019-01-18 Emotet Malspam

January 18, 2019 January 18, 2019Packet Analysis

Just a quick post about some emotet malspam from this morning. Pretty standard from what I can tell. For the artifacts, ProcMon log, and PCAP, please see the repo here. IOC: ===== http://kcespolska.pl//Details/2019-01 69.16.238.96:80 / hxxp://greenplastic.com/hUYu36qNEQ 134.0.11.142:80 / hxxp://stats.emalaya.org/gWItwAFU hxxp://innio.biz/rg1n590 hxxp://kiot.coop/yzc2cJzANO hxxp://atkcgnew.evgeni7e.beget.tech/HkHe3fKTc 200.43.114.10:8080 TCP Artifacts: =========== File name: 190118-Untitled-1653.doc File size: 127KB File path: NA MD5 hash: 1ce19abf935240c42b5f2959861c3ccc Virustotal: http://www.virustotal.com/#/file/3553ff9236d640518f6293464d195c54e09923c8ff3778b6d396b269db26d221/detection Detection ratio: 12 / 57 First detected: 2019-01-18 14:51:05 Any.Run: http://app.any.run/tasks/c066703c-130e-4f78-bd1c-18c9f300cb98 File name: ipropwfp.exe File size: 148KB File path: C:\Users\%username%\AppData\Local\ipropwfp MD5 hash: 4ca746d87cf1b5f6135c9f99e7044b2d Virustotal: http://www.virustotal.com/#/file/8a60dc9876ad042a6c957db6414918f33b932aa1fa0bc56799100968d2a992ab/detection Detection ratio: 25 / 69 First detected: 2019-01-18 15:05:53 Any.Run: http://app.any.run/tasks/2b777d77-06bc-430d-85f9-4d4a7abea5c1 / http://app.any.run/tasks/2842a89d-1db7-4993-a2aa-c098311fcd26 / http://app.any.run/tasks/e21438cb-3261-4611-b071-abe0f20d0ca1

2019-01-03 Adwind RAT/Houdini Malspam

January 4, 2019 January 7, 2019Code, Packet Analysis

**2019-01-07** After talking with some researches about this malware via this Twitter thread, the JAR file is only the delivery mechanism for the VB script inside it. Once the JAR file has been unpacked; the VB script executed that sends traffic to 31.171.152.106:2522 is related to the Adwind RAT. The VB script, and the data POSTed to ‘goz.unknowncrypter.com’ is related to Houdini. This post stems from looking at some malspam that had a JAR file as an attachment from yesterday. I also posted some of the information over on Twitter yesterday too. To see that thread click here. Based on…

2018-11-05 DarkComet Malspam

November 6, 2018 November 6, 2018Packet Analysis

Here is a quick writeup of some DarkComet RAT malspam that I was able to find this morning. The infection method is leveraging the standard RTF buffer overflow technique (CVE-2017-11882). For more information about what DarkComet is, please see the following link: http://www.contextis.com/en/blog/malware-analysis-dark-comet-rat All artifacts can be found over at my Github repo located here. I also have the memory dump post-infection saved here since it is too large for GitHub. Plus it gives me (and others) the ability to play with some memory forensics via Volatility. 😎 IOCs: ====== 209.90.88.141 / thinker101.5gbfree.com 23.227.201.154:1604 Artifacts: =========== File name: TYN NEW…

2018-10-31 Nanocore Malspam

November 1, 2018 November 1, 2018Packet Analysis

While looking through the email filters this morning, I came across several emails that had malicious Word docs attached to them. The sender was the same for all the emails along with the document that was attached. This is a write-up of what I was able to get from the malware on my VM. After doing some research it looks as if this malware is related to the Nanocore RAT. For more information about what this RAT is, please see the following link: http://www.stratosphereips.org/blog/2018/9/7/what-do-we-know-about-nanocore-rat-a-review For all the artifacts from this investigation, please see the the Github repo located here. IOCs:…

2018-10-24 Agent Telsa Malspam

October 24, 2018 October 24, 2018Packet Analysis

This is a quick write-up of some Agent Telsa malspam that I was able to find within our email filters. For a good overview of what this malware is and how it works, please see the following links: http://krebsonsecurity.com/2018/10/who-is-agent-tesla/ http://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html For the artifacts found from this investigation, please see my Github repo located here. IOCs: ===== 208.91.199.225:587 (TCP) Artifacts ======= File name: RFQ-HMA-2120864-18.arj File size: 216K File path: NA MD5 hash: 321a93e4393042bcae84ee695def3e63 Virustotal: http://www.virustotal.com/#/file/a84aafdffc64e7755dd1025781095c3244c9f1389e2e836ac2691ac0fa1a0925/detection Detection ratio: 25 / 56 First Detected: 2018-10-21 10:43:42 File name: RFQ-HMA-2120864-18.exe / tmpG998.tmp / MyOtApp.exe File size: 260K File path: NA / C:\Users\%username%\AppData\Local\Temp / C:\Users\Bill\AppData\Roaming\MyOtApp…