Deobfuscating an Emotet MalDoc Script

So this post covers the malicious macro script that was found in an older writeup for Emotet, which you can find here. While one could develop tools to help deobfuscate the macro script like @David Ledbetter did in his blog post, I wanted to show another way of doing it – manually, without any programs or scripts. I wanted to do it this way and document it since I have no talent or skill in the ways of developing programs/scripts to do this kind of work, and to show that it is possible to those of us that are “code…

2017-11-17 Maldoc Using CVE 2017-0199

This is a quick writeup on some maldocs that I was able to find in our email filters that used CVE-2017-0199. The emails had the same attachments in them (from a hash perspective), which were a Word document and an Excel spreadsheet. The Word document had a hidden OLE object, while the Excel spreadsheet had the hidden OLE object on the 3rd tab in the spreadsheet. Both these Office documents would reach out to a malicious domain and grab the HTA file, which would then have code in it to go and download the actual malicious binary…

2017-11-15 Another Malspam Message Leads to New Emotet

This is just a quick writeup for an Emotet malspam that I found in Triton. Nothing too detailed or anything of the sort. I was not able to obtain the initial malicious binary (73077.exe) from the Word document, so after getting all the details, I went back on a clean VM to get that file. The file 73077.exe should be the same as the one listed below – 12961.exe. The artifacts from this can be found over at my Github here. IOCs: ===== 172.81.117.237 / xanaxsleepingpills.website (GET /Invoice-number-588962/) 162.221.188.251 / www.medicinedistributor.com (GET /UVRJ/) 41.72.140.141:8080 (POST /) 69.43.168.196:443 (POST /) Artifacts:…

2017-11-01 Another Trickbot Maldoc

Looking through the email filters yesterday, I saw numerous emails from the sender “secure@hsbcdocuments.com” with the subject of “We need to confirm your details.” The email was a well-laid-out phish with a malicious Word document attached. This Word document led to a Trickbot banking malware infection via the use of a malicious macro instead of the DDE attack vector. Initially, when I was looking into these emails yesterday, I was not seeing anything online about them. As part of my daily morning reading, I went to @dvk01uk's site this morning and saw that it was…

2017-10-30 Generic Infostealer Malware Using UAC Bypass

A quick write-up on a generic infostealer that also uses a UAC bypass technique. I could not find much about this malware outside that it was a generic information stealing malware. For some interesting reading on how to bypass UAC within Windows, please see the following links: http://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ http://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/ http://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/ For the artifacts, ProcMon logs, and the PCAP from the investigation, please see my Github repo here. IOCs: ===== 216.146.43.70 / checkip[.]dyndns.org (GET /) 37.72.171.98 / yatupaints[.]com (POST /WebPanel/api.php) Artifacts: ========== File name: PO.zip File size: 128KB File path: NA MD5 hash: 96d897d444793e2aea70cf6b28224eac Virustotal: http://www.virustotal.com/#/file/4e01b1b9f1d1068de5d461f4469c7bfc1ccc906b182ee7354b6b6879e5110fdd/detection Detection ratio: 7 / 63…

2017-10-03 Nemucod Maldoc Leads to Locky (Ykcol) Infection

Quick post for today. I have been seeing a lot of malspam with malicious JavaScript attachments zipped inside a 7zip archive for the past couple of days. The emails themselves all seem to revolve around the theme of a receipt or invoice, as seen below. From what I can tell, the scripts are all about the same, and the binary downloaded from each of the sites is exactly the same file. I am not sure if this is the case with the other emails from yesterday or the day before, but I can only assume it is. All the scripts…

2017-08-30 Trickbot Maldoc – Part Two

So continuing from my update yesterday (see 2017-08-30 Trickbot Maldoc – Part One), it looks as if sometime last night while working on the writeup, and perhaps again this morning, Trickbot got cheeky and updated itself. It looks as if the file “Atpsijj.exe” is a new file with a different size and hash, and now I have a complete “Modules” folder. From a host perspective, the malware is working pretty much as I described yesterday. From a network communication perspective though, there are some different IP addresses, and from what I was able to determine from looking at the string…

2017-08-30 Trickbot Maldoc – Part One

For today’s post, I will be looking at a malicious Word document that we got spoofing NatWest, which led to Trickbot malware being installed on the system. After I found this sample, I started to see posts on Twitter from people like @dvk01uk and @VK_Intel posting about Trickbot. For this initial investigation there are three PCAPs, since I initially did not see much going on after the initial infection, and then after a couple of minutes I started to see more traffic and fired up Wireshark again to see what I could capture. The last one is from when I…

2017-08-28 Malspam Leads To Emotet Malware

For today’s post, I am walking through an Emotet malspam that we received this past Friday that contained a simple link which led to a macro-enabled Word document. Googling around, I see that @dvk01uk came across the same URLs 5 days ago. You can read that post here. Running the maldoc in my test VM showed that the initial link was still working and downloaded an executable. When running that executable on my test VM, I saw a couple of POST requests going to dead sites. First I will walk through the script that I deobfuscated, and then the…

2017-08-04 Quick Post – Deobfuscating the JavaScript from “Blank Slate” Malspam Pushing Gryphon Ransomware (A BTCware Variant)

Just a quick one for today. I saw Brad’s tweet about a sample of Blank Slate malspam and decided to see if I could find some today while at work. Thankfully the email filters did their job and all of them were blocked. Brad also blogged about this over on his blog, which you can read about here. Instead of breaking down the traffic and such (since he already did an excellent job at that, and since the callbacks are exactly the same as his), I figured that I would try my hand at deobfuscating the JavaScript. Some of it…
