2017-07-25 Malspam Leading To Emotet Malware

Today’s post is based on a malicious email that I saw in our email filters. The email (seen below) had a simple link in it that took the user to a site that automatically started a download of a malicious Word document. The odd thing is that when you visited the site in IE8, it would not allow you to connect. The link seemed to work just fine in Chrome or via Malzilla. From what I am able to gather based on the network traffic within the PCAP files, along with the results from the VirusTotal and Hybrid-Analysis links, it looks…

2017-07-03 Malspam Leading To Geodo/Emotet Malware

This write-up stems from a user getting a malicious Word document via an email for an invoice. Running the PCAP file through Network Total, I saw that this was tagged as Geodo/Emotet malware. Googling around for Emotet, I came across a Forcepoint article in which they did a great walk-through, which you can read here. Their article seems to cover most of what I was seeing from the network traffic perspective. Fortinet has two more articles (http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1 and http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-2) that go into really good detail about how this malware works. For the artifacts from this investigation, check…

2017-06-23 Loki Bot Malware Using CVE-2017-0199

Looking for some malspam yesterday, I came across something that looks like it was exploiting the CVE-2017-0199 vulnerability in MS Office RTF files. FireEye did a nice write-up of this, which you can read here. Googling to see if anyone else had seen these domains before, I found that @Security Doggo had a sample back on the 14th of June for the dev[.]null[.]vg domain and that Sophos has written about the toopolex[.]com domain in their “Troj/Fareit-DEB” report. Running the PCAP through Network Total’s tool, I saw that it is labeling this infection as part…

2017-05-31 Cleaned Up Script from Jaff Ransomware

So last week I came across some malspam that used a PDF with an embedded Word document in it that encrypted my test VM with Jaff ransomware, which I discussed here. Trying to figure out how the script worked, I came across some things that I had not seen done before. Here is my walk-through of this script. I started with the cleaned-up scripts that made up the macro, obtained by running OfficeMalScanner against the Word document. Once I had the scripts, I walked through the code starting with the “ThisDocument” script. This is where the malicious macro will…

2017-05-26 Jaff Ransomware From Malspam

So yesterday I came across some malspam that used a PDF with an embedded Word document in it that encrypted my test VM with the Jaff ransomware. It looks like Brad (@Malware_Traffic) received something very similar to mine, which you can read about here. As a side note, I did get the script from the Word doc via OfficeMalScanner, but I am still trying to go through it since it does not make complete sense to me. If I make any progress on that I will do another blog post about it. Thankfully the malicious URLs are not obfuscated and…

2017-05-22 Blankslate/GlobalImposter Malspam

As promised in my last post, here is the write-up from running the malicious JavaScript in my VM. Initially a couple of us on Twitter thought that this may be GeoIP specific, since they could not get it to run in the US, and neither could I. I could only seem to get it to work when using European endpoints. Turns out that I forgot to delete the *.tmp file that got created when running the JavaScript when I started bouncing around different VPN locations. As of this write-up, I was able to get the malware to…

2017-05-19 Deobfuscating Malicious JavaScript

Just a quick post for today’s blog. Once again I went digging through some emails looking for some badness and came across an email that had a zipped JavaScript file in it. Seeing this, I thought that I would take a crack at trying to deobfuscate the script. I’ll post later on what traffic comes from the script when running it on my VM. Until then, you can find the malicious JavaScript and the cleaned-up script files here. At first glance, this JavaScript file made no sense, since Notepad++ was treating most of the script as a comment since it…

2017-05-15 Adwind/JRAT RAT from MalSpam

Trawling through the email filters today I came across this nugget. From what I can tell this looks to be related to the Adwind/JRat family of malware. This particular RAT was found in an email that is in Turkish. Kaspersky has a quick write-up about this RAT, which you can find here. As usual, you can find the artifacts from this investigation over in the Github repo here. The Google translation of the email states the following:

Subject: Could you take a look at all your orders?

Body of email: Could you take a look at all your orders? Hello,…

Malware Exercise 2017-04-21 Double Trouble

Below is my write-up from Brad’s last malware exercise. You will be able to find the artifacts from these two investigations over on my Github page, which can be found here.

Executive Summary
==================

The brothers caused infections on their systems by opening malicious emails that were sent to them via their shared email address. Marion’s system received the Cerber ransomware infection, which has encrypted different files on his system, while Marcus’ system has a generic malware infection which may have caused data exfiltration over a Tor network connection.

About the Investigation
========================

Overall, the brothers’ systems should be…

2017-05-03 Smokeloader/Dofoil malware from Malspam

This investigation stems from a maldoc that was sent to us yesterday. It is your standard maldoc that requires you to enable content in order to get the embedded script to run. From the looks of it, the malware used in this infection is Smokeloader/Dofoil. For more information about this type of infection, Forcepoint has a good write-up, which you can read here. Granted, it is not an exact match for this infection, but it helps to explain some of the behavior that the malware exhibited. I also had some fun trying my hand at de-obfuscating…
