Malware Exercise 2016-11-19 A luminous future

Brad has a new one out and I figured that I would take a break from studying to crank this one out. Artifacts for this exercise can be found here. Hope that everyone has a great Thanksgiving this week!

Executive Summary
=================

Based on what is in the PCAP, there are two issues going on. The first issue is that the user went to a compromised site called www[.]spoofee[.]com which had a malicious script injected into it which directed the user to another site which used a Flash exploit from the Rig EK (exploit kit) against the client system. This…


Malware Exercise 2016-10-15 Crybaby businessman

So it has been a while since I have updated the blog. The joys of trying to study for the SANS GCIA while also working and trying to squeeze in some time for the family as well. So I thought that I would pick up on the latest exercise that Brad published (granted it was from last month). As usual, the artifacts found in this investigation can be found in my Github repo located here. Once I have taken the test (and hopefully passed it), I can get back to writing more stuff and trying to figure out how the…


2016-09-28 Malspam and Cerber3 Infection

So it has been a while since I have written something for the blog so I apologize for that. With that being said, here is a quick example of some malspam leading to a Cerber3 infection. Like its previous versions, the delivery method for this one was via email with a malicious attachment. In this case the attachment was a password-protected zip file containing the malicious Word document. All the artifacts that I could gather along with the PCAP can be found at my Github repo here.

Indicators of Compromise
========================

rDNS: 0.234.184.31.in-addr.arpa – 52uo5k3t73ypjije.dk0urs.bid
btc.blockr.io (Port 80)
http://80.82.64.45/~yakar/msvmonr.exe (Port…


2016-08-05 Malspam Leads To Nemucod/Zepto Ransomware

For this blog post I am covering what looks to be a new variant of Locky ransomware called “Zepto” which also uses Nemucod as its downloader. As of right now it looks like the main attack vector for Zepto is emails pretending to be something else (in this case a JPG in a zip archive) attached to an email as you can see below: For some more information about this new variant of Locky please check out The Register’s article about it here. Also, the artifacts from this investigation along with the PCAP and Process Monitor logs can be found…


2016-07-20 Another Nemucod/Kovter Malspam Example

Here is another example of Nemucod/Kovter that I saw at work. It very much resembles another one that I saw and wrote up a while ago (see http://www.herbiez.com/?p=535). For more information about how Nemucod/Kovter keeps its persistence on the host system, please read this excellent post on MalwareBytes’ blog here. Since the MalwareBytes blog covers the filesystem aspect incredibly well, I am not going to talk about it here since this one mimics what is seen in that post. Also, if you would like to see the artifacts found in this investigation, please see the Github repo…


2016-06-30 Cerber infection from Malspam

So this past week I went trolling through the email filters at work to see what “goodies” I could find that it had blocked. A lot of the ones that I had tested and played around with either 1) did not work since the callbacks were already fixed, or 2) would not detonate fully on my test VM. Yesterday I was finally lucky to find one that was fully operational and worked. The email was very simple and had a zip file attached to it that held a JavaScript file which led to a Cerber infection. For all the artifacts…


2016-06-14 Malspam Delivers Nemucod/Kovter/xxxCrypt

Here is another example of some malspam I was able to find the other day while at work. From what I can tell this is the standard Nemucod/Kovter malware (since it drops other malicious binaries on the system) with a version of XXXCrypt embedded in it. I was able to find some more information about this malware (which looks very close to the sample that I have below) over on Fortinet’s blog post here. There was one thing that was different that Fortinet’s blog did not talk about – the presence of some PHP files. Another blog from Reaqta talks…


2016-06-05 Malspam delivering more Nemucod/Locky – incomplete infection

Below is a write-up of a malicious email that I received the other day that looks to be a Nemucod/Locky combination based on the results from the upload of the PCAP to VirusTotal. Unfortunately it looks like this one did not fire completely as I did not get the “all your files are encrypted” message, and from looking at the PCAP there was just one GET request and nothing more. Possibly because this was several days old and the callback domains/IP addresses had already been taken offline (just a theory since several DNS calls were made and no DNS record…


2016-05-22 Malicious Dridex email

The other day while working we started to get a wave of malspam hitting the company. Looking into this malicious Word document revealed something was a little different than what I was used to seeing from Dridex Word malspam. The thing that really made me scratch my head was the fact that I was not seeing any traffic that looked malicious, and one of the files that was dropped had the same hash as the Windows “calc.exe.” The next day while waiting for the family to get ready to go out, I started Googling around for some of the things…


2016-05-10 Locky Infection From MalSpam

This post is covering some Locky malspam that I was able to find while working in the SOC the other day. For the artifacts and such from this post, please see the Github repo located here.

IOCs:
====

5.39.70.7 / cmobilier.com
193.124.185.87

File name: export_xls_5F0.zip
MD5 hash: 11e29168d188a4af060772422bb8a1d2
Size: 8KB
VirusTotal: http://www.virustotal.com/en/file/88ba0118c53b1c9119084bd0700db0c01f39cfe1f2b5d71ed10c4c14bd93c42f/analysis/
Detection ratio: 11 / 57
First submission: 2016-05-10 09:10:35 UTC

Within the zip archive there are 3 JavaScript files that look identical. The 3 files have the following characteristics:

File name: transactions 4337328.js / transactions 4337328.js – copy.js / transactions 4337328.js – copy (2).js
SHA1 hash (same hash…
