Posts

Showing posts from 2020

Decoding and Extracting URLs from Emotet Powershell (December 2020 Variant)

Some of the latest samples I've been seeing for Emotet look like this app.any.run report. Using CyberChef, we can decode the PowerShell from this sample to extract the download links for the malware:

From_Base64('A-Za-z0-9+/=',true)
Remove_null_bytes()
Find_/_Replace({'option':'Regex','string':'[`\'+()]'},'',true,false,true,false)
Find_/_Replace({'option':'Regex','string':'\\]e1r\\[S'},'http',true,false,true,false)
Extract_URLs(false)
Find_/_Replace({'option':'Simple string','string':'@'},'\\r',true,false,true,false)

Of course some of the "replace strings" will vary, so this recipe will have to be changed in certain places at times. Some other additional items to look at, from an EDR perspective, might be: Rule 1: ParentProcess contains Rundll32.exe AND process contains Rundll32.exe AND ProcessPa...

Solarmarker aka Jupyter Malware observations for December 2020

Just a quick update. I've been hunting this malware for a bit; you can see details on this malware in my previous post or the write-ups from Morphisec or Red Canary. Today, using the same methodology I typically use, I did a Google hunt (site:cdn.shopify.com "free-tempalte"). This often yields some results; it used to get more live results from (site:sites.google.com), but those seem to be dead lately. Quickly I found one called "Hole in One Certificate Template Free": hxxps://cdn[.]shopify[.]com/s/files/1/0499/5570/0887/files/hole-in-one-certificate-template-free[.]pdf?v=1602361119 I notice a lot of these, maybe all of them, have the pdf?v=[0-9] pattern. This may be normal for PDFs hosted here though. I was hoping to find some new samples; many I've found lately were leading to the same EXE and, incidentally, the same DLL and C2. Today, however, I found a new sample. It mostly runs the same; however, this time the Icon Hash is no longer mimicking ...

Solarmarker Infostealer lures have officially gone too far!

As I continue to hunt for various lures and redirects for the Jupyter Infostealer, outlined in my previous article, I am amazed at the vast array of searches that lead to the malware! I took a game I enjoy and decided to search for that, using known "initial" pages where the redirects have been seen. Oh.... they got Dragon Quest too! This makes me sad.... As it is, I've found several other links just like this, and so far all of the ones I've found in the last couple of days end up landing on the same file hash (different name of course) as the one in my previous article. Hash: da2eb36e763ecf1a47532e9f8efeacb7 Again, there are also many redirects involved, mostly .tk TLDs. I suspect these large droppers are being rotated out on some schedule, monthly perhaps. So maybe I won't run into a new sample dropper and .DLL for a bit. If anyone finds anything different, please let me know!

Tracking Jupyter Malware AKA Solarmarker

*Updated March 10, 2022 (Detection rules for new variant observed March 2022.) I have had the opportunity to track the .NET backdoor dubbed by Morphisec as Jupyter Infostealer, A.K.A. Solarmarker. I was excited to see this writeup since this was a malware family that I and other researchers on Twitter were discussing for a couple of weeks prior to the Morphisec article, before there was an attributed name to the malware. This was in October, and we were all sharing some bits of information we had on this; since that time I have also been using custom YARA signatures to perform live hunts and retro-hunts in VirusTotal to continue to keep up on this malware. Recently I saw that Red Canary had written this up, dubbing it Yellow Cockatoo. Again, I was very excited to see some more attention being paid to this malware; I enjoyed both writeups. Red Canary and Morphisec provided excellent information! Since I've been tracking this for some time, and commenting on all new sampl...

Multi-byte XOR Decoding with a known key

Just before New Year's I created a small challenge for my co-workers. I won't share the exact challenge here, but the details were as follows:

1. A JPG of a snowy scene where the person pictured is saying "Rar!", a clue to look for the header of a RAR file.
2. Text in the picture saying to remove the [SNOW].
3. EXIF data on the JPG which has the letters S N O W scattered throughout to create a minor obfuscation.

So, extract the appended RAR file from the JPG, then use something like the Linux command "tr -d [SNOW]" to remove the characters from the EXIF data, which reveals the password to extract the RAR file. Here's where I kind of made it a bit harder: the PNG file inside the RAR is XOR encoded with the key "FireWorks". In an attempt to make this somewhat obvious, or to provide some sort of clue, I appended a bunch of NULL bytes to the end of the PNG prior to encoding the whole file. As you can see from the image above, this is what the end o...

Demystifying Obfuscation - Backlog Series Part 1

In the spirit of trying to update more this year, I'm going back through some old samples that I've written decoders for. The following sample can be found at https://app.any.run/tasks/b4f51d23-6346-478b-9b1a-4fd6970274a2/ In particular, reference the following screenshot. In this example, the malware is using a custom alphabet that starts with aKCC.... and ends with $A5x. The rest of the script runs through the character positions in the alphabet (73;17;66...), finds the character at the location that corresponds to each number, and places that character there. With this knowledge we could manually go through and decode this. However, that would take a bit of time, so I wrote a quick Python script, which is provided on my website www.lukeacha.com; check out the tool here: http://www.lukeacha.com/downloads/emotet-decoder3.zip I wrote a CTF challenge based on this sample, so the downloaded file actually has the solve for the CTF I wrote last year. However, if you want...

Quick Run through on playing around with NSM

This week I have been asked twice about setting up a lab for those who are new to security, or colleagues who are less familiar with detection/response. So I figured that I would set up a quick, and somewhat "dirty", virtual machine for demonstrating at least some basics of how Network Security Monitoring (NSM) looks to an analyst who sees these types of events. As a quick note, I don't do a deep dive in this segment on how to carve an executable out of a PCAP or perform analysis of the executable; this is more of a demonstration of how you could set up a VM to replay malware PCAPs and see what alerts fire. The following assumes a little bit of knowledge of virtual machines and setting up an OS. OK, to begin, I downloaded the most recent version of Security Onion. Taking that ISO, and using VMware, I set up a new Linux virtual machine (Ubuntu based, 64-bit). Once the OS is loaded to the desktop, simply select Install Security Onion. I went with a lot of def...