Posts

Showing posts from 2021

Possible Detection for MirrorBlast

Quick Post. I was looking at several samples of MirrorBlast and have noticed that while MsiExec is not a child process of Excel, it is still being called through loaded DLLs. Some EDR products should be able to look for this behavior. A process path containing Excel.exe with an image/module DLL load of msimsg.dll might prove to be an interesting way to detect this, per my Twitter post: https://twitter.com/luke92881/status/1446147033388273675

There are of course other DLLs, such as msi.dll and msimtf.dll (and others); however, msimsg.dll is the first one that appears to be an anomaly in the baselines I've run.

Small list of samples with this behavior:
https://app.any.run/tasks/74de3a74-f590-4bd7-aca6-c8fa7cd435fe/
https://app.any.run/tasks/9175439d-8d2c-4fa6-bcd5-a24017b97656/
https://app.any.run/tasks/134bee05-bb64-4647-8845-58b12cd31dba/

UPDATE: 10/16/2021 Interesting Anti-Sandbox FUD post on Twitter: Initial Detection Opportunity in EDR. https://twitter.com/bigmacjpg/stat...

Nymeria's multi-stage obfuscation downloader

Wanted to share a quick post on a neat downloader that goes through multiple stages of obfuscation. The sample can be found here: https://app.any.run/tasks/35593a77-04d7-4df3-8e37-ba9b0ea5e691 Specifically, look at the dropped PowerShell script from MsiExec in this screenshot.

For the first stage of obfuscation, we can see the characters used as separator values near the end of the PS1 code:
SPlIT( 'wyN{hZ-}') | % { ([Char] (

Using this we can then create a quick recipe in CyberChef:
Find_/_Replace({'option':'Regex','string':'[wyN{hZ\\-}]'},' ',true,false,true,false)
From_Charcode('Space',16)

As you can see from the above screenshot, we have some more obfuscation here. This one is fun, and as of this writing I'm not sure how to do this in CyberChef, but luckily it is a technique I've seen used by Emotet in the past. Essentially we just need to reorder the data below according t...

JS/BONDAT Worm Observed

Quick post, ran across a JS/BONDAT Worm variant and thought I would highlight some analysis and detection opportunities. The file I came across can be found here: https://app.any.run/tasks/b3654b29-8858-4769-90ae-4f45a5f27c5d/

First Detection Opportunity
This is a JavaScript file being executed via wscript. While this does not always mean "malicious", I find that detecting on Wscript.exe with a command line containing .js does catch a fair number of malware families. Of course, you may need to negate some false positives as you run across them, but this is a good start.

Second Detection Opportunity
From the above image, you can see Wscript.exe writing a .JS file. This may be a good item to key in on as well. Again, some minor false positives may exist, but those should be easy to negate.

Understanding the JavaScript
The first thing to do with the JS is to beautify it... We can go from This: To This: Right away we can see that some data about the victim is being coll...

Interesting LIME RAT/Keylogger Sample

Found an ISO file that executes VBS > MSHTA (downloaded from cdn.discord[.]com), which then launches PowerShell. The PowerShell script contains 2 Windows PE files (1 Base64 encoded, the other Base10 charcode).

Sample: https://app.any.run/tasks/5032cab3-c41d-4f04-a1a7-930ca0ee0b09
Hash: d4cc124021b66445b5a8d1203d36e899

Next part of execution: https://app.any.run/tasks/73584f72-ddba-46e0-9661-5351186c659d
Hash: a1987242a319ad25836ba3c211a13ba7

The executed PowerShell script encodings are decoded in the following images:

The Base64 executable (Google Chrome.dll) is found here: https://www.virustotal.com/gui/file/4071e1852e9b0dea859d73b1736df451466a197c31e6f81dc590cc37b270b92f/detection

The charcode executable (1118.exe), Lime Keylogger, is found here: https://www.virustotal.com/gui/file/c6fc9e3efaa2ee2f9c8cfca1154904819176a5e16e5341f88ec424bb727ca63b/detection

The 1118.exe executable C2 is top[.]killwhenabusing1[.]xyz

Honestly, not too much at this point surprised me, however,...

New VBS Downloader variant observed

Update February 11, 2021: This appears to be a Danabot downloader. I ran across the following sample: https://www.virustotal.com/gui/file/d2d729f364e3232e22746fd6520caefff465e2ae605e6429205793db37088a27/detection After grabbing the downloaded executable from the link in the VBS, I ran it through a sandbox: https://app.any.run/tasks/1cc898a5-c0b1-413f-86b1-3dedd259c191/ Today I saw another one, and here is that sandbox run: https://app.any.run/tasks/8173f683-8629-405a-b074-c3d1a44e04db

Quick post on this. I've run across a variant of a VBS downloader that does not appear to have a lot of detection, and I can only find a few other similar samples. There appear to be junk comments to throw off analysis and AV detection, but otherwise it's fairly easy to follow. Here is a screenshot: As you can see, this downloads another file, which appears to be placed in "programdata" and registered using regsvr32. The couple samples I've worked ...

Solarmarker aka Jupyter Infostealer Update January, 2021

Updated January 8, 2021 (Added additional lure observations at bottom)

This is just a short, quick update. It would appear that the initial vector has changed. CDN.shopify.com and Sites.Google.com no longer seem to be hosting these redirects/PDF files which contain redirects. However, after hunting on the icon hash in VirusTotal, I ran across another 100MB+ file with the PDF icon hash. The file used a similar naming convention to other observed samples in the past, containing the following: "rent-check-bounced-letter". Doing a quick Google search for "rent-check-bounced-letter" gives me the results. The link for this is "hxxps://www.braveheartmarine[.]com/rent-check-bounced-letter". Running this in my lab showed the same style of selecting "PDF" or "Doc" for download, which then led to a series of redirects to the Exe file. I have not been very successful running these on App.Any.Run... Here is the following attempt. https:...

Quasar RAT Activity January, 2021

Over the last couple of days of this new year, I've seen a couple of Quasar RATs come across my path, so I decided to highlight some of the analysis here. The first sample I'm looking at is invoice.iso (8fc2bdfaf329c652090d6bcd2f88b764). As you can see from the app.any.run link, this ends up dropping and executing a simple VBS file. Clearly, we see that this attempts to use "MSHTA" to navigate to the minpic[.]de link pictured above. This results in the following PowerShell script, cleverly disguised as a JPEG file. When we run a simple Base64 decoding against this, we get another URL in the minpic[.]de domain called by PowerShell: hxxps://www.minpic[.]de/t/be5r/18jv5z. When we look at this page, we see yet another PowerShell script which again references another link in the minpic[.]de domain! When we look at this URL we find a page that contains a whole bunch of hex code! The previous PowerShell script, which references this page of hex code, als...