2017-05-03 Smokeloader/Dofoil malware from Malspam

This investigation stems from a maldoc that was sent to us yesterday. It is your standard maldoc that requires you to enable content in order to get the embedded script to run. From the looks of it, the malware used in this infection is Smokeloader/Dofoil. For more information about this type of infection, Forcepoint published a good write-up on it, which you can read here. Granted, it is not an exact match for this infection, but it helps to explain some of the behavior the malware showed. I also had some fun trying my hand at de-obfuscating…

2017-04-03 Malspam leading to Graftor/Ursnif

On Monday an email with a maldoc attached was sent to an employee. The maldoc was encrypted and used the password 3443 to unlock it. Once you unlocked the document, it asked you to enable macros. It is from here that this analysis starts. This infection chain seems very close to the one that Sophos reported on here in this link. Like the test done in the Sophos article, I was not able to get any callback traffic generated on my test VM. Based on the Virustotal and Hybrid-Analysis links and the article from Sophos,…

Walk through of a VBS script

So for today’s update, a change of pace. A couple of weeks ago I came across a Tweet from someone that I follow on Twitter. Unfortunately I can’t find the one that caught my eye, but the link was to Open Analysis Live’s video. The video covered a “user submission” of a VB script that was attached to a malicious Word doc. I watched it; it made good sense and was pretty easy to follow. I kept that in the back of my head, so when the time came and I got the chance to try this…

2017-02-06 Kovter/Osiris UPS Malspam

A little late for this write-up, but here is an example of some Kovter/Osiris malspam that I was able to find from late last week. While researching some of the URLs below, I came across My Online Security’s blog post, which had the domains listed below. It looks as if they have been keeping tabs on these types of emails and the callbacks used as well. All artifacts from this investigation can be found in the Github repo located here. The attack is a simple one: phishing emails sent to users suggesting that the person has a UPS shipment that…

2017-01-25 Hancitor/Pony/zloader Malspam

In this post I was able to investigate a Hancitor/Pony/zloader malspam message. Looking around for some more information about this infection, I was able to find the following links:
– Brad’s SANS ISC Blog post talking about this exact malspam: http://isc.sans.edu/forums/diary/HancitorPonyVawtrak+malspam/21919/
– Hybrid Analysis’ report for another example of this malspam: http://www.hybrid-analysis.com/sample/827873b4d0b846e9bc372bfdac135ec7431baa809366633df4eac15235b9736c?environmentId=100
– Looking at the Virustotal comments, I saw Techhelplist had commented about this and then looked for the Tweet: http://twitter.com/Techhelplistcom/status/824283429181259776
As usual, all the artifacts, the PCAP, and the ProcMon log can be found in my Github repo for this investigation here.

Update
After posting this blog entry out…

2017-01-25 Cerber infection

For this blog post, I was able to infect my VM with Cerber from a link that I found via a Tweet that @malware_traffic retweeted from @Techhelplistcom. I am not able to determine how a user would get directed to this site, so that part is a mystery. Overall, this was a pretty straightforward Cerber infection of the kind one has become used to seeing. The artifacts and logs/pcap for this infection can be found in the repo here.

IOCs:
=====
92.242.40.154 / sallykandymandy[.]top/search.php
11.56.22.0 – 11.56.22.31 (UDP Port 6892)
17.35.12.0 – 17.35.12.30 (UDP Port 6892)
91.239.24.0 – 91.239.24.255 (UDP Port 6892)…

2017-01-23 Dridex Malware from Malspam

Here is an example of some Dridex malspam that I was able to analyze yesterday. As usual, the artifacts can be found over in my Github repo here.

IOCs:
=====
relish.net / 81.91.205.168 (Port 443)
www1.relish.net / 81.91.205.167 (Port 443)
u4593764.ct.sendgrid.net / 167.89.125.30
agfirstnz-my.sharepoint.com, prodnet329-325selectora0000.sharepointonline.com.akadns.net / 104.146.164.65 (Port 443)
BrightSteps.sharepoint.com, prodnet324-328selectora0000.sharepointonline.com.akadns.net / 104.146.164.25 (Port 443)
212.227.105.182 (Port 8343)
91.121.30.169 (Port 4431)

Artifacts:
==========
File name: Bill View.js
File size: 18KB
MD5 hash: 16e101cd7af89f643efecd1aa59a39cd
Virustotal: http://www.virustotal.com/en/file/149c8da70249e7ab3b055bd7b8afa15bac2a5d069195db9686b210fa6eb76073/analysis/
Payload Security: http://www.hybrid-analysis.com/sample/149c8da70249e7ab3b055bd7b8afa15bac2a5d069195db9686b210fa6eb76073?environmentId=100

File name: qqBfqaxXe.exe
File size: 154KB
MD5 hash: 55c2368aa15a128e946fafd700160375
Virustotal: http://www.virustotal.com/en/file/a38ea56e8849addbe6fd94c5196e02169504f9384618edb192b5e87d1a645b97/analysis/
Payload Security: http://www.hybrid-analysis.com/sample/149c8da70249e7ab3b055bd7b8afa15bac2a5d069195db9686b210fa6eb76073?environmentId=100

Analysis:
=========
When looking at…

Malware Exercise 2016-12-17 Your Holiday Present

Below is my write-up of the latest exercise from Brad. There are two things that I learned from doing this exercise: 1) there is a difference between TCP Stream and HTTP Stream, as there is more information available in the TCP Stream, and 2) how to convert an encoded file from base64 to ASCII. For this last one, I came across Matt Bromiley’s blog covering Brad’s exercise, and this was included in his write-up. As usual, all artifacts for this write-up can be found over in my repo located here.

Executive Summary
=================
Based on my analysis, it looks as…

2017-01-05 Fareit/Pony Malware from Malspam

Happy New Year to everyone! I hope everyone had a great holiday break. For the first post of the year, here is an example of a Fareit/Pony (Suricata) or Phoenix/Zeus (Snort) trojan that I was able to find in the email filters. For more information about this malware, please check out Fortinet’s post about it here. As usual, the artifacts from this investigation can be found over in my Github repo here.

Indicator(s) of Compromise
=========================
62.108.34.152 / ssstpc.usa.cc (Port 80)

Artifacts from Investigation
=============================
File name: PURCHASE ORDER.gz
File size: 117KB
MD5 hash: 83e493c4330bf53196d1ebfc1c9631f3
Virustotal: http://www.virustotal.com/en/file/b42a61b173e07385bfe0ae34153b61538ec916484f1653144223d63dee8cfc4e/analysis/
Detection ratio: 14…

2016-12-15 Crypt0L0cker Infection from Phishing Site

Here is an example of a Crypt0L0cker infection that I got from my Twitter feed. Thanks go to @JAMESWT_MHT, as he was the one that reposted the finding from @SettiDavide89. Below is my write-up for this one. The artifacts from this investigation can be found in my Github repo.

Indicators of Compromise
========================
5.200.35.167 / t2e.sda-express15.org (HTTP)
192.208.177.163 / inotechsalamat.com (HTTP)
154.35.32.5 (Only a SYN packet – no response)
94.177.12.9 / ukakal.shokogot.com (HTTPS)
94.177.12.9 / ulehyrabydo.shokogot.com (HTTPS)
94.177.12.9 / ohwvilubiki.shokogot.com (HTTPS)
86.59.21.38 / www.mk84h3987i4822ak.com (HTTPS)

Artifacts From Investigation
============================
File Name: sda_express.zip
File size: 5KB
MD5 hash: 1baace2a5e0f9921ca5e497ad80b60b2
Virustotal:…
