Lost in Security (and mostly everything else)

This post is covering some Locky malspam that I was able to find while working in the SOC the other day. For the artifacts and such from this post, please see the Github repo located here. IOCs: ==== 5.39.70.7 / cmobilier.com 193.124.185.87 File name: export_xls_5F0.zip MD5 hash: 11e29168d188a4af060772422bb8a1d2 Size: 8KB VirusTotal: http://www.virustotal.com/en/file/88ba0118c53b1c9119084bd0700db0c01f39cfe1f2b5d71ed10c4c14bd93c42f/analysis/ Detection ratio: 11 / 57 First submission: 2016-05-10 09:10:35 UTC Within the zip archive there are 3 javascript files that look identical. The 3 files have the following characteristics: File name: transactions 4337328.js / transactions 4337328.js – copy.js / transactions 4337328.js – copy (2).js SHA1 hash (same hash…

Continue reading

Another day at the office and another malicious Word document sent to a user in hopes of them running the macro. From what I can tell from my investigation below this malware has been talked about over at SANS ISC via Brad and looks to be a new type of ransomware called Cerber. With that being said, my investigation into this malware is WITHOUT any files being encrypted on my test VM and some of the other characteristics of this infection (my VM talking to me about it being infected). So after opening the Word document and enabling the macro,…

Continue reading

So here is my answers for the latest exercise from Brad. This one threw me off a bit as I thought that I was missing something when reviewing the PCAP since I was not seeing the “usual” things that I have come to expect from Brad when doing these exercises. It reminded me of when I was in school and would get through an exam with plenty of time to spare. I would then look around and see that the rest of the class was still chugging through the test. Then self-doubt would kick in. Did I miss something, or…

Continue reading

So here is another one from Brad. Talking to some of the other guys on the team, we all came to the conclusion that this one seemed kind of “generic” (for the lack of a better word); which leads me to believe that I missed something somewhere. LOL. The whole second guessing yourself really does suck at times. But anyways, here is my write-up of this latest one. Enjoy! About the Investigation ======================= – Date and time range of the traffic you’re reviewing. > 2016-02-28 22:38:13 – 2016-02-28 22:46:27 Elapsed: 00:08:14 – IP address, MAC address, and host name. >…

Continue reading

So it is another day at the office and I was looking at some of the malspam that we had received. So I decided to open one up and have a play. Let’s see what this one email is all about: As you can see, this is one of the “Notice to appear in Court” emails that has been going around for some time now. Let’s see what is in the zip file: Yay, it is another script file. Looking at it you can see some of the domains it tries to use and some other bits of information. I…

Continue reading

Happy New Year to everyone. Hope that you all had a great Christmas and New Year! With that being said, time to get back into the swing of things and working on the exercises from Brad. For the first one out of the gate, Brad has some traffic from three different hosts in one PCAP. The following is my write up of the exercise. As always, you can find the artifacts from my write on my Github page for this particular exercise. – Date and time range of the traffic you’re reviewing. > 22:05:47 – 22:17:18 Duration: 00:11:31 – IP…

Continue reading

So here is the latest malware exercise from Brad. I will not lie – for some reason this one threw me for a loop. Personally I think it was because I did not have my usual Saturday morning cuppa when I started working on this one. But the emails that Brad included really threw me off for some reason – even after running all the javascript attachments in my VM and seeing that there was no match with the infection traffic in the PCAP or in the Snort rules. With that being said, here are my results for this one….

Continue reading

IoC from this investigation: ============================ myson123456[.]ddns[.]net 178.32.72.136:2550 Here is another example of an email that most users get claiming that they (the user) has something that they need to action on. In this case it is a malicious Java file. Thankfully most email gateways block these types of files from every reaching the user base. Let’s dig in. The Java file has the following characteristics: File Name: payment..jar Size: 118KB MD5: f4b463e4df4ef274a198bfb07ed3e6cd SHA256: f4c93ab532e53274bd97c00fccba3b231de0832e743879380f7af7bf81aef60f Virustotal Link: http://www.virustotal.com/en/file/f4c93ab532e53274bd97c00fccba3b231de0832e743879380f7af7bf81aef60f/analysis/ Detection Ratio: 25 / 54 First Submitted: 2016-02-07 21:28:02 UTC Malwr link: http://malwr.com/analysis/Y2FmYjEwNGM0MjM5NDBmYWI3YTdjYjJkOTRjY2M5OWY/ Since this is a Java file, I usually like to…

Continue reading

Today while investigating the normal events of the day we got some employees that got sent some phishing emails (related to the latest round of Dridex) with a Word document attached. The email is shown below: The attached Word document has the following properties: The interesting thing about this Word doc, and a couple of the others that came in as well, was the fact that I could not extract the contents from the doc via 7Zip, and OfficeMalScanner did not recognize it as an OLE file either as you can see below: So I opened it up in Notepad++…

Continue reading

Hello and Happy New Year to you all. Now that the holidays are done, it is time to get back into the swing into things and start with the malware exercises. So here is another one from Brad (the first of the year actually). As usual, to find the artifacts from my investigation into this, please see my Github for this exercise here. The following are my results. – Date and time range of the traffic you’re reviewing. > 22:05:47 – 22:17:18 Duration: 00:11:31 – IP address, MAC address, and host name for each of the 3 computers in the…

Continue reading