Posts

fiddling with obfuscated javascript

Most malware authors automate the obfuscation of their javascript downloaders, making analysis difficult. Luckily, you rarely need to completely deobfuscate the javascript to progress with your analysis. If you can identify the primary function used to handle obfuscated strings, you can then use a few quick tricks to obtain interesting data from the javascript file without having to run it.

Identifying the deobfuscation function at a glance: most of the deobf functions I see contain a lot of string and character manipulation functions & methods. Some to look for include:

parseInt()
toString()
substr()
String.fromCharCode()
charCodeAt()
UCHAR()

More info on common javascript obfuscation methods and the functions utilized can be found here: https://github.com/bl4de/research/blob/master/javascript-malware-obfuscation/Simple_JavaScript_malware_code_obfuscation_examples.md#basic-obfuscation-methods---expressions-comma-operator-parseint-and-tostring-method

Here is an exampl

Loki-Bot from malspam .iso

Files:

File name: GMT_20190319060920563.com.exe
MD5: 3902567752c57bf36107a01990a5cc92
SHA256: 5986a088e86b2d169b3234aadf47ecddce1b8ac24e050b1423ef14ed5f06e609
Filesize: 446464 bytes

File name: GMT_20190319060920563.iso
MD5: c2dbe612409ef3dffded940c99cdac66
SHA256: 660e9d2de6f0223c50dfdfe512984f6a8f8400facebbca62db941a2566672458
Filesize: 507904 bytes

File name: objectfrabjous.exe
MD5: 89ca09b33506f659a39f8bed88103d55
SHA256: b70a7ef290cca5af3631d40e4253dd53ee8da6c8a32fe3a2e563ca27c88932b6
Filesize: 446464 bytes

File name: objectfrabjous.vbs
MD5: 33a60c46d369c821118edd398c45f949
SHA256: 42bc0ecf7ed5710d8c7417b19c6605c7c6cec2d6b43e9f765922bde1f3bb1339
Filesize: 110 bytes

Download (password: malware)

URLs:
hxxp://gentography[.]ml/david/Panel/five/fre.php
hxxp://gentography[.]ml/david/Panel/five/PvqDq929BSx_A_D_M1n_a.php

IPs:
104.27.191.40 (cloudflare)

Details: This sample caught my eye as it has similar exploit behavior to the REMCOS Rat I analyzed previous

maldoc dropping Remcos RAT

Files:

File name: PLURILITERAL.exe
MD5: 6687f5ca89833f38157110f58bba8785
SHA256: 2fdb33e0895ec644222e153ab7ce485c76c8afa07c039b2c4e54aecba1e33c28
Filesize: 274432 bytes

File name: PLURILITERAL.vbs
MD5: 0495f6d9da19698aa3e4f55ac7f48278
SHA256: efd1a1a236041eea5b7db330b7ca304bb48b052bf2dbefb59395287a64dc1196
Filesize: 108 bytes

File name: qwerty2.exe
MD5: a85b0bf02ef1504f8cdf2e113294c888
SHA256: c263a793764bedabdf4aebbcc662627f7372e70ad573d42bdb752003b6a70976
Filesize: 274432 bytes

File name: Resume.doc (name removed, password: 1234)
MD5: 8d95ababf5c6566fe65095abf8acff81
SHA256: d4c144873b11177071a5e99f70970afc36bc7a3163b6feee2945d8d37edcb8a9
Filesize: 37888 bytes

Download (password: malware)

URLs:
hxxp://209.141.34[.]8/test1.exe
hxxp://toptoptop1[.]online:2404
hxxp://toptoptop2[.]online:2404
hxxp://toptoptop3[.]site:2404

IPs:
103.1.184.108
209.141.34.8
192.64.119.33

Details: Sample source is a password protected malicious .

BACKLOG: NanoCore and AgentTesla double tap (maybe triple?)

Files:

File name: LFPEHS.exe
MD5: 450c0d7521b121a919e62401d50a2182
SHA256: 1d9526fe126321b49469341dbac0c9bbb247f896f4f836d93b4f361183e93a5e
Filesize: 207872 bytes

File name: MMCRLC.vbs
MD5: 266f15a950f233e279095158cb2cfe8f
SHA256: d391a3570354b37aafe3340aa92da365d533b4edd1adb80fffab14d0cee29a67
Filesize: 858 bytes

File name: S007591119000628_XLSX.exe
MD5: 792f42f7a4ba4d37015d658e1573cff2
SHA256: c4acc931c61a4b4da44510e645913f78588e2b655bf45790219407cb0b1c3132
Filesize: 1852424 bytes

File name: S007591119000628_XLSX.ISO
MD5: 2482a65df50ca7ef9d7445dcd5985ada
SHA256: bc603a3b6ebf6e1312ad79e8e409c93ac53bfdedb65d961db6bf57cf947a19dd
Filesize: 2424832 bytes

File name: XAAHKP.exe
MD5: 39ee891b8bdbd9ba987b5c4faafb84bd
SHA256: 286803e00ea5f401dc94c9b25130716598210f33e4bf4465fb9fa0490231b176
Filesize: 207360 bytes

Download (password: malware)

Quick note: These files all originated from the exe inside S007591119000628_XLSX.ISO. No internet connection needed.

URLs:

.doc dropping NanoCore

Files:

File name: BoA_ach_e.remit_notice_0313.doc
SHA256: ba01bcf05c68bf2ea9468550cf8405debbe6ef17757c11e0c162544941e39ddf
File size: 594.0 KB (608256 bytes)

File name: jofb.exe
SHA256: 4275e436de46df0103a63939e24f533f24c46f66c916b38700e49dbe463a9114
File size: 423.5 KB (433664 bytes)

Download (password: malware)

URLs:
hxxp://www.elec-tb[.]com/tmp/jofb.exe
hxxp://cassb.ddns[.]net:5050

IPs:
185.112.35.3
178.239.21.201

Details: This sample came attached to an email as a Bank of America themed macro'd .doc file "BoA_ach_e.remit_notice_0313.doc". Upon enabling content, the macro immediately calls out to a payload site (my setup is not internet connected). I downloaded the payload manually and took a look at the payload site: it is an Iranian electrical product site that appears to have been around for a while. Appears to be a compromised victim site. I executed the payload while observing ProcessHacker. Process behavior

What is this all about

I have a few goals for this blog:

Hone my skills by analyzing malware on a regular, more frequent basis.
Learn new analysis tools and techniques.
Contribute to malware OSINT via social media and other sharing methods.
Eventually, progress to full-blown reverse engineering of malware.

I'm hoping to keep things useful and simple. My biggest influence is https://www.malware-traffic-analysis.net/. Brad provides useful malicious IOCs and traffic analysis on a near-daily basis. Big fan.

Some techniques you will see here may be considered amateur. I'm open to feedback.

Here we go.

Love,
casual_malware