
Thursday, October 11, 2018

Some more reports on my AZORult analysis

https://cyware.com/news/new-azorult-variant-being-used-by-hacker-oktropys-to-spread-aurora-ransomware-6e5c7a5b

https://threatravens.com/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/

https://www.tecnoup.com.mx/como-se-introduce-un-malware-en-un-pdf/

An in-depth malware analysis of QuantLoader by Vishal Thakur

https://hk.saowen.com/a/c873d629bc59d277a3b02dc022a0a35bf66553b00b16fa55b8c9d26fd88daa3e

AZORult campaign analysis by Vishal Thakur

https://www.silobreaker.com/silobreaker-daily-cyber-digest-20-august-2018/

AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys

https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/

MAJOR CHANGES IN EMOTET MALWARE

Some of my work got picked up by third parties and was reported on.
https://socprime.com/news/major-changes-in-emotet-malware/

Thursday, May 31, 2018

Malware analysis: decoding Emotet, part 1

The first part of my analysis of the Emotet banking malware is now available on the Malwarebytes blog.

https://blog.malwarebytes.com/threat-analysis/2018/05/malware-analysis-decoding-emotet-part-1/

Tuesday, May 15, 2018

Shodan IOC ingestion into ThreatConnect

Added the scripts to ingest IOCs downloaded from Shodan into ThreatConnect.

https://github.com/vithakur/shodan-tools

Saturday, April 28, 2018

Amex Phishing Campaign, JS encoded in htm file | April 2018


Let's take a look at a credential-stealing phishing campaign that was actively targeting users globally at the time of writing. The campaign has been carefully crafted, and the JS delivery method is clever (although it has been seen widely before).
The entire fake page is rendered by a document.write() call in the JS file that the initial HTML attachment loads.

The malicious JS was not being detected as malicious by any AV engine at the time of this post (SHA-256: 21e9e71186e3bc725c4bf88da1192eff25335a408a5aede56787a3295df501d3).

Pretty neat - let's take a look. 

Here's the phish that comes in: 


Attached is the .htm file, which the user is directed to download to disk and then open locally (no network call-out is required for this step):
Let's take a look at the HTML code:


As you can see above, the HTML simply includes a JS script that is hosted externally. Upon execution, this script writes the entire fake page into the browser; the page's form then submits the user's input to the C2.

Let's take a quick look at the code from swf.js. It is important not to get overwhelmed by the code here: it may look like a lot, but it is quite easy to decode. All we need to do is change one function call in the script and it will sing to our tune!


But first, let's take a look at the HTML file that is downloaded from the phishing email. As always, they try to steal as much personal information as possible (even the victim's email account and password). When opened in a browser, this is what it looks like:




When we inspect the form code, we can clearly see that the POST request goes to the collection engine hosted at manoda[.]se; this is where all the stolen information is sent.



And now, let's take a look at the function in the JS code that loads the entire fake page into the browser.


Once the loop has run, the variable x holds the decoded page. In this case, document.write is used to render that string as HTML in the browser. We can turn the script's own decoding routine against it: let it decode the payload, but swap the rendering step for something that shows us the result instead.

The simple trick is to change document.write to WScript.Echo, and that's it. Run the script with wscript.exe and it will display the entire decoded HTML in a pop-up window; run it with cscript.exe instead and redirect stdout to capture the result in a text file. Do this on an isolated analysis VM, since you are still executing the attacker's script.



The delivery method has been around for a while now; it helps the attacker by keeping at least one step (opening the attachment from disk) off the proxy/firewall logs.

Here are some usable/actionable details:

FileName: swf.js
SHA-256: 21e9e71186e3bc725c4bf88da1192eff25335a408a5aede56787a3295df501d3

Script URL: https://justforgame[.]it/vserv/swf.js

POST target: http://www.manoda[.]se/socket/license/lib/etc/spoof.php

Tuesday, April 10, 2018

Malware Alert: Schneiken Double Dropper

** UPDATE **
I have now published a full analysis of this malware. As of now (17 APR 2018), there is still no AV detecting it successfully and there is no name for it, so I'm going with 'Schneiken'.

There is a new piece of malware being actively served through phishing campaigns at the time of this post.

This is the Schneiken dropper, an interesting piece of malware written in VBS that comes with multiple layers of code obfuscation. It drops TWO RATs on the victim's disk: the Duhini RAT and the RATTY JRAT. Both RATs are embedded in the VBS dropper.

I'll be posting a detailed analysis of this malware soon and will update this post with the link to that.

Here are the details in the meantime:

Flow:
Phish > HREF > PDF > HREF > ZIP > VBS > JRAT + Duhini RAT

MD5: 47f21544a7479cae3e20488731ba6aa6
SHA256: d5f56058608f8dabb9d19c432c751f99f994edd056b2846ac51915258494598a
Filename: TT COPY.vbs

JRAT that is being dropped by this malware:

RATTY.jar
MD5: 9b93c76d2dacf7adaacfc1e99dae8089

Deobfuscated/Decoded files: https://github.com/vithakur/schneiken

Wednesday, April 4, 2018

An in-depth malware analysis of QuantLoader

I published this article on QuantLoader; if interested, have a read here:

https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/

Wednesday, February 28, 2018

Olly Tutorial

https://drive.google.com/file/d/1g_SOOq1g24KzmmKfb39RruMA9AxAQSsc/view?usp=sharing

Wednesday, January 10, 2018

Python - useful links

http://timgolden.me.uk/python/wmi/cookbook.html

wmi Cookbook

These examples assume you are using the WMI module from this site. The following are examples of useful things that could be done with this module on win32 machines. It hardly scratches the surface of WMI, but that’s probably as well.

The following examples, except where stated otherwise, all assume that you are connecting to the current machine. To connect to a remote machine, simply specify the remote machine name in the WMI constructor, and by the wonders of DCOM, all should be well:
