Malware Analysis Exercise – Getting Started with Excel 4 Macros

Recently, we have seen a resurgence of Excel-based malicious office documents. However, instead of using VBA-style macros, they are using older style Excel 4 macros. This changes our approach to analyzing these documents, requiring a slightly different set of tools. In this challenge, you’ll get hands-on with two documents that use Excel 4.0 macros to perform anti-analysis and download the next stage of the attack. You can find the exercise, artifacts and full walk-through on my Github at https://github.com/jstrosch/malware-samples/tree/master/malware_analysis_exercises/2021/February. Looking for more of a challenge? Try this on CyberDefenders as part of their CTF! https://cyberdefenders.org/labs/55

Read more

How-To: Installing Oledump in Windows

In this video, we’ll look into installing OLEDUMP in Microsoft Windows. Microsoft office documents are a common vehicle used by malware authors to deliver malware. These documents, used for malicious purposes, are commonly referred to as maldocs. While there has been a variety of ways in which they have been used, one of the more prevalent is through the use of macros. Macros are written in Visual Basic for Applications (VBA), which is well documented on the Microsoft Developer Network (MSDN). This API allows malware authors to hook into life-cycle events of a document, such as AutoOpen, AutoClose and AutoExit…

Read more

Creating an IDA Python Plugin for Static XOR String Deobfuscation

In this video, we’ll explore a recent XLS document that drops and executes a DLL using RUNDLL32. The DLL is small and only used to download the next stage. However, it employs rather straight-forward string obfuscation using the bitwise XOR operation. An important skill for any reverse engineer/malware analyst is to be able to create plugins to assist in statically decoding these strings and doing so across the entire disassembly database. This video is intended to get you started creating IDA Plugins with Python, recognize the importance of deobfuscating strings and work on translating assembly to a higher-level language (i.e….

Read more

Network Analysis with Arkime is now Live on Pluralsight!

Analyzing network traffic is an important step in developing a proactive threat hunting program. This course will teach you how to perform network traffic analysis using Arkime to find threats in your network. https://www.pluralsight.com/courses/network-analysis-arkime Finding undetected threats in your network through proactive network analysis requires the right tools. In this course, Network Analysis with Arkime, you’ll learn how to utilize Arkime to detect anomalous or malicious network traffic in an enterprise environment. First, you’ll gain insight into how to detect common malware delivery patterns. Next, you’ll learn how to use Arkime to identify malware command and control. Finally, you’ll utilize…

Read more

Emotet Maldoc Analysis – Embedded DLL and CertUtil for Base64 Decoding

On 11/10/2020, AnyRun posted an Emotet maldoc that utilized CertUtil to decode a DLL payload that was used for unpacking and running the Emotet trojan. This is a deviation from normal use of obfuscated base64 PowerShell command as well as embedding the DLL into the maldoc instead of retrieving from a compromised host. This video provides analysis of the document using both static and dynamic techniques, as well as a walk-through of the macro code. The original Tweet from AnyRun can be found at: https://twitter.com/anyrun_app/status/1326157565840023553 Analysis of an Emotet document that uses PowerShell from earlier this year can be found…

Read more