Anti-Analysis in JavaScript Executed by Windows Script Host (WSH)

It’s common to see malicious office documents drop a JavaScript (JS) file to be executed by the Windows Script Host (WSH). The JS can then be used to create the necessary objects to create HTTP requests to retrieve and execute the next stage payload. For example, here is a document that drops the JS and executes it via CMD -> WSCRIPT (you can also see the use of CSCRIPT): What caught my eye with this sample was that there was no associated network traffic. While that doesn’t guarantee that the document didn’t achieve it’s objectives, I felt it was worth…

Read more

Getting Started with Burp Suite – Browser Setup

Burp is a Java-based application that can be downloaded from the PortSwigger website. There is a limited-use free version, along with paid versions available. For this write-up, I’ll be using the free version. You can also use Kali Linux as Burp is already installed. In Kali, you can launch Burp by selecting the icon in the dock: Starting Burp Suite You may receive a warning about the installed version of Java – this is ok to ignore. You may also be informed of an update for Burp, this is also safe to ignore for now but it’s usually best to…

Read more

Malware Analysis – Triaging Emotet (Fall 2019)

This is a summary of initial (triage) analysis of Emotet droppers and the associated network traffic from the fall of 2019. This write-up provides the tools/techniques for assessing the malicious samples and gathering initial indicators of compromise (IOCs). While Emotet will certainly continue to evolve, the approach outlined here will provide a solid foundation for anyone looking to continue to analyze Emotet (or similiar). Please Click Enable Content Since resuming operations in September 2019, Emotet has not failed in regaining a foothold as a dominent botnet.[1] To accomplish this, Emotet regularly utilizes macro-enabled Microsoft Office documents to retrieve and drop…

Read more

How to Disable Microsoft Error Reporting

If you’ve ever encountered the following dialog – you know that an application has crashed in Windows. As the dialog indicates, Microsoft is checking for a solution to the problem – which means it’s communicating back to Microsoft servers. While this may not be a problem for your enterprise environment, it’s additional noise that you typically don’t want/need in your malware sandbox. The following screenshot shows example HTTP traffic reporting the error. If you’re running an IDS such as Suricata – Emerging Threats also has a couple of signatures that can help you identify this traffic/behavior. You can disable this…

Read more

Disabling Network Connectivity Status Indicator (NCSI)

According to this article on MSDN, Microsoft introduced the Network Connectivity Status Indicator in Windows Vista. While there may be a number of reasons to investigate this service, my motivation is in eliminating the resulting network traffic from my malware sandbox. This service performs an HTTP GET request for a text document, ncsi.txt, from any number of Microsoft hosts. While it would be easy enough to filter this traffic based off of the user-agent (Microsoft NCSI) or similar, in this scenario I find it even better to simply eliminate the behavior all together. To accomplish this, there is only a…

Read more