Anti-Analysis in JavaScript Executed by Windows Script Host (WSH)

It’s common to see malicious office documents drop a JavaScript (JS) file to be executed by the Windows Script Host (WSH). The JS can then be used to create the necessary objects to create HTTP requests to retrieve and execute the next stage payload. For example, here is a document that drops the JS and executes it via CMD -> WSCRIPT (you can also see the use of CSCRIPT): What caught my eye with this sample was that there was no associated network traffic. While that doesn’t guarantee that the document didn’t achieve it’s objectives, I felt it was worth…

Read more

Getting Started with Burp Suite – Browser Setup

Burp is a Java-based application that can be downloaded from the PortSwigger website. There is a limited-use free version, along with paid versions available. For this write-up, I’ll be using the free version. You can also use Kali Linux as Burp is already installed. In Kali, you can launch Burp by selecting the icon in the dock: Starting Burp Suite You may receive a warning about the installed version of Java – this is ok to ignore. You may also be informed of an update for Burp, this is also safe to ignore for now but it’s usually best to…

Read more

Malware Analysis – Triaging Emotet (Fall 2019)

This is a summary of initial (triage) analysis of Emotet droppers and the associated network traffic from the fall of 2019. This write-up provides the tools/techniques for assessing the malicious samples and gathering initial indicators of compromise (IOCs). While Emotet will certainly continue to evolve, the approach outlined here will provide a solid foundation for anyone looking to continue to analyze Emotet (or similiar). Please Click Enable Content Since resuming operations in September 2019, Emotet has not failed in regaining a foothold as a dominent botnet.[1] To accomplish this, Emotet regularly utilizes macro-enabled Microsoft Office documents to retrieve and drop…

Read more