Malware Analysis – Triaging Emotet (Fall 2019)

This is a summary of initial (triage) analysis of Emotet droppers and the associated network traffic from the fall of 2019. This write-up provides the tools/techniques for assessing the malicious samples and gathering initial indicators of compromise (IOCs). While Emotet will certainly continue to evolve, the approach outlined here will provide a solid foundation for anyone looking to continue to analyze Emotet (or similar).

Please Click Enable Content

Since resuming operations in September 2019, Emotet has not failed in regaining a foothold as a dominant botnet.[1] To accomplish this, Emotet regularly utilizes macro-enabled Microsoft Office documents to retrieve and drop…


How to Disable Microsoft Error Reporting

If you’ve ever encountered the following dialog – you know that an application has crashed in Windows. As the dialog indicates, Microsoft is checking for a solution to the problem – which means it’s communicating back to Microsoft servers. While this may not be a problem for your enterprise environment, it’s additional noise that you typically don’t want/need in your malware sandbox. The following screenshot shows example HTTP traffic reporting the error. If you’re running an IDS such as Suricata – Emerging Threats also has a couple of signatures that can help you identify this traffic/behavior. You can disable this…


Disabling Network Connectivity Status Indicator (NCSI)

According to this article on MSDN, Microsoft introduced the Network Connectivity Status Indicator in Windows Vista. While there may be a number of reasons to investigate this service, my motivation is in eliminating the resulting network traffic from my malware sandbox. This service performs an HTTP GET request for a text document, ncsi.txt, from any number of Microsoft hosts. While it would be easy enough to filter this traffic based on the user-agent (Microsoft NCSI) or similar, in this scenario I find it even better to simply eliminate the behavior altogether. To accomplish this, there is only a…


Finding Usernames with Burp Extensions

What Does this Extension Do?

This is a relatively simple Burp extension that I created a while back to learn more about how to actually create extensions. The functionality is straightforward: it parses the HTML looking for email addresses. Additionally, it can generate usernames from the list of emails found. The ideal use case is when a website (or organization) uses first.last@organization.com format – as some combination of the first and last name will also serve as their username. For example, jane.doe@example.com may have the following usernames: jane.doe, jdoe, doej, doe. You can find a demonstration of this extension in…


Anti-Analysis in an Office Document

Please note: This was a blog post I originally authored for Bromium. Due to changes in how they host their blog content, it has fallen into the archives and become somewhat difficult to find. I’m posting this content here mainly as an archive.

Office documents have been a favorite method of distribution for malware authors for several years. While most malware authors go to great lengths to hide the intention of their macros through obfuscation, it is seldom that I’ve encountered macros that also exhibit anti-analysis techniques. I recently examined an Office document that contained such capabilities. You can find…
