Malware authors are constantly coming up with new and clever techniques to help avoid detection. In this maldoc, the authors employed several techniques to help complicate analysis and even evade sandboxes. The document begins with an image that instructs the user to enable content, which will cause the macros to execute. However, instead of immediately executing macro code, the document goes on further to prompt the user to click an “Unlock File” button and enter a password to decrypt the protected file. This is when the malicious behavior begins and the authors implemented RC4 to decrypt a PowerShell script. The…
Read moreNews
Disabling Teredo IPv6 Tunnelling
If you’re seeing DNS queries for teredo.ipv6.microsoft.com you may be interested in disabling it (more at MSDN and WikiPedia). On Windows 7, you can run the following command from an elevated/administrator command prompt and say good bye!
Read moreAnti-Analysis in JavaScript Executed by Windows Script Host (WSH)
It’s common to see malicious office documents drop a JavaScript (JS) file to be executed by the Windows Script Host (WSH). The JS can then be used to create the necessary objects to create HTTP requests to retrieve and execute the next stage payload. For example, here is a document that drops the JS and executes it via CMD -> WSCRIPT (you can also see the use of CSCRIPT): What caught my eye with this sample was that there was no associated network traffic. While that doesn’t guarantee that the document didn’t achieve it’s objectives, I felt it was worth…
Read moreGetting Started with Burp Suite – Browser Setup
Burp is a Java-based application that can be downloaded from the PortSwigger website. There is a limited-use free version, along with paid versions available. For this write-up, I’ll be using the free version. You can also use Kali Linux as Burp is already installed. In Kali, you can launch Burp by selecting the icon in the dock: Starting Burp Suite You may receive a warning about the installed version of Java – this is ok to ignore. You may also be informed of an update for Burp, this is also safe to ignore for now but it’s usually best to…
Read moreMalware Analysis – Triaging Emotet (Fall 2019)
This is a summary of initial (triage) analysis of Emotet droppers and the associated network traffic from the fall of 2019. This write-up provides the tools/techniques for assessing the malicious samples and gathering initial indicators of compromise (IOCs). While Emotet will certainly continue to evolve, the approach outlined here will provide a solid foundation for anyone looking to continue to analyze Emotet (or similiar). Please Click Enable Content Since resuming operations in September 2019, Emotet has not failed in regaining a foothold as a dominent botnet.[1] To accomplish this, Emotet regularly utilizes macro-enabled Microsoft Office documents to retrieve and drop…
Read more