Tuesday, April 18, 2017

ShadowBrokers EquationGroup Compilation Timestamp Observation

I looked at the IOCs @GossiTheDog posted, looked each up in VirusTotal, and dumped the compilation timestamp into a spreadsheet.

To step back a second, the Microsoft Windows compiler embeds the date and time at which a given .exe or .dll was compiled. The compilation time is a very useful characteristic of a Portable Executable (PE) file. Malware authors could zero it or change it to a random value, but I'm not sure there is any indication of that here. If the compilation timestamps are real, then there's an interesting observation in this dataset.

VirusTotal shows this value, for example:



Notice that the compilation timestamps of the files in the dump range from 11/2009 to 8/2013.



And if you throw it into a pretty little graph you see a possible timeline of exploit creation.



Just an observation.
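As an added example (not code from the original post), here is how the compilation timestamp the post relies on is read straight out of the PE header, with the sanity checks you would want before trusting it (a zeroed or future value is the kind of tampering mentioned above). The `build_sample` helper fabricates a minimal MZ/PE header for demonstration only; it is not a real binary.

```python
import struct
from datetime import datetime, timezone

def pe_timestamp(data: bytes) -> int:
    """Return the raw COFF TimeDateStamp (seconds since 1970-01-01 UTC) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    # e_lfanew at offset 0x3C of the DOS header points at the "PE\0\0" signature
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def to_utc(ts: int) -> str:
    """Render the timestamp the way VirusTotal displays it (UTC)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def classify(ts: int, now: int) -> str:
    """Sanity check: a zeroed or future timestamp suggests the field was tampered with."""
    if ts == 0:
        return "zeroed"
    if ts > now:
        return "future"
    return "plausible"

def build_sample(ts: int) -> bytes:
    """Constructed minimal DOS header + PE signature + COFF header (demo data, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    # Machine=i386, 1 section, TimeDateStamp, no symbols, optional header size, characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\x00\x00" + coff

if __name__ == "__main__":
    now = int(datetime(2017, 4, 18, tzinfo=timezone.utc).timestamp())  # date of this post
    for ts in (1257033600, 0, 2000000000):  # 11/2009 sample, zeroed, and a future value
        ts_read = pe_timestamp(build_sample(ts))
        print(ts_read, to_utc(ts_read), classify(ts_read, now))
```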



More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Wednesday, April 12, 2017

Collection of Google Docs Phishes seen by @neonprimetime

Below is a timelined Collection of DropBox Phishes seen by @neonprimetime

Seen Live on: 4/12/2017
Url: hxxp://drcherian.com/alert/GD/
Folder: alert/SD
Page: Default
Source: PhishTank.com
Meta Page Title: Google Docs
Meta Page Author: None
Post page(s): Default



Seen Live on: 4/12/2017
Url: hxxp://drcherian.com/kingssss/GD/
Folder: kingssss/SD
Page: Default
Source: PhishTank.com
Meta Page Title: Google Docs
Meta Page Author: None
Post page(s): Default






Collection of Yahoo Phishes seen by @neonprimetime

Below is a timelined Collection of Yahoo Phishes seen by @neonprimetime

Seen Live on: 4/12/2017
Url: hxxp://ehncsopiik.club/bt/
Folder: bt
Page: Default
Source: PhishTank.com
Meta Page Title: Login - BT Yahoo!
Meta Page Author: None
Post page(s): form2mail2.php






Collection of DropBox Phishes seen by @neonprimetime

Below is a timelined Collection of DropBox Phishes seen by @neonprimetime

Seen Live on: 4/12/2017
Url: hxxp://devux[.]com[.]mx/drpbox/file/files/db/file.dropbox/
Folder: db/file.dropbox
Page: Default
Source: PhishTank.com
Meta Page Title: Dropbox - Sign in
Meta Page Author: None
Post page(s): submit.php



Seen Live on: 4/12/2017
Url: hxxp://vitrinedascompras[.]com[.]br/dropbox/Dropbox/doc-login/
Folder: DropBox/doc-login
Page: Default
Source: PhishTank.com
Meta Page Title: Dropbox - Sign in
Meta Page Author: None
Post page(s): dropbox.php






Collection of Capital One Phishes seen by @neonprimetime

Below is a timelined Collection of Capital One Phishes seen by @neonprimetime

Seen Live on: 3/22/2017
Url: hxxp://capitalone[.]com[.]maxonpaving[.]com/logon/ , hxxp://www[.]pecport[.]pw/c.html
Folder: logon , None
Page: Default , c.html
Source: @neonprimetime
Meta Page Title: Did not record it
Meta Page Author: Did not record it
Post page(s): Did not record it






Collection of WeTransfer Phishes seen by @neonprimetime

Below is a timelined Collection of WeTransfer Phishes seen by @neonprimetime

Seen Live on: 4/10/2017
Url: hxxps://alkhidmattour[.]com/BNB/WeTransfer/index.html
Folder: BNB/WeTransfer
Page: index.html
Source: @demonslay335
Meta Page Title: Empty
Meta Page Author: None
Post page(s): en.php, login.php, phone.php






Somebody Sent out a Phish/Spam Template instead of the Phish

Saw this email. I would guess the attacker sent out the phish/spam template instead of the actual phish/spam!

From: alex@shedbar.com.br
To:
Date: 04/12/2017
Subject: {Say|Tell} No To {Fat|Being Fat}: {Act Now|Act Fast} & Get {Instant|Quick|Incredible|Fantastic|Marvelous|Outstanding} Results


{Having|Getting} the {body of you dreams|slim body|fit body|beach body} is {easier|much easier} than you {think|always thought|thought}, {all thanks to|thanks to|with the help of} the {correct|right|low carb} {diet|diet program|diet plan|nutrition plan|nutrition program}, {good|regular} {workout|gym workouts|workouts} and this {amazing|exclusive|revolutionary|advance|spectacular} {product|supplement|solution} that will {help you|allow you to|give you a chance to|give you an opportunity to|give you a possibility to} achieve {instant|quick|incredible|fantastic|marvelous|outstanding} results.
{Incredible|Revolutionary|Exceptional|Phenomenal|Outstanding|Glorious|Brilliant|Rapid-acting|Fast-acting} {product|supplement|solution} {working|suitable} for {all body types|types of bodies} has proven to {bring fast|show incredible|show fantastic|show quick|show jaw-dropping} results, {motivate|give motivation} for {ongoing|further} {weight reduction|weight loss}, improve {mood|your mood}, {reduce|decrease} appetite and {bring|provide} {all|other|many other} {positive|beneficial|great} effects.
{With the help of|Thanks to its} {exclusive|advanced|amazing|marvelous|unique|one-of-a-kind} formula {developed|created} {in collaboration|together} by {Japanese|German} and American {nutritionists|dietologists|scientists}, your {beach|fit|slim|dream} body is {only one click|one link} away, what are you waiting for?
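The `{a|b|c}` groups above are unexpanded spintax, the mechanism spam kits use to make every copy of a message read differently. As an added example (not from the original post), this parses the leaked subject line, counts how many distinct subjects it could have produced, renders the version a recipient would normally see, and gives a mail-filter signal for raw templates that leak out like this one. The subject is copied from the post; nested groups are not handled since the template has none.

```python
import re

# One unexpanded spintax group: {alt1|alt2|...} (at least one "|", no nesting)
SPIN_RE = re.compile(r"\{([^{}|]*(?:\|[^{}|]*)+)\}")

# Subject line of the mis-sent email above
SAMPLE_SUBJECT = ("{Say|Tell} No To {Fat|Being Fat}: {Act Now|Act Fast} & Get "
                  "{Instant|Quick|Incredible|Fantastic|Marvelous|Outstanding} Results")

def spintax_groups(text):
    """Return the alternatives of every unexpanded spintax group, in document order."""
    return [m.group(1).split("|") for m in SPIN_RE.finditer(text)]

def variant_count(text):
    """How many distinct messages the template could render into (product of group sizes)."""
    n = 1
    for alts in spintax_groups(text):
        n *= len(alts)
    return n

def render(text, pick=0):
    """Render the template choosing alternative `pick` (mod group size) in every group."""
    def choose(m):
        alts = m.group(1).split("|")
        return alts[pick % len(alts)]
    return SPIN_RE.sub(choose, text)

def is_unexpanded_template(text, min_groups=2):
    """Mail-filter signal: a delivered message still carrying raw {a|b} groups is a leaked template."""
    return len(spintax_groups(text)) >= min_groups

if __name__ == "__main__":
    print(variant_count(SAMPLE_SUBJECT), "possible subjects")
    print(render(SAMPLE_SUBJECT))
    print(is_unexpanded_template(SAMPLE_SUBJECT))
```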


