Monday, March 20, 2017

Fattura Invoice PDF zip exe that uses eMailExtractor

So I'm still learning at this, but I thought I'd walk through my thought process and see if anybody wanted to explain what I did right or wrong :-) A few days ago there was this link

hxxp://www[.]coccorullo[.]it/fattura/Fattura_49922pdf.zip

When extracted you ended up with

0843d52e1df49221a095fbdd0bc4a2cb Fattura_49922pdf.exe

I believe per google translate that Fattura = Invoice so this was likely part of some Phishing email masquerading as an Invoice.

When I ran strings I saw text that seemed to indicate a different program called emailExtractor



When I ran objdump I saw text that seemed to indicate this file was perhaps originally named eMailExtractor.exe



After a google search I came up with this site hxxps://www[.]maxprog[.]com/site/software/internet-marketing/email-extractor_sheet_us.php



So my thoughts were either a.) This is just the legit software and Virus Total screaming cause it's crap ad-loaded junk or b.) perhaps the attacker just renamed or made it look like legit software in order to throw off security researchers or perhaps c.) something more is going on here, like maybe the attacker modified this eMailExtractor.exe for his evil bidding, and made it so that when the user executes, it will "collect all emails on his computer" and then send them back to the attacker somehow. An email Harvester.

Thoughts?

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Friday, March 3, 2017

netsh for clear text wifi password

I thought this Dmitry Kulshitsky blog was it was interesting, and the fact you can type the following command

netsh wlan show profile name="MyTestWifi" key=clear

And it displays in clear text the password! (under Security settings -> Key Content)



More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.