Category: Lab Notes

Down the Rabbit Hole

I regularly check each of our sandbox environments for reports with suspicious YARA rule hits and yet no IoCs or network traffic. If any of these reports are maldocs, then I attempt to deobfuscate them and discover whether a sandbox check resulted in the failure to detonate. During one of …

Ansible Reuse Made Easy

While none of the configuration management tools I’ve used are perfect, Ansible is by far my top pick.  There is a bit of a learning curve though.  I think most people’s experience with Ansible goes something like this:

  1. Review the technically correct and verbose docs.
  2. Decide to google for
Connecting the Dots

While reviewing the backlog of blogs and news articles that always accumulate over the holidays, I stumbled across an interesting Dridex downloader sample discussed here. I had recently analyzed a similar sample, but the XLM macro was obfuscated and stored in a single cell in the spreadsheet. What piqued …

Time for another spelunking session. While scanning our data for any samples with detection hits but no sandbox detonation, I came across an XLS attachment from an Italian language email.

Figure 1 – Original Email

It was flagged as containing VBA macros and a hidden XLM sheet, so let’s examine …

To GIMP or not to GIMP

Previously, I wrote a little doodad on scripting GIMP to reduce the timesuck of repetitive image manipulation and gave an example script on creating square, black bordered thumbnails of images with the thumbnailed image maintaining the proper aspect ratio. Yeah, kinda mediocre skillset-wise, but there is an entire index of …

The Dead Have Risen

On July 17, 2020 the Emotet botnet sprang back to life from a five-month hiatus—by far the longest break of the preceding few years.  We assess it is possible that COVID may have thrown a monkey wrench into their plans, but we cannot be sure of that.  While this is …

Fell Deeds Awake

Malicious documents exploiting CVE-2017-11882 continue to be used by malicious actors, but it has been a few years since I took a deep dive into their mechanics. A quick spelunk through our dataset produces quite a few, but I wanted an RTF example with minimal RTF obfuscation and came across …

Getting Organized

I have this awful habit of testing concepts in poorly designed code with no logging, alerting, or comments, then somehow, they end up in production.  Not real production, but it fills a need, saves time and effort, and several others want to use it, so it’s available for anyone who …

As we have noted before, attackers will leverage any file format they can to evade security protections put in place by their targets. (https://cofenselabs.com/all-you-need-is-text/).

On Jun 11, 2020, we noticed an odd file extension show up in our analysis pipeline.

It was a jnlp file. The jnlp extension is short …