This is taken from my project Invoke-PEAnalysis.

PE File Types

To begin with, Portable Executable (PE) is the name given to executable images developed for the Windows operating system. Most commonly, you will see these as EXE files. These files are made up of various information sections called headers that describe the functionality and behavior of the executable file. These headers also contain the location of various data in the file. By parsing these headers and data, it is possible to extract pertinent information about the executable without ever running it. This is called Static Analysis. Of course, you can’t see everything an executable does through static analysis. However, you can see what it’s importing from the system, what sort of API calls it’s making, what it’s exporting, and other key details.

Read more...

Before we start talking about logging bypasses and why they generally suck at bypassing logs, I’ll provide a little context on PowerShell logging and ScriptBlocks.

PowerShell ScriptBlocks are collections of statements or expressions to be executed. These ScriptBlocks are Objects of the System.Management.Automation.ScriptBlock type. They can be invoked, executed with a call operator, or otherwise executed via typical PowerShell methods. ScriptBlock Logging is a policy that logs all script input and the processing of commands, script blocks, and functions.

Read more...

Bitwise NOT commands are often used in PowerShell malware samples to obfuscate commands. A bitwise NOT operation flips all the bits in a given byte sequence.

<# 
Bitwise NOT operations will flip all bits  
As an example, consider the following:

$byte = 00000101 | binary for 5

Performing a bitwise NOT operation flips all of the bits

$byte = 11111010 | binary for -6 (two's complement)

#>

$dec = 5

-bnot $dec # will print out -6

PowerShell

Read more...

Several days ago, a Github profile allegedly containing leaked documents on the Chinese government’s cyber offensive capabilities was posted. This repository contains multiple chat logs, call records, various images, and other files. Threat intelligence researcher and comfy VTuber, AzakaSekai_ has been translating and sharing information from these files on Twitter and infosec.exchange. VXUnderground has collected various posts from AzakaSekai and deposited them into their collection. So far, it appears that multiple 0 days, hardware devices, and victim lists have been found in the data. I’ve gone through what little I could locally translate and found discussions concerning the sale and demo of at least one 0 day. There are numerous images within the data as well, although all are in Mandarin. Some of these have been confirmed by AzakaSekai to contain victim information. More information can be found at the various links in the post. A backup of the GitHub data is attached. I’ve thrown together an incredibly simple HTML viewer file to read the chat logs. LibreTranslate is a good self-hosted Google alternative that can translate uploaded files.

Read more...

This week I was browsing MalwareBazaar for interesting samples and came across a GuLoader VBS upload. I’m still pretty new to malware analysis and I haven’t done anything with VBS files, so I thought I’d take the chance to go through the malware and see what it was doing.

Note: This ended up being a very long post, even with truncated code samples…

GuLoader (or the sample I used) has three stages.

Read more...

This quick and easy PowerShell module was designed to facilitate search queries between a Gravwell search API endpoint and a local client. It supports pre-configured JSON profiles for running repeated searches and queries.

Profiles can be saved in the following format. The ServerIP and Key attributes are required in all profiles. However, query parameters can be run during invocation.

JSON

{
  "ServerIP": "<IP>:<port>",
  "Key": "<key>",
  "Query": "<query>",
  "Duration": "<hours>h",
  "Format": "<format>"
}

Following are some example invocations.

Read more...

Jupyter InfoStealer is fairly common these days. We certainly see a lot of users downloading it in various forms. It’s typically spread through Search Engine Optimization (SEO) poisoning, convincing users that they’re downloading some legitimate software. Often, we see it masquerading as PDFs or other files as well. It’s pretty common to see it deploy a decoy file that pretends to be whatever the user was looking for. Sometimes, this is even the correct file! (As far as I can tell, people are looking for weird things lol)

Read more...

This is a compilation of the last two weeks of traffic analysis. As always, this is a low-interaction honeypot that deploys FTP, SSH, Telnet, HTTP, HTTPS, IMAP, and VNC honeypots. Data is collected into a SIEM where it is correlated with location data and sent to a data visualization tool for report generation. Raw data is provided at the bottom of this post.

This past two weeks saw the United Kingdom as the top connecting country. This is largely due to the 88.91k connections from 144[.]126[.]206[.]248 on the VNC honeypot.

Read more...

Honeypot statistics from November 10th - 16th. This is a low-interaction honeypot that is deploying FTP, SSH, Telnet, HTTP, HTTPS, IMAP, and VNC honeypots. Data is collected into a SIEM where it is correlated with location data and sent to a data visualization tool for report generation. Raw data is provided at the bottom of this post.

This week there have been 108.06k connections observed. Of this, there were 3196 unique addresses. They were primarily from China, the United Kingdom, and the United States. China made up 36% (38.84k) of all traffic.

Read more...

awdwadawdawda