Started tracking this activity when I observed a lot of malicious doc files submitted in VT with dhash value 6801012121018101. 6801012121018101 is the dhash value of the image file (mentioned below) that’s used in the DOC file and all files having this image can be searched in VT using main_icon_dhash:6801012121018101 More info about main_icon_dhash – […]
Details Started Tracking this activity when observed the encoded payload (f9ee2a922e43f7e080d14019a42d983004313499d2cb1fd3619d0d6eba417be1) that translates to the empty script similar to that in the Unit42 Blog about Aggah Campaign (https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/). Was interesting to see the Detections for this script. Observed that the Pastebin account belonged to HAGGA Began tracking the related URLs in VT and observed that […]
1) Sample Details: MD5 – 5ab2c99e5b4673494c2b37da10442bc3SHA-1 – 00d379f6e1d040a185f7c7d678879360a1570b47SHA-256 – 05e1e27194872ea82491a474afd2273bdad56e2b61172453ef3e771be6965c82 $ file PT798800-TT000768-11.doc PT798800-TT000768-11.doc: Microsoft Word 2007+ 2) Right away we see the suggestion provided to enable macro and a “100% Virus Satisfaction Guaranteed Seal” with a check mark next to ‘No Download’ (seems legit :p). 3) There was a lot of Junk Code like […]
1) Sample Details: Hash: MD5 – 40e2f412a8f47b43e7d2336e22bec6f4 SHA-1 – 10a4c26ba2b0ed617ba367d41feef975e2dc30b7 SHA-256 -128623cda77296ec4cd94eef06068de95b7128dfdb16a4e6f8d7269da218d8ed File: $ file rents.xls rents.xls: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: ������������ Windows, Last Saved By: ������������ Windows, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Dec 20 13:33:43 2018, Last Saved Time/Date: […]
Thanks for joining me! Good company in a journey makes the way seem shorter. — Izaak Walton
