Archive by Author

Video: Maldoc Analysis: Excel 4.0 Macro, (Sun, Mar 17th)

In this video, I provide more context for the diary entry “Maldoc: Excel 4.0 Macros” by showing how to distinguish VBA macros from Excel 4.0 macros. Then I proceed with the analysis of the Excel 4.0 macro sample. Didier Stevens, Senior Handler, Microsoft MVP, blog.DidierStevens.com, DidierStevensLabs.com. (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 […]

Maldoc: Excel 4.0 Macros, (Sat, Mar 16th)

I’ve received several samples of malicious spreadsheets with Excel 4.0 macros over the last few weeks, like this one: 7df15be35bd8fd1a98adc24e6be7bfcd. Excel 4.0 macros predate VBA. When you take a look with oledump.py, you will notice that these spreadsheets do not contain streams with VBA code. To check whether a spreadsheet contains Excel 4.0 macros, you can […]

Binary Analysis with Jupyter and Radare2, (Fri, Mar 15th)

Jupyter has become very popular within the data science community, as it is an easy way of working interactively with Python, R and other languages. Within Jupyter you create a notebook, which contains (live) code, visualisations and markdown. It is used for data processing, numerical simulations, modelling, data visualisation and machine learning, and it lets reverse engineering […]

Tip: Ghidra & ZIP Files, (Thu, Mar 14th)

I don’t know where I got the idea, but I erroneously assumed that Ghidra could help with the analysis of document files. Ghidra is a software reverse engineering framework developed by the NSA and released at RSA 2019. My test revealed the following: .doc files (i.e. Compound File Binary Format files) are not recognized at […]

Malspam pushes Emotet with Qakbot as the follow-up malware, (Wed, Mar 13th)

Introduction: I’ve posted several diaries about malicious spam (malspam) pushing Emotet malware. In recent years, I’ve made sure to include information on the follow-up malware, since Emotet is also a distributor for other malware families. Not much has changed since my previous diary about Emotet malspam in November 2018. In the past two or three […]

Microsoft March 2019 Patch Tuesday, (Tue, Mar 12th)

This month we got patches for 64 vulnerabilities. Two of them have been exploited in the wild and four had been made public before today. Both exploited vulnerabilities (CVE-2019-0808 and CVE-2019-0797) affect the win32k component on multiple Windows versions, from Windows 7 to Windows Server 2019, and may lead to privilege escalation. An attacker who successfully exploited this vulnerability could run […]

Wireshark 3.0.0 and Npcap, (Mon, Mar 11th)

Starting with version 3.0.0, the Wireshark for Windows installation programs are distributed with Npcap instead of WinPcap. Prior Wireshark Windows versions already supported Npcap, but the installer still came bundled with WinPcap. Npcap is a library for packet capturing and sending on Windows, developed by the Nmap project, and is actively maintained, while WinPcap […]

Quick and Dirty Malicious HTA Analysis, (Sun, Mar 10th)

Reader Ahmed shared his analysis of a malicious HTA file. The reason he had to perform static analysis is that dynamic analysis failed: the sandbox he used reported no activity by the HTA file. It’s a rule of thumb when reversing: if you don’t succeed with one particular analysis method, try another one. Even […]

Malicious HTA Analysis by a Reader, (Sun, Mar 10th)

This week, reader Ahmed Elahaer submitted a malicious HTA file. He was able to deobfuscate the VBScript inside the HTA file, but had difficulties with the obfuscated PowerShell script launched by the VBScript. Later, Ahmed reached out again: he had deobfuscated the PowerShell script, and shared his analysis with us. Thanks Ahmed! I’m posting his […]

A Comparison Study of SSH Port Activity – TCP 22 & 2222, (Sat, Mar 9th)

A while ago I added TCP 2222, a port usually associated with SSH traffic, to my honeypot in order to compare the amount of scans targeting port 22 and port 2222 over a period of 7 days. What I have noticed is that only about 50% more of the traffic is going to TCP 22, the default SSH port. The activity reported […]