The annual FireEye Flare-On challenge is something I really look forward to, with great excitement and impatience. I strongly suggest that everyone spend some time on past challenges, as they are an excellent source of knowledge and a chance for skill development. Of all the Flare-On challenges, I recall Flare-On 5 (2018), which is considered the most difficult one; so difficult that the organizers mentioned that future challenges would be easier. One such challenge was leet_editr (challenge number 5), which became my nemesis, as I was not able to complete it and thus move forward.
This week a captured AutoIT malware sample caught our attention. It happened that we had some experience with AutoIT scripts, thanks to FireEye Flare-On 7 (2020) challenge #6 (CodeIT), but we had never had the chance to analyze a real-world sample.
In this short post, the process followed during the analysis will be presented.
Quoting the AutoIt website:
AutoIt v3 is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting. It uses a combination of simulated keystrokes, mouse movement and window/control manipulation in order to automate tasks in a way not possible or reliable with other languages (e.g…
During October 2020, Greece was targeted by an Emotet malware campaign. A significant number of emails containing Emotet malware was received by almost every organization in Greece. Based on ESET's report for October 2020, Greece was the country with the largest contribution to the Emotet botnet, at approximately 18%. What caught our attention is the infection rate and the level of credibility the related Emotet phishing emails had.
We considered it as a great opportunity to enhance our reverse engineering skills by trying to fully analyze Emotet but also identify the operational activities of this specific campaign. In this post we…
Two weeks ago a malicious MS Word document was blocked by a sandbox (SHA-256: 1aca3bcf3f303624b8d7bcf7ba7ce284cf06b0ca304782180b6b9b973f4ffdd7). The sample looked interesting because, at that time, VirusTotal showed a limited detection rate. Both VirusTotal and Any.Run identified the sample as CVE-2017-11882, one of the infamous Equation Editor exploits. Let's take a look.
RTF is a quite complex structure by itself. On top of that, adversaries add extra obfuscation layers to prevent both analysts and analysis tools from detecting the malicious objects.
Firing up oletools/rtfobj and Didier Stevens' rtfdump to look for OLE objects did not turn up anything useful.