Profile picture
Steve
@stvemillertime
, 8 tweets, 6 min read Read on Twitter
This is malware analysis 101 for most folks, but I thought I'd share a quick thread on easy .NET analysis using a recent wave of a malicious xlsx downloading PUBNUBRAT. cc @issuemakerslab @blackorbird and @navSi16 who all tweeted about this in Jan. #threathunting #dfir
88017e9f2c277fa05ee07ecc99a0a2dc (홍삼6품단가 .xlsx) is a doc that has multiple follow-on payloads including 05683b9a13910d768b7982d013c31cb9 (U3.conf)... see also 홀리데이 와이퍼(Operation Holiday Wiper)로 귀환한 로켓맨 APT 캠페인 by @alac blog.alyac.co.kr/2089
05683b9a13910d768b7982d013c31cb9 (U3.conf) is a backdoor that uses the PubNub API (a legit service) for C2 (see @MITREattack's T1102). It's a .NET binary and without its config it doesn't do much a sandbox. How do you detect network C2 over PubNubApi?
For quick and easy example of what it does, we pull it up in a utility such as .NET Reflector, dnSpy or dotPeek and look at the decompiled main function.
We see that the Main does a lzip decompress of the resource 'app.' We manually extract the 'app' resource (2b12f34291ba5f4e9a0a9b6b533f8b59) and use something like lzip.exe to decompress it.
Finally, we arrive at the binary d16fb1be17f2e972f1104481e9cd1368 (application/x-dosexec) and we see that it has very clear overlaps with #PUBNUBRAT based on plaintext strings and "new" PUBNUBRAT PDB path F:\Project\Util_3\Ant\obj\Release\Utils_3.5.pdb <- good for #threathunting
It is an easy, albeit manual, pivot for people triaging malware and doing research and all quickly doable within @FireEye's own #FlareVM github.com/fireeye/flare-…. Hope that was instructive (or at least a good reminder) for life in .NET.
@threadreaderapp unroll
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Steve
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#threathunting #dfir #PUBNUBRAT #FlareVM

More from @stvemillertime see all

Profile picture
Steve
@stvemillertime
The basis for #SwearEngine is that malware developers are developers too. The catharses in their malware code manifest in a multitude of coarse expressions. Thus we can use the presence of swear words as a "weak signal" to surface interesting files. #threathunting
You may balk at #SwearEngine for being #basic but consider that this rule, looking for PEs with one single "fuck", detects malware samples used by APT5, APT10, APT18, APT22, APT26, Turla, FIN groups, dozens of UNC espionage clusters. Too many to list.
At least one single "fuck" is present in some samples of the following malware families: AGENTBTZ, ASCENTOR, ZXSHELL, SOGU, TRICKBOT, GHOST, VIPER, WANNACRY, WARP, NETWIRE, COREBOT, REMCOS, VIPER, ORCUSRAT, PONY, etc. I can't even name the coolest ones. There are hundreds.
Read 6 tweets
Profile picture
Steve
@stvemillertime
Hopefully the 2019 @CrowdStrike “heat map” and global prevalence of @MITREattack will set a precedent for how vendors publicly discuss TTPs, allowing defenders to prioritize detection efforts based on evidence rather than cool factor: crowdstrike.lookbookhq.com/web-global-thr…
The @CrowdStrike report does not discuss the biases nor provide real hard numbers on the TTPs, which I know from experience are hard to deduplicate on intrusions (some are over represented and some are under represented). Maybe @_devonkerr_ or someone can shed some light here.
I’d like for someone to explain how data was collected, where the gaps are, and how the global prevalence (GP) measurements vary w/r/t malware families, actor groups, fluctuating GP for TTPs over the last couple of years. What is rising and falling? What can’t @CrowdStrike see?
Read 5 tweets
Profile picture
Steve
@stvemillertime
Mal devs themselves introduce some of the funniest & hi-fi (although short lived) detection opportunities. Amongst several applicable HTTP methodologies, we see "Content-Type:application/octect-stream." Don't manually type out your HPTP headers for your C2 protocolols. #dailypcap
This network traffic comes from newish backdoor ExileRAT (compiled 2019-01-30T07:05:47Z) 606e943b93a2a450c971291e394745a6 that was hanging (with a multitude of other evil) on recently #opendir "http://27.126.188[.]212" There are ties to a humongous cluster of probs CN espionage.
The attackers from IP 27.126.188[.]212 are rollin' deep with kit. get_robin.py (1) looks to be some derivative of github.com/bhdresh python toolkit and also does some logging of connections. Sc.dat (2) is HTML that does JS get and creates a scheduled task for the exe.
Read 5 tweets

Related threads

Profile picture
Bartek Pytlas
@bartekpytlas
My article on mainstream accommodation of radical right politics by conventional gov. parties Fidesz and Smer, as well as counter-strategies of far-right ‘originals’ after 2015 is out (in German). Here a #thread with an English summary. link.springer.com/article/10.100…
I show that Fidesz and Smer did not ‘just’ adopt restrictive asylum positions but justified them with nativist narratives of defense/threat to ‘Nation’ from constructed 'Others' and ideas. RR originals, even in HU, were however able to react by ‘repackaging’ their nativist supply
The essay builds and expands on insights developed in my book which has received the Gero Erdmann Comparative Area Studies Award 2018 from the Zeitschrift für Vergleichende Politikwissenschaft @DVPW_Vergleich routledge.com/Radical-Right-…
Read 21 tweets
Profile picture
diaryofanaijagirl.ng
@DANGposts
Here’s my 2018 testimony. Out of many, I’ll share this one.

#thread
In November 2017 I had an idea to produce a masterclass series that would be watched for free by all and paid for by brands that care about educating and enriching people’s lives. I didn’t know any brand that wanted to come on, I wasn’t even looking.
I just knew that if I concentrated on doing a world standard job, the work would speak for itself.

Listen, that was a bit Naive.

January 2018, I went on a limb and bought equipment for shoot: Cameras, lights, etc. I was ready but only two instructors had agreed to do it.
Read 17 tweets
Profile picture
파룬
@balloon_wanted
#Thread: Press Conference today regarding TheEastLight's recent events regarding the band's abuse and assault by Producer A and CEO KimChanghwan "B" (leader Lee Seokcheol) and his lawyer at Choyeongrae Hall
(181019)
Lee Seokcheol shares that both he and his brother, Lee Seunghyun have endured being beaten by Producer A

Lee Seokcheol shared that Kim Changhwan, their CEO, was aware of the situation and would watch the two of them be beaten up in the 5th floor studio
Seokcheol shares for the past 4 years, beginning in 2015, he and the members would be clubbed by a baseball bat, the abuse would occur everywhere within the company, studios, practice rooms
Read 37 tweets
Profile picture
Ali Khan
@coffeeandcrm
#Thread on new features and updates announced in release notes of #MSDyn365 Oct'18: docs.microsoft.com/en-au/business…. This is an excellent longread. Thread is just #TLDR for #CE specific/related features

#PowerApps #CDS #Flow #USD #Sales #FieldService #USD #Portals #AzureML
Starting with #MSDyn365 #Sales updates:
1. Playbooks: Think of it as Barney Stinson's playbook. Basically set of "automated repeatable sales activities" that help in winning opportunities. Looks like it'll be a set of activities which could be assigned to users
2. #MSDyn365 #Sales will feature deeper integration with LinkedIn, including capability to send InMail and adding LinkedIn related step in Business Process Flows

3. Out of the box @MicrosoftTeams integration
Read 31 tweets
Profile picture
Abhishek Murarka 🐂💹
@abhymurarka
💪A thread on amazing Twitter threads 😍👇
In the process of revamping my #Twitter profile (dormant earlier), I have come to appreciate the wonderful underutilized platform it is!
Some threads contain crisp knowledge capsules that can help many. Starting 1 on such curated content
1. I largely rely on this: threadreaderapp.com to find content
2. What I wish to share is what coincides largely with my interests- #Learning, #Investing, #Behavioralpsychology (#mentalmodels, #bias, etc), #Businessbooks, Industry insights/case studies, Life experiences, etc
3/n
 While it will be difficult to structure the order of content here, I will try to block threads by category (as noted above & more). Feel free to comment with any good thread that you would have come across. Cumulative learning always helps.
#vicariouslearning
Read 37 tweets
Profile picture
Adam Parkhomenko
@AdamParkhomenko
Quick Thread/Action Re: Net Neutrality
1/ DNC CTO Raffi Krikorian released the following statement in response to reports that Donald Trump’s FCC will reverse net neutrality rules:
2/
Read 4 tweets

Trending hashtags

#SOTU #Escobar #Hinduness #SanatanaDharma #DigitalNetworking #IdleNoMore #Pharmaceutical #openminded #mobile #MSM #ThirdTerm #NigeriaDecides2019 #discrimination #dedication #AmericanEconomy #India #Jaipur #VicePresident #Election2016 #MachineLearning #RSO #products #CRPFJawan #Relationships #innovation
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!