Harold

@haroldogden

Security research at Walmart. Tweets and opinions are my own.

Arkansas, USA
Joined February 2011

Tweets


  1. Retweeted

    It was my pleasure to work on this with and , two excellent analysts. Malware analysis provided by the awesome .

  2. 27 Jan

    Splash page: "*this document is completely safety to open"

  3. 27 Jan

    OSTAP downloads base64 encoded PE from 185[.]234[.]73[.]110. Returns 503 unless you use the correct User-Agent set by cscript/wscript. Final payload appears broken, crashes on Win10/Win7. 210832d0c82409f73d3053fe7dc19a5b4bed3933f62431cdb2dd5d6ff88770d2

  4. 27 Jan

    Maldoc dropping and running OSTAP. Splash page almost got the natural English thing right. VBA uses CallByName, embedded table, Spanish language print statements to obfuscate and appear benign. 5cde4a660fae1ae13198ff5b83244a5a21bd0afdaa905ccd3b9e2202243afa22

  5. Retweeted
    23 Jan

    interesting sample, using minimal macro to write to startup folder for persistence & uses IE via COM to download 2 txt files (no noisy ps or abnormal exec).

  6. Retweeted
    12 Nov 2019

    The Hybrid Enterprise idea is so amazing. It brings together complicated on-premises attack surface with the previously separate benefits of complicated cloud attack surface.

  7. Retweeted
    6 Nov 2019

    Looks like / has switched over to the new Rich Edit control based maldoc builder that is using. is spamming Office 2007+ maldocs while is spamming Office 97 maldocs.
  8. Retweeted
    29 Sep 2019

  9. Retweeted
    17 Sep 2019

  10. 16 Sep 2019

    Jscript dropped on Document_Open(), executed on Document_Close(): 03a59fc379b9256b73e13780d15753f90ee13be74059d8ed11626d5868cadb7e

  11. 16 Sep 2019

    Fresh downloading from 185[.]130[.]104[.]157/marga/karlmarks[.]php. Sample maldoc: aa84bf6be31b9ae7f8fae6248a9bc0a57b7a40fc1af1c6c40d81edb853d12ab5 VBA filler taken from probably to evade ML signatures.

  12. 2 Aug 2019

    Maldocs delivering JS that downloads are experimenting with where to save their JS before running. Doc saves the JS to the current document's ADS: {CURRENT_FILE_NAME}.docm:tushe 9c2bc57c4cefbdc2413b69732154e22bada7e743c396752b6bd33a07caa3f33b

  13. 2 Aug 2019

    Here's a list of maldocs we've seen matching this builder style and their download URLs - based on searching on VBA built-ins "Chr:CreateObject:CreateTextFile:Shell:StrReverse:Write" Many 2nd stage hashes are for the XSL that is dropped.
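As an added example (not the author's tooling and not code from any of the tweets), the following Python applies the built-in search key from the tweet above to extracted VBA source, for instance the text olevba or oledump would give you. The two macros are constructed, inert test fixtures; stripping comments and string literals before tokenising is my assumption about how to keep a word like "Shell" inside a comment from triggering the match.

```python
import re
from typing import Set

# The six VBA built-ins the tweet uses as a search key for this builder style.
INDICATOR_BUILTINS = frozenset(
    ("Chr", "CreateObject", "CreateTextFile", "Shell", "StrReverse", "Write")
)

_STRING = re.compile(r'"(?:[^"]|"")*"')       # VBA string literal; "" is an escaped quote
_COMMENT = re.compile(r"'.*$", re.MULTILINE)   # apostrophe comments (Rem lines not handled)
_IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")


def strip_strings_and_comments(vba: str) -> str:
    """Blank out string literals first, so an apostrophe inside a string is not
    mistaken for a comment start, then drop apostrophe comments."""
    return _COMMENT.sub("", _STRING.sub('""', vba))


def builtins_present(vba: str) -> Set[str]:
    """Return which of the indicator built-ins appear as identifiers in code
    (VBA is case-insensitive, so matching is done on lower-cased tokens)."""
    canonical = {b.lower(): b for b in INDICATOR_BUILTINS}
    tokens = _IDENT.findall(strip_strings_and_comments(vba))
    return {canonical[t.lower()] for t in tokens if t.lower() in canonical}


def matches_builder_style(vba: str) -> bool:
    """True only when all six built-ins are used in code, as in the tweet's key."""
    return builtins_present(vba) == INDICATOR_BUILTINS


# Constructed, inert fixture: same drop-a-file-then-Shell shape the tweets
# describe, but it only writes a placeholder to TEMP and runs "echo".
SUSPICIOUS_VBA = """\
Sub AutoOpen()
    Dim fso, f, p
    p = Environ("TEMP") & Chr(92) & StrReverse("txt.elpmas")
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.CreateTextFile(p, True)
    f.Write "placeholder"
    f.Close
    Shell "cmd /c echo " & Chr(34) & p & Chr(34), 0
End Sub
"""

# Constructed benign fixture: the key words only occur in a comment and a string.
BENIGN_VBA = """\
Sub FormatReport()
    ' Write the header row in bold; Shell is not used here
    With ActiveSheet
        .Range("A1").Font.Bold = True
        .Range("A1").Value = "Shell CreateObject"
    End With
End Sub
"""

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_VBA), ("benign", BENIGN_VBA)):
        print(name, sorted(builtins_present(src)), matches_builder_style(src))
```

This is only the heuristic the tweet describes, not a detector: the other tweets on this page note builders that hide these calls behind CallByName or pad the module with filler, so treat a miss as uninformative and a hit as a reason to look closer, not as a verdict.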
  14. 2 Aug 2019

    Disregard, took the screenshots in the article at face value... StrReverse and Chr(34) are consistent with the July 9 Dridex maldoc VBA. The screenshot in the article was partially deobfuscated.

  15. 2 Aug 2019

    The maldoc VBA used in this campaign is the same used in Dridex campaigns a month ago, but possibly an earlier version. Dridex maldocs from ~July 9 moved "chr(34)" to not be on the same line as "Shell", and used StrReverse on the XSL file path

  16. 26 Jul 2019

    Analysis and emulation of a Dridex maldoc Part 2 is up! Documented how I go about generating VBA with Python, QA the result, and a video showing how to insert the generated VBA into a Word doc to emulate a Dridex maldoc.

  17. 25 Jul 2019

    Some samples built with this VBA (They download and execute putty - password "123", just like Dridex): Don't take my word for it though, please treat all office files like malware. 3/3

  18. 25 Jul 2019

    Progress so far in this branch of the Adaptive Doc Builder: - detailed write up coming tomorrow on how to build your own with the script output. Each doc takes about a minute. Here's an example: one of these is Dridex, the other three are from ADB. 2/3

  19. 25 Jul 2019

    Done with a VBA builder to emulate Dridex from earlier this month. 5 code modules, 1 XSL payload that runs with wmic os get /format:"{payload_path}". Still can't figure out how to add a text box control to a form with pywin32's COM client, so it's not a full doc builder yet. 1/3

  20. 21 Jul 2019

    Spending some quality time with a Dridex maldoc this weekend. While the goal is to have a new builder in the Adaptive Document Builder in the next few days, I also documented my analysis process. Here's how I pick apart a maldoc before making a builder:
