
Locky or Trickbot - Campaign and Infrastructure Analysis

The malicious email carried the base64-encoded 7z archive in the email body itself, not as an attachment. I am unable to see why an attacker would send an encoded malicious attachment in the message body.


The mail, with the subject "Supplement payment <somenumber>", was received from an IP address assigned to an Indonesian dyndns service provider:




The sender's email domain was "rec.ca". IBM X-Force Exchange lists the malicious attachments that were sent from this domain:



We can see that these are 7z files.


This is the webpage for reg.ca


I copied the base64-encoded text into a file called "infected_attach", decoded it, and redirected the output to a file called infectedzip.7z.


We can see that it is indeed a 7-Zip archive:

I moved the decoded 7z file to my lab and found a VBS script inside it.



Windows Defender identifies the VBS as VBS/Schopets.


MD5 hash of the VBS: 57030ddd567e2bc26e75ef8ac2359079



Strangely, VirusTotal had zero detections for this VBS.
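The decode, identify and hash steps above, collected into one script as an added example (this is not the author's code, and it does not use the real sample from the post). The mail body it decodes is a constructed 7z archive built inline with the genuine 32-byte 7z signature-header layout, so the script runs offline; it goes one step further than `file` by verifying both CRCs in that header, which catches a truncated or tampered copy. All function names are my own.

```python
"""Triage a base64-encoded 7z archive that was pasted into an email body.

Added example: the archive below is a constructed stand-in with the real
7z signature-header layout; it is NOT the sample from the post.
"""
import base64
import hashlib
import string
import struct
import zlib

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def decode_email_body_b64(text: str) -> bytes:
    """Decode base64 copied out of a mail body.

    Mail clients wrap base64 at 76 columns and may add CR/LF, leading spaces
    or quote prefixes; keep only base64 alphabet characters, restore any lost
    padding, then decode strictly so corrupted data is noticed, not ignored.
    """
    cleaned = "".join(ch for ch in text if ch in B64_ALPHABET)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned, validate=True)


def file_hashes(blob: bytes) -> dict:
    """MD5 (the digest the post quotes) plus SHA-256 for VirusTotal lookups."""
    return {
        "md5": hashlib.md5(blob).hexdigest(),
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


def parse_7z_signature_header(blob: bytes) -> dict:
    """Check the 32-byte 7z signature header instead of trusting the magic alone.

    Layout: 6-byte signature, 2-byte version, CRC32 of the next 20 bytes,
    then NextHeaderOffset (8), NextHeaderSize (8), NextHeaderCRC (4).
    The next header sits at 32 + NextHeaderOffset; both CRCs are verified.
    """
    if len(blob) < 32 or not blob.startswith(SEVENZ_MAGIC):
        return {"is_7z": False}
    major, minor = blob[6], blob[7]
    start_crc, next_off, next_size, next_crc = struct.unpack("<IQQI", blob[8:32])
    start_crc_ok = (zlib.crc32(blob[12:32]) & 0xFFFFFFFF) == start_crc
    next_header = blob[32 + next_off:32 + next_off + next_size]
    next_header_ok = (
        len(next_header) == next_size
        and (zlib.crc32(next_header) & 0xFFFFFFFF) == next_crc
    )
    return {
        "is_7z": True,
        "version": (major, minor),
        "next_header_offset": next_off,
        "next_header_size": next_size,
        "start_crc_ok": start_crc_ok,
        "next_header_ok": next_header_ok,
    }


def triage(body_text: str) -> dict:
    """Run the manual steps in one go: decode, hash, identify and validate."""
    blob = decode_email_body_b64(body_text)
    result = {"size": len(blob), **file_hashes(blob)}
    result.update(parse_7z_signature_header(blob))
    return result


def build_constructed_sample() -> str:
    """Build a minimal well-formed 7z byte layout and wrap it as a mail body would.

    Constructed for this example only: the packed stream and the next header
    are placeholder bytes, not real compressed data, but the CRCs are correct.
    """
    packed_streams = b"\x00" * 10
    next_header = b"\x01\x04\x06\x00\x00"
    next_crc = zlib.crc32(next_header) & 0xFFFFFFFF
    tail = struct.pack("<QQI", len(packed_streams), len(next_header), next_crc)
    start_crc = zlib.crc32(tail) & 0xFFFFFFFF
    archive = (SEVENZ_MAGIC + bytes([0, 4]) + struct.pack("<I", start_crc)
               + tail + packed_streams + next_header)
    b64 = base64.b64encode(archive).decode("ascii")
    return "".join(b64[i:i + 76] + "\r\n" for i in range(0, len(b64), 76))


if __name__ == "__main__":
    for key, value in triage(build_constructed_sample()).items():
        print(f"{key}: {value}")
```

For a real mail, paste the body into a text file and pass its contents to `triage`; a `start_crc_ok` or `next_header_ok` of False before any extraction tells you the copy is damaged and the hash you would submit to VirusTotal is not the one the attacker sent.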



 I proceeded to deb…
