[Emerging-Sigs] Unknown TA Maldoc Check-In

Josh Stroschein josh at m9development.com
Tue Feb 25 10:03:36 HST 2020

Hey all,
I was investigating a maldoc that drops a JS file for execution via wscript (process activity would be WORD.exe -> CMD.EXE -> WSCRIPT.EXE, https://app.any.run/tasks/b64fd2da-42fc-407a-9aa5-f070a0281c11). What stood out to me, in addition to the process activity, was that there was no network traffic. Assuming it was intended to drop a payload, I dug into the JS and figured out it performs some anti-analysis through observing process activity. Instead of looking for specific processes though, it gets the entire listing as a string then compares the length; too short and it stops execution. This seems fairly effective, as it impacted my sandbox and a few public ones I tested (such as Any.Run). Unfortunately, after removing the anti-analysis I can't get the hosts to communicate, so I've been unable to get a PCAP. I also haven't had a chance for a more detailed write-up, but posted a few screen captures here: https://twitter.com/jstrosch/status/1232380070695710723. With the help of Travis Green, I've come up with a signature to detect the check-in (see attached). This is my first rule contribution so any feedback would be much appreciated.

Josh Stroschein
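The process chain Josh describes (WORD.exe -> CMD.EXE -> WSCRIPT.EXE) is itself a useful host-side detection alongside the network signature, since the sample may never reach the check-in in a sandbox. The following is an added example, not part of the original post or the attached rule: it walks constructed process-creation events (pid, parent pid, image path; the field names are an assumption, not any particular product's schema) and reports script hosts whose parent is a shell and whose grandparent is an Office application. It generalizes slightly beyond the post by also matching Excel/PowerPoint, PowerShell and cscript.

```python
"""Flag Office -> shell -> script-host process chains in process-creation events.

Added example for the Emerging-Sigs thread above; the event format and sample
data below are constructed for illustration and are not real telemetry.
"""

# Constructed sample events: one benign chain (explorer -> cmd -> wscript)
# and one suspicious chain (WINWORD -> cmd -> wscript).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe"},
    {"pid": 2000, "ppid": 100,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"pid": 2100, "ppid": 2000, "image": "C:\\Windows\\System32\\cmd.exe"},
    {"pid": 2200, "ppid": 2100, "image": "C:\\Windows\\System32\\wscript.exe"},
    {"pid": 3000, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe"},
    {"pid": 3100, "ppid": 3000, "image": "C:\\Windows\\System32\\wscript.exe"},
]

# Assumed process-name sets; extend to match the environment being monitored.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_index(events):
    """Map pid -> event so parents can be looked up in O(1)."""
    return {e["pid"]: e for e in events}


def ancestry(by_pid, pid, max_depth=16):
    """Return [(pid, image basename), ...] from pid up toward the root.

    A seen-set and depth cap guard against pid reuse producing cycles.
    """
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen and len(chain) < max_depth:
        seen.add(cur["pid"])
        chain.append((cur["pid"], basename(cur["image"])))
        cur = by_pid.get(cur["ppid"])
    return chain


def find_office_script_chains(events):
    """Return (office_pid, shell_pid, script_host_pid) for each matching chain."""
    by_pid = build_index(events)
    hits = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(by_pid, e["pid"])
        # chain[0] is the script host; require shell parent and Office grandparent.
        if len(chain) >= 3 and chain[1][1] in SHELLS and chain[2][1] in OFFICE_APPS:
            hits.append((chain[2][0], chain[1][0], chain[0][0]))
    return hits


if __name__ == "__main__":
    for office_pid, shell_pid, host_pid in find_office_script_chains(SAMPLE_EVENTS):
        print(f"suspicious chain: office={office_pid} shell={shell_pid} script_host={host_pid}")
```

Running the block prints the single WINWORD chain and stays silent on the explorer-spawned one. In production the same walk would run over Sysmon Event ID 1 or EDR process-start telemetry rather than the embedded list.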

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20200225/15015e9a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: possible-TA505.rules
Type: application/octet-stream
Size: 407 bytes
Desc: not available
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20200225/15015e9a/attachment.obj>
