Excel 4.0 Macros Analysis - Cobalt Strike Shellcode Injection

Reddit Comments

How did he know the payload was CobaltStrike?

u/w3tmo, Nov 29 2019 (1 upvote)
Captions
Hey guys, Colin here, hope you're well. Today I'm going to show you a super interesting sample that was sent to me by a guy on Twitter called RT Kara Hoda (cool guy, you should definitely give him a follow). He sent me this sample, which I found really interesting, and I thought it would make a good video because it uses a lesser-known technique, probably what I'd describe as an old-school technique, for executing macros from a malicious Excel file. In this particular case it looks like it's designed to deliver a Cobalt Strike beacon. So what I wanted to show you today was, firstly, how to analyze this particular technique of code execution, and then also how to extract the shellcode and some of the tricks that the shellcode uses in order to disguise itself as well. So it's quite a packed video with some really interesting content that hopefully you'll find useful when you're threat hunting in your environment or if you're performing some malware analysis yourselves in your own labs.

So this is the sample that we're going to take a look at, and RT kindly sent me the link to the ANY.RUN analysis too. As you can see, basically it looks like the Excel file crashes, and in fact when I ran it in my own lab that's exactly what I experienced: I opened it in Excel, I ran it and it crashed as well. So I had to pick out all of the indicators, and I'm going to show you the process that I went through and the various research that I referenced from other people, who've done an amazing job of documenting these techniques. If you don't know about them, if you've never heard of them, you should definitely get up to speed on them. Anyway, you can pull the sample down from here; I've got the Excel file in my lab virtual machine.

Let's just super quickly talk about the environment and how I get things configured, which is usually the same every single time I look at malware. The first thing is I have my network traffic proxied through Burp Suite, so if you have a look at my proxy settings here in my internet settings you can see my network adapter is using a proxy on localhost port 8080. If you have a look in my options here (let me scroll up a little bit and make this bigger) you can see that this Burp Suite listener will listen by default on port 8080. Of course it's not waking up because I'm doing a video and it doesn't want to play the game. Now, here we go. So you can see the proxy listener on 8080, and that will give you a nice easy view: if you turn intercept off (so that would be on; if you turn it off) you just get a nice flow in the HTTP history of any requests that get made from your network adapter. Notice, though, that not everything will abide by the proxy, so you can still have network connections that go out across the internet and bypass the proxy. Just be aware of that in your analysis and use something like Wireshark or Microsoft Network Monitor or what have you. Anyway, I'm not really going to delve into that too much in this particular video.

I also like to use Process Hacker, which just gives me a live view of processes on the machine so I can poke around them if I need to, and then I also run Process Monitor. Procmon, as most people will know, gives you a view on what's going on on your file system, in the registry, from a network perspective, pretty much everything that's going on on your machine. Usually what I like to do is just filter where the operation is Process Create and also where the operation is Process Exit; that's my default, and then you can filter stuff around that as well. Bear in mind as well that I do use a VPN; on my host I tend to use Private Internet Access, so I'm coming from a proxy IP address, just in case. I don't really want to leak my personal IP address to the rest of the world and certainly not to malware operators, so you should definitely do that as well. You can also isolate your virtual machine if you want to, but sometimes you want to see the live internet connections as well.

So we've got it all set up; let's give it a whirl and see what happens. We'll open the file, and really I'm just interested to see if I see the same thing as we saw in the sandbox on ANY.RUN. You can see the content of the file looks like some sort of salary or financial content, which would be potentially juicy and you might want to see the stuff behind it, and it's all part of the phish to get you to enable the content to "synchronize the data" (which may or may not be spelt right, I can't really work that out). So macros have been disabled; we'll just enable them and see what happens on our machine. You can see that Excel thinks about stuff and then ultimately crashes. It's just the usual app-crash message that we get in Excel, not very helpful. If we have a look in the Sysinternals process tree view we see very similar processes spawned to what we saw in ANY.RUN: they saw dw20 and then dwwin as well, which is exactly what we're seeing here, the Watson client, which are just the basic Microsoft crash-reporting processes. If I go into Burp Suite I don't see anything; this entry is just from when I opened Process Hacker and it checked for updates. So unfortunately it doesn't look like this malware has executed in my environment just now, but that's not to worry, because obviously we're good malware analysts, right, and we're going to statically analyze this, see what happens and pull out all of the indicators. So let's get rid of Process Monitor for now, we don't need that, and let me just clear (when my machine decides to wake up) the history here in Burp Suite. There we go. Then we'll take another look at this and see what happens.

Now obviously, as you noticed, we had to enable macros, so you would think if you just go into Developer and into Visual Basic here you would see some macros. But no, there are no macros in the VBA editor, and there's a good reason for that: it doesn't use VBA macros. There are macros at play, they're just not VBA ones, and this is what I meant before about this being an old-school technique. Microsoft, in its infinite wisdom, supports something called Excel 4.0 macros, otherwise known as XLM, not to be confused with XML, the common syntactical language. XLM, Excel 4 macros, are something that you should definitely get to know about, because these are super powerful but actually really problematic for the likes of antivirus vendors and other such security tools to detect. So, really interesting. The way it works is probably easier to show you in a new document before we dive into the malware. If you're going to write some Visual Basic, as I say, you would usually go into the editor and write some code. Instead of that, what you can actually do is right-click on Sheet1 here, go to Insert, and you can see you can insert a sheet that's a macro sheet, an MS Excel 4.0 Macro sheet. So we'll insert that, and we can type in stuff like this, and these are commands which will be executed. Now if we right-click on this and click Run, it's going to run from the current cell, and you can see it's going to execute the command that we give it, so in this case obviously it just popped calc. But there are a bunch of different commands and functions that Excel 4.0 macros support, too many to go through. However, what I will point you to (let me just go to Chrome here) is an amazing resource which I found through browsing, and I'll link this in the video. This particular PDF has basically every function and all of the syntax behind it that you can think of, and we'll reference this in just a second in our analysis of this particular file.

So that's how it works. And notice as well what you could also do: let me do something else. You can do two commands, and you need to stop it complaining, so you need a HALT or a RETURN command at the bottom. If I execute this I'm executing the first cell, right, so row 1 column 1, which is R1C1 here. So click Run and you can see that calc popped, but also this message box or alert box popped up as well. So the way that Excel 4 works is that it's going to execute the command in row 1 column 1, then it's going to go to row 2 column 1, and it's just going to go top down, left to right, and execute anything that's in this worksheet column. Then you can reference other columns, you can make it jump around and all the rest of it, but that's the execution flow: the same as any other programming language, really, top-down, left-to-right is how the code is going to execute.

So anyway, let's just clear the contents and go back to our malware and have a look at what it's doing. Now in this particular case this is just a worksheet, it's not an Excel 4 macro sheet, but you'll notice if you right-click on Sheet1 here you can Unhide, and they've hidden a sheet here, so always check for that in your analysis. So let's unhide the sheet and you can see that somewhere down here there's a bit of text over here in column 100 onwards, and there's also some text all the way over here that says "enable content, upload the file format", so you think that's probably some lame part of the phish in case you just did happen to stumble across this particular worksheet; it's just going to tell you to upload the content and you might not look all the way over here at the other columns, because it starts at like a hundred.

However, also note that when we enabled macros the code seemed to auto-execute, and so we want to essentially find the entry point, we want to find what the initial instruction is that's going to get executed. If you drop down here you'll notice that one of the cells has been named, and it's Auto_Open. It's the same as when you're writing some VBA: you would declare a subroutine called Auto_Open and that would be the subroutine that gets executed when the document opens. The same applies for Excel 4: if you name a cell in a macro worksheet Auto_Open, that's going to be the first one that executes. So you can see here that it points to this cell, which is in row 5 column 102 (R5C102), and all that seems to be doing is concatenating a few different strings together. You can see R1C102, which is that one, R2C102, that one, R3 and R4, and it just builds the string "VirtualAlloc". Well, that's obviously suspicious and gives you an idea of what's going on here; you would imagine that this code is going to use VirtualAlloc at some stage. But just concatenating a string isn't doing anything malicious, and like I said before, the code will go top down, left to right, so it's going to start here and move on to the next instruction, then the next instruction. You can see here that it's going to activate the "update" workbook, which is this one, and then it's going to jump to R1C103 and execute. R1C103 is here, and you can see the next instruction is ERROR(FALSE), and then there's a range here.

So if we go back to this cool resource and do a Ctrl+F for "ERROR", we can jump to it. You can see the function in Excel 4 specifies what action to take if an error is encountered while a macro is running, and so you use ERROR to control whether Excel messages are displayed or to run your own macro when an error is encountered. If enable_logical, which is the first parameter to ERROR, is 0 or FALSE, all error checking is cleared, and if it's cleared and an error is encountered while a macro is running, Excel will ignore it and continue; error checking is selected again by an ERROR(TRUE) statement or when the macro stops running. If you look back here you can see that indeed it is FALSE, so it's going to clear all the error checking and if it encounters an error it's just going to push on ahead. I feel like this is a similar thing to an On Error Resume Next statement in VBA. Then we see the range, R2C103 to R3C103, which are these two cells. The first one is this string, which is obviously a file path, something under Microsoft Office ending in app-s.xml, and I've never heard of this, and even when I google it (let me just google it again) you can see that I don't really get any proper results for it, and maybe one of you guys can help me understand the relevance here. But what I think is happening, if I go to the next cell in the execution chain here, is that it tries to open whatever is listed in R2C103, which is this; it's trying to open that XML file. If we go back to our super-cool reference and have a look at FOPEN, you can see that it has the access_num parameter, which is 1, 2 or 3; in this case it's 2, so it's trying to open the file with read-only permissions. It's trying to open this XML file read-only, but certainly on my machine that doesn't exist, and so the next check that gets made is IF(ISERROR(R3C103)), i.e. the call to FOPEN, then jump to... So if we have an error, which in my case we would, we're going to jump to R1C100, which is here; if we don't have an error, R1C104, which will be here. So we've got two paths here in this IF condition.

What I'm also going to do, just quickly, to try and make things a little bit easier to read (hopefully this has worked; let me scroll all the way over here): yeah, so rather than it all showing zero I've just copied and pasted the values, so you can see a little bit more easily what's going on in each of these cells without having to click into each one. So this is where we are, right: if ISERROR on the call to FOPEN, jump to R1C100; if not, R1C104. We just want to quickly have a look and see what the main differences are between these two branches. You can see here there's a CALL, which is a function within Excel 4 that we can look at the documentation for shortly. It looks like it's calling kernel32 with another parameter passed to it, R5C102, which is where we started, right, the concatenation of "VirtualAlloc". So we're going to call into kernel32, get the address of VirtualAlloc and execute VirtualAlloc as well. You can see here that we've got a string, "JJJJJ", five J's, and what that means is that J in Excel 4 is a data type, in this particular case a long integer. The first one that you feed it is going to be the return type from this particular call, so we're expecting the return type from this function to be a long integer, and then the next four J's that we see are also long integers, but they're going to be the arguments that get passed to the particular function that you're calling. It seems a little bit confusing, and it is, just because this is syntax that isn't particularly common; however, just go with it, I guess.

What I will point you towards is some research; actually it's probably a good time to talk about it now. Let me go back to Chrome here. There is an amazing blog from Outflank, and if you've never read any blogs on outflank.nl then definitely go and check them out. These were also the guys that authored EvilClippy, which is one of my favourite tools for analyzing and also creating malicious documents, for testing purposes obviously. Anyway, they describe the techniques that we're talking about today in a massive amount of detail, and you can see that actually when you look at some of their proof-of-concept code it's very, very similar to what the bad guys are using. In fact Stan, who I think wrote this blog, details some of the techniques that he used in order to inject a Cobalt payload into an Excel 4 macro. There are some differences, though. One of the key differences here is that in our malware we can see =CALL("kernel32", ...) blah blah blah, whereas in the Outflank blog there's a call to REGISTER. What that's essentially doing is registering a name, or wrapper, for a particular function; in this particular case he calls it "valloc", and then on the next line you can see he just invokes valloc, i.e. the function that's just been registered, and passes in all of the parameters to VirtualAlloc. All our code is doing is combining those two instructions from the blog, the REGISTER and then the call, into the one CALL: you can just call whatever in kernel32, so VirtualAlloc, and feed it all of the parameters as well. You can see here that on this side it's the same thing as well, so it depends on which execution path you take. In fact we'll follow this one just because the API calls may be a little bit more familiar to people: VirtualAlloc, all of the J's.

What we want to do is have a look at the documentation for VirtualAlloc, have a look at the arguments that get passed to VirtualAlloc so we can understand what they mean. The first one is the address, the starting address of the region to allocate, and we can see here that the first parameter is 0, so it's going to let the operating system decide: if this parameter is NULL, the system determines where to allocate the region. The next is the size, the size of the region in bytes to be allocated, and we can see here that 880 bytes is what's been asked for. The next flag is the flAllocationType, and bear in mind this is 4096 in decimal, so because I'm rubbish at decimal to hex, let me convert 4096 to hex: we can see it's 0x1000, so the parameter is this one, MEM_COMMIT: "allocates memory charges (from the overall size of memory and the paging files) for the specified reserved memory pages". OK, that sounds good. Then the next parameter is 64, which, let me have a look, is the flProtect, the memory protection for the region of pages to be allocated, and it can be any one of these particular constants. In this case 64 in decimal is 0x40 in hex, and if you have a look at 0x40, it's going to allocate virtual memory with PAGE_EXECUTE_READWRITE permissions, which is very, very common in terms of process injection. So that's cool.

So we're going to call that first, then it's going to select a range of cells, and you can see the range of cells that's been selected: on this particular branch it's selecting R1C105 to R1000C105, so basically all of this stuff here, and then it's going to make the active cell R1C105. So it's going to select the range but also basically put the cursor in the first cell of that range. So it's made that selection, and you can see here that all of this CHAR stuff (=CHAR(...)&CHAR(...) etc.) is all of the shellcode that's actually going to be executed by the malware. Then it's going to set the value in R1C99, which is over here, to be 0, and then we enter into a little loop here: we've got a WHILE loop and the NEXT at the bottom is going to be the iterator through the loop. So while the length of the active cell is greater than 0 (you're in this first cell to begin with), you can imagine that we're going to go down through the course of the loop until it gets to a cell whose length is not greater than 0, i.e. an empty cell. So it's just going to loop through all of these, and then it's going to make a call here: it's a kernel32 WriteProcessMemory. If we make this a little bit bigger we can see what's going on, even bigger again, here we go. So we can see here the call to WriteProcessMemory, and we have these data types that are passed in as the parameters to the call: the first J is going to expect a long integer and then the rest of them are the types of the arguments to WriteProcessMemory, and here are the comma-separated arguments that are going to get passed in. If we have a look at WriteProcessMemory, here we go, we can see the first argument is the handle to the process, a handle to the process whose memory is to be modified, and that must have read/write permissions; in this case it's -1. Then R2C104 (one, two, three, four, five, OK) so the second parameter is R2C104, row 2 column 104, which is this one here, which is the call to VirtualAlloc. So whatever was returned from the call to VirtualAlloc is going to be in this particular buffer, if you like, plus a load of zeros: in this particular cell we set the value of R1C99 to be 0, so for whatever reason it just adds a load of zeros to it. So that's the second parameter to WriteProcessMemory, and that's the base address. If you have a look at VirtualAlloc's return value, the return value is the base address of the allocated region, so we're obviously going to write the process memory from the base address of the memory which was allocated in VirtualAlloc. Then, obviously, what do we want to write? The third parameter is the buffer, a pointer to the buffer that contains the data to be written, and that's obviously the active cell, so we're going to loop through each of these and write each of the lines of text, or whatever this evaluates to, into the buffer. And then how much are we going to write? The next parameter is the size, the number of bytes to be written, and that's obviously the length of the active cell. Then it's going to iterate through that list, OK, and it's just going to do that until it reaches the point where the active cell's length is not greater than zero, so it's almost like a do-while loop we're in here. Once it's done that, you can see it's going to call CreateThread in kernel32, and what's it going to create? It's going to create a thread from the memory address space that we just allocated and then filled up with the buffer from WriteProcessMemory. Then it's going to jump to R11C100, so if we go all the way back to R11C100, which is here, it's going to produce a formula at this part of the page, some kind of message, and it's going to activate Sheet1 again, so basically we're going to finish.

So the question is, what's this doing? What is all of this shellcode, all this CHAR stuff, and how can we convert it into shellcode? Well, firstly, what I would suggest is we get friendly with CyberChef, so let's do that now. Come on, CyberChef, wake up. There we go. If we copy it properly... oops, why is my copy-paste buffer not working? "Copy: cannot empty the clipboard." No, of course you can't, that's annoying isn't it? Let me see whether I can do it any other way. Here we go, all right, it used to work. OK, so what we should do here really is get rid of all this CHAR nonsense, because this is just a big string of text that we put in here; we just want to extract the number that's in between them. So we can use a regular expression to help us with this (where's my machine going crazy? Why is it making my screen go crazy? I don't know). I completely stole this, I'll show you, from a "regex between strings" search; I won't take any credit for this expression, I'm absolutely rubbish at creating them. You can see here this dude wants to know how he can match every character between "This is" and "sentence", so he just wants the middle bit. If we take that kind of syntax and apply it here, obviously we don't want "This is", we want stuff that's between "CHAR(" and a closing bracket, that one. OK, but then we just want to adapt it slightly because we don't want to make it quite so greedy. There we go: you can see the matches are all highlighted. If we list the matches just to get a nice view of what's going on, we want to treat them as decimal (let me spell "decimal" right, there we go), with the delimiter as a line feed, and then we want to change it to hex, because that's where the money is, right. So "To Hexadecimal", there we go, so there's the hex of our shellcode. What we can also do in here is disassemble it, actually, so say 32-bit shellcode; so here's our shellcode, but you'll notice that it doesn't really look right: there are some instructions in here and I've got some question marks and stuff like that that doesn't really decompile well, and I'll show you why.

What we should do is take that out, copy it (hopefully my copy-paste will work, we'll see), jump down here, go into HxD, create a new file, copy it in, save it and call it shellcode.bin. So we've now got shellcode, which is position-independent code. We need a way of converting this into an executable, putting an executable wrapper around it in order to then run it and debug it. One of the tools that I like to use is from Hexacorn, who developed a super simple bat file called shellcode2exe. I'll share the link where you can get this from his website; I've just extracted it here to my desktop. It's a cool little bat file: open a command window, shellcode2exe.bat, you have to specify the architecture, whether it's 32- or 64-bit, and then just feed it shellcode.bin, and then it's done; it creates me a nice little exe wrapped around that shellcode. So now we can stick it into x32dbg (my machine's going crazy, my fan's going crazy, I must be doing something in the background that it doesn't like; anyway) and we can do some analysis on it.

So there are some instructions here that I'm not familiar with and I'd have to go and Google. I don't know what fabs means, probably something to do with ABS being the absolute value of something, but I don't really know. The first meaningful instruction is moving this big hex value into EBX. I have no idea what fnstenv means, so more instructions I don't know. What straight away grabs my eye is this XOR instruction, and you can see here that what's being XORed is a buffer at EDI+0x14 and EBX. So let's just walk through the first few lines of this code together. We can see here that that big value gets moved into EBX, whatever that value is, no idea; pop off EDI, that's got zero in it; XOR ECX, that just makes sure it's cleared; and we can see here that 0xD1 is moved into, sorry, yeah, into the lower half of ECX, which is CL; and then we subtract this big hex number from EDI. I'm no good with hex numbers, as I said, so let's convert hex to decimal: what was it, FFFFFFFC, and we can see that it's -4. All right, so we're going to subtract -4 from EDI, and subtracting a minus number adds it, so we can see here that EDI is the memory location 0x401000, which is our entry point. If we execute that we can see that it's increased by four because we've subtracted -4 from it. A bit weird, I know. Give me a second to take a drink just in case I start coughing. Anyway, so we've subtracted minus four, which is adding four to EDI, so if you think about it that puts us in here somewhere, right, in our memory space, right where we are. Then we're going to XOR the contents of EBX with whatever's at EDI+0x14; if we follow the address EDI+0x14, you can see here it's this memory address, 0x401018, which is right by where we are, and you can see that the hex is BD 95 83 25, and notice BD 95 83 25 there in the following instructions. You can see we're in a little loop here, this little XOR loop, and so if you take this next instruction you can see that as soon as you XOR, those instructions change, so it's almost like the next instruction has been XORed, and now we're in a loop. If we go back to the top of the loop we can see again it's going to subtract -4 from EDI, which is add another 4 to EDI, so watch the value here: it's going to go to 0x401008, so we're going to take the next 4 bytes. There we go. Then we're going to XOR whatever's in EBX with the contents at EDI+0x14, so you can see here that EDI+0x14 is down here, which is 0x40101C, so we're now here; it's going to start XORing this part of the code, the next four bytes, and we're in the loop again. You can see that we're subtracting, XORing and looping all of the time, which is really cool, right.

Actually, what I failed to mention is that on each iteration of the loop the bytes that you are XORing also get added to the key. So there's the XOR key, which is held in EBX; it started off as this weird value here, but notice that the key changes each time, so you can't just use one key to statically un-XOR all of this stuff; you have to go through the loop. You can see EBX changing, so every time we're XORing the bytes the output is fed back into the XOR key, and then we loop through this XOR set, and you can see all of the code changing beneath you. It's a little bit boring to sit there and do this manually, so just breakpoint on the instruction after the loop, press F9 and take your breakpoint off, and now all of this code has been un-XORed. So we've now unpacked the shellcode, and we can actually poke around it and try and find out exactly what's going on.

Out of interest, just to go through it in a little bit more detail, the next instruction is this call to this particular memory location, and we can see here that some of these values are being pushed and there's a call to EBP, and some more calls to functions etc. What I would do first off, and what I started to do, is think: well, these are weird values; why would you push these weird hexadecimal values to the stack? So convert them from hex, and you can again use CyberChef for stuff like this (when it wakes up). If we use CyberChef we can quite easily convert the hexadecimal, so it was 74 65 6e, from hex, and you can see the output is "ten". But don't be confused by that, because these are being pushed to the stack, and that means they're going to be popped off the stack and read in the reverse order because of our endianness, that's our little-endianness. So what we want to do is reverse the string, because they're going to be popped off in the reverse order, so actually what we've got is "net", and then the next string, 69 6e 69 77, so you can see "wini", "net", and obviously that's the name of a DLL, wininet.dll. So this is how it resolves its DLLs. If we step through this here, we can see in ESP the string being built up here, "wininet.dll", and it's going to make a call to that particular function, and no doubt there are a lot more APIs it's going to potentially resolve as well.

What you can also do, as we've still got Burp Suite intercepting the traffic here: let me restart the binary. You can actually just run this, and what you'll notice is that it will hopefully produce a C2 for us, so it's going to resolve its DLLs and all of the functions that it wants to use, and then it's going to hopefully give us something to work with. You can see it's still running, and in fact the last time I ran this it broke on an error, so you can see I've got a first-chance exception. Something's gone wrong, and I think actually built into the shellcode is some anti-debug stuff, so it's probably throwing errors because it knows it's being debugged. But notice I had this C2 connection to www.arla.com, requesting a .gif. When I first saw that I thought, great, that's the name of the C2 address, and actually if you go to it (let's copy the URL) I thought, I'm sure I recognise the name Arla, and I do, because it's the brand of milk that I drink, and I thought, I wonder what this is about, surely Arla has not been compromised and is being used as a Cobalt C2, blah blah blah. Then I noticed, if you look down here in the request, the Host header is a subdomain on azureedge.net, and so this looks to me like a prime example of domain fronting.

Now I'm certainly not an expert on domain fronting, and every time I read a blog about it it confuses me. However, the basics as I understand them are that you can smuggle a request to a content delivery network by using a genuine website like arla.com, for example, and because the Host header doesn't match the request, i.e. the actual domain that you're requesting, that's going to smuggle itself out through a network, because what you're going to see in your logs is a request to arla.com, which is probably going to be permitted; it's not going to be a website which is blocked due to its category etc. But actually the request is going to get forwarded by the underlying server to this azureedge.net subdomain. So definitely do more research on domain fronting. But if you went to this particular subdomain you'd see that actually we get a 502 Bad Gateway, and that's what we got here in Burp Suite as well, so it looks like the code behind that beacon has been taken down. I think (I'm making an assumption here) that's probably why the shellcode, or the Excel file, was crashing; maybe it didn't get to execute everything it needed to, I'm not quite sure. It could be that the architecture of my machine isn't right for the particular environment that this Excel file is targeting, so it might have actually tried to execute the wrong type of shellcode or the wrong kind of API call, I don't know, I haven't done that fuller analysis yet. However, the message, really, from this video and the whole point of it is: even when you run your malware in your lab, even if it crashes and you're not getting any kind of potential infection, still perform that static analysis and still get all of the indicators you can, because lo and behold we've managed to get ourselves a network indicator here that we couldn't get from our behavioral
analysis and that's really really key and now you understand the kind of techniques the bad guys have used to smuggle their code in the network style of request that they're making etc so yeah really really fun stuff really interesting sample thanks again to to RT Kara hodo who sent this over to us I really enjoyed taking a look at it and and definitely look forward to your onward research and comments as well so hopefully that's have useful to you in terms of the techniques used and the the tools and the systems and stuff like that and yeah we'll talk soon thanks all Cheers
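The three manual steps the video walks through (stepping a rolling-XOR decoder loop whose key in EBX is updated from every decoded dword, decoding the PUSH'd hex constants that spell out a DLL name in little-endian order, and spotting the mismatch between the requested domain and the Host header) can each be scripted for triage. The following is an added Python example written for this page; it is not code from the video, from Colin Hardy, or from the sample being analysed. The key-update rule (key += decoded dword), the sample plaintext, the starting key and the hostnames are all assumptions or constructed values; only the 74 65 6e ("ten"/"net") constant comes from the video.

```python
"""Analyst helpers modelled on the three manual steps described in the video.
Added example; the encoding scheme and all sample data are constructed."""
import struct
from typing import List

MASK32 = 0xFFFFFFFF


def rolling_xor_decode(blob: bytes, key: int) -> bytes:
    """Decode a blob XOR-encoded one dword at a time, where the key is rewritten
    after every dword by adding the decoded value to it (assumed scheme, mirroring
    'the bytes you are XORing also get added to the key'). A single static key
    therefore only works for the first dword."""
    if len(blob) % 4:
        raise ValueError("blob length must be a multiple of 4")
    out = bytearray()
    for off in range(0, len(blob), 4):
        enc = struct.unpack_from("<I", blob, off)[0]
        plain = enc ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & MASK32      # key evolves with the output
    return bytes(out)


def rolling_xor_encode(plain: bytes, key: int) -> bytes:
    """Inverse of rolling_xor_decode; used here only to build a constructed test
    blob so the decoder can be exercised offline."""
    padded = plain + b"\x00" * (-len(plain) % 4)
    out = bytearray()
    for off in range(0, len(padded), 4):
        p = struct.unpack_from("<I", padded, off)[0]
        out += struct.pack("<I", p ^ key)
        key = (key + p) & MASK32
    return bytes(out)


def static_xor_decode(blob: bytes, key: int) -> bytes:
    """Naive decode with one fixed key, kept only to show why it fails after the
    first dword on a rolling-key encoder."""
    return b"".join(
        struct.pack("<I", struct.unpack_from("<I", blob, off)[0] ^ key)
        for off in range(0, len(blob) - len(blob) % 4, 4)
    )


def stack_string(pushed_dwords: List[int]) -> str:
    """Recover the ASCII string that a run of PUSH imm32 instructions builds on
    the stack. The last value pushed lands at the lowest address, so the dwords
    are laid out in reverse push order, each little-endian; reading from ESP
    gives the string up to its NUL terminator."""
    raw = b"".join(struct.pack("<I", d) for d in reversed(pushed_dwords))
    return raw.split(b"\x00", 1)[0].decode("ascii")


def looks_domain_fronted(url_host: str, host_header: str) -> bool:
    """Flag a request whose URL host (what a proxy or DNS log shows) differs from
    its Host header (what the CDN actually routes on). A mismatch is a triage
    indicator worth a closer look, not proof of domain fronting."""
    norm = lambda h: h.strip().lower().rstrip(".")
    return norm(url_host) != norm(host_header)


if __name__ == "__main__":
    # Constructed plaintext and key; not bytes from the real shellcode.
    secret = b"push 0x74656e then push 0x696e6977 -> wininet"
    key0 = 0xDEADBEEF
    blob = rolling_xor_encode(secret, key0)
    print(rolling_xor_decode(blob, key0).rstrip(b"\x00"))   # full plaintext back
    print(static_xor_decode(blob, key0)[:8])                # only first 4 bytes right
    # 0x74656e is the constant from the video ("ten" as raw hex, "net" on the stack);
    # 0x696e6977 is the constructed companion dword spelling "wini".
    print(stack_string([0x74656E, 0x696E6977]))             # wininet
    # Constructed hostnames standing in for the front domain and the CDN edge subdomain.
    print(looks_domain_fronted("front.example", "edge.cdn-example.net"))
```

When triaging a crashed sample as in the video, run the rolling decoder against the bytes dumped from the debugger at the loop's entry with the initial EBX value, and feed each run of PUSH immediates into stack_string to list the DLL and API names the shellcode resolves before it ever reaches its network call.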
Info
Channel: Colin Hardy
Views: 7,432
Rating: 4.9695816 out of 5
Keywords: malware, reverse engineering, malware analysis, cyber security, apt, cobalt strike, shellcode, process injection, excel 4.0, xlm, macros, red team
Id: XnN_UWfHlNM
Length: 39min 47sec (2387 seconds)
Published: Tue Nov 26 2019