A javascript file – Invoice from UK

It’s been quite a while I was able to analyse my spam emails. Recently, I received an email with a zip attachment claiming to be an invoice. Screenshot of the email below.


Email Analysis :

  • sender : Woodard.52@sunshine-yorkshire.co.uk
  • IP – extracted from the header : – 602ad0ccae26.softphone.blizoo.bg – Blugaria
  • Sender does not know my name so addressed me with my email id – Chances of using a phishing tool – sending random phishing emails.
  • No mention of the organisation Mr Royce is representing – Likely sunshinecare – but no mention in signature. Sunshhine care is and provides health and social care services in UK.


  • Zip file with my email id : myemailid_addition_028146
  • Contains javascript : addition-7866.js

Javascript analysis:

  • Javascript seems to be incomplete and functions are not properly defined
  • only see eveal :  eval(aZRcdUoP1.split(”).reverse().join(”));
  • aZRcdUoP1 is only defined variable however it is commented out.
  • Function aZRcdUoP1.split is not defined at all.

There is no other html files in the attachment that references the script. Uploaded the file to VirusTotal and results were interesting – 22 vendors identified as malicious – https://www.virustotal.com/en/file/b35cf64a33c965b36e4de6d7a6e1a6bb088d8070e202326c941700c6dfd8800e/analysis/1466653302/

File was also analysed using jsdetox and jsunpack and nothing was detected. It is likely that same filename was analysed previously via VirusTotal which has links or IOC’s as detected by vendors.Below are the file details:

  • MD5: ee427a22d3a6e25251bbfb7bc3823140
  • SHA1: d675fddd4e85400a8f712792f6711dbf0e003c34
  • SHA256: b35cf64a33c965b36e4de6d7a6e1a6bb088d8070e202326c941700c6dfd8800e

JS was not able to execute as by default windows script host can only execute script with less than or equal to 1022 characters. You can always change it but the solution is beyond this article.

Final words:

The email address and language is quite good but malware/js is quite old and not properly scripted. Attachment is zip and with only one js. also, the malware is widely known.

Security Controls:

  • Endpoint protections – normally all corporate organiations has it
  • Changing file extensions – If for some reasons endpoints are not updated or not available on the system, a good way to make sure foreign files do not execute on the system, one can change their default application – for example an .js file on the system can be opened in notepad – can change from group policies. This will make sure any foreign/malicious javascript that managed to get into the system will open as text file which will not infect the system and notify user of a file which should not be there.
  • Email gateway tuning – must be properly tuned to make sure these type of emails are considered spam – mostly all properly tuned will do so – mentioned email/IP can be updated on the security devices.

The Vendor, The MSSPs and The Consultant

I have been waiting for quite a while to write something about my experience with vendors, MSSPs and consultants. This is my own opinion and is not targeting any specific entity. I have worked with multiple vendors, MSSPs and consultants and what I have always noticed is, the “OUR” attitude. I do understand they are here to make money and sell their services/solutions, but there is nothing wrong in sprinkling it with some honesty.

  • Vendors – Buy our products and you will be safe.
  • MSSPs – Subscribe to our services and you will be safe.
  • Consultants – Implement our recommendations and you will be safe.

We all know once you are connected to Internet eventually there would be someone to target and successfully gain access to your systems. Its not about ‘if’ its about ‘when’ (SANS GCIH). There are no “PERFECT” systems. There are ways to access air-gapped systems too. But this is beyond this article.

I see, Vendors are for detection and prevention – MSSPs are more reactive – but lot of customers and few eyes and sometimes those eyes are not much experienced – Consultants – How many consultants have actually used the product that they are endorsing/recommending – wouldn’t it be good if they are recommending a product/solution that they have actually used.

This attitude is one of the many reason why organisations get breached – ofcourse security awareness and correct implementation of security controls is also required – but imagine, if all three work together and provide honest, correct and pro-active solutions to customers, it would be a completely different picture. Also, organisations need to heavily invest on people. Lot of organisations are relying on outsourcing their security, and completely depending on them. This concept is wrong and every organisations should have security team with expertise in multiple areas internally to have additional eyes on the organisation.

Understand, our adversary – CYBER CRIMINALS – work as a team and with a strategy and we should too.

CIF – Feodotracker threat feeds

Good Day guys!!!!!.

Was able to write another yml script to collect feeds from Feodotracker and has been uploaded on my github account and also a project that I am honoured to work on with CSIRT (with guidance of Wes Young) – BEARDED AVENGER. This is a new version of CIF.

Threat feeds is provided in RSS format and therefore RSS parser have been used. YML script is available on my github account – https://github.com/makflwana/CIF-Threat-Feeds-and-parsers

Happy Hunting!!!!!!!

CIF – cleanmx threat feeds

Good Day today indeed. Have finally got some time to work on my skills for CIF and writing configuration (YAML scripts) to fetch open source threat feeds.

Started with a disabled configuration (/etc/cif/rules/disabled/cleanmx.cfg) for cleanmx. The cleanmx.cfg file provided should be referenced for the remote sites and id for cleanmx, that will require to write yml script.

The threat feed is provided in XML format and remote site link can be fetched either from the config file or directly from the cleanmx site (support.clean-mx.de). I will always recommend to check the links for the feeds on the browser regularly to see whether it is responding and whether it is correct link to fetch the feeds. Sometimes they change.

YML script is available on my github account – https://github.com/makflwana/CIF-Threat-Feeds-and-parsers

I will be writing more scripts to fetch open source threat feeds. If you guys have any threat feeds that are open source and not covered yet please let me know.

Happy Hunting!!!!!!!

CIF – Collective Intelligence Framework – My deployment

Morning Everybody!!!!

Been working on crafting my skills in Threat Intelligence and available open source system. As the title says I have been working on CIF from CSIRT and wanted to share my experience and my personal future developments.

Following are few screenshots of the system :

threat feeds ioc type applicationscif map

CIF comes with few default threat feeds and parsers. The scripts have parsers and remote hosts that are sending feeds. IOCs (Indicators of Compromise) such as IP address, URL, MD5 etc are fetched from the feeds. The scripts are written in YAML – human reabable text based language.

Visualisation is provided by Kibana (works on kibana 3 – shown above and Kibana 4 ) and ElasticSearch (1.4) is as database. Working on getting this to be updated on 2.x – requires full cluster update.

Experience :

  • I am running on a VM, Ubuntu, and have no issues. Sometimes do have to restart apache2, elasticsearch and cif services to populate custom dashboards and real-time data. Although one can make it as automated task by scripting or configure in cron tab.
  • System responsiveness is very good and intelligence feeds are quite good. Can be easily integrated with SIEM for additional context.
  • If you are security researcher and able to identify new IOC, you can update them on csirt.io and than it can be pulled as feeds onto the system – https://csirtg.io/users/makflwana/feeds

Future work:

  • I am currently working on more feeds – open source and writing parsers for them. I will be updating them on my github account : https://github.com/makflwana
  • STIX and TAXII – if i can
  • Working with CSIRT with regards to cif v3 – Bearded Avenger

Final words:

This is an excellent open source initiative from CSIRT (http://csirtgadgets.org/) in providing us with a framework and platform to share intelligence. One of the reason why hackers are one step ahead is they have better information sharing than organisation fighting against them and most of that is free and available in underground – dark net as we say. Meanwhile, vendors charges thousands and millions to share threat information.