Category Archives: Malware

[ n00b Post ] How to check if you have the MS17-010 Windows Security Update installed

There are many blogs out there that encourage users to update their Windows OS, in particular to install MS17-010, to protect them from falling victim to WannaCrypt.

But how does a normal home user know whether their machine already has the latest security update and is protected from this?

I’ll describe in detail how normal home users can check whether their systems are updated or not.

  1. The number of the security update file is usually tied to a KB (Knowledge Base) number. We can find the official Security Bulletin here: “Microsoft Security Bulletin MS17-010 – Critical”.

    Figure 1: Screenshot of KB numbers

  2. The numbers in the brackets are the KB numbers. Now that we know which security update file we should install, let’s check which security updates are already installed on our Windows machine. We can use a tool built into Windows, systeminfo, to do just that.
    Figure 2: systeminfo command

    Once we run it, we should see something like the image below:

    Figure 3: Screenshot of returned output from systeminfo

  3. As you can see, my VM didn’t have the latest Security Update. Windows 7 requires “4012212” or “4012215”, depending on your Windows 7 version.
  4. From the bulletin linked earlier, click on the relevant Security Update file that we should install.
  5. In my case, after clicking the link for my version, we should see the following image:

    Figure 4: Downloading of Security Update file
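For readers who would rather script the check than read the systeminfo screenshot, here is an added example (my own code, not part of the original post). It parses the “Hotfix(s)” section of `systeminfo` output for KB numbers and tests for the two Windows 7 KBs named above. The systeminfo text embedded below is constructed for the example, not the VM output from the post.

```python
import re
import subprocess
from typing import Iterable

# Constructed sample of systeminfo output (example only, not the post's VM).
# The hotfix list is deliberately short and does not contain the MS17-010 KBs.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN7-VM
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB2999226
                           [03]: KB3020369
Network Card(s):           1 NIC(s) Installed.
"""

# The two KB numbers the post gives for Windows 7; either one carries MS17-010.
WIN7_MS17_010_KBS = ("KB4012212", "KB4012215")

# Matches "KB" followed by the 6-7 digit article number used in hotfix lines.
KB_PATTERN = re.compile(r"\bKB(\d{6,7})\b", re.IGNORECASE)


def installed_hotfixes(systeminfo_text: str) -> set:
    """Return the set of KB identifiers named anywhere in systeminfo output."""
    return {"KB" + m.group(1) for m in KB_PATTERN.finditer(systeminfo_text)}


def has_update(systeminfo_text: str, required: Iterable[str]) -> bool:
    """True if at least one of the required KBs appears in the hotfix list."""
    installed = installed_hotfixes(systeminfo_text)
    return any(kb.upper() in installed for kb in required)


def check_live() -> bool:
    """Run systeminfo on this machine (Windows only) and apply the same check."""
    out = subprocess.run(["systeminfo"], capture_output=True,
                         text=True, check=True).stdout
    return has_update(out, WIN7_MS17_010_KBS)


if __name__ == "__main__":
    print("sample VM has MS17-010:", has_update(SAMPLE_SYSTEMINFO, WIN7_MS17_010_KBS))
```

One caveat when reading the result: a later monthly rollup that supersedes these updates carries a different KB number, so an absent KB4012212/KB4012215 is a prompt to check Windows Update, not proof by itself that the machine is exposed.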

I hope this is a simple-to-understand guide for home users.
I promised that I would write technical blog posts again. 😀

Best Regards
Jacob Soo

[ Technical Teardown : “Your 2016 Tax Report From IRAS”. In Word 2003 XML Document (.xml)? ]

Several days ago, I saw this “Old Technique” being used again, but I wasn’t interested in it until today, when I saw that it’s trying to spoof the Inland Revenue Authority of Singapore (IRAS).

So what is this “Old Technique” that I’m talking about? It’s basically the good old “Word 2003 XML Document” trick. I’ll walk you through the entire process.

[ Sample used in the analysis ]
MD5: 25abc03eb402c1b6b99543cca626c78d
SHA256: 143c59cf481a921b99061557684194041d8462cd31f75ff806b9f1b22940a35d

[ Part 1 : Getting Started ]
For those who want to follow along, this is a link to the email file: 143c59cf481a921b99061557684194041d8462cd31f75ff806b9f1b22940a35d

Do note, this is a MALICIOUS file, so please do the analysis in a “safe” environment. The password to the attachment is “infected29A”.

Now, let’s start getting our hands dirty…and open the suspicious email with Visual Studio Code.

As we can see from the above image, the attacker is sending this spoofed email as if it came from IRAS, and we can find out several things from the email headers:


  • Date: Wed, 26 Apr 2017 06:51:42 +0800
  • From (possibly spoofed): “Inland Revenue Authority of Singapore “<>
  • Subject: [IRAS: IMMEDIATE ATTENTION] Your 2016 Tax Report!!!
  • Message-ID: <77724133945041300816867@WIN-2TAK14O2BL3>

However, if we analyse the Received headers properly, we can tell that the attacker probably sent this from this IP address:

Received: from
( [])

Based on the above image, we can see from the contents of the email message that it’s a social-engineering lure asking the victims to open the “doc” file.



[ Part 2 : Email attachment ]

Now let’s look at the attachment, shown below. It is Base64-encoded, so let’s decode it.

What is interesting is that after Base64-decoding it, I don’t see a .doc file. Rather, what we see is an XML file, as shown here.


When you open a Microsoft Office Word 2010 XML document, Word 2007 XML document, or Word 2003 XML document, Internet Explorer does not display the document itself. Instead, if Microsoft Office is installed, Microsoft Word opens the XML document. Why is this so?

Let’s take a look at the image above. Starting from Word 2003, Word documents can be built using XML in what Microsoft calls WordprocessingML. Windows detects this XML (because of the mso-application declaration) and launches Word if you double-click it. Microsoft has a good overview of WordprocessingML here.

But let’s inspect this XML file first.


First thing that caught my eye is this.

It seems like it’s asking victims to “Enable Content to view”. Smells like macros again.

If we were to look further down, we can see the reference to “/word/vbaProject.bin” as shown in the image below.

Ok, more Base64 decoding to do. Once we decode it, we can spot the familiar OLE compound-file header “D0CF11E0A1B11AE1”.

Ok, now let’s save this Base64 decoded file and use Profiler to parse it again and we should be able to see this.
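The steps above (spot the mso-application declaration, find the binary part named /word/vbaProject.bin, Base64-decode it, check for the D0CF11E0A1B11AE1 header) can be done without opening the file in Word. The Python below is an added example of mine, not code from the post. It assumes the two XML layouts in which Word stores a document as a single XML file: the Word 2003 WordprocessingML form (`w:binData` elements) and the Word 2007+ flat package form (`pkg:part`/`pkg:binaryData`, which is where a part name like “/word/vbaProject.bin” appears). The embedded document is constructed for the example; its vbaProject part is a dummy blob that merely starts with the OLE signature.

```python
import base64
import re
import xml.etree.ElementTree as ET

# OLE compound-file signature the post spots after decoding (D0CF11E0A1B11AE1).
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# Constructed sample (not the post's file): a minimal flat-package Word XML
# document with a lure paragraph and a "/word/vbaProject.bin" binary part.
_FAKE_VBA = base64.b64encode(OLE_MAGIC + b"\x00" * 24).decode()
SAMPLE_XML = f"""<?xml version="1.0" standalone="yes"?>
<?mso-application progid="Word.Document"?>
<pkg:package xmlns:pkg="http://schemas.microsoft.com/office/2006/xmlPackage">
  <pkg:part pkg:name="/word/document.xml" pkg:contentType="application/xml">
    <pkg:xmlData><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>Enable Content to view</w:t></w:r></w:p></w:body></w:document></pkg:xmlData>
  </pkg:part>
  <pkg:part pkg:name="/word/vbaProject.bin" pkg:contentType="application/vnd.ms-office.vbaProject">
    <pkg:binaryData>{_FAKE_VBA}</pkg:binaryData>
  </pkg:part>
</pkg:package>
"""

PKG_NS = "{http://schemas.microsoft.com/office/2006/xmlPackage}"
WML_NS = "{http://schemas.microsoft.com/office/word/2003/wordml}"
# The processing instruction that makes Windows hand the XML to Word.
MSO_APP = re.compile(r'<\?mso-application\s+progid="([^"]+)"\s*\?>')


def mso_progid(xml_text):
    """Return the progid in the mso-application declaration, or None."""
    m = MSO_APP.search(xml_text)
    return m.group(1) if m else None


def binary_parts(xml_text):
    """Yield (name, decoded_bytes) for every Base64 binary part in the document."""
    root = ET.fromstring(xml_text)
    # Word 2007+ flat package: pkg:part with a pkg:binaryData child.
    for part in root.iter(PKG_NS + "part"):
        data = part.find(PKG_NS + "binaryData")
        if data is not None and data.text:
            yield part.get(PKG_NS + "name"), base64.b64decode(data.text)
    # Word 2003 WordprocessingML: w:binData with a w:name attribute.
    for bd in root.iter(WML_NS + "binData"):
        if bd.text:
            yield bd.get(WML_NS + "name"), base64.b64decode(bd.text)


def triage(xml_text):
    """Summarise the indicators an analyst checks first on a Word XML file."""
    parts = list(binary_parts(xml_text))
    return {
        "progid": mso_progid(xml_text),
        "parts": [name for name, _ in parts],
        "ole_parts": [name for name, blob in parts if blob.startswith(OLE_MAGIC)],
        "has_vba": any(name.endswith("vbaProject.bin") for name, _ in parts),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_XML))
```

A part that starts with the OLE signature is itself a compound file; the VBA project inside it still has to be pulled apart with an OLE parser (Profiler, as the post does, or olevba), which is the step that follows.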

Ok, let’s deobfuscate this Macro and we should get back something like the following:

So basically it’s just downloading the payload from http://travelbag[.]ca/lk/lk/kdabz.exe

The hash of this malware is “305B32DDC8786A56FABDA1114F6BF549AEB1B283FB3915D6076D49A7E5265FCB”.

Since that malware is developed in .NET, I shall leave the reversing of the malware as an exercise for the readers.

[ Part 3 : Side Note ]

I know some of you are wondering whether the attackers made this by hand. I highly doubt so. I don’t want to encourage script kiddies to replicate this, but it’s really simple 🙁

Thanks & Regards
Jacob Soo



[ Technical Teardown: Analysing MalSpam Attack – 標的型攻撃メール (targeted attack email) ]

Yesterday afternoon, there was an alert about a MalSpam attack happening in Japan.

Malware authors have been sending malware via zipped attachments in spam emails for a long time, but many people are still puzzled at why/how it works. I will try to fill in the required information about where to look for information and how to decode some of it.

Firstly, we are going to learn a bit about the .msg file format and how it is used to store a message object in a .msg file, which can then be shared between clients or message stores that use the file system.

In order to analyze the .msg file without Outlook, we can read more about the file format from:

The purpose of this post is to give a better technical understanding of how attackers make use of spam emails to spread malware.

[ Sample used in the analysis ]
MD5: 3370c5c8d0f42a33a652de0cc2f923ed
SHA256: 8613d560b4ab064bb6380fd999b65ef1a436b1f16161ef8789137691e8844587

[ Part 1 : Getting Started ]
For those who want to follow along, this is a link to the .msg file: 8613d560b4ab064bb6380fd999b65ef1a436b1f16161ef8789137691e8844587

Do note, this is a MALICIOUS file, so please do the analysis in a “safe” environment. The password to the attachment is “infected29A”.

Now, let’s start getting our hands dirty…and open the suspicious .msg file using Profiler.


Each “__substg” stream contains a valuable piece of information. The first four of the eight hex digits at the end tell you what kind of information it is (the property); the last four tell you the type (binary, ASCII, Unicode, etc.).

  • 0x007d: Message header
  • 0x0C1A: Sender name
  • 0x0C1F: Sender email
  • 0x0E1D: Subject (normalized)
  • 0x1000: Message body

Since this is a forwarded email (subject: SOC-Mail00135 【注意:標的型攻撃メール?】FW 固定床炉処理日報, i.e. “[Caution: targeted attack email?] FW Fixed-bed furnace processing daily report”), we can see that it is most probably a spoofed email purporting to come from a Japanese institution.


[ Part 2 : Email attachment ]
Since we can’t do a proper email investigation, let’s look at the attachments. Let’s look at “Root Entry/__attach_version1.0_#00000000” and refer to the specification again.

  • Attachments (0x37xx):
  • 0x3701: Attachment data
  • 0x3703: Attach extension
  • 0x3704: Attach filename
  • 0x3707: Attach long filename
  • 0x370E: Attach mime tag

If we were to look at “__substg1.0_3704001F”, we will see that the filename of the attachment is called “” and the display name “__substg1.0_3001001F” of the attachment is called “”.
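The stream-name decoding described above (four hex digits of property tag, four of type) is mechanical, so here it is written out in Python as an added example of mine, not code from the post. The property table is the two lists above plus 0x3001 (display name), which the post references by stream name; the type codes are the standard MAPI ones (0x001F Unicode string, 0x0102 binary, and so on). The entry listing it walks is constructed for the example, not a dump of the post’s sample.

```python
import re

# Property tags from the two lists in the post, plus 0x3001 (display name).
PROPERTY_NAMES = {
    0x007D: "Message header",
    0x0C1A: "Sender name",
    0x0C1F: "Sender email",
    0x0E1D: "Subject (normalized)",
    0x1000: "Message body",
    0x3001: "Display name",
    0x3701: "Attachment data",
    0x3703: "Attach extension",
    0x3704: "Attach filename",
    0x3707: "Attach long filename",
    0x370E: "Attach mime tag",
}

# Standard MAPI property types: the low four hex digits of the stream name.
TYPE_NAMES = {
    0x001E: "PT_STRING8",   # 8-bit string
    0x001F: "PT_UNICODE",   # UTF-16LE string
    0x0102: "PT_BINARY",
    0x000D: "PT_OBJECT",    # attachment stored as a sub-storage, not a stream
}

SUBSTG = re.compile(r"^__substg1\.0_([0-9A-Fa-f]{4})([0-9A-Fa-f]{4})$")
ATTACH = re.compile(r"^__attach_version1\.0_#([0-9A-Fa-f]{8})$")


def parse_stream_name(name):
    """Decode one compound-file entry name into what it holds."""
    leaf = name.rsplit("/", 1)[-1]          # drop a leading "Root Entry/..." path
    m = SUBSTG.match(leaf)
    if m:
        tag, ptype = int(m.group(1), 16), int(m.group(2), 16)
        return {
            "kind": "property",
            "tag": tag,
            "type": ptype,
            "property": PROPERTY_NAMES.get(tag, "unknown (0x%04X)" % tag),
            "ptype": TYPE_NAMES.get(ptype, "unknown (0x%04X)" % ptype),
            "scope": "attachment" if 0x3700 <= tag <= 0x37FF else "message",
        }
    m = ATTACH.match(leaf)
    if m:
        return {"kind": "attachment", "index": int(m.group(1), 16)}
    return {"kind": "other", "name": leaf}


# Constructed entry listing (example only): the names quoted in the post plus
# a few typical neighbours.
CONSTRUCTED_ENTRIES = [
    "__substg1.0_0E1D001F",
    "__substg1.0_1000001F",
    "__substg1.0_007D001F",
    "Root Entry/__attach_version1.0_#00000000",
    "Root Entry/__attach_version1.0_#00000000/__substg1.0_3001001F",
    "Root Entry/__attach_version1.0_#00000000/__substg1.0_3704001F",
    "Root Entry/__attach_version1.0_#00000000/__substg1.0_37010102",
    "__properties_version1.0",
]


def attachment_streams(entries):
    """Return the attachment-scoped (0x37xx) property streams with their meaning."""
    out = []
    for e in entries:
        info = parse_stream_name(e)
        if info["kind"] == "property" and info["scope"] == "attachment":
            out.append((e, info["property"], info["ptype"]))
    return out


if __name__ == "__main__":
    for e in CONSTRUCTED_ENTRIES:
        print(e, "->", parse_stream_name(e))
```

The 0x3701 data stream is only a plain stream when its type is PT_BINARY (0x0102), as in “__substg1.0_37010102” here; an embedded message or OLE object is stored with type PT_OBJECT as a sub-storage instead, which is why a decoder should look at the type digits before trying to read the bytes.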


Now let’s look at the actual data located within “__substg1.0_37010102” as shown below.

We can see that the zip file contains a .docx file, “vhlwspyw.docx”.

Now, let’s press “Ctrl+A” to select the entire contents, then copy it into a new file as shown in the image below.


We can now analyse the .docx but let’s use Profiler instead since it can already parse this entire Outlook file and identify what is inside the attachment.

As we can see from the image below, the .docx contains an embedded OLE object, which is actually a JavaScript file.

The extracted JavaScript looks like this.

After deobfuscation, it’s using PowerShell to download the payload from http://ca[.]tradelatinos[.]co/js90.bin?LIOv

However, the payload was unavailable when I tried to grab it, but I’ve found these other js90.bin samples from the same campaign.

Hashes of Malicious .DOCX

Hashes of Malware

These are all Ursnif or Dreambot, and there are articles and reversing tutorials on them, so I shall leave it as an exercise for the readers.


Some of the subject titles of the emails are:

「付け出し」(billing statement), 「発送の御連絡」(shipping notification), 「のご注文ありがとうございます」(thank you for your order of ...), 「固定床炉処理日報」(fixed-bed furnace processing daily report), 「給料振込の件」(regarding salary transfer)

Thanks & Regards
Jacob Soo

[ Technical Teardown: Exploit & Malware in .HWP files ]

This article will focus on teaching analysts how to analyse malicious JavaScript code within HWP files, and walks through how we can analyse .HWP files that were used to deliver malware.

[ 1st Sample used in the analysis ]
MD5: 8EB5A3F38EB3DE734037AA463ADE7665
SHA256: D0361ADB36E81B038C752EA1A7BDC5517B1E44F82909BC2BD27B77B2652667EE
As of writing, the detection rate for this sample according to VT is 12/54

[ Part 1 : Understanding OLE compound file ]
We need to first understand how OLE compound files work.
Inside these OLE compound files there are folders (storages) and files (streams). We will use SSViewer to take a look into the interior of the malicious .hwp file.

Most of the streams in .hwp files are “zlib compressed”. We can see from the image below that the structure of .HWP files differs from .doc files.

However, today we are going to focus on “DefaultJScript”. You may ask why. Well, think of “DefaultJScript” as the VBA of Office documents.



[ Part 2 : Getting Started ]
For those who want to follow along. Do note, this is a MALICIOUS file, so please do the analysis in a “safe” environment.

Now, let’s start getting our hands dirty…and open the suspicious .hwp file with Cerbero Profiler.

As we can see from the image below, the data within “DefaultJScript” looks gibberish. So how do we make sense out of it?


As I’ve mentioned earlier, most of the streams within .hwp are “zlib compressed”.
So let’s “Select All” within the “DefaultJScript” stream and press “Ctrl+T”.

Now let’s add “Unpack Zlib” and remember to check the “Raw” checkbox and add it as shown in the image below.


Then let’s press “Preview” and have a look.


After decompressing the raw bytes, we can start to see some readable words, but the text seems to be in Unicode (UTF-16, hence the interleaved 00 bytes).

Now let’s add in another filter to remove the “00” bytes.
Select “Replace“, change the mode to “Bytes” and add in “00” for the “In” value as shown below.


We should get back something like the one shown below.


If we analyse the decoded JavaScript, we can see more interesting stuff, as shown in the image below.


So it seems that the JavaScript is Base64-decoding the very long string and dropping it as “msvcr.exe”.
I wrote the following Ruby script to decode the Base64 string.

After Base64 decoding the string, the output file looks like this,

The hash of this malware is 765834b1b780dacda8baa671c76328445cb8278099bad375ee22130f48920a7a
We won’t be going through this malware this time round.
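The whole chain for the first sample (raw-inflate the DefaultJScript stream, get rid of the UTF-16 00 bytes, pull the long Base64 string out of the script and decode it) fits in a few lines of Python. The block below is an added example of mine and not the post’s Ruby script or any HWP-parsing library; it works on the bytes of a single stream that you have already exported from the compound file with SSViewer or Profiler. The stream it runs on is constructed for the example: a harmless script whose “dropped file” is a dummy blob that only starts with the PE “MZ” marker.

```python
import base64
import re
import zlib


def _raw_deflate(data: bytes) -> bytes:
    """Compress without zlib header/trailer, matching the 'Raw' box in the post."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


# Constructed stand-in for a DefaultJScript stream (example only): UTF-16LE
# script text, raw-deflate compressed. The payload is a fake 60-byte "PE".
_FAKE_EXE = base64.b64encode(b"MZ" + b"\x90" * 58).decode()
_SCRIPT = f'var data = "{_FAKE_EXE}";\nfunction drop() {{ return decode(data); }}\n'
SAMPLE_STREAM = _raw_deflate(_SCRIPT.encode("utf-16-le"))


def inflate_stream(blob: bytes) -> bytes:
    """Inflate an HWP stream: raw deflate first, then zlib-wrapped as fallback."""
    for wbits in (-15, 15):
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            continue
    raise ValueError("stream is not deflate/zlib compressed")


def decode_script(raw: bytes) -> str:
    """Turn inflated bytes into text.

    Decoding as UTF-16LE replaces the post's 'replace 00 bytes' filter and,
    unlike that filter, keeps non-ASCII characters intact.
    """
    if len(raw) % 2 == 0 and raw[1:2] == b"\x00":
        return raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return raw.decode("latin-1")


# A quoted Base64 literal long enough to be an embedded file.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/=]{64,})"')


def extract_payloads(script_text: str):
    """Base64-decode every long string literal and record what it starts with."""
    found = []
    for lit in B64_LITERAL.findall(script_text):
        try:
            blob = base64.b64decode(lit, validate=True)
        except ValueError:
            continue
        found.append({"size": len(blob),
                      "is_pe": blob.startswith(b"MZ"),
                      "head": blob[:4]})
    return found


def analyse(stream_blob: bytes):
    """Run the full chain on one exported DefaultJScript stream."""
    text = decode_script(inflate_stream(stream_blob))
    return {"script": text, "payloads": extract_payloads(text)}


if __name__ == "__main__":
    result = analyse(SAMPLE_STREAM)
    print(result["script"])
    print(result["payloads"])
```

If the first inflate attempt fails on a real stream, the fallback to a zlib-wrapped stream is the equivalent of unticking the “Raw” checkbox in Profiler; the header bytes tell you which form you have.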

[ 2nd Sample used in the analysis ]
MD5: a986a3fdf2afba98de21f0596a022b9b
SHA256: bd8fa7793f2192d4ff3979526955d5d6c965218eb0c0fe579f8ef0602357d5a9
As of writing, the detection rate according to VT is still pretty low. 3/53

[ Part 3 : Getting Started on analysing Exploits in .HWP files ]
This is a .hwp file containing an exploit (Most probably CVE-2013-4979 or CVE-2013-0808).
I drew a diagram like the one shown below to illustrate the general idea of how this exploit works.


For this particular exploit, the first thing we should be looking at is BinData/BIN0001.EPS as shown below.

There is an unknown error upon opening the document using hwp2010.

Nevertheless, analysis can still be done by extracting the EPS file from the document.
Let’s do a quick network check by opening the EPS file using hwp2010: with FakeNet or a similar tool we can see that the exploit is indeed executed and connects to www.ethanpublishing[.]com/ethanpublishing/phpcms/templates/default/member/account_manage/teacup.jpg

We suppose that “teacup.jpg” is most likely the payload. However, the jpg file is no longer available at that URL, so we cannot conduct further analysis on it.


Let’s go on to focus our analysis on the vulnerability that was exploited by the EPS file.

Opening the EPS file in a text editor, we can identify a few components of the exploit.
The green block represents a NOP sled using 0xB5.
The blue block represents a NOP sled using 0x90.
The red block represents the shellcode.


Following the shellcode is this line of PostScript:

This command performs a “heap spray”: 500 blocks of the NOP sleds and shellcode are ‘sprayed’ into memory. The NOP sleds and shellcode are allocated as a string with a length of 65535 characters.

Next we want to determine which vulnerable process the exploit is targeting.
We do so by searching for traces of the NOP sleds and shellcode in the memory of the candidate processes.
At first it looks like the vulnerable process is likely hwp.exe or HimTrayIcon.exe.


However, we could not locate any trace of the NOP sleds and shellcode in either process.

At this point, I wondered whether other child processes could be created by Hwp.exe. These child processes could have terminated after the execution of the shellcode.

One ‘trick’ we used was to modify the start of the shellcode with the opcode “0xEBFE”, which is actually an infinite loop. This allows the process that executed the shellcode to keep running without terminating.


Now we can attach our debugger to the gbb.exe process, where we located the NOP sleds and shellcode.


Now, after locating the vulnerable process, we have to debug into it to find where the vulnerable code is exploited.
We located the code where hwp.exe creates the gbb.exe process.


We modify the “CreationFlags” to CREATE_SUSPENDED. This allows us to attach a debugger at the start of execution of the gbb.exe process.


After tracing the code, we located the instructions in gsdll32.dll that executed the NOP sled “0xB5B5”, which is MOV CH,B5.


From the vulnerable instructions, we can more or less conclude that the vulnerability is indeed CVE-2013-0808.
For more information on CVE-2013-0808, you can read this article by CoreSecurity.

In the meantime, we hope you enjoyed reading this and we would be happy to receive your feedback!

Best Regards
Jacob Soo & peta909

[ Sharing ] Where’s Wally! – Tracking where did victims come from.

I’ve written about shortened URLs four times: twice on this blog and twice on an older website that I no longer maintain.

I have seen recently that a lot of people still blindly click on shortened URLs that they see on Facebook, forums or from “familiar names” on their smartphones.
Today, I will do a quick short post about 2 recent shortened URLs, what their purpose was and where the victims came from.

[ Case Study #1 ]
The 1st link, https://bitly[.]com/1TVH4va, leads to: http://onedayonemillion[.]com/postdk[.]apk
This .apk file is actually MazarBot.

You can read more about MazarBot here:

As a lot has already been written about MazarBot, we also want to know more about the URL, and the following URL shows the statistics of where the victims came from.

As you can see from the image below, there were 5,037 clicks on this shortened URL since 25th May 2016,
4,569 of them on 25th May 2016 alone.

8 of the clicks came from Facebook and 15 clicks from forums, mobile, etc. The rest are direct clicks on the shortened URL, possibly via SMS, WhatsApp, etc.

We can also see the Geographical distribution of the victims who clicked on this shortened url.

Based on the image above, it seems like most of the people were from Denmark and some other parts of Europe.
One thing that puzzled me and got me curious: why is the author of MazarBot targeting Danish people?


[ Case Study #2 ]
The next shortened url which we will be looking at is https://bitly[.]com/22kQ0Am

Again, let’s check the statistics and find the final URL by appending “+” (without the double quotes) to the shortened URL, as shown here:
h–ps://bitly[.]com/22kQ0Am redirects to h–p://dl[.]dropboxusercontent[.]com/s/rlqrbc1211quanl/accountinvoice.htm

Nice, the link is on DropBox. Let’s download the page using wget or anything that you prefer.
I decided to use wget as i already have it on this particular machine.

I just did a quick wget to check what is inside this accountinvoice.htm and I got back the following:

You can change document.write to console.log or alert to get back the unescaped string. But for the benefit of non-technical users, you can just go to
and paste the escaped string and decode it.
You should get back the following:

Great, it’s doing a redirect. Let’s do a base64 decode and we should get back this.

Hmmmm… seems like it’s a phishing link rather than an exploit-kit link, since the title is “Sign In”.

As I don’t want to alert the phisherman too much, I tweaked my wget as follows:

After I grabbed the page, we can see that it’s indeed a “Google Drive” phishing page.
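The decoding done by hand in Case Study #2 (append “+” to a bit.ly link for its statistics page, reverse the JavaScript unescape() in document.write, Base64-decode the redirect target) can be reproduced offline in Python. The block below is an added example of mine, not code from the post and not the wget commands the post used. It assumes the redirect inside the unescaped HTML is an atob() call, which is one common shape; the real page’s exact redirect line is not shown in the post, so the HTML here is constructed, with a .invalid destination in place of the real phishing URL.

```python
import base64
import re
from urllib.parse import urlsplit, urlunsplit


def stats_url(short_url: str) -> str:
    """bit.ly shows click statistics and the destination at <short link>+."""
    parts = urlsplit(short_url)
    return urlunsplit(parts._replace(path=parts.path.rstrip("/") + "+"))


# %uXXXX (UTF-16 code unit) or %XX, the two forms JavaScript's escape() emits.
_PCT = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s: str) -> str:
    """Reverse JavaScript's legacy escape()."""
    def repl(m):
        code = m.group(1) or m.group(2)
        return chr(int(code, 16))
    return _PCT.sub(repl, s)


DOC_WRITE = re.compile(
    r"document\.write\(\s*unescape\(\s*(['\"])(.*?)\1\s*\)\s*\)", re.S)


def decode_document_write(html: str):
    """Return the HTML hidden inside document.write(unescape('...')), or None."""
    m = DOC_WRITE.search(html)
    return js_unescape(m.group(2)) if m else None


B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def base64_urls(text: str):
    """Decode every Base64 run and keep those that decode to an http(s) URL."""
    out = []
    for run in B64_RUN.findall(text):
        try:
            dec = base64.b64decode(run, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if dec.startswith(("http://", "https://")):
            out.append(dec)
    return out


# Constructed sample page (example only): the real accountinvoice.htm is not
# reproduced here. The inner HTML redirects via atob() to a made-up .invalid host.
_DEST = "http://phish.example.invalid/signin"
_INNER = '<script>location.href=atob("%s")</script>' % base64.b64encode(_DEST.encode()).decode()
_ESCAPED = "".join("%%%02X" % b for b in _INNER.encode("ascii"))   # what escape() would emit
SAMPLE_HTML = "<html><body><script>document.write(unescape('%s'))</script></body></html>" % _ESCAPED


def analyse_page(html: str):
    """Full chain: unescape the document.write payload, then pull Base64 URLs out of it."""
    inner = decode_document_write(html)
    return {"inner": inner, "urls": base64_urls(inner) if inner else []}


if __name__ == "__main__":
    print(stats_url("https://bitly.com/22kQ0Am"))
    print(analyse_page(SAMPLE_HTML))
```

Because everything after the initial wget runs on a saved copy, the phishing server sees a single fetch and none of the decoding steps, which is the same reason the post avoids repeatedly hitting the page.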

I hope this short post will serve as a good reminder to all not to blindly click on shortened urls unless you totally trust the source or verify it yourself.

Happy Reversing
Jacob Soo

[ Walkthrough : X-CTF 2016 – Worm ]

Quest: A malware was caught infecting “NUS GOVT” thumb drive. Encryption was used to encrypt outgoing data. Please submit the answer in the following format: XCTF{SHA1 of (key1 + key2 + key3)}

File: add4f352cbcb62fffe01eccf78a912b8

SHA1 Hash: 16e9245a14e223b83fde700aa6904e2f487ef07b

Let’s begin by firing up IDA Pro to see what we can find.

Going through the IAT, we can see that SetupDi… functions are called. A quick reference to MSDN reveals that these functions are used to enumerate Plug and Play devices.

SetupDiGetDeviceRegistryProperty function retrieves a specified Plug and Play device property.

Figure 1. Imports

Cross-referencing (press x in IDA Pro) the function reveals much more. It seems like the malware is trying to find a USBSTOR device. This definitely makes sense, since the quest already stated that the malware infected a “NUS GOVT” thumb drive. Let’s set a breakpoint later in OllyDbg to see what is really going on. Further down the disassembly, we can see that it is trying to match the string “NUS GOVT”. Just take note of this for now.


In the strings, we can see interesting artifacts as well: it looks like the malware is trying to infect via autorun.inf. OK, let’s take note of that for now. We can also see wsock32.dll and Ws2_32.dll, but in the imports we did not see any functions from these libraries, so GetProcAddress is probably being used to resolve them at runtime.

Figure 3. autorun.inf in strings