
Showing posts from March, 2023

HOW DO YOU LIKE DEM EGGS? I LIKE MINE SCRAMBLED, REALLY SCRAMBLED - A LOOK AT RECENT more_eggs SAMPLES

BACKGROUND

This topic has been covered quite well over the past years, with some analysis focusing on the human element and the actors behind the tools, other analysis attributing activity to different groups, and some focusing on the malware and the final payload. This blog will focus only on some recent samples related to what I think is more_eggs, my attempt at analyzing them (successful or not, I will let you be the judge of that), and some questions I have. I won't be discussing attribution or providing my thoughts on it in this blog.

HIGH LEVEL ANALYSIS OF SAMPLES

This all started with a tweet: https://twitter.com/jaydinbas/status/1633063201607675909?s=20

File Name: Axiance_Full_Reports[.]zip
Hash: 631f92c9147733acf3faa02586cd2a6cda673ec83c24252fccda1982cf3e96f6

The file is a ZIP archive that includes an LNK file and a JPG. As you would expect, the LNK contains obfuscated code consistent with these types of campaigns. && c!QlGg!!dFsw!