Hello and welcome to the Monday, March 2nd, 2006 edition of the Sands Inlet Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

And this episode is brought you by the Sands.edu undergraduate certificate program in applied cyber security.

In Diaries this weekend, we had one by Xavier about, well, a fake FedEx email.

The problem with these FedEx emails are to many of us.

They're kind of old news and, you know, it's easy to recognize.

But think about it from perspective, not sort of how I've seen these emails work of someone that receives

a lot of or a reasonable number of these FedEx emails,

they're dealing a lot of shipping,

they're sort of a little bit desensitized to that,

and then maybe tricked, like in this case,

to opening an attachment that is actually

a 7-zip file.

Xavier walks you through the analysis of this particular malicious email, starts out with a

simple batch file and also usual sort of persistent mechanisms, then encoded PowerShell script. In the end, it's actually an

AES encrypted script. Of course, the credentials here keys and IVs are in the binary, so in that

zip file. So definitely something that you can then extract the order to decrypted.. And that's sort of what Xavier walks you through here.

The decryption part is probably sort of a more interesting and dangerous part in some ways, too,

because you, in this case, like, the easiest way to do it is just run the PowerShell script,

but then put the right break points in place.

So it really just decrypts it and doesn't actually execute it.

And the next stage, which in this case, well, turns out to be a script called donut loader.

...