#Hollyholic
Couldn't find a gun to do it with..
Hoochie-mama mata-hari 5000.
She has a pretty face, and i like her dimples. I'd eat the lint of her navel. She always looks different. Sometimes i think she maintains a broader smile than usual out of passive aggressive anxiety. I worry about her; and end up sad that she thinks i should cower like a child in her company, or the company she projects. She enjoys different flavors of camaraderie, and shaves off the most negative social situations for me to feed on and ponder. She's an adult about it though and doesn't make it a big deal. You have to be careful not to get caught up repeating the same thing every day; but then again it's like, hard to stay sane w/out some sort of daily routine. Idk. She's alright just giving up and letting me win most of the time bc she's just tired as fuck and occupied in her own life.
She dislikes guys who sport a cocky attitude, and that's why she just doesn't talk to me, i guess. Maybe I'm just irrevocably naive and ignorant to her. You gotta' be optimistic in these days and times; especially after trump.. I've done time in jail and it's truly a hurtful place to wind up in. It leaves you w/ a migraine, muscle spasms, aching neck, swollen gall bladder from shitty food, and a hurting pain in your lower body. It's like, "step on in and believe my belief that i actually have rights. The water is fine." It's bullshit, this is just practice, nobody listens to me; *sigh* Why do i have to babysit this stupid shit? There's also some random obstinate, bitchy teenager who thinks it's fine to commit civil assault following me around. Hung up on your stupid ass a long time ago, clear? Stupid navel-gazing bullshit.. She tells me Kinnison's just the white Rick James; fulfilling relationships aren't for me; idk how to work a woman's emotions; id have a hedge-fund account. On a lighter note what's the deal w/ airline food? Women get new clothes more often than men who wear socks until they're worn out.
Her innate superficiality & superiority is weakened and compromised the moment you think about her. Searching for something meaningful, here; anyone care to say anything? Wotd: Camouflage. It sounds French even though it isn't; sort of like French dressing not tasting French. Don't want to commit character assassination here so i guess I'll just sum it up promptly & admit I ponder suicide sometimes. Also I did a run-out on Lynn the other day. It was a run-out & not a run-in so yeah. Can Harvard & Princeton go back to semi-valley & Atlanta? Fun fact of the day: I have a Russian clone named Jessie. Also there's an evil munchkin brunette i don't like who's married to a guy named Steve who brags about exhausting people's supply and hunting them down for sport. Merry 4th of July everyone; what's that got to do w/ me calling that guy premium pine? Not a helluva lot...
So anyway; there's a reddit post i can't find about a conflict in Asia that led to a Puerto Rican conflict, and that's sorta' annoying me. And I never mutilated Dr. Thriftwood's reputation; sorry.
#myshare#maintaineyecontact#Hollyholic#stucco#wellarawe#oddferverver#earlycelebration#recyclemycorpse
↳ INSTAGRAM: @ljholls uploaded a photo and tagged @wrenschue LJHOLLS the rumors are true, gays cannot sit correctly! happy 17th wren, enjoy ur filler year u beautiful, witchy, bitch! ↳ 700 LIKES, 20 COMMENTS
HOLLYHOLLS: wren, how you’re will schuester’s spawn will never add up to me! anyhow, happy birthday.
My Jennifer and Needy enamel pin designs.
https://linktr.ee/hollyhollance
I have listings on Depop that want you!!!
Quite a few CDs that are ‘swaps’ from my collection.
Thank you @hollyhol for the most fun, and spontaneous weekend!!! My face and stomach still hurt from laughing and smiling so much! Can’t wait to see what kind of trouble we can get into in July! (at Nohu Rooftop) https://www.instagram.com/p/CP53Sa1FpBq/?utm_medium=tumblr
Original Post from Trend Micro Author: Trend Micro
by Noel Anthony Llimos and Michael Jhon Ofiaza (Threats Analysts)
We have been tracking Trickbot banking trojan activity and recently discovered a variant of the malware (detected by Trend Micro as TrojanSpy.Win32.TRICKBOT.TIGOCDC) from distributed spam emails that contain a Microsoft Word document with enabled macro. Once the document is clicked, it drops a heavily obfuscated JS file (JavaScript) that downloads Trickbot as its payload. This malware also checks for the number of running processes in the affected machine; if it detects that it’s in an environment with limited processes, the malware will not proceed with its routine as it assumes that it is running in a virtual environment.
Aside from its information theft capabilities, it also deletes files located in removable and network drives that have particular extensions, after which the files are replaced with a copy of the malware. Based on our telemetry, this Trickbot campaign has affected the United States the most. It has also distributed spam to China, Canada, and India.
Figure 1. Infection chain
In a sample email, the spam purports to be a subscription notification involving advertising providers, even telling the user that it submitted an application for a three-year subscription and settled a sum of money with the sender. The mail then explains that several more fees will be charged to the user’s card in the coming transactions. It ends by prompting the user to see the attached document for all the settlement and subscription information. The document in question contains the malicious script.
The distributed Word document presents the user with the following notification (see Figure 2) that states the content can be viewed by enabling macro content. It’s worth noting that the document hides the JS script in the document itself and not in the macro. It does this by disguising the script through the same font color as the document background.
Figure 2. Document asking users to enable macro
The script is obfuscated and contains different functions. In order to decrypt a function, it will use another function that will convert it to a single character.
Figure 3. Function for decryption
Upon successfully deobfuscating the file, we were able to analyze it and observed some interesting behaviors. Upon execution, it will display a fake Microsoft error to trick the user with an error message that pops up after enabling the macro. But actually, the JS file is already running in the background.
Figure 4. Fake Microsoft error
For persistence, the malware creates a copy of itself in the Startup folder as Shell.jse. The JS file also examines the running processes. Particularly notable is its anti-analysis (evasion) check: it looks at the total number of processes running on the victim's machine and does not proceed with execution if too few are running.
Specifically, if the string listing the running processes is shorter than 1,400 characters, the malware treats this as an indicator that it is running in a virtual or sandbox environment. It also checks for the presence of processes commonly used for analysis, and inspects whether the environment it runs in is associated with specific usernames.
Figure 5. A snippet of checked processes and usernames
Figure 6. Code error shown if anything matches the check
Here’s a list of processes and debugging tools the malware checks for in the affected system:
AgentSimulator.exe
B.exe
BehaviorDumper
BennyDB.exe
ctfmon.exe
DFLocker64
FrzState2k
gemu – ga.exe
iexplore.exe
ImmunityDebugger
LOGSystem.Agent.Service.exe
lordPE.exe
ProcessHacker
procexp
Procmon
PROCMON
Proxifier.exe
tcpdump
VBoxService
VBoxTray.exe
vmtoolsd
vmware
VzService.exe
windanr.exe
Wireshark
Upon further analysis, we’ve also compiled the usernames the malware checks for based on the following strings:
Emily
HAPUBWS
Hong Lee
Johnson
milozs
Peter Wilson
SystemIT | admin
VmRemoteGuest
WIN7 – TRAPS
For the malware’s payload, it will connect to the URL hxxps://185[.]159[.]82[.]15/hollyhole/c644[.]php then checks for the file to be downloaded. If it is an executable file, it will save the file to %Temp% as {random}.exe and execute it afterwards. If the file is not an executable, it will then save it as {random}.cro in the same folder. The .cro file will then be decoded using certutil.exe, saved as {random}.exe in the same directory, and executed. Upon further research, we discovered that the downloaded .exe file is a variant of the Trickbot malware.
Figure 7. The file is saved, random names get generated, and .cro is decoded using certutil.exe
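As an added defender-side example (not code from the Trend Micro post), the following Python flags the execution chain described in the persistence and payload paragraphs above from process-creation telemetry: a .jse launched by a script host from the Startup folder, certutil.exe decoding a .cro file in %Temp%, and an .exe started from %Temp% by that script host. The event field names, the sample events and the exact certutil command line (`-decode`) are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal Sysmon-style process creation record (field names assumed)."""
    pid: int
    parent_image: str
    image: str
    command_line: str

# Constructed sample events modelled on the chain in the article; not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent(100, r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shell.jse"'),
    ProcEvent(101, r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\certutil.exe",
              r"certutil -decode C:\Users\alice\AppData\Local\Temp\kq83hd.cro C:\Users\alice\AppData\Local\Temp\kq83hd.exe"),
    ProcEvent(102, r"C:\Windows\System32\wscript.exe", r"C:\Users\alice\AppData\Local\Temp\kq83hd.exe",
              r"C:\Users\alice\AppData\Local\Temp\kq83hd.exe"),
    ProcEvent(103, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", r"notepad.exe notes.txt"),
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
STARTUP_JSE = re.compile(r"\\Startup\\[^\"\s]+\.jse\b", re.I)          # Shell.jse in a Startup folder
CERTUTIL_DECODE = re.compile(r"certutil(?:\.exe)?\s+-decode\s+\S*\\Temp\\\S+\.cro\b", re.I)
TEMP_EXE = re.compile(r"\\Temp\\[^\\\"\s]+\.exe$", re.I)               # {random}.exe under %Temp%

def classify(ev):
    """Return the stage of the chain an event matches, or None."""
    image = ev.image.rsplit("\\", 1)[-1].lower()
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    if image in SCRIPT_HOSTS and STARTUP_JSE.search(ev.command_line):
        return "startup_jse"
    if image == "certutil.exe" and parent in SCRIPT_HOSTS and CERTUTIL_DECODE.search(ev.command_line):
        return "certutil_decode_cro"
    if parent in SCRIPT_HOSTS and TEMP_EXE.search(ev.image):
        return "temp_exe_from_script"
    return None

def detect(events):
    """Map each matched stage to the PIDs that triggered it."""
    hits = {}
    for ev in events:
        stage = classify(ev)
        if stage:
            hits.setdefault(stage, []).append(ev.pid)
    return hits

def is_chain(hits):
    """Two or more distinct stages on one host is a strong signal; one alone (e.g. certutil) may be benign."""
    return len(hits) >= 2
```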
Aside from stealing system information such as OS, CPU, and memory information; user accounts; installed programs and services; IP configuration; and network information (configuration, users, and domain settings), this Trickbot variant also gathers the following credentials and information from applications and internet browsers.
Application credentials
Filezilla
Microsoft Outlook
PuTTy
Remote Desktop (RDP)
VNC
WinSCP
Browser credentials and information (Google Chrome, Internet Explorer, Microsoft Edge, and Mozilla Firefox)
Autofills
Billing info data
Browsing history
Credit card data
HTTP POST responses
Internet cookies
Usernames and passwords
This malware also uses a point-of-sale (PoS) extraction module called psfin32, which identifies PoS-related terms located in the domain of interest. The module uses LDAP queries to search for PoS information on machines with the following substrings:
*ALOHA*
*BOH*
*CASH*
*LANE*
*MICROS*
*POS*
*REG*
*RETAIL*
*STORE*
*TERM*
The variant also appears to drop shadnewdll, a proxy module that intercepts and modifies web traffic on an affected device to create fraudulent bank transactions over the network. Additionally, according to security researcher Brad Duncan, the module shares similarities with the banking trojan IcedID, which redirects victims to fake online banking sites or attaches to a browser process to inject fake content in phishing schemes.
In cases where the malware fails to connect, it will search the removable and network drives for files with the following extensions. These extensions are file types used by Microsoft Office and OpenDocument:
.doc
.xls
.pdf
.rtf
.txt
.pub
.odt
.ods
.odp
.odm
.odc
.odb
Files with the aforementioned extensions will be saved in the %Temp% folder as ascii.txt. The said files will all then be deleted and replaced with a copy of the malware carrying the extension .jse (which is actually a JS file).
Figure 8. Scanning for files and replacing them with a copy of itself
Defending Against Trickbot: Trend Micro Recommendations and Solutions
Information-stealing malware Trickbot has become a cybercriminal mainstay for infecting machines and compromising emails, and has been used to reportedly steal more than 250 million accounts. This new development shows how cybercriminals can constantly tweak an existing banking trojan to add new capabilities. Users, however, can prevent these attacks by simply following best practices against spam. Aside from awareness of the telltale signs of a spam email such as suspicious sender address and glaring grammatical errors, we also recommend that users refrain from opening email attachments from unverified sources.
Users and enterprises can also benefit from protection that uses a multilayered approach against risks brought by threats like Trickbot. We recommend employing endpoint application control that reduces attack exposure by ensuring only files, documents, and updates associated with whitelisted applications and sites can be installed, downloaded, and viewed. Endpoint solutions powered by XGen security such as Trend Micro Security and Trend Micro Network Defense can detect related malicious files and URLs and protect users’ systems. Trend Micro Smart Protection Suites and Trend Micro Worry-Free Business Security, which have behavior monitoring capabilities, can additionally protect from these types of threats by detecting malicious files such as the document and JS file involved in this campaign, as well as blocking all related malicious URLs.
The Trend Micro Deep Discovery Inspector protects customers from threats that may lead to C&C connection and data exfiltration via these DDI rules:
1645: Possible Self-Signed SSL certificate detected
2780: TRICKBOT – HTTP (Request)
Indicators of Compromise (IoCs)
Check Point Research also tweeted about this campaign last July.
The post Latest Trickbot Campaign Delivered via Highly Obfuscated JS File appeared first on .
Was SO great seeing your face last night!!! @hollyhol #nyc #spottedpig #westvillage #friends #reunitedanditfeelssogood #missyou #cantbelieveweweresittingnexttoraulplauren #myfriendsarebetterthenyours (at The Spotted Pig)
#spottedpig#westvillage#reunitedanditfeelssogood#cantbelieveweweresittingnexttoraulplauren#friends#nyc#missyou#myfriendsarebetterthenyours