SANS FOR500 training write up #DFIR #forensics

I’ve always had an interest in digital forensics. The idea of being able to investigate $whatever_happened and prove it, always fascinated me. The last week of July, I was able to finally participate in some top notch digital forensics training at SANS Fire 2017 FOR500 – Windows Forensics Analysis.

Provided material

First off, the material was great. Who doesn’t like getting a 128 Gb USB key with a lot of goodies? The SIFT workstation was loaded with a great number of tools (many of which I hadn’t heard of, many I’d always been curious about).

The extra cases seem like they’ve got potentially interesting things to dive into as well.

Day 1

Day 1 was all about Advanced Data Triage. The “What? When? Where? How?” of any investigation is where the data triage starts. The concept put forth on day one was spot on and a great place to start. “Analysis” is one thing, “proper analysis” is a completely different thing. This gives a good foundation to get you into the “proper analysis” mindset.

Data extraction, file carving and registry forensics were also on tap for the day. These were all presented in an easily understandable way, with some exercises building off of the original scope of the “investigation”.

Day 2

Day 2 was a serious deep dive into the Windows Registry. I knew you could tell A LOT about what has happened (many of the things covered I had recognized between classes I took and just “poking around”) but, there were many things as well that were completely new to me. (I suspect part of it has to do with the advancements from Windows 7 to Windows 10.)

Day 3

Day 3 was all about Shell Items and I’ll admit, I struggled here. This was the first time going THIS deep…. And it was good. I am going to re-review (and potentially re-re-review) this section.

My head still hurts and I think by now, I’m ready to start the “resaturation” process.

DFIR Netwars

When I found out I could participate in this, I was pretty pumped. I made sure to register and start downloading the material as soon as I knew where to go.

Netwars is essentially SANS’ version of a CTF and this would be my first DFIR focused/related CTF.

So, I download… and I download…

AND I JUST FOUND THE DUMBEST WAY TO SUCCEED AT DROPBOX DOWNLOADING OF HUGE FILES (and not just “Right click, Save As)..……

DISCLAIMER: This could be an issue with my ISP (but I’ve never EVER had a problem downloading before this) or this could be an issue with Dropbox.

There were at least 3 files bigger than 8Gb that were part of the Netwars Dropbox share for various things (virtual machine, .e01 image, 7zip of an Android image).

Whenever I tried downloading, it bombed out around 8 to 9Gb.

The one file (win7-c-drive.E01 to be precise) is 9.7Gb (again… 9689019743 bytes to be precise).

It was an important file. A file needed to reiterate the knowledge I gained through this training.

But alas, Dropbox, you failed me.

After 5 tries over a 2 day period, it became a point of principle to download this.

Default, out of the box, you get 2Gb on a free account. Through various promotions and such, I’m up to 8.25 GB.

I say this because when you download a file from Dropbox you have two options:

  • Direct Download
  • Save to My Dropbox

Knowing I had less than 9Gb, I knew Save to My Dropbox wasn’t an option.

Or was it……….? (More on that in a moment…)

Given that I’m on a Debian laptop, I thought “if anyone knew how to resume a failed download or ensure a complete download, it would be the Linux community”.

I couldn’t find anything obvious.

I installed the Dropbox client with the theory of, could I link someone else’s folder and download it that way? (You’re close…. Keep trying….)

So, just when I think I give up, I choose “Save to My Dropbox” WITH THE LINUX CLIENT RUNNING… (FWIW, I suspect the same would hold true for those who have a Windows OS)

Let me guess your first thought…. “How can this fool save to his Dropbox when his account doesn’t have enough space? 8.25 Gb < 9.7Gb! Don’t he know how to math?!”

I thought the same thing.

Then I saw…. The client…. Downloading the file.

So I tried this method 4 other times and it worked successfully 4 other times.

  • 9.2 GB (9156831212 bytes)
  • 9.4 GB (9432995952 bytes)
  • 15.6 GB (15571648976 bytes)
  • 9.7 GB (9689019743 bytes) ← The original headache

There is one (obvious) catch.

When you exceed the space allotted on your account, you can’t add any more files….. but it doesn’t mean you can’t download. 😉

SOOOOOOOOOOOO…. Due to back issues and download issues, I couldn’t do much, but I did land 51st place (hey… that’s only an hour of being able to do any of the challenges… and cursing the one file that would never come in time).

Day 4

Day 4, Email retrieval/analysis, was extremely interesting. The additional artifacts were extremely fascinating as well; for the “picture” you’re trying to paint with the overall analysis, I dare speculate that the finer details really emerge in this section, through Windows Search, thumbnail analysis, Recycle Bin, Event Log and Windows Prefetch analysis.

Day 5

Day 5 was all about Internet Browsers. Again, this section was very interesting and I definitely gained some new knowledge.

Day 6

Day 6 was the “project”/”challenge” day. I initially wanted to participate so I could apply what I had learned, but given that I was on Simulcast/”GoToMeeting”, that complicated communication between those on the same team.

Unfortunately (fortunately?) I appeared to be the only one from the Simulcast folks who was interested in doing the challenge that day. Most everyone else was going to do the challenge in their leisure time.

By about this time, my brain was already burnt and I was overdue to hang out with my family. So, we went to an arcade (and my 5 year old son “beat me” at Mario Kart…. Twice… ).

Overall

Overall, I’m very pleased with the class and the experience. The GoToMeeting/Simulcast was a great platform to use to attend this training. I’d highly recommend FOR500 (or any other SANS class) as the training is up to date and very relevant. It’s not the “print hello world” style of learning, which I despise. I want to get elbow deep and learn the concepts and real world examples. The overall basis of the investigation the whole five days was centered on could easily be a scenario anyone could run across in the real world.

Lessons learned

Since this was my first Simulcast SANS training, I thought I’d share some of the observations I made during this week.

  1. Make sure to get plenty of sleep. My 5 year old has a habit of working every angle possible to stretch out bed time. Couple that with my particular mindset (one to where if I get really into something, it can cut into my sleep) and Wednesday I was jonesing for some carbs in a big way!
  2. Have a comfortable seat. Nothing makes the concentration break more than getting uncomfortable in your seat.
  3. If your personal laptop is a Linux one, make sure to have a second laptop or a tablet handy since GoToMeeting apparently doesn’t like Linux.
  4. Be prepared to feel like you’re drinking like this
  5. Don’t be afraid to ask for some help.

Derbycon 2015 wrap up

Before I get to my Derbycon 2015 wrap-up, I’ve got to set the stage (bear with me, I’ll try not to ramble on too long).

Intro

In 2009 two big things happened in my life. The first big thing: the floor was dropping out from under me with losing a job in IT due to the economy and through no fault of my own. It was a terrible time and IT support jobs were drying up. The job market was going through a major shift. Which leads to…. The second big thing: it was time to reinvent myself, as the work I was doing was boring and I wanted to avoid another situation like this. I discovered the growing field of Information Security. So the journey began, which led me to Bsides Detroit 2011. I’d found my new passion. Also that year, I attended the first Derbycon in 2011. I was all in and that experience helped me grow career wise and as a person.

(Too long? I tried to get to get to the point, trust me….. It’s relevant…..)

About a year ago I started my current role. When the opportunity was there to submit my training requests, I had only one thought: DerbyCon.

Friday

My plane arrived late Thursday night taking the most scenic route possible (Detroit to Philly, Philly to Louisville). Unfortunately I didn’t get as much sleep as I had hoped. I wanted to make it for the start.

Welcome to the Family begins. As I’m listening to the intro, no truer words had been spoken. This conference was like a big family. Infosec is a small community, as I’ve found out since 2011 when I attended my first security conference, and nothing drives that home deeper than after you’ve attended a few conferences.

First up, Jordan Harbinger from the Art of Charm and Social Engineering podcast delivers the keynote. Jordan isn’t a technical guy, he even says so. He’s started his own company, The Art of Charm, and it’s about building social capital and becoming better socially, and as his LinkedIn profile says regarding Art of Charm; “Where ordinary guys become extraordinary men.” So out of the chute, it’s about relationships, family. Jordan killed it on the keynote.

Next up was “Information Security Today and in the Future” with HD Moore, Ed Skoudis, John Strand, Chris Nickerson, Kevin Johnson and Katie Moussouris, hosted by David Kennedy.

This was a great panel and a lot of good conversations. It’s well worth checking out.

Next up was lunch. You can run hackers all day long but you’ve got to break and throw them a burger or two along with some caffeine.

After that, I attended HallwayCon. The ever illustrious infosec conference staple where those who aren’t watching a talk start their own conversations, recharge phones and tablets (part of what I did).

Next on the list I had hoped to see “Python for Infosec”, but I didn’t get in in time and figured “I’ll catch it on video”, so I went over to “Stealthier Attacks and Smarter Defending with TLS Fingerprinting” by Lee Brotherston. This was a very interesting presentation and I definitely walked away having learned a thing or two…. and I’m looking forward to trying to carve out time to investigate the tools he released. As I’m writing this I found out the Python for Infosec talk had no audio. #sadpanda

Next on the agenda, Honeypots for Active Defense – Greg Foss from LogRhythm. This was a great talk as I do love to hear others implementing and talking about their findings with honeypots. Greg has definitely sparked some ideas I took notes on that I do plan on working on soon.

So after that talk, the next talk that intrigued me was Red vs. Blue: Modern Active Directory Attacks & Defense – Sean Metcalf “@PyroTek3”. Sean is seriously a mad crazy smart dude and one of only 100 who hold the Microsoft Certified Master Directory Services. This talk showed me how deep Active Directory can go. It was definitely a great talk and I highly suggest watching it.

Next up, back to HallwayCon, this time due to how tight the seating in the previous talk was. My only complaint on DerbyCon this year… a lot of the talks were VERY packed. So after one of those, I had to step out and enjoy some personal space.

My next talk I went to, was down in the Stable talks.

Backdooring Git – John Menerick – was a very good and interesting talk, as one of the things on my list is to learn more about Github.

Detecting phishing attacks with DNS reconnaissance – Mike Saunders – This one was extremely good. It’s definitely sparked some ideas combined with the DNSMiner talk (but more on that one later).

Hacking Web Apps – Brent White – Another good talk. I am weak when it comes to the web app space and I try to challenge myself to see more web app related talks to try to pick up more.

Sticky Honey Pots – Paul J. Vann – So by the abstract alone it sounded intriguing. What made it even more intriguing, the presenter was a 9th grader!! The kid was very smart and advanced and had a very good presentation. It hit home with me as my son just started preschool. I look forward to exposing him to the hacker culture and conferences to see if he likes it.

At this point, my day was done. I’m not much of a bar guy and counting I had only 3 hours sleep, I went back, wound down and called it a night.

Saturday

Decent night of sleep was had. Relaxation was achieved. Off to Day 2.

OSINT for AppSec: Recon-ng and Beyond – Tim Tomes “lanmaster53” – This one jumped out at me as I am weak in the AppSec area and I knew only the surface level of Recon-ng. WOW, am I ever glad that I did attend this one.

Introducing the RITA VM: Hunting for bad guys on your network for free with math. – John Strand – Derek Banks – Joff Thyer – Brian Fehrman – This talk was one of the top 5 that I was looking forward to and it did deliver. I can’t wait to dig into this project further. It was a great, great talk.

Next, was back to HallwayCon. I had visited some vendor booths, gained too many tshirts and topped off the phone charge again. It would help if I wasn’t tweeting so much or reading other tweets during some talks.

Gray Hat PowerShell – Ben Ten (@ben0xa) – Ben always delivers a great presentation. There are some people who exude the confidence and have the charm for a group of people. Ben is one of a few Powershell masters I’ve talked with being a part of Misec.

WhyMI so Sexy? WMI Attacks – Real-Time Defense – and Advanced Forensic Analysis – Matt Graeber – Willi Ballenthin – Claudiu Teodorescu – The Powershell lovefest continued. While this talk wasn’t specific on Powershell, Matt Graeber is an admitted Powershell fanboy. These guys are mad wicked smart and gave a great presentation on WMI.

Next up, to the Stable talks again.

Tool Drop: Free as in Beer – Scot Berner – Jason Lang – It was a great presentation and a chance to learn some strategies people use in scripting out a tool to solve an immediate problem.

At this point I joined up with Mr @malware_traffic himself and some of his friends for lunch at Gordon Biersch Brewery Restaurant. The burger was pretty good.

After that, I wanted to catch Medical Devices: Pwnage and Honeypots – Scott Erven “windshield wipers” – Mark Collao. This was a pretty fascinating talk and it reflected on how vendors still fail with default passwords and other areas of fail.

I originally wanted to catch How to ruin your life by getting everything you ever wanted. – Chris Nickerson but after a few too many talks that were tighter than the airplane ride I flew in on, I thought “Catch it on video”. I found out later that it was an extremely moving and powerful talk. I just watched it today, and no offense to the guys who did the medical devices talk, I am kicking myself for not attending. The talk Chris gave is extremely moving and powerful because he ain’t putting on any schtick. I was completely blown away and have some mad serious respect for the guy and all he’s done for the industry that saved me from a mundane career of fixing Windows issues and building standardized corporate images.

So by this point, it was back to HallwayCon. It was during HallwayCon that I ran into some of the Misec guys, including David Schwartzberg (@DSchwartzberg, one of the nicest guys you could ever meet). He was participating in the scavenger hunt. One of the things he was looking to do was to get 25 people running backwards up the escalator. After he talked with the DerbyCon security staff, we did it. I made a big mistake in participating for only one reason: I didn’t ask someone “Hey, can you keep an eye on these backpacks?” and after adding in some of the conference swag, my backpack wasn’t the lightest. So the line started and I brought up the end of the line. Running up a fast escalator being out of shape = hard. Running up a fast single lane escalator being out of shape with a heavy backpack on your back = sheer stupidity. But, I did complete it. I almost face planted at the end as those last few steps were rougher than I expected. But… during the run, by the time I got to the top, I had apparently dropped my Fitbit Flex strapped loosely to my wrist (apparently too loosely).

But, due to DerbyCon being about family and the overall culture of the tight knit Infosec community, someone picked it up for me.

One mission I had on the trip down was to get some Kentucky Bourbon Barrel Ale. I had heard great things about it and since it didn’t seem like Michigan had any, when in Kentucky, you seek out bourbon (ale in this case for me). While it wasn’t Kentucky Bourbon Barrel Ale, GoodWood Brewery Bourbon Barrel Ale was on tap in the lobby. I have only one word to describe this beer:
Holycrapthatwassomefantasticbeermmmmmmmmmmmmmmmmmmmmmmmmmmmmmm.

It was dinner time and I had met someone over at Dish on Market to have dinner with. It was definitely a great conversation I had with @ammonsphoto. After some dinner I headed back to my room for the night. My back was a bit sore and I definitely didn’t feel up to partying, besides, my hotel was 20 minutes away, so…

Sunday

Is That a Router in Your Pocket or are You Trying to P0wn Me? – Michael Vieau – Kevin Bong – A very interesting talk. I had learned that using OpenWRT it was possible to remove some stuff for those tiny router flashes and be able to put in the tools you want.

Next, DNS Miner – A semi-automatic Incident response and threat intelligence tool for small – over worked security teams – Doug Leece – AJ Leece. This was a talk that really captured my attention prior and I’m glad I went. I do plan on looking more into this project as I can see some interesting things coming from this.

Next, LongTail SSH Attack Analysis – Eric Wedaa. Mr Wedaa did a great job of capturing attention, as honeypots always get people’s attention at security conferences, especially if the presentation is good.

Next? Lunch of course, then some HallwayCon as well, of course.

Last talk of the day for me was Intrusion Hunting for the Masses – A Practical Guide – David Sharpe. Another talk I found fascinating by the abstract and it definitely delivered.

And so the conference was done as closing ceremonies began.

I made the mistake of not getting in line soon enough. So there was an additional room that you could see what they were showing on the screen but you couldn’t see those on the stage. So at this point, I threw in the towel and headed off to the airport.

Last but not least

DerbyCon 2015 was great. I can see why many people make this their main conference. It has a great environment (a bit tight during some talks) and good people going as well as putting on the conference and volunteering as well.

Earlier I had briefly summarized the path that led me to Information Security. It’s conferences like this that make me glad I moved my career to Information Security. I never witnessed or knew of any regional conferences for Windows support folks. It’s conferences like this that help inspire me and other folks to contribute to the community as a whole.

I’m glad I got to meet some new people and I’m grateful for the knowledge and ideas I gained.

Hope I can make DerbyCon 2016.

Dear Google (rant of a disappointed Android fan)

Dear Google,

The time has come for my next phone upgrade and although I am an Android fan, we’ve got to take a 2 year break and I’m giving Apple another chance.

When I first got a smart phone I went with Android on the T-Mobile G1. It was different than the iPhone and AT&T had it exclusively. You won me over with all the things Android could do. But you lost me on the shitty battery life. So when the time came around for a new phone, I wanted better battery life and the iPhone wasn’t just at AT&T anymore.

I really didn’t want to get an iPhone. The stigma of “the cult of Apple” was strong. I didn’t want a “status symbol”, which is how a lot of people treat their iDevice. I wanted functionality. I despised iTunes with an unbelievable loathing and burning hatred. But……. The reviews on battery life for the iPhone were great compared to the available Android phones at the time. So I went to the “dark side”….. and it was good.

I had no really big issues with this phone. I had a few small complaints but I was not converted to “fan boy” status. I can be honest about technology I use. The battery life was great. It was phenomenal the day my son was born, and the previous phone would not have been able to last 1/3 of the way through what I put it through that day.

As my contract was getting close to being done, I started looking again at Android. Around this time is when I discovered Samsung and the beginning of the size increase of phones, call it the “pre-phablet” time. Now you’ve got my attention!! But how is it on battery life??!! After some research I’m convinced and get a Samsung Galaxy S4. I’m back with Android!!

As I was playing with my new S4, I noticed some things that bug me, and in many ways I’m probably not the first to complain about these.

1. Bloatware (Carrier AND vendor provided).
I’d honestly be fine with the bloatware if I could uninstall it but if I can’t then it bothers me. But what makes it worse is the Samsung Hub.

The Samsung Hub was their app store. Everyone has an “app store”. It takes up 50 Meg on my phone. Sometime in 2014 they took down the Hub….. but you can’t get rid of it! REALLY?! I have to keep an app that prompts a message saying “We’re sorry. If you want apps, install Galaxy Apps….. but you can’t get rid of The Hub”.

Don’t get me started on the Sprint apps.

2. Security updates
We all know the story. Vendors don’t push out updates so they can push you to just upgrading handsets.

But really Google, it’s time to take a page from Apple’s book. Everyone takes pages from everyone’s play book. Apple has taken plenty from the Android play book with the notifications and the Apple Watch and a lot of other interesting features that started with Android. Microsoft has taken a page from the Unix world with Powershell. Let’s be honest….. Everyone does it!!

1. Bloatware – Restrict vendors and carriers so they cannot set it up where the user can’t uninstall the crapware. If the app is so good, people can leave it on, but give them the choice. Yes, Apple has some apps you can’t get rid of short of rooting/jailbreaking the phone, but they’re not defunct app stores or something like that, they’re just a few stupid apps (Maps, Stocks, Safari to name a few).

2. Security updates – Why Google hasn’t taken the route of making updates available via their site is beyond me. I’m sure I’m looking at it too simplistically and easily admit to not being an Android specialist who knows and understands their overall ecosystem.
If Apple hadn’t taken another page from the Android vendors’ play book with the 6 Plus, I wouldn’t be saying this but…..

You’ve lost me for this cycle. I’m getting an iPhone 6 Plus. While I do appreciate the openness of the Android platform, vendors and carriers are screwing it up for you and driving away people who aren’t fanboys, as well as those who will buy a NotApple product before anything.

When the time comes for my 6 Plus to be replaced, I will entertain the next batch of Android phones that will be available. I don’t expect the security updates issue or even the bloatware issue to be addressed, but if you ever want to TRULY come up with the one and true iPhone killer, you need to make some changes.

Phishing email #malware analysis PWS:Win32/Zbot – Part 3 (host behavior: 1 of 2)

Host based analysis

Objective

This is a continuation of the overall Phishing email malware analysis PWS:Win32/Zbot blog posts I wrote:

  1. Part 1 – This was the introduction into the spam email I luckily checked to find this little gem in a password protected attachment (and they were nice enough to include the password too!!)
  2. Part 2 – This was the network behavior analysis I ran on this malware as it does try to “call home”.

The goal for Part 3 is to get a better understanding of what is going on under the hood when the malware is executed. This was intended, for all intents and purposes, to be one post using the data I extracted from a Process Monitor run, but including the file, process, and registry activity on top of putting it all together (the data pertinent to the malware) would have been a bit much, so I took a cue from Tarantino (after asking a few friends’ opinions) and decided to split it into two parts.

(I thought I would try something different. Due to the width of this theme, you’re going to have to scroll over in the frame below to get to the good stuff. )

A quick note

My apologies for not getting this done sooner. I guess my only defense is “life happens”. Reality, it was part Converge/Bsides Detroit, part “life with a toddler”, with a mix of everyday life (including an upcoming job change for the better).

I had originally thought that this would be something I could run through real quick, but I had overestimated. I had originally captured 3 samples using Process Explorer. Each sample had a notch over 1 million events. I had originally just started attempting to comb through manually, thinking “this shouldn’t take long”, and then I started discovering that it’s either use filters or forget it. While my CSV scripting skills leave a bit to be desired for combing through data, I’ll call this incentive for the next run to see if I can get it done faster. So, with no further ado, here we go.

Process Activity

If you don’t feel like scrolling, here is the embedded spreadsheet.

So what can be gathered from this information?

  1. 9:45:03.5627178 PM – the process is created by double clicking the Invoice_06.04.2014.pdf.scr and it runs with a /S switch
    • Are there any other switches that can be run via the command line?
    • This is color coded in green
  2. 9:45:04.5837508 PM – Invoice_06.04.2014.pdf.scr starts the upeqe.exe process at C:\Users\keith\AppData\Local\Temp\Etteva\upeqe.exe
    • This is more than likely the malware setting up persistence by running the backup of itself that was made.
    • The File System activity should be able to identify when this copy is made.
    • This is color coded by the blue/”dark cyan 1″ (according to Google Docs) line
  3. Invoice_06.04.2014.pdf.scr and upeqe.exe create threads
    • I had this in another sheet but decided to remove it. Unsure if it’s even important or if this is “normal” activity
  4. 9:45:05.6715395 PM – Invoice_06.04.2014.pdf.scr creates a process and runs “C:\Windows\system32\cmd.exe” /c “C:\Users\keith\AppData\Local\Temp\CQV2090.bat”
    • What is this batch file doing? This one has me really intrigued.
    • This one is color coded red with yellow letters.
  5. 9:45:05.9865492 PM – Invoice_06.04.2014.pdf.scr process exits with Exit Status: 0. 
    • Once it has made a backup of itself and ran it, is this the beginning of the end of Invoice_06.04.2014.pdf.scr?
    • This is color coded light purple
  6. 9:45:06.0210210 PM – conhost.exe starts this process, Command line: \??\C:\Windows\system32\conhost.exe “7004549161928483034-634817172-12620106904102454541647554162437855351-2089999309”
    • What is this? Does it mean anything? Is this normal?
    • This one is color coded by the orange line
  7. 9:45:07.1049881 PM – winmail.exe process starts, Command line: “C:\Program Files\Windows Mail\WinMail.exe” -Embedding
    • Malware initiated this process as I didn’t open WinMail.exe
  8. 9:45:20.7850986 PM – RunDLL32.exe starts this command, Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll
    • This happened because the Windows firewall was set to default and it prompted to allow or block upeqe.exe access out
    • I let it out…. of course!

File Activity

If you don’t want to deal with the scrolling, you can open the document here.

So what can be gathered from this information?

  1. 9:45:03.2873373 PM – Invoice_06.04.2014.pdf.scr is executed. (We can tell this from the IRP_MJ_CREATE operation.)
  2. 9:45:03.6118215 PM – The prefetch file is created. (I’m unsure why it says “NAME NOT FOUND” in the results.)
    • The first line with the green fill
  3. 9:45:03.6509365 PM – Invoice_06.04.2014.pdf.scr tries to load about 13 or 14 different DLLs from the same folder. The result is “NAME NOT FOUND”. (This one makes sense.)
    • I filtered on these specifically because of their interesting nature. What I don’t have showing is that right after each DLL fails from the C:\tools\Malware\tazdrummer\Invoice_06.04.2014 folder, it loads it successfully from the C:\Windows\SysWOW64 folder.
    • These lines are filled in with blue
  4. 9:45:04.1169446 PM – C:\Users\keith\AppData\Local\Temp\Etteva folder is created.
    • This is color coded in purple.
  5. 9:45:04.1173293 PM – upeqe.exe file is created at C:\Users\keith\AppData\Local\Temp\Etteva
    • This is where the malware has created a copy of itself.
  6. 9:45:04.1257302 PM – hyil.raj is created at C:\Users\keith\AppData\LocalLow
  7. 9:45:04.1258986 PM – hyil.raj is deleted at C:\Users\keith\AppData\LocalLow ?
    • What the heck is this?
    • It gets created to get deleted?
    • This is color coded in orange.
  8. 9:45:04.5805563 PM – Invoice_06.04.2014.pdf.scr had an IRP_MJ_CLEANUP operation.
    • Looking up IRP_MJ_CLEANUP to get a better understanding, I originally had the initial impression that when IRP_MJ_CLEANUP was completed, it meant the file was closing all handles. This isn’t necessarily the case.
    • Further down at 9:45:21.2195979 PM, the same operation is completed, but this time it’s initiated by the cmd.exe process.
    • This may be interesting to come back to.
    • I suspect this is where it’s performing the clean up once it’s established persistence.
    • This is color coded with red fill and yellow letters.
  9. 9:45:04.5912261 PM – The upeqe.exe prefetch file is created.
    • Again…. NAME NOT FOUND… I’m unsure of this. A prefetch WAS created… right?
    • This is color coded in green
  10. 9:45:04.5972809 PM – upeqe.exe exhibits the same behavior as what was documented in item # 3
    • These lines are color coded the same blue as well.
  11. 9:45:05.1700510 PM – We have what appears to be our first registry edit. upeqe.exe is writing to C:\Users\keith\NTUSER.DAT
  12. 9:45:21.2195979 PM – cmd.exe had an IRP_MJ_CLEANUP operation at this path, C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr.
    • I suspect this is where it’s performing the clean up once it’s established persistence.
    • This is color coded with red fill and yellow letters.
  13. 9:45:05.5885604 PM – Invoice_06.04.2014.pdf.scr creates C:\Users\keith\AppData\Local\Temp\CQV2090.bat
  14. 9:45:05.5889865 PM – Invoice_06.04.2014.pdf.scr runs C:\Users\keith\AppData\Local\Temp\CQV2090.bat
  15. 9:45:05.5890497 PM – Invoice_06.04.2014.pdf.scr deletes C:\Users\keith\AppData\Local\Temp\CQV2090.bat
    • I don’t know about you, but I want to see what’s in that file.
    • In the Process Activity, at 9:45:05.6715395 PM, Invoice_06.04.2014.pdf.scr runs the C:\Windows\SysWOW64\cmd.exe process and runs this command: “C:\Windows\system32\cmd.exe” /c “C:\Users\keith\AppData\Local\Temp\CQV2090.bat”
    • These events are color coded in orange again.
  16. 9:46:05.5233069 PM – upeqe.exe accesses DNSAPI.dll
    • This one really piqued my curiosity. Is this really important?
    • This is color coded with light red fill and orange letters

Summary

From the information pulled and analyzed from the Process Monitor log extraction, we can see that this piece of malware is rather busy and there is definitely “more than meets the eye” behind the scenes.

We can see the following so far;

  1. Double clicking the malware runs it with a command line switch of /s
  2. It creates a copy of itself in a semi hidden location (you’re not going to see it by default in the standard user folder structure view, but if you know where to look, you can find it)
  3. The malware somehow runs the copy of itself
  4. A batch file is created, exists for a very short time, and is then gone.
    • Is this how the malware starts the copy it made?
  5. The malware is apparently gathering information.
    • Why else would it run the default mail program?
    • What other information is it looking for?
  6. I have to include this: unless you’ve set up heavy filtering in advance and know exactly which events you’re looking for at analysis time, apply your filters after the capture. It will save your sanity when combing through potentially hundreds of thousands of events.
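The create/run/delete sequence around CQV2090.bat (items 13 to 15 above) is a pattern worth hunting for automatically rather than by eye. Below is an added example, not code from the original post: it reads a Process Monitor CSV export and reports any file that is created and then marked for deletion within a short window, together with any process launched in that window whose command line names the file. The rows are constructed in ProcMon's export layout from the process names, paths and timestamps this post reports; the PIDs and the Detail strings are simplified assumptions. ProcMon records a delete as a SetDispositionInformationFile operation whose Detail reads "Delete: True".

```python
"""Flag dropped files that are created and deleted within a short window.

Added example, not from the post.  The CSV below is constructed in
Process Monitor's export layout using the post's process names, paths
and timestamps; PIDs and Detail strings are simplified assumptions."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of a ProcMon CSV export.  The NTUSER.DAT row is an
# open, not a create, so it must not be reported.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:45:05.1700510 PM","upeqe.exe","1512","CreateFile","C:\Users\keith\NTUSER.DAT","SUCCESS","Disposition: Open"
"9:45:05.5885604 PM","Invoice_06.04.2014.pdf.scr","1492","CreateFile","C:\Users\keith\AppData\Local\Temp\CQV2090.bat","SUCCESS","Disposition: Create"
"9:45:05.5890497 PM","Invoice_06.04.2014.pdf.scr","1492","SetDispositionInformationFile","C:\Users\keith\AppData\Local\Temp\CQV2090.bat","SUCCESS","Delete: True"
"9:45:05.6715395 PM","Invoice_06.04.2014.pdf.scr","1492","Process Create","C:\Windows\SysWOW64\cmd.exe","SUCCESS","Command line: ""C:\Windows\system32\cmd.exe"" /c ""C:\Users\keith\AppData\Local\Temp\CQV2090.bat"""
"9:45:21.2195979 PM","cmd.exe","1608","IRP_MJ_CLEANUP","C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr","SUCCESS",""
'''


def parse_time(s):
    """ProcMon writes 7 fractional digits; strptime's %f takes at most 6."""
    clock, _, rest = s.partition(".")
    frac, _, ampm = rest.partition(" ")
    return datetime.strptime(f"{clock}.{frac[:6]} {ampm}", "%I:%M:%S.%f %p")


def short_lived_files(csv_text, window=timedelta(seconds=2)):
    """One finding per file created and marked for deletion within `window`,
    plus any process launched in that window whose command line names it."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    launches = [(parse_time(r["Time of Day"]), r["Detail"])
                for r in rows if r["Operation"] == "Process Create"]
    created = {}   # lower-cased path -> (create time, creating process)
    findings = []
    for r in rows:
        t, op, path = parse_time(r["Time of Day"]), r["Operation"], r["Path"]
        key = path.lower()
        if op == "CreateFile" and "Disposition: Create" in r["Detail"]:
            created[key] = (t, r["Process Name"])
        elif (op == "SetDispositionInformationFile"
              and "Delete: True" in r["Detail"] and key in created):
            t0, creator = created.pop(key)
            if t - t0 > window:
                continue
            ran_by = [d for tp, d in launches
                      if t0 <= tp <= t0 + window and key in d.lower()]
            findings.append({
                "path": path,
                "created_by": creator,
                "deleted_by": r["Process Name"],
                "lifetime_s": (t - t0).total_seconds(),
                "launched_via": ran_by,
            })
    return findings


if __name__ == "__main__":
    for f in short_lived_files(SAMPLE_CSV):
        print(f"{f['path']} lived {f['lifetime_s']:.6f}s "
              f"(created by {f['created_by']}, deleted by {f['deleted_by']})")
        for cmd in f["launched_via"]:
            print("    launched via:", cmd)
```

Run against a real export (File > Save, CSV, all events) the same function will also surface any other drop-and-wipe files the sample uses, which is the quickest way to answer the "is this how the malware starts the copy it made?" question above without scrolling through the full log.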

My goal for the next few blog posts will be as follows:

  • Part 3 (2 of 2) – In this I will give an analysis of the registry activity I analyzed from the Process Explorer log extraction. I am also aiming to tie all of the important events into a timeline to show how the malware progressed through the system. (At least that is the goal… after all, the original goal was this would be one blog post, not a Kill Bill style posting).
  • Part 4 – In this blog post I plan to do an analysis of a memory image I took that was used in the Bsides Detroit 2014 Tri City CTF using Volatility.

Etc.

I’d love to hear feedback on these postings. While this is the first full analysis I’ve done and documented, I’d love to hear if I’ve missed an obvious step or if I’m on the wrong path with how I am analyzing this malware sample. I’m using this process as a learning experience and want to continue to grow in skill and knowledge from it, so I’m open to any feedback.

Phishing email #malware analysis PWS:Win32/Zbot – Part 2 (network behavior)

Network behavior analysis

Objective

  • To give the malicious software the most comfortable environment to run in

    • The focus is to study the sample from a network perspective so that better detection signatures and rules can be written

First run – Lab configuration

  • Windows XP SP2 – VirtualBox

    • Network configuration – Attached to Internal Network

    • Static IP address – 169.254.236.200, Gateway – 169.254.236.100

    • Snapshot taken – Network configuration in place, BGInfo giving the network information on the wallpaper

      • Malware is running on this system

  • Debian 7.06 – LXDE

    • Network configuration – Attached to Internal Network

    • Static IP address – 169.254.236.100

      • Wireshark capturing data

First run – Running of the exec

  1. Malware is run. Fifteen to twenty seconds after the malware is run, the malicious traffic attempts start.

  2. Then (and this seems to have happened only one other time during dynamic analysis (run, watch, restore)) it calls out to the following IPs.

    • 174.16.157.26

    • 130.37.198.90

    • 203.80.102.213

    • 88.68.117.47

    • 75.99.113.250

    • 184.166.216.26

    • 212.235.62.68

    • 172.245.217.122

    • 24.231.61.81

    • 27.110.203.125

    • 221.193.254.122

    • 183.87.238.127

    • 198.50.128.48

    • 82.127.150.123

    • 85.64.52.205

    • 24.78.17.137

    • 79.119.228.199

    • 219.77.136.199

    • 76.234.37.14

  3. Malware attempts to look for www.google.com and then www.bing.com

    • Which two sites are most likely to be allowed through any corporate web filtering and be seen as “normal activity”?

  4. Next the domain generation algorithm calls begin.

  5. Somewhere in the mix, connections to the hard coded IPs are attempted in between bursts of DGA domain lookups.

  6. Infected system was restored.

(Screenshot: First_Run-Part1)

First run – Observations

  1. There is a short delay between when the malware is run and when the network activity starts

  2. The initial run included hard coded IP addresses in the chain of events

    1. Hard coded IPs

    2. Google and Bing

    3. DGA domains

  3. A domain generation algorithm is clearly in use, as the domains looked random rather than following any recognizable pattern

    1. Across two separate runs, it didn’t seem to repeat a domain.
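As an added example (not code from the original post), here is one way to put numbers behind the “didn’t seem to follow a pattern” and “didn’t repeat” observations: score each queried name with a generic length / character-entropy / vowel-ratio heuristic, and intersect the DGA candidates from two runs. The domains are the ones printed in this post’s captures further down; their split into “run 1” and “run 2” is constructed, and the thresholds are assumptions tuned to this sample, not Zeus’s actual generation algorithm.

```python
"""Score DNS query names for DGA-like randomness and check for repeats
across runs.  Added example, not from the post; the heuristic (label
length, Shannon entropy, vowel ratio) is a generic one, not the sample's
real algorithm.  Domains are those shown in the post's captures; the
"run 1" / "run 2" split is constructed for illustration."""
import math
from collections import Counter

RUN_1 = [
    "www.google.com", "www.bing.com",
    "pzydvgtkzpeirkfexpjaxrgmfd.info",
    "tkwkwytytkfxwnjroobaxqjrvxc.info",
    "xzpqfulpylfahymnyhylgqckn.org",
]
RUN_2 = [
    "www.google.com", "www.bing.com",
    "uwktplrdspftceipjkfpo.net",
    "pvmjrwdadiztoyxbagbqwohinovcm.com",
    "aulbbiwslxpvvphxnjij.biz",
]

VOWELS = set("aeiou")


def registrable_label(fqdn):
    """Label left of the TLD, e.g. 'google' for www.google.com.  Assumes a
    single-label TLD (.com, .biz, ...), which holds for this sample."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_features(fqdn):
    label = registrable_label(fqdn)
    return {
        "label": label,
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": round(sum(ch in VOWELS for ch in label) / len(label), 3),
    }


def looks_like_dga(fqdn, min_len=16, min_entropy=3.5, max_vowels=0.35):
    """Long second-level label, high character entropy, few vowels.  The
    thresholds are assumptions tuned to this sample, not a general model."""
    f = dga_features(fqdn)
    return (f["length"] >= min_len and f["entropy"] >= min_entropy
            and f["vowel_ratio"] <= max_vowels)


def dga_candidates(queries):
    return sorted({q for q in queries if looks_like_dga(q)})


def repeated_across_runs(*runs):
    """DGA names seen in more than one run; an empty set means the
    algorithm produced a fresh list each time, as observed in the post."""
    sets = [set(dga_candidates(r)) for r in runs]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    for q in RUN_1 + RUN_2:
        print(f"{q:36} {dga_features(q)}  dga={looks_like_dga(q)}")
    print("repeated across runs:", repeated_across_runs(RUN_1, RUN_2))
```

On these inputs every DGA-looking name scores between roughly 3.6 and 4.3 bits of entropy with under a quarter vowels, Google and Bing fall far below the length threshold, and the intersection between the two runs is empty, which is the same conclusion the eyeballing above reached. Feeding it the DNS request list from a full pcap (tshark -T fields -e dns.qry.name) scales the same check to thousands of queries.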

Second run – lab configuration

  • Windows XP SP2 – VirtualBox

    • Network configuration – Attached to Host-only adapter

    • DHCP IP address – 192.168.56.102

    • Snapshot taken – Network configuration in place, BGInfo giving the network information on the wallpaper

      • Malware is running on this system

  • Debian 7.06 – LXDE

    • Network configuration – Attached to Host-only adapter

    • DHCP IP address – 192.168.56.103

      • Wireshark capturing data

    • INetSim running

      • Default configuration

      • www.google.com cloned locally

        • This was an attempt to see how the malware acts once it can reach Google first (since the first run the first domain it tried to call was Google)

Second run – Running of the exec

  1. Malware is run. Fifteen to twenty seconds after the malware is run, the malicious traffic attempts start.

  2. DNS request for www.google.com returns 192.168.56.103 (Debian system)

  3. The HTTP GET request to www.google.com is sent

(Screenshot: Second_Run-Part1)

  1. After a number of HTTP GETs, it starts sending HTTP POSTs

(Screenshot: Second_run-Part2)

Second run – Observations

  1. After a number of HTTP GETs, it starts sending an HTTP POST every few requests. Is it hard coded to POST only to specific domains?

  2. Running INetSim and pointing all DNS requests at one system makes for a somewhat confusing PCAP.

    1. This is why the set up in the third run is a bit more expanded.

Third run – lab configuration

  • Windows XP SP2 – VirtualBox (infected host)

    • Network configuration – Attached to Internal Network

    • Static IP address – 169.254.236.200, DNS – 192.168.56.2, Gateway – 169.254.236.100

    • Snapshot taken – Network configuration in place, BGInfo giving the network information on the wallpaper

      • Malware is running on this system

  • Debian 7.06 – LXDE – VirtualBox (capture traffic, run INetSim – Google.com)

    • Network configuration Attached to Internal Network

    • Static IP address – 169.254.236.100

    • Network configuration Attached to Host-only adapter

    • DHCP IP address – 192.168.56.101

  • Remnux – VirtualBox (run INetSim – one of the DGA’s)

    • Network configuration Attached to Host-only adapter

    • DHCP IP address – 192.168.56.102

  • Remnux – VirtualBox (run INetSim – one of the DGA’s)

    • Network configuration Attached to Host-only adapter

    • DHCP IP address – 192.168.56.103

  • Ubuntu Server – VirtualBox (running BIND pointing to all of the above servers)

    • Network configuration Attached to Host-only adapter

    • Static IP address – 192.168.56.2

Third run – Running of the exec

I’ll be honest, this was a bit of a flop. I tried running some analysis on the domain generation algorithms from multiple runs to see if there was a potentially repeating URL.

It didn’t work. (The malware didn’t try to call out to one of the hard coded URLs.)

I also ran a few packet captures in attempts to find any particular URLs that initiated a HTTP POST after running the HTTP GET. I was going to hard code two particular DGA URLs to a particular zone on the BIND server.

It didn’t work. (The malware didn’t try to call out to one of the hard coded URLs.)

So, I have no packets to display on this one. Well, nothing like you haven’t seen before higher up in this.

Third run – Observations

  1. Attempting to use a DNS server and trying to find the one or two magic URLs to get lucky and have the malware call out to it is a bit of a stretch. (I did learn a lot about BIND servers FWIW.)

  2. I had previously tried running FakeDNS to point it to multiple machines with no luck. My original thought “if I’m having problems with FakeDNS, why not make a real DNS server” was a bit of a stretch, but, lessons learned are never a bad thing.

  3. When in doubt, punt.

    1. I sent out the #Misec distress call on Twitter since I had thoroughly hit the wall with the level of complexity I was trying to accomplish with the BIND server (one IP address tied to multiple DGA URLs). So @jwgoerlich, being part Nick Fury and part good Terminator sent from the future, pointed me in the direction of @ninjasl0th, who pointed me to a fantastic tool called DNSChef from @_iphelix (home page – https://thesprawl.org/). Thanks guys!!

    2. And this leads to…. (the final run for this part…. for now…. )

Fourth run – lab configuration

  • Windows XP SP2 – VirtualBox (infected host)

    • Network configuration – Attached to Internal Network

    • Static IP address – 169.254.236.200, DNS – 192.168.56.102, Gateway – 169.254.236.100

    • Snapshot taken – Network configuration in place, BGInfo giving the network information on the wallpaper

      • Malware is running on this system

  • Debian 7.06 – LXDE – VirtualBox

    • Network configuration – Attached to Internal Network

    • Static IP address – 169.254.236.100

    • Network configuration – Attached to Host-only adapter

    • DHCP IP address – 192.168.56.101

      • capture traffic

  • Remnux – VirtualBox

    • Network configuration – Attached to Host-only adapter

    • DHCP IP address – 192.168.56.102

      • INetSim – standard configuration (minus DNS)

      • DNSChef
        • ./dnschef.py --interface 192.168.56.101 --fakeip 192.168.56.101
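What the third run tried to coax out of BIND (one address for every DGA domain) is exactly what --fakeip does: answer every A query with the same IP so the sample lands on the INetSim box no matter what name it generates. The following is an added example, not code from the original post and not DNSChef’s own implementation, of that trick in plain Python. It assumes the fake IP 192.168.56.101 from the command above, handles only uncompressed single-question queries (what a Windows stub resolver sends), and answers non-A queries with an empty NOERROR response. Listening on UDP/53 requires root.

```python
"""Minimal DNS sinkhole in the spirit of DNSChef --fakeip: every A query
gets the same answer.  Added example, not from the post and not DNSChef's
code.  FAKE_IP mirrors the post's lab; the demo query is constructed."""
import socket
import struct

FAKE_IP = "192.168.56.101"   # the INetSim box in the post's lab (assumption)
QTYPE_A = 1


def encode_name(fqdn):
    """'www.google.com' -> b'\\x03www\\x06google\\x03com\\x00'."""
    out = b""
    for label in fqdn.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset):
    """Read an uncompressed QNAME; returns (name, offset after the name)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(fqdn, txid=0x1234, qtype=QTYPE_A):
    """A standard recursive query, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(fqdn) + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, off = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, qname, qtype, packet[12:off + 4]


def build_response(packet, fake_ip=FAKE_IP, ttl=60):
    """Answer any A query with fake_ip; other types get an empty NOERROR."""
    txid, _qname, qtype, question = parse_query(packet)
    answers, ancount = b"", 0
    if qtype == QTYPE_A:
        # 0xC00C is a compression pointer to the name in the question section
        answers = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, ttl, 4)
        answers += socket.inet_aton(fake_ip)
        ancount = 1
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)  # QR,RD,RA
    return header + question + answers


def answered_ip(response):
    """Extract the A record from a response built above (None if no answer)."""
    if struct.unpack("!H", response[6:8])[0] == 0:
        return None
    _, off = decode_name(response, 12)
    off += 4                       # skip the question's QTYPE and QCLASS
    return socket.inet_ntoa(response[off + 12:off + 16])  # after the 12-byte RR head


def serve(bind_ip, fake_ip=FAKE_IP, port=53):
    """Blocking UDP loop, the equivalent of the dnschef command above."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, client = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data, fake_ip), client)
        except (ValueError, IndexError):
            continue               # malformed or not a query; stay quiet


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "--serve":
        serve(sys.argv[2] if len(sys.argv) > 2 else FAKE_IP)
    else:
        demo = build_query("pzydvgtkzpeirkfexpjaxrgmfd.info")
        print("sinkhole answer:", answered_ip(build_response(demo)))
```

Point the infected guest’s DNS at the box running this and every DGA lookup in the capture resolves to the INetSim host, so the HTTP side can be studied without guessing domains in advance. The thing it deliberately does not do is forward anything upstream, which is the right default for a sample that also carries hard coded C2 addresses.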

Fourth run – Running of the exec

  1. Malware is run. Fifteen to twenty seconds after the malware is run, the malicious traffic attempts start.

  2. Connection attempts are made to the hard coded IP addresses listed in the first run.

      • 174.16.157.26

      • 130.37.198.90

      • 203.80.102.213

      • 88.68.117.47

      • 75.99.113.250

      • 184.166.216.26

      • 212.235.62.68

      • 172.245.217.122

(Screenshot: Fourth_run-Part1)

  1. The HTTP GET and POST requests start

(Screenshot: Fourth_run-Part2)

Fourth run – observations

  1. As observed in a previous packet capture, after certain HTTP GET requests the next packet is an HTTP POST

First packet

GET / HTTP/1.1

Accept: */*

Accept-Language: en-us

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: pzydvgtkzpeirkfexpjaxrgmfd.info

Connection: Close

HTTP/1.1 200 OK

Server: INetSim HTTP Server

Connection: Close

Content-Length: 258

Content-Type: text/html

Date: Mon, 02 Jun 2014 01:11:50 GMT

Second packet

POST /write HTTP/1.1

Host: default

Accept-Encoding:

Connection: close

Content-Length: 340

X-ID: 1414

HTTP/1.1 200 OK

Server: INetSim HTTP Server

Connection: Close

Content-Length: 258

Content-Type: text/html

Date: Mon, 02 Jun 2014 01:11:51 GMT

  1. I created a write folder in the following location on the Remnux system but nothing was written to it.

    • /var/lib/inetsim/http/wwwroot/
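Two things in the exchange above are detection gold regardless of which domain the algorithm produced that day: the GET carries a hard coded IE6 user agent (Suricata flags it below), and the POST that follows a second later goes to /write with Host: default (not a hostname at all), an empty Accept-Encoding header and a custom X-ID header. The following is an added example, not code from the original post or from any IDS ruleset, that parses raw request heads and pairs a probe GET with a beacon POST from the same client. The two requests are the ones printed above; the timestamps come from the INetSim Date headers and the client address from the lab config, and the third event is a constructed control. One caveat on the wwwroot check: INetSim serves files from wwwroot but does not write uploads there; by default it saves POST bodies under /var/lib/inetsim/http/postdata, and the 340 bytes are also recoverable from the pcap itself.

```python
"""Detect the GET-then-POST beacon pattern from the fourth run.

Added example, not from the post or any IDS ruleset.  The two requests are
the ones shown in the post; their timestamps (from the INetSim Date
headers), the client IP and the third control event are constructed."""
from datetime import datetime, timedelta

IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Constructed event stream: (time, client, raw request head)
EVENTS = [
    (datetime(2014, 6, 2, 1, 11, 50), "169.254.236.200",
     "GET / HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\n"
     "User-Agent: " + IE6_UA + "\r\nHost: pzydvgtkzpeirkfexpjaxrgmfd.info\r\n"
     "Connection: Close\r\n\r\n"),
    (datetime(2014, 6, 2, 1, 11, 51), "169.254.236.200",
     "POST /write HTTP/1.1\r\nHost: default\r\nAccept-Encoding:\r\n"
     "Connection: close\r\nContent-Length: 340\r\nX-ID: 1414\r\n\r\n"),
    # control: same UA to a real site, no POST follows
    (datetime(2014, 6, 2, 1, 12, 30), "169.254.236.200",
     "GET / HTTP/1.1\r\nUser-Agent: " + IE6_UA + "\r\nHost: www.google.com\r\n"
     "Connection: Close\r\n\r\n"),
]


def parse_request(raw):
    """Split a request head into method, path and lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def is_probe_get(req):
    """The connectivity-check GET: hard coded IE6 UA, any host."""
    return req["method"] == "GET" and req["headers"].get("user-agent") == IE6_UA


def is_beacon_post(req):
    """POST with X-ID, a Host that is not a hostname, an empty
    Accept-Encoding header and no user agent at all."""
    h = req["headers"]
    return (req["method"] == "POST"
            and "x-id" in h
            and "." not in h.get("host", "")
            and h.get("accept-encoding") == ""
            and "user-agent" not in h)


def find_beacons(events, window=timedelta(seconds=5)):
    """Pair each beacon POST with the most recent probe GET from the same
    client inside `window`; returns one finding per pair."""
    findings, last_get = [], {}
    for t, client, raw in events:
        req = parse_request(raw)
        if is_probe_get(req):
            last_get[client] = (t, req["headers"].get("host"))
        elif is_beacon_post(req) and client in last_get:
            t0, host = last_get[client]
            if t - t0 <= window:
                findings.append({
                    "client": client,
                    "probe_host": host,
                    "post_path": req["path"],
                    "x_id": req["headers"]["x-id"],
                    "gap_s": (t - t0).total_seconds(),
                })
    return findings


if __name__ == "__main__":
    for f in find_beacons(EVENTS):
        print(f"{f['client']}: GET {f['probe_host']} then POST {f['post_path']} "
              f"(X-ID {f['x_id']}) after {f['gap_s']:.1f}s")
```

To run it over a real capture, export request heads with tshark (-Y http.request -T fields -e frame.time_epoch -e ip.src -e http.request.line) and feed them into EVENTS; the header predicates do not depend on the domain, so they keep working as the DGA rolls over.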

This concludes (for now) my network behavioral analysis of this variant.

On an interesting side note, I submitted one of the pcaps I captured to VirusTotal. Here are the results.

  1. VirusTotal pcap submission

PCAP file! The file being studied is a network traffic capture, when studying it with intrusion detection systems Snort triggered 8 alerts and Suricata triggered 4 alerts.

Wireshark file metadata

File encapsulation Ethernet

Number of packets 5371

Data size 8960017 bytes

Start time 2014-05-01 03:54:09

File type Wireshark – pcapng

End time 2014-05-01 03:57:01

Capture duration 172 seconds

HTTP requests

[+] GET http://www.google.com/

Request datetime 2014-05-01 03:55:35.136400

Request user-agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Contacted host 192.168.56.103:80

Server response code 200

Response content sha256 c9d1b14e2548d2fe84274c8df1c2bbc2f3c4e30ee7327cebe162dc961775fa7c

Response content file type HTML document, ASCII text, with very long lines

[+] GET http://tkwkwytytkfxwnjroobaxqjrvxc.info/

Request datetime 2014-05-01 03:55:36.674263

Request user-agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Contacted host 192.168.56.103:80

Server response code 200

Response content sha256 69d8d2589495cc1de8dbda6a35a21dc273fa64811213050702096d8efbfa9103

Response content file type HTML document, ASCII text, with very long lines

[+] GET http://xzpqfulpylfahymnyhylgqckn.org/

Request datetime 2014-05-01 03:55:38.211770

Request user-agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Contacted host 192.168.56.103:80

Server response code 200

Response content sha256 69d8d2589495cc1de8dbda6a35a21dc273fa64811213050702096d8efbfa9103

Response content file type HTML document, ASCII text, with very long lines

[+] GET http://uwktplrdspftceipjkfpo.net/

Request datetime 2014-05-01 03:55:39.749917

Request user-agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Contacted host 192.168.56.103:80

Server response code 200

Response content sha256 69d8d2589495cc1de8dbda6a35a21dc273fa64811213050702096d8efbfa9103

Response content file type HTML document, ASCII text, with very long lines

[+] GET http://pvmjrwdadiztoyxbagbqwohinovcm.com/

Request datetime 2014-05-01 03:55:41.300534

Request user-agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Contacted host 192.168.56.103:80

Server response code 200

Response content sha256 69d8d2589495cc1de8dbda6a35a21dc273fa64811213050702096d8efbfa9103

Response content file type HTML document, ASCII text, with very long lines

DNS requests

aulbbiwslxpvvphxnjij.biz 192.168.56.103

demrkpworsoblppffydpvlbht.biz 192.168.56.103

kbyhhatcculbpjnjbpfirairwtgc.biz 192.168.56.103

lbaybazlntrcwkvsxxchskwkkb.biz 192.168.56.103

nvgmytbewxtomrkhatokhl.biz 192.168.56.103

Snort alerts (Sourcefire VRT ruleset)

INDICATOR-COMPROMISE Suspicious .ru dns query (A Network Trojan was Detected)

MALWARE-CNC Win.Trojan.Zeus outbound connection (A Network Trojan was Detected)

MALWARE-CNC Win.Trojan.Zeus variant outbound connection attempt (A Network Trojan was Detected)

MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected (A Network Trojan was Detected)

MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected (A Network Trojan was Detected)

MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected (A Network Trojan was Detected)

MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected (A Network Trojan was Detected)

MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected (A Network Trojan was Detected)

Suricata alerts (Emerging Threats ETPro ruleset)

ET TROJAN Possible Zeus GameOver Connectivity Check (A Network Trojan was Detected)

ET POLICY Reserved Internal IP Traffic (Potentially Bad Traffic)

ET USER_AGENTS Internet Explorer 6 in use – Significant Security Risk (Potential Corporate Privacy Violation)

ET TROJAN Zeus GameOver Checkin (A Network Trojan was Detected)

Final

If you wish to see the packet captures, you can grab them from my Google drive folder I shared.

#Facepalm or #malwarefail (you pick, too funny not to share)

As I am winding down after having a great day with my two sons, I’m in my lab wanting to do some studying. I end up doing a search online for I can’t remember what. (It’s been a long day and it’s 1:00am and I was asleep 30 minutes ago.) I stumble upon a site that gives me a redirect to this….

(Screenshot: malwarefail)

Only one word came to mind…

So, of course I download, after all, my Microsoft Linux Version 7 needed a driver update and I’ll be damned if I’m going to let sleep get in my way.

Since it is late, I submitted the file to Malwr.com, an online front end to Cuckoo Sandbox run by the ShadowServer Foundation.

https://malwr.com/analysis/ZDI0NDdiYjRlOTg4NGFmOTg5NTY2ZTQzOGExYmVlZGU/

This one may be worthy of sacrificing an old Compaq, load it up with Microsoft Linux 7 and see what happens.