Saturday, November 18, 2017

Looking to expand your knowledge on Intrusion Detection or Incident Handling, Hacker Techniques and Exploits? Then come hang out at one of my upcoming classes to learn more!

Upcoming Courses Taught By Nik Alleyne
Type            Course / Location                                                  Date
Community SANS  Community SANS Annapolis Junction SEC504, Annapolis Junction, MD   Jan 29, 2018 - Feb 3, 2018
Community SANS  Community SANS Pensacola SEC503, Pensacola, FL                     Feb 19, 2018 - Feb 24, 2018
Community SANS  Community SANS Baltimore SEC503, Baltimore, MD                     Mar 12, 2018 - Mar 17, 2018
Community SANS  Community SANS Columbia SEC503, Columbia, MD                       Aug 13, 2018 - Aug 18, 2018

*Course contents may vary depending upon location, see specific event description for details.

Learning about malware persistence through the lens of IMWorm leveraging “Regshot”

In this series of posts, I’m continuing the Open Security Training materials, with this set of posts being more focused on the Malware Analysis class.

You may find reviewing the material from Open Security more beneficial. However, if you do choose to stick with this, I hope you find it helpful.

In this post, we will be learning about the persistence mechanism used by IMWorm. We will leverage RegShot to expand our understanding of IMWorm’s persistence.

Similar to the previous post, in which we leveraged Autoruns and took an initial snapshot of the system, we will once again start off with an initial snapshot, this time with Regshot. The screenshot below shows the initial or “1st shot” being taken. This snapshot will then be compared with another, which will be taken after execution of IMWorm.

 

The next step was to execute “IMWorm” and take the “2nd shot”, then compare the two results. The screenshot below shows the second shot being taken:
 
Now that the second shot is taken, it’s time to “Compare” the “1st shot” and “2nd shot”, as shown below:
 

The comparison produced the following:

Created with Regshot 1.9.0 x86 ANSI
Comments: SecurityNik - Before IMWorm Snapshot
Datetime: 2017/8/6 03:55:40 , 2017/8/6 03:59:55
Computer: SECURITYNIK-XP , SECURITYNIK-XP
Username: SecurityNik , SecurityNik

Keys added: 13
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\SOFTWARE\Microsoft\DownloadManager
HKLM\SOFTWARE\Policies\Microsoft\Windows NT
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Policies\Microsoft\Internet Explorer
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo\pager
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo\pager\View
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo\pager\View\YMSGR_buzz
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo\pager\View\YMSGR_Launchcast

Values added: 17
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions: 0x00000001
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Grzc\znyjner-fnzcyrf_cnffjbeq-vf-vasrpgrq\VZjbez\znyjner.rkr: 03 00 00 00 06 00 00 00 A0 58 31 1C 68 0E D3 01
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings: 3C 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 92 D5 1D 68 0E D3 01 01 00 00 00 0A 00 00 65 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 92 D5 1D 68 0E D3 01 01 00 00 00 0A 00 00 65 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Temp\malware-samples_password-is-infected\IMworm\malware.exe: "malware"
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-22914: "Contains letters, reports, and other documents and files."
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31253: "Moves the selected items to the Recycle Bin. If you want to recover them later, go to the Recycle Bin."
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31371: "Sends an e-mail message with copies of the selected files, or the files within a selected folder."
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel\Homepage: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo\pager\View\YMSGR_buzz\content url: "http://quicknews.info/"
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo\pager\View\YMSGR_Launchcast\content url: "http://quicknews.info/"

Values modified: 6
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 7A A3 C4 33 88 E3 52 BA 76 54 40 CA 16 B2 06 3E 17 99 12 EF EA 15 6D 37 EB 89 A7 FE 65 59 6E 02 CA 1C EF 55 F9 47 AF EC C4 98 C3 57 64 21 1E 89 01 51 D2 C0 40 BF F8 09 E9 00 DB CC 98 61 F9 A2 AB 45 BC 4E 9D DA 0D 0D 1A 44 C0 FD 95 61 38 4E
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: DB D4 00 37 7D 70 20 A5 C2 75 A2 84 A7 6F AE B5 C3 0B 07 57 BF FA 82 C6 31 20 60 85 52 58 87 E8 1E A5 0C 4C C8 82 61 81 2C 61 82 E4 17 F9 22 ED 61 A6 FD 3B 7F 47 8F B8 E9 7C E0 AF 75 0B F7 7E AB 11 F9 4A 38 9B 83 4F 6A B3 7C 80 35 B5 0F 24
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "explorer.exe C:\WINDOWS\system\lsass.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "userinit.exe,C:\WINDOWS\system\lsass.exe"
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Internet Explorer\Main\Start Page: "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Internet Explorer\Main\Start Page: "http://quicknews.info/"
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 03 00 00 00 0F 00 00 00 A0 0C C3 F6 65 0E D3 01
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 03 00 00 00 10 00 00 00 A0 58 31 1C 68 0E D3 01
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy: 0x00000000
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy: 0x00000001

Files added: 4
C:\WINDOWS\Prefetch\LSASS.EXE-0551E7A6.pf
C:\WINDOWS\Prefetch\MALWARE.EXE-03900DB2.pf
C:\WINDOWS\system\lsass.exe
C:\WINDOWS\lsass.exe

Files [attributes?] modified: 3
C:\WINDOWS\system32\CatRoot2\edb.chk
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
C:\WINDOWS\system32\config\software.LOG

Total changes: 43

Deviating from the persistence mechanism for a second to identify some other interesting points, we see the following.

From above, we see that 13 Registry “Keys” were added. If we were to look at the last 2 of the 13 entries in more detail, we see they both have a value of “content url REG_SZ  http://quicknews.info/”, as shown below:

 
Focusing on the “Values added”, the ones that stand out immediately are …
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions: 0x00000001

This corresponds to the policy “Remove the Folder Options menu item from the Tools menu”. If we remember, in the previous post we were unable to view the folder options. This was the reason why.


… and …
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun: 0x00000001

This corresponds to the policy “Remove the Run menu item from the Start menu”.

… and …
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools: 0x00000001

This corresponds to the policy “Disable Registry Editing tools”. If we remember, in the previous post we were unable to run “regedit”.


HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 0x00000001

This corresponds to the policy “Disable Task Manager”.


Going back to the persistence mechanism, we see:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "explorer.exe C:\WINDOWS\system\lsass.exe"

In the first entry we saw only “Explorer.exe”; in the second entry, we also see “C:\WINDOWS\system\lsass.exe”. The “Shell” value specifies the program which provides the user interface, and it is started by the program named in the “Userinit” value shown below.



HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "userinit.exe,C:\WINDOWS\system\lsass.exe"

Similarly, in the first entry we have "C:\WINDOWS\system32\userinit.exe," and in the second entry “C:\WINDOWS\system\lsass.exe” has been appended.

The “Userinit” entry specifies which programs get executed upon user logon.


From the “Values modified” section we see below that the Internet Explorer home page has changed from …
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Internet Explorer\Main\Start Page: "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"


… to
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Internet Explorer\Main\Start Page: "http://quicknews.info/"



From the “Files added” section, we see 4 files were added. 2 of these are related to prefetch entries, while the other 2 are related to “IMWorm”. These files are:
C:\windows\system\lsass.exe
C:\windows\lsass.exe

Ok! That’s enough for this entry.



Learning about malware persistence through the lens of “Hydraq” Malware

In this series of posts, I’m continuing the Open Security Training materials, with this set of posts being more focused on the Malware Analysis class.

You may find reviewing the material from Open Security more beneficial. However, if you do choose to stick with this, I hope you find it helpful.

In the first post, we learned about the persistence mechanism through the registry. In the second post, we saw persistence through both the registry and the “Startup” folder. In this post, we will learn about persistence through Windows Services. This will be achieved by analyzing Hydraq.

Since I’m already aware that Hydraq deletes itself upon launch, I’ve gone ahead and set up “ProcessHacker” to watch process creation. Below is a snapshot from before execution. In this snapshot, we see the malware is listed in “Windows Explorer”.


… and here is a snapshot after execution.

As can be seen above, the “malware.exe” process got created and then immediately deleted itself (malware.exe in red). It then created a new “svchost.exe” process (svchost.exe in green) with PID “1448”. Creating another “svchost.exe” process allows it to blend in quite easily.

Additionally, as seen in the lower right-hand corner, a service also got created with the name “UpsQjd”.

Taking a look at an AutoRuns comparison before and after execution, we see below that a service has been registered as “RaS4mg6” and leverages a DLL with the path “C:\WINDOWS\system32\Rasmon.dll”.


Files added: 2

C:\WINDOWS\Prefetch\MALWARE.EXE-2391A9A8.pf
C:\WINDOWS\system32\Rasmon.dll


Looking at the entries added via the registry we see:
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPSQJD\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPSQJD\0000\Service: "UpsQjd"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPSQJD\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPSQJD\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPSQJD\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPSQJD\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPSQJD\0000\DeviceDesc: "UpsQjd"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPSQJD\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPSQJD\0000\Control\ActiveService: "UpsQjd"

From above we see the service “UpsQjd” is being created in the registry. Leveraging “reg query”, we see the following output:

This also corresponded to:


The funny thing, though, is that this service does not have any binary path, as shown below:
Except for a few services of type “Driver” or “FS driver”, every other service had a “Binary Path”. The snapshot below shows that for the “Share process” type, all services had a “binary path” except “UpsQjd”.

The above definitely stands out.

Additionally, the following keys were created:
HKLM\SYSTEM\ControlSet001\Services\RaSQjdO\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\RaSQjdO\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\RaSQjdO\Type: 0x00000020
HKLM\SYSTEM\ControlSet001\Services\RaSQjdO\ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs"
HKLM\SYSTEM\ControlSet001\Services\RaSQjdO\ObjectName: "LocalSystem"
HKLM\SYSTEM\ControlSet001\Services\RaSQjdO\Parameters\ServiceDll: "c:\windows\system32\rasmon.dll"
HKLM\SYSTEM\ControlSet001\Services\RaSQjdO\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00

This corresponds to:

However, while “UpsQjd” had a corresponding entry in the services list, the service “RaSQjdO” has no readily visible entry, as shown below:


However, if we pay closer attention to the information above, we can see the line “HKLM\SYSTEM\ControlSet001\Services\RaSQjdO\ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs"”. What this tells me is that while the process may start with its own “svchost.exe” process, currently with PID “1448”, it becomes part of the “netsvcs” group upon reboot.

Looking at the current “netsvcs” group, we see no trace of “RaSQjdO” as shown below:


However, if we look at the “netsvcs” group for “svchost”, we see:
C:\>reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\svchost" /v netsvcs
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\svchost
    netsvcs     REG_MULTI_SZ    6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0RaSQjdO\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0napagent\0hkmsvc\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0

As we can see above, upon reboot the malware will migrate from its current “svchost” to another “svchost”. Without a doubt, this level of persistence makes it difficult for anyone to easily detect.

Time to move on …
… but before we move on, let’s reboot and see if the malware is truly part of the “svchost” that manages the group “netsvcs”.


As can be seen above, the malware has truly migrated to a different “svchost”.

Time to move on.

That’s all for this post.


Monday, September 25, 2017

Learning about malware persistence through the lens of “Parite” Malware

In this series of posts, I’m continuing the Open Security Training materials, with this set of posts being more focused on the Malware Analysis class.

You may find reviewing the material from Open Security more beneficial. However, if you do choose to stick with this, I hope you find it helpful.

In this, the final post in the series, we are looking at persistence through the lens of the Parite malware.

While in the previous blog posts we saw that the malware deleted itself and created new processes, or became a process loaded by “svchost.exe”, in the case of Parite the malware deletes itself like the others. However, unlike the others, it does not create a new process.

While reviewing this in Process Hacker, it was noticed that “malware.exe” gets loaded and is immediately deleted. The image below shows the process being deleted.


Since we are unable to track the process creation above, we need to verify through other methods what the malware is doing. Fortunately, we also have Autoruns.exe, which allows us to compare autorun entries, along with the snapshot of our registry via RegShot.

Conducting the first set of analysis via Autoruns, we see a startup registry value “fmsiocps c:\windows\fmsiocps.exe” has been added to “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”. Additionally, we see that the Registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls” now has the value “fmsiocps.dll c:\windows\system32\fmsiocps.dll”.

Looking at Regshot output, we see key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tqat.exe” was added. This corresponds to:

From above, we see that the “tqat.exe” executable will be launched under the debugger.

We also see additional keys from Regshot as shown below:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmsiocps: "C:\WINDOWS\fmsiocps.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tqat.exe\Debugger: "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: "fmsiocps.dll"

The final line shows the value "fmsiocps.dll" now associated with the “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs” key.

The AppInit_DLLs registry entry will be used to load "fmsiocps.dll" into every user-mode process. Now isn’t that some serious power to have?
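As an added example (not code from the original posts), the following Python triages a Regshot comparison report of the kind quoted in this series for the autostart locations the posts walk through: Winlogon Shell/Userinit (IMWorm), a service's ImagePath and Parameters\ServiceDll (Hydraq), and the Run key, IFEO Debugger and AppInit_DLLs values (Parite), plus new files carrying a core system binary's name outside system32. The REPORT text is a constructed excerpt in Regshot's text layout reusing values quoted above; the rule list and the set of system binary names are the example's own assumptions.

```python
"""Triage a Regshot comparison report for persistence-related changes. Added example, not from
the original posts; REPORT is a constructed excerpt in Regshot's 'Section: N' / 'path: data' layout."""
import re
from collections import defaultdict

REPORT = r"""Values added: 4
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmsiocps: "C:\WINDOWS\fmsiocps.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tqat.exe\Debugger: "ntsd -d"
HKLM\SYSTEM\ControlSet001\Services\RaSQjdO\Parameters\ServiceDll: "c:\windows\system32\rasmon.dll"

Values modified: 2
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "explorer.exe C:\WINDOWS\system\lsass.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "userinit.exe,C:\WINDOWS\system\lsass.exe"

Files added: 2
C:\WINDOWS\system\lsass.exe
C:\WINDOWS\lsass.exe
"""

# Autostart and tool-disabling locations the posts show being abused: (regex on value path, label).
PERSISTENCE_RULES = [
    (r"\\Winlogon\\(Shell|Userinit)$", "Winlogon Shell/Userinit"),
    (r"\\CurrentVersion\\Run(Once)?\\", "Run key"),
    (r"\\Windows\\AppInit_DLLs$", "AppInit_DLLs"),
    (r"\\Image File Execution Options\\[^\\]+\\Debugger$", "IFEO Debugger"),
    (r"\\Services\\[^\\]+\\(Parameters\\ServiceDll|ImagePath)$", "Service ImagePath/ServiceDll"),
    (r"\\Policies\\(System|Explorer)\\(DisableRegistryTools|DisableTaskMgr|NoRun|NoFolderOptions)$",
     "Tool-disabling policy"),
]
# Assumed set of core binary names; a new file so named outside system32 (IMWorm's lsass.exe) is suspect.
SYSTEM_BINARIES = {"lsass.exe", "svchost.exe", "csrss.exe", "services.exe", "winlogon.exe"}
SECTION_RE = re.compile(r"^(Keys|Values|Files)(?: \[attributes\?\])? (added|deleted|modified): \d+$")

def parse_report(text):
    """Return {'values added': [(path, data), ...], ...}; data is None for keys and files."""
    sections, current = defaultdict(list), None
    for line in (raw.rstrip() for raw in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}".lower()
        elif not line:
            current = None  # sections are blank-line separated; this also skips the header block
        elif current and current.startswith("files"):
            sections[current].append((line, None))
        elif current:
            path, sep, data = line.partition(": ")  # Regshot puts ': ' between value path and data
            sections[current].append((path, data if sep else None))
    return sections

def pair_modified(entries):
    """Regshot lists a modified value twice, old data then new; fold into (path, old, new)."""
    pairs, pending = [], {}
    for path, data in entries:
        if path in pending:
            pairs.append((path, pending.pop(path), data))
        else:
            pending[path] = data
    return pairs

def classify(path):
    """Label of the first persistence rule the value path matches, else None."""
    return next((label for rx, label in PERSISTENCE_RULES if re.search(rx, path, re.I)), None)

def triage(text):
    """Return (label, path, before, after) for every persistence-relevant entry in a report."""
    sections, findings = parse_report(text), []
    added = [(path, None, data) for path, data in sections.get("values added", [])]
    for path, old, new in added + pair_modified(sections.get("values modified", [])):
        label = classify(path)
        if label:
            findings.append((label, path, old, new))
    for path, _ in sections.get("files added", []):
        folder, _, name = path.rpartition("\\")
        if name.lower() in SYSTEM_BINARIES and not folder.lower().endswith("\\system32"):
            findings.append(("System binary name outside system32", path, None, None))
    return findings
```

Running `triage(REPORT)` yields eight findings: the four added values, the Shell and Userinit modifications with their before/after data, and the two lsass.exe copies; header lines and unrelated values such as the RNG seed are ignored.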

Running a search in Process Hacker for the "fmsiocps.dll" shows that this DLL has been loaded into 6 applications, which include “FireFox.exe”, “explorer.exe” and even “ProcessHacker.exe” along with 3 others.


At this point, there is no need to go further, as the objective was to demonstrate persistence. By leveraging “AppInit_DLLs”, malicious software has the opportunity to be truly persistent.
References:

Microsoft - Working with the AppInit_DLLs registry value

Wednesday, September 20, 2017

Learning about malware persistence through the lens of IMWorm leveraging “Autoruns”

In this series of posts, I’m continuing the Open Security Training materials, with this set of posts being more focused on the Malware Analysis class.

You may find reviewing the material from Open Security more beneficial. However, if you do choose to stick with this, I hope you find it helpful.

In this post, we will be learning about the persistence mechanism used by IMWorm. We will leverage Sysinternals Autoruns to expand our understanding of IMWorm’s persistence.

To make this analysis a bit easier, I first executed Autoruns and saved the output via the “File” -> “Save” menu to a file called “Before_IMWorm.arn”.

Once I had the saved file, I then executed the IMWorm executable and compared the new Autoruns output to this saved file. To achieve this, I first hit “Refresh”/“F5” within Autoruns. Then, from the “File” -> “Compare” menu item, I selected the file “Before_IMWorm.arn” which was previously created. Once opened, this produced the output shown below:

As shown above, the registry entry ‘"HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /V UserInit’ has the value of “C:\WINDOWS\system\lsass.exe”. Additionally we see the file “msconfig.exe” has been created in the "c:\Documents and Settings\All Users\Start Menu\Programs\Startup".


Let’s try to hunt these down:
First, when I tried to open “regedit” to verify the key, I was unable to do so, and I believe this has something to do with “IMWorm”. The error I got was “Registry editing has been disabled by your administrator”, as shown below:



As a result of this error, I instead leveraged the “reg query” command line tool. This produced the following result:


The example above demonstrates why it is extremely important to know and use more than one tool to solve your problems.

Next up, I attempted to leverage Autoruns to “Jump to Image”. However, Autoruns exited and I was unable to open it. Looking for the file directly under Windows Explorer, I was also unable to find it. Trying to enable the options to show hidden files and file extensions, I noticed those options were not available. I assumed, once again, that this was IMWorm doing its thing.

As a result, I had to go back into the command line with some more command line Kung Fu. At this point I did a “dir” on the folder in question as shown below:


Ooooops!! Looks like nothing is there. Let’s take another shot at this, looking for hidden files. This time we execute the same command, except we append “/A H” to the command above, as shown below:
 
At this point we recognize the file was “hidden” from the default “dir” output.

From above, we see that IMWorm is leveraging both the registry “Run” key and the “Startup” folders for persistence purposes.

Wednesday, September 13, 2017

I Smell A RAT – Learning about Poison Ivy – Live Forensic Analysis

In this series of posts, I’m continuing the Open Security Training materials, with this set of posts being more focused on the Malware Analysis class.

You may find reviewing the material from Open Security more beneficial. However, if you do choose to stick with this, I hope you find it helpful.

In this post we will take a quick pass at some live forensic analysis. See the reference section for some other analysis you may undertake.

First up, I’ll start off with the network by leveraging “netstat” on the “compromised” host. The network information below shows that the host “Securitynik-xp” on source port 1025 has an established connection to host 10.10.10.1 on port 3460.

Now that we have an established connection, let’s see what the PID and owning process of this connection are, by leveraging “netstat -ob” as shown below.

 
Above we see the owning process is “system32:secnik_piv.exe” and it has a PID of 1688.

By looking at the “:” in “system32:secnik_piv.exe” we can conclude that this is more than likely an Alternate Data Stream (ADS).

Doing a “dir c:\windows\system32\secnik*.exe”, we see … basically, the file was not found. In Windows XP there is no immediate way to detect an ADS without third-party tools.

Therefore, let’s leverage Sysinternals “Streams.exe” to identify the ADS in “system32”. The image below shows that “secnik_piv.exe” is embedded in “c:\windows\system32”.
Taking a look at the registry for persistence, we see the key "HKLM\software\Microsoft\windows\CurrentVersion\Run" has the value “SecurityNik_PIvy_Agent      REG_SZ  C:\WINDOWS\system32:secnik_piv.exe”.
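As an added example (not code from the original post), the following Python parses “netstat -o -b” style output into per-connection records and flags owning images whose name still contains a colon once the drive letter is stripped, the ADS tell the post points out in “system32:secnik_piv.exe”; it applies the same test to Run-key values such as the one above. CAPTURE and RUN_VALUES are constructed to mirror the Windows XP output and registry value the post describes, and the column layout the regex expects is the example's own assumption.

```python
"""Spot alternate-data-stream (ADS) hosted images in 'netstat -o -b' style output and in
Run-key values. Added example, not from the original post; CAPTURE and RUN_VALUES are
constructed to mirror the Windows XP netstat layout and the registry value described above."""
import re
from typing import NamedTuple, Optional

CAPTURE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    Securitynik-xp:1025    10.10.10.1:3460        ESTABLISHED     1688
  [system32:secnik_piv.exe]

  TCP    Securitynik-xp:139     Securitynik-xp:0       LISTENING       4
  [System]

  UDP    Securitynik-xp:123     *:*                                    1020
  c:\\windows\\system32\\WS2_32.dll
  [svchost.exe]
"""
# Constructed Run-key values (name -> command), as 'reg query ...\\Run' would list them.
RUN_VALUES = {
    "SecurityNik_PIvy_Agent": r"C:\WINDOWS\system32:secnik_piv.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

# Connection row: proto, local, foreign, optional state (UDP has none), PID. Layout is assumed.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")
IMAGE_RE = re.compile(r"^\s*\[(.+)\]\s*$")  # '-b' prints the owning image in brackets

class Conn(NamedTuple):
    proto: str
    local: str
    remote: str
    state: Optional[str]
    pid: int
    image: Optional[str]   # owning image from the bracketed line, None if not printed
    components: tuple      # DLLs '-b' lists above the image line, if any

def parse_netstat(text):
    """Group each connection row with the component and image lines that follow it."""
    conns, current, components = [], None, []
    def flush(image=None):
        if current:
            conns.append(current._replace(image=image, components=tuple(components)))
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            flush()
            proto, local, remote, state, pid = m.groups()
            current, components = Conn(proto, local, remote, state, int(pid), None, ()), []
        elif (im := IMAGE_RE.match(line)):
            flush(im.group(1))
            current = None
        elif line.strip() and current:
            components.append(line.strip())
    flush()
    return conns

def is_ads_path(path):
    """Windows file names cannot contain ':'. Drop a leading drive spec ('C:\\'); any colon
    left means the data lives in an alternate data stream, e.g. system32:secnik_piv.exe."""
    return ":" in re.sub(r"^[A-Za-z]:(?=[\\/]|$)", "", path)

def ads_connections(text):
    """(pid, image, foreign endpoint, state) for connections owned by an ADS-hosted image."""
    return [(c.pid, c.image, c.remote, c.state)
            for c in parse_netstat(text) if c.image and is_ads_path(c.image)]

def ads_autoruns(values):
    """Run-key entries whose command lives in an ADS, the post's persistence mechanism."""
    return {name: cmd for name, cmd in values.items() if is_ads_path(cmd)}
```

On the constructed capture, `ads_connections` returns only PID 1688 with its 10.10.10.1:3460 endpoint, and `ads_autoruns` returns only the SecurityNik_PIvy_Agent entry; a plain `dir` would show neither file, which is why the post falls back to streams.exe.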
 

Taking a look at ProcessHacker to learn more about the process “system32:secnik_piv.exe”, we see that it was started by “explorer.exe”. We also see that this process has spawned a “cmd.exe” process. If we remember from this post, we were interacting with the “compromised host” via the command shell.
At this point, we can continue to leverage ProcessHacker or even identify additional tools which can assist with our live analysis.

However, we were able to identify its persistence mechanism, which allows it to survive a reboot. At this point we can take the next step, which is to begin the clean-up process.

Let’s start with deleting the persistence mechanism via the registry using “reg delete "HKLM\software\Microsoft\windows\CurrentVersion\Run" /v "SecurityNik_PIvy_Agent"”
We see from the final entry above that "SecurityNik_PIvy_Agent” has been deleted.

Let’s now look at suspending the process “system32:secnik_piv.exe” before we attempt to delete it from the ADS.

Leveraging ProcessHacker once again we first suspend the process … 

… once suspended we then leverage GMER to delete the file as shown below …
If we take a look at “c:\windows\system32:secnik_piv.exe” with Sysinternals “streams.exe”, we see the file no longer exists, as shown below.

Now let’s close this off by terminating the process tree for “system32:secnik_piv.exe”.


At this point, consideration should be given to the fact that the process may be recreated, therefore close attention should be paid to monitoring. Additionally, you may want to monitor the network for traffic known to be associated with Poison Ivy. Restarting the “infected” system is a good way to verify that all is well.