APTish Attack via Metasploit – Part IV – File System Forensics

Welcome back for the final part of my APTish Attack via Metasploit series. If you haven't read any of the other posts, I suggest you read them so you can get an idea of where we are starting from. You can find them here:

Timeline Analysis

Let's quickly look at the definition of the word "story" (in the context of reading). It's defined as "An account of imaginary or real people and events told for entertainment".

As forensic analysts, we are providing someone with our account of a real person's actions and events. We are telling people through our discoveries what someone did or didn't do on a particular system. Whether or not someone considers something entertaining is subjective.

Let's look at a high level overview of the items required to make a story [4].

Exposition: "In this part, the situation of the characters in the story is explained and it leads up to the further development of the plot:" [4] - This sounds a lot like getting a brief from HR and/or your CND team telling you there might be an incident. "This system (character) is acting weird. Please take a look at it for me."

Rising Action: "the series of actions, or complications, that sets up the conflict for the main character of the story" [4] - Let's call the character an artifact. See the similarities? Gathering evidence and starting to develop our "character" and the events they performed.

Climax: "the high point in the story - the turning point where the conflict comes to a head and is decided for one side or the other"[4] - This sure sounds like that smoking gun artifact that really turns the events and gives you that, "ah ha" moment.

Falling Action: "events that happen after the climax - usually wrap up the story"[4] - This is where you're wrapping up your investigation and reviewing it to make sure you didn't forget/miss anything.

Resolution: "the point of closure - also called the conclusion or denouement" [4] - Let's call this our report writing stage, or in my case the blogging stage.

But I thought we were talking about timelines? Well, timelines are nothing more than stories. So where do we begin our story? In our case we were tipped off by Splunk about the execution of AntiVirusUpdate2012.exe. Let's begin our story there.

Creating our Timeline

mmls aptish

DOS Partition Table  
Offset Sector: 0  
Units are in **512 byte sectors**  
Slot    **Start**        End          Length       Description  
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)  
01:  -----   0000000000   0000002047   0000002048   Unallocated  
02:  00:00   000000**2048**   0073398271   0073396224   NTFS (0x07)  
03:  -----   0073398272   0073400319   0000002048   Unallocated  

Calculating the offset so we can mount our image: 2048 * 512 = 1048576

  • sudo mount -t ntfs -o ro,showsysfiles,streams_interface=windows,offset=1048576 aptish /mnt/aptish/
  • log2timeline -p -r -f win7 -z Asia/Seoul /mnt/aptish/ -w aptish_timeline.csv

Making Sense of it

So I started with the execution of AntiVirusUpdate2012 and backed up a couple hours. It didn't take long to filter this down to some interesting hits. This won't be as easy for those in the "real world", but the concepts are the same. You will be dealing with multiple users on the same system, more than likely a greater time will pass before you even discover an issue, and the list goes on. Understand "normal", and you will be fine.
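The pivot-and-back-up step described above can be scripted against the CSV that log2timeline writes. This is an added example, not code from the original post: the function names and the sample rows are constructed for illustration, and only the column order is log2timeline's.

```python
import csv
import io
from datetime import datetime, timedelta

# Column order of log2timeline's CSV output.
FIELDS = ("date,time,timezone,MACB,source,sourcetype,type,user,host,"
          "short,desc,version,filename,inode,notes,format,extra").split(",")

def sample_csv():
    """Constructed rows (not the case data); unused columns are '-'."""
    events = [
        ("11/13/2012", "16:20:11", "FILE", "/Users/malware_win7x86/Documents/notes.txt"),
        ("11/14/2012", "09:48:40", "WEBHIST", "visited mail.google.com"),
        ("11/14/2012", "09:48:48", "WEBHIST", "visited hxxp://192.168.81.128/AntiVirusUpdate2012.exe"),
        ("11/14/2012", "09:49:03", "REG", "UserAssist: Desktop/AntiVirus_Update_2012.exe"),
        ("11/14/2012", "09:50:10", "FILE", "/Users/malware_win7x86/AppData/Local/Temp/scvhost.vbs"),
        ("11/16/2012", "10:00:00", "FILE", "/Windows/Temp/later.tmp"),
    ]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, restval="-")
    writer.writeheader()
    for date, time, source, short in events:
        writer.writerow({"date": date, "time": time, "source": source,
                         "short": short, "desc": short})
    return out.getvalue()

def window_around(csv_text, pivot_term, hours_before=2, hours_after=1):
    """Rows from hours_before the first pivot hit to hours_after it, oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    # Case-insensitive match on the two description columns.
    hits = [r["ts"] for r in rows
            if pivot_term.lower() in f"{r['short']} {r['desc']}".lower()]
    if not hits:
        return []
    pivot = min(hits)
    lo, hi = pivot - timedelta(hours=hours_before), pivot + timedelta(hours=hours_after)
    return sorted((r for r in rows if lo <= r["ts"] <= hi), key=lambda r: r["ts"])

if __name__ == "__main__":
    for r in window_around(sample_csv(), "AntiVirus_Update_2012.exe"):
        print(r["ts"], r["source"], r["short"])
```
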

First we see some web interaction with Gmail and another "website" hxxp://192.168.81.128/AntiVirusUpdate2012.exe.

At first glance one could assume that, given the 8 second window between using Gmail and navigating to the AntiVirus exe, maybe this email contained a link that the user clicked on. Possibly through a phishing email? Let's go with this and see what turns up.


Here is the output from regripper that shows the UserAssist key. The UserAssist key shows applications that are launched from the Desktop. This sheds some light on how AntiVirus was launched. We see it was run once at 0949, which is a few seconds before it shows up in our timeline.

UserAssist  
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist  
LastWrite Time Thu Feb  2 14:03:38 2012 (UTC)  
Wed Nov 14 09:49:03 2012  
C:\Users\malware_win7x86\Desktop\AntiVirus_Update_2012.exe (1)  

First we see the execution of AntiVirusUpdate2012.exe at 0949, which mirrors up with our event logs from Part II, and the UserAssist key from above. We can also verify that it was indeed launched from the Desktop. This supports our original thought about AntiVirus being saved to the Desktop and then being executed. This is an example of how multiple artifacts can be used to validate our assumptions and support each other.

Then we see multiple files dropped into the Temp folder. You can see this by looking at the MACB time column. You should also notice that some of these files don't "look right". This should be an indicator in itself. This is why it's important to become knowledgeable with what's "normal" on a Windows machine so you can spot "abnormal". If you don't know normal, you will never know abnormal. For starters it's "svchost", not "scvhost". And why would a vbs script be named that? Also, what are these oddly named exe and tmp files in there? Why are their times so close together?
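The "svchost, not scvhost" check can be automated when reviewing a file listing. The following is an added example, not part of the original post: the allow-list of System32 names is a small illustrative assumption, and the function names are hypothetical. It uses optimal string alignment distance so that a swapped pair of letters counts as a single edit.

```python
import ntpath

# Illustrative allow-list (an assumption for this example): binaries that live in System32.
SYSTEM32_STEMS = ("svchost", "lsass", "csrss", "services", "winlogon", "smss")

def osa_distance(a, b):
    """Edit distance where an adjacent transposition costs one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def review(path):
    """Return findings for one Windows path from a timeline or file listing."""
    folder, name = ntpath.split(path.lower())
    stem, ext = ntpath.splitext(name)
    in_system32 = folder.endswith("\\windows\\system32")
    findings = []
    for known in SYSTEM32_STEMS:
        dist = osa_distance(stem, known)
        if dist == 1:
            findings.append(f"name is one edit away from {known}")
        elif dist == 0 and (ext != ".exe" or not in_system32):
            findings.append(f"{known} name used outside System32 or with extension {ext}")
    return findings

# File names from the Temp listing in this post, plus two constructed controls.
TEMP = r"C:\Users\malware_win7x86\AppData\Local\Temp"
SAMPLE_PATHS = [TEMP + "\\" + n for n in ("HOtdFs.exe", "IqPTTDpRL.exe", "scvhost.vbs", "tior.exe")]
SAMPLE_PATHS += [r"C:\Windows\System32\svchost.exe", r"C:\Users\Public\svchost.exe"]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, review(p))
```
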


Here is another "abnormal" item. Why was 7za.exe created under System32? It doesn't belong there.


Here we see AntiVirusUpdate2012.exe being deleted.


We can further validate this via the $Recycle.Bin. Windows Vista/7 no longer have INFO2 files. They have $I (INFO) and $R (Recycled) files, and there will be a $I for each $R. The $I file will provide you with the original path of the file and the time the file was deleted, which will actually be the created time of the $I file.

In our case it shows the \Desktop as the location where AntiVirusUpdate2012.exe was located. You can also verify the timeline and the deletion times to ensure they match. In our case they do indeed match.

rifiuti-vista /mnt/aptish/\$Recycle.Bin/S-1--1000/\$IQNVV01.exe

INDEX_FILE   DELETION_TIME   SIZE   FILE_PATH  
/mnt/aptish/$Recycle.Bin/S-1--1000/$IQNVV01.exe   2012-11-14 11:07:01   222592   C:\Users\malware_win7x86\Desktop\AntiVirus_Update_2012.exe
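To show where those columns come from, here is a small $I parser. It is an added example, not rifiuti-vista's code and not from the original post: the function names are hypothetical, the sample record is constructed from the values printed above with the time treated as UTC, and it goes beyond the Vista/7 layout by also reading the later version 2 layout used by Windows 10.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_dollar_i(data):
    """Decode a $I record: original size, deletion time (UTC) and original path."""
    if len(data) < 28:
        raise ValueError("too short to be a $I file")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:      # Vista/7/8: fixed 520-byte field (260 UTF-16 characters)
        raw = data[24:24 + 520]
    elif version == 2:    # Windows 10 and later: character count, then the path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
    deleted = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"version": version, "size": size, "deleted": deleted, "path": path}

def paired_r_name(i_name):
    """$IQNVV01.exe -> $RQNVV01.exe: the $R file holds the deleted content."""
    if not i_name.upper().startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]

def build_sample_v1(path, size, deleted):
    """Construct a version 1 $I record for the demo (544 bytes on disk)."""
    filetime = (deleted - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    header = struct.pack("<QQQ", 1, size, filetime)
    return header + path.encode("utf-16-le").ljust(520, b"\x00")

# Constructed sample built from the rifiuti-vista values above; time treated as UTC.
SAMPLE = build_sample_v1(r"C:\Users\malware_win7x86\Desktop\AntiVirus_Update_2012.exe",
                         222592, datetime(2012, 11, 14, 11, 7, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    rec = parse_dollar_i(SAMPLE)
    print(paired_r_name("$IQNVV01.exe"), rec["deleted"].isoformat(), rec["size"], rec["path"])
```
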

Here we see 7zip being executed. Another interesting artifact is apt.7z. This might provide some information as to what was exfiltrated.


I added this more to show you that when you're performing forensics on a system, you can inadvertently create your own self-inflicted artifacts. Back to Locard's exchange principle, "Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him."

In our case, whenever a program is executed you will leave something behind.

NOTE You will see that I executed FTK from the Desktop here. Normally I would run FTK or any other tool for that matter from a USB and/or CD/DVD, but I didn't in this case because I didn't have my tools while writing this post. I simply ran it from my toolkit that I had on the Desktop. It's not recommended to copy tools to a Desktop, or use tools already on the box for integrity purposes.


Other Artifacts

Automatic/Custom Destinations

I wrote a Python script, Jump List Lookup, to go out to ForensicsWiki and look up which AppIDs were used.

python jl_lookup.py -p /mnt/aptish//Recent/CustomDestinations

  • Windows Explorer Pinned and Recent.
  • Internet Explorer 8 / 9
  • Unable to find 5afe4de1b92fc382 on forensicswiki
  • Control Panel (?)

python jl_lookup.py -p /mnt/aptish//Recent/AutomaticDestinations

  • Windows Explorer Pinned and Recent.
  • Control Panel (?)
  • Notepad (32-bit)

Web History

Our web history matches our timeline activity as well.

pasco History/History.IE5/index.dat

Exfiltration

Let's look at the 7zip Prefetch file that we talked about during the timeline section. Compressing files is common for attackers prior to exfiltration. When you're stealing literally gigs and gigs of data it's useful to have some compression functionality.

You can see here we hit the jackpot after reviewing the 7zip prefetch file.

  • USERS\MALWARE_WIN7X86\DOCUMENTS\CLASSIFIED.TXT
  • USERS\MALWARE_WIN7X86\DOCUMENTS\FINANCIAL_NUMBERS.TXT
  • USERS\MALWARE_WIN7X86\DOCUMENTS\SECRET.TXT
  • USERS\MALWARE_WIN7X86\DOCUMENTS\SSNANDCC_DATA.TXT
  • WINDOWS\SYSTEM32\APT.7Z

Testing

  • fls -f ntfs -r -o 2048  aptish |grep apt.7z
  • ++ r/r 3702-128-1:apt.7z
  • icat -r -f ntfs -o 2048 aptish 3702 > apt.7z
  • 7z e apt.7z

  • Extracting  Classified.txt

  • Extracting  Financial_Numbers.txt
  • Extracting  Secret.txt
  • Extracting  SSNandCC_Data.txt

Without network data we can't be certain these files were exfiltrated, but we can be pretty sure they were.

Temp Directory

I want to caution you on this one. This isn't always the best way to approach "suspicious files". It's common knowledge among malware analysts that malware authors will check for their MD5 hashes on some of the popular websites like VirusTotal, and then move to change their binaries if you have discovered them. Check with your leadership before you do it.

  • ls /mnt/aptish/Users/malware_win7x86/AppData/Local/Temp | grep -E '\.(exe|vbs)$'
  • HOtdFs.exe
  • IqPTTDpRL.exe
  • scvhost.vbs
  • tior.exe

IqPTTDpRL.exe and TIOR.exe


Here are some of the command line options that IqPTTDpRL.exe supports. In this example I use it to launch notepad.exe.


Here is a live example of how that process unfolds.


You can see here, based on the information from the TMP files, that the purpose of this appears to be to create a remote shell: "Shell has been started...Waiting..."

HOtdFs.exe

This one lit up the AV engines with a 36/46 detection ratio.


You can see here after executing HOtdFs.exe there is a connection attempt to 192.168.81.128 via port 4444.


SCVHOST.vbs

You can see here 9/46 AV companies thought this was suspicious. That's not a very good detection ratio.


Using Process Explorer after executing the vbs script, we can see a connection attempt to port 8043.


Reproduce the Attack

You may remember this bit of Splunk output from Part II.


So knowing this, I went ahead and fired up Wireshark and also a listener via netcat on ports 4444 and 8043. I also changed the IP addresses on the systems, as it looked like that IP address might be hard coded into the executable.

Netcat

  • nc -l -p 4444
  • nc -l -p 8043


Summary

At this point we might have been able to set up a Metasploit listener and connected back to it, but I decided to just end it here. At the end of the day it's about ROI, and I think we have gotten our return and it's time to move on to the next case.

Hopefully this series was helpful for you. The best way to learn is to do. I see people asking questions like, "What artifacts does XYZ make?" The best way to answer that is to try it out. Malware sandboxes like BSA and/or Cuckoo can be used for non-malware purposes as well. Run legit programs through them and see what kind of artifacts are created. Use Process Explorer, Regshot, CaptureBAT, etc.