System Forensics

All your artifacts are belong to us.

APTish Attack via Metasploit – Part IV – File System Forensics

Welcome back for the final part of my APTish Attack via Metasploit series. If you haven’t read any of the other posts I suggest you read them so you can get an idea of where we are starting from. You can find them here: Part I, Part II, and Part III

Let’s get started….

TIMELINE ANALYSIS:

Let’s quickly look at the definition of the word “story” (in the context of reading). It’s defined as “An account of imaginary or real people and events told for entertainment”.

As forensic analysts, we are providing someone with our account of a real person’s actions and events. We are telling people through our discoveries what someone did or didn’t do on a particular system. Whether or not someone considers something entertaining is subjective. Let’s assume for a moment that we want to be in this field because we like it and it’s “entertaining”.

Let’s look at a high level overview of the items required to make a story [4]:

Exposition: “In this part, the situation of the characters in the story is explained and it leads up to the further development of the plot:” [4] – This sounds a lot like getting a brief from HR and/or your CND team telling you there might be an incident. “This system (character) is acting weird. Please take a look at it for me.”

Rising Action: “the series of actions, or complications, that sets up the conflict for the main character of the story” [4] – Let’s call the character an artifact. See the similarities? Gathering evidence and starting to develop our “character” and the events they performed.

Climax: “the high point in the story – the turning point where the conflict comes to a head and is decided for one side or the other” [4] – This sure sounds like that smoking gun artifact that really turns the events and gives you that “aha” moment.

Falling Action: “events that happen after the climax – usually wrap up the story”[4] - This is where you’re wrapping up your investigation and reviewing it to make sure you didn’t forget/miss anything.

Resolution: “the point of closure – also called the conclusion or denouement” [4] – Let’s call this our report writing stage, or in my case the blogging stage.

But I thought we were talking about timelines? Well, timelines are nothing more than stories. So where do we begin our story? In our case we were tipped off by Splunk by the execution of AntiVirus_Update_2012.exe. Let’s begin our story there.

CREATING OUR TIMELINE:

% mmls aptish 
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  00:00   0000002048   0073398271   0073396224   NTFS (0x07)
03:  -----   0073398272   0073400319   0000002048   Unallocated

Calculating the offset so we can mount our image: 2048 * 512 = 1048576

% sudo mount -t ntfs -o ro,show_sys_files,streams_interface=windows,offset=1048576 aptish /mnt/aptish/

% log2timeline -p -r -f win7 -z Asia/Seoul /mnt/aptish/ -w aptish_timeline.csv

MAKING SENSE OF IT:

So I started with the execution of AntiVirus_Update_2012 and backed up a couple of hours. It didn’t take long to filter this down to some interesting hits. This won’t be as easy for those in the “real world”, but the concepts are the same. You will be dealing with multiple users on the same system, more than likely a greater time will pass before you even discover an issue, and the list goes on. Understand “normal”, and you will be fine.
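The pivot-and-window approach described above (start at the execution event, back up a couple of hours, look at what surrounds it), as an added example that is not from the original post. The CSV rows are constructed to mirror the events discussed on this page and follow the l2t_csv column layout; `pivot_window` is my own helper, not part of log2timeline.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed l2t_csv-style sample. Rows are invented to mirror the events discussed
# on this page; they are not copied from the real aptish_timeline.csv.
SAMPLE_L2T = r"""date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
11/13/2012,23:55:10,Asia/Seoul,M...,FILE,NTFS,Modified,-,win7,prefetch updated,C:/Windows/Prefetch/NOTEPAD.EXE-D8414F97.pf,,,,,,
11/14/2012,09:43:14,Asia/Seoul,.A..,WEBHIST,MSIE,Last Visited,malware_win7x86,win7,URL visited,https://mail.google.com/mail/,,,,,,
11/14/2012,09:43:22,Asia/Seoul,.A..,WEBHIST,MSIE,Last Visited,malware_win7x86,win7,URL visited,http://192.168.81.128/AntiVirus_Update_2012.exe,,,,,,
11/14/2012,09:49:03,Asia/Seoul,.A..,REG,UserAssist,Last Executed,malware_win7x86,win7,UserAssist,C:\Users\malware_win7x86\Desktop\AntiVirus_Update_2012.exe (1),,,,,,
11/14/2012,09:49:10,Asia/Seoul,...B,FILE,NTFS,Created,-,win7,file created,C:/Users/malware_win7x86/AppData/Local/Temp/scvhost.vbs,,,,,,
11/14/2012,11:07:01,Asia/Seoul,...B,FILE,NTFS,Created,-,win7,file created,C:/$Recycle.Bin/S-1-5-21-PLACEHOLDER-1000/$IQNVV01.exe,,,,,,
11/14/2012,15:20:00,Asia/Seoul,.A..,REG,UserAssist,Last Executed,malware_win7x86,win7,UserAssist,C:\Users\malware_win7x86\Desktop\FTK Imager.exe (1),,,,,,
"""

def _stamp(row):
    """Combine the l2t date (MM/DD/YYYY) and time columns into a naive datetime."""
    return datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")

def pivot_window(csv_text, needle, hours_before=2, hours_after=2):
    """Pivot on the earliest event whose short/desc mentions `needle` and return every
    event inside the surrounding window, oldest first, as (timestamp, source, desc)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    hits = [r for r in rows if needle in r["desc"] or needle in r["short"]]
    if not hits:
        return []
    pivot = min(_stamp(r) for r in hits)
    lo = pivot - timedelta(hours=hours_before)
    hi = pivot + timedelta(hours=hours_after)
    window = sorted((r for r in rows if lo <= _stamp(r) <= hi), key=_stamp)
    return [(_stamp(r).strftime("%Y-%m-%d %H:%M:%S"), r["source"], r["desc"]) for r in window]

if __name__ == "__main__":
    for when, src, desc in pivot_window(SAMPLE_L2T, "AntiVirus_Update_2012.exe"):
        print(when, src, desc)
```

The events from the previous day and the later FTK run fall outside the window; the Gmail visit, the download, the UserAssist entry, the Temp drop and the $I deletion record are what remains.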

First we see some web interaction with Gmail and another “website” http://192.168.81.128/AntiVirus_Update_2012.exe.

At first glance one could assume that given the 8 second window from using Gmail, and then navigating to the AntiVirus exe that maybe this email contained a link that the user clicked on. Possibly through a Phishing email? Let’s go with this and see what turns up.

Here is the output from regripper that shows the UserAssist key. The UserAssist key shows applications that are launched from the Desktop. This sheds some light on how AntiVirus was launched. We see it was run once at 0949, which is a few seconds before it shows up in our timeline.

UserAssist
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
LastWrite Time Thu Feb  2 14:03:38 2012 (UTC)
Wed Nov 14 09:49:03 2012
 C:\Users\malware_win7x86\Desktop\AntiVirus_Update_2012.exe (1) 
First we see the execution of AntiVirus_Update_2012.exe at 0949, which lines up with our event logs from part II and the UserAssist key from above. We can also verify that it was indeed launched from the Desktop. This supports our original thought about AntiVirus being saved to the Desktop and then being executed. This is an example of how multiple artifacts can be used to validate our assumptions and support each other.

Then we see multiple files dropped into the Temp folder. You can see this by looking at the MACB time column. You should also notice that some of these files don’t “look right”. This should be an indicator in itself. This is why it’s important to become knowledgeable about what’s “normal” on a Windows machine so you can spot “abnormal”. If you don’t know normal, you will never know abnormal. For starters it’s “svchost”, not “scvhost”. And why would a vbs script be named that? Also, what are these oddly named exe and tmp files in there? Why are their times so close together?

Here is another “abnormal” item. Why was 7za.exe created under System32? It doesn’t belong there.
Here we see AntiVirus_Update_2012.exe being deleted.

We can further validate this via the $Recycle.Bin. Windows Vista/7 no longer have INFO2 files. They have $I (INFO) and also $R (Recycled). There will be a $I for each $R. The $I files will provide you with the original path of the file and the time the file was deleted, which will actually be the created time of the $I file.

In our case it shows the \Desktop as the location where AntiVirus_Update_2012.exe was located. You can also verify the timeline and the deletion times to ensure they match. In our case they do indeed match.

rifiuti-vista /mnt/aptish/\$Recycle.Bin/S-1–1000/\$IQNVV01.exe 

INDEX_FILE                                        DELETION_TIME        SIZE    FILE_PATH
/mnt/aptish/$Recycle.Bin/S-1–1000/$IQNVV01.exe   2012-11-14 11:07:01  222592  C:\Users\malware_win7x86\Desktop\AntiVirus_Update_2012.exe
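What rifiuti-vista is doing with that $I file, as an added example that is not part of the original post: the Vista/7 $I record is a fixed 544-byte structure (8-byte version, 8-byte original size, 8-byte FILETIME deletion time, 520-byte UTF-16LE original path). The parser also handles the length-prefixed version 2 layout Windows 10 writes, which goes beyond this page; the sample record is constructed here to match the size, path and deletion time shown above, with the time treated as UTC.

```python
import struct
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return _EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (integer arithmetic, no float rounding)."""
    return ((dt - _EPOCH) // timedelta(microseconds=1)) * 10

def parse_i_file(data):
    """Parse a $Recycle.Bin $I record.

    Returns (version, original_size, deleted_at, original_path). Version 1 is the
    Vista/7/8 layout (fixed 520-byte path field); version 2 is the Windows 10
    layout with a DWORD character count before the path."""
    if len(data) < 24:
        raise ValueError("too short to be a $I record")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError("unsupported $I version %d" % version)
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return version, size, filetime_to_datetime(ft), path

def build_i_file(version, size, deleted_at, path):
    """Constructed $I record for testing; not extracted from the image on this page."""
    body = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        body = body.ljust(520, b"\x00")
    else:
        body = struct.pack("<I", len(path) + 1) + body
    return struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at)) + body

# Mirrors the rifiuti-vista result above: size 222592, deleted 2012-11-14 11:07:01 (taken as UTC).
SAMPLE_I = build_i_file(1, 222592, datetime(2012, 11, 14, 11, 7, 1, tzinfo=timezone.utc),
                        r"C:\Users\malware_win7x86\Desktop\AntiVirus_Update_2012.exe")

if __name__ == "__main__":
    print(parse_i_file(SAMPLE_I))
```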

Here we see 7zip being executed. Another interesting artifact is apt.7z. This might provide some information as to what was exfiltrated.

I added this mostly to show you that when you’re performing forensics on a system, you can inadvertently create your own self-inflicted artifacts. Back to Locard’s exchange principle: “Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him.”

In our case, whenever a program is executed you will leave something behind.

NOTE: You will see that I executed FTK from the Desktop here. Normally I would run FTK or any other tool for that matter from a USB and/or CD/DVD, but I didn’t in this case because I didn’t have my tools while writing this post. I simply ran it from my toolkit that I had on the Desktop. It’s not recommended to copy tools to a Desktop, or use tools already on the box for integrity purposes.

LOOKING AT SOME OTHER ARTIFACTS:

AUTOMATIC/CUSTOM DESTINATIONS

I wrote a Python script to go out to ForensicsWiki and look up which AppIDs were used. You can find it here: I didn’t find anything interesting in there, though.

% python japp_id.py -p /mnt/aptish//Recent/CustomDestinations/
Windows Explorer Pinned and Recent.
Internet Explorer 8 / 9
Unable to find 5afe4de1b92fc382 on forensicswiki
Control Panel (?)

% python japp_id.py -p /mnt/aptish//Recent/AutomaticDestinations/
Windows Explorer Pinned and Recent.
Control Panel (?)
Notepad (32-bit)

WEB HISTORY

Our web history matches our timeline activity as well.

% pasco History/History.IE5/index.dat

URL   Visited: malware_win7x86@http://192.168.81.128/AntiVirus_Update_2012.exe   11/14/2012 09:43:22   11/14/2012 09:43:22

WHAT WAS EXFILTRATED:

Let’s look at the 7zip Prefetch file that we talked about during the timeline section. Compressing files is common for attackers prior to exfiltration. When you’re stealing literally gigs and gigs of data it’s useful to have some compression functionality.

You can see here we hit the jackpot after reviewing the 7zip prefetch file.

7ZA.EXE
List of files and Directories whose pages are to be loaded

\DEVICE\HARDDISKVOLUME1\USERS\MALWARE_WIN7X86\DOCUMENTS\CLASSIFIED.TXT
\DEVICE\HARDDISKVOLUME1\USERS\MALWARE_WIN7X86\DOCUMENTS\FINANCIAL_NUMBERS.TXT
\DEVICE\HARDDISKVOLUME1\USERS\MALWARE_WIN7X86\DOCUMENTS\SECRET.TXT
\DEVICE\HARDDISKVOLUME1\USERS\MALWARE_WIN7X86\DOCUMENTS\SSN_AND_CC_DATA.TXT

\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\APT.7Z

Let’s verify.


% fls -f ntfs -r -o 2048  aptish |grep apt.7z
++ r/r 3702-128-1:apt.7z

% icat -r -f ntfs -o 2048 aptish 3702 > apt.7z

% 7z e apt.7z 
Processing archive: apt.7z

Extracting  Classified.txt
Extracting  Financial_Numbers.txt
Extracting  Secret.txt
Extracting  SSN_and_CC_Data.txt

Without network data we can’t be certain these files were exfiltrated, but we can be pretty sure they were.
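What sits inside the 7ZA.EXE prefetch file that produced the listing above, as an added example that is not from the original post. It parses the Windows 7 (.pf version 23) header fields a responder cares about (executable name, last run time, run count) plus the filename-strings section, and flags loaded paths under a user's Documents folder. The sample buffer is constructed from the file list shown on this page; the timestamp and run count are invented.

```python
import struct
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PF_VERSION_WIN7 = 0x17        # header layout used by Windows 7 (.pf "version 23")
PF_HEADER_LEN_WIN7 = 0x9C

def parse_prefetch_win7(data):
    """Return (exe_name, last_run, run_count, loaded_files) from a Windows 7 .pf buffer.
    Offsets: 0x00 version, 0x04 'SCCA', 0x10 exe name (60 bytes UTF-16LE),
    0x64/0x68 filename-strings offset/length, 0x80 last-run FILETIME, 0x98 run count."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version != PF_VERSION_WIN7:
        raise ValueError("not a Windows 7 prefetch file")
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    str_off, str_len = struct.unpack_from("<II", data, 0x64)
    (last_run,) = struct.unpack_from("<Q", data, 0x80)
    (run_count,) = struct.unpack_from("<I", data, 0x98)
    blob = data[str_off:str_off + str_len].decode("utf-16-le", errors="replace")
    files = [f for f in blob.split("\x00") if f]
    return exe_name, _EPOCH + timedelta(microseconds=last_run // 10), run_count, files

def user_documents_touched(files):
    """Loaded paths under a user's DOCUMENTS folder: the pattern that was the jackpot here."""
    return [f for f in files if "\\USERS\\" in f and "\\DOCUMENTS\\" in f]

def build_prefetch_win7(exe_name, last_run, run_count, files):
    """Constructed minimal .pf image (header + filename strings only), for testing."""
    strings = "".join(f + "\x00" for f in files).encode("utf-16-le")
    hdr = bytearray(PF_HEADER_LEN_WIN7)
    struct.pack_into("<I4s", hdr, 0, PF_VERSION_WIN7, b"SCCA")
    name = exe_name.encode("utf-16-le")
    hdr[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", hdr, 0x0C, len(hdr) + len(strings))      # total file size
    struct.pack_into("<II", hdr, 0x64, len(hdr), len(strings))
    struct.pack_into("<Q", hdr, 0x80, ((last_run - _EPOCH) // timedelta(microseconds=1)) * 10)
    struct.pack_into("<I", hdr, 0x98, run_count)
    return bytes(hdr) + strings

# File list taken from the 7ZA.EXE listing on this page; time and run count are invented.
SAMPLE_PF = build_prefetch_win7("7ZA.EXE", datetime(2012, 11, 14, 0, 0, tzinfo=timezone.utc), 1, [
    r"\DEVICE\HARDDISKVOLUME1\USERS\MALWARE_WIN7X86\DOCUMENTS\CLASSIFIED.TXT",
    r"\DEVICE\HARDDISKVOLUME1\USERS\MALWARE_WIN7X86\DOCUMENTS\FINANCIAL_NUMBERS.TXT",
    r"\DEVICE\HARDDISKVOLUME1\USERS\MALWARE_WIN7X86\DOCUMENTS\SECRET.TXT",
    r"\DEVICE\HARDDISKVOLUME1\USERS\MALWARE_WIN7X86\DOCUMENTS\SSN_AND_CC_DATA.TXT",
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\APT.7Z",
])
```

On a real image, read `Windows\Prefetch\7ZA.EXE-<hash>.pf` into `data` and call `parse_prefetch_win7`; an archiver whose loaded-file list is dominated by user documents plus a fresh archive under System32 is the combination worth escalating.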

TEMP DIRECTORY ANALYSIS:

I want to caution you on this one. This isn’t always the best way to approach “suspicious files”. It’s common knowledge among malware analysts that malware authors will check for their MD5 hashes on some of the popular websites like VirusTotal, and then move to change their binaries if you have discovered them. Check with your leadership before you do it.

% ls /mnt/aptish/Users/malware_win7x86/AppData/Local/Temp | egrep '\.exe|\.vbs'

HOtdFs.exe
IqPTTDpRL.exe
scvhost.vbs
tior.exe

IqPTTDpRL.exe and TIOR.exe

Here are some of the command line options that IqPTTDpRL.exe supports. I use the example to show it launching notepad.exe.

Here is a live example of how that process unfolds.

You can see here based off the information from the TMP files it appears that the purpose of this is to create a remote shell. “Shell has been started…Waiting…”

HOtdFS.exe

This one lit up the AV engines with a 36/46 detection ratio.

You can see here after executing HOtdFs.exe there is a connection attempt to 192.168.81.128 via port 4444.

SCVHOST.vbs

You can see here 9/46 AV companies thought this was suspicious. That’s not a very good detection ratio.

Using Process Explorer, after executing the vbs script we can see a connection attempt to port 8043.

REPRODUCING THE ATTACK:

You may remember this bit of Splunk output from part II.

Since we were able to recover all the files after performing file system forensics we are able to duplicate the attack.

So knowing this I went ahead and fired up Wireshark and also listeners via netcat on ports 4444 and 8043. I also changed the IP addresses on the systems, as it looked like that IP address might be hard coded into the executable.

Netcat:

% nc -l -p 4444
% nc -l -p 8043

Wireshark:

SUMMARY:

At this point we might have been able to set up a Metasploit listener and connect back to it, but I decided to just end it here. At the end of the day it’s about ROI, and I think we have gotten our return and it’s time to move on to the next case.

Hopefully this series was helpful for you. The best way to learn is to do. I see people asking questions like, “What artifacts does XYZ make?” The best way to answer that is to try it out. Malware sandboxes like BSA and/or Cuckoo can be used for non-malware purposes as well. Run legit programs through them and see what kind of artifacts are created. Use Process Explorer, Regshot, CaptureBAT, etc.

Enjoy!

References:
[1] http://windowsir.blogspot.kr/2010/05/temporal-proximity.html
[2] http://www.basistech.com/pdf/events/open-source-forensics-conference/osdf-2011-hallman-log2timeline.pdf
[3] http://sploited.blogspot.kr/2012/05/timelines-continued-log2timeline-for.html
[4] http://answers.yahoo.com/question/index?qid=20071019030003AAvUgE0


One thought on “APTish Attack via Metasploit – Part IV – File System Forensics”

  • Sploit says:

    Hi Patrick,

    Finally got the chance to read your posts all the way through. A huge amount of effort has gone into this whole series and I’m sure you’ve seen the hits on your blog because of it. Well done and thanks.

    I liked your comments in regards to securing your critical assets. Typically organisations get overwhelmed by the scale of security but when focusing on the smaller more important subset of their critical infrastructure the issues become more manageable.

    I think the importance of automation in monitoring for key areas of persistence, against a baseline dataset, is important to detect incidents more quickly.