20 12 2012
APTish Attack via Metasploit – Part IV – File System Forensics
Let’s get started….
Let’s quickly look at the definition of the word, “story” (in the context of reading), it’s defined as, “An account of imaginary or real people and events told for entertainment“.
As forensic analysts, we are providing someone with our account of a real person’s actions and events. We are telling people through our discoveries what someone did or didn’t do on a particular system. Whether or not someone considers something entertaining is subjective. Let’s assume for a moment that we want to be in this field because we like it and it’s “entertaining”.
Let’s look at a high level overview of the items required to make a story :
Exposition: “In this part, the situation of the characters in the story is explained and it leads up to the further development of the plot:”  – This sound a lot like getting a brief from HR and/or your CND team telling you there might be an incident. “This system (character) is acting weird. Please take a look at it for me.”
Rising Action: “the series of actions, or complications, that sets up the conflict for the main character of the story”  – Let’s call the character an artifact. See the similarities? Gathering evidence and starting to develop our “character” and the events they performed.
Climax: “the high point in the story – the turning point where the conflict comes to a head and is decided for one side or the other” - This sure sounds like that smoking gun artifact that really turns the events and gives you that, “ah ha” moment.
Falling Action: “events that happen after the climax – usually wrap up the story” – This is where you’re wrapping up your investigation and reviewing it to make sure you didn’t forget/miss anything.
Resolution: “the point of closure – also called the conclusion or denoument”  - Let’s call this our report writing stage, or in my case the blogging stage.
But I thought we were talking about timelines? Well, timelines are nothing more than stories. So where do we being our story? In our case we were tipped off by Splunk by the execution of AntiVirus_Update_2012.exe. Let’s being our story there.
CREATING OUR TIMELINE:
% mmls aptish
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
00: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01: —– 0000000000 0000002047 0000002048 Unallocated
02: 00:00 0000002048 0073398271 0073396224 NTFS (0x07)
03: —– 0073398272 0073400319 0000002048 Unallocated
Calculating the offset so we can mount our image: 2048 * 512 = 1048576
% sudo mount -t ntfs -o ro,show_sys_files,streams_interface=windows,offset=1048576 aptish /mnt/aptish/
% log2timeline -p -r -f win7 -z Asia/Seoul /mnt/aptish/ -w aptish_timeline.csv
MAKING SENSE OF IT:
So I started with the execution of AntiVirus_Update_2012 and backed up a couple hours. It didn’t take long to filter this down to some interesting hits. This wont be as easy for those in the “real world”, but the concepts are the same. You will be dealing with multiple users on the same system, more than likely a greater time will pass before you even discover an issue, and the list goes on. Understand “normal”, and you will be fine.
First we see some web interaction with Gmail and another “website” http://192.168.81.128/AntiVirus_Update_2012.exe.
At first glance one could assume that given the 8 second window from using Gmail, and then navigating to the AntiVirus exe that maybe this email contained a link that the user clicked on. Possibly through a Phishing email? Let’s go with this and see what turns up.
LastWrite Time Thu Feb 2 14:03:38 2012 (UTC)
Wed Nov 14 09:49:03 2012
We can further validate this via the $Recycle.Bin. Windows Vista/7 no longer have INFO2 files. They have $I (INFO) and also $R (Recycled). There will be a $I for each $R. The $I files will will provide you with the original path of the file and the time the file was deleted, which will actually be the created time of the the $I file.
In our case it shows the \Desktop as the location where AntiVirus_Update_2012.exe was located. You can also verify the timeline and the deletion times to ensure they match. In our case they do indeed match.
% rifiuti-vista /mnt/aptish/\$Recycle.Bin/S-1–1000/\$IQNVV01.exe
Here we see 7zip being executed. Another interesting artifact is apt.7z. This might provide some information as to what was exfiltrated.
In our case, whenever a program is executed you will leave something behind.
LOOKING AT SOME OTHER ARTIFACTS:
I wrote a python script to go out to ForensicsWiki and lookup what appids were used. You can find it here: I didn’t find anything interesting in there though.
% python japp_id.py -p /mnt/aptish//Recent/CustomDestinations/
Windows Explorer Pinned and Recent.
Internet Explorer 8 / 9
Unable to find 5afe4de1b92fc382 on forensicswiki
Control Panel (?)
% python japp_id.py -p /mnt/aptish//Recent/AutomaticDestinations/
Windows Explorer Pinned and Recent.
Control Panel (?)
Our web history matches our timeline activity as well.
% pasco History/History.IE5/index.dat
URLVisited: malware_win7x86@http://192.168.81.128/AntiVirus_Update_2012.exe11/14/2012 09:43:22 11/14/2012 09:43:22
WHAT WAS EXFILTRATED:
Let’s look at the 7zip Prefetch file that we talked about during the timeline section. Compressing files is common for attackers prior to exfiltration. When you’re stealing literally gigs and gigs of data it’s useful to have some compression functionality.
You can see here we hit the jackpot after reviewing the 7zip prefetch file.
List of files and Directories whose pages are to be loaded
% fls -f ntfs -r -o 2048 aptish |grep apt.7z
++ r/r 3702-128-1:apt.7z
% icat -r -f ntfs -o 2048 aptish 3702 > apt.7z
% 7z e apt.7z
Processing archive: apt.7z
Without network data we can’t be certain these files were exfiltrated, but we can be pretty sure they were.
TEMP DIRECTORY ANALYSIS:
I want to caution you on this one. This isn’t always the best way to approach “suspicious files”. It’s common knowledge among malware analysts that malware authors will check for their MD5 hashes on some of the popular websites like VirusTotal, and then move to change their binaries if you have discovered them. Check with your leadership before you do it.
% ls /mnt/aptish/Users/malware_win7x86/AppData/Local/Temp |egrep ‘\.exe|\.vbs’
IqPTTDpRL.exe and TIOR.exe
Here are some of the command line options that IqPTTDpRL.exe supports. I use the example to show it launch notepad.exe.
This one lit up the AV engines with a 36/46 detection ratio.
You can see here 9/46 AV companies thought this was suspicious. That’s not a very good detection ratio.
Using process explorer, and after executing the vbs script we can see a connection attempt to 8043.
So knowing this I went ahead and fired up wireshark and also a listener via netcat on port 4444 and 8043. I also changed the IP addresses on the systems as it looked like that IP address might be hard coded into the executable.
% nc -l -p 4444
% nc -l -p 8043
At this point we might have been able to setup a Metasploit listener and connected back to it, but I decided to just end it here. At the end of the day it’s about ROI, and I think we have gotten our return and it’s time to move onto the next case.