Case study: “Imminent RATs” (I)

Note: This is a fictional story; the characters and situations are not real. The only real thing is the technological part, which is based on a mixture of work done, experiences of other colleagues and research carried out.
These articles are part of a basic incident response workshop. Therefore, there are things that could be done more efficiently and elegantly… but the idea was to do them in a simple way so that they were easy to understand. And like any good practical workshop, you can follow it step by step: you can download a Remnux virtual machine with everything you need for the workshop here (for VMWare) or here (.ova format)).

Incident Response in less than 15 lines

Ultra-fast summary of incident response:

  • Preparation: We prepare ourselves for a possible attack by deploying detection and response measures in the Organization.
  • Detection and analysis: We detect possible attacks and analyze them to determine whether or not they are false positives, and in the event of an attack we analyze its severity.
  • Containment, eradication and recovery: We contain the spread of the attackers through the system, expel them and return the system to normal operation.
  • Post-incident lessons: We analyze the incident in search of measures to improve both the security of the system and the response itself for future incidents.

Preparation

In this case study we have an Organization with an intermediate maturity in its security measures: computers have antivirus, a mail gateway with an antispam/antivirus, a proxy that controls navigation, a firewall that controls incoming and outgoing connections and an intrusion detector that can generate alerts against possible attacks.

On the downside, we know that the updates in general (security patches, antivirus signatures and intrusion detector signatures) leave much to be desired, and that users’ security awareness is … disparate, so to speak.

Detection and analysis: “Something is wrong with my computer”

Many of the security incidents begin with a call from a user complaining that “his computer is slow/ doing something weird/ crashing/ is possessed by Alpha Centauri aliens”. And obviously, the user has never “touched anything/done anything weird/ opened anything/ put any USB with raccoon Dutch porn” on his computer.

In most cases after a more or less extensive research (or after the forceful application of a LART), it is shown that the user has taken some action, so that 95% of the cases users are usually a source of inexhaustible false positives (and of some glorious little battle that cannot be told for the sake of the physical integrity of the author).

However, users are a good source of information when detecting an attack against the Organization. Properly trained, not only are they harder to deceive in a spear-phishing attack but they can also warn us about such attacks, allowing us to respond in some cases in real time (that’s why all the efforts in security awareness are always worthwhile).

In this case we have a call from a standard user: his computer is doing “weird things”, and he swears on his life that “he has not done anything”. As he is not a hyperboss but still a boss of a certain rank, a quick response is necessary, so we quickly head to his computer collecting the necessary equipment to respond to a possible incident: USB memory with triage tools, USB disk for a disk capture and a half-liter coffee.

The user receives us for exactly 20 seconds: enough time to leave the computer on and “go to an urgent meeting”. If necessary, he will see us when he returns. At this point, however, all we need is a basic data capture to determine whether or not we have a security incident.

First of all, a dump of the RAM memory of the computer has to be made, in this case with the DumpIt tool, which has an extremely basic operation.

From the USB Toolbox itself we launched the tool:


The result is a 2Gb file generated directly on the USB stick itself (remember to alter the hard disk as little as possible in case we have to do a forensic analysis later). While we’re at it, we’re going to collect basic triage information with CYLR (which includes, among other things, the Windows registry, logs and MFT, all at a dizzying speed).

[Note: we want to make this case study VERY practical. Therefore, you can download both the RAM dump and the triage from here].

Once the triage information is collected (which should take you <10min on a modern computer), we can go back to our computer to review the data. Memory analysis is usually the technique that offers the best results, so we used Volatility and made two lists of processes with pslist and pstree (tip: in these analyses it is usually necessary to re-check the output of many commands, so it is very useful to redirect the output to a text file):

 
# volatility --profile Win7SP1x64 -f win7_labodfir.raw pslist > pslist.txt
# volatility --profile Win7SP1x64 -f win7_labodfir.raw pstree > pstree.txt

Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8018da7040 System                    4      0     93      590 ------      0 2018-04-07 08:36:49 UTC+0000                                 
0xfffffa80194ee340 smss.exe                260      4      2       29 ------      0 2018-04-07 08:36:49 UTC+0000                                 
0xfffffa801a29a060 smss.exe                340    260      0 --------      0      0 2018-04-07 08:36:52 UTC+0000   2018-04-07 08:36:55 UTC+0000  
0xfffffa801a29c2f0 csrss.exe               348    340      9      580      0      0 2018-04-07 08:36:52 UTC+0000                                 
0xfffffa801a5a9900 smss.exe                380    260      0 --------      1      0 2018-04-07 08:36:55 UTC+0000   2018-04-07 08:36:55 UTC+0000  
0xfffffa801a5acb10 wininit.exe             388    340      3       78      0      0 2018-04-07 08:36:55 UTC+0000                                 
0xfffffa801a5b3b10 csrss.exe               400    380      9      325      1      0 2018-04-07 08:36:55 UTC+0000                                 
0xfffffa801a5dcb10 winlogon.exe            436    380      3      112      1      0 2018-04-07 08:36:55 UTC+0000                                 
0xfffffa801a66db10 services.exe            496    388      9      232      0      0 2018-04-07 08:36:56 UTC+0000                                 
0xfffffa801a67eb10 lsass.exe               504    388      7      579      0      0 2018-04-07 08:36:56 UTC+0000                                 
0xfffffa801a684b10 lsm.exe                 512    388     10      148      0      0 2018-04-07 08:36:56 UTC+0000                                 
0xfffffa801a532b10 svchost.exe             620    496     11      361      0      0 2018-04-07 08:36:58 UTC+0000                                 
0xfffffa801aa90060 svchost.exe             684    496      9      322      0      0 2018-04-07 08:36:58 UTC+0000                                 
0xfffffa801aac1870 svchost.exe             740    496     23      523      0      0 2018-04-07 08:36:58 UTC+0000                                 
0xfffffa801ab49b10 svchost.exe             832    496     19      450      0      0 2018-04-07 08:36:58 UTC+0000                                 
0xfffffa801ab5f630 svchost.exe             864    496     20      788      0      0 2018-04-07 08:36:59 UTC+0000                                 
0xfffffa801ab8cb10 svchost.exe             912    496     35     1018      0      0 2018-04-07 08:36:59 UTC+0000                                 
0xfffffa801abc1b10 audiodg.exe             996    740      6      136      0      0 2018-04-07 08:36:59 UTC+0000                                 
0xfffffa801ac1ab10 svchost.exe             984    496     15      383      0      0 2018-04-07 08:36:59 UTC+0000                                 
0xfffffa8019c7fb10 spoolsv.exe            1188    496     15      355      0      0 2018-04-07 08:37:00 UTC+0000                                 
0xfffffa8019c88450 taskhost.exe           1196    496     10      282      1      0 2018-04-07 08:37:00 UTC+0000                                 
0xfffffa8019cac600 svchost.exe            1256    496     18      319      0      0 2018-04-07 08:37:00 UTC+0000                                 
0xfffffa801acc6870 svchost.exe            1360    496     10      148      0      0 2018-04-07 08:37:00 UTC+0000                                 
0xfffffa801ad1bb10 Sysmon.exe             1448    496     12      572      0      0 2018-04-07 08:37:00 UTC+0000                                 
0xfffffa8018e61060 vmtoolsd.exe           1524    496      8      295      0      0 2018-04-07 08:37:00 UTC+0000                                 
0xfffffa801a0cf060 unsecapp.exe           1792    620      4       66      0      0 2018-04-07 08:37:02 UTC+0000                                 
0xfffffa801a59a060 WmiPrvSE.exe           1916    620     13      329      0      0 2018-04-07 08:37:03 UTC+0000                                 
0xfffffa801a5de060 dllhost.exe            1932    496      0 --------      0      0 2018-04-07 08:37:03 UTC+0000   2018-04-07 08:40:14 UTC+0000  
0xfffffa801a646060 TPAutoConnSvc.         2000    496     10      141      0      0 2018-04-07 08:37:03 UTC+0000                                 
0xfffffa801a69b060 sppsvc.exe             1312    496      6      153      0      0 2018-04-07 08:37:03 UTC+0000                                 
0xfffffa8018e67600 TPAutoConnect.          648   2000      5      122      1      0 2018-04-07 08:37:06 UTC+0000                                 
0xfffffa8019c33b10 conhost.exe            1080    400      1       34      1      0 2018-04-07 08:37:06 UTC+0000                                 
0xfffffa801a776060 dllhost.exe            2088    496     15      199      0      0 2018-04-07 08:37:09 UTC+0000                                 
0xfffffa801a6e2060 WUDFHost.exe           2232    832      8      192      0      0 2018-04-07 08:37:11 UTC+0000                                 
0xfffffa801a8628f0 msdtc.exe              2296    496     14      154      0      0 2018-04-07 08:37:11 UTC+0000                                 
0xfffffa801ac0d060 VSSVC.exe              2448    496      0 --------      0      0 2018-04-07 08:37:14 UTC+0000   2018-04-07 08:40:14 UTC+0000  
0xfffffa80192ab060 userinit.exe           2504    436      0 --------      1      0 2018-04-07 08:37:14 UTC+0000   2018-04-07 08:37:45 UTC+0000  
0xfffffa8019c52b10 dwm.exe                2512    832      5      126      1      0 2018-04-07 08:37:14 UTC+0000                                 
0xfffffa801a790060 explorer.exe           2536   2504     41     1158      1      0 2018-04-07 08:37:14 UTC+0000                                 
0xfffffa801922e620 vmtoolsd.exe           2616   2536      6      186      1      0 2018-04-07 08:37:17 UTC+0000                                 
0xfffffa801916f720 cmd.exe                2820   2536      1       20      1      0 2018-04-07 08:37:22 UTC+0000                                 
0xfffffa8019182060 conhost.exe            2828    400      2       63      1      0 2018-04-07 08:37:22 UTC+0000                                 
0xfffffa801913cb10 SearchIndexer.         2864    496     13      841      0      0 2018-04-07 08:37:23 UTC+0000                                 
0xfffffa80194d5650 SearchProtocol         2968   2864      0 --------      0      0 2018-04-07 08:37:26 UTC+0000   2018-04-07 08:41:37 UTC+0000  
0xfffffa8019748b10 SearchFilterHo         2992   2864      0 --------      0      0 2018-04-07 08:37:26 UTC+0000   2018-04-07 08:40:26 UTC+0000  
0xfffffa801a5b9360 svchost.exe            1944    496     14      225      0      0 2018-04-07 08:38:21 UTC+0000                                 
0xfffffa801a17bb10 wmpnetwk.exe           1744    496      9      209      0      0 2018-04-07 08:38:22 UTC+0000                                 
0xfffffa8019c45b10 mscorsvw.exe           2476    496      6       87      0      1 2018-04-07 08:39:03 UTC+0000                                 
0xfffffa801a819b10 mscorsvw.exe           2788    496      6       78      0      0 2018-04-07 08:39:03 UTC+0000                                 
0xfffffa801a81a600 svchost.exe            2908    496     13      361      0      0 2018-04-07 08:39:03 UTC+0000                                 
0xfffffa801a745320 TrustedInstall         1980    496      4      120      0      0 2018-04-07 08:39:51 UTC+0000                                 
0xfffffa801a831b10 PING.EXE               1940   2820      0 --------      1      0 2018-04-07 08:40:01 UTC+0000   2018-04-07 08:40:03 UTC+0000  
0xfffffa801a8d7b10 OSPPSVC.EXE            1136    496      6      128      0      0 2018-04-07 08:42:08 UTC+0000                                 
0xfffffa801ab2cb10 python.exe             3020   2536      0 --------      1      0 2018-04-07 08:42:14 UTC+0000   2018-04-07 08:47:34 UTC+0000  
0xfffffa801ab35350 conhost.exe            1760    400      0 --------      1      0 2018-04-07 08:42:15 UTC+0000   2018-04-07 08:47:34 UTC+0000  
0xfffffa801aa38b10 explorer.exe           1132    620      0 --------      1      0 2018-04-07 08:44:09 UTC+0000   2018-04-07 08:45:10 UTC+0000  
0xfffffa801a9c8600 vfggggg.exe            3208   1132      0 --------      1      0 2018-04-07 08:44:09 UTC+0000   2018-04-07 08:44:38 UTC+0000  
0xfffffa801a9c6b10 vfggggg.exe            2072   3208     23      396      1      1 2018-04-07 08:44:25 UTC+0000                                 
0xfffffa801aec0b10 WmiPrvSE.exe           3632    620     13      333      0      1 2018-04-07 08:44:42 UTC+0000                                 
0xfffffa801b55e060 WmiApSrv.exe           3476    496      5      112      0      0 2018-04-07 08:44:50 UTC+0000                                 
0xfffffa801ae88060 WmiPrvSE.exe           3080    620      7      211      0      1 2018-04-07 08:44:55 UTC+0000                                 
0xfffffa801afbc060 SearchProtocol         2952   2864      7      284      0      0 2018-04-07 08:45:39 UTC+0000                                 
0xfffffa801a91f550 SearchFilterHo         2676   2864      5      104      0      0 2018-04-07 08:45:39 UTC+0000                     

  

The vfggggg.exe almost damages our vision of how malicious it looks. This time, it seems that the creators of the malware have not invest any effort on obfuscation techniques. It is curious that the parent is explorer.exe (usually it is a cmd.exe or a Powershell.exe, or we can trace the parents to a browser or email client).

The second most profitable option is usually to recognize network connections with netscan:

# volatility --profile Win7SP1x64 -f win7_labodfir.raw netscan > netscan.txt

Volatility Foundation Volatility Framework 2.5

Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7deda8c0         UDPv4    0.0.0.0:3702                   *:*      1944     svchost.exe    2018-04-07 08:39:03 UTC+0000
0x7e030010         UDPv4    0.0.0.0:64476                  *:*      864      svchost.exe    2018-04-07 08:38:26 UTC+0000
0x7e030010         UDPv6    :::64476                       *:*       864      svchost.exe    2018-04-07 08:38:26 UTC+0000
0x7e043730         UDPv4    0.0.0.0:5355                   *:*     984      svchost.exe    2018-04-07 08:38:20 UTC+0000
0x7e06bb30         UDPv4    0.0.0.0:3702                   *:*        1944     svchost.exe    2018-04-07 08:39:03 UTC+0000
0x7e06bb30         UDPv6    :::3702                        *:*         1944     svchost.exe    2018-04-07 08:39:03 UTC+0000
0x7e089b30         UDPv4    0.0.0.0:5355                   *:*             984      svchost.exe    2018-04-07 08:38:20 UTC+0000
0x7e089b30         UDPv6    :::5355                        *:*           984      svchost.exe    2018-04-07 08:38:20 UTC+0000
0x7e143010         UDPv4    0.0.0.0:3702                   *:*        864      svchost.exe    2018-04-07 08:39:03 UTC+0000
0x7e0a93b0         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        684      svchost.exe    
0x7e0ac680         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        684      svchost.exe    
0x7e0ac680         TCPv6    :::135                         :::0                 LISTENING        684      svchost.exe    
0x7e0af5c0         TCPv4    0.0.0.0:49152                  0.0.0.0:0            LISTENING        388      wininit.exe    
0x7e0b6820         TCPv4    0.0.0.0:49152                  0.0.0.0:0            LISTENING        388      wininit.exe    
0x7e0b6820         TCPv6    :::49152                       :::0                 LISTENING        388      wininit.exe    
0x7e144c80         TCPv4    0.0.0.0:49153                  0.0.0.0:0            LISTENING        740      svchost.exe    
0x7e145010         TCPv4    0.0.0.0:49153                  0.0.0.0:0            LISTENING        740      svchost.exe    
0x7e145010         TCPv6    :::49153                       :::0                 LISTENING        740      svchost.exe    
0x7e0afb10         TCPv6    -:0            6800:a91a:80fa:ffff:6800:a91a:80fa:ffff:0 CLOSED           1        ??=????       
0x7e435010         UDPv4    192.168.25.128:138             *:*      4        System         2018-04-07 08:38:19 UTC+0000
0x7e497ec0         UDPv4    192.168.25.128:137             *:*       4        System         2018-04-07 08:38:19 UTC+0000
0x7e5bdec0         UDPv4    0.0.0.0:3702                   *:*       1944     svchost.exe    2018-04-07 08:39:03 UTC+0000
0x7e5bdec0         UDPv6    :::3702                        *:*        1944     svchost.exe    2018-04-07 08:39:03 UTC+0000
0x7e5be010         UDPv4    0.0.0.0:64475                  *:*        864      svchost.exe    2018-04-07 08:38:26 UTC+0000
0x7e5c1e00         UDPv4    0.0.0.0:3702                   *:*          864      svchost.exe    2018-04-07 08:39:03 UTC+0000
0x7e5c1e00         UDPv6    :::3702                        *:*       864      svchost.exe    2018-04-07 08:39:03 UTC+0000
0x7e74bd40         UDPv4    0.0.0.0:54789                  *:*        1944     svchost.exe    2018-04-07 08:38:22 UTC+0000
0x7e752010         UDPv4    0.0.0.0:54790                  *:*        1944     svchost.exe    2018-04-07 08:38:22 UTC+0000
0x7e752010         UDPv6    :::54790                       *:*     1944     svchost.exe    2018-04-07 08:38:22 UTC+0000
0x7e7d4d00         UDPv4    0.0.0.0:3702                   *:*         864      svchost.exe    2018-04-07 08:39:03 UTC+0000
0x7e7d5340         UDPv4    0.0.0.0:54791                  *:*        864      svchost.exe    2018-04-07 08:38:22 UTC+0000
0x7e7d69b0         UDPv4    0.0.0.0:54792                  *:*          864      svchost.exe    2018-04-07 08:38:22 UTC+0000
0x7e7d69b0         UDPv6    :::54792                       *:*        864      svchost.exe    2018-04-07 08:38:22 UTC+0000
0x7e7d8010         UDPv6    ::1:54794                      *:*     1944     svchost.exe    2018-04-07 08:38:22 UTC+0000
0x7e7ec330         UDPv6    fe80::fc4b:861d:db18:9601:54793 *:*   1944 svchost.exe    2018-04-07 08:38:22 UTC+0000
0x7e7eca00         UDPv4    192.168.25.128:54795     *:*        1944     svchost.exe    2018-04-07 08:38:22 UTC+0000
0x7e7edd00         UDPv4    127.0.0.1:54796                *:*     1944     svchost.exe    2018-04-07 08:38:22 UTC+0000
0x7e7ee010         UDPv6    fe80::fc4b:861d:db18:9601:1900 *:*     1944     svchost.exe    2018-04-07 08:38:22 UTC+0000
0x7e7ee870         UDPv6    ::1:1900                       *:*     1944     svchost.exe    2018-04-07 08:38:22 UTC+0000
0x7e7f0010         UDPv4    192.168.25.128:1900     *:*     1944     svchost.exe    2018-04-07 08:38:22 UTC+0000
0x7e7f0950         UDPv4    127.0.0.1:1900                 *:*    1944     svchost.exe    2018-04-07 08:38:22 UTC+0000
0x7e7f5520         UDPv4    0.0.0.0:3702                   *:*    864      svchost.exe    2018-04-07 08:39:03 UTC+0000
0x7e7f5520         UDPv6    :::3702                        *:*        864      svchost.exe    2018-04-07 08:39:03 UTC+0000
0x7e44c700         TCPv4    192.168.25.128:139             0.0.0.0:0            LISTENING        4        System         
0x7e7e5010         TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        496      services.exe   
0x7e7e5010         TCPv6    :::49155                       :::0                 LISTENING        496      services.exe   
0x7e8a4010         TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        496      services.exe   
0x7ead2360         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System         
0x7ead2360         TCPv6    :::445                         :::0                 LISTENING        4        System         
0x7ee61630         TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        912      svchost.exe    
0x7ee63a80         TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        912      svchost.exe    
0x7ee63a80         TCPv6    :::49154                       :::0                 LISTENING        912      svchost.exe    
0x7f372c40         TCPv4    0.0.0.0:5357                   0.0.0.0:0            LISTENING        4        System         
0x7f372c40         TCPv6    :::5357                        :::0                 LISTENING        4        System         
0x7ee767a0         TCPv6    -:0                            4870:da18:80fa:ffff:4870:da18:80fa:ffff:0 CLOSED           101      3              
0x7f566840         TCPv4    192.168.25.128:49219           91.192.100.59:30030  SYN_SENT         -1                      
0x7fb3bec0         UDPv4    0.0.0.0:0                      *:*     984      svchost.exe    2018-04-07 08:38:17 UTC+0000
0x7fb3bec0         UDPv6    :::0                           *:*    984      svchost.exe    2018-04-07 08:38:17 UTC+0000
0x7fc0a1e0         UDPv4    0.0.0.0:3702                   *:*     1944     svchost.exe    2018-04-07 08:39:03 UTC+0000
0x7fc98a50         TCPv4    0.0.0.0:49156                  0.0.0.0:0            LISTENING        504      lsass.exe      
0x7fc98a50         TCPv6    :::49156                       :::0                 LISTENING        504      lsass.exe      
0x7fc9f940         TCPv4    0.0.0.0:49156                  0.0.0.0:0            LISTENING        504      lsass.exe     

  

We get a rather suspicious IP/port combination: 91.192.100.59:30030. Since port 30030 is not particularly well known, here we might have a lead to continue our investigation.

The third option of interest is to make a list of the open files that are still resident in memory with filescan:

# volatility --profile Win7SP1x64 -f win7_labodfir.raw filescan > filescan.txt

  

Since we have a suspicious file name, we can search for it:

# fgrep vfggggg.exe filescan.txt
0x000000007e272a90     14      0 R--r-d \Device\HarddiskVolume1\Users\antonio\AppData\Roaming\vfggggg.exe

  

We verify that the file is located in a user folder, a very common location for newly landed malware on a computer. Let’s extract it from memory with dumpfiles:

# mkdir dump
# volatility --profile Win7SP1x64 -f win7_labodfir.raw dumpfiles -Q 0x000000007e272a90 -u -n -D dump

  

We obtain basic information from the file using file and exiftool:

# file file.None.0xfffffa801ae09e30.vfggggg.exe.img 
file.None.0xfffffa801ae09e30.vfggggg.exe.img: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

# exiftool file.None.0xfffffa801ae09e30.vfggggg.exe.img 
ExifTool Version Number         : 9.46
File Name                       : file.None.0xfffffa801ae09e30.vfggggg.exe.img
Directory                       : .
File Size                       : 4.0 kB
File Modification Date/Time     : 2018:04:07 14:52:57-04:00
File Access Date/Time           : 2018:04:07 14:53:34-04:00
File Inode Change Date/Time     : 2018:04:07 14:52:57-04:00
File Permissions                : rw-r--r--
File Type                       : Win32 EXE
MIME Type                       : application/octet-stream
Machine Type                    : Intel 386 or later, and compatibles
Time Stamp                      : 2017:06:24 06:53:40-04:00
PE Type                         : PE32
Linker Version                  : 8.0
Code Size                       : 371712
Initialized Data Size           : 580096
Uninitialized Data Size         : 0
Entry Point                     : 0xf000a
OS Version                      : 4.0
Image Version                   : 0.0
Subsystem Version               : 4.0
Subsystem                       : Windows GUI
Warning                         : Error processing PE data dictionary

  

The file seems to be our culprit (an unrecognized PE32 executable in user space is like a smoking gun next to a corpse), but in this case the size does not match: 4Kb, which indicates that it could not be extracted correctly from the memory.

We continue to explore the available evidence, in this case the MFT (Master File Table) collected by CYLR, which will give us a good clue of the files that were operational at the time of infection. Our goal is to find the way in which the malware reached the system, usually one of these three: mail, browsing or USB.

The MFT is raw extracted thanks to the magic of CYLR, but we need to convert it to a readable format, so we use the mftdump.exe tool to parse it and convert it into a 71Mb file with 175K entries.


Since we are only interested in today, we can only extract the files modified during the day:

# fgrep 2018-04-07 mft_parseada.csv > mft_malware.csv
# wc mft_malware.csv
   457  18333 145101 mft_malware.csv

 

The operation leaves us 457 events, something much more manageable and that we can open without fear in a LibreOffice Calc for its examination. It does not cost much to locate the vfggggg.exe and check the files that are around it:

25645 0 0 0     Purchase Order 03EDG.doc	PURCHA~1.DOC	2018-04-07 08:42:00 2018-04-07 08:42:29
2018-04-07 08:42:29	2018-04-07 08:42:29	
16508	0	1	0	Content.Word	CONTEN~1.WOR	2018-04-07 08:42:07	2018-04-07 08:45:39	2018-04-07 08:45:39	2018-04-07 08:45:39
25612	0	1	0	Content.Outlook	CONTEN~1.OUT	2018-04-07 08:42:29	2018-04-07 08:42:29	2018-04-07 08:42:29	2018-04-07 08:42:29
89905	0	0	0	test 02.exe	TEST02~1.EXE	2018-04-07 08:43:53	2018-04-07 08:43:53	2018-04-07 08:43:54	2018-04-07 08:43:54	952832
89897	0	0	0	vfggggg.exe			2018-04-07 08:44:02	2018-04-07 08:44:02	2018-04-07 08:43:54	2018-04-07 08:43:54	952832

 

The file “Purchase Order 03EDG.doc” has every chance of being the vector of infection. We can see that there are residues of the existence of both Word and Outlook, so the infection chain seems quite basic: the user has received an email in Outlook with a malicious attachment and opened it directly with Word.

We have already located the files we want to recover from the user’s hard drive, but before moving on, we will ensure the operation by removing the heavy artillery with the Volatility strings command (which is done in two stages because we have to extract all the useful chains from the memory dump beforehand):

$ strings -a -td win7_labodfir.raw > strings_win7.txt
$ strings -a -td -el win7_labodfir.raw >> strings_win7.txt 
$ volatility --profile Win7SP1x64 -f win7_labodfir.raw strings  -s strings_win7.txt > strings_vol.txt

 

We scan the Netscan IP address and confirm that it is related to our malware:

# fgrep  91.192.100.59 strings_vol.txt

71148752 [FREE MEMORY:-1] "10:45:08,6998260","vfggggg.exe","2072","TCP Reconnect","192.168.25.128:49179 -> 91.192.100.59:30030","SUCCESS","Length: 0, seqnum: 0, connid: 0","0","C:\Users\antonio\AppData\Roaming\vfggggg.exe"

441241253 [FREE MEMORY:-1] "10:45:40,6802302","vfggggg.exe","2072","TCP Reconnect","192.168.25.128:49186 -> 91.192.100.59:30030","SUCCESS","Length: 0, seqnum: 0, connid: 0","0","C:\Users\antonio\AppData\Roaming\vfggggg.exe"

 

We investigate other traces of TCP connections in memory with “TCP Send”, “TCP Receive” and “TCP Reconnect”:

# egrep "TCP Send|TCP Reveive|TCP Reconnect" strings_vol.txt

  

We find several links of interest:

1536769087 [2676:00962c3f] 10:42:21,1402019,Network,TCP Send,OUTLOOK.EXE,1128,208.97.132.208:143
438082728 [2676:014baca8] 10:43:53,3557447,Network,TCP Send,powershell.exe,3456,185.83.215.16:443
1161326462 [2952:00299f7e] 10:43:47,6837408,Network,TCP Send,mshta.exe,1236,185.83.215.16:443
519710651 [FREE MEMORY:-1] 10:43:45,8308037,Network,TCP Send,WINWORD.EXE,3744,185.83.215.16:443
519710839 [FREE MEMORY:-1] 10:43:46,3235312,Network,TCP Send,WINWORD.EXE,3744,178.255.83.1:80

  

Apparently, we do have an Outlook in play, as well as some very suspicious connections of both Word and Powershell. We could go over the content of the strings_vol.txt more, but we already have all the related clues, so we can proceed to recover the suspicious files from the user’s computer: “Purchase Order 03EDG.doc” and “vfggggg.exe”, in addition to the user’s .pst (which stores his mail).

We start the computer with a Linux live CD, mount the disk and locate the files that interest us (for now, it does not seem necessary to make a complete forensic copy of the hard drive). The analysis of malicious files, in the following article…

See also in: