Monday, December 23, 2013

Check Your Hash at the Door

A friend recently asked if I would post about using md5deep; he was trying to figure out how to use it to compare against the NSRL hash library and was having some difficulties.  Well, maybe it's stretching to say he asked if I would.  He asked for some help in figuring it out, and at the end of it all, I offered to post some stuff; he said it might be useful.  So if I put a PR spin on it, I was specifically asked, because of my great and wondrous knowledge.  How's that?  :)

Oh, and if you're wondering at my use of the term "friend," you can always substitute "person who pretends not to hate me as much as others do" if that makes you feel better.  I know some of you don't think it's possible that I actually have friends, so I feel I have to give you a way out...

Anyhow, to be honest, I've not ever used md5deep for that specific purpose.  I've always used something like FTK or EnCase.  I know, I know, don't be hatin'.  I do a lot with command line tools, and prefer them in many - if not most - cases, but there are some instances where (completely dependent on the scenario), a GUI is just easier and/or the better option.  And for what I've done with the NSRL hash libraries, those tools were what was called for (there was more than just deNISTing at hand).  

That said, the way I've used md5deep should still accommodate comparing against the NSRL hashes, with just a little bit of tweaking.  I've always used it to compare and verify files being copied from various data sources (typically network shares), when using a copy application that couldn't do so.  So in that scenario, it works out something like this:

We want recursion, possibly a progress/status indicator, and an output file that can be used as the input file for hash comparison.

Hash the source like:

user> md5deep -re "g:\loose_PST_files" > f:\psthash.txt

Hash the destination (and compare to hash of source):

user> md5deep -renx f:\psthash.txt "f:\loose_PST_files" > f:\psterrorhash.txt

This breaks down as follows:
    -r = recursion
    -e = progress/status
    -n = displays names of files not matching the input file
    -x = negative hash matching; reports files not in the input file 
    g:  is the mapped or local source drive
    f:  is the destination drive
Order for source is:  > # the flags have to be combined together (ie, -re) or it errors.  It will automatically output to stdout, so we have to redirect to logfile; this gives filename and hash value only (other format cannot be read properly for use as input file).

Order for destination is:  >   # the error log immediately follows the flag as the first variable; this is read and compared against the hashes of the destination.  Any errors in the comparison (whether the file is there but shouldn't be, or isn't there but should be) will output to the error log.  The size of the log should be 0 KB when all is done, and (obviously) empty - thus showing there were no errors/mismatches. 

These were notes I made in the past, and I think were most recently updated with version 3.4.  The tool is now on 4.3, so I don't know if the following has changed, but ... as noted above, the md5deep comparison (input) file had to have hash value and filename only, or could not be properly read.  I couldn't find anything in the documentation to say one way or the other, but it's possible that the NSRL lists might be problematic, even though md5deep is only looking at the hash and not the filename/location.  I did have occasion recently to verify the integrity of some evidence migrated to new storage, and ran md5deep in the manner above; it worked great.  The only thing I'll note is that if you do want the progress indicator, it WILL slow down the process; use with discretion.  You have been warned.

There were a couple posts related to using NSRLSrvr and NSRLLookup that showed up on the radar.  The first I passed along, and the second my friend found on his own; apparently it was helpful.  I don't know the first author, but Patrick puts out some good stuff on Sysforensics.  If you don't keep tabs on his blog, you should.  So without further ado, here they are, and they should work just fine to use md5deep to compare against NSRL.

And this wouldn't be complete if I didn't mention the NSRLookup service from Kyrus Tech:

Have fun and happy hunting (or, uh, happy hashing)!

Monday, December 16, 2013

What's Hash Got To Do With It? (Part 2)

Just a quick follow-up to yesterday's post, as promised.  I decided to do it as a new post rather than an edit/update, figuring it would be easier to track this way.  Not much to it, just a little more info to round things out.

First, I got my hands on the infected PC today, pulled the hard drive, and extracted some files.  I wasn't able get RAM, but I do have hiberfil and pagefile to work with, along with the user profile and registry hives, but that's not the point here.  (I will note, however, that unless I can find evidence of the malware's activities in hiberfil or pagefile, I'm still - to an extent - surmising how it spawned msiexec.exe in the first place.)  I found three separate executables under the user profile, as created by msiexec.exe.  I copied them off into a separate directory and used md5deep to hash the files, so that I could look for them on VT or as well (there, now this is a post about md5deep too!).  Here's what I ended up with (my own formatting):


Did you notice that?  All hashed the same.  Okay, maybe that's expected, or not too unexpected at least.  But did anyone note the hash value from yesterday, for the initial executable (from inside the zip)?  Well, in case not, here it is again (in the same format):


See that?  Yes, that's right - another md5 match, and I doubt it's due to collisions.  :-)  So basically, the original malware spawns msiexec.exe, creates a new executable(s) that is (or are) identical to the original (except for the name); the original is deleted, and the show goes on.  I don't know about you, but that's not what I commonly see from malware.

Now for a few more tidbits...

A little header info from a network capture:
POST /se/gate.php HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0
Content-Length: 74

IP Addresses, as seen by the C2 blocking device:

Now, I mentioned before that there was a .ru TLD involved, and here that is:

Haven't looked at that traffic yet, and it never made it to the device that blocked the C2 traffic, as it had already been blocked for other reasons.  And of course, until I examine the pcaps, I won't know what that traffic was (still might not - since it was blocked, it will be a one-side conversation).

Last of all, a screenshot of the offending email (note some inconsistencies outlined in red):

SupportAmazonyu?  AmazonStoreIdecoa?  I could get it with "Amazon," but what's with the other stuff?  And the order numbers don't match up anywhere.  And finally, it says, "Well let ..." rather than "We'll let ..."

Well, I guess you can't patch users!  At least not without regression testing first.  ;-)

I think that's it for now; if I do come up with anything else that looks interesting or useful, I'll post another update.  Aside from that, I told a friend I'd post about some specific uses for md5deep; we'll see how that works out, but hopefully it will be coming soon.

Happy Hunting!

Sunday, December 15, 2013

What's Hash Got To Do With It?

Well, because that's how we're going to kick off this little story.  Without further ado, here ya go:  26E57BDE90B43CF6DAE6FD5731954C61

Before we go too far into that, however, I need to take a step back.  It's been a long time since my last post.  Too long indeed (my job makes it difficult, to say the least), so let's not dwell on that, shall we?  With that out of the way, I'll give just a quick back story on the above-referenced md5 hash value.  Last week, on Wednesday and Thursday, I came across this malicious gem.  Well, I think it was the same both times.  From a network perspective, it was behaving the same - reaching out to the same C2 channels, attempting to post the same type of encrypted data (based on format, appearance of cipher-text, etc.).  However, as it turns out there wasn't an appropriate endpoint sensor on the first box, to be able to pull back more relevant info.

That fact is important as we go on - that unless you have evidence across different DFIR disciplines (host and network, with all their subsets), you really can't say for certain what is occurring.  You can postulate, and may very well be correct, but without RAM, RE, timeline and other host data, and various points of NSM (network security monitoring) such as FW logs, IDS/IPS, netflow, you're left at least somewhat in the dark.  Anyhow, from a network perspective, these two appeared to be the same, and fortunately there was an endpoint sensor on the second box; I got to have some fun, and thought I'd share.

As it turns out, the infections originated not from some stealthy drive-by or infected website, but via an executable inside a zip file sent along with an "Amazon" email to personal email accounts.  In the case of the second one, the user had received two previous ones that were ignored and deleted; the third was just too much and curiosity won out.  User opens zip file.  Oops #1.  User double-clicks executable.  Oops #2.  At that point it's all over but the tears, and the malware has its fun.  The positive side was that - finally - I got to have some fun too!

Now, I didn't know all that at first.  All I knew was that C2 traffic to had been blocked.  That was the same domain as the previous day, so my interest was piqued.  The system that blocked didn't have any info about the malware, just knew that the traffic was bad, so that was no help.  I went in to my sensor logs from that box, and found the application reaching out to was msiexec.exe, from the c:\windows\system32 directory.  Ooh, now that's not right.  The parent process for msiexec.exe was order_jd4320480293.exe.  Now that's not good either.  And it was running from inside a zip under the user's temp directory, with a parent of explorer.exe.  Alright, that's not unexpected, especially at this point.

I was able to pull a copy of the binary for order_jd4320480293.exe that the sensor had pushed to my analysis server, and saw that it had 9 hits by hash on Virus Total, so I went to check that out.  There were indeed 9 engines that detected it; one from the 11th, and eight from the 12th.  Most had generic names as yet; the most relevant one appeared to be from McAfee, which had it as a ZBot variant.  Searching on that lead me to, where the binary had apparently been uploaded and analyzed already.  As a side note, the next morning VT had 14 detections, and is now up to 23 (What's funny is that some of the vendors I submitted a sample to, now say they detected it back then.  Hmm, really?).  Since there's some RE type info on VT and Malwr, I won't try to go into that; I'll give you some reference links to go enjoy that.  I will, however, give a quick rundown of what I saw.  I will probably come back and add some IP addresses for the domain, as well as a .ru TLD I saw from the endpoint, so watch for an update.

So here's the quick high-level rundown:
*  User downloads zip from fake Amazon email, opens, and runs order_jd4320480293.exe
*  Malware executes, and order_jd4320480293.exe spawns (loads) msiexec.exe from c:\windows\system32 as a child process 
*  Child process msiexec.exe creates a new executable under the user profile, named (one example) msyaam.exe or msevaxlgn.exe (another example)
*  Child process msiexec.exe adds a runkey for the new executable, in the user hive, under Software\Microsoft\WindowsNT\Current Version\Load
*  Child process msiexec.exe deletes original executable, order_jd4320480293.exe

Along in there somewhere, msiexec.exe packages up some data (probably credentials), encrypts, and tries to ship it out to remote servers.  Unsuccessfully.  Defense in depth... ;-)

Well, that's it for now.  Given the info available elsewhere about this malware, I probably won't post anything about its actions on the system, unless I see a very different  approach take place.  But I will look to post some IPs and perhaps some other tidbits that might be helpful from an IOC perspective.  Other than that, here are some links:

Happy Hunting!