Tuesday, August 30, 2016

Malware forensics using timeline analysis


So I came across an incident where the threat artifact defeated the AV, which was strangely reported by AV, but beside that there were no more alerts at both the endpoint or the network level. Since there was not much clarity regarding the incident so I decided to run a supertimeline analysis on the partition's dd (bit by bit image) image in order to get a sequential picture of what happened and how did the malware land on the machine. In the course of this, I was able to discover some extra IOCs.




Even though the above screenshot points to the fact that the malware's IIV was through a removable media. However, the timeline analysis can help us in identifying other details about the removable media like serial number, model, manufacturer etc. This is done when the registry artifacts are carved and placed in the timeline.


I was able to browse to the user profile folder and I could see the threat "winsrc.exe". So I zipped this in a password protected archive and acquired this artifact.


I could see the process running in the task manager and the description as well which seems to be some encoded stuff (A7LSBV IdqCLh U2Gf6066EY)


The file analysis was absent in VT. I uploaded the artifact and the analysis returned an overwhelming 34/52 bad. This indicates the malicious nature of the sample.


I did a simple strings and grep to look for "winsrc" in the image and was able to extract some logs of the AV. More interestingly we can see that 17.08.16.exe accessed and executed winsrc.exe from the temp folder. We know from the original alert that the file 17.08.16.exe which was the dropper in the removable media was responsible for dropping winsrc.exe in the user profile folder. We also see that winsrc.exe is also accessing itself in the user profile folder (maybe decrypting itself?)



Next we see some logs from SMS which is detecting some autorun keys written in the registry by the malware for persistence purpose.



The supertimeline was generates using SIFT ehanced supertimeline utility, which runs over the dd image of the partition, carves out various artifcats and outputs conveniently in form of a csv file, which can be imported in an excel file and analysed for IIV and artifcats related to the incident. The timeline analysis involves knowing some pivot point (string, datetimestamp) to pivot from and work from there in generating and analysing the timeline. I knew the datetimestamp, so I directly jump to that date and time and I could see many USB related artifacts, where I could see USB being mounted to mount points, along with details on the USB serial no and model etc.


Next we can see a file being modified from the MAC time events artifacts. This file is basically the logs of Windows Defender


I mounted the dd image on a mount point in linux box and then accessed the log file and I could the two artifacts mentioned in there along with process ids.


Furthermore, Windows events are also carved as artifacts in the timeline as EVTX and we can see some windows events written by Windows Defender. WD seems to have identified the malware as "Backdoor: Win32/IRCbot.FY".


We can see some more artifacts like the writing (last written) of autorun registry key as a persistence mechanism in form of an REG artifact. We can also see logs of AV profiling the malware as "Profiler.gen".


In order to see anything else interesting written in the registry I used regripper to access the NTUSER.DAT and flush it to a text file for analysis


I can only see the same autorun reg key in the output


Some other interesting artifacts discovered were the log file written by autorun eater which indicates that the TOSHIBA USB key was inserted, which invoked the malicious autorun.inf file in the USB, which executed the initial 17_08_16.exe which resulted in dropping and executing the winsrc.exe. Another very interesting artifact was a DNS Client event written in Windows Events logs, which showed that a DNS request was sent out to resolve "sp.3p.kz" domain. An excellent artifact to mine for OSCTI related to the domain to understand what is the sample we might be dealing with.



Googling this domain we can see that this is a C2 domain for Dorkbot




Another great OSCTI source is the threatcrowd website, which shows how the domain links to various other domains, ip addresses and hashes.


We can see that all hashes linked to this domain are malicious. All indications points that this is a threat which drops malicious code, which opens a backdoor in the endpoint, which communicates using IRC protocol. It also seems to do code injection. None of the hashes listed in the threatcrowd matched with the hash of our sample, which might indicate that this could be a new variant.



Another great source of OSCTI is AlientVault's OTX, which can showed details about the domain, showing that it is participating in malicious activities, potentially involve in malware propagation, and is used by known malware as a C&C server. 


We can see that a file "WmiAPRpl.h" is being accessed and we can also see AV failing to remove or handle the threat.

Next we will try to perform analysis of the malware in hand and try to figure out its working and see if we can get our hands on some more IOCs.