Friday, May 14, 2010

Forensics contest #5 Answer

Well 5/13/10 has come and gone now, so here are my answers for the latest contest. As noted later in my writeup, no new tools this time, just my writeup and approach to it.

Answer 1a: sdfg.jar
Answer 1b: q.jar
Answer 3:
Answer 4: 5942BA36CF732097479C51986EEE91ED
Answer 5: UPX
Answer 6: 0F37839F48F7FC77E6D50E14657FB96E
Answer 7:

Up Front:
This is a writeup on how I did it, in a manual process, with no new tools, just an attempt to do the analysis in a controlled environment and not infect anything that I didn't want to.

Before doing any malware analysis there are a few things to know/understand.
1. Odds are whatever machine you are doing this on is going to get infected sooner or later.
2. While running in a VM environment is a good way to test/work on these, there is the possibility for the programs to determine they are in a VM and act differently because of it.

System Setup:
- Sandbox software (Sandboxie)
- HashTab
- NetworkMiner
- Wireshark
- Exeinfo PE
- PEiD
- UPX
- NO AV software installed

Download and install all software, disconnect network, just in case.

Once Sandboxie is installed, some quick initial tweaks for today's fun:
- Sandbox Settings > Recovery > Immediate Recovery > Uncheck 'Enable Immediate Recovery'
- May want to look at (I haven't played with these settings before): Restrictions > Drop Rights > 'Drop rights from Administrators and Power Users group'

After installing all of the software above in my VM I snapshotted it so that I could roll back to a known safe/uninfected machine as needed.

On to looking at the infected.pcap file:
First thing to do is launch NetworkMiner from within a Sandbox. Right click on the NetworkMiner.exe and say 'Run Sandboxed' (again we've already installed all software)

Let's first look at the different conversations/systems involved. We have 2 systems on the local network:
- appears to be the default gateway or proxy server for the network
- Windows XP system with .Net 2.0, 3.0, 3.5 and Java installed on it, on a workgroup/domain called TICKLAB (need to check Satori and see why I didn't see this there?). It has 4 outgoing sessions:
[] - 6 sessions, downloading 7 files
- 1 session
[] - 1 session, downloading 1 file
- 1 session

We can now safely look at the files that were extracted by NetworkMiner. Files Tab > Right click on first file > Open Folder. When you do this action from within a sandboxie env it will open up the file explorer also in that same sandboxed env. You can see this with the [#] Title [#] scenario in the title bar. While you can still infect yourself by running an infected exe this way, it will be, in theory at least, contained by the sandbox and go away when you close out and delete the sandbox.

The 7 files that were downloaded from were: (filename as NetworkMiner saved it, may not be the name it was on the server)

For proper analysis of what it is actually doing, true.php should be run through a process to convert it to 100% readable text. It does a few different things to obscure what it is doing, I assume to try to evade the checks a system may do to determine whether it is malicious. Two things you can see are the two jar files it writes out with document.write, sdfg.jar and q.jar. will also need to be looked at because it calls .replace on the text in true.php (I think, need to dig more)

Anyway, we have an answer to #1 and #3 now, the two .jar files that got created and what file did it.

Conversation to reveals a bit of interesting info. It requests the following:

broken down we have:
Logged on user id, computer name, ? hash maybe ?

So now we have answer #2.


version of IE on the infected system

System OS which we already determined by passive means before, but good to see we have the same info here.


This is the MD5 of the packed file. Possibly a phone home feature to let it know what version is out there on each system, if ver above isn't that?

We can verify this is the MD5 on the file by right clicking on the file.exe.octet-stream and going to properties and then the File Hashes tab (this is what HashTab does)

Now we have answer #4.

Based on the MD5 and some of the other info it is doing, this appears to be a decent writeup on it:

Ok, so now we need to determine how/if our .exe is packed.
Right click on exeinfope.exe and tell it to run sandboxed (needed, probably not, but...). Go to the directory where the file.exe.octet-stream file resides and open it.

Exeinfo PE ver says it is:
UPX -> Markus & Laszlo ver. [ 3.04 ] <- info from file. ( sign like UPX packer )

Same idea, but with PEiD v0.95 (may be a newer version?)
UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo

So we now have answer #5

To get answer #6 we'll need to get UPX and run "upx -d" on the file and then compute the MD5 with HashTab again.

So just to be safe, run a cmd.exe inside the sandbox also, go to the directory where the file is:
upx -d file.exe.octet-stream

This will expand the file out. Now go back to explorer, properties on file.exe.octet-stream, File Hashes, and the new MD5 is: 0F37839F48F7FC77E6D50E14657FB96E

Answer #6
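As an added example (not from the original post, and not code from Exeinfo PE, PEiD or HashTab), here is a Python script that does the two checks above by hand: it walks a PE file's section table and flags the UPX0/UPX1 section names UPX leaves behind (a common packer heuristic, next to the "UPX!" marker string), and it computes the MD5 the way HashTab displays it. The PE bytes it runs on are constructed inline as test input; any file names are placeholders.

```python
"""Added example: UPX section-name heuristic plus MD5, on a constructed PE."""
import hashlib
import struct


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string (the value HashTab shows on the File Hashes tab)."""
    return hashlib.md5(data).hexdigest()


def pe_section_names(data: bytes) -> list:
    """Return the section names from a PE image; raise ValueError if not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header after the signature: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sec_off = pe_off + 24 + opt_size  # first 40-byte section header
    names = []
    for i in range(num_sections):
        raw = data[sec_off + 40 * i: sec_off + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: UPX names its sections UPX0/UPX1 and leaves a 'UPX!' marker."""
    names = pe_section_names(data)
    return any(n.startswith("UPX") for n in names) or b"UPX!" in data


def build_sample_pe(section_names) -> bytes:
    """Constructed minimal PE (headers only, no code) used as offline input."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    opt_size = 0xE0  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    sample = build_sample_pe(["UPX0", "UPX1", ".rsrc"])  # stands in for file.exe.octet-stream
    print(pe_section_names(sample), looks_upx_packed(sample), md5_hex(sample))
```

On a real sample, read the bytes from disk and compare md5_hex before and after "upx -d" to reproduce the two hashes recorded above.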

For the last part, to know where it tries to go there are a few ways to look at this. We know it has to be one of the systems that our infected host tried to contact, we can look at the traffic there and try to determine it, we can dig around in the unpacked .exe and try to find the code (beyond my level) or we can purposely infect our VM and see what happens.

Based on other info we found on the MD5 we actually know from other people's writeups where it was going and can verify that we also tried to go there in the packet capture. port 444.

This malware appears to be SpyEye, a good writeup on it can be found here, which details some of what I had already figured out from the URL info:
