Tuesday, August 12, 2014

3R4LR - Running Redline Remotely for Live Response

This blog post is a work in progress and I'd love to get feedback while writing it. 

So while this note appears on top, the blog post is not finished. 

(Please come back again later!)

This blog post will likely not be updated (finished) anymore, sorry!


This is the second post about using Redline for Live Response. The first post covered Using Redline for Live Response - Part 1, showing how many details from artifacts can be collected with Redline.

Let's take a look at the steps necessary for running Redline Collector remotely.

  1. copy the collector to the host
  2. run the collector on the host
  3. compress the collection data (optional)
  4. copy the collection data back

I'm sure there are many ways to accomplish this, but here is the way I did it.

A short batch script, taking a hostname as parameter, uses PsExec to copy and execute a remote-script to the host. The remote-script does actually the steps described above.

Prerequisites:
  • read-only network share (for collector source)
    •  \\RO-Share-Host\Redline\
  • writable network share (to copy collection data back)
    •  \\RW-Share-Host\Data-Upload\
  • psexec rights (as admin) on remote host for user starting scripts
    • D:\Tools\Sysinternals>psexec -s \\hostname cmd /c whoami
      • --> nt authority\system

Considerations / Disadvantages:
  • needs privileged credentials for running the collector remotely
  • collector software and data overwrites unallocated space (changing harddisk from host under investigation)

Here are the two scripts, just slightly modified (anonymized) from the original previously used. (I hope I didn't introduce any typos or find/replace errors -- if so, please let me know)






REM ============================================================================
REM | Usage: run-redline.cmd hostname
REM ============================================================================
 

@echo off

REM  check if remote host is online
ping -n 1 %1 >NUL || echo Client %1 is offline. && goto FINISHED

echo Running Redline Collector remotely on System: %1
time /t

D:\Tools\Sysinternals\psexec.exe -accepteula \\%1 -s -c D:\Tools\Mandiant\Redline\run-redline-remote.cmd %1 >> E:\Data-Upload\Audits\%1_Redline_Log.txt

sleep 3

D:\Tools\7z.exe x -oE:\Data-Upload\Audits\%1 E:\Data-Upload\Audits\%1\audit_%1.7z

move E:\Data-Upload\Audits\%1_Redline_Log.txt E:\Data-Upload\Audits\%1\

dir /s E:\Data-Upload\Audits\%1

:FINISHED
echo *** Finished Redline Collector script !!!
time /t


REM ============================================================================
REM | Usage: run-redline-remote.cmd hostname
REM ============================================================================

@echo off

REM create new dir for Redline Collector
mkdir C:\Redline
cd C:\Redline

echo Starting "run-redline-remote.cmd" on System: %1 >> run-redline-remote.log
time /t >> run-redline-remote.log

REM copy Redline Collector executable and scripts from share
xcopy /E /C /Y /Q \\RO-Share-Host\Redline\Redline-Collector-Latest .
sleep 10
dir /s

rem ----------------------------------------------------------------------------
rem include Helper.bat   (using "call Helper.bat" didn't work)
rem ----------------------------------------------------------------------------

SETLOCAL enableextensions enabledelayedexpansion

ECHO Ensuring the proper working directory
%~d0
cd %~dp0

REM Verify the files exist
SET agent64=.\x64\MIRAgent.exe
SET agent32=.\x86\MIRAgent.exe
SET script=MemoryzeAuditScript.xml
SET outputdir=.
SET bitness=%PROCESSOR_ARCHITECTURE%

IF NOT EXIST "%agent64%" GOTO :failed
REM IF NOT EXIST "%agent32%" GOTO :failed
IF NOT EXIST "%script%" GOTO :failed

IF "%1"=="" GOTO :usedefault
SET outputdir=%1
:usedefault
REM Check that the directory exists, and if not create it.
IF NOT EXIST "%outputdir%" CALL mkdir "%outputdir%"

SET args=-o "..\%outputdir%" -f -script "..\%script%" -encoding none -allowmultiple

SET agent=%agent32%
IF "%bitness%"=="x86" GOTO :agentset
IF "%bitness%"=="IA64" GOTO :unsupported
SET agent=%agent64%
:agentset

ECHO %agent% %args%
REM PAUSE
call %agent% %args%

GOTO :end

:failed
ECHO.
ECHO.
ECHO Failure Encountered:
ECHO Agent and/or Redline Audit Script not found.
GOTO :end

:unsupported
ECHO.
ECHO.
ECHO Failure Encountered:
ECHO This Operating System is not supported by the Memoryze Agent
GOTO :end

:auditfail
ECHO.
ECHO.
ECHO Failure Encountered
ECHO %errorlevel% return from "%lastcmd%"
IF EXIST "%buildlog%" START notepad "%buildlog%"
GOTO :end

:end
REM PAUSE
ENDLOCAL
rem ----------------------------------------------------------------------------

 

echo Finished "run-redline-remote.cmd" on System: %1 >> run-redline-remote.log
time /t >> run-redline-remote.log

mkdir \\RW-Share-Host\Data-Upload\Audits\%1
rem copy run-redline-remote.log \\RW-Share-Host\Data-Upload\Audits\%1

rem ** copy collection without compression
rem xcopy /E /C /Y %1 \\RW-Share-Host\Data-Upload\Audits\%1

rem ** copy collection WITH (7z) compression
7z.exe a audit_%1.7z %1
copy audit_%1.7z \\RW-Share-Host\Data-Upload\Audits\%1

sleep 20

echo Finished "run-redline-remote.cmd" on System: %1 >> run-redline-remote.log
time /t >> run-redline-remote.log

copy run-redline-remote.log \\RW-Share-Host\Data-Upload\Audits\%1



The scripts are provided as is without any warranty. Use at your own risk. They may be changed without notice.

I will update this post later  with a PoC running the scripts "remotely" from the VM-host on the infected VM from the previous post.

Stay tuned for more...

Cheers,
@c_APT_ure

Tuesday, July 29, 2014

Using Redline for Live Response - Part 1

For once I'll write about something a bit different than before. It's still about Ponmocup malware, or more precise about the Zuponcic Kit for delivery, but more about how to do Live Response and Detection on the host using Redline.

If you're not familiar with the Zuponcic Kit yet, you should read the following posts:
If you're not familiar with Redline, the great free tool from Mandiant, I recommend reading the following:

Redline User Guide (latest version at time of writing v1.12)

You should be familiar with the two distinct phases, collection and analysis, and the difference of a "Redline Collector" (standalone CLI tool for collection) and "Redline", the feature rich GUI application for analysis of collection data.

So, for this blog post I infected a VM via Zuponcic Kit capturing network traffic with Wireshark and doing a Redline collection and analysis afterwards.


PCAP analysis with Wireshark


Here an overview of the DNS and HTTP traffic from the infection:

Some of the most interesting DNS and HTTP requests are:

DNS:

www.niceshop.at: type A, class IN, addr 85.13.129.172
perrugina.sciencehunk.com: type A, class IN, addr 31.210.96.155
mw.prodigymsnteregala.com: type A, class IN, addr 178.33.192.35
fasternation.net: type A, class IN, addr 253.101.238.123
www.sanctionedmedia.com: type CNAME, class IN, cname sanctionedmedia.com
sanctionedmedia.com: type A, class IN, addr 64.210.128.29

HTTP:

Default browser UA:

  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

http://www.google.ch/url?url=http://www.niceshop.at/&rct=j&frm=1&q=&esrc=s&sa=U&ei=eQHDU9acLdP07Aa-oICIAg&ved=0CBQQFjAA&usg=AFQjCNHz4D179x2aXXoTOLfSK_k71qrAlw

http://www.niceshop.at/

http://perrugina.sciencehunk.com/__utm.gif?utmwv=5.3.3&utms=7&utmn=1812125645&utmhn=isroi.com&utmcs=UTF-8&utmsr=800x600&utmvp=783x444&utmsc=24-bit&utmul=en-us&utmje=0&utmfl=10.0%20r22&utmdt=Gambar%20Animasi%20

http://mw.prodigymsnteregala.com/

http://mw.prodigymsnteregala.com/js/java.js

http://mw.prodigymsnteregala.com/ANLxMYn.jar

http://mw.prodigymsnteregala.com/ (POST)
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11
  Content-Length: 90
 
  i=2ZUpfq7G6Ke3q42Ny1c19p61...E78IJH3yVQJZL70k67ZEPHn9kW

Response:
  Content-Type: application/octet-stream
  Content-Length: 957688
  Content-Disposition: attachment; filename="xuqfvb"
  Last-Modified: Sun, 13 Jul 2014 22:01:35 GMT
    Time since request: 9.267738000 seconds

http://93.115.88.220/listing/chn/all.html
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Wrong IE version in UA! (looks like the rest of the UA was left unchanged, except the major version)


Detailed HTTP traffic of the Zuponcic Kit infection and initial C&C:

Request to infected website (malicious .htaccess file) coming from a Google search redirection: (checks for Cookie, Referrer, User-Agent)

Redirection to first stage Zuponcic Kit (checks client IP)

Request to main Zuponcic Kit page:

Request to "java.js" for browser (and Java) fingerprinting:

Malicious JAR downloader signed with stolen certificate:

POST request submitting a long parameter (key?) and receiving a large binary (encrypted) file:

GET request to IP (computed from DNS lookup to "fasternation.net" -- anti-sinkholing technique) sending data as Cookie values and using faked User-Agent:

Screenshots during VM infection

During the infection the user might see some Java warnings (depending on installed Java version and settings), trying to warn him from getting infected.






Using ProcessHacker the malware process shows like this:


Running Redline Collector

The recommended way for running Redline Collector on a host is via USB key. However, if you're not concerned about modification of the host under investigation you can also run Redline Collector remotely by copying it over the network or running it from a mounted share.


I may write more details about how to run Redline Collector remotely over the net in a later blog post. In this post I'd like to focus on the details available from a Redline analysis.

Here is a list of modules and options selected for this collection:



The XML files created during collection can get pretty large, depending on which modules are executed and settings in the script. The registry, event logs and filesystem make the largest part of this collection. However, the 537 MB of raw data nicely compress into a much smaller 33 MB. Compare this to a hard drive image or a memory dump. 






Analysis using Redline

After running Redline Collector on a suspicious or infected host you get lots of data (in XML format) to analyze with Redline, but also using grep and some other bash-fu (on Linux or Cygwin) can be very useful.

Using the timeline function from Redline is very easy and powerful. It lines up any artifacts collected using several timestamps that are selectable.


 


Here are some artifacts from the timeline of this infection.

Google redirection URL


A cookie is set from the infected web server the mark the first visit:


First request to Zuponcic Kit domain:

Request to "java.js" for loading the Java applet:

Prefetch file for "java.exe" created or updated:

Registry key created / updated for Malware domain serving malicious JAR:


Prefetch file for malware TMP file dropped:




Malware EXE file created:




Malware EXE process started:
 

 

Malware EXE process opened port listener:


Registry key with binary data created:


Creating persistence using registry RUN key under HKCU:



Creation of port listeners:



Using Bash-Fu on Redline XML data

Using some bash commands (possibly even using Cygwin on Windows) can be very useful and powerful. Here some examples.

Searching for some network indicators:

$ time egrep -ci "(prodigymsnteregala.com|\/js\/java\.js|ANLxMYn\.jar|qkejZDj\.jar|\/listing\/chn\/all\.html|93\.115\.88\.220)" *.* | egrep -v ":0"
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:4
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:5
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:2

real    0m17.630s
user    0m17.456s
sys     0m0.171s

$ egrep -i "(prodigymsnteregala.com|\/js\/java\.js|ANLxMYn\.jar|qkejZDj\.jar|\/listing\/chn\/all\.html|93\.115\.88\.220)" *.*
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/favicon.ico</SourceURL>
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/</SourceURL>
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/tr.gif</SourceURL>
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/js/java.js</SourceURL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com/favicon.ico</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>:Host: mw.prodigymsnteregala.com</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com</URL>
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:<Path>HKEY_USERS\S-1-5-21-3096987436-3122932343-3109395949-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</Path>
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:<KeyPath>Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</KeyPath>

$ egrep -in -C 10 "prodigymsnteregala.com" w32registryapi.* | egrep -m 1 -A 15 "<RegistryItem " | egrep -m 1 -B 15 "</RegistryItem>"
6674509-<RegistryItem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="FEBFAC4B-E50C-469E-A25A-2C42BE0653BE" created="2014-07-14T01:14:20Z">
        <Username>TOMS-VM-WIN7X64\Tom</Username>
6674510-<SecurityID>S-1-5-21-3096987436-3122932343-3109395949-1000</SecurityID>
6674511:<Path>HKEY_USERS\S-1-5-21-3096987436-3122932343-3109395949-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</Path>
6674512-<Hive>HKEY_USERS\S-1-5-21-3096987436-3122932343-3109395949-1000</Hive>
6674513:<KeyPath>Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</KeyPath>
6674514-<Type>REG_KEY</Type>
6674515-<Modified>2014-07-13T22:01:39Z</Modified>
6674516-<NumSubKeys>0</NumSubKeys>
6674517-<NumValues>0</NumValues>
6674518-</RegistryItem>

Searching for some host indicators (filenames, registry keys):

$ time egrep -ci "(DPNLOBBYG.EXE|483759317.TMP|Egkyxzdcin|7538554d-326909f3|JXZFUV)" *.* | egrep -v ":0"
w32apifiles.8xDv3nsauGodpXnrHsaHqg:8
w32apifiles.issues.6F4XA71eDhdfIujMDqoLCI:1
w32eventlogs.eOZaQVjGh3PdAuYt0LXxMR:8
w32prefetch.biHxIPURFOEdQgUKV9vyvp:12
w32processes-memory.jblWPV86pwBeohXjunTY1h:3
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:20
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:5

real    0m17.755s
user    0m17.565s
sys     0m0.170s

$ egrep -i "(DPNLOBBYG.EXE|483759317.TMP|Egkyxzdcin|7538554d-326909f3|JXZFUV)" w32apifiles.* w32scripting-persistence.*
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Users\Tom\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\7538554d-326909f3</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>7538554d-326909f3</FileName>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Users\Tom\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\7538554d-326909f3.idx</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>7538554d-326909f3.idx</FileName>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Windows\Prefetch\483759317.TMP-EB4905C2.pf</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>483759317.TMP-EB4905C2.pf</FileName>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Windows\Prefetch\DPNLOBBYG.EXE-603267D1.pf</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>DPNLOBBYG.EXE-603267D1.pf</FileName>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<RegText>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</RegText>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<FilePath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FilePath>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<FullPath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FullPath>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<FileName>dpnlobbyg.exe</FileName>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<Text>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</Text>

$ egrep -in -B 10 -A 120 "DPNLOBBYG.EXE" w32scripting-persistence.* | egrep -m 1 -A 100 "<PersistenceItem " | egrep -m 1 -B 100 "</PersistenceItem>"
96-<PersistenceItem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="C10D94E7-43A9-4160-A0EC-2C5BB246697F" created="2014-07-14T01:11:17Z">
   <PersistenceType>registry</PersistenceType>
97-<RegPath>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DLLS</RegPath>
98:<RegText>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</RegText>
99-<RegOwner>NT AUTHORITY\SYSTEM</RegOwner>
100-<RegModified>2014-07-13T22:44:51Z</RegModified>
101:<FilePath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FilePath>
102-<FileOwner>TOMS-VM-WIN7X64\Tom</FileOwner>
103-<FileCreated>2014-07-13T22:01:47Z</FileCreated>
104-<FileModified>2014-07-13T22:01:47Z</FileModified>
105-<FileAccessed>2014-07-13T22:01:47Z</FileAccessed>
106-<FileChanged>2014-07-13T22:01:47Z</FileChanged>
107-<md5sum>105ead6f908f0d8cbab11a0f4408d373</md5sum>
108-<FileItem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="7B6CDDEB-3A25-4568-9D31-AF18EB68C23E" created="2014-07-14T01:11:17Z">
    <DevicePath>\Device\HariskVolume1</DevicePath>
109:<FullPath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FullPath>
110-<Drive>c</Drive>
111-<FilePath>Users\Tom\AppData\Roaming</FilePath>
112:<FileName>dpnlobbyg.exe</FileName>
113-<FileExtension>exe</FileExtension>
114-<SizeInBytes>276992</SizeInBytes>
115-<Created>2014-07-13T22:01:47Z</Created>
116-<Modified>2014-07-13T22:01:47Z</Modified>
117-<Accessed>2014-07-13T22:01:47Z</Accessed>
118-<Changed>2014-07-13T22:01:47Z</Changed>
119-<FileAttributes>ReadOnly Hidden System Archive</FileAttributes>
120-<Username>TOMS-VM-WIN7X64\Tom</Username>
121-<SecurityID>S-1-5-21-3096987436-3122932343-3109395949-1000</SecurityID>
122-<SecurityType>SidTypeUser</SecurityType>
123-<Md5sum>105ead6f908f0d8cbab11a0f4408d373</Md5sum>
124-<PEInfo>
    <Type>Executable</Type>
125-<Subsystem>Windows_GUI</Subsystem>
126-<BaseAddress>4194304</BaseAddress>
127-<PETimeStamp>2012-02-23T05:41:05Z</PETimeStamp>
128-<PEChecksum><PEFileRaw>0</PEFileRaw>
129-<PEFileAPI>0</PEFileAPI>
130-<PEComputedAPI>287748</PEComputedAPI>
131-</PEChecksum>
132-<ExtraneousBytes>229376</ExtraneousBytes>
133-<DetectedAnomalies><string>checksum_is_zero</string>
134-<string>contains_eof_data</string>
135-</DetectedAnomalies>
136-<Sections>
    <NumberOfSections>3</NumberOfSections>
137-<ActualNumberOfSections>3</ActualNumberOfSections>
138-<Section><Name>.text</Name>
139-<Type>None</Type>
140-<SizeInBytes>43008</SizeInBytes>
141-<DetectedCharacteristics>Read Execute Code</DetectedCharacteristics>
142-<Entropy AverageValue="0.77262239772402574"/>
143-</Section>
144-<Section><Name>.rsrc</Name>
145-<Type>None</Type>
146-<SizeInBytes>3584</SizeInBytes>
147-<DetectedCharacteristics>Read</DetectedCharacteristics>
148-<Entropy AverageValue="0.54873274859376076"/>
149-</Section>
150-<Section><Name>.reloc</Name>
151-<Type>None</Type>
152-<SizeInBytes>512</SizeInBytes>
153-<DetectedCharacteristics>Read</DetectedCharacteristics>
154-<Entropy AverageValue="0.048149053317863157"/>
155-</Section>
156-</Sections>
157-</PEInfo>
158-<PeakEntropy>0.77262239772402574</PeakEntropy>
159-<PeakCodeEntropy>0.77262239772402574</PeakCodeEntropy>
160-</FileItem>
161-<RegistryItem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="91340226-5657-48BB-9DAB-44F07BFD14BD" created="2014-07-14T01:11:17Z">
    <KeyPath>Microsoft\ndows\CurrentVersion\Run\</KeyPath>
162-<Type>REG_SZ</Type>
163-<Modified>2014-07-13T22:44:51Z</Modified>
164-<ValueName>DLLS</ValueName>
165-<Username>NT AUTHORITY\SYSTEM</Username>
166:<Text>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</Text>
167-<ReportedLengthInBytes>86</ReportedLengthInBytes>
168-<Hive>HKEY_CURRENT_USER\Software</Hive>
169-<Path>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DLLS</Path>
170-<SecurityID>S-1-5-18</SecurityID>
171-</RegistryItem>
172-</PersistenceItem>

Looking at the raw XML usually should help with creating IOC's later.

Conclusion

Mandiant's Redline software is free to download and use. I find it amazing how much details can be found by analyzing a host with Redline and how easy it is to create a timeline for analysis.

Redline can combine disk and memory artifacts in a timeline, showing processes created and ports opened in time relation to files and registry keys created.

I think Redline is much more useful than what it costs! :-)

Are you using Redline yet and have some feedback or suggestions? I'd love to hear it...

In the next post I plan to show how to create IOC's from this analysis and how to check for IOC matches on a host. Stay tuned...

Cheers,
@c_APT_ure

Tuesday, June 3, 2014

Two years later...

By chance I just noticed that I wrote the Introducing Ponmocup Finder blog post exactly two years ago.

So it's time to celebrate the second anniversary :-)

Well, I was wondering if anyone else is currently detecting the .htaccess infections that Ponmocup Finder (PF) reports. Let's see...

Let's just look at any of the almost 500 domains currently being detected by PF as infected.

http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/ponmocup-infected-domains-history-days-sort.txt

439 www.pino-travel.com
439 www.log-in-verlag.de
438 www.oople.com
438 www.franken-gmbh.de
438 www.brichzin.de
438 www.bad-saulgau.de
437 www.vitaminbude.de

This German site has been seen infected since more than 430 days.

Here's todays "evidence" from my PF scripts that this domain is infected. It sets a cookie and redirects to Zuponcic Kit as discussed in previous (linked) blogs and presentations.

http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/www.bad-saulgau.de_wget_log.txt

--12:06:50--  http://www.bad-saulgau.de/
           => `www.bad-saulgau.de_out.txt'
Resolving www.bad-saulgau.de... 82.165.95.226
Connecting to www.bad-saulgau.de|82.165.95.226|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 302 Found
  Date: Tue, 03 Jun 2014 10:06:50 GMT
  Server: Apache
  Set-Cookie: tTF=50; path=/; domain=www.bad-saulgau.de; expires=Wed, 11-Jun-2014 08:44:50 GMT
  Location: http://solent.alloyradianttubes.com/neo/darla/php/fc.php?trace=folder_inbox&tID=6&d=0&f=978500093&l=SKY%2CREC%2CMNW&rn=1341221058138&en=utf-8&filter=no_expandable%253Bajax_cert_expandable%253Bexp_iframe_expandable%253B&ref=http%3A%2F%2Fwww.bad-saulgau.de%2F&sa=content%253D%2522minty_tenure%253A%2520week%25203+%2522
  Content-Length: 536
  Keep-Alive: timeout=2, max=200
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
Location: http://solent.alloyradianttubes.com/neo/darla/php/fc.php?trace=folder_inbox&tID=6&d=0&f=978500093&l=SKY%2CREC%2CMNW&rn=1341221058138&en=utf-8&filter=no_expandable%253Bajax_cert_expandable%253Bexp_iframe_expandable%253B&ref=http%3A%2F%2Fwww.bad-saulgau.de%2F&sa=content%253D%2522minty_tenure%253A%2520week%25203+%2522 [following]
--12:06:50--  http://solent.alloyradianttubes.com/neo/darla/php/fc.php?trace=folder_inbox&tID=6&d=0&f=978500093&l=SKY%2CREC%2CMNW&rn=1341221058138&en=utf-8&filter=no_expandable%253Bajax_cert_expandable%253Bexp_iframe_expandable%253B&ref=http%3A%2F%2Fwww.bad-saulgau.de%2F&sa=content%253D%2522minty_tenure%253A%2520week%25203+%2522
           => `www.bad-saulgau.de_out.txt'
Resolving solent.alloyradianttubes.com... 31.210.96.155
Connecting to solent.alloyradianttubes.com|31.210.96.155|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 302 Moved Temporarily
  Server: nginx/1.1.4
  Date: Tue, 03 Jun 2014 10:06:50 GMT
  Content-Type: text/html
  Content-Length: 160
  Connection: close
  Location: http://www.google.com/
Location: http://www.google.com/ [following]
 
The redirection to Google is an anti-detection method from Zuponcic Kit also discussed before on the Fox-IT blog.

So now the question is: Is anyone else detecting these .htaccess infected sites?

I haven't found any other detections. If you know of one, please let me know.

http://www.urlvoid.com/scan/bad-saulgau.de/

Website Information

Analysis Date8 seconds ago
Safety Reputation0/28
Domain 1st RegisteredUnknown
Server LocationFlag (DE) Germany
Google Page RankGoogle Page Rank
Alexa Traffic Rank1,751,096

URLQuery can detect the redirection to Zuponcic Kit (assuming the user sets a required referrer URL), but there are no indications in the report that there is anything malicious.

http://urlquery.net/report.php?id=1401817329491

Overview

URLwww.bad-saulgau.de/
IP82.165.95.226
ASNAS8560 1&1 Internet AG
Location Germany
Report completed2014-06-03 19:42:06 CET
StatusReport complete.
urlQuery Alerts No alerts detected

Settings

UserAgentMozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
Refererhttp://www.google.com/url?q=ponmocup+finder
Pool
Access Levelpublic

Intrusion Detection Systems

Snort /w Sourcefire VRT No alerts detected
Suricata /w Emerging Threats Pro No alerts detected

Blacklists

DNS-BH / malwaredomains.com No alerts detected
PhishTank / phishtank.com No alerts detected
Spamhaus DBL / spamhaus.org No alerts detected

Files Captured

Suricata IDS No files captured

And also VirusTotal doesn't have any malware or malicious activity associated with this domain:

https://www.virustotal.com/en/domain/www.bad-saulgau.de/information/
(none)


https://www.virustotal.com/en/url/c6ef57b6a1eee4ec6dacb3cea61541137d6cd5da8daec570c8444db63fc08e1d/analysis/1401828323/

URL: http://www.bad-saulgau.de/
Detection ratio: 0 / 52
Analysis date: 2014-06-03 20:45:23 UTC ( 0 minutes ago )


I wonder who will be the "first" to detect these .htaccess infections... anyone? No? OK then...

If you're not familiar with the Ponmocup malware / botnet yet, my previous post may be a good starting point linking all together.

Yours truly,

Ponmocup Hunter :-)