Tuesday, July 29, 2014

Using Redline for Live Response - Part 1

For once I'll write about something a bit different than before. It's still about Ponmocup malware, or more precise about the Zuponcic Kit for delivery, but more about how to do Live Response and Detection on the host using Redline.

If you're not familiar with the Zuponcic Kit yet, you should read the following posts:
If you're not familiar with Redline, the great free tool from Mandiant, I recommend reading the following:

Redline User Guide (latest version at time of writing v1.12)

You should be familiar with the two distinct phases, collection and analysis, and the difference of a "Redline Collector" (standalone CLI tool for collection) and "Redline", the feature rich GUI application for analysis of collection data.

So, for this blog post I infected a VM via Zuponcic Kit capturing network traffic with Wireshark and doing a Redline collection and analysis afterwards.


PCAP analysis with Wireshark


Here an overview of the DNS and HTTP traffic from the infection:

Some of the most interesting DNS and HTTP requests are:

DNS:

www.niceshop.at: type A, class IN, addr 85.13.129.172
perrugina.sciencehunk.com: type A, class IN, addr 31.210.96.155
mw.prodigymsnteregala.com: type A, class IN, addr 178.33.192.35
fasternation.net: type A, class IN, addr 253.101.238.123
www.sanctionedmedia.com: type CNAME, class IN, cname sanctionedmedia.com
sanctionedmedia.com: type A, class IN, addr 64.210.128.29

HTTP:

Default browser UA:

  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

http://www.google.ch/url?url=http://www.niceshop.at/&rct=j&frm=1&q=&esrc=s&sa=U&ei=eQHDU9acLdP07Aa-oICIAg&ved=0CBQQFjAA&usg=AFQjCNHz4D179x2aXXoTOLfSK_k71qrAlw

http://www.niceshop.at/

http://perrugina.sciencehunk.com/__utm.gif?utmwv=5.3.3&utms=7&utmn=1812125645&utmhn=isroi.com&utmcs=UTF-8&utmsr=800x600&utmvp=783x444&utmsc=24-bit&utmul=en-us&utmje=0&utmfl=10.0%20r22&utmdt=Gambar%20Animasi%20

http://mw.prodigymsnteregala.com/

http://mw.prodigymsnteregala.com/js/java.js

http://mw.prodigymsnteregala.com/ANLxMYn.jar

http://mw.prodigymsnteregala.com/ (POST)
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11
  Content-Length: 90
 
  i=2ZUpfq7G6Ke3q42Ny1c19p61...E78IJH3yVQJZL70k67ZEPHn9kW

Response:
  Content-Type: application/octet-stream
  Content-Length: 957688
  Content-Disposition: attachment; filename="xuqfvb"
  Last-Modified: Sun, 13 Jul 2014 22:01:35 GMT
    Time since request: 9.267738000 seconds

http://93.115.88.220/listing/chn/all.html
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Wrong IE version in UA! (looks like the rest of the UA was left unchanged, except the major version)


Detailed HTTP traffic of the Zuponcic Kit infection and initial C&C:

Request to infected website (malicious .htaccess file) coming from a Google search redirection: (checks for Cookie, Referrer, User-Agent)

Redirection to first stage Zuponcic Kit (checks client IP)

Request to main Zuponcic Kit page:

Request to "java.js" for browser (and Java) fingerprinting:

Malicious JAR downloader signed with stolen certificate:

POST request submitting a long parameter (key?) and receiving a large binary (encrypted) file:

GET request to IP (computed from DNS lookup to "fasternation.net" -- anti-sinkholing technique) sending data as Cookie values and using faked User-Agent:

Screenshots during VM infection

During the infection the user might see some Java warnings (depending on installed Java version and settings), trying to warn him from getting infected.






Using ProcessHacker the malware process shows like this:


Running Redline Collector

The recommended way for running Redline Collector on a host is via USB key. However, if you're not concerned about modification of the host under investigation you can also run Redline Collector remotely by copying it over the network or running it from a mounted share.


I may write more details about how to run Redline Collector remotely over the net in a later blog post. In this post I'd like to focus on the details available from a Redline analysis.

Here is a list of modules and options selected for this collection:



The XML files created during collection can get pretty large, depending on which modules are executed and settings in the script. The registry, event logs and filesystem make the largest part of this collection. However, the 537 MB of raw data nicely compress into a much smaller 33 MB. Compare this to a hard drive image or a memory dump. 






Analysis using Redline

After running Redline Collector on a suspicious or infected host you get lots of data (in XML format) to analyze with Redline, but also using grep and some other bash-fu (on Linux or Cygwin) can be very useful.

Using the timeline function from Redline is very easy and powerful. It lines up any artifacts collected using several timestamps that are selectable.


 


Here are some artifacts from the timeline of this infection.

Google redirection URL


A cookie is set from the infected web server the mark the first visit:


First request to Zuponcic Kit domain:

Request to "java.js" for loading the Java applet:

Prefetch file for "java.exe" created or updated:

Registry key created / updated for Malware domain serving malicious JAR:


Prefetch file for malware TMP file dropped:




Malware EXE file created:




Malware EXE process started:
 

 

Malware EXE process opened port listener:


Registry key with binary data created:


Creating persistence using registry RUN key under HKCU:



Creation of port listeners:



Using Bash-Fu on Redline XML data

Using some bash commands (possibly even using Cygwin on Windows) can be very useful and powerful. Here some examples.

Searching for some network indicators:

$ time egrep -ci "(prodigymsnteregala.com|\/js\/java\.js|ANLxMYn\.jar|qkejZDj\.jar|\/listing\/chn\/all\.html|93\.115\.88\.220)" *.* | egrep -v ":0"
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:4
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:5
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:2

real    0m17.630s
user    0m17.456s
sys     0m0.171s

$ egrep -i "(prodigymsnteregala.com|\/js\/java\.js|ANLxMYn\.jar|qkejZDj\.jar|\/listing\/chn\/all\.html|93\.115\.88\.220)" *.*
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/favicon.ico</SourceURL>
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/</SourceURL>
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/tr.gif</SourceURL>
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/js/java.js</SourceURL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com/favicon.ico</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>:Host: mw.prodigymsnteregala.com</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com</URL>
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:<Path>HKEY_USERS\S-1-5-21-3096987436-3122932343-3109395949-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</Path>
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:<KeyPath>Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</KeyPath>

$ egrep -in -C 10 "prodigymsnteregala.com" w32registryapi.* | egrep -m 1 -A 15 "<RegistryItem " | egrep -m 1 -B 15 "</RegistryItem>"
6674509-<RegistryItem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="FEBFAC4B-E50C-469E-A25A-2C42BE0653BE" created="2014-07-14T01:14:20Z">
        <Username>TOMS-VM-WIN7X64\Tom</Username>
6674510-<SecurityID>S-1-5-21-3096987436-3122932343-3109395949-1000</SecurityID>
6674511:<Path>HKEY_USERS\S-1-5-21-3096987436-3122932343-3109395949-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</Path>
6674512-<Hive>HKEY_USERS\S-1-5-21-3096987436-3122932343-3109395949-1000</Hive>
6674513:<KeyPath>Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</KeyPath>
6674514-<Type>REG_KEY</Type>
6674515-<Modified>2014-07-13T22:01:39Z</Modified>
6674516-<NumSubKeys>0</NumSubKeys>
6674517-<NumValues>0</NumValues>
6674518-</RegistryItem>

Searching for some host indicators (filenames, registry keys):

$ time egrep -ci "(DPNLOBBYG.EXE|483759317.TMP|Egkyxzdcin|7538554d-326909f3|JXZFUV)" *.* | egrep -v ":0"
w32apifiles.8xDv3nsauGodpXnrHsaHqg:8
w32apifiles.issues.6F4XA71eDhdfIujMDqoLCI:1
w32eventlogs.eOZaQVjGh3PdAuYt0LXxMR:8
w32prefetch.biHxIPURFOEdQgUKV9vyvp:12
w32processes-memory.jblWPV86pwBeohXjunTY1h:3
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:20
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:5

real    0m17.755s
user    0m17.565s
sys     0m0.170s

$ egrep -i "(DPNLOBBYG.EXE|483759317.TMP|Egkyxzdcin|7538554d-326909f3|JXZFUV)" w32apifiles.* w32scripting-persistence.*
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Users\Tom\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\7538554d-326909f3</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>7538554d-326909f3</FileName>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Users\Tom\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\7538554d-326909f3.idx</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>7538554d-326909f3.idx</FileName>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Windows\Prefetch\483759317.TMP-EB4905C2.pf</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>483759317.TMP-EB4905C2.pf</FileName>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Windows\Prefetch\DPNLOBBYG.EXE-603267D1.pf</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>DPNLOBBYG.EXE-603267D1.pf</FileName>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<RegText>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</RegText>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<FilePath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FilePath>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<FullPath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FullPath>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<FileName>dpnlobbyg.exe</FileName>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<Text>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</Text>

$ egrep -in -B 10 -A 120 "DPNLOBBYG.EXE" w32scripting-persistence.* | egrep -m 1 -A 100 "<PersistenceItem " | egrep -m 1 -B 100 "</PersistenceItem>"
96-<PersistenceItem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="C10D94E7-43A9-4160-A0EC-2C5BB246697F" created="2014-07-14T01:11:17Z">
   <PersistenceType>registry</PersistenceType>
97-<RegPath>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DLLS</RegPath>
98:<RegText>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</RegText>
99-<RegOwner>NT AUTHORITY\SYSTEM</RegOwner>
100-<RegModified>2014-07-13T22:44:51Z</RegModified>
101:<FilePath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FilePath>
102-<FileOwner>TOMS-VM-WIN7X64\Tom</FileOwner>
103-<FileCreated>2014-07-13T22:01:47Z</FileCreated>
104-<FileModified>2014-07-13T22:01:47Z</FileModified>
105-<FileAccessed>2014-07-13T22:01:47Z</FileAccessed>
106-<FileChanged>2014-07-13T22:01:47Z</FileChanged>
107-<md5sum>105ead6f908f0d8cbab11a0f4408d373</md5sum>
108-<FileItem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="7B6CDDEB-3A25-4568-9D31-AF18EB68C23E" created="2014-07-14T01:11:17Z">
    <DevicePath>\Device\HariskVolume1</DevicePath>
109:<FullPath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FullPath>
110-<Drive>c</Drive>
111-<FilePath>Users\Tom\AppData\Roaming</FilePath>
112:<FileName>dpnlobbyg.exe</FileName>
113-<FileExtension>exe</FileExtension>
114-<SizeInBytes>276992</SizeInBytes>
115-<Created>2014-07-13T22:01:47Z</Created>
116-<Modified>2014-07-13T22:01:47Z</Modified>
117-<Accessed>2014-07-13T22:01:47Z</Accessed>
118-<Changed>2014-07-13T22:01:47Z</Changed>
119-<FileAttributes>ReadOnly Hidden System Archive</FileAttributes>
120-<Username>TOMS-VM-WIN7X64\Tom</Username>
121-<SecurityID>S-1-5-21-3096987436-3122932343-3109395949-1000</SecurityID>
122-<SecurityType>SidTypeUser</SecurityType>
123-<Md5sum>105ead6f908f0d8cbab11a0f4408d373</Md5sum>
124-<PEInfo>
    <Type>Executable</Type>
125-<Subsystem>Windows_GUI</Subsystem>
126-<BaseAddress>4194304</BaseAddress>
127-<PETimeStamp>2012-02-23T05:41:05Z</PETimeStamp>
128-<PEChecksum><PEFileRaw>0</PEFileRaw>
129-<PEFileAPI>0</PEFileAPI>
130-<PEComputedAPI>287748</PEComputedAPI>
131-</PEChecksum>
132-<ExtraneousBytes>229376</ExtraneousBytes>
133-<DetectedAnomalies><string>checksum_is_zero</string>
134-<string>contains_eof_data</string>
135-</DetectedAnomalies>
136-<Sections>
    <NumberOfSections>3</NumberOfSections>
137-<ActualNumberOfSections>3</ActualNumberOfSections>
138-<Section><Name>.text</Name>
139-<Type>None</Type>
140-<SizeInBytes>43008</SizeInBytes>
141-<DetectedCharacteristics>Read Execute Code</DetectedCharacteristics>
142-<Entropy AverageValue="0.77262239772402574"/>
143-</Section>
144-<Section><Name>.rsrc</Name>
145-<Type>None</Type>
146-<SizeInBytes>3584</SizeInBytes>
147-<DetectedCharacteristics>Read</DetectedCharacteristics>
148-<Entropy AverageValue="0.54873274859376076"/>
149-</Section>
150-<Section><Name>.reloc</Name>
151-<Type>None</Type>
152-<SizeInBytes>512</SizeInBytes>
153-<DetectedCharacteristics>Read</DetectedCharacteristics>
154-<Entropy AverageValue="0.048149053317863157"/>
155-</Section>
156-</Sections>
157-</PEInfo>
158-<PeakEntropy>0.77262239772402574</PeakEntropy>
159-<PeakCodeEntropy>0.77262239772402574</PeakCodeEntropy>
160-</FileItem>
161-<RegistryItem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="91340226-5657-48BB-9DAB-44F07BFD14BD" created="2014-07-14T01:11:17Z">
    <KeyPath>Microsoft\ndows\CurrentVersion\Run\</KeyPath>
162-<Type>REG_SZ</Type>
163-<Modified>2014-07-13T22:44:51Z</Modified>
164-<ValueName>DLLS</ValueName>
165-<Username>NT AUTHORITY\SYSTEM</Username>
166:<Text>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</Text>
167-<ReportedLengthInBytes>86</ReportedLengthInBytes>
168-<Hive>HKEY_CURRENT_USER\Software</Hive>
169-<Path>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DLLS</Path>
170-<SecurityID>S-1-5-18</SecurityID>
171-</RegistryItem>
172-</PersistenceItem>

Looking at the raw XML usually should help with creating IOC's later.

Conclusion

Mandiant's Redline software is free to download and use. I find it amazing how much details can be found by analyzing a host with Redline and how easy it is to create a timeline for analysis.

Redline can combine disk and memory artifacts in a timeline, showing processes created and ports opened in time relation to files and registry keys created.

I think Redline is much more useful than what it costs! :-)

Are you using Redline yet and have some feedback or suggestions? I'd love to hear it...

In the next post I plan to show how to create IOC's from this analysis and how to check for IOC matches on a host. Stay tuned...

Cheers,
@c_APT_ure