Post on 11-Apr-2017
© Fidelis Cybersecurity. All rights reserved.
Deductive Reasoning: File Analysis Techniques
BsidesDC October 2015
Product Demo
Get comfortable: Over the next 2 hours we will take a step by step walk in great detail through the entire Fidelis Cybersecurity product line.
You can expect:
1. Graphs on the current APT threatscape
2. Diagrams of best deployment practices
3. Kill Chain optimization of your current infrastructure for synergy
4. Pricing and Availability.
Introduction
John Laycock:
• B.S. Mechanical Engineering from Northern Illinois University
• Cognitech/Ocean Systems Forensic Video Analyst
• Government Contractor
  - DC3 – DCFL Forensic Examiner/DCISE/NCIJTF
• General Dynamics/Fidelis Commercial Forensics Team
• Fidelis Threat Research Team
John Laycock, Systems, Threat Research
Email: john.laycock@fidelissecurity.com
Introduction
Chris Rogers
• Army Intel Sigint / Humint
• Government Contractor
  - Department of State
  - NIPC
  - US CERT
  - DC3 Forensic Examiner / Intrusions
• Bank of America
Chris Rogers, Senior Analyst, Threat Research
Email: Chris.Rogers@fidelissecurity.com
Deductive Reasoning
“There is a strong family resemblance about misdeeds, and if you have all the details of a thousand at your finger ends, it is odd if you can't unravel the thousand and first.”
-Sir Arthur Conan Doyle The Sign of Four
Deductive Reasoning
“There is a strong family resemblance about malicious files, and if you have all the details of a thousand at your finger ends, it is odd if you can't infer the thousand and first.”
-Sir Arthur Conan Doyle The Sign of Four
Disclaimer
This is an introductory level talk for folks who do not necessarily do malware analysis on a daily basis. Many of the things you are about to see are not what would be considered forensically sound. These are quick, down and dirty tools to help you evaluate whether a file is malicious. Many of the concepts we will be showing you are from a high level view. You can refer to some of the references in the appendix to drill down into these concepts in more detail.
TL;DR: This is an intro to a deep topic. We’re showing some basic concepts that may or may not be forensically sound.
What is Malware?
Variety of evil logic.
Crimeware, Botnets, Ransomware, Hijackers, Keyloggers, Adware, Spyware, Scumware, Rootkits, Trojans, Worms, Viruses, Backdoors
What isn’t Malware?
It is not magic.
The specific what…
Computers are just tools that translate binary instructions into cool stuff, from cat pictures and movies to the latest zombie FPS.
Bad guys and shady marketers take full advantage of the user friendly nature to deploy their collection of bits to your computer.
What’s the vector victor?
• Downloader
• Exploit Kit
• E-mail
• Web
• Portable Media
How is this still a thing?
• User Friendlyitus
• Compatabilibuddy
• Legacy Code
Pwned!
End results are generally the same. System is pwned and attacker profits in some way.
Application in Security & IR
If it looks like malware and smells like malware… it’s probably not the dancing cat screen saver that was advertised.
Application in Security & IR
MAC Times
- General rules of thumb
- How to debunk “Timestomping”, or the secret hidden times
Application in Security & IR
NTFS
Master File Table (MFT) - Information about every file on an NTFS volume is stored in the Master File Table. Information such as Modified, Access, Created (MAC) times for the file are stored here.
Application in Security & IR
NTFS MAC Times
On the surface, all appears well. Let’s take a closer look…
Application in Security & IR
NTFS MAC Times
The $MFT sits in the root directory of the volume as a hidden system file. You can use a tool like FTK Imager Lite to copy this file out for analysis.
Application in Security & IR
NTFS MAC Times
Using MFTDump, you can export a CSV of the $MFT and use Excel to sort through the MAC times looking for anomalies. In this case the Standard Info create time does not match the File Name create time; that mismatch is evidence of time stomping.
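Added example (not code from the talk or from Fidelis): the same comparison done in Python over a CSV export, so it can run across every record instead of being eyeballed in Excel. The column names (si_created, fn_created, ...) and the three rows are constructed for this example and are not MFTDump's real header layout; map them to the two create-time columns of whichever export tool you use. Besides the create-time mismatch from the slide, it also flags $STANDARD_INFORMATION times whose sub-second digits are all zero, a common trace of timestamps written with second granularity.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of an $MFT-to-CSV export. The column names are
# this example's own; map them to the equivalent columns of your export tool.
# Record 42 has a $STANDARD_INFORMATION create time that predates the
# $FILE_NAME create time and has no sub-second part: both are timestomping tells.
SAMPLE_CSV = r"""record,path,si_created,si_modified,fn_created,fn_modified
41,\Windows\System32\kernel32.dll,2009-07-14 01:15:39.1234567,2009-07-14 01:15:39.1234567,2009-07-14 01:15:39.1234567,2009-07-14 01:15:39.1234567
42,\Windows\System32\irevil.exe,2009-07-14 01:15:39.0000000,2009-07-14 01:15:39.0000000,2015-10-02 14:22:07.8812314,2015-10-02 14:22:07.8812314
43,\Users\bob\AppData\Local\Temp\setup.tmp,2015-10-02 14:20:11.5521003,2015-10-02 14:20:11.5521003,2015-10-02 14:20:11.5521003,2015-10-02 14:20:11.5521003
"""


def parse_ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS.fffffff'. NTFS keeps 100 ns ticks (7 digits);
    datetime only takes 6, so the last digit is dropped for comparison purposes."""
    base, _, frac = text.strip().partition(".")
    frac = (frac + "000000")[:6]
    return datetime.strptime(f"{base}.{frac}", "%Y-%m-%d %H:%M:%S.%f")


def zero_fraction(text):
    """True when the sub-second digits are all zero (or absent)."""
    _, _, frac = text.strip().partition(".")
    return frac.strip("0") == ""


def find_timestomp_candidates(csv_text):
    """Return (path, [reasons]) for rows whose $SI times look tampered with."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if parse_ts(row["si_created"]) < parse_ts(row["fn_created"]):
            reasons.append("$SI create time is earlier than $FN create time")
        if zero_fraction(row["si_created"]) or zero_fraction(row["si_modified"]):
            reasons.append("$SI timestamp has an all-zero sub-second part")
        if reasons:
            hits.append((row["path"], reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in find_timestomp_candidates(SAMPLE_CSV):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Both checks are clues, not proof: $FN and $SI times can legitimately differ after a file is moved or renamed, and some installers write second-granularity timestamps. Use the output to pick which files to pull for the hashing and entropy checks later in the talk.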
Application in Security & IR
File System Locations
Malicious files can be found anywhere on your system. Sometimes they are visible and sometimes they like to hide. However, there are a number of commonly used directories that you can look through for anything that appears out of the ordinary.
Application in Security & IR
File System Locations
In this case the two irevil files are located under c:\Windows\system32.
Application in Security & IR
File system locations
Some common locations:
C:\
C:\Windows
C:\Windows\System32\
C:\Program Files\<directory>\*
C:\Program Files (x86)\<directory>\*
C:\Documents and Settings\{username}\Local Settings\Temp (XP)
C:\Users\{Username}\AppData\Local\Temp
Application in Security & IR
Registry
Getting malware onto a system is only the first step. The bad guys need to be able to restart their files if the system is rebooted. Persistence is the key to surviving a reboot. This can be accomplished by making entries in the registry.
Application in Security & IR
Registry
To review the registry on your system you can use Regedit.
This shows irevil.exe is set to run on startup.
Application in Security & IR
Finding Registry time stamps
1. Use regedit to export the registry.
2. Save as a text file (the text export records each key's Last Write Time, which the .reg format does not).
3. Open in notepad.
Alternatively you can use FTK Imager to export the registry hive and use a tool like RegRipper.
Application in Security & IR
Common Registry Keys
Try using regedit to look through some of these registry locations:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
Windows 7 64-bit:
[HKLM\software\wow6432node\microsoft\windows\currentversion\run]
Consider using a tool like Autorunsc.exe from Microsoft Sysinternals.
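Added example (not Fidelis code): a parser for the text export produced by the steps above. It lists the values under the autorun keys from the slides together with each key's Last Write Time, and flags entries that start something out of one of the Temp directories listed under File System Locations. The sample export is constructed; its layout (Key Name / Class Name / Last Write Time / Value N / Name / Type / Data) is assumed from regedit's "Text Files" export, and real exports may be UTF-16, so open them with the matching encoding (for example open(path, encoding="utf-16") when the file starts with a byte-order mark) before passing the text to review_autoruns.

```python
# Autorun keys from the talk, plus the Wow6432Node variant for 64-bit Windows 7.
AUTORUN_KEYS = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
AUTORUN_LOWER = {k.lower() for k in AUTORUN_KEYS}
HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# Drop locations from the File System Locations slide; autostarting from here stands out.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\")

# Constructed sample in the shape of regedit's text export (layout assumed, values invented).
SAMPLE_EXPORT = r"""Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Class Name:        <NO CLASS>
Last Write Time:   10/2/2015 - 2:22 PM
Value 0
  Name:            Updater
  Type:            REG_SZ
  Data:            C:\Program Files\Example\updater.exe

Value 1
  Name:            irevil
  Type:            REG_SZ
  Data:            C:\Windows\system32\irevil.exe

Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Class Name:        <NO CLASS>
Last Write Time:   7/14/2009 - 1:15 AM
Value 0
  Name:            ShellState
  Type:            REG_BINARY
  Data:            24 00 00 00

Key Name:          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Class Name:        <NO CLASS>
Last Write Time:   10/2/2015 - 2:25 PM
Value 0
  Name:            cache
  Type:            REG_SZ
  Data:            C:\Users\bob\AppData\Local\Temp\cache.exe
"""


def normalize_key(name):
    """'HKEY_LOCAL_MACHINE\\...' -> 'hklm\\...' so it can be compared with the slide's spelling."""
    hive, _, rest = name.partition("\\")
    return (HIVE_ABBREV.get(hive.upper(), hive.upper()) + "\\" + rest).lower()


def parse_export(text):
    """Walk the export line by line, yielding one dict per value with its key and last write time."""
    entries = []
    key = last_write = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Key Name:"):
            key = line.split(":", 1)[1].strip()
            last_write = name = None
        elif line.startswith("Last Write Time:"):
            last_write = line.split(":", 1)[1].strip()
        elif line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Data:") and key is not None and name is not None:
            data = line.split(":", 1)[1].strip()
            entries.append({"key": key, "last_write": last_write, "name": name, "data": data})
            name = None
    return entries


def review_autoruns(text):
    """Keep only values under the autorun keys and attach triage flags."""
    findings = []
    for entry in parse_export(text):
        if normalize_key(entry["key"]) not in AUTORUN_LOWER:
            continue
        flags = []
        if any(marker in entry["data"].lower() for marker in TEMP_MARKERS):
            flags.append("autostarts from a Temp directory")
        findings.append({**entry, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in review_autoruns(SAMPLE_EXPORT):
        print(f'{f["last_write"]:22s} {f["key"]}\n    {f["name"]} = {f["data"]}  {f["flags"]}')
```

The Last Write Time is the timestamp the slides are after: a Run key last written minutes after a suspicious file's $FN create time ties the registry entry to the drop. Autorunsc covers far more locations; this only covers the keys the talk names.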
Application in Security & IR
Prefetch
The prefetch folder contains a list of commonly run programs on your system to help speed up loading times. These files are stored as .pf files in C:\Windows\Prefetch.
- Date/Time file first executed
- Last time of execution
- Number of times run
Application in Security & IR
Task Scheduler
This can be used to help persist malware on a system and to schedule it to run at various intervals.
Look for SchedLgU.txt, commonly found in C:\Windows\ or C:\Windows\Tasks.
You can also look at HKLM\SOFTWARE\Microsoft\SchedulingAgent.
Application in Security & IR
Task Scheduler
The SchedLgU.txt file is essentially a log file listing the jobs that were scheduled and whether they ran properly.
This is the irevil.job file found under c:\Windows\Tasks.
Heuristics and Tools
Toolkit
• DR Fat
1. The Internet
2. Hex Editor
3. Entropy Analyzer
4. Hashing Tool
5. Analyzer/PE Information Tool
Heuristics and Tools
The Internet
Heuristics and Tools
Hex Editor
Heuristics and Tools
Entropy Analyzer
Shannon Formula:
Patterns and Stuff
What The Freq??
4.18 7.99
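Added example (not the talk's code): the Shannon formula the slide refers to, H = -Σ p(b)·log2 p(b) over the 256 byte values, implemented in Python with a per-block profile, since a packed or encrypted section inside an otherwise normal executable shows up as a run of blocks near 8 rather than in the whole-file figure. The two samples are constructed stand-ins for the two files on the slide (plain text versus pseudo-random bytes); the thresholds in describe() are this example's rule of thumb, not a standard.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """H = -sum(p(b) * log2 p(b)) over the byte values present in data.
    0.0 for a single repeated byte, 8.0 when all 256 values are equally common."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def entropy_profile(data: bytes, block_size: int = 512):
    """Entropy of each fixed-size block, rounded to two places."""
    return [round(shannon_entropy(data[i:i + block_size]), 2)
            for i in range(0, len(data), block_size)]


def describe(h: float) -> str:
    """Rough bands (this example's own): text, native code, packed/encrypted."""
    if h < 5.0:
        return "text / sparse data"
    if h < 7.0:
        return "typical native code and structures"
    return "compressed, packed or encrypted?"


# Constructed samples standing in for the two files on the slide.
TEXT_SAMPLE = (b"This program cannot be run in DOS mode. "
               b"The quick brown fox jumps over the lazy dog. ") * 20
# Deterministic pseudo-random bytes (SHA-256 of a counter) as a stand-in for packed content.
PACKED_SAMPLE = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(128))

if __name__ == "__main__":
    for label, sample in (("text", TEXT_SAMPLE), ("packed", PACKED_SAMPLE)):
        h = shannon_entropy(sample)
        print(f"{label:7s} {h:5.2f}  {describe(h)}  first blocks: {entropy_profile(sample)[:4]}")
```

Compressed resources, embedded certificates and digital images also sit near 8, so a high block is a reason to look at that offset in the hex editor, not a verdict on its own.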
Heuristics and Tools
Hashing Tool
CRC32: 968A8A16
MD5: 31e6002b21c489fbbdb0f88ddc02603e
SHA1: 524584aa63b9cb95b72ab5ae64522a0d48d857b2
SHA256: a326d9b72e6905304de30fa02fd3a087506c99486f5094e8a5c7cc7a5f84e059
Ssdeep: 24576:v2UnOxz4461D69+Twrijj9Ig6sIw7ag38YaXag:v2cIZbuHqsd7agvaV
Authentihash: 53e70adbf1277fe98a4bc7830a173327398b6196dfb9231b53275544e2980f30
Imphash: 884310b1928934402ea6fec1dbd3cf5e
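Added example (not the talk's tool): the four fixed-size hashes from the slide computed with the Python standard library, both for an in-memory buffer and streamed from disk, plus a lookup against a local known-bad list before a sample is submitted anywhere. The one-entry list reuses the MD5 printed on the slide; everything else here is constructed. Ssdeep, Authentihash and Imphash need the ssdeep and pefile libraries and are not reproduced.

```python
import hashlib
import zlib

# The slide's MD5 for the sample file, as a one-entry local "known bad" list.
KNOWN_BAD_MD5 = {"31e6002b21c489fbbdb0f88ddc02603e"}


def hash_bytes(data: bytes) -> dict:
    """CRC32, MD5, SHA1 and SHA256 of an in-memory buffer."""
    return {
        "CRC32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same hashes, streamed in 1 MiB chunks so a large sample need not fit in memory."""
    crc = 0
    digests = {"MD5": hashlib.md5(), "SHA1": hashlib.sha1(), "SHA256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
            for digest in digests.values():
                digest.update(chunk)
    result = {"CRC32": f"{crc & 0xFFFFFFFF:08X}"}
    result.update({name: digest.hexdigest() for name, digest in digests.items()})
    return result


def lookup(hashes: dict, known_bad_md5=KNOWN_BAD_MD5) -> str:
    """Check the MD5 against the local list first; VirusTotal/TotalHash come after."""
    return "known bad" if hashes["MD5"] in known_bad_md5 else "no local match"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        hashes = hash_file(path)
        print(path, lookup(hashes))
        for name, value in hashes.items():
            print(f"  {name:7s} {value}")
```

Record all four: MD5 is what most sharing sites index, SHA256 is the one to keep in your own notes, and CRC32 is only there because older tools still print it.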
Heuristics and Tools
Analyzers
Heuristics and Tools
PE Information tool
Heuristics and Tools
Filenames
• Svvvtxys.exe
• Scvhost.exe
• Explorerer.exe
• БадФиле.exe
• 邪恶的计划 .exe
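Added example (not the talk's code): the filename tells from the list above turned into checks, generalised a little beyond the five names: look-alikes of common Windows process names by edit distance, letters from a non-Latin script, whitespace squeezed in before the extension, long consonant runs with no vowels, and double extensions ending in an executable type. The allowlist of process names and the edit-distance threshold are this example's own choices.

```python
import unicodedata

# Short allowlist of Windows process names that malware likes to imitate (constructed for this example).
KNOWN_GOOD = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
              "winlogon.exe", "services.exe", "smss.exe", "spoolsv.exe"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scripts_used(text: str):
    """Unicode script families of the letters in text, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def analyze_filename(name: str):
    """Return the reasons a name looks off; an empty list means nothing stood out."""
    flags = []
    lower = name.lower()
    stem, dot, ext = lower.rpartition(".")
    if not dot:
        stem, ext = lower, ""

    if stem != stem.strip():
        flags.append("whitespace next to the extension")
    parts = lower.split(".")
    if len(parts) > 2 and parts[-1] in EXEC_EXTS:
        flags.append("double extension ending in an executable type")
    foreign = scripts_used(stem) - {"LATIN"}
    if foreign:
        flags.append("non-Latin script letters: " + ", ".join(sorted(foreign)))
    if lower not in KNOWN_GOOD:
        for good in sorted(KNOWN_GOOD):
            d = edit_distance(stem.strip(), good.rpartition(".")[0])
            if d <= 2:
                flags.append(f"look-alike of {good} (edit distance {d})")
    ascii_letters = [c for c in stem if c.isascii() and c.isalpha()]
    if len(ascii_letters) >= 6 and not set(ascii_letters) & set("aeiou"):
        flags.append("long run of letters with no vowels")
    return flags


if __name__ == "__main__":
    for sample in ("Svvvtxys.exe", "Scvhost.exe", "Explorerer.exe", "БадФиле.exe", "邪恶的计划 .exe"):
        print(sample, "->", analyze_filename(sample) or "nothing unusual")
```

A look-alike name is only a clue: compare it with the file's location (svchost.exe belongs in System32 and nowhere else) and its hash before deciding.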
Heuristics and Tools
Hash
VirusTotal
TotalHash
MD5: 31e6002b21c489fbbdb0f88ddc02603e
Heuristics and Tools
Type
Heuristics and Tools
Size
PDFs <50k
Word Docs > 2MB and only one page of text
PPT >2MB and only two slides
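Added example (not from the talk): the Word-document size rule above as a check, done by opening a .docx as the zip container it is, measuring how much visible text word/document.xml actually carries against the file size, and listing the parts inside. It goes one step past the slide by also reporting whether a vbaProject.bin (macro) part is present. The sample document is built in memory and constructed; the 2 MB limit is the slide's, the text-density floor is this example's own number.

```python
import io
import re
import zipfile

SIZE_LIMIT = 2 * 1024 * 1024      # the slide's rule of thumb for Word documents
MIN_CHARS_PER_MB = 2000           # hypothetical text-density floor, chosen for this example


def inspect_docx(blob: bytes) -> dict:
    """Inventory an OOXML (.docx) container: size, visible text length, parts, macros, flags."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        parts = {info.filename: info.file_size for info in zf.infolist()}
        xml = zf.read("word/document.xml").decode("utf-8", "replace") if "word/document.xml" in parts else ""
    # Visible text lives in <w:t> runs; everything else in document.xml is formatting.
    text = "".join(re.findall(r"<w:t[^>]*>([^<]*)</w:t>", xml))
    size_mb = len(blob) / (1024 * 1024)
    report = {
        "size": len(blob),
        "text_chars": len(text),
        "parts": parts,
        "has_macros": any(name.lower().endswith("vbaproject.bin") for name in parts),
        "flags": [],
    }
    if report["size"] > SIZE_LIMIT and report["text_chars"] < MIN_CHARS_PER_MB * size_mb:
        report["flags"].append("large file with very little text")
    if report["has_macros"]:
        report["flags"].append("contains a VBA project")
    return report


def build_sample_docx(text: str, padding: int) -> bytes:
    """Constructed sample: a minimal .docx-shaped zip with one paragraph and an embedded
    blob of the requested size (ZipFile's default is ZIP_STORED, so the size is predictable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    f"<w:document><w:body><w:p><w:r><w:t>{text}</w:t></w:r></w:p></w:body></w:document>")
        zf.writestr("word/media/image1.bin", b"\x00" * padding)
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample_docx("Invoice attached, see below.", 3 * 1024 * 1024)
    report = inspect_docx(suspicious)
    print(f'{report["size"]} bytes, {report["text_chars"]} chars of text, flags: {report["flags"]}')
    for name, size in report["parts"].items():
        print(f"  {size:>10d}  {name}")
```

The parts listing is the "Breakdown" step in miniature: a one-page letter that carries a multi-megabyte word/media or embeddings part is worth opening in the hex editor at that part's offset.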
Heuristics and Tools
Breakdown
Heuristics and Tools
Time
Heuristics and Tools
Meta
Heuristics and Tools
Entropy
Stuff
• DR Fat
Why dynamics sometimes aren’t
1. Virtual Detection
2. Sandbox Detection
3. Debugger Checking
4. Weird Dependencies
5. Time Checks
6. Missing Components
7. Unusual URL Response during execution
He Laterally just said that
“Laterals work goodly, they is not for every play though.”
-Unnamed ex-Giants receiver
Tales from the field
• Not your average melting point.
• A PNG in the butt.
The world beyond Windows
1. ELF hunting
2. Other stuff
In Conclusion
Static indicators that we talked about are clues.
• Some clues are key indicators
• Some clues are circumstantial
A final fitting Doyle/Holmes quote:
“The more bizarre a thing the less mysterious it proves to be. It is your commonplace, featureless crimes which are really puzzling.”
Appendix
The following are a series of links to references and tools we have found useful. Many are beyond the scope of a short talk but we have included them for future reference.
1. SANS Memory Forensics Poster: http://digital-forensics.sans.org/media/Poster-2015-Memory-Forensics2.pdf
2. SANS Windows Forensic Analysis Poster: http://digital-forensics.sans.org/media/poster-windows-forensics-2015.pdf
3. Fidelis Threat Advisories: http://www.fidelissecurity.com/resources/threat-advisory
4. MFTDump v1.3.0: http://malware-hunters.net/wp-content/downloads/MFTDump_V.1.3.0.zip
5. NTFS Documentation: http://dubeyko.com/development/FileSystems/NTFS/ntfsdoc.pdf
7. Sysinternals - Autorunsc: http://technet.microsoft.com/en-us/sysinternals/bb963902
8. Many ways of malware persistence (that you were always afraid to ask): http://jumpespjump.blogspot.com/2015/05/many-ways-of-malware-persistence-that.html
9. Common Autostart Locations: http://gladiator-antivirus.com/forum/index.php?showtopic=24610
10. FTK Imager Lite: http://accessdata.com/product-download/digital-forensics/ftk-imager-lite-version-3.1.1
11. Suspicious File Locations: http://www.malicious-streams.com/resources/articles/DGMW1_Suspicious_FS_Geography.html
12. Windows Scheduler: http://what-when-how.com/windows-forensic-analysis/file-analysis-windows-forensic-analysis-part-4/
13. Windows Prefetch: http://forensicswiki.org/wiki/Prefetch
14. Notes on Linux/Xor.DDoS: http://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html
15. Time Stomping is for Suckers: http://thedigitalstandard.blogspot.com/2011/02/time-stomping-is-for-suckers.html