DR FAT

© Fidelis Cybersecurity. All rights reserved. Deductive Reasoning: File Analysis Techniques BsidesDC October 2015

Transcript of DR FAT

Page 1: DR FAT

© Fidelis Cybersecurity. All rights reserved.

Deductive Reasoning: File Analysis Techniques

BsidesDC October 2015

Page 2: DR FAT

Product Demo

Get comfortable: Over the next 2 hours we will take a step by step walk in great detail through the entire Fidelis Cybersecurity product line.

You can expect:

1. Graphs on the current APT threatscape

2. Diagrams of best deployment practices

3. Kill Chain optimization of your current infrastructure for synergy

4. Pricing and Availability.

Page 3: DR FAT

Product Demo

Page 4: DR FAT

Introduction

John Laycock:

• B.S. Mechanical Engineering from Northern Illinois University

• Cognitech/Ocean Systems Forensic Video Analyst

• Government Contractor: DC3 – DCFL Forensic Examiner/DCISE/NCIJTF

• General Dynamics/Fidelis Commercial Forensics Team

• Fidelis Threat Research Team

John Laycock, Systems, Threat Research
Email: [email protected]

Page 5: DR FAT

Introduction

Chris Rogers:

• Army Intel Sigint / Humint

• Government Contractor: Department of State; NIPC; US CERT; DC3 Forensic Examiner / Intrusions

• Bank of America

Chris Rogers, Senior Analyst, Threat Research
Email: [email protected]

Page 6: DR FAT

Deductive Reasoning

“There is a strong family resemblance about misdeeds, and if you have all the details of a thousand at your finger ends, it is odd if you can't unravel the thousand and first.”

-Sir Arthur Conan Doyle The Sign of Four

Page 7: DR FAT

Deductive Reasoning

“There is a strong family resemblance about malicious files, and if you have all the details of a thousand at your finger ends, it is odd if you can't infer the thousand and first.”

-Sir Arthur Conan Doyle The Sign of Four

Page 8: DR FAT

Disclaimer

This is an introductory level talk for folks who do not necessarily do malware analysis on a daily basis. Many of the things you are about to see are not what would be considered forensically sound. These are quick, down and dirty tools to help you evaluate whether a file is malicious. Many of the concepts we will be showing you are from a high level view. You can refer to the references in the appendix to drill down into these concepts in more detail.

TL;DR: This is an intro to a deep topic. We’re showing some basic concepts that may or may not be forensically sound.

Page 9: DR FAT

What is Malware?

Variety of evil logic.

Crimeware BOTNET Ransomware Hijackers Keyloggers Adware Spyware Scumware Rootkits

Trojans Worms Viri Backdoors

Page 10: DR FAT

What isn’t Malware?

It is not magic.

Page 11: DR FAT

The specific what…

Computers are just tools that translate binary instructions into cool stuff like cat pictures and movies to the latest Zombie FPS.

Bad guys and shady marketers take full advantage of that user-friendly nature to deploy their collection of bits onto your computer.

Page 12: DR FAT

What’s the vector victor?

• Downloader

• Exploit Kit

• E-mail

• Web

• Portable Media

Page 13: DR FAT

How is this still a thing?

• User Friendlyitus

• Compatabilibuddy

• Legacy Code

Page 14: DR FAT

Pwned!

End results are generally the same: the system is pwned and the attacker profits in some way.

Page 15: DR FAT

Application in Security & IR

If it looks like malware and smells like malware… it’s probably not the dancing cat screen saver that was advertised.

Page 16: DR FAT

Application in Security & IR

MAC Times

- General rules of thumb

- How to debunk “Timestomping”, or the secret hidden times

Page 17: DR FAT

Application in Security & IR

NTFS

Master File Table (MFT) - Information about every file on an NTFS volume is stored in the Master File Table, including the file’s Modified, Accessed, Created (MAC) times.

Page 18: DR FAT

Application in Security & IR

NTFS MAC Times

On the surface, all appears well. Let’s take a closer look…

Page 19: DR FAT

Application in Security & IR

NTFS MAC Times

The $MFT is found in the root directory of the volume and is hidden as a system file. You can use a tool like FTK Imager Lite to copy it out for analysis.

Page 20: DR FAT

Application in Security & IR

NTFS MAC Times

Using MFTDump, you can export the $MFT to a CSV and use Excel to sort through the MAC times looking for anomalies. In this case the Standard Info ($STANDARD_INFORMATION) create time does not match the File Name ($FILE_NAME) create time; this is evidence of time stomping.
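A worked version of that comparison, added here as an example rather than taken from the slides or from MFTDump: it reads an MFT CSV export (the column names std_crtime, std_mtime, fn_crtime, fn_mtime and the timestamp format are assumptions; map them to whatever your parser writes), flags records whose $STANDARD_INFORMATION creation time precedes the $FILE_NAME creation time, and separately flags $SI timestamps with a zeroed sub-second part, which the common stomping tools leave behind because they set whole seconds. The sample rows are constructed. Treat a hit as a lead to corroborate against the $UsnJrnl, $LogFile and prefetch rather than as proof: backup restores and installers that call SetFileTime produce the same pattern.

```python
"""Timestomp check over an $MFT CSV export: compare the $STANDARD_INFORMATION
timestamps (writable from user mode via SetFileTime) with the $FILE_NAME
timestamps (written only by the kernel)."""
import csv
import io
from datetime import datetime

# Column names are an assumption for this example. Map them to the headers your
# MFT parser (MFTDump, analyzeMFT, ...) actually writes.
COLUMNS = {
    "si_created": "std_crtime",
    "si_modified": "std_mtime",
    "fn_created": "fn_crtime",
    "fn_modified": "fn_mtime",
}
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # assumed export format (100ns truncated to microseconds)

# Constructed sample export (not real MFTDump output). Record 9001 mimics a
# stomped file: its $SI times were pushed back to match the OS files around it
# with the sub-second part zeroed, while $FN still carries the real creation time.
SAMPLE_CSV = """recno,path,std_crtime,std_mtime,fn_crtime,fn_mtime
41,C:\\Windows\\System32\\kernel32.dll,2009-07-14 01:14:27.123456,2009-07-14 01:14:27.123456,2009-07-14 01:14:27.123456,2009-07-14 01:14:27.123456
9001,C:\\Windows\\System32\\irevil.exe,2009-07-14 01:14:27.000000,2009-07-14 01:14:27.000000,2015-10-02 14:33:05.812345,2015-10-02 14:33:05.812345
9002,C:\\Users\\bob\\AppData\\Local\\Temp\\setup.tmp,2015-10-02 14:30:00.551234,2015-10-02 14:31:10.003456,2015-10-02 14:30:00.551234,2015-10-02 14:30:00.551234
"""


def parse_ts(value):
    return datetime.strptime(value, TS_FORMAT)


def check_record(row):
    """Return the list of anomaly tags for one MFT record (empty = nothing odd)."""
    si_created = parse_ts(row[COLUMNS["si_created"]])
    si_modified = parse_ts(row[COLUMNS["si_modified"]])
    fn_created = parse_ts(row[COLUMNS["fn_created"]])
    findings = []
    # A file cannot have existed before its own name was written: $SI created
    # earlier than $FN created is the classic stomp signature.
    if si_created < fn_created:
        findings.append("SI_CREATED_BEFORE_FN_CREATED")
    # NTFS keeps 100ns resolution; tools that set whole seconds leave the
    # fractional part at zero, which almost never happens naturally.
    if si_created.microsecond == 0 and si_modified.microsecond == 0:
        findings.append("SI_SUBSECOND_ZERO")
    return findings


def scan(csv_text):
    """Map path -> anomaly tags for every record that triggered a rule."""
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = check_record(row)
        if findings:
            hits[row["path"]] = findings
    return hits


if __name__ == "__main__":
    for path, tags in scan(SAMPLE_CSV).items():
        print(path, ", ".join(tags))
```

Sorting the export by the $SI-before-$FN column in Excel gives the same view the slide describes; the script just does the comparison for every row at once.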

Page 21: DR FAT

Application in Security & IR

File System Locations

Malicious files can be found anywhere on your system. Sometimes they are visible and sometimes they like to hide. However, there are a number of commonly used directories that you can look through for anything that appears out of the ordinary.

Page 22: DR FAT

Application in Security & IR

File System Locations

In this case the two irevil files are located under c:\Windows\system32.

Page 23: DR FAT

Application in Security & IR

File System Locations

Some common locations:

C:\

C:\Windows

C:\Windows\System32\

C:\Program Files\<directory>\*

C:\Program Files (x86)\<directory>\*

C:\Documents and Settings\{username}\Local Settings\Temp (XP)

C:\Users\{Username}\AppData\Local\Temp

Page 24: DR FAT

Application in Security & IR

Registry

Getting malware onto a system is only the first step. The bad guys need to be able to restart their files if the system is rebooted. Persistence is the key to surviving a reboot. This can be accomplished by making entries in the registry.

Page 25: DR FAT

Application in Security & IR

Registry

To review the registry on your system you can use Regedit.

This shows irevil.exe is set to run on startup.

Page 26: DR FAT

Application in Security & IR

Finding Registry time stamps

Use regedit to export the registry.

Page 27: DR FAT

Application in Security & IR

Finding Registry time stamps

Save as a text file.

Page 28: DR FAT

Application in Security & IR

Finding Registry time stamps

Open in Notepad.

Alternatively, you can use FTK Imager to export the registry hive and use a tool like RegRipper.

Page 29: DR FAT

Application in Security & IR

Common Registry Keys

Page 30: DR FAT

Application in Security & IR

Common Registry Keys

Try using regedit to look through some of these registry locations:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

Page 31: DR FAT

Application in Security & IR

Common Registry Keys

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows 7 64-bit

[HKLM\software\wow6432node\microsoft\windows\currentversion\run]

Consider using a tool like Autorunsc.exe from Microsoft Sysinternals.
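Pages 26 to 31 describe exporting the registry as text, opening it in Notepad and walking the keys above. The script below does that reading, as an added example (not Fidelis code): it parses the Key Name / Last Write Time / Value blocks of regedit's text export (the layout is what I remember that export looking like; adjust the field prefixes if yours differs), keeps only the autostart keys listed on these two slides, and reports each value together with its key's last write time, flagging executables that live under Temp or AppData. The export text, the entries and the dates are constructed.

```python
"""Pull autostart entries and their key Last Write Time out of a regedit text
export (File > Export, save as type "Text Files")."""

# Autostart keys from the slides, normalised to lower case with short hive names.
AUTOSTART_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
    r"hklm\software\microsoft\windows\currentversion\runonceex",
    r"hklm\software\wow6432node\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\runonce",
}

# Constructed sample in the layout I recall regedit's text export using
# (Key Name / Class Name / Last Write Time, then numbered Value blocks).
# Not a real export; entries and dates are made up for the example.
SAMPLE_EXPORT = r"""Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Class Name:        <NO CLASS>
Last Write Time:   10/2/2015 - 2:35 PM
Value 0
  Name:            VMware User Process
  Type:            REG_SZ
  Data:            "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr

Value 1
  Name:            irevil
  Type:            REG_SZ
  Data:            C:\Windows\System32\irevil.exe

Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Class Name:        <NO CLASS>
Last Write Time:   7/14/2009 - 1:14 AM
Value 0
  Name:            IconUnderline
  Type:            REG_DWORD
  Data:            0x3

Key Name:          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Class Name:        <NO CLASS>
Last Write Time:   10/2/2015 - 2:41 PM
Value 0
  Name:            updater
  Type:            REG_SZ
  Data:            C:\Users\bob\AppData\Local\Temp\updater.exe
"""


def normalise_key(name):
    return (name.replace("HKEY_LOCAL_MACHINE", "HKLM")
                .replace("HKEY_CURRENT_USER", "HKCU").lower())


def parse_export(text):
    """Parse the export into [{key, last_write, values: [{name, type, data}]}]."""
    keys, current, value = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Key Name:"):
            current = {"key": line.split(":", 1)[1].strip(), "last_write": None, "values": []}
            keys.append(current)
            value = None
        elif current is None:
            continue
        elif line.startswith("Last Write Time:"):
            current["last_write"] = line.split(":", 1)[1].strip()
        elif line.startswith("Value "):
            value = {"name": None, "type": None, "data": None}
            current["values"].append(value)
        elif value is not None:
            for field in ("Name", "Type", "Data"):
                if line.startswith(field + ":"):
                    value[field.lower()] = line.split(":", 1)[1].strip()
    return keys


def find_autostarts(text):
    """Autostart values with the key's last write time and simple location flags."""
    hits = []
    for key in parse_export(text):
        if normalise_key(key["key"]) not in AUTOSTART_KEYS:
            continue
        for v in key["values"]:
            data = v["data"] or ""
            flags = []
            # Executables launched from the user-writable Temp/AppData directories
            # (see the common file system locations slide) deserve a closer look.
            if "\\temp\\" in data.lower() or "\\appdata\\" in data.lower():
                flags.append("USER_WRITABLE_PATH")
            hits.append({"key": key["key"], "last_write": key["last_write"],
                         "name": v["name"], "data": data, "flags": flags})
    return hits


if __name__ == "__main__":
    for hit in find_autostarts(SAMPLE_EXPORT):
        print(hit["last_write"], hit["key"], hit["name"], hit["data"], hit["flags"])
```

The key's last write time is the clue the slides are after: a Run key rewritten minutes before the incident, while the rest of the hive is years old, is worth lining up against the MFT and prefetch timelines.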

Page 32: DR FAT

Application in Security & IR

Prefetch

The prefetch folder contains a list of commonly run programs on your system to help speed up loading times. These files are stored as .pf files in C:\Windows\Prefetch.

- Date/Time file first executed

- Last time of execution

- Number of times run
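For the three prefetch facts listed (first run, last run, run count), here is an added example parser, not from the slides: it reads the executable name, last-run FILETIME(s) and run counter from the .pf header for format versions 17 (XP/2003), 23 (Vista/7) and 26 (8/8.1). The offsets are what I recall from the public format notes (the forensicswiki page in the appendix); check them against a known-good file before relying on them. First execution is approximated from the .pf file's own creation time on Windows. Windows 10 .pf files are MAM-compressed and must be decompressed first; the parser refuses them. The sample headers are constructed.

```python
"""Read the execution evidence (executable name, last run time(s), run count)
out of a Windows Prefetch (.pf) header."""
import os
import struct
from datetime import datetime, timedelta, timezone

# Field offsets per format version, taken from the public Prefetch format notes
# as I recall them (an assumption: verify against a known-good .pf file).
LAYOUT = {
    17: {"last_run": 0x78, "n_times": 1, "run_count": 0x90},   # XP / 2003
    23: {"last_run": 0x80, "n_times": 1, "run_count": 0x98},   # Vista / 7
    26: {"last_run": 0x80, "n_times": 8, "run_count": 0xD0},   # 8 / 8.1
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("no SCCA signature: not a prefetch file, or a Windows 10 "
                         "MAM-compressed one that must be decompressed first")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    layout = LAYOUT[version]
    file_size = struct.unpack_from("<I", data, 0x0C)[0]
    # Executable name: UTF-16LE, NUL terminated, 60-byte field at 0x10.
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    raw_times = struct.unpack_from(f"<{layout['n_times']}Q", data, layout["last_run"])
    run_count = struct.unpack_from("<I", data, layout["run_count"])[0]
    return {
        "version": version,
        "name": name,
        "hash": f"{pf_hash:08X}",
        "size": file_size,
        "last_runs": [filetime_to_datetime(t) for t in raw_times if t],
        "run_count": run_count,
    }


def parse_prefetch_file(path):
    """Parse a .pf on disk; the file's own creation time approximates first execution."""
    with open(path, "rb") as fh:
        info = parse_prefetch(fh.read())
    # st_ctime is creation time on Windows only; elsewhere it is the inode change time.
    info["first_run_approx"] = datetime.fromtimestamp(os.stat(path).st_ctime, tz=timezone.utc)
    return info


def build_sample(version, exe_name, last_run, run_count):
    """Constructed header for the example (not a real .pf); only the fields read above are filled."""
    buf = bytearray(0x100)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, len(buf))
    encoded = exe_name.encode("utf-16-le")
    buf[0x10:0x10 + len(encoded)] = encoded
    struct.pack_into("<I", buf, 0x4C, 0x1A2B3C4D)          # made-up prefetch hash
    delta = last_run - EPOCH_1601
    ticks = ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10
    struct.pack_into("<Q", buf, LAYOUT[version]["last_run"], ticks)
    struct.pack_into("<I", buf, LAYOUT[version]["run_count"], run_count)
    return bytes(buf)


# Constructed samples used by the demo below.
SAMPLE_PF_WIN7 = build_sample(23, "IREVIL.EXE", datetime(2015, 10, 2, 14, 33, 5, tzinfo=timezone.utc), 7)
SAMPLE_PF_XP = build_sample(17, "CMD.EXE", datetime(2015, 9, 30, 8, 0, 0, tzinfo=timezone.utc), 42)

if __name__ == "__main__":
    for sample in (SAMPLE_PF_WIN7, SAMPLE_PF_XP):
        print(parse_prefetch(sample))
```

On a live system, point parse_prefetch_file at C:\Windows\Prefetch\*.pf; a .pf for a binary that no longer exists on disk, or whose last run sits right at the time of the MFT anomaly, is the kind of clue the slide is pointing at.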

Page 33: DR FAT

Application in Security & IR

Task Scheduler

The Task Scheduler can be used to help persist malware on a system and to run it at various intervals.

Look for SchedLgU.txt, commonly found in C:\Windows or C:\Windows\Tasks.

You can also look at HKLM\SOFTWARE\Microsoft\SchedulingAgent.

Page 34: DR FAT

Application in Security & IR

Task Scheduler

The SchedLgU.txt file is essentially a log file listing the jobs that were scheduled and whether they ran properly.

Page 35: DR FAT

Application in Security & IR

Task Scheduler

This is the irevil.job file found under c:\Windows\Tasks.

Page 36: DR FAT

Heuristics and Tools

Toolkit

Page 37: DR FAT

Heuristics and Tools

Tools

1. The Internet

2. Hex Editor

3. Entropy Analyzer

4. Hashing Tool

5. Analyzer/PE Information Tool

Page 38: DR FAT

Heuristics and Tools

Tools: The Internet


Page 40: DR FAT

Heuristics and Tools

Tools: Hex Editor


Page 42: DR FAT

Heuristics and Tools

Tools: Entropy Analyzer

Page 43: DR FAT

Heuristics and Tools

Tools: Entropy Analyzer

Shannon Formula:

[Figure: byte-frequency plots captioned “Patterns and Stuff” and “What The Freq??”, with example entropy values 4.18 and 7.99]
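The Shannon formula behind that slide is H = -Σ p(x) log2 p(x) over the 256 possible byte values, giving 0 to 8 bits per byte. The block below is an added Python example, not code from the slides: whole-buffer entropy, a windowed profile, and a run-merger that reports which byte ranges sit at or above a threshold, which is how an entropy analyzer points you at the packed or encrypted part of a binary. Values near 4 (the 4.18 on the slide) are typical of text; values near 8 (the 7.99) of compressed, packed or encrypted data. The constructed sample file, the bands in describe() and the 7.0 threshold are my assumptions, not standards.

```python
"""Shannon entropy of a byte buffer, whole and in fixed-size windows, to spot
packed or encrypted regions (the "8.0 is random, about 4 is text" rule)."""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """H = -sum(p(x) * log2 p(x)) over byte values x; ranges 0.0 .. 8.0 bits/byte."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum((c / n) * math.log2(c / n) for c in Counter(data).values()))


def entropy_profile(data, window=1024):
    """Entropy of each consecutive window, in file order."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def high_entropy_regions(data, window=1024, threshold=7.0):
    """Merge consecutive windows at or above threshold into (offset, length) runs."""
    regions = []
    for idx, h in enumerate(entropy_profile(data, window)):
        if h < threshold:
            continue
        offset = idx * window
        length = min(window, len(data) - offset)
        if regions and regions[-1][0] + regions[-1][1] == offset:
            regions[-1] = (regions[-1][0], regions[-1][1] + length)
        else:
            regions.append((offset, length))
    return regions


def describe(h):
    """Rule-of-thumb bands (an assumption, not a standard): tune to your own corpus."""
    if h < 1.0:
        return "padding / zero-filled"
    if h < 5.5:
        return "text or sparse data"
    if h < 7.0:
        return "native code or mixed content"
    return "compressed, packed or encrypted"


def build_sample():
    """Constructed 'file': 4 KiB of text, 4 KiB of seeded pseudo-random bytes
    standing in for a packed section, then 2 KiB of zero padding."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 200)[:4096]
    rng = random.Random(2015)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    return text + packed + bytes(2048)


if __name__ == "__main__":
    sample = build_sample()
    print(f"whole file: {shannon_entropy(sample):.2f}")
    for i, h in enumerate(entropy_profile(sample)):
        print(f"{i * 1024:#08x}  {h:.2f}  {describe(h)}")
    print("high-entropy regions:", high_entropy_regions(sample))
```

Whole-file entropy alone can be misleading: a mostly-plain binary with one packed section averages out to a middling number, which is why the windowed profile is the part worth looking at. Keep the window at 1 KiB or larger; with only 256 bytes even truly random data cannot reach 8.0 because too few of the 256 symbols get sampled.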


Page 45: DR FAT

Heuristics and Tools

Tools: Hashing Tool

CRC32: 968A8A16

MD5: 31e6002b21c489fbbdb0f88ddc02603e

SHA1: 524584aa63b9cb95b72ab5ae64522a0d48d857b2

SHA256: a326d9b72e6905304de30fa02fd3a087506c99486f5094e8a5c7cc7a5f84e059

ssdeep: 24576:v2UnOxz4461D69+Twrijj9Ig6sIw7ag38YaXag:v2cIZbuHqsd7agvaV

Authentihash: 53e70adbf1277fe98a4bc7830a173327398b6196dfb9231b53275544e2980f30

Imphash: 884310b1928934402ea6fec1dbd3cf5e


Page 47: DR FAT

Heuristics and Tools

Tools: Analyzers

Page 48: DR FAT

Heuristics and Tools

Tools: PE Information Tool

Page 49: DR FAT

Heuristics and Tools

Filenames

Page 50: DR FAT

Heuristics and Tools

Filenames

• Svvvtxys.exe

• Scvhost.exe

• Explorerer.exe

• БадФиле.exe

• 邪恶的计划 .exe
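An added filename check, not from the slides, that scores the five names above the way an analyst eyeballs them: edit distance to well-known Windows binaries catches Scvhost and Explorerer, Unicode script names catch the Cyrillic and CJK names, a trailing space before the extension catches the last one, and a no-vowels rule catches Svvvtxys. KNOWN_BINARIES, the distance threshold of 2 and the letter-count cut-off are assumptions; an exact match with a known name is deliberately not a finding on its own, since the directory it sits in (see the file system locations slides) is what decides that.

```python
"""Filename heuristics: near misses of well-known Windows binaries, non-Latin
scripts, whitespace tricks and vowel-free gibberish."""
import os
import unicodedata

# Names worth impersonating. Matching one exactly is not a finding by itself;
# the path then matters (a copy outside System32 is the classic tell).
KNOWN_BINARIES = {
    "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "services.exe",
    "winlogon.exe", "smss.exe", "rundll32.exe", "spoolsv.exe", "taskhost.exe",
}
VOWELS = set("aeiou")


def levenshtein(a, b):
    """Plain edit distance (insert / delete / substitute); fine for short names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_filename(name):
    """Return a list of tags; an empty list means nothing stood out."""
    tags = []
    lower = name.lower()
    stem = os.path.splitext(lower)[0]

    # Close to, but not equal to, a well-known binary name.
    if lower not in KNOWN_BINARIES:
        for known in sorted(KNOWN_BINARIES):
            if levenshtein(lower, known) <= 2:
                tags.append(f"LOOKALIKE_OF:{known}")

    # Script of any non-ASCII characters, e.g. CYRILLIC or CJK (from the Unicode name).
    scripts = {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in stem if ord(ch) > 127}
    for script in sorted(scripts):
        tags.append(f"NON_ASCII:{script}")

    # "evil plan .exe": whitespace before the extension pushes the real type out of view.
    if stem != stem.rstrip():
        tags.append("SPACE_BEFORE_EXTENSION")

    # Right-to-left override (U+202E) makes the displayed extension differ from the real one.
    if "\u202e" in name:
        tags.append("RTL_OVERRIDE")

    # Generated names like Svvvtxys tend to contain no vowels at all.
    ascii_letters = [ch for ch in stem if ch.isascii() and ch.isalpha()]
    if len(ascii_letters) >= 6 and not VOWELS & set(ascii_letters):
        tags.append("NO_VOWELS")
    return tags


SLIDE_EXAMPLES = ["Svvvtxys.exe", "Scvhost.exe", "Explorerer.exe", "БадФиле.exe", "邪恶的计划 .exe"]

if __name__ == "__main__":
    for example in SLIDE_EXAMPLES:
        print(f"{example!r}: {analyze_filename(example)}")
```

Run it over a directory listing of the common locations from the earlier slide and the handful of names it tags are the ones to hash and look up next.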


Page 52: DR FAT

Heuristics and Tools

Hash

Look the hash up in Google, VirusTotal or TotalHash:

MD5: 31e6002b21c489fbbdb0f88ddc02603e


Page 54: DR FAT

Heuristics and Tools

Type


Page 56: DR FAT

Heuristics and Tools

Size

PDFs < 50k

Word docs > 2MB with only one page of text

PPT > 2MB with only two slides
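Pages 45, 52, 54 and 56 cover hashes, hash lookup, type and size. The added example below (not the presenters' tool) computes CRC32, MD5, SHA1 and SHA256 for the lookup step, identifies the type from magic bytes instead of trusting the extension, and applies the three size rules on this slide; ssdeep, imphash and authentihash need extra libraries (ssdeep, pefile) and are left out. The magic table, the extension map and the sample files are constructed assumptions, and page counts for Office files are passed in from whatever viewer you opened them with.

```python
"""First-pass static triage: digests for lookups, type from magic bytes rather
than extension, and the size rules of thumb from the slide."""
import hashlib
import os
import re
import zlib

MAGIC = [  # (prefix, type label); assumption, extend as needed
    (b"MZ", "pe"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                             # also docx/xlsx/pptx (OOXML)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),      # legacy doc/xls/ppt
    (b"\x7fELF", "elf"),
    (b"\x89PNG", "png"),
]
# Which detected types are plausible for which extensions (assumption).
EXPECTED_TYPES = {
    ".exe": {"pe"}, ".dll": {"pe"}, ".scr": {"pe"}, ".pdf": {"pdf"},
    ".doc": {"ole2"}, ".xls": {"ole2"}, ".ppt": {"ole2"},
    ".docx": {"zip"}, ".xlsx": {"zip"}, ".pptx": {"zip"}, ".png": {"png"},
}
TWO_MB = 2 * 1024 * 1024


def hashes(data):
    """The digests from the hashing slide, minus ssdeep/imphash/authentihash."""
    return {
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def detect_type(data):
    for prefix, label in MAGIC:
        if data.startswith(prefix):
            return label
    return "unknown"


def pdf_page_count(data):
    """Rough page count from /Type /Page objects (good enough for the size rule)."""
    return len(re.findall(rb"/Type\s*/Page\b", data))


def size_flags(name, data, page_count=None):
    """Apply the slide's size heuristics plus an extension/type sanity check."""
    kind, size = detect_type(data), len(data)
    ext = os.path.splitext(name.lower())[1]
    flags = []
    if ext in EXPECTED_TYPES and kind not in EXPECTED_TYPES[ext]:
        flags.append(f"EXT_MISMATCH:{ext}!={kind}")
    if kind == "pdf" and size < 50_000:
        flags.append("SMALL_PDF")                       # PDFs < 50k
    if ext in (".doc", ".docx") and size > TWO_MB and (page_count or 0) <= 1:
        flags.append("LARGE_DOC_ONE_PAGE")              # Word > 2MB, one page of text
    if ext in (".ppt", ".pptx") and size > TWO_MB and (page_count or 0) <= 2:
        flags.append("LARGE_PPT_TWO_SLIDES")            # PPT > 2MB, two slides
    return flags


def triage(name, data, page_count=None):
    """Everything the lookup and size slides ask for, in one record."""
    if page_count is None and detect_type(data) == "pdf":
        page_count = pdf_page_count(data)
    return {"name": name, "size": len(data), "type": detect_type(data),
            "pages": page_count, "hashes": hashes(data),
            "flags": size_flags(name, data, page_count)}


# Constructed samples (not real files): a tiny one-page PDF, a bloated one-page
# .docx, a bloated two-slide .pptx, and a PE carrying a .pdf extension.
SAMPLES = {
    "invoice.pdf": (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                    b"2 0 obj << /Type /Pages /Count 1 /Kids [3 0 R] >> endobj\n"
                    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n%%EOF\n"),
    "report.docx": b"PK\x03\x04" + bytes(TWO_MB + 1024),
    "deck.pptx": b"PK\x03\x04" + bytes(TWO_MB + 1),
    "scan.pdf": b"MZ\x90\x00" + bytes(512),
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        result = triage(fname, blob, page_count={"report.docx": 1, "deck.pptx": 2}.get(fname))
        print(fname, result["type"], result["size"], result["hashes"]["md5"], result["flags"])
```

The MD5 and SHA256 here are what you paste into Google, VirusTotal or TotalHash on the next slide; the flags are only prompts to look harder, since a small PDF or a large one-page document is also what a scanned receipt looks like.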


Page 58: DR FAT

Heuristics and Tools

Breakdown

Page 59: DR FAT

Heuristics and Tools

Breakdown


Page 61: DR FAT

Heuristics and Tools

Time


Page 63: DR FAT

Heuristics and Tools

Meta


Page 65: DR FAT

Heuristics and Tools

Entropy


Page 71: DR FAT

Heuristics and Tools

Filenames, Hash, Type, Size, Breakdown, Time, Meta, Entropy

Page 72: DR FAT

Why dynamics sometimes aren’t

1. Virtual Detection

2. Sandbox Detection

3. Debugger Checking

4. Weird Dependencies

5. Time Checks

6. Missing Components

7. Unusual URL Response during execution

Page 73: DR FAT

He Laterally just said that

“Laterals work goodly, they is not for every play though.”

-Unnamed ex-Giants receiver

Page 74: DR FAT

Tales from the field

• Not your average melting point.

• A PNG in the butt.

Page 75: DR FAT

The world beyond Windows

1. ELF hunting

2. Other stuff

Page 76: DR FAT

In Conclusion

Static indicators that we talked about are clues.

• Some clues are key indicators

• Some clues are circumstantial

A final fitting Doyle/Holmes quote:

“The more bizarre a thing the less mysterious it proves to be. It is your commonplace, featureless crimes which are really puzzling.”

Page 77: DR FAT

Appendix

The following are a series of links to references and tools we have found useful. Many are beyond the scope of a short talk but we have included them for future reference.

1. Sans Memory Forensics Poster http://digital-forensics.sans.org/media/Poster-2015-Memory-Forensics2.pdf

2. Sans Windows Forensic Analysis Poster http://digital-forensics.sans.org/media/poster-windows-forensics-2015.pdf

3. Fidelis Threat Advisories http://www.fidelissecurity.com/resources/threat-advisory

4. MFTDUMP v1.3.0 http://malware-hunters.net/wp-content/downloads/MFTDump_V.1.3.0.zip

5. NTFS Documentation http://dubeyko.com/development/FileSystems/NTFS/ntfsdoc.pdf

Page 78: DR FAT

Appendix

7. Sysinternals - Autorunsc http://technet.microsoft.com/en-us/sysinternals/bb963902

8. Many ways of malware persistence (that you were always afraid to ask) http://jumpespjump.blogspot.com/2015/05/many-ways-of-malware-persistence-that.html

9. Common Autostart Locations http://gladiator-antivirus.com/forum/index.php?showtopic=24610

10. FTK Imager Lite http://accessdata.com/product-download/digital-forensics/ftk-imager-lite-version-3.1.1

11. Suspicious File Locations http://www.malicious-streams.com/resources/articles/DGMW1_Suspicious_FS_Geography.html

12. Windows Scheduler http://what-when-how.com/windows-forensic-analysis/file-analysis-windows-forensic-analysis-part-4/

13. Windows Prefetch http://forensicswiki.org/wiki/Prefetch