Tuesday, July 29, 2014

Using Redline for Live Response - Part 1

For once I'll write about something a bit different than before. It's still about Ponmocup malware, or more precisely about the Zuponcic Kit used for delivery, but the focus is on how to do Live Response and detection on the host using Redline.

If you're not familiar with the Zuponcic Kit yet, you should read the following posts:
If you're not familiar with Redline, the great free tool from Mandiant, I recommend reading the following:

Redline User Guide (latest version at time of writing v1.12)

You should be familiar with the two distinct phases, collection and analysis, and with the difference between a "Redline Collector" (standalone CLI tool for collection) and "Redline", the feature-rich GUI application for analyzing the collected data.

So, for this blog post I infected a VM via the Zuponcic Kit while capturing the network traffic with Wireshark, and then ran a Redline collection and analysis afterwards.


PCAP analysis with Wireshark


Here is an overview of the DNS and HTTP traffic from the infection:

Some of the most interesting DNS and HTTP requests are:

DNS:

www.niceshop.at: type A, class IN, addr 85.13.129.172
perrugina.sciencehunk.com: type A, class IN, addr 31.210.96.155
mw.prodigymsnteregala.com: type A, class IN, addr 178.33.192.35
fasternation.net: type A, class IN, addr 253.101.238.123
www.sanctionedmedia.com: type CNAME, class IN, cname sanctionedmedia.com
sanctionedmedia.com: type A, class IN, addr 64.210.128.29

HTTP:

Default browser UA:

  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

http://www.google.ch/url?url=http://www.niceshop.at/&rct=j&frm=1&q=&esrc=s&sa=U&ei=eQHDU9acLdP07Aa-oICIAg&ved=0CBQQFjAA&usg=AFQjCNHz4D179x2aXXoTOLfSK_k71qrAlw

http://www.niceshop.at/

http://perrugina.sciencehunk.com/__utm.gif?utmwv=5.3.3&utms=7&utmn=1812125645&utmhn=isroi.com&utmcs=UTF-8&utmsr=800x600&utmvp=783x444&utmsc=24-bit&utmul=en-us&utmje=0&utmfl=10.0%20r22&utmdt=Gambar%20Animasi%20

http://mw.prodigymsnteregala.com/

http://mw.prodigymsnteregala.com/js/java.js

http://mw.prodigymsnteregala.com/ANLxMYn.jar

http://mw.prodigymsnteregala.com/ (POST)
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11
  Content-Length: 90
 
  i=2ZUpfq7G6Ke3q42Ny1c19p61...E78IJH3yVQJZL70k67ZEPHn9kW

Response:
  Content-Type: application/octet-stream
  Content-Length: 957688
  Content-Disposition: attachment; filename="xuqfvb"
  Last-Modified: Sun, 13 Jul 2014 22:01:35 GMT
    Time since request: 9.267738000 seconds

http://93.115.88.220/listing/chn/all.html
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Note the wrong IE version in the UA: the rest of the browser's UA string was apparently copied unchanged, only the major version differs (MSIE 7.0 here versus MSIE 8.0 in the real browser's UA above).


Detailed HTTP traffic of the Zuponcic Kit infection and initial C&C:

Request to infected website (malicious .htaccess file) coming from a Google search redirection: (checks for Cookie, Referrer, User-Agent)

Redirection to first stage Zuponcic Kit (checks client IP)

Request to main Zuponcic Kit page:

Request to "java.js" for browser (and Java) fingerprinting:

Malicious JAR downloader signed with stolen certificate:

POST request submitting a long parameter (key?) and receiving a large binary (encrypted) file:

GET request to a bare IP address (derived from the DNS lookup of "fasternation.net" -- an anti-sinkholing technique), sending data as Cookie values and using a faked User-Agent:
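The checks described above can be turned into simple detection logic. The following Python is an added example, not code from the original post: it runs three heuristics over constructed DNS and HTTP records modelled on the capture (the record layout, the client address 10.0.0.5 and the shortened UA strings are assumptions). It flags an A record whose answer is not a routable public address (the "fasternation.net" lookup), a client that presents two different MSIE major versions, and a POST sent with the Java runtime UA or a request whose Host is a bare IP.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample records modelled on the capture discussed above; not a
# real PCAP. DNS: (client, query name, A record answer).
DNS_RECORDS = [
    ("10.0.0.5", "www.niceshop.at", "85.13.129.172"),
    ("10.0.0.5", "mw.prodigymsnteregala.com", "178.33.192.35"),
    ("10.0.0.5", "fasternation.net", "253.101.238.123"),
]

# HTTP: (client, method, Host header, User-Agent). UA strings are shortened.
HTTP_RECORDS = [
    ("10.0.0.5", "GET", "www.niceshop.at",
     "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)"),
    ("10.0.0.5", "GET", "mw.prodigymsnteregala.com",
     "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)"),
    ("10.0.0.5", "POST", "mw.prodigymsnteregala.com",
     "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11"),
    ("10.0.0.5", "GET", "93.115.88.220",
     "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0)"),
]

MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")


def unroutable_dns_answers(records):
    """A records whose answer is not a routable public address (reserved,
    private, loopback, multicast ...). A name that 'resolves' to such an
    address is not meant to be connected to; the answer is being used as
    data, which is what the fasternation.net lookup does."""
    return [(client, qname, answer)
            for client, qname, answer in records
            if not ipaddress.ip_address(answer).is_global]


def inconsistent_ie_versions(records):
    """Clients that claim more than one MSIE major version. Two browsers on
    one host is possible, but a UA copied from the real browser with only
    the version edited (as seen above) shows up the same way."""
    seen = defaultdict(set)
    for client, _method, _host, ua in records:
        match = MSIE_RE.search(ua)
        if match:
            seen[client].add(int(match.group(1)))
    return {client: sorted(v) for client, v in seen.items() if len(v) > 1}


def java_posts_and_ip_hosts(records):
    """Two further weak indicators from the capture: a POST sent by the Java
    runtime UA (the JAR fetching its payload) and a request whose Host is a
    bare IP address rather than a name."""
    hits = []
    for client, method, host, ua in records:
        if method == "POST" and "Java/" in ua:
            hits.append(("java-post", client, host))
        try:
            ipaddress.ip_address(host)
            hits.append(("bare-ip-host", client, host))
        except ValueError:
            pass  # Host is a hostname, not an address
    return hits


if __name__ == "__main__":
    for hit in unroutable_dns_answers(DNS_RECORDS):
        print("unroutable DNS answer:", hit)
    for client, versions in inconsistent_ie_versions(HTTP_RECORDS).items():
        print("mixed MSIE versions:", client, versions)
    for hit in java_posts_and_ip_hosts(HTTP_RECORDS):
        print("weak indicator:", hit)
```

None of these three checks is strong on its own (proxies, multiple browsers and legitimate bare-IP requests all exist); their value is that the same client trips all of them within a few seconds, which is the pattern worth alerting on.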

Screenshots during VM infection

During the infection the user might see some Java warnings (depending on the installed Java version and settings) that try to warn him before he gets infected.

In ProcessHacker the malware process looks like this:


Running Redline Collector

The recommended way for running Redline Collector on a host is via USB key. However, if you're not concerned about modification of the host under investigation you can also run Redline Collector remotely by copying it over the network or running it from a mounted share.


I may write more details about how to run Redline Collector remotely over the net in a later blog post. In this post I'd like to focus on the details available from a Redline analysis.

Here is a list of modules and options selected for this collection:



The XML files created during collection can get pretty large, depending on which modules are executed and on the settings in the script. The registry, event logs and filesystem make up the largest part of this collection. However, the 537 MB of raw data compress nicely into a much smaller 33 MB. Compare this to a hard drive image or a memory dump.


Analysis using Redline

After running Redline Collector on a suspicious or infected host you get lots of data (in XML format) to analyze with Redline, but grep and some other bash-fu (on Linux or Cygwin) can also be very useful.

The timeline function in Redline is very easy to use and powerful. It lines up all collected artifacts by their timestamps, and you can select which kinds of timestamps (created, modified, accessed, and so on) are shown.


Here are some artifacts from the timeline of this infection.

Google redirection URL


A cookie is set by the infected web server to mark the first visit:


First request to Zuponcic Kit domain:

Request to "java.js" for loading the Java applet:

Prefetch file for "java.exe" created or updated:

Registry key created / updated for Malware domain serving malicious JAR:


Prefetch file for malware TMP file dropped:




Malware EXE file created:




Malware EXE process started:
Malware EXE process opened port listener:


Registry key with binary data created:


Creating persistence using registry RUN key under HKCU:



Creation of port listeners:



Using Bash-Fu on Redline XML data

Using some bash commands (possibly even via Cygwin on Windows) can be very useful and powerful. Here are some examples.

Searching for some network indicators:

$ time egrep -ci "(prodigymsnteregala.com|\/js\/java\.js|ANLxMYn\.jar|qkejZDj\.jar|\/listing\/chn\/all\.html|93\.115\.88\.220)" *.* | egrep -v ":0"
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:4
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:5
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:2

real    0m17.630s
user    0m17.456s
sys     0m0.171s

$ egrep -i "(prodigymsnteregala.com|\/js\/java\.js|ANLxMYn\.jar|qkejZDj\.jar|\/listing\/chn\/all\.html|93\.115\.88\.220)" *.*
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/favicon.ico</SourceURL>
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/</SourceURL>
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/tr.gif</SourceURL>
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/js/java.js</SourceURL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com/favicon.ico</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>:Host: mw.prodigymsnteregala.com</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com</URL>
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:<Path>HKEY_USERS\S-1-5-21-3096987436-3122932343-3109395949-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</Path>
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:<KeyPath>Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</KeyPath>

$ egrep -in -C 10 "prodigymsnteregala.com" w32registryapi.* | egrep -m 1 -A 15 "<RegistryItem " | egrep -m 1 -B 15 "</RegistryItem>"
6674509-<RegistryItem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="FEBFAC4B-E50C-469E-A25A-2C42BE0653BE" created="2014-07-14T01:14:20Z"><Username>TOMS-VM-WIN7X64\Tom</Username>
6674510-<SecurityID>S-1-5-21-3096987436-3122932343-3109395949-1000</SecurityID>
6674511:<Path>HKEY_USERS\S-1-5-21-3096987436-3122932343-3109395949-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</Path>
6674512-<Hive>HKEY_USERS\S-1-5-21-3096987436-3122932343-3109395949-1000</Hive>
6674513:<KeyPath>Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</KeyPath>
6674514-<Type>REG_KEY</Type>
6674515-<Modified>2014-07-13T22:01:39Z</Modified>
6674516-<NumSubKeys>0</NumSubKeys>
6674517-<NumValues>0</NumValues>
6674518-</RegistryItem>

Searching for some host indicators (filenames, registry keys):

$ time egrep -ci "(DPNLOBBYG.EXE|483759317.TMP|Egkyxzdcin|7538554d-326909f3|JXZFUV)" *.* | egrep -v ":0"
w32apifiles.8xDv3nsauGodpXnrHsaHqg:8
w32apifiles.issues.6F4XA71eDhdfIujMDqoLCI:1
w32eventlogs.eOZaQVjGh3PdAuYt0LXxMR:8
w32prefetch.biHxIPURFOEdQgUKV9vyvp:12
w32processes-memory.jblWPV86pwBeohXjunTY1h:3
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:20
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:5

real    0m17.755s
user    0m17.565s
sys     0m0.170s

$ egrep -i "(DPNLOBBYG.EXE|483759317.TMP|Egkyxzdcin|7538554d-326909f3|JXZFUV)" w32apifiles.* w32scripting-persistence.*
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Users\Tom\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\7538554d-326909f3</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>7538554d-326909f3</FileName>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Users\Tom\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\7538554d-326909f3.idx</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>7538554d-326909f3.idx</FileName>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Windows\Prefetch\483759317.TMP-EB4905C2.pf</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>483759317.TMP-EB4905C2.pf</FileName>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Windows\Prefetch\DPNLOBBYG.EXE-603267D1.pf</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>DPNLOBBYG.EXE-603267D1.pf</FileName>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<RegText>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</RegText>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<FilePath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FilePath>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<FullPath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FullPath>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<FileName>dpnlobbyg.exe</FileName>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<Text>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</Text>

$ egrep -in -B 10 -A 120 "DPNLOBBYG.EXE" w32scripting-persistence.* | egrep -m 1 -A 100 "<PersistenceItem " | egrep -m 1 -B 100 "</PersistenceItem>"
96-<PersistenceItem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="C10D94E7-43A9-4160-A0EC-2C5BB246697F" created="2014-07-14T01:11:17Z"><PersistenceType>registry</PersistenceType>
97-<RegPath>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DLLS</RegPath>
98:<RegText>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</RegText>
99-<RegOwner>NT AUTHORITY\SYSTEM</RegOwner>
100-<RegModified>2014-07-13T22:44:51Z</RegModified>
101:<FilePath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FilePath>
102-<FileOwner>TOMS-VM-WIN7X64\Tom</FileOwner>
103-<FileCreated>2014-07-13T22:01:47Z</FileCreated>
104-<FileModified>2014-07-13T22:01:47Z</FileModified>
105-<FileAccessed>2014-07-13T22:01:47Z</FileAccessed>
106-<FileChanged>2014-07-13T22:01:47Z</FileChanged>
107-<md5sum>105ead6f908f0d8cbab11a0f4408d373</md5sum>
108-<FileItem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="7B6CDDEB-3A25-4568-9D31-AF18EB68C23E" created="2014-07-14T01:11:17Z"><DevicePath>\Device\HarddiskVolume1</DevicePath>
109:<FullPath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FullPath>
110-<Drive>c</Drive>
111-<FilePath>Users\Tom\AppData\Roaming</FilePath>
112:<FileName>dpnlobbyg.exe</FileName>
113-<FileExtension>exe</FileExtension>
114-<SizeInBytes>276992</SizeInBytes>
115-<Created>2014-07-13T22:01:47Z</Created>
116-<Modified>2014-07-13T22:01:47Z</Modified>
117-<Accessed>2014-07-13T22:01:47Z</Accessed>
118-<Changed>2014-07-13T22:01:47Z</Changed>
119-<FileAttributes>ReadOnly Hidden System Archive</FileAttributes>
120-<Username>TOMS-VM-WIN7X64\Tom</Username>
121-<SecurityID>S-1-5-21-3096987436-3122932343-3109395949-1000</SecurityID>
122-<SecurityType>SidTypeUser</SecurityType>
123-<Md5sum>105ead6f908f0d8cbab11a0f4408d373</Md5sum>
124-<PEInfo><Type>Executable</Type>
125-<Subsystem>Windows_GUI</Subsystem>
126-<BaseAddress>4194304</BaseAddress>
127-<PETimeStamp>2012-02-23T05:41:05Z</PETimeStamp>
128-<PEChecksum><PEFileRaw>0</PEFileRaw>
129-<PEFileAPI>0</PEFileAPI>
130-<PEComputedAPI>287748</PEComputedAPI>
131-</PEChecksum>
132-<ExtraneousBytes>229376</ExtraneousBytes>
133-<DetectedAnomalies><string>checksum_is_zero</string>
134-<string>contains_eof_data</string>
135-</DetectedAnomalies>
136-<Sections><NumberOfSections>3</NumberOfSections>
137-<ActualNumberOfSections>3</ActualNumberOfSections>
138-<Section><Name>.text</Name>
139-<Type>None</Type>
140-<SizeInBytes>43008</SizeInBytes>
141-<DetectedCharacteristics>Read Execute Code</DetectedCharacteristics>
142-<Entropy AverageValue="0.77262239772402574"/>
143-</Section>
144-<Section><Name>.rsrc</Name>
145-<Type>None</Type>
146-<SizeInBytes>3584</SizeInBytes>
147-<DetectedCharacteristics>Read</DetectedCharacteristics>
148-<Entropy AverageValue="0.54873274859376076"/>
149-</Section>
150-<Section><Name>.reloc</Name>
151-<Type>None</Type>
152-<SizeInBytes>512</SizeInBytes>
153-<DetectedCharacteristics>Read</DetectedCharacteristics>
154-<Entropy AverageValue="0.048149053317863157"/>
155-</Section>
156-</Sections>
157-</PEInfo>
158-<PeakEntropy>0.77262239772402574</PeakEntropy>
159-<PeakCodeEntropy>0.77262239772402574</PeakCodeEntropy>
160-</FileItem>
161-<RegistryItem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="91340226-5657-48BB-9DAB-44F07BFD14BD" created="2014-07-14T01:11:17Z"><KeyPath>Microsoft\Windows\CurrentVersion\Run\</KeyPath>
162-<Type>REG_SZ</Type>
163-<Modified>2014-07-13T22:44:51Z</Modified>
164-<ValueName>DLLS</ValueName>
165-<Username>NT AUTHORITY\SYSTEM</Username>
166:<Text>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</Text>
167-<ReportedLengthInBytes>86</ReportedLengthInBytes>
168-<Hive>HKEY_CURRENT_USER\Software</Hive>
169-<Path>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DLLS</Path>
170-<SecurityID>S-1-5-18</SecurityID>
171-</RegistryItem>
172-</PersistenceItem>

Looking at the raw XML like this usually helps when creating IOCs later.
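Besides grep, the audit XML can be parsed directly, which is what the Redline timeline above does with its selectable timestamps and what the egrep searches do line by line. The following Python is an added example and not code from this post or from Mandiant: it streams the top-level items of a Redline-style XML file with ElementTree's iterparse (so a file of several hundred MB is never loaded whole), builds a timeline from the timestamp fields of FileItem, RegistryItem and PersistenceItem records, and runs a case-insensitive indicator search per item instead of per line. The embedded sample is constructed from the records shown above; its <itemList> root, the FileItem uid and its Created time are assumptions, and real audit files carry many more fields than this.

```python
import re
import xml.etree.ElementTree as ET
from io import BytesIO

# Constructed sample modelled on the PersistenceItem, RegistryItem and
# FileItem records above. The <itemList> root name, the FileItem uid and its
# Created timestamp are assumptions; real Redline audit files have many more fields.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<itemList>
<PersistenceItem uid="C10D94E7-43A9-4160-A0EC-2C5BB246697F" created="2014-07-14T01:11:17Z">
  <PersistenceType>registry</PersistenceType>
  <RegPath>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DLLS</RegPath>
  <RegText>C:\\Users\\Tom\\AppData\\Roaming\\dpnlobbyg.exe</RegText>
  <RegModified>2014-07-13T22:44:51Z</RegModified>
  <FilePath>c:\\Users\\Tom\\AppData\\Roaming\\dpnlobbyg.exe</FilePath>
  <FileCreated>2014-07-13T22:01:47Z</FileCreated>
  <md5sum>105ead6f908f0d8cbab11a0f4408d373</md5sum>
</PersistenceItem>
<RegistryItem uid="FEBFAC4B-E50C-469E-A25A-2C42BE0653BE" created="2014-07-14T01:14:20Z">
  <Path>HKEY_USERS\\S-1-5-21-3096987436-3122932343-3109395949-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\\iexplore\\AllowedDomains\\prodigymsnteregala.com</Path>
  <Type>REG_KEY</Type>
  <Modified>2014-07-13T22:01:39Z</Modified>
</RegistryItem>
<FileItem uid="00000000-0000-0000-0000-000000000000" created="2014-07-14T01:11:17Z">
  <FullPath>C:\\Windows\\Prefetch\\DPNLOBBYG.EXE-603267D1.pf</FullPath>
  <Created>2014-07-13T22:01:50Z</Created>
</FileItem>
</itemList>
"""

# Timestamp fields per item type that belong on the timeline.
TIME_FIELDS = {
    "FileItem": ("Created", "Modified", "Accessed", "Changed"),
    "RegistryItem": ("Modified",),
    "PersistenceItem": ("FileCreated", "FileModified", "RegModified"),
}
# Fields that give a readable label for a timeline row, in priority order.
LABEL_FIELDS = ("FullPath", "Path", "RegText", "Text", "FilePath")


def sample_source():
    """File-like object over the constructed sample (use open(path, 'rb') for a real audit file)."""
    return BytesIO(SAMPLE_XML)


def iter_items(source):
    """Stream the top-level audit items without building the whole tree."""
    depth = 0
    for event, elem in ET.iterparse(source, events=("start", "end")):
        if event == "start":
            depth += 1
            continue
        depth -= 1
        if depth == 1 and elem.tag in TIME_FIELDS:  # a direct child of the root
            yield elem
            elem.clear()  # release the item's subtree once the caller is done with it


def timeline(source):
    """(timestamp, item type, timestamp field, label) rows sorted by time."""
    rows = []
    for item in iter_items(source):
        label = next((item.findtext(f) for f in LABEL_FIELDS if item.findtext(f)), "")
        for field in TIME_FIELDS[item.tag]:
            stamp = item.findtext(field)
            if stamp:
                rows.append((stamp, item.tag, field, label))
    return sorted(rows)  # ISO-8601 'Z' timestamps sort correctly as strings


def grep_items(source, indicators):
    """Case-insensitive indicator search over every text node of every item;
    like `egrep -ci` above, but it returns whole items rather than lines."""
    pattern = re.compile("|".join(re.escape(i) for i in indicators), re.IGNORECASE)
    return [(item.tag, item.get("uid"))
            for item in iter_items(source)
            if any(pattern.search(text) for text in item.itertext())]


if __name__ == "__main__":
    for stamp, kind, field, label in timeline(sample_source()):
        print(stamp, kind, field, label)
    print(grep_items(sample_source(), ["DPNLOBBYG.EXE", "prodigymsnteregala.com"]))
```

Returning whole items rather than matching lines is the point: a hit on "dpnlobbyg.exe" in the persistence audit comes back together with its RegPath, timestamps and md5sum, which is exactly the context an IOC needs.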

Conclusion

Mandiant's Redline software is free to download and use. I find it amazing how much detail can be found by analyzing a host with Redline and how easy it is to create a timeline for analysis.

Redline can combine disk and memory artifacts in a timeline, showing processes created and ports opened in time relation to files and registry keys created.

I think Redline is much more useful than what it costs! :-)

Are you using Redline yet and have some feedback or suggestions? I'd love to hear it...

In the next post I plan to show how to create IOC's from this analysis and how to check for IOC matches on a host. Stay tuned...

Cheers,
@c_APT_ure

6 comments:

  1. Please do a follow-up on this article on how to run Redline collector remotely. I have tried and had issues with running it from a mapped network drive so it would be very interesting to see how you go about it. Best regards, Jan.

  2. Hi Jan, thanks for the feedback, glad to hear there is some interest in this. I try to work on the follow-up post(s) as soon as I find some time. Maybe I'll publish some drafts while writing it and solicit some feedback.
    Cheers, Tom

  3. I'm not familiar with RedLine, but it would seem from your post that it's RedLine that "knows about" different artifacts.

    I think that an example of this is the fact that while this post shows an infection via an exploit kit, there's nothing that seems to point out the value of the Java deployment cache index (*.idx) files, and their contents. It would seem that this isn't something programmed into RedLine, and therefore seems to be missed.

    Replies
    1. Harlan,
      thanks for your comments.

      "I'm not familiar with RedLine..." --> that's why I'm writing some blog posts about Redline to show its usefulness to DFIR practitioners. Besides traditional memory forensics, it's also very useful for doing Live Response / triage and incident detection.

      Redline is featured on the SANS DFIR Fall 2012 poster ("Finding Unknown Malware") and in the SANS FOR508 course for memory analysis (alternative to Volatility). How to use it for Live Response is not covered (or has it changed since last year?).

      To investigate IDX files I would write an IOC:
      - list files with path "C:\Users\***\AppData\LocalLow\Sun\Java\Deployment\cache\" of type (extension) IDX
      - search these files for strings "http" or "." (or anything else you want to see)

      I need to test / check if this returns all strings within the IDX files or not. To acquire the full file you would need to use another tool (e.g. Mandiant's commercial MIR tool allows this, and some cheaper or free tools likely too, e.g. FGET et al.)

      Doing a collection of the filesystem with strings of files can take a long time and create huge XML files (well still small compared to a disk image). Restricting the files with strings to a narrow path should help keep the performance better.

      I will try to incorporate this into one of my next blog posts.

      Cheers,
      Tom

    2. Tom,

      Thanks for the reply.

      > To investigate IDX files I would write an IOC:

      Can you write an IOC to parse binary data?

      My admittedly extremely limited experience with IOCs, through the forensicartifacts.com web site, as well as other experiences, has shown the use of the schema to be somewhat limited. I remember asking an IOC author once why they hadn't included the malware persistence mechanism in the IOC, and the response was that the value name was randomly generated. However, the value _data_ was consistent, in that the path started with "C:\ProgramData", or something similar.

      Again, I'm not suggesting that the IOC schema is limited, because I don't know. I'm saying that the way I've seen the schema used, for writing IOCs in real world environments, has been somewhat limited.

    3. Harlan,

      thanks for the challenge :-) (see my tweets: https://twitter.com/c_APT_ure/status/504030994085978113 )

      I only need to "tell" the IOC which ones of about 600 different artifacts I'm looking for. The parsing of those ~600 artifacts is implemented in the Redline Collector package (mAgent -- similar to the commercial MIR agent).

      The IOC schema certainly has some limitations, but you can still search for strings in files, registry keys and memory. Searching for binary patterns is a bit harder (I think not possible). But hey that's what YARA was made for.

      I prepared lots of screenshots tonight to update my blog post(s) soon again.

      Btw, I created several IOCs to detect different persistence methods, those are my favorites.

      Cheers,
      Tom
