Friday, February 27, 2015

Interesting event

Hi all.

I was not expecting to write this post today; I am still prepping for the SANS 560 course by studying programming. Slowly but surely I am getting it, thanks to a combination of the Intro to Programming course from Infinite Skills and a series of courses from Udemy.

However, while I was browsing the internet today I was on a website of dubious nature. Naturally, when I clicked 'there to watch' I was redirected to knfzz.updatenow.jellyfishmint.kim. If that doesn't look suspicious, right? Being the interested body I am, I fired up a PC and started doing some analysis.

As of now, the site is scanning clean all day:

https://www.virustotal.com/en/url/c2aef312ccca548609ac831e2b3291fde8931982c39462e615f6357ab48891d5/analysis/

urlquery.net/report.php?id=1425081604378

I'll try to keep this short. The website displays a popup on entry (in IE) saying the user needs to update their Flash Player. That's strike 2 for danger. There is an element on the page which my browser did not display; I need to find out what it is. In any case, clicking some of the links will send you to a subpage that ends in /NATakplayer2.US.html. I have not yet done analysis on this page, but VT has a scan of the page. Of note, the page mentions at the bottom that they are not offering the original Adobe file, and that their download may include additional software...

Clicking the install button sends the user to
hxxp://volumedl.com/api/download?accountid=14482&shortname=mediaplayer&campaignname=test=&clickid=MX10FVqJok

And the user gets a file, mediaplayer_setup.exe (note: the file is digitally signed by InstallX, LLC), MD5 74DD09FAA1E0B1FD4A19B0C233926C05.

I performed static analysis of the file, as well as uploading it to some sites including MALWR and VT; it appears it's new to them.

The PCAP I took was uploaded to VT and generated some alerts:

https://www.virustotal.com/en/file/b07e283e2e6413d485bc3e333e3f86d67937c502bf85bbd5fb887c83a012bf6f/analysis/

In the end the file possibly had some anti-VM and anti-debugging technologies, so I decided on an automated analysis over running the malware dynamically. In any case we see the exe has some hooking functionality, drops numerous files (mainly zip files), generates some outbound traffic, and at the very least offers the user the opportunity to download some additional crapware.

See you guys around.

Monday, January 12, 2015

1st post 2015

Hi all.

So, just to update from last month, my big news: I passed the SANS GPEN examination. As you may know, it covers penetration testing. My goal is to at some point be able to pentest my lab, add malware, attempt to detect the intrusion, analyze the hacked system, and be able to remediate the system and detect future intrusions. As such I will need to learn a lot. One part of that will be malware analysis.

Later this year I plan to take the SANS 560 course which deals with malware analysis. In preparation for that, I will need to learn a lot including programming, which has been a big stumbling block for me. But I am confident that I can overcome it. What I am doing now is attempting to read Practical Malware Analysis by Michael Sikorski (http://www.amazon.com/Practical-Malware-Analysis-Dissecting-Malicious/dp/1593272901). Getting through this with my limited knowledge should be a challenge that will be interesting. I've finished chapter one but will be going back over it. I do wish they had put Ch. 2 first, as it deals with setting up your lab. Ch. 1 has you analyzing malware without a lab setup. Not a great idea. What I found interesting is that the malware included is not detected by my current A/V software, a few years after the book was published. :o Anyway, I'll keep those of you who may be reading informed.

Wednesday, November 19, 2014

Updates: End of year 2014

Hi everyone. A quick update; I won't waste time. I'm currently in a class that I expect will be a boost to my career and my skillset. I expect to have it posted here shortly. Thanks for your patience.

Thursday, May 8, 2014

April update

Just wanted to drop a line and let you all know what I've been doing. I'm working on a new analysis, but I did take some time this month to attend my first security/hacker conference, ShowMeCon 2014. I've posted a review over at EthicalHacker.net; it's a forum where, with good participation, you may be able to win yourself discounts, giveaways, or even completely free training, which is how I was able to attend this con. So definitely go take a look, sign up and be active.

https://www.ethicalhacker.net/forums/viewtopic.php?f=15&t=11878

Tuesday, April 8, 2014

New Analysis Apr 8 2014

Hi everyone. I'm trying to get into doing analysis regularly. So today I present another blog.

Today I did an analysis on a piece of malware, filename 163842953.exe, MD5: 84e5e263ff859dae0df198c2b9051cf8. There is no clear consensus on VirusTotal as to what the malware is, and it has a horrendously low detection rate with the engines. (https://www.virustotal.com/en/file/da958d67485d4162f374fca97c3cfdd060aabb1ca49351efabdb5c4f414b2dd9/analysis/)

Here is a basic rundown on what I was able to find. When executed, the file executes cmd.exe silently and drops the following files:
File.exe: F2D365780E7DD0691C6FFB0EB888CABA
hhhii.exe: 53E9C0B26A983F00CD625BF2A1EB419B
mmmhhee.exe: 0EAAA93B405EC6B42121066646C56958

There is slightly better coverage for these files on the AV engines, excluding the last file, which appears to have the job of performing reachback.

Speaking of which, we saw a few URLs requested in this sample. IIRC, all requests were sent on port 80.
dupler-histu.com GET /b/shoe/456 HTTP/1.1
kozzi-acompany.com GET /libk25.98/jquery/ HTTP/1.1 - multiple requests for this file.
GET /wpad.dat HTTP/1.1 User-Agent: System.Net.AutoWebProxyScriptEngine/2.0.50727.4927
mirutaruda.com GET /startloader HTTP/1.1, GET /style.css HTTP/1.1 - mmmhhee.exe is linked to this domain according to VirusTotal.
krowdclown.com GET /style.css HTTP/1.1 - multiple requests for this file.
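An added example, not the author's code, of running the kind of detection the request list above invites over log lines: it flags requests to the four domains named in this post, wpad.dat fetches carrying the AutoWebProxyScriptEngine user agent, and repeated fetches of the same URL from one client. The log format, the client and server addresses and the timestamps are constructed for the example; the domains, paths and user agent come from the post.

```python
import re
from collections import Counter, defaultdict
from typing import NamedTuple

# Watchlist built from the domains observed in this post.
WATCHLIST = {
    "dupler-histu.com",
    "kozzi-acompany.com",
    "mirutaruda.com",
    "krowdclown.com",
}

# Constructed sample log (not a real capture). One request per line:
# timestamp client host method path "user-agent"
SAMPLE_LOG = """\
2014-04-08T10:01:02 10.0.0.5 dupler-histu.com GET /b/shoe/456 "Mozilla/4.0"
2014-04-08T10:01:05 10.0.0.5 kozzi-acompany.com GET /libk25.98/jquery/ "Mozilla/4.0"
2014-04-08T10:01:06 10.0.0.5 kozzi-acompany.com GET /libk25.98/jquery/ "Mozilla/4.0"
2014-04-08T10:01:09 10.0.0.5 10.0.0.1 GET /wpad.dat "System.Net.AutoWebProxyScriptEngine/2.0.50727.4927"
2014-04-08T10:01:12 10.0.0.5 mirutaruda.com GET /startloader "Mozilla/4.0"
2014-04-08T10:01:13 10.0.0.5 mirutaruda.com GET /style.css "Mozilla/4.0"
2014-04-08T10:01:20 10.0.0.5 krowdclown.com GET /style.css "Mozilla/4.0"
2014-04-08T10:01:21 10.0.0.5 krowdclown.com GET /style.css "Mozilla/4.0"
2014-04-08T10:02:00 10.0.0.7 www.example.com GET /index.html "Mozilla/4.0"
"""

class Request(NamedTuple):
    ts: str
    client: str
    host: str
    method: str
    path: str
    user_agent: str

class Alert(NamedTuple):
    kind: str
    client: str
    detail: str

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def parse_log(text):
    """Parse the constructed log format above; lines that do not match are skipped."""
    return [Request(*m.groups()) for m in map(LINE_RE.match, text.splitlines()) if m]

def analyze(requests, watchlist=WATCHLIST, repeat_threshold=2):
    """Return one Alert per matched rule. The wpad rule is informational on
    its own (Windows proxy auto-discovery makes this request legitimately);
    it matters when the same client also hits the watchlist."""
    alerts = []
    fetches = Counter()
    for r in requests:
        if r.host.lower() in watchlist:
            alerts.append(Alert("watchlist-domain", r.client,
                                f"{r.method} {r.host}{r.path}"))
        if r.path.lower().endswith("/wpad.dat"):
            alerts.append(Alert("wpad-request", r.client,
                                f"{r.host}{r.path} UA={r.user_agent}"))
        fetches[(r.client, r.host, r.path)] += 1
    # Same client fetching the same URL repeatedly: the pattern the post
    # notes for /libk25.98/jquery/ and /style.css.
    for (client, host, path), n in sorted(fetches.items()):
        if n >= repeat_threshold:
            alerts.append(Alert("repeated-fetch", client, f"{host}{path} x{n}"))
    return alerts

def clients_by_alert(alerts):
    """Count alert kinds per client so a host can be triaged in one view."""
    summary = defaultdict(Counter)
    for a in alerts:
        summary[a.client][a.kind] += 1
    return {client: dict(kinds) for client, kinds in summary.items()}

if __name__ == "__main__":
    found = analyze(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"{a.kind:18} {a.client:10} {a.detail}")
    print(clients_by_alert(found))
```

The watchlist is the weakest rule here, since the domains rotate; the per-client summary is what an analyst would keep, because a host that both asks for wpad.dat and repeatedly fetches the same small file from a fresh domain stands out even after the domains change.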

Now I'm no registry expert, so crawling through the entries was not easy, but I did notice these strange entries:
HKLM\SOFTWARE\Wow6432Node\Cpvnutujyk
HKU\USER SID\Software\Cpvnutujyk - SID removed
HKLM\SOFTWARE\Wow6432Node\Cpvnutujyk\License: 0x000001C8

So that's what I got today; please leave feedback, thanks! EDIT: A comment on one of the reports links one of the domains to ASPROX. Unconfirmed, but certainly possible.

Friday, April 4, 2014

New analysis

Hey all,

I know it's been a while since I posted; events, events. After my first analysis I received a naughtygram from my ISP, actually just them letting me know that I might be infected! Well, I took some time and eventually found some new ways to do my analysis, hopefully with less risk. I do want to take a second to give a shout to TekDefense and their YouTube channel https://www.youtube.com/user/TekDefense - some great videos there with introductions to malware analysis.

So since this is my first real day back, I'll just review some info. Yesterday I was able to get my Security Onion (https://code.google.com/p/security-onion/) distro back up and running, and was able to test it out, so the goal is to do separate tests now, and perhaps at some point to integrate malware analysis and IDS testing, seeing what the IDS detects, and writing custom rules to detect what it misses.

So what did I see today from this version of CryptoLocker? Probably not much that wouldn't be found in an in-depth analysis paper written by an experienced analyst with hours to examine it, but I did notice a few things. The original file (sorry, I don't have the name) spawned a new process, windtre.exe. windtre can be found in the user's temp directory and has an MD5 of 2BEDEF64E5A615619356219E44E5082D, which was not in VirusTotal. In the future I will be looking for ways to safely upload these files to sites for further analysis. Finally, the malware did make some GET requests for wpad.dat; unfortunately I missed the IPs it requested. Future analysis reports will have this info, but I'll have to do it on days where I don't have to work! Well, thanks for reading guys, hope you all have a great day, please leave feedback. - SecTest

Sunday, February 16, 2014

Day 1 analysis

So, my first foray into this world: I fired up my VM and Wireshark and headed over to 2 websites I was told were hosting malware. Lessons learned 1: make a checklist. I had forgotten to prep my tools, and I ended up opening Wireshark in the middle of my session and forgot to take a clean snapshot of my VM.

Luckily or not, the sites appeared to be clean. No Google alert on the sites, no alarm from my security software, and none of the redirects I was expecting. Lessons learned 2: stuff changes, sites get cleaned up.

So I headed over to Google and looked up "list of infected websites". I came upon an old list and headed to one ending in .ru, a good candidate I figured. My host's security software did alert on the site and claimed it had denied access to the site; this was not completely the case, as I was seeing the site, or at least a placeholder. IAC I reverted and looked for something more... active. Luckily a friend had mentioned in an online post that GRC hosted some malware. I headed over and found that it was hosting CryptoLocker and Zeus. I figured I am not prepared for CryptoLocker and downloaded and ran Zeus. Success!

This particular form of Zeus came as a file, I believe a doc, likely a double file extension (I'll check later), and once executed brings up an Adobe Flash Player installer/upgrade window, with a UAC window. Noticeable is that the program is signed by Adobe; if I remember correctly the software uses legitimate but now revoked keys from Adobe. If you give the software permission to install, it fails out and you are owned.

Analysis notes: Host security software blocked access to several IP addresses. When I threw a few of these through VirusTotal, they came back clean or with low detection rates, so Lessons learned 3: don't rely completely on reputation and online scanners! I looked at my installed tools; Regshot was the most useful, with its comparison indicating that a number of files had been deleted and firewall rule changes made. Windows Defender was uninstalled, and the Windows firewall appeared to be turned off, though it was likely running in some fashion I suspect. Snort did detect the Zeus activity and the exe file download. Strangely enough, OSSEC did not appear to detect any activity that I could see, so I have to suspect either its capabilities, or my use of ELSA as a monitoring tool. Please leave any thoughts or comments below, and thank you.
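An added example, not the author's code, of the before/after comparison this post describes doing with Regshot, also covering the strange registry entries noted in the April 8 post above. Both snapshots are constructed dictionaries: the Cpvnutujyk keys, the windtre.exe hash and the EnableFirewall value (a real Windows Firewall setting under the StandardProfile key) come from the posts, the SID is a placeholder, and the remaining paths and hash strings are made up for the example. The consonant-run check is a heuristic for generated-looking key names, not a detection rule.

```python
import re
from typing import NamedTuple

class Change(NamedTuple):
    kind: str       # "added", "removed" or "modified"
    key: str        # registry path (starts with HK...) or file path
    before: object  # value or hash before; None if added
    after: object   # value or hash after; None if removed

class Finding(NamedTuple):
    rule: str
    key: str

# Constructed "before" snapshot: registry values and file hashes.
BEFORE_REG = {
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\EnableFirewall": 1,
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden": 2,
}
BEFORE_FILES = {
    "C:\\Program Files\\Windows Defender\\MSASCui.exe": "constructed-hash-defender-ui",
    "C:\\Windows\\System32\\notepad.exe": "constructed-hash-notepad",
}

# Constructed "after" snapshot: firewall off, Defender binary gone, new keys
# and a new executable in the user's temp directory (hash from the post).
AFTER_REG = {
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\EnableFirewall": 0,
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden": 2,
    "HKLM\\SOFTWARE\\Wow6432Node\\Cpvnutujyk\\License": 0x1C8,
    "HKU\\<SID>\\Software\\Cpvnutujyk": "",   # <SID> is a placeholder
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\MRUListEx": "constructed",
}
AFTER_FILES = {
    "C:\\Windows\\System32\\notepad.exe": "constructed-hash-notepad",
    "C:\\Users\\lab\\AppData\\Local\\Temp\\windtre.exe": "2bedef64e5a615619356219e44e5082d",
}

def diff_snapshot(before, after):
    """Regshot-style comparison of two path -> value/hash mappings."""
    changes = []
    for k in sorted(set(before) | set(after)):
        if k not in before:
            changes.append(Change("added", k, None, after[k]))
        elif k not in after:
            changes.append(Change("removed", k, before[k], None))
        elif before[k] != after[k]:
            changes.append(Change("modified", k, before[k], after[k]))
    return changes

def longest_consonant_run(name):
    """Length of the longest run of consonants; generated names tend to be high."""
    runs = re.findall(r"[b-df-hj-np-tv-z]+", name, re.IGNORECASE)
    return max((len(r) for r in runs), default=0)

def vendor_component(reg_path):
    """Component directly under ...\\Software (skipping Wow6432Node), or None."""
    parts = reg_path.split("\\")
    for i, p in enumerate(parts):
        if p.lower() == "software":
            rest = [q for q in parts[i + 1:] if q.lower() != "wow6432node"]
            return rest[0] if rest else None
    return None

def triage(changes, run_threshold=4):
    """Apply a few defender-side rules to the diff and return the findings."""
    findings = []
    for c in changes:
        is_reg = c.key.startswith("HK")
        vendor = vendor_component(c.key) if is_reg else None
        if c.kind == "added" and vendor and longest_consonant_run(vendor) >= run_threshold:
            findings.append(Finding("random-looking-software-key", c.key))
        if c.kind == "modified" and c.key.endswith("\\EnableFirewall") and c.after == 0:
            findings.append(Finding("firewall-disabled", c.key))
        if c.kind == "removed" and not is_reg:
            findings.append(Finding("file-deleted", c.key))
        if (c.kind == "added" and not is_reg
                and "\\temp\\" in c.key.lower() and c.key.lower().endswith(".exe")):
            findings.append(Finding("new-exe-in-temp", c.key))
    return findings

def analyze_lab_run():
    """Diff the constructed snapshots and triage the result."""
    changes = diff_snapshot({**BEFORE_REG, **BEFORE_FILES}, {**AFTER_REG, **AFTER_FILES})
    return changes, triage(changes)

if __name__ == "__main__":
    changes, findings = analyze_lab_run()
    for c in changes:
        print(f"{c.kind:9} {c.key}")
    for f in findings:
        print(f"FINDING {f.rule}: {f.key}")
```

Taking the first snapshot from a clean VM snapshot, as the Day 1 post's checklist lesson suggests, is what makes the diff trustworthy; the `Hidden` and `notepad.exe` entries are there to show that unchanged items produce nothing, and the `MRUListEx` key shows an added key with an ordinary vendor name passing the name heuristic.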