Saturday, November 28, 2015

Write-Up of JIIR "Triage Practical – Malware Event – Prefetch $MFT IDS"


Introduction


Corey Harrell (@corey_harrell) recently tweeted about a malware triage challenge he posted on his Journey Into Incident Response (jIIr) blog:


In this blog post, Corey provided some context to the scenario and also posed the following questions:
  • Is this a confirmed malware security event or was the junior analyst mistaken?
  • What type of malware is involved?
  • What potential risk does the malware pose to your organization?
  • Based on the available information, what do you think occurred on the system to cause the malware event in the first place?

This write-up outlines my analysis of the provided evidence files and answers to Corey's questions. All timestamps are shown in GMT time zone.


Analysis


Processing evidence files


Before getting started, I converted the $MFT to a comma-separated values (CSV) file so that I could view the file in Microsoft Excel and also manipulate it using text parsing tools. First I created a bodyfile from the MFT using analyzeMFT:
$ analyzeMFT.py -f \$MFT -b MFT.body --bodyfull
where '-f' designates the file to read from (the '$' must be escaped so that the bash shell does not interpret '$MFT' as a variable name), '-b' specifies output in bodyfile format with the output file name, and '--bodyfull' specifies to include full file paths.

I then converted the bodyfile to a CSV using mactime from The Sleuth Kit:
$ mactime -d -b MFT.body -m > MFT.timeline
where '-d' specifies comma-delimited format, '-b' specifies the bodyfile to read from, '-m' designates months in the timestamps as numbers instead of letters and '>' redirects standard output to a file.

All of the other evidence files provided were already in a useable form, so I did not have to process them before using them in my analysis, other than to replay the PCAP through Snort (using Security Onion) to see any generated alerts.

Is this a confirmed malware security event?


In a word, yes. The malware was executed, which installed a keylogger and exfiltrated data to an external FTP server.

Before analyzing the full scope of activity, I wanted to quickly identify any malicious indicator that would suggest further investigation was warranted and to serve as an anchor point from which to pivot for additional analysis. I started with the prefetch files, since if this were really a malware infection, the malware would have executed and I might find this in the prefetch. Additionally, I had a general time frame to look ("early...on August 15, 2015"). I mounted the Prefetch.ad1 file with AccessData's FTK Imager, opened the prefetch with NirSoft's WinPrefetchView utility, then sorted on the "Created Time" column. I quickly found a suspicious looking executable named Overdue Invoice Documents for Payment 082015.exe, shown in Figure 1:

Figure 1: Prefetch file for "Overdue Invoice Documents for Payment 082015.exe".


The following lists the full prefetch file details for this executable:
Process EXE:               OVERDUE%20INVOICE%20DOCUMENTS%20FOR%20PAYMENT%20082015[1].EXE
File Size:                 56,400
Created Time (PF file):    8/15/2015 5:33:58 AM
Modified Time (PF file):   8/15/2015 5:33:58 AM
Last Run Time (EXE file):  8/15/2015 5:33:55 AM
Process Path:              C:\USERS\LAB\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\TSFMVXQM\OVERDUE%20INVOICE%20DOCUMENTS%20FOR%20PAYMENT%20082015[1].EXE
Run Count:                 1
Missing Process:           Yes
Prefetch Filename:         OVERDUE%20INVOICE%20DOCUMENTS-BB3C03FD.pf
This file caught my eye for two reasons. First, the file name suggests it is some sort of document (e.g., a word processing document, spreadsheet, etc.), yet it has an executable file extension. Second, I've seen many phish with "overdue invoice" themes to increase the urgency to open them. In order to confirm what this file was, I searched for the file name in the file hash list provided with the evidence files, and found the following:
MD5: ea0995d9e52a436e80b9ad341ff4ee62
SHA1: 0601740b14494a983ed0281f34443b439855724c
FileName: win7x32.vmdk\Partition 1 [8190MB]\NONAME [NTFS]\[root]\Users\lab\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TSFMVXQM\Overdue%20Invoice%20Documents%20for%20payment%20082015[1].exe
Searching for this MD5 hash on VirusTotal returned a 44/56 anti-virus detection ratio, a very strong indication that this file is malicious (VirusTotal, 2015). Now, just because a malicious file was downloaded does not mean it was executed or the host was actually compromised. In this case, however, the prefetch for this file shows it was executed on 8/15/2015 at 5:33:55 AM, so we can assume for now the host was probably compromised. 
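The prefetch-to-hash-list pivot described above can be scripted when there are many prefetch entries to check. The following is an added example, not code from the original write-up: the function names, the list of risky directories, the mapping of `[root]` to `C:`, and the second (notepad) records are assumptions constructed for illustration.

```python
# Hash list in the write-up's three-line record layout; record 2 is constructed.
HASH_LIST = r"""MD5: ea0995d9e52a436e80b9ad341ff4ee62
SHA1: 0601740b14494a983ed0281f34443b439855724c
FileName: win7x32.vmdk\Partition 1 [8190MB]\NONAME [NTFS]\[root]\Users\lab\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TSFMVXQM\Overdue%20Invoice%20Documents%20for%20payment%20082015[1].exe
MD5: 00000000000000000000000000000000
SHA1: 0000000000000000000000000000000000000000
FileName: win7x32.vmdk\Partition 1 [8190MB]\NONAME [NTFS]\[root]\Windows\System32\notepad.exe
"""

# (process path, last run time) pairs as WinPrefetchView reports them.
# Entry 1 is from the write-up; entry 2 is constructed.
PREFETCH = [
    (r"C:\USERS\LAB\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES"
     r"\CONTENT.IE5\TSFMVXQM\OVERDUE%20INVOICE%20DOCUMENTS%20FOR%20PAYMENT%20082015[1].EXE", "8/15/2015 5:33:55 AM"),
    (r"C:\WINDOWS\SYSTEM32\NOTEPAD.EXE", "8/15/2015 5:10:02 AM"),
]

# User-writable locations where a freshly downloaded program typically lands (assumed list).
RISKY_DIRS = ("\\TEMPORARY INTERNET FILES\\", "\\APPDATA\\LOCAL\\TEMP\\", "\\DOWNLOADS\\")

def normalize(image_path, volume="C:"):
    """Map an FTK image path to prefetch's upper-case form (assumes [root] is volume C:)."""
    rel = image_path.partition("[root]\\")[2] or image_path
    return f"{volume}\\{rel}".upper()

def parse_hash_list(text):
    """Return {normalized path: {"md5": ..., "sha1": ...}}."""
    records, current = {}, {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            continue
        current[key.lower()] = value.strip()
        if key == "FileName":  # FileName is the last line of each record
            records[normalize(current.pop("filename"))] = current
            current = {}
    return records

def executed_from_risky_dirs(prefetch, hashes):
    """Prefetch entries run from RISKY_DIRS, joined to their MD5 (None if not in hash list)."""
    hits = []
    for path, last_run in prefetch:
        if any(d in path.upper() for d in RISKY_DIRS):
            md5 = hashes.get(path.upper(), {}).get("md5")
            hits.append((path.rsplit("\\", 1)[-1], last_run, md5))
    return hits

if __name__ == "__main__":
    print(executed_from_risky_dirs(PREFETCH, parse_hash_list(HASH_LIST)))
```

A hit with an MD5 of `None` means the program ran but the file is no longer on disk, which is itself worth noting during triage.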


What type of malware is involved?


Most of the VirusTotal detections refer to this file as a generic Trojan, backdoor, or password stealer. Based on the PCAP provided, however, the malware appears to be the HawkEye Keylogger program, as shown in Figures 2 - 4.


Figure 2: "ET TROJAN HawkEye Keylogger FTP" Snort alert.


Figure 3: HawkEye Keylogger exfiltrating log file via FTP.


Figure 4: Contents of HawkEye Keylogger log file exfiltrated via FTP.
Note that the local system time stamp in the exfiltrated file in Figure 4 is 1:34:15 AM (Local) or 5:34:15 AM GMT, which is only 20 seconds after the malware was executed. I did not find the filename HawkEye_Keylogger_Stealer_Records_WIN-DBO1FC9QSDG 8.15.2015 1:34:20 AM.txt in either the $MFT or file hash list.

Malwr.com (2015) has a sandbox analysis of this specific malware sample (by MD5 hash). I wasn't able to locate any artifacts in the MFT timeline or file hash list similar to those in the Malwr.com analysis, so the malware may have had some type of cleanup routine. I also did not download the sample from Malwr.com for further static or dynamic analysis since this is just a triage scenario, and I wanted to limit my findings based on the provided evidence files and what I could quickly find through Google searches.

What potential risk does the malware pose to your organization?

This malware poses a very high risk to the organization due to its ability to steal a variety of credentials, which could in turn be used to steal additional data, access other systems, facilitate lateral movement, launch more credible phishing or spear phishing campaigns through compromised email accounts, and a plethora of other possibilities. iSIGHT Partners reported previously on the Hawkeye Keylogger's capabilities (Eitzman, 2015).

What do you think occurred on the system to cause the malware event in the first place?


There is no way to determine with certainty how the malware got on the machine in the first place based on just the information provided. However, I think a reasonable hypothesis is that it was delivered via a phishing email, either as an embedded link or a file attachment. There are at least two reasons that suggest this was a phish: 1) the malware file name is a common theme in phishing emails, and 2) the MFT timeline indicates a user on the computer was logged into the Yahoo! Mail web mail service at least three minutes prior to the malware being created on the system. Figure 4 depicts some relevant portions of the MFT timeline showing Yahoo! and Yahoo! Mail artifacts that suggest the user may have been logged into his or her web mail account:


Figure 4: Yahoo! activity in MFT timeline.


The previously mentioned iSIGHT Partners report discusses confirmed Hawkeye Keylogger campaigns that use phish emails with "payment" or "invoice" themes, which supports this hypothesis. With that said, it would be necessary to examine this machine's web browsing history and web browsing cache files, and possibly speak to the user to confirm or deny this hypothesis.

I couldn't tell whether any exploits were involved, although this seems like it was a standalone executable, as I did not find any related prefetch information or any other potentially malicious files in the MFT timeline or file hash list (I admit I didn't review the file hash list on its own very thoroughly). Based on the MFT timeline, there was some Java and Adobe application activity before and after the malware was executed that could be related, and the machine was running vulnerable Java version 1.7.0_10 per the Snort alert in Figure 2 and the corresponding transcript in Figure 5. However, it looks like this might just be normal Java/Adobe operation. Additional file system analysis would be required to confirm this.


Figure 5: Transcript showing vulnerable Java version.

Another hypothesis is that the user was redirected during normal web browsing to a site hosting this file. I think this is less likely, as the file name seemed intended for a user to see and manually open it rather than through automated means (redirects, exploit kit, etc.).

References


Eitzman, R. (2015). Hawkeye keylogger campaigns affect multiple industries. Retrieved from http://www.isightpartners.com/2015/06/hawkeye-keylogger-campaigns-affect-multiple-industries/.

Malwr.com. (2015). Analysis of file with MD5 hash ea0995d9e52a436e80b9ad341ff4ee62. Retrieved from https://malwr.com/analysis/ZWU0ZmJmOWE4OGFhNDlhN2EwZmZmM2UyZTc0ODk3MjQ/.

VirusTotal. (2015). Analysis of file with MD5 hash ea0995d9e52a436e80b9ad341ff4ee62. Retrieved from https://www.virustotal.com/en/file/96716cf198502bdeeb0c0fccd8d01e46bccb2d03eaf0537d16f51851333d5247/analysis/.