In this series of posts, I’m continuing the Open Security Training materials, with this set of posts being more focused on the Malware Analysis class.
You may find reviewing the material from Open Security more beneficial. However, if you do choose to stick with this, I hope you find it helpful.
In this, the final post in the series, we are looking at persistence through the lens of the Parite malware.
In the previous blog posts, we saw that the malware deleted itself and either created new processes or became a process that gets loaded by “svchost.exe”. In the case of Parite, the malware deletes itself like the others. However, unlike the others, it does not create a new process.
While reviewing this in Process Hacker, it was noticed that “malware.exe” gets loaded and is immediately deleted. The image below shows the process being deleted.
Since we are unable to track the process creation above, we need to verify through other methods what the malware is doing. Fortunately, we also have Autoruns.exe, which allows us to compare autoruns, along with the snapshot of our registry via RegShot.
Conducting the first set of analysis via Autoruns, we see that a startup registry value “fmsiocps c:\windows\fmsiocps.exe” has been added to “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”. Additionally, we see that the registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls” now has the value “fmsiocps.dll c:\windows\system32\fmsiocps.dll”.
Looking at the Regshot output, we see that the key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tqat.exe” was added. This corresponds to:
From the above, we see that the “tqat.exe” executable will be launched under the debugger.
We also see additional keys from Regshot, as shown below:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmsiocps: "C:\WINDOWS\fmsiocps.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tqat.exe\Debugger: "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: "fmsiocps.dll"
The final line shows the value "fmsiocps.dll" now associated with “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs”.
The AppInit_DLLs registry entry will be used to load "fmsiocps.dll" into every user mode process. Now isn’t that some serious power to have?
Running a search in Process Hacker for "fmsiocps.dll" shows that this DLL has been loaded into 6 applications, which include “FireFox.exe”, “explorer.exe” and even “ProcessHacker.exe”, along with 3 others.
At this point, there is no need to go further, as the objective was to demonstrate persistence. By leveraging the “AppInit_DLLs” value, malicious software has the opportunity to be truly persistent.
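The Regshot comparison above can be triaged mechanically. The following Python script is an added example, not part of the original post or the Open Security Training material: it classifies Regshot string-value lines into the three autostart mechanisms seen here (Run key, AppInit_DLLs, Image File Execution Options debugger). The names `triage`, `RULES` and `SAMPLE`, the rule labels and the two constructed sample lines are assumptions, and only quoted string values are parsed.

```python
import re

# Regshot-style string value line:  <registry path>: "<data>"
LINE = re.compile(r'^(?P<path>HK[A-Z_]+\\.+?):\s*"(?P<data>.*)"\s*$')

# Autostart locations seen in this post, matched against the value's full path.
RULES = [
    ("run-key", re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)),
    ("appinit-dlls", re.compile(r"\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs$", re.I)),
    ("ifeo-debugger", re.compile(r"\\Image File Execution Options\\[^\\]+\\Debugger$", re.I)),
]

def triage(regshot_text):
    """Return unique (mechanism, path, data) findings, in order of appearance."""
    findings, seen = [], set()
    for raw in regshot_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # headers, binary/DWORD values, blank lines
        path, data = m.group("path"), m.group("data")
        for name, rule in RULES:
            if not rule.search(path):
                continue
            # AppInit_DLLs exists with empty data on a clean system;
            # only a non-empty DLL list is worth reporting.
            if name == "appinit-dlls" and not data.strip():
                continue
            key = (name, path.lower(), data.lower())
            if key not in seen:
                seen.add(key)
                findings.append((name, path, data))
    return findings

# The first three lines are the values quoted in the post, the fourth repeats
# the Run value; the last two are constructed and must not be reported.
SAMPLE = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmsiocps: "C:\WINDOWS\fmsiocps.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tqat.exe\Debugger: "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: "fmsiocps.dll"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmsiocps: "C:\WINDOWS\fmsiocps.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: ""
HKLM\SOFTWARE\ExampleVendor\Settings\Theme: "dark"
'''

if __name__ == "__main__":
    for mech, path, data in triage(SAMPLE):
        print(f"{mech:14} {path} -> {data}")
```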
References:
Open Security Training
Malware Bytes Image File Execution Options
Launching the debugger automatically
MSDN - Image File Execution Options
MSDN - AppInit_DLLs in Windows 7 and Windows Server 2008 R2
Microsoft - Working with the AppInit_DLLs registry value