In this series of posts I'm continuing through the Open Security Training materials, with this set of posts focused on the Malware Analysis class.
You may find reviewing the material from Open Security Training directly more beneficial. However, if you do choose to stick with this, I hope you find it helpful.
In this post we look at the persistence mechanism used by IMWorm, this time leveraging Regshot to expand on what the previous post's Autoruns pass showed us.
Similar to the previous post, in which we leveraged Autoruns and took an initial snapshot of the system, we once again start off with an initial snapshot, this time with Regshot. The screenshot below shows the initial or "1st shot" being taken. This snapshot will then be compared with another one taken after execution of IMWorm. Take the first shot on a clean, idle VM with nothing else running, otherwise the comparison fills up with unrelated churn (the RNG seed and CatRoot2 entries further down are examples of changes that happen regardless of the malware).
The next step is to execute "IMWorm", take the "2nd shot" and then compare the two results. The screenshot below shows the second shot being taken:
Now that the second
shot is taken, it’s time to “Compare” the “1st shot” and “2nd
shot”, as shown below:
The comparison produced
the following:
Created with Regshot 1.9.0 x86 ANSI
Comments: SecurityNik - Before IMWorm Snapshot
Datetime: 2017/8/6 03:55:40 , 2017/8/6 03:59:55
Computer: SECURITYNIK-XP , SECURITYNIK-XP
Username: SecurityNik , SecurityNik

Keys added: 13
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\SOFTWARE\Microsoft\DownloadManager
HKLM\SOFTWARE\Policies\Microsoft\Windows NT
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Policies\Microsoft\Internet Explorer
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo\pager
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo\pager\View
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo\pager\View\YMSGR_buzz
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo\pager\View\YMSGR_Launchcast

Values added: 17
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions: 0x00000001
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Grzc\znyjner-fnzcyrf_cnffjbeq-vf-vasrpgrq\VZjbez\znyjner.rkr: 03 00 00 00 06 00 00 00 A0 58 31 1C 68 0E D3 01
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings: 3C 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 92 D5 1D 68 0E D3 01 01 00 00 00 0A 00 00 65 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 92 D5 1D 68 0E D3 01 01 00 00 00 0A 00 00 65 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Temp\malware-samples_password-is-infected\IMworm\malware.exe: "malware"
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-22914: "Contains letters, reports, and other documents and files."
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31253: "Moves the selected items to the Recycle Bin. If you want to recover them later, go to the Recycle Bin."
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31371: "Sends an e-mail message with copies of the selected files, or the files within a selected folder."
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel\Homepage: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo\pager\View\YMSGR_buzz\content url: "http://quicknews.info/"
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo\pager\View\YMSGR_Launchcast\content url: "http://quicknews.info/"

Values modified: 6
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 7A A3 C4 33 88 E3 52 BA 76 54 40 CA 16 B2 06 3E 17 99 12 EF EA 15 6D 37 EB 89 A7 FE 65 59 6E 02 CA 1C EF 55 F9 47 AF EC C4 98 C3 57 64 21 1E 89 01 51 D2 C0 40 BF F8 09 E9 00 DB CC 98 61 F9 A2 AB 45 BC 4E 9D DA 0D 0D 1A 44 C0 FD 95 61 38 4E
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: DB D4 00 37 7D 70 20 A5 C2 75 A2 84 A7 6F AE B5 C3 0B 07 57 BF FA 82 C6 31 20 60 85 52 58 87 E8 1E A5 0C 4C C8 82 61 81 2C 61 82 E4 17 F9 22 ED 61 A6 FD 3B 7F 47 8F B8 E9 7C E0 AF 75 0B F7 7E AB 11 F9 4A 38 9B 83 4F 6A B3 7C 80 35 B5 0F 24
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "explorer.exe C:\WINDOWS\system\lsass.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "userinit.exe,C:\WINDOWS\system\lsass.exe"
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Internet Explorer\Main\Start Page: "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Internet Explorer\Main\Start Page: "http://quicknews.info/"
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 03 00 00 00 0F 00 00 00 A0 0C C3 F6 65 0E D3 01
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 03 00 00 00 10 00 00 00 A0 58 31 1C 68 0E D3 01
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy: 0x00000000
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy: 0x00000001

Files added: 4
C:\WINDOWS\Prefetch\LSASS.EXE-0551E7A6.pf
C:\WINDOWS\Prefetch\MALWARE.EXE-03900DB2.pf
C:\WINDOWS\system\lsass.exe
C:\WINDOWS\lsass.exe

Files [attributes?] modified: 3
C:\WINDOWS\system32\CatRoot2\edb.chk
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
C:\WINDOWS\system32\config\software.LOG

Total changes: 43
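One line in the output that is easy to skip past is the UserAssist entry whose name looks like gibberish (HRZR_EHACNGU:P:\Grzc\...). UserAssist names are ROT13-encoded and, on XP, each value is 16 bytes: a session DWORD, a run counter DWORD and a FILETIME of the last run. Decoding it tells you what was run and when, which can be checked against the snapshot times in the report header. The script below is an added example and is not part of the original post or the Open Security Training material; the two UserAssist lines are copied from the output above with the key prefix dropped, the XP counter offset of 5 is the documented quirk for that OS, and treating the Regshot "Datetime" values as UTC is an assumption about the VM clock.

```python
# Decode the UserAssist entries from the Regshot output above.
# Added example, not part of the original post or the Open Security Training material.
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Constructed copies of the two UserAssist lines in the report (the new data of the modified
# aggregate entry, and the added per-program entry); the key path before "\Count\" is omitted.
USERASSIST_LINES = [
    r"HRZR_EHACNGU: 03 00 00 00 10 00 00 00 A0 58 31 1C 68 0E D3 01",
    r"HRZR_EHACNGU:P:\Grzc\znyjner-fnzcyrf_cnffjbeq-vf-vasrpgrq\VZjbez\znyjner.rkr: 03 00 00 00 06 00 00 00 A0 58 31 1C 68 0E D3 01",
]
# Regshot's "Datetime" header: first shot and second shot, from the VM's local clock.
FIRST_SHOT, SECOND_SHOT = "2017/8/6 03:55:40", "2017/8/6 03:59:55"

XP_COUNT_OFFSET = 5   # Windows XP stores the UserAssist run counter starting at 5
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME: number of 100-nanosecond intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_userassist(line):
    """Return (name, session, run_count, last_run) for one 'name: hex bytes' UserAssist line.
    XP value layout is <session:u32><count:u32><last-run FILETIME:u64>, little-endian, 16 bytes."""
    entry, _, hexdata = line.rpartition(": ")
    name = codecs.decode(entry, "rot13")          # UserAssist names are ROT13-obfuscated
    session, count, ft = struct.unpack("<IIQ", bytes.fromhex(hexdata))
    return name, session, count - XP_COUNT_OFFSET, filetime_to_datetime(ft)


def parse_regshot_time(s):
    """Regshot's 'YYYY/M/D HH:MM:SS'. Assumption: the VM clock runs at UTC, so no offset is applied."""
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def ran_between_shots(last_run, first=FIRST_SHOT, second=SECOND_SHOT):
    """True when the decoded last-run time falls inside the snapshot window."""
    return parse_regshot_time(first) <= last_run <= parse_regshot_time(second)


if __name__ == "__main__":
    for line in USERASSIST_LINES:
        name, session, runs, last_run = decode_userassist(line)
        print(f"{name}\n  session={session} runs={runs} "
              f"last_run={last_run:%Y-%m-%d %H:%M:%S} UTC "
              f"between_shots={ran_between_shots(last_run)}")
```

Decoding the per-program entry gives UEME_RUNPATH:C:\Temp\malware-samples_password-is-infected\IMworm\malware.exe with a single run at 03:57:23, squarely between the two shots, and the aggregate UEME_RUNPATH entry carries the same timestamp with its counter bumped from 0x0F to 0x10. That is independent confirmation of which binary the user launched and when, useful on a real incident where nobody took a "before" snapshot for you.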
Deviating from the persistence mechanism for a second to pick out some other interesting points, we see the following.
From the output above, 13 registry keys were added. The last two of the 13 sit under HKU\...\Software\Yahoo\pager\View, which is Yahoo Messenger's registry location (the "IM" in IMWorm), and each carries a "content url" REG_SZ value of http://quicknews.info/, as shown below:
Focusing on the "Values added", the ones that stand out immediately are …
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions: 0x00000001
This is the "Remove the Folder Options menu item from the Tools menu" policy. If we remember, in the previous post we were unable to view the folder options; this was the reason why. The same value was also added machine-wide under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer.
… and …
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun: 0x00000001
This is "Remove the Run menu item from the Start menu".
… and …
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools: 0x00000001
This is "Disable Registry Editing tools". If we remember, in the previous post we were unable to run "regedit".
… and …
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 0x00000001
This is "Disable Task Manager".
Rounding out the lockdown, HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig: 0x00000001 stops the System Restore configuration from being changed. None of these values is persistence in itself; they exist to keep the user (and the analyst) from seeing and undoing what the worm did. The HKU ones are per-user policy values, so they can be cleared from another account, or with regedit once the malware is no longer running and the restriction has been lifted.
Going back to the persistence mechanism, the "Values modified" section shows:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "explorer.exe C:\WINDOWS\system\lsass.exe"
In the first entry (before IMWorm ran) the value was only "Explorer.exe"; in the second, "C:\WINDOWS\system\lsass.exe" has been tacked on. The Shell value tells Winlogon which program to start as the user's shell, the one that provides the desktop and taskbar, and by default that is Explorer.exe. Adding another executable to it means the dropped lsass.exe is launched along with the shell at every interactive logon. Note the location: the legitimate Local Security Authority process is C:\WINDOWS\system32\lsass.exe, whereas this one lives in C:\WINDOWS\system, a name chosen so that it blends in with the real process in any listing. The Userinit value was modified in the same way:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "userinit.exe,C:\WINDOWS\system\lsass.exe"
Userinit is a comma-separated list of programs that Winlogon runs when a user logs on, before the shell; userinit.exe is what then starts the shell. The default is just userinit.exe. Here the full path to userinit.exe has been replaced with the bare file name and C:\WINDOWS\system\lsass.exe has been appended, giving the malware a second launch at logon. With both Shell and Userinit modified, cleaning up only one of them leaves the persistence intact, and because both values live under HKLM the change applies to every user on the machine.
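Reading a Regshot comparison by eye works for one sample, but the same checks are worth scripting so that the next report gets the same scrutiny: pair up the old/new lines of every modified value, pull out anything newly added to Winlogon's Shell or Userinit, flag well-known system binary names that are not in system32, and list the lockdown policy values covered above. The script below is an added example and is not part of the original post or the Open Security Training material. Its input is a constructed excerpt of this post's Regshot output; splitting the Shell value on spaces as well as commas assumes no paths with embedded spaces, and the list of "system binary" names is my own choice.

```python
# Triage a Regshot comparison for the lockdown and persistence changes discussed in this post.
# Added example, not part of the original post or the Open Security Training material.
import re
from collections import defaultdict

# Constructed excerpt of the post's Regshot output, reduced to the lines of interest.
SAMPLE_REPORT = r"""
Values added: 17
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 0x00000001
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000
Values modified: 6
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "explorer.exe C:\WINDOWS\system\lsass.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "userinit.exe,C:\WINDOWS\system\lsass.exe"
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Internet Explorer\Main\Start Page: "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Internet Explorer\Main\Start Page: "http://quicknews.info/"
Files added: 4
C:\WINDOWS\Prefetch\LSASS.EXE-0551E7A6.pf
C:\WINDOWS\system\lsass.exe
C:\WINDOWS\lsass.exe
"""

SECTION_RE = re.compile(r"^([A-Z][A-Za-z \[\]?]+): \d+$")   # e.g. "Values modified: 6"
WINLOGON = "\\currentversion\\winlogon\\"
# Process names malware likes to borrow (my own list); the genuine ones live in system32.
SYSTEM_BINARY_NAMES = {"lsass.exe", "csrss.exe", "smss.exe", "services.exe", "svchost.exe", "winlogon.exe"}
# Policy values the post identifies as hampering the user and the analyst.
LOCKDOWN_VALUES = {
    "NoFolderOptions": "hides Folder Options on the Tools menu",
    "NoRun": "removes Run from the Start menu",
    "DisableRegistryTools": "blocks regedit",
    "DisableTaskMgr": "blocks Task Manager",
    "DisableConfig": "locks the System Restore configuration",
}

def parse_report(text):
    """Group report lines by section; registry entries become (path, data) tuples."""
    sections, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current and current.startswith("Values"):
            path, _, data = line.partition(": ")      # data starts after the first ': '
            sections[current].append((path, data.strip('"')))
        elif current:
            sections[current].append(line)            # file sections: plain paths
    return sections

def modified_pairs(sections):
    """Regshot lists a modified value twice in a row: old data, then new data."""
    entries, pairs, i = sections.get("Values modified", []), [], 0
    while i + 1 < len(entries):
        (p_old, old), (p_new, new) = entries[i], entries[i + 1]
        if p_old == p_new:
            pairs.append((p_old, old, new))
            i += 2
        else:
            i += 1
    return pairs

def find_lockdown_policies(sections):
    hits = []
    for path, data in sections.get("Values added", []):
        key, _, name = path.rpartition("\\")
        if name in LOCKDOWN_VALUES and "\\policies\\" in key.lower() and data == "0x00000001":
            hits.append((path, LOCKDOWN_VALUES[name]))
    return hits

def basename(p):
    return p.rsplit("\\", 1)[-1].lower()

def programs_in(data):
    """Userinit is comma-separated; IMWorm's Shell value uses a space, so split on both.
    Assumption: no program paths with embedded spaces in this report."""
    return [t for t in re.split(r"[,\s]+", data) if t]

def looks_like_masquerade(program):
    """A well-known system binary name launched from somewhere other than system32."""
    directory = program.rsplit("\\", 1)[0].lower() if "\\" in program else ""
    return basename(program) in SYSTEM_BINARY_NAMES and not directory.endswith("\\system32")

def find_winlogon_persistence(sections):
    """Programs newly added to the Winlogon Shell or Userinit values, with a masquerade flag."""
    findings = []
    for path, old, new in modified_pairs(sections):
        if WINLOGON not in path.lower():
            continue
        before = {basename(p) for p in programs_in(old)}
        for prog in programs_in(new):
            if basename(prog) not in before:
                findings.append((path.rpartition("\\")[2], prog, looks_like_masquerade(prog)))
    return findings

def find_masquerading_files(sections):
    return [f for f in sections.get("Files added", []) if looks_like_masquerade(f)]

if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for path, effect in find_lockdown_policies(report):
        print("lockdown   :", effect, "<-", path)
    for value, prog, masq in find_winlogon_persistence(report):
        print("persistence: Winlogon", value, "now launches", prog, "(masquerade)" if masq else "")
    for f in find_masquerading_files(report):
        print("dropped    :", f)
```

Run against the excerpt it reports the five lockdown values, the lsass.exe added to both Shell and Userinit (flagged because it is not in system32), and the two dropped lsass.exe copies. The old/new pairing relies on Regshot's habit of printing the before and after lines consecutively, which holds for the report above; a report with deleted values interleaved would need the "Values deleted" section handled separately.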
From the "Values modified" section we also see that the Internet Explorer home page has changed from …
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Internet
Explorer\Main\Start Page:
"http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
… to
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Internet
Explorer\Main\Start Page: "http://quicknews.info/"
From the "Files added" section we see that four files were added. Two are Prefetch entries, LSASS.EXE-0551E7A6.pf and MALWARE.EXE-03900DB2.pf, which also tell us that both the original sample and the dropped lsass.exe were actually executed. The other two are the copies IMWorm wrote to disk:
C:\WINDOWS\system\lsass.exe
C:\WINDOWS\lsass.exe
Both borrow the name of the legitimate C:\WINDOWS\system32\lsass.exe while sitting one directory off, so compare hashes against the real binary rather than trusting the file name.
Ok! That’s
enough for this entry.
References:
Open Security Training
Shell (Winlogon registry entry)