Saturday, November 18, 2017

Learning about malware persistence through the lens of IMWorm leveraging “Regshot”

In this series of posts, I’m continuing the Open Security Training materials, with this set of posts being more focused on the Malware Analysis class.

You may find reviewing the material from Open Security more beneficial. However, if you do choose to stick with this I hope you find it helpful.

In this post, we will be learning about the persistence mechanism used by IMWorm. We will leverage RegShot to expand our understanding of IMWorm’s persistence.

Similar to the previous post, in which we leveraged Autoruns and took an initial snapshot of the system, we will once again start off with an initial snapshot, this time with Regshot. The screenshot below shows the initial or “1st shot” being taken. This snapshot will then be compared with another, which will be taken after execution of IMWorm.

 

The next step was to execute “IMWorm” and take the “2nd shot” then compare the two results. The screenshot below shows the second shot being taken:
 
Now that the second shot is taken, it’s time to “Compare” the “1st shot” and “2nd shot”, as shown below:
 

The comparison produced the following:

Created with Regshot 1.9.0 x86 ANSI
Comments: SecurityNik - Before IMWorm Snapshot
Datetime: 2017/8/6 03:55:40 , 2017/8/6 03:59:55
Computer: SECURITYNIK-XP , SECURITYNIK-XP
Username: SecurityNik , SecurityNik

Keys added: 13
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\SOFTWARE\Microsoft\DownloadManager
HKLM\SOFTWARE\Policies\Microsoft\Windows NT
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Policies\Microsoft\Internet Explorer
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo\pager
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo\pager\View
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo\pager\View\YMSGR_buzz
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo\pager\View\YMSGR_Launchcast

Values added: 17
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions: 0x00000001
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Grzc\znyjner-fnzcyrf_cnffjbeq-vf-vasrpgrq\VZjbez\znyjner.rkr: 03 00 00 00 06 00 00 00 A0 58 31 1C 68 0E D3 01
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings: 3C 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 92 D5 1D 68 0E D3 01 01 00 00 00 0A 00 00 65 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 92 D5 1D 68 0E D3 01 01 00 00 00 0A 00 00 65 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Temp\malware-samples_password-is-infected\IMworm\malware.exe: "malware"
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-22914: "Contains letters, reports, and other documents and files."
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31253: "Moves the selected items to the Recycle Bin. If you want to recover them later, go to the Recycle Bin."
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31371: "Sends an e-mail message with copies of the selected files, or the files within a selected folder."
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel\Homepage: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo\pager\View\YMSGR_buzz\content url: "http://quicknews.info/"
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Yahoo\pager\View\YMSGR_Launchcast\content url: "http://quicknews.info/"

Values modified: 6
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 7A A3 C4 33 88 E3 52 BA 76 54 40 CA 16 B2 06 3E 17 99 12 EF EA 15 6D 37 EB 89 A7 FE 65 59 6E 02 CA 1C EF 55 F9 47 AF EC C4 98 C3 57 64 21 1E 89 01 51 D2 C0 40 BF F8 09 E9 00 DB CC 98 61 F9 A2 AB 45 BC 4E 9D DA 0D 0D 1A 44 C0 FD 95 61 38 4E
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: DB D4 00 37 7D 70 20 A5 C2 75 A2 84 A7 6F AE B5 C3 0B 07 57 BF FA 82 C6 31 20 60 85 52 58 87 E8 1E A5 0C 4C C8 82 61 81 2C 61 82 E4 17 F9 22 ED 61 A6 FD 3B 7F 47 8F B8 E9 7C E0 AF 75 0B F7 7E AB 11 F9 4A 38 9B 83 4F 6A B3 7C 80 35 B5 0F 24
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "explorer.exe C:\WINDOWS\system\lsass.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "userinit.exe,C:\WINDOWS\system\lsass.exe"
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Internet Explorer\Main\Start Page: "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Internet Explorer\Main\Start Page: "http://quicknews.info/"
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 03 00 00 00 0F 00 00 00 A0 0C C3 F6 65 0E D3 01
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 03 00 00 00 10 00 00 00 A0 58 31 1C 68 0E D3 01
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy: 0x00000000
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy: 0x00000001

Files added: 4
C:\WINDOWS\Prefetch\LSASS.EXE-0551E7A6.pf
C:\WINDOWS\Prefetch\MALWARE.EXE-03900DB2.pf
C:\WINDOWS\system\lsass.exe
C:\WINDOWS\lsass.exe

Files [attributes?] modified: 3
C:\WINDOWS\system32\CatRoot2\edb.chk
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
C:\WINDOWS\system32\config\software.LOG

Total changes: 43

Deviating from the persistence mechanism for a second to identify some other interesting points, we see the following.

From above, we see that 13 Registry “Keys” were added. If we look at the last 2 of the 13 entries in more detail, we see they both have a value of “content url REG_SZ http://quicknews.info/”, as shown below:

 
Focusing on the “Values added”, the ones that stand out immediately are …
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions: 0x00000001

This corresponds to the policy “Remove the Folder Options menu item from the Tools menu”. If we remember, in the previous post we were unable to view the folder options. This was the reason why.


… and …
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun: 0x00000001

This corresponds to the policy “Remove the Run menu item from the Start menu”.

… and …
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools: 0x00000001

This corresponds to the policy “Disable Registry Editing tools”. If we remember, in the previous post we were unable to run “regedit”.


HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 0x00000001

This corresponds to the policy “Disable Task Manager”.


Going back to the persistence mechanism, we see:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "explorer.exe C:\WINDOWS\system\lsass.exe"

In the first entry we saw only “Explorer.exe”; in the second entry we also see “C:\WINDOWS\system\lsass.exe”. The “Shell” value specifies the program which provides the user interface, and it is started by the program named in the “Userinit” value, shown below.



HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "userinit.exe,C:\WINDOWS\system\lsass.exe"

Similarly, in the first entry we have "C:\WINDOWS\system32\userinit.exe," while in the second entry “C:\WINDOWS\system\lsass.exe” has been appended.

The “Userinit” entry specifies which programs get executed upon user logon.
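The Regshot comparison above can be checked mechanically. The example below is added here and is not part of the original post or of Regshot: it parses a constructed excerpt of the report in Regshot's "path: value" format (the excerpt reuses the Winlogon and Policies lines shown above), pairs each modified value with its old and new state, and flags the Winlogon Shell/Userinit rewrites together with the user-lockout policy values from the “Values added” section. The expected defaults (Shell = "explorer.exe", Userinit = only userinit.exe) and the policy name list are this example's own assumptions.

```python
import re

# Regshot section headers, e.g. "Values modified: 6" or "Files [attributes?] modified: 3".
SECTION_RE = re.compile(r"^(Keys|Values|Files(?: \[attributes\?\])?) (added|deleted|modified): \d+$")
# Assumed list of lockout policies worth flagging (the four seen in the post).
LOCKOUT_POLICIES = {"NoRun", "NoFolderOptions", "DisableRegistryTools", "DisableTaskMgr"}

# Constructed excerpt of the Regshot comparison shown in the post (not the full report).
REGSHOT_TEXT = r"""
Values added: 4
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 0x00000001
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000

Values modified: 2
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "explorer.exe C:\WINDOWS\system\lsass.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "userinit.exe,C:\WINDOWS\system\lsass.exe"
"""


def parse_regshot(text):
    """Return {section: [(path, value), ...]}; modified values keep old-then-new order."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            current = line.rsplit(":", 1)[0]
            sections[current] = []
        elif current and ": " in line:
            # Paths may contain "C:\" but never ": ", so the first ": " ends the path.
            path, value = line.split(": ", 1)
            sections[current].append((path, value.strip('"')))
    return sections


def winlogon_findings(sections):
    """Flag Shell/Userinit values that deviate from the assumed defaults and lockout policies."""
    findings = []
    modified = sections.get("Values modified", [])
    # Regshot lists each modified value twice: first the old value, then the new one.
    for (path, old), (_, new) in zip(modified[::2], modified[1::2]):
        if path.lower().endswith(r"winlogon\shell") and new.lower() != "explorer.exe":
            findings.append(("Shell", old, new))
        if path.lower().endswith(r"winlogon\userinit"):
            extra = [p for p in new.split(",") if p and not p.lower().endswith("userinit.exe")]
            if extra:
                findings.append(("Userinit", old, new))
    for path, value in sections.get("Values added", []):
        key, _, name = path.rpartition("\\")
        if "\\Policies\\" in key and name in LOCKOUT_POLICIES and value == "0x00000001":
            findings.append(("Policy", name, value))
    return findings
```

Running `winlogon_findings(parse_regshot(REGSHOT_TEXT))` yields the two Winlogon rewrites followed by the three lockout policies, while the ProxyEnable line is left alone.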


From the “Values modified” we see below that Internet Explorer home page has changed from …
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Internet Explorer\Main\Start Page: "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"


… to
HKU\S-1-5-21-1715567821-507921405-1060284298-1003\Software\Microsoft\Internet Explorer\Main\Start Page: "http://quicknews.info/"



From the “Files added” section, we see 4 files are added. 2 of these are prefetch entries, while the other 2 are related to “IMWorm”. These files are:
C:\windows\system\lsass.exe
C:\windows\lsass.exe

Ok! That’s enough for this entry.

