Monday, July 9, 2018

Host based threat hunting with Australia's Cert DensityScout and Sysinternals's Sigcheck

In this post, I'm looking at using a two different tools to detect the known unknowns. Basically, I will be doing some host based threat hunting. The known in this case refers to files which are known to be malicious. This can be as a result of AntiMalware vendors, VirusTotal, etc.. classifying these files. However, the unknown refers to me not being aware of these being malicious files. Specifically, the tools we will review are Australia Cert DensityScout and Microsoft Sysinternal sigcheck. These tools will help us to identifies anomalies.

As always with any tool you use, you first should look at the help, man page or any other documentation to get an understanding of what the tool does. In our case, there is also good documentation online as shown in the reference section.

To get the help, you can run densityscout without any arguments. It is recommended if you are on a 64 bit windows system to use the x64 version of densityscout.

E:\Tools\densityscout_45\win64>densityscout.exe -pe -p 0.1 -l 0.1 -o c:\tmp\densityscout-results.txt -r c:\


From above, the options are as follows:
-pe -> focus on files that has the PE header. that is the "MZ" signature in its first 2 bytes.
-p 0.1 -> print on the screen files that have a density lower than 0.1
-l 0.1 -> only files that have a density lower than 0.1
-o c:\tmp\densityscout-results.txt -> The output file to which the results should be written
-r c:\ -> start at the root of the C drive and recurse through all sub-directories

After the tool finishes running, we see our file has been created.
E:\Tools\densityscout_45\win64>dir c:\tmp\densityscout-results.txt

 Volume in drive C has no label.
 Volume Serial Number is 080B-A369
 Directory of c:\tmp

2018-06-07  11:21 PM            14,046 densityscout-results.txt
               1 File(s)         14,046 bytes
               0 Dir(s)  44,528,136,192 bytes free


I then moved this file to my analysis machine to sort the value from lowest to highest.
$ sort densityscout-results.txt --reverse > densityscout-results-sorted.txt
$ cat densityscout-results-sorted.txt | more
(0.09947) | c:\Program Files\Microsoft Office\Office16\1033\MSOUC.HXS
(0.09709) | c:\Users\All Users\PCDr\6875\AddOnDownloaded\d1381de6-f6df-4c78-9412-f365e1907833.dll
(0.09709) | c:\ProgramData\PCDr\6875\AddOnDownloaded\d1381de6-f6df-4c78-9412-f365e1907833.dll
(0.09167) | c:\PortablApps\PortableApps\YUMIPortable\App\YUMI\YUMI.exe
(0.09061) | c:\Program Files\Microsoft Office\Office16\1033\GRAPH.HXS
(0.09008) | c:\Windows\SoftwareDistribution\Download\9f24bc49f22b4a2eda1267a5c08b0903\amd64_Microsoft-Windows-EditionP
ack-Enterprise-Package~~AMD64~~10.0.17134.1\amd64_windows-defender-am-sigs_31bf3856ad364e35_10.0.17134.1_none_a2054a63
84cba550\mpasdlta.vdm
(0.08639) | c:\Windows\WinSxS\amd64_microsoft-windows-p..urepassword-library_31bf3856ad364e35_10.0.16299.15_none_33fba
22d1a24c307\Windows.UI.PicturePassword.dll
(0.08639) | c:\Windows\System32\Windows.UI.PicturePassword.dll
(0.08273) | c:\Users\Security Nik\AppData\Roaming\PCDr\Repair\BundleApplicationRepairTool.exe
(0.08273) | c:\home\SecurityNik\AppData\Roaming\PCDr\Repair\BundleApplicationRepairTool.exe
(0.08245) | c:\Users\All Users\Comodo Downloader\cis\download\installs\5080\xml_binaries\ise\ise_installer.exe
(0.08245) | c:\ProgramData\Comodo Downloader\cis\download\installs\5080\xml_binaries\ise\ise_installer.exe
(0.08181) | c:\Users\All Users\Comodo\ISE\ise_installer.exe
(0.08181) | c:\Users\All Users\Comodo\Installer\ise_installer.exe
(0.08181) | c:\Users\All Users\Comodo Downloader\cis\download\installs\5140\xml_binaries\ise\ise_installer.exe
(0.08181) | c:\ProgramData\Comodo\ISE\ise_installer.exe
.................

Now that we have the densityscout data, let's now transition to leveraging Sigcheck.

Running sigcheck:

E:\Tools\SysinternalsSuite>sigcheck -e -c -u -h -vr -s c:\ > c:\tmp\sigCheck.csv
-e -> Scan executable images only
-u -> show only unsigned files
-h -> generate file hshes
-i -> Show the catalog name and signing chain
-vr -> Submit to VirusTotal and open a report via the browser for hahses found to be a malware
-s c:\ -> while searchig the C drive, recurse through the subdirectories
> c:\tmp\sigCheck.csv -> Instead of putting the output on the screen, redirect it to a file named sigCheck.csv

Taking a snapshot of the output from Sigcheck, we get:
E:\Tools\SysinternalsSuite>type c:\tmp\sigCheck.csv | more
Path,Verified,Date,Publisher,Company,Description,Product,Product Version,File Version,Machine Type,MD5,SHA1,PESHA1,PESHA256,SHA256,IMP,VT detection,VT link
"c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\1031\TrackerUI.dll","Signed","11:30 PM 2017-10-19","Microsoft Corporation","Microsoft Corporation","TrackerUI","Microsoft« Build Tools«","15.0.27019.1","15.0.27019.1 built by: D15REL","32-bit","F29E0E408814D42D57DF21716CD639F5","EE068C956AA94D6D142671BE0587451A0B607F04","7C625DB9CC169B46DA3A2A5CEF7AE898B08912F9","317A7B6ED6BC09E428C40B32E93E28F8CC60EE9B4165FA615A4CEA02541066F2","9AB44675F42B0D6037495FAF00258CA560F7EAA7F19AD0087A8D96C6D4290F2A","n/a","1|66","https://www.virustotal.com/file/9ab44675f42b0d6037495faf00258ca560f7eaa7f19ad0087a8d96c6d4290f2a/analysis/"
"c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\amd64\de\MSBuildTaskHost.resources.dll","Signed","6:06 PM 2017-12-04","Microsoft Corporation","Microsoft Corporation","MSBuildTaskHost.exe","Microsoft« Build Tools«","15.5.180+ge4c819961e","15.5.180.51428","32-bit","493F30FA92F8A9328EB0FE7602D14967","6EDAA34EAC59C858A1B73D28064B182BD2CF020B","E14F7B38A666BE9E85E3C49B890C959952091E7C","80AA7F9B2E3537B481CAFC211A6E5D782F2447B3BF3BC4CE6B6501C1791AAEB7","B732893B0A3965E831F6B2B7A06A3216137CEBE1D3309F1653107DC564EA13C8","DAE02F32A21E03CE65412F6E56942DAA","1|65","https://www.virustotal.com/file/b732893b0a3965e831f6b2b7a06a3216137cebe1d3309f1653107dc564ea13c8/analysis/"
............


From the data returned from Sigcheck, the first thing I did in the interest of time, was to sort the data by the VirusTotal column, to understand VirusTotal ratings of the files starting from highest to lowest.


To achieve my objective, I started off by using the Linux sort utility on the 17th field as the key. However, for whatever strange reason I was not getting the results I expected. This is why we should always be aware of different ways of receiving the same results. As a result, I used "awk" to rewrite the fields so that the 17th column could move to the first and the first moved to the second.

The command below starts by first reading the file Sigcheck.csv. Next a grep was made for the string "Unsigned". This allows us to focus only on the returned results which are unsigned. This was then followed by the awk command to print the 17th and 1st field. Finally, the 12th field is moved to field 3. From the results returned, this was then followed by a grep using perl regular expresion looking for the first column that does not start with the number 1. From the results returned, it was then sorted to keep VirusTotal highes match rate at the top.


$ cat Sigcheck.csv | grep "Unsigned" | awk --field-separator=, '{ print $17","$1","$12 }' | grep --perl-regexp "^[^1]*\|\d+" | sort --uniq --reverse
"4|67","c:\VTRoot\HarddiskVolume2\Portable Apps\PortableApps\HDHackerPortable\App\HDHacker\HDHacker.exe","5C2D22AAC32335E5F29898473EAEF9D21B38EDD7"
"3|66","c:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vde5ed89a#\457b4a4c20bed2246e03f1f9e5eaa1a5\Microsoft.VisualStudio.Utilities.Internal.ni.dll","D4B3C929D755B7AD9AAE5D6C64081DE5BD5E4060"
"2|68","c:\VTRoot\HarddiskVolume2\Portable Apps\PortableApps\IObitUnlockerPortable\App\IObitUnlocker\SysLegacy32\IObitUnlocker.sys","2446597BD4FD1F67657425310BEC5DB5614A8616"
"2|68","c:\VTRoot\HarddiskVolume2\Portable Apps\PortableApps\FreeUPXPortable\App\FreeUPX\upx394.exe","747159A347C12D394E9576167C234D7DB3D9AB0A"
"2|66","c:\VTRoot\HarddiskVolume2\Portable Apps\PortableApps\ConverberPortable\App\Converber\Converber.exe","38EF4F2313BF0670B845907F089D5B2873A65F32"
"2|65","c:\VTRoot\HarddiskVolume2\Portable Apps\PortableApps\FreeUPXPortable\App\FreeUPX\upx393.exe","73AC17C4301274342E69A32E25C2CA2FB84D985B"

Now that we have the results from Sigcheck analysis, let's now see if any of these results also show up in the densityscout report. Leveraging our analysis machine again, we have.


$ cat densityscout-results-sorted.txt | grep --perl-regexp --ignore-case "(HDHacker|IObitUnlocker|upx394|upx393|Converber)"
(0.07310) | c:\VTRoot\HarddiskVolume2\Portable Apps\PortableApps\HDHackerPortable\App\HDHacker\HDHacker.exe
(0.07310) | c:\PortablApps\PortableApps\HDHackerPortable\App\HDHacker\HDHacker.exe
(0.03109) | c:\VTRoot\HarddiskVolume2\Portable Apps\PortableApps\FreeUPXPortable\App\FreeUPX\upx393.exe
(0.03109) | c:\PortablApps\PortableApps\FreeUPXPortable\App\FreeUPX\upx393.exe
(0.02833) | c:\VTRoot\HarddiskVolume2\Portable Apps\PortableApps\FreeUPXPortable\App\FreeUPX\upx394.exe
(0.02833) | c:\PortablApps\PortableApps\FreeUPXPortable\App\FreeUPX\upx394.exe

Since we have matches across the two files, we can start with now putting the hashes in VirusTotal or another other site that does this type of analysis and start getting a better understanding of what the file does.

Obviously at this point if there are concerns about these files, they should be removed from your system. Alternatively, you may want to update your own Antimalware solutions and perform a scan to see if it detects these files as malicious. Additionally, you may choose to run it in a confined environment to perform your own analysis.

Ok. That's it for this post. Hope you enjoyed it.


References:
https://www.cert.at/downloads/software/densityscout_en.html
https://docs.microsoft.com/en-us/sysinternals/downloads/sigcheck
https://stackoverflow.com/questions/4105956/regex-does-not-contain-certain-characters
https://www.gnu.org/software/gawk/manual/gawk.html
https://regexone.com/lesson/excluding_characters

2 comments: