Helpful Navigation Toolbar

Wednesday, August 26, 2015

Publicly announcing buatapa!!


Hello again readers and welcome back! Today's blog post is going to cover a small script that I developed called "buatapa". This was meant to be released several months ago, but steady case work has kept me busy. I finally carved out some development time to finish up this blog post and push it out publicly at long last!


buatapa

According to the magic of Google Translate, "bua tapa" is the Irish Gaelic translation of the phrase "quick win". 



The phrase "quick win" translated to Irish Gaelic, thanks to Google Translate!


I decided to call my (GASP!) first publicly released Python script "buatapa" for a couple of reasons, with the main reasons being that it is very heavily based off of Brian Baskin's noriben personal malware sandbox, so I wanted to have a cool name for it as well. The results of this script have the potential to indeed give you a "quick win" with trying to find malware on a Windows system.


What buatapa does

The purpose of this script is to collect the data and then run the script against the collected data from a second machine (rather than performing the VirusTotal queries from the suspected compromised system itself) in case there is no network connectivity on the suspected compromised system (like a secured environment, POS environment, etc.) It simply works by parsing the results of autoruns.csv that is generated by Sysinternals autoruns on a Windows system. The script finds Unicode characters, anything that resembles a poweliks Registry entry, and anything that does not have a signed certificate. It then attempts to perform a VirusTotal hash lookup for any files with abnormal characters and unsigned entries and returns the results in an easy to read text file. 



How to set up buatapa

The first thing that is required to get the fullest functionality is to get a VirusTotal API. You can get your public API by heading over to VirusTotal and signing up for an account, if you do not already have one. 

Once you have your account, login to VirusTotal and choose the option under your username of "My API key"



"My API key" option on VirusTotal

When you choose that option, you will be presented with a page like this, which contains your API key. 


Page with your API key, settings, and rate limits

Note that the public API has rate limit queries, which are built into the script automatically (rather than running four in a minute and then waiting for 60 seconds; I chose to do one query every 15 seconds. You can of course modify the script to change the sleep time and query rate if you would like).

Highlight your API key and input it into the script. (It is the exact same code as Noriben, so if you are familiar with that, you should be familiar with this.)


Copy the API key to here (or here) in the script (buatapa and/or noriben)

It is very important to also install the "requests" Python library to your Python distribution if you have not already. I once again defer to Brian Baskin's Python experience (which admittedly dwarfs my own) as he stated:

"Without Requests it cannot do VirusTotal queries. That's the only internet-based functionality. So you have to install requests ("pip install requests")...Requests is the HTTP library that I use. The built-in Python libs are horrible."

So, make sure that you type in run the command 'pip install requests' from a command prompt before you run buatapa or noriben, in order to get the internet functionality that is needed to run the scripts!!


Type in 'pip install requests' from a command prompt to install Requests


Running buatapa


You will have to have Python either natively installed on your system or be running something like Active State Python in order to run buatapa. In order to run buatapa, simply open a command prompt and give the path of where the buatapa script resides. The script will automatically create the output text file in the directory the script was run from, so make sure you have read/write permissions to that directory. For example, don't run it from C:\Windows\System32 unless you open the command prompt with Administrative privileges. You must give the script the "-c" argument to open the autoruns.csv file. 


The results from running buatapa (NOTE: The script is name "personal_buatapa.py" because it has my API key in it)

You do not have to use the Live Response Collection to create the autoruns.csv file (although I did include the output in the latest update, to make life easier for you if you do), however you do indeed have to have the output of autoruns saved as a csv for buatapa to process the file. The text output of autoruns, while easier for human reading, is more difficult to parse and correlate than the csv version.


Results from buatapa

The results are saved as a text file, named "$DATE_$TIME_buatapa_output.txt" (for example 20150825_181703_buatapa_output.txt), with all of the information that autoruns collects about the suspected entry presented in an easy to read text format. If a VirusTotal hit is found, the scan date, detection ration, and VirusTotal report URL will be presented at the very top of the entry. 


Screenshot of a snippet of the buatapa output


buatapa (by default) only looks at unsigned entries, but it also attempts to identify abnormal Unicode characters (anything that is not Windows CP-1252) as well as trying to look for entries that are similar to poweliks. You can change the defaults by giving the script different arguments, which can be seen the -h or --help flag.


buatapa usage



buatapa is by no means meant to replace in-depth analysis; it is meant to provide a faster and easier way to identify potentially compromised systems. buatapa will likely not be able to identify incredibly well-hidden rootkits, digitally-signed malware or never seen before malware, as it is not meant to do that. It is meant to rapidly provide an easy to read list of files that have been identified by VirusTotal as likely being malware that is set to automatically run in an area recognized by autoruns. It will provide you a "quick-win" in identifying the "low hanging fruit" malware. 


As I have said many times in the past (and will continue to say many times in the future) the malware will only be as sophisticated as it needs to be in order to gain access to the data your adversaries are after. If a piece of malware originally written four years ago can steal every credit card transaction in your environment, the adversary will use it. They will not use their "next generation Cloud 2.0 automatic exfiltration memory-only kernel-level rootkit" malware in the event that it might actually get discovered in an environment where very basic malware would suffice. Remember the third party vendor used by Goodwill to process payments last year? The malware that was allegedly used in that compromise displayed every single transaction in a command prompt window and had no method of persistence. If the window had simply been closed by ANY individual, even by accident, or if the system was rebooted, the compromise would have stopped. Hardly "advanced" or "sophisticated", but the malware allegedly ran for 18 months and resulted in 868,000 compromised credit cards.




buatapa.zip - download here

MD5: 0f88d739e019482e28edb4d7b9bfee45
SHA-256: 458fe572249757d16c5c325a85370481cba8a62fa276aabe872500d21acd62fb

Version 0.0.5
Updated: August 26, 2015


If you encounter any bugs or any have suggestions or feedback on the tool, please do not hesitate to let me know!










Thursday, August 20, 2015

...at long last, updates to the Live Response Collection!!



Hello again readers! I am happy to announce, after many long months in development (and due to a pretty busy six months, about six months later than I had originally planned) an updated version of the Live Response Collection is available!


The first item that you will probably note is the Windows folder looks very different. I wanted to provide a cleaner look for users, so when you run the LRC against a system it is easier to find the output folder. By having four main folders, instead of about 35, the results will be much easier to see. I moved all of the "tools" into the folder cleverly named "Tools", and all of the scripts into the similarly cleverly named folder "Scripts". While this does not change the function of the tools, it does slightly change file paths leveraged by the old scripts, so you will have to update any custom changes that you made for your environment.


New Windows folder structure



Within the "Scripts" folder I also began the process of what I am calling "Modules", which I started for several reasons. Since all six scripts share a lot of code and functionality, I wanted to reduce the overall size of each file by leveraging code that they share. It makes the maintenance and updates for the LRC easier. It also allows easier user customization, because instead of trying to figure out which large section of code they want to use (or not to use) you can just choose to skip a module completely if you don't want it by replacing the name within the code itself. I plan on writing a future post in the future detailing just how easy it is to write a customized module, complete with a breakout of the variables that the script(s) rely on, so users can add functionality and features easier than ever (<hint hint> and hopefully you share them for inclusion into a future LRC release!)


The beginnings of LRC "modules". There will be more!

As I stated, the overall functions of the LRC did not change terribly much, some Startup folder hashing was added as well as also saving autoruns output to csv, which will be touched on in my next blog post. The next post will also be the publich release of a tool that is also several months in the making, but also several months later than I had originally anticipated to release it. 




LiveResponse.zip - download here

MD5: 8a6ff9be12f4b06dfd0cde08997592b9
SHA-256: e9976375d226e50fe705891bfc4f249abf09d24aa7da5cea27d63c4c7aec5953


Updated: August 20, 2015







Tuesday, July 14, 2015

Gardening, cyber security, and YOU!


Hello again readers! We spent the first week of July on vacation in North Carolina and then I spent a few days last week at the SANS DFIR Summit in Austin. I was going to write a small recap of the DFIR Summit but I think Matt Bromiley summed it all up pretty well in his post and I don't have much more to add, other than my favorite part of the DFIR Summit is actually seeing friends and colleagues in person and of course the sheer amount of networking opportunities. I personally would like to see more time allotted for networking, but there are so many quality presenters that it would be a shame to have fewer presentations.


This blog post is going to cover some additional thoughts that I had on the impromptu Incident Response panel on which I participated, led by Brian Carrier, and also included Frank McClain and Rob Wallace. One of the comments that I made regarding expensive cyber security tools was akin to "you can buy a screwdriver, but you cannot set it on a table and have it magically build you a house". Likewise, it doesn't matter how effectively written or well-thought out a tool is, at the end of the day, it is simply a tool. The functionality and quality of information (or work) that is produced by that tool is entirely dependent on the human that uses it. I could buy the most expensive, top-of-the-line, hammers, screwdrivers, saws, levels, shims (also a type of cache), nails, screws, and so on, but at the end of the day I do not have the skills needed to build a house. In fact, building Lego sets is about the extent of my construction capabilities. 


Unfortunately a lot of vendors market their tool(s) as an "end-all-be-all solution". A lot of decision makers for businesses see this and decide to buy the latest and greatest tool but do not make any investment into the needed individuals to really harness the power of the tool. (My Cyber-Business-Guru/friend, Jack, would note that the mistake is assuming that the tool is a cost-savings over hiring expensive personnel.  You Must Have Both!A good parallel with this can be made regarding our garden and our time away from home over the past few weeks; as you often come back to a garden that is completely unrecognizable from the one that you initially had.


Imagine that a vendor salesperson comes in and pitches the "EXTREME Cyber Security Protector 3000XL" as being able to "stop threats before they happen, in real-time, allowing instantaneous cyber security protection....(and a few other random buzzwords...synergy...end-to-end solution, cost savings, win-win, force multiplier...)". Of course the salesperson makes a great presentation (otherwise they would not be in sales long) and management decides to buy it.






Sure, initially the tool may work fine, but these tools are never meant to be a "set it and forget it" solution. The same can be said about our garden. We kept up on doing regular maintenance, watering, and weeding our garden up until we went on vacation, so it looked similar to this despite our "purchase"* of the most expensive wheelbarrow that I could find:



Newly planted garden. Retrieved July 13, 2015 from http://www.livecreativelyinspired.com/wp-content/uploads/2014/07/marigolds-newly-planted-in-the-vegetable-garden.jpg


So far, so good, right? Well, we got quite a bit of rain it rained Miracle Grow for weeds while we were gone, and upon returning home we got even more rain on a regular basis. Due to all of the precipitation, we did not have an opportunity until this past weekend to perform the needed upkeep to get rid of the weeds and ensure we have a nice garden with the flowers and shrubs that we want, not milkweed, $#&%*! kudzu, and other weeds that we do not want. 



But ... we bought an expensive wheelbarrow. How did this happen??  Retrieved July 13, 2015 from http://www.waldeneffect.org/20100716garden2.jpg

I think that this is a perfect parallel; as we have to perform regular maintenance on the garden to ensure that we have the plants that we want (ie our network, our data,) or else we end up with something that is overrun with weeds and out of control (malware, toolbars, scareware). Having a good team of individuals helping ensure your "garden" (network and devices) is secure, regardless of the tool(s) that is used is much more rewarding in the long run than spending large amounts of money on tools that just sit there and are rendered ineffective in a short period of time. In the end, it isn't about buying the fully automated, ridiculously expensive wheelbarrow, it is about the humans who filled it with the all of the unwanted items that were running rampant in our garden




Now where do you want this malware (weeds)?  Retrieved July 13, 2015 from http://www.summerhouseart.com/blog/wp-content/uploads/2010/03/weed-wagon.jpg

*FULL DISCLAIMER: We did not really purchase the battery powered wheelbarrow and the photos above are not of our garden or our wheelbarrow. 





Tuesday, June 16, 2015

How to Have that Awkward Conversation




Hello again readers!! Today's post is the first (but most certainly not the last) "guest post" in which friends and colleagues can share their experiences and insights and give alternate perspectives on digital forensics, incident response, and information security. 

Today's post is authored by my friend "Jack" who has much more experience (and an MBA) on the "business" side of forensics and incident response than I ever will (and let's be honest, I also will never have an MBA). "Jack" may or may not also be in the Witness Protection Program, but the OPM data breach might change that.....

(PS: Apparently cat memes are the number one attraction to blog posts, according to 87 out of 100 business professionals. The other 13 were no doubt scouring the internet for other pictures of cats.)





How to Have that Awkward Conversation

By: "Jack"


NO, not the “It’s not you; it’s me!” one.  The one where you tell your employees (or clients!) that you’ve been hacked, their information is who-knows-where, and oh by the way, you’ve got no idea how the bad guys even got in.  You know. THAT one.  

I’m not going to sugarcoat this.  It’s going to be painful.  It’s going to be embarrassing.  But just like adults always tell kids, it is better to hear it directly from you.   If the news media or banking institutions are notifying victims instead… oh boy; it’s a public relations nightmare.  

First rule of Data Breach Club: Talk first and say it loud.  No one likes being indoctrinated into Data Breach Club, but I’ll let you in on a little secret:  It’s not an exclusive membership.  You’re either in the club, or you don’t know you’re already in the club.    



    

If you are upfront and honest, chances are better that you might maintain the relationships your organization has with its employees, partners, and clients.  Further, you may not have a choice about public disclosure, or private disclosure, depending on contracts you have with clients.  Depending on the laws where you operate, you may be obligated to provide full disclosure within a certain time period.  Most state breach notification laws don’t specify what your notification should include; however there are some minimum guidelines which we attempt to cover in our samples below.   

In the State of Maryland for example, the Attorney General’s website says the following about data breach notifications:


Once a security breach is detected, a business must conduct in good-faith a reasonable and prompt investigation to determine whether the information that has been compromised has been or is likely to be misused, i.e. for identity theft. If the investigation shows that there is a reasonable chance that the data will be misused, that business must notify the affected consumers. 
In the event of a security breach, notice must be given to consumers as soon as reasonably practicable following the investigation. A business may delay notification if requested by a law enforcement agency or to determine the scope of the breach, identify all the affected individuals or restore the integrity of the system. Notice to affected consumer must be given in writing and sent to the most recent address of the individual, or by telephone to the most recent phone number. Notice may be sent via e-mail if an individual has already consented to receive electronic notice or the business primarily conducts its business via the Internet. The law also contains a provision for substitute notice, allowing a business to provide notice of a security breach by e-mail, posting on its website and notice to statewide media if the cost of notice would exceed $100,000 or the number of consumers to be notified exceeds 175,000 individuals.  (https://www.oag.state.md.us/idtheft/businessGL.htm)

Searching online for “data breach disclosure laws AND [your location]” should net you some relevant results.  When in doubt, call a lawyer that specializes in data breaches.  If the Google can’t find one, your local Bar Association should be able to assist you.  






So how do you begin that notification email?  Your letter should contain some version of the following:
[ ] denote areas where you should fill in the blank


Part I—Introduce the Problem and Accept Responsibility:  You need to be upfront and honest; if you have a lawyer advising differently, find a new lawyer (Preferably one you suspect has a secret identity and fights crime at night using heightened senses resultant from a hazardous chemical spill; but I suppose if you can’t find one, any ethical data breach lawyer will do.)  If you don’t know something, say so.  Trying to hide the fact that you don’t know something just makes you look like you are hiding something, which is usually assumed to be more sinister.  Also, please don’t place blame on nation-states for a mess of your own creation; you’ll end up looking ridiculous and becoming the Poster Child of “What NOT to do”.        

“We are contacting you because on [insert discovery date] we discovered a serious cyber-security incident that occurred between [Start Date] and [End Date] that involved a breach of your [personal information, such as medical records, credit card numbers, passwords, etc…].  At this time we do not believe that [other personal information] was accessed.  We know you have trusted us with your information and we take that trust seriously. We take full responsibility for this incident and we will work tirelessly to resolve it quickly and completely.”

And if you delayed in sending notifications to victims, say why:

“In accordance with applicable laws, we delayed notification of affected parties by 30 days, due to an official request by law enforcement.”


Part II—Here’s What Is Happening Now:  This is where you tell them what you are doing do fix this problem.  (Not diverting attention, not doing just enough to get regulators off your back, not putting on a show to restore stock prices, not doing the minimum for regulatory compliance or limiting your liability.  Actually fixing the problem.  Let me say it again for dramatic effect:  Actually.Fixing.The.Problem.)  





You’ll want to (or be required to) at least cover what you did to stop the attackers, what you are doing to clean-up the breach, and what changes you will make in the future.  Your notification should say some version of the following, pick and choose based on your circumstances:  

“Upon discovery we immediately blocked the offending IPs and shut down all out-bound traffic.  We have begun the process of finding compromised machines.”

“We brought in cyber-security experts to investigate and fix this problem entirely and to ensure that we are more secure in the future.”  

“We advised the credit reporting bureaus and banks of this incident. We are offering a free credit report to every affected party, and here’s how to do that. [Instructions here.]”  

“We are cooperating fully with law enforcement and an investigation is on-going.  There will be full participation and transparency during the investigation.  Employees will be contacted in person if their assistance is required.  Do not provide any personal information, account numbers or passwords to any unverified person via email or on the phone, now or ever.”

“We are currently dedicating money to invest in our IT infrastructure, our security personnel, and monitoring tools so that attacks in the future are thwarted.”


Part III—Here’s What the User Has to Do:  This is where you tell your employees, clients, customers, and/or Partners what they need to do.  You must be exceedingly firm about password changes and policy enforcement while at the same time making this VERY easy for them.  It’s a huge component of rebuilding trust and being transparent throughout the process.  You’ll want to take note of the inclusion of an attachment, which should detail cyber-security best practices that they can use at work or at home.      

“You will be required to choose a new password before you can log into your account.  Everyone must do this, from the newest employee to the CEO of the company—even every member of the IT team to include admin accounts.  It may NOT be the same password as last time.  Your password will be required to have upper and lower case letters, a number, and a symbol.  You cannot use dictionary words.  It must also be at least 8 characters in length.  We apologize for the inconvenience, but this is a very important part of information security.  It removes the attacker’s access to our network.  Thoroughness of this step is paramount. 




“You may wish to place a fraud alert or freeze on your credit report, which you can do by contacting the three major credit reporting bureaus, Equifax, Experian, and TransUnion [insert contact info here].  Be aware that you will not be able to borrow money or open a new credit card until you lift the freeze.”

“If your bank has not contacted you about replacing your cards, you may wish to proactively call them and ask for a replacement card.”

“We recommend following industry standards and best practices when it comes to cyber security.  The attached document details steps you can take to better protect yourself from online threats, both professionally and personally.  There is even a section included that focuses on online safety for kids and teens.”  



Part IV—We are Here to Help You:  This is where you point people to your public relations team, who in turn can run point between the employees/clients/partners and the legal team, technical team, management team, etc…  






What?  You don’t have a public relations team/person?  Didn’t anyone tell you that this is a key part of a data breach incident? This is one of those indirect costs of data breaches that no one ever considers during the risk management process.  Yes, it will cost money; you didn’t think data breaches were cheap did you?  Please note the inclusion of a toll-free number and the promise of regular updates.  We define “regular” as at least every two weeks.    

“If you have any questions or concerns, you may contact our offices at: [1-800-555-5555] or email us at [company@ourcompany.com].  Our website: [www.ourcompany.com] will be updated with the latest information as our investigation continues.”

“Again, we apologize for this incident and any inconvenience this causes.  We value your trust and we are committing all resources to resolving this incident quickly and completely, so we can get back to [insert mission statement or “what you do” here].

Sincerely,
[Highest ranking person in your company]


No, I’m not kidding.  Your lawyer should not sign this for you.  Nor should your 3rd party data breach management company.  Not your PR firm, not the head of IT, and definitely not something cutesy like your mascot (even if your mascot is one of the cats in this blog post).  And for crying out loud, I don’t care how big and high profile you are, don’t have the President of the United States address the nation for you either.   

Before you send out this letter, run it by your public relations team/person, your general counsel/lawyer, your data breach response team, and your CEO, who as we discussed above will be signing the letter.    









Friday, June 5, 2015

Post OPM Breach...let the phishing begin!!




Hello again readers! As you may already know, last evening the Office of Personnel Management (OPM) admitted they sustained a data breach where they "lost 4 million records". In reality the number is probably much higher than that and the attack probably did not actually possess a "never before seen level of sophistication" or use a "previously unknown zero day attack" or any of the other "it is not our fault" mumbo jumbo that is usually seen after a data breach is admitted publicly. 


However, this blog post is not going to cover any of that, instead it is going to focus on two phishing emails I received last night that were possibly related to my own information being compromised in the breach, as my personal information is held by OPM as I was in the DoD (as a member of the US Air Force) and still currently hold a security clearance. (NOTE: I have not been notified that any of my information was compromised, and it could be completely unrelated. But...I mean....come on)



The phishing starts....

Last night I received two phishing emails that were related to "my Navy Federal Credit Union account". This is interesting because although I have indeed served in the military, I do not have any accounts with Navy Federal Credit Union at all. 


Two emails received from "Navy Federal"


The first email was received at 19:05:07 and the second was received at 19:53:17, so in less than an hour I had two phishing attempts. Once again, I cannot definitively say that it is related to the OPM breach, but the timing is suspect, to say the least.



Email 1: Your Account Statements is Now Avaliable

This was the first email that I received, with typical spelling errors and grammatical mistakes. As I have stated many times in the past, a "sophisticated" phishing email is one with no misspelled words or grammatical errors. This is clearly NOT in the sophisticated category. The link redirects to the domain "http://rudivervoort[.]be/SP/", which clearly does not seem to be legitimate for the Navy Federal Credit Union website. The email address is listed as "navyfederal@usmc.com", which is also NOT the domain of Navy Federal Credit Union. UPDATE: The url in the email is now listed on virustotal as well!



Original email

Email with some grammar and spelling issues highlighted

Email header information

VirusTotal results from link in email





Email 2: Account Review Notice!

This email was sent later and is crafted a little bit better than the first. There are no spelling errors, although there are quite a few grammatical errors. Analysis of the email header shows it "originated" in the same Canadian IP addresses as the first phishing email, which may suggest they were related. The redirect link is a shortened URL, which should not happen in a legitimate email from your banking institution. In fact, the URL is shown on VirusTotal as malicious (already!). The email address this time around is listed as "Nfcu_navyfederal@net2.com". The first email address, in my opinion, was better.


Original email



Grammar highlighted

Email header information

VirusTotal results on link in email



Regardless of whether these emails are actually related to the OPM breach or not, it does highlight the importance of taking some safety precautions to avoid falling for phishing emails: 


  • Always ensure you read an email thoroughly. Look out for spelling and grammar issues; if it seems strange, it probably is
  • Hover over links before clicking on them
  • Better yet, do not click on ANY link from your bank, credit card company, shipping company, etc. Log into the website of your service provider directly if you get an "important message" from them



A very timely Dilbert comic strip. Retrieved June 5, 2015 from http://dilbert.com/strip/2005-08-12











Monday, April 13, 2015

Live Response Collection slides from Bsides Charm



Hello again readers! I had the pleasure of speaking about the Live Response Collection at the inaugural Bsides Charm event held this past weekend. I am working on getting some new features and functionality added to the next release which I hope to have available in the near future. As always, if you have any suggestions or comments to help improve the functionality or additional data that you would like to see collected, please do not hesitate to contact me!


http://www.slideshare.net/BriMorLabs/live-response-collection-overview



Friday, March 20, 2015

Teslacrypt vs open source tools



Hello again readers! Today's blog post is going to cover a new "variant" of ransomware that has been deemed "Teslacrypt", which was highlighted in a fairly detailed post by Vadim Kotov from Bromium Labs.  I was able to acquire two samples of Teslacrypt, which I affectionately labeled "teslacrypt.exe" and "teslacrypt2.exe".  There really isn't anything earth-shattering or groundbreaking that this ransomware does, but this blog post will highlight how you can leverage open source tools such as noriben, PE Studio, and the Live Response Collection to triage a system that has been affected with this ransomware and some tips and techniques that I picked up during my research that may help you in dealing with this (and other) forms of ransomware.


Although teslacrypt.exe and teslacrypt2.exe both performed the ransomware process in similar fashions, there were differences between both of them, primarily in the content of the actual executables themselves and the persistence mechanism that each used. For the purposes of this post, I will highlight the differences, but will refer to traits that the files share as "teslacrypt" with specific details of "teslacrypt.exe" and "teslacrypt2.exe" as needed. Both executables are available on VirusShare if you would like to dig into them on your own!


"teslacrypt.exe"
(md5: 209a288c68207d57e0ce6e60ebf60729)
(sha256: 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370)


"teslacrypt2.exe"
(md5: 81f44c27c1c765890384095fe6f5f8bf)
(sha256: 3129c794296d54606d9f1771672250ee57b798ce6f9ab8335d677f48e552ae80)


FIGHT!

First of all, I want to point out that since the last time that I mentioned noriben in a blog post, Brian Baskin has put out an update that adds some cool new features to the noriben tool. While the Malware Box of Evil is a stand-alone machine with no external network connections, I did learn a new way to leverage the awesomeness of noriben when issues arise (as you will soon see).


noriben ran on the system just fine, however this ransomware also encrypts (among many other types of files which I will cover under the "PE Studio" section), files that end with a .py (Python script) extension. Although the malware continues to run after it is started, it only appears to actually survey the system for the files to encrypt one time when it initially runs until the Ransomware windows pops up and, and then again after the system is rebooted (as evidenced by the persistence key in the Registry which I will cover in the Live Response Collection section). What this means is that although noriben itself was running, the actual script was encrypted by the ransomware, so the additional processing of the Process Monitor Log file (.pml) was not able to occur on the system itself.




Python scripts encrypted by Teslacrypt (note .ecc file extension). I saved "Noriben-1.6.1.py" after the ransomware noticed popped up, to test to see if it would be encrypted again (it was not)


Fortunately, noriben can process the .pml file after it is collected, which is what I ended up having to do.


 I copied the .pml file over to my admin laptop and ran it from the command line with the "-p" flag. This processed the pml file and generated the csv, report, and timeline files as was expected on the Malware Box of Evil.


Running noriben from another system to process the .pml file


As noriben demonstrated, running "teslacrypt2.exe" spawns a new executable "ovsbhpa.exe" which is stored in the %AppData% folder, which in this case, the full path is "C:\Documents and Settings\Administrator\Application Data\ovsbhpa.exe". The executable then deletes itself from the original location. The first thing that the new executable does is runs vssadmin to delete all shadow copies on the system, thereby likely eliminating the possibility of restoring from a backup that was contained on the system.



The processes created by Teslacrypt2, as seen with noriben

Teslacrypt creates two additional files in the %AppData% folder, "key.dat" and "log.html". The "log.html" file fairly straightforward, as it is a file that contains the listing of every file that was encrypted by teslacrypt. 



contents of "log.html"

The file "key.dat" is more interesting, as the first portion of the file contains the "Bitcoin address" (a string of characters that is Base-58 encoded) that is supposed to allow access to site in order to decrypt your files. 


teslacrypt popup window on the infected Malware Box of Evil


Interestingly enough, the "key.dat" file for both teslacrypt.exe and teslacrypt2.exe follow the same structure, but the file created by "teslacrypt2.exe" has an additional twelve bytes of data at the very end of the file. The file size of "key.dat" that was generated by teslacrypt.exe was 636 bytes. The file size of "key.dat" that was generated by teslacrypt2.exe was 648 bytes. The difference between these two versions is something that I hope to explore more in the coming weeks.


Comparing the contents of "key.dat" generated by "teslacrypt.exe" and "teslacrypt2.exe". Note the additional 12 bytes associated with the file generated by teslacrypt2.exe


The original file(s) that Teslacrypt searches for (based on file extension) appear to be encrypted, the file name is created, and then renamed with the .ecc file extension. Although this appears to be fairly benign in nature, the way that this occurs means that there is no way to recover the contents of the actual file(s) through traditional data recovery methods. I have some more digging to do through the disk image that is going to take more time, but my initial take is that there is indeed no "easy" way to recover the data from within the encrypted files.



Teslacrypt (ovsbhpa.exe) in action


PE Studio

Marc Ochsenmeier released a new version of PE Studio, 8.47, earlier this month. I took a look at both the teslacrypt.exe and teslacrypt2.exe executable files in PE Studio. teslacrypt.exe was the more "basic" of the malware, as it contained many strings that were noteworthy during the static analysis phase. It was also a few weeks older than "teslacrypt2.exe".


"teslacrypt.exe" (md5: 209a288c68207d57e0ce6e60ebf60729)
(sha256: 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370)


teslacrypt.exe file information, as seen in PE Studio 8.47



teslacrypt.exe file header, as seen in PE Studio 8.47



teslacrypt.exe indicators, as seen in PE Studio 8.47


teslacrypt.exe blacklisted strings, as seen in PE Studio 8.47


"teslacrypt2.exe" (md5: 81f44c27c1c765890384095fe6f5f8bf)
(sha256: 3129c794296d54606d9f1771672250ee57b798ce6f9ab8335d677f48e552ae80)



teslacrypt2.exe file information, as seen in PE Studio 8.47


teslacrypt2.exe file header, as seen in PE Studio 8.47


teslacrypt2.exe indicators, as seen in PE Studio 8.47


teslacrypt2.exe blacklisted strings, as seen in PE Studio 8.47



Live Response Collection

I used the "Complete" option of the Live Response Collection so I would have a memory dump, system information, and a full disk image of the system each time it was infected. I was also curious to see exactly "what" persistence mechanism was used for both variants of teslacrypt.exe. The memory dump and disk image portion will be saved for a future post (when I have more time to do some deep dive analysis) and quite honestly, the memory dump itself will probably have it's own blog post. For the purposes of this blog post, we will focus on the persistence mechanism used by each variant.



"teslacrypt.exe" (md5: 209a288c68207d57e0ce6e60ebf60729)
(sha256: 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370)


A key is created in the NTUSER.dat hive of the currently logged on user, under the path "Software\Microsoft\Windows\CurrentVersion\Run". This is a commonly used key for persistence; however, if another user was to log on the system, teslacrypt would likely not run. The name associated with this entry is "crypto13".



teslacrypt.exe persistence mechanism, as seen in autorusc.txt



"teslacrypt2.exe" (md5: 81f44c27c1c765890384095fe6f5f8bf)
(sha256: 3129c794296d54606d9f1771672250ee57b798ce6f9ab8335d677f48e552ae80)


A key is created in the SOFTWARE hive on the system, under the path "Software\Microsoft\Windows\CurrentVersion\Run". Unlike the "teslacrypt.exe" variant, this persistence mechanism affects the entire machine, not just the currently logged on user, which enables system wide persistence, rather than persistence based on a particular user.. The name associated with this entry is "svcav_module". This is likely an effort by the author(s) to try to make it blend in a little bit more on the system.

teslacrypt2.exe persistence mechanism, as seen in autorusc.txt






EXTRA BONUS!!

This blog post is already very long, but I wanted to include a plain-text listing of all of the file extensions that teslacrypt seems to target. This was taken directly from the original version; however, my initial research is that both files target the exact same file extensions. I put the file extension in descending order, for ease of browsing convenience.



.001
.3fr
.7z
.accdb
.ai
.apk
.arch00
.arw
.asset
.avi
.bar
.bay
.bc6
.bc7
.big
.bik
.bkf
.bkp
.blob
.bsa
.cas
.cdr
.cer
.cfr
.cr2
.crt
.crw
.css
.csv
.d3dbsp
.das
.DayZProfile
.dazip
.db0
.dbfv
.dcr
.der
.desc
.dmp
.dng
.doc
.docm
.docx
.dwg
.dxg
.epk
.eps
.erf
.esm
.ff
.flv
.forge
.fos
.fpk
.fsh
.gdb
.gho
.hkdb
.hkx
.hplg
.hvpl
.ibank
.icxs
.indd
.itdb
.itl
.itm
.iwd
.iwi
.jpe
.jpeg
.jpg
.js
.kdb
.kdc
.kf
.layout
.lbf
.litemod
.lrf
.ltx
.lvl
.m2
.m3u
.m4a
.map
.mcgame
.mcmeta
.mdb
.mdbackup
.mddata
.mdf
.mef
.menu
.mlx
.mpqge
.mrwref
.ncf
.nrw
.ntl
.odb
.odc
.odm
.odp
.ods
.odt
.orf
.p12
.p7b
.p7c
.pak
.pdd
.pdf
.pef
.pem
.pfx
.pkpass
.png
.ppt
.pptm
.pptx
.psd
.psk
.pst
.ptx
.py
.qdf
.qic
.r3d
.raf
.rar
.raw
.rb
.re4
.rgss3a
.rim
.rofl
.rtf
.rw2
.rwl
.sav
.sb
.sc2save
.sid
.sidd
.sidn
.sie
.sis
.slm
.snx
.sr2
.srf
.srw
.sum
.svg
.syncdb
.t12
.t13
.tax
.tor
.txt
.unity3d
.upk
.vdf
.vfs0
.vpk
.vpp_pc
.vtf
.w3x
.wb2
.wma
.wmo
.wmv
.wotreplay
.wpd
.wps
.x3f
.xf
.xlk
.xls
.xlsb
.xlsm
.xlsx
.xxx
.ztmp