Helpful Navigation Toolbar

Monday, March 24, 2014

Windows Live Response collection vs. JackPOS

The primary reason on why I took the time to put together the Windows Live Response tool collection is that I got to the point where I was experiencing the same things over and over again and I wanted an easy way for either myself or anyone else to be able to collect this data in an easy fashion. While combing through the output of the script itself may not solve your case completely, it does have the potential to help point you in the right direction very quickly and can greatly reduce the size of the haystack in which you are trying to find a needle.

As long-time readers of my blog know, I have a second-hand system that I like to do a lot of my malware and tool testing on that I affectionately call my "Malware Box of Evil". For this example, I installed a malicious file onto the system and ran the Windows Live Response tools.

One of the first things that I like to look for on a system are persistence mechanisms. This could be slew of different items, such as a registry entry, scheduled task, installing as a service, etc. For this case, I opened up the "PersistenceMechanisms" folder and took a look at "autorunsc.txt"

Data contained in "PersistenceMechanisms" folder in Windows Live Response collection


The batch script is written so that autorunsc.exe runs with the "* -a -v -m -f" options:

* - prints data for all users
-a - shows all entries
-v - attempts to verify digital signatures
-m - hides signed Microsoft entries (NOTE: I include this to try to limit the sheer amount of data that is shown as Windows runs a LOT automatically. Even if malware is a signed Microsoft entry it "should" show up in other output from the Live Response tools. I haven't encountered that yet, but I am well aware it could be an issue)
-f - prints hashes of files

After opening our autoruns file, there is one entry of particular interest here, namely one for a "Java SE Platform Updater". The two main reasons that it jumps out of interest to me are that the version is apparently 1.0.0.0 and the company name is "K-Software". While we all know Java has its short-comings (and there are many) I would be very surprised if "K-Software" was a legitimate name associated with Java.

Autorunsc output 


One of the nice features of autorunsc is that it can also give the hashes of files that have been identified by the tool. A quick search on just the hash reveals quite a bit of interesting items on the first page alone.


Searching for the md5 of the file


Of course, of particular interest is a VirusTotal entry, which tells us that 28/48 engines identified the file as malicious.

VirusTotal results on file (captured on 19 March 2014)


But what if I didn't have internet access from wherever I gathered this data? Fortunately, there are some other items in the collection that can help you highlight "abnormal". One of my favorites is the "Installed Software" output from running WMIC. 

Installed software from WMIC

One of the items that I want to highlight here is that out of all of the applications installed on my machine (admittedly, there are not many as it is a stand-alone system), Java is not one of them. This is not a 100% sure-fire method to highlight potential evil, however, it can once again help lead you in the right direction (for example, DeepFreeze is installed on the system and it does not show up here.)

What if the malware was a little more advanced and purposely disabled some tools, like anything from sysinternals,  and ended up preventing them from running on a system? Well, that is part of the reason that I try to pull the data using a couple of different mechanisms. If a certain tool or process fails, hopefully one of the other ones will pull out the data. In this case, we turn to the output from WinAudit. The output shows us the same autorun entry, as well as the running service again with the "K-Software" name and "1.0.0.0" version.

WinAudit startup programs

WinAudit running programs


So hopefully this brief example helps highlight just how beneficial having something like the Windows Live Response collection can be. We didn't even look at the executable file itself; we simply are able to highlight some items of interest and do our best to try to identify "abnormal" as quickly as possible. I tried to make the script's data output as basic as possible so that anyone can open them and view the data with ease. 


LiveResponseCollection-Cedarpelta.zip - download here 

MD5: 7bc32091c1e7d773162fbdc9455f6432
SHA256: 2c32984adf2b5b584761f61bd58b61dfc0c62b27b117be40617fa260596d9c63
Updated: September 5, 2019









2 comments:

  1. Sir. Well done! This is a pretty awesome. Worked wonderful as admin on my test machines. I like the way you put it all together.

    ReplyDelete
    Replies
    1. Thanks!! Your initial TriageIR is what led me to work on creating this in the first place. It is still in the early stages of development and compilation, but even if it helps one person at some point, all of the work will be worth it.

      (It is also great for testing malware, automating the initial data gathering (and memory dump) saves a ton of time!) :)

      Delete