As long-time readers of my blog know, I have a second-hand system that I like to do a lot of my malware and tool testing on that I affectionately call my "Malware Box of Evil". For this example, I installed a malicious file onto the system and ran the Windows Live Response tools.
One of the first things that I like to look for on a system are persistence mechanisms. This could be slew of different items, such as a registry entry, scheduled task, installing as a service, etc. For this case, I opened up the "PersistenceMechanisms" folder and took a look at "autorunsc.txt"
|Data contained in "PersistenceMechanisms" folder in Windows Live Response collection|
The batch script is written so that autorunsc.exe runs with the "* -a -v -m -f" options:
* - prints data for all users
-a - shows all entries
-v - attempts to verify digital signatures
-m - hides signed Microsoft entries (NOTE: I include this to try to limit the sheer amount of data that is shown as Windows runs a LOT automatically. Even if malware is a signed Microsoft entry it "should" show up in other output from the Live Response tools. I haven't encountered that yet, but I am well aware it could be an issue)
-f - prints hashes of files
After opening our autoruns file, there is one entry of particular interest here, namely one for a "Java SE Platform Updater". The two main reasons that it jumps out of interest to me are that the version is apparently 220.127.116.11 and the company name is "K-Software". While we all know Java has its short-comings (and there are many) I would be very surprised if "K-Software" was a legitimate name associated with Java.
One of the nice features of autorunsc is that it can also give the hashes of files that have been identified by the tool. A quick search on just the hash reveals quite a bit of interesting items on the first page alone.
|Searching for the md5 of the file|
Of course, of particular interest is a VirusTotal entry, which tells us that 28/48 engines identified the file as malicious.
|VirusTotal results on file (captured on 19 March 2014)|
But what if I didn't have internet access from wherever I gathered this data? Fortunately, there are some other items in the collection that can help you highlight "abnormal". One of my favorites is the "Installed Software" output from running WMIC.
|Installed software from WMIC|
One of the items that I want to highlight here is that out of all of the applications installed on my machine (admittedly, there are not many as it is a stand-alone system), Java is not one of them. This is not a 100% sure-fire method to highlight potential evil, however, it can once again help lead you in the right direction (for example, DeepFreeze is installed on the system and it does not show up here.)
What if the malware was a little more advanced and purposely disabled some tools, like anything from sysinternals, and ended up preventing them from running on a system? Well, that is part of the reason that I try to pull the data using a couple of different mechanisms. If a certain tool or process fails, hopefully one of the other ones will pull out the data. In this case, we turn to the output from WinAudit. The output shows us the same autorun entry, as well as the running service again with the "K-Software" name and "18.104.22.168" version.
|WinAudit startup programs|
|WinAudit running programs|
So hopefully this brief example helps highlight just how beneficial having something like the Windows Live Response collection can be. We didn't even look at the executable file itself; we simply are able to highlight some items of interest and do our best to try to identify "abnormal" as quickly as possible. I tried to make the script's data output as basic as possible so that anyone can open them and view the data with ease.
LiveResponseCollection-Bambiraptor.zip - download here
Updated: December 12, 2016