You are browsing the archive for Compromise Detection.

DeXRAY update

June 25, 2016 in Batch Analysis, Compromise Detection, DeXRAY, File Formats ZOO, Forensic Analysis, Incident Response, Malware Analysis, Software Releases

Added:

  • ESafe (VIR)
  • Microsoft Windows Defender (partial support)
  • Spypot – Search & Destroy

The full list of supported or recognized file formats is listed below:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0=’-chest- ‘)
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; Quarantined files are not encrypted 🙂
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0=’KSS’)
  • Kaspersky (KLQ)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • MalwareBytes Data files (DATA)
  • MalwareBytes Quarantine files (QUAR)
  • McAfee Quarantine files (BUP)
  • Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
  • Panda <GUID> Zip files
  • Spybot – Search & Destroy 2 ‘recovery’
  • SUPERAntiSpyware (SDB)
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN)
  • Symantec Quarantine Index files (QBI)
  • TrendMicro (Magic@0=A9 AC BD A7 which is ‘VSBX’ string ^ 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Any binary file (using X-RAY scanning)

You can download it here.

Beyond good ol’ Run key, Part 40

June 2, 2016 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis

And here we are… another round anniversary…

To celebrate this special event, I have prepared a special dish for Windows 10 lovers 🙂

To inaugurate the celebration:

  • Create C:\Program Files\Internet Explorer\suspend.dll
  • Profit

Yup. It will launch anytime user starts IE. And when they exit it (the life of a DLL…).

To continue the festivities:

  • Create phoneinfo.dll anywhere the PATH points to, or inside the c:\windows\system, C:\Windows\System32\wbem or on the Desktop – IE will try really hard to load it:
    phoneinfo
  • Profit

Yup. It will launch anytime user starts IE too. And yup, when they exit it too.

It does work for 64-bit processes too.

And the final fanfares…

When your program crashes on Windows 10, werfault.exe will attempt to load loads of non-existing debugging extensions.:

  • C:\Windows\SYSTEM32\WINXP\uext.dll
  • C:\Windows\SYSTEM32\winext\uext.dll
  • C:\Windows\SYSTEM32\winext\arcade\uext.dll
  • C:\Windows\SYSTEM32\pri\uext.dll
  • C:\Windows\System32\uext.dll
  • C:\Windows\SYSTEM32\winext\arcade\uext.dll
  • C:\Windows\System32\uext.dll
  • C:\Windows\SYSTEM32\WINXP\ntsdexts.dll
  • C:\Windows\SYSTEM32\winext\ntsdexts.dll
  • C:\Windows\SYSTEM32\winext\arcade\ntsdexts.dll
  • C:\Windows\SYSTEM32\pri\ntsdexts.dll
  • C:\Windows\System32\ntsdexts.dll
  • C:\Windows\SYSTEM32\winext\arcade\ntsdexts.dll
  • C:\Windows\System32\ntsdexts.dll

Bonus #1:

The phoneinfo.dll DLL seems to be used by a lot of processes (it is actually loaded by urlmon.dll, so lots of processes are affected).

Bonus #2:

Cursory analysis of code that is responsible for loading this DLL indicates that it’s most likely code used on Windows phones-only and it’s just the DLL is not present on Desktop Windows (yet the code loading the phantom DLL remained). The DLL is responsible for telling the urlmon what Phone Manufacturer and Model to add to one of the internal User Agent strings inside the urlmon library