
The Wizard of X – Oppa PlugX style

July 31, 2017 in Anti-*, Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis

Xwizard is an ‘Extensible wizard host process’. While I am not 100% sure what it is doing, I know for certain that – whatever it is – PlugX guys would approve.

Why?

When you run it with a ‘/h’ command line parameter, you will get this info:


Something about the unusual command line parameters described there caught my eye.

After a quick inspection I discovered why. The arguments are actually… names of functions exported from xwizards.dll!

Very nice!

And even nicer is the fact that the LoadLibraryEx call that loads xwizards.dll conveniently finds it in the current path…

Ouch…

So… all you have to do is copy c:\WINDOWS\system32\xwizard.exe to your folder, drop your xwizards.dll DLL there and call xwizard.exe with at least two arguments.

And the Microsoft-signed xwizard.exe will load the xwizards.dll of your choice…
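A defender-side hunt for the two preconditions the post describes (a copy of xwizard.exe outside the Windows system directories, and an xwizards.dll sitting next to it), as an added PowerShell example that is not part of the original post. It assumes Windows PowerShell 5.1 or later; the Sysmon query at the end assumes Sysmon is installed and logging image loads (Event ID 7), and the function names are this example's own.

```powershell
# Added hunting script, not from the original post. It looks for the artifacts the
# post describes: xwizard.exe or xwizards.dll outside the Windows system
# directories, a running xwizard.exe started from such a location, and (if Sysmon
# is present) image-load events for an xwizards.dll outside System32.
# Assumes Windows PowerShell 5.1+; function names are this example's own.

$SystemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64'),
    (Join-Path $env:SystemRoot 'WinSxS')     # component store keeps legitimate copies too
)

function Test-InSystemDir {
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    foreach ($dir in $SystemDirs) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-StrayXwizardFile {
    # Every fixed drive is walked; slow on large volumes, but complete.
    $roots = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root.Root -Recurse -Force -ErrorAction SilentlyContinue `
                      -Include 'xwizard.exe', 'xwizards.dll' |
            Where-Object { -not (Test-InSystemDir $_.FullName) } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    SHA256    = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                    SigStatus = $sig.Status          # an unsigned xwizards.dll is the tell
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                    LastWrite = $_.LastWriteTime
                }
            }
    }
}

function Find-StrayXwizardProcess {
    # The post notes the arguments are exported function names, so the command line
    # is worth keeping alongside the image path.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'xwizard.exe'" |
        ForEach-Object {
            [pscustomobject]@{
                PID         = $_.ProcessId
                ParentPID   = $_.ParentProcessId
                Path        = $_.ExecutablePath
                CommandLine = $_.CommandLine
                # Only flag when the path could be read and is outside the system dirs
                Flagged     = ($null -ne $_.ExecutablePath) -and -not (Test-InSystemDir $_.ExecutablePath)
            }
        }
}

function Find-XwizardsImageLoad {
    # Sysmon Event ID 7 (Image loaded). Parses the message text rather than relying
    # on property positions, which vary between Sysmon schema versions.
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7
    }
    foreach ($e in $events) {
        if ($e.Message -match '(?m)^ImageLoaded:\s*(.+?)\s*$') {
            $loaded = $Matches[1]
            if ($loaded -like '*\xwizards.dll' -and -not (Test-InSystemDir $loaded)) {
                $image = if ($e.Message -match '(?m)^Image:\s*(.+?)\s*$') { $Matches[1] } else { '' }
                [pscustomobject]@{ Time = $e.TimeCreated; Process = $image; ImageLoaded = $loaded }
            }
        }
    }
}

Find-StrayXwizardFile    | Format-Table -AutoSize
Find-StrayXwizardProcess | Where-Object Flagged | Format-Table -AutoSize
Find-XwizardsImageLoad   | Format-Table -AutoSize
```

The file walk is the expensive part; on a live host the process and Sysmon checks alone give a quick answer, and the hash column exists so that a hit can be compared against the known-good System32 copy.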

Beyond good ol’ Run key, Part 64

July 12, 2017 in Anti-*, Autostart (Persistence), Compromise Detection, Forensic Analysis

I recently updated my ‘collect all cool persistence mechanisms described elsewhere’ post. After I announced it on Twitter, 3gstudent replied with one more link – one that led to his demo of persistence via bitsadmin. I had looked at BITS before, but it never occurred to me to look at all the command line options of the bitsadmin tool – the fact that it allows persistence was a nice surprise. It intrigued me that it is not recognized by autoruns.

I immediately tested the mechanism on a Win7 VM and quickly discovered that BITS stores info about its tasks in the following location:

  • c:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
  • c:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat

Sometimes you may also find qmgr0.bak & qmgr1.bak files there.

I ran a test adding as many tasks as possible and noticed that the only visible difference is growth in the file size of both files. After the first test the files on my system were around 4MiB (Win7). Adding new tasks eventually made BITS run out of space – at that point it simply extends the file.

Googling around for these file names doesn’t provide that much info. The format of the file is unknown – some serialized data.

One thing is sure though – if you come across these during the exam, you should defo look at possible BITS persistence.
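To turn that observation into a triage step, an added PowerShell example that is not part of the original post: it lists BITS jobs for every user and flags those carrying a notification command line (the BITS feature bitsadmin persistence relies on), then reports the qmgr files the post names, since size and modification time are the only signals the post could read from them. It assumes an elevated Windows PowerShell 5.1+ session with the BitsTransfer module; the function names are this example's own.

```powershell
# Added triage script, not from the original post. Lists BITS jobs for all users,
# flags the ones with a NotifyCmdLine set, and reports the queue files named in the
# post. Assumes an elevated Windows PowerShell 5.1+ session; function names are
# this example's own.
Import-Module BitsTransfer -ErrorAction Stop

function Get-SuspiciousBitsJob {
    # Get-BitsTransfer -AllUsers needs admin. Each BitsJob exposes NotifyCmdLine,
    # the program BITS launches when the job completes or errors; legitimate
    # update jobs normally leave it empty.
    Get-BitsTransfer -AllUsers | ForEach-Object {
        [pscustomobject]@{
            JobId         = $_.JobId
            DisplayName   = $_.DisplayName
            Owner         = $_.OwnerAccount
            State         = $_.JobState
            Created       = $_.CreationTime
            NotifyCmdLine = $_.NotifyCmdLine
            RemoteFiles   = ($_.FileList | ForEach-Object { $_.RemoteName }) -join ';'
            LocalFiles    = ($_.FileList | ForEach-Object { $_.LocalName }) -join ';'
            Flagged       = -not [string]::IsNullOrWhiteSpace($_.NotifyCmdLine)
        }
    }
}

function Get-BitsQueueFile {
    # The qmgr*.dat / *.bak files the post describes; the format is undocumented,
    # so only size and timestamps are reported. Newer Windows 10 builds keep a
    # qmgr.db in the same folder, which this filter also catches.
    $dir = Join-Path $env:ProgramData 'Microsoft\Network\Downloader'
    Get-ChildItem -Path $dir -Filter 'qmgr*' -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

$jobs = @(Get-SuspiciousBitsJob)
$flagged = @($jobs | Where-Object Flagged)
$flagged | Format-Table -AutoSize DisplayName, Owner, State, Created, NotifyCmdLine
"Total BITS jobs: $($jobs.Count); with NotifyCmdLine set: $($flagged.Count)"
Get-BitsQueueFile | Format-Table -AutoSize
```

Without the module, `bitsadmin /list /allusers /verbose` prints the same fields (including the notification command line) as text. A job that shows up here but not in autoruns is exactly the gap the post points out.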