You are browsing the archive for Reversing.

Enter Sandbox – part 15: The muddy, heavy water world of atomic formats…

September 22, 2017 in Batch Analysis, Clustering, Malware Analysis, Reversing, Sandboxing

Sample analysis process typically covers looking at the most common forensic suspects including mutexes, event names, and atoms. However, there is one more sub-artifact sitting on the same bench with the last one I have listed… one that often escapes the scrutiny of sandboxes and malware analysts – the clipboard format.

The clipboard format is registered using the RegisterClipboardFormat function – it allows applications to interchange data as long as they understand the format. The registration is implemented with the use of atoms as explained in this presentation.

Sandboxes and analysts inspecting the calls to RegisterClipboardFormat can use the received data in many ways. It can help to determine a file type of the sample, its modules, detect a family of a malware/adware, or perhaps a programming framework, and in some cases heuristically detect capabilities of the tested sample. I have listed a few example clipboard formats below. If you look at it one set that immediately stands out are Delphi clipboard formats:

  • Delphi Picture
  • Delphi Component
  • ControlOfs<HEX-STRING> (f.ex. ControlOfs00400000000007A8)

Finding these in the API calls or even in memory is a good indication that there is a Delphi application running.

The same goes for ATL samples:

  • WM_ATLGETCONTROL
  • WM_ATLGETHOST

There are also malware-adware-specific formats e.g.:

  • AmInst__Runing
  • yimomotoTec Picture
  • yimomotoTec Component
  • PowerSpider
  • RinLoggerInstance
  • SatoriWM_SetNetworkShareableFlag
  • Transfer_File_Success_Doyo
  • 180StartDownload

… RAT-related formats:

  • WinVNC.Update.Mouse
  • WinVNC.Update.DrawRect
  • WinVNC.Update.CopyRect
  • WinVNC.AddClient.Message
  • UltraVNC.Viewer.FileTransferSendPacketMessage

… test formats:

  • Hey, this is unicough single instance test
  • UWM_GAMETESTCMD_{75AEED17-2310-4171-94C6-08AC4438E814}_MSG
  • Message.My.Super.Puper.Test.Program.XXX
  • KSDB_TEST: Message communciation between Agent and its TEST host client.
  • FONT-TEST

… various functionality-related formats:

  • WM_HTML_GETOBJECT
  • RasDialEvent
  • EXPLORER.EXEIsDebuggerPresentExEdLl
  • winmm_devicechange
  • WM_HOOKEX_RK
  • UWM_KEYHOOK_MSG-968C3043-1128-43dc-83A9-55122C8D87C1
  • Transfer_File_Success_Doyo
  • 3rdeye_tb_hacking_dll
  • keyhook_msg

… P2P programs formats:

  • EMULE-{4EADC6FC-516F-4b7c-9066-97D893649570}
  • KazaaNewSearch

… possible hints on programmer’s mother tongue:

  • Karte ziehen
  • querodarmeucu

…random:

  • trhgtehgfsgrfgtrwegtre
  • frgjbfdkbnfsdjbvofsjfrfre
  • hgtrfsgfrsgfgregtregtr
  • gsegtsrgrefsfsfsgrsgrt

A short list of top 30 formats I collected from my sampleset:

 46894 TaskbarCreated
 30020 commdlg_FindReplace
 27886 Delphi Picture
 27886 Delphi Component
 27491 commdlg_help
 13920 WM_ATLGETCONTROL
 13914 WM_ATLGETHOST
 11000 3
  8395 commctrl_DragListMsg
  7445 1
  6909 WM_GETCONTROLNAME
  5475 FileName
  5020 Embedded Object
  4899 Link Source
  4885 Rich Text Format
  4787 Object Descriptor
  4652 commdlg_ColorOK
  4576 OwnerLink
  4574 Embed Source
  4569 Link Source Descriptor

The Archaeologologogology #3 – Downloading stuff with cmdln32

April 30, 2017 in Archaeology, Reversing

One of the less-known tools residing in Windows system32 directory is cmdln32.exe. It is being used by CMAK (Connection Manager Administration Kit) to set up Connection Manager service profiles. The profile is typically packaged into an .exe that can be deployed to the user system. The package installs the profile that can be used to launch a Dial-up/VPN connection.

On older versions of Windows f.ex. XP you could fool cmdln32.exe to act as a simple downloader.

You can create 3 files:

  • A profile file
    [Profile Format]
    
    Version=4
    
    [Connection Manager]
    
    CMSFile=<settings file name - described next>
  • A settings file
    [Connection Manager]
    
    TunnelFile=<tunnel file name - described next>
  • A tunnel file
    [Settings]
    
    UpdateUrl=URL pointing to the file

The file that UpdateUrl points to needs to start with a [VPN Servers] Profile Section, followed by the actual data  f.ex.:

[VPN Servers]
This could be anything...

All you have to do now is to launch cmdl32.exe passing to it a full path to the profile file and providing a VPN argument f.ex.:

cmdln32 c:\test\profile /vpn

The program will read the profile file, then read the file name of the settings file; then read the settings file and extract the file name of the VPN tunnel file, and finally from the VPN file it will retrieve the URL for the update. Once downloaded, the file that the UpdateUrl location point to will replace the tunnel file (overwrite).

If it sounds complicated, it definitely is :), but it works and such download could potentially fly under radar of security products.

The request sent by the tool looks as follows:

GET / HTTP/1.1
User-Agent: Microsoft(R) Connection Manager Vpn File Update
Host: <domain>

So it’s easy to look for it in the logs. The version of the tool that is used on newer versions of Windows is a bit more careful. It checks if the RAS connection provided in the settings file is present (note, in my example the RAS connection is not listed inside the settings file) and only if it does, the tool continues. The alternative to the VPN download is the PhoneBook download, but this also requires the presence of the RAS connection. You can read about Connection Manager Tools and Settings on the Microsoft web page from 2003.

If you have a spare XP box you can test this functionality by downloading this package, placing its content inside c:\test and launching the cmdl32.exe via the following command:

cmdln32 c:\test\cmdl32_xp.cmp /vpn

Will this still work on newer versions?

I don’t know, but here are two ideas:

  • As long as _some_ program can be smuggled in to the victim’s system (f.ex. from the malicious attachment) it could launch cmdln32.exe under control of custom debugger and patch the RAS Enumeration check during run-time
  • Perhaps it’s possible to find a configuration where the RAS Enumeration check will work and knowing the RAS connection’s name one could set up a profile that would allow the download

In terms of forensics, you may find the following file inside the %TEMP% folder (XP-only):

  • %Temp%\VPN<random>.tmp

In any case, it’s just a trivia – it cannot really become a replacement for BITS…