$MFT scanning for fun and err… Flame

May 31, 2012 in Compromise Detection, Forensic Analysis, HCD, Malware Analysis, Software Releases

Update 2012-July

Expect this tool to grow over the next couple of months.

Old Post

I was toying around with $MFT parsing and came up with a simple demo tool that parses the $MFT looking for remnants of malware. The tool is written in x86 assembly, so I guess it is forensically sound ;)

At the moment it only scans for Flame malware. I compiled the file-name list from all the places I could find, including my own research, CrySyS Lab, Kaspersky, BitDefender, malware.lu, kernelmode.info, etc.; the list is pasted below.

It should find both live entries (existing files) and deleted entries, since a deleted file's $MFT record keeps its name until the record is reused.
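To show what the scanner actually has to do, here is an added example in Python (not the post's assembly tool): it walks 1024-byte FILE records, undoes the NTFS fixups, reads the in-use flag to tell live from deleted entries, pulls the name out of each resident $FILE_NAME attribute and matches it against a constructed subset of the list below. The `make_record` builder and its sample records are assumptions made so the code runs offline.

```python
import fnmatch, struct

# Constructed subset of the post's Flame file-name list; wildcards follow the post's glob style.
FLAME_NAMES = ["mssecmgr.ocx", "advnetcfg.ocx", "~DFL*.tmp", "~KWI988.tmp"]

def apply_fixups(rec):  # undo the NTFS update sequence: restore the last 2 bytes of each 512-byte sector
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        assert rec[512 * i - 2:512 * i] == usn, "fixup mismatch: torn or corrupt record"
        rec[512 * i - 2:512 * i] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec

def file_names(record):  # yield (name, in_use) for each resident $FILE_NAME (0x30) attribute in one record
    if record[:4] != b"FILE":
        return
    rec = apply_fixups(bytearray(record))
    in_use = bool(struct.unpack_from("<H", rec, 0x16)[0] & 1)  # flag bit 0 clear => deleted entry
    off = struct.unpack_from("<H", rec, 0x14)[0]              # first attribute offset
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:                  # end-of-attributes marker
            break
        if atype == 0x30 and rec[off + 8] == 0:               # resident $FILE_NAME
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            yield body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le"), in_use
        off += alen

def scan_mft(data, patterns=FLAME_NAMES):  # -> [(record_no, name, "live"|"deleted")], case-insensitive
    hits = []
    for n in range(len(data) // 1024):
        for name, in_use in file_names(data[n * 1024:(n + 1) * 1024]):
            if any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns):
                hits.append((n, name, "live" if in_use else "deleted"))
    return hits

def make_record(name, in_use):  # constructed minimal 1024-byte FILE record with one resident $FILE_NAME
    body = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")  # parent ref/times/sizes zeroed
    body += bytes(-len(body) % 8)
    attr = struct.pack("<IIBBHHHIHBB", 0x30, 24 + len(body), 0, 0, 0, 0, 0, len(body), 24, 0, 0) + body
    rec = bytearray(b"FILE") + bytearray(1020)
    struct.pack_into("<HH8xHHHH", rec, 4, 0x30, 3, 0, 0, 0x38, 1 if in_use else 0)  # USA, attr off, flags
    rec[0x38:0x38 + len(attr)] = attr
    struct.pack_into("<I", rec, 0x38 + len(attr), 0xFFFFFFFF)  # end-of-attributes marker
    rec[0x30:0x32] = b"\x07\x00"                               # update sequence number
    for i in (1, 2):                                           # stash real sector-end bytes, write USN there
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[512 * i - 2:512 * i]
        rec[512 * i - 2:512 * i] = b"\x07\x00"
    return bytes(rec)
```

On a real volume the record size comes from the boot sector (1024 bytes on most systems) and a deleted entry only survives until NTFS reuses that record, so a clean scan is not proof that nothing was ever there.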

This is how it works – if it is bad news for you:


Note: this is an experimental tool – DO NOT test it on a production system. You can always use fls.exe from the Sleuth Kit instead.

The tool can be downloaded here.

This is a list of files it searches for:

  • advnetcfg.ocx
  • Advpck.dat
  • audache
  • audfilter.dat
  • authcfg.dat
  • authpack.ocx
  • boot32drv.sys
  • browse32.ocx
  • ccalc32.sys
  • cmutlcfg.ocx
  • commgr32
  • comspol32.dll
  • comspol32.ocx
  • contents.btr
  • ctrllist.dat
  • dcomm.dat
  • desc.ini
  • dmmsapi.dat
  • dsmgr.ocx
  • dstrlog.dat
  • Ef_trace.log
  • fib32.bat
  • frog.bat
  • gppref32.exe
  • grb9m2.bat
  • guninst32
  • indsvc32.ocx
  • lib.ocx
  • lmcache.dat
  • lss.ocx
  • m4aaux.dat
  • modevga.com
  • mprhlp
  • MSAPackages
  • MSAudio
  • MSAuthCtrl
  • mscrypt.dat
  • msglu32.ocx
  • mssecmgr.ocx
  • MSSecurityMgr
  • MSSndMix
  • mssui.drv
  • mssvc32.ocx
  • netcfgi.ocx
  • ntaps.dat
  • nteps32
  • nteps32.ocx
  • Pcldrvx.ocx
  • rdcvlt32.exe
  • Rpcnc.dat
  • rpcns4.ocx
  • scaud32.exe
  • scsec32.exe
  • sdclt32.exe
  • secindex.dat
  • soapr32.ocx
  • ssitable
  • stamn32
  • svchost1ex.mof
  • Svchostevt.mof
  • target.lnk
  • to961.tmp
  • urpd.ocx
  • watchxb.sys
  • wavesup3.drv
  • winconf32.ocx
  • winrt32.dll
  • winrt32.ocx
  • wlndh32
  • Wpab32.bat
  • wpgfilter.dat
  • wrm3f0
  • zff042
  • ~8C5FF6C.tmp
  • ~a29.tmp
  • ~d43a37b.tmp
  • ~DEB83C.tmp
  • ~DEB93D.tmp
  • ~DF05AC8.tmp
  • ~dfc855.tmp
  • ~DFD85D3.tmp
  • ~DFL*.tmp
  • ~DFL983.tmp
  • ~dra*.tmp
  • ~dra52.tmp
  • ~dra53.tmp
  • ~f28.tmp
  • ~fghz.tmp
  • ~HLV
  • ~HLV*.tmp
  • ~KWI
  • ~KWI988.tmp
  • ~KWI989.tmp
  • ~mso2a0.tmp
  • ~mso2a1.tmp
  • ~mso2a2.tmp
  • ~nms534
  • ~rcf0
  • ~rcj0
  • ~rei524.tmp
  • ~rei525.tmp
  • ~rf288.tmp
  • ~rft374.tmp
  • ~TFL848.tmp
  • ~TFL849.tmp
  • ~ZLM0D1.ocx
  • ~ZLM0D2.ocx