Anti-forensics – live examples, Part 2

June 27, 2014 in Anti-Forensics, Compromise Detection, Forensic Analysis, Malware Analysis

I wrote about malware using anti-forensics tricks back in 2012. Recently I have been seeing quite a few (I believe CryptoWall) samples coming to my spambait mailbox that use anti-forensics and evasion tricks that I believe are worth documenting.

The malware arrives as one of the typical VOICE<phone number>.zip packages embedding an unencrypted VOICE<phone number>.scr file which, when executed, delivers the payload.

The payload is delivered in an evasive way:

  • a new suspended explorer.exe process is created and a malicious thread is injected into it
  • the code injected into explorer.exe decrypts the second stage of the payload and drops a file into a directory created directly under the root of the C:\ drive (c:\<hex-digits>\<hex-digits>.exe);

This is the first (fairly light) anti-forensic trick I want to talk about: it would seem malware authors try to avoid dropping copies of the malware into the %APPDATA% folder (or into this folder only), as it is the place where they are easiest to find.

Dropping the file into more than one folder, and especially into folders that are less likely to be inspected, is (I believe) an attempt to evade early detection.

  • the malware also copies itself to
    • %APPDATA%\Start Menu\Programs\Startup\<hex digits>.exe – a typical, old-school persistence mechanism
    • %APPDATA%\<hex digits>.exe
  • it then adds 2 values under the HKCU Run key to ensure its persistence on the system; the 2 values point to
    • %APPDATA%\<hex digits>.exe
    • c:\<hex-digits>\<hex-digits>.exe (the location described earlier)
  • so there are 3 autostart entries in total and 3 copies of the malware; that's the second anti-forensic trick – clean-up of such infections may be a bit tricky, and it highlights the importance of checking all the possible persistence mechanisms
  • next, the malware creates another suspended process, this time svchost.exe, and injects code into it the same way as previously into explorer.exe; this process will be used to connect out to the C&C
  • in the meantime, the explorer.exe process launches the vssadmin tool with destructive command line arguments:
    • vssadmin.exe Delete Shadows /All /Quiet
      that's the third anti-forensic trick; it deletes all the Volume Shadow Copies (note, it doesn't work under XP)
  • the malware also disables System Restore by setting the following registry value
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
      DisableSR (REG_DWORD) = 1
      that's the fourth anti-forensic trick used by this malware
  • and then it also tries to stop a couple of services (Security Center, Windows Defender, Windows Update, BITS and Error Reporting):
    • wscsvc (Security Center)
    • WinDefend (Windows Defender)
    • wuauserv (Windows Update)
    • BITS (Background Intelligent Transfer Service)
    • ERSvc (Error Reporting Service, XP)
    • WerSvc (Windows Error Reporting Service, Vista and later)
  • finally, it tries to connect out to the C&C (from the hijacked svchost.exe process):
    • bolizarsospos(.)com
    • covermontislol(.)com
    • milimalipali(.)com
    • torichipinis(.)com
    • vivatsaultppc(.)com

Some variants also disable Startup Repair using the following command:

  • bcdedit /set {default} recoveryenabled No
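The chain above gives a compact list of things to hunt for: the hex-named drops under the drive root, %APPDATA% and the Startup folder, the Run values pointing at them, the vssadmin / bcdedit command lines, the DisableSR value, and the remote threads into explorer.exe and svchost.exe. The following is an added example (not code from the original post) that runs those checks as rules over a set of constructed sample events. The event dictionaries, their field names and the trusted-injector allowlist are assumptions, loosely modelled on Sysmon process/registry/file/thread event types; the file names, user name and hex directory names are made up for the sample.

```python
"""Detection rules for the anti-forensic behaviour described above, run over
constructed sample events. Added example; event shape is an assumption
(loosely Sysmon-like): proc, reg, file and thread dicts."""
import ntpath
import re

HEX_EXE = r"[0-9A-Fa-f]+\.exe$"
# c:\<hex-digits>\<hex-digits>.exe: hex-named directory directly under the drive root
ROOT_HEX_DROP = re.compile(r"^[A-Za-z]:\\[0-9A-Fa-f]+\\" + HEX_EXE)
# %APPDATA%\Start Menu\Programs\Startup\<hex>.exe (also matches the Vista+ Startup path)
STARTUP_HEX = re.compile(r"\\Start Menu\\Programs\\Startup\\" + HEX_EXE, re.IGNORECASE)
# %APPDATA%\<hex>.exe (Application Data on XP, AppData\Roaming on Vista+)
APPDATA_HEX = re.compile(r"\\(?:Application Data|AppData\\Roaming)\\" + HEX_EXE, re.IGNORECASE)

INJECT_TARGETS = {"explorer.exe", "svchost.exe"}
# Assumed allowlist: system processes that legitimately create threads in other processes
TRUSTED_INJECTORS = {"csrss.exe", "wininit.exe", "services.exe", "lsass.exe"}
RUN_KEY = re.compile(r"\\currentversion\\run$", re.IGNORECASE)


def suspicious_drop_path(path):
    """Return why a path looks like one of this family's drop locations, or None."""
    if ROOT_HEX_DROP.match(path):
        return "hex-named exe in a hex-named directory under the drive root"
    if STARTUP_HEX.search(path):
        return "hex-named exe in the Startup folder"
    if APPDATA_HEX.search(path):
        return "hex-named exe directly in %APPDATA%"
    return None


def analyze(events):
    """Run the rules over a list of event dicts; return (severity, rule, detail) tuples."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "proc":
            image, cmd = ntpath.basename(ev["image"]).lower(), ev["cmdline"]
            if image == "vssadmin.exe" and re.search(r"delete\s+shadows", cmd, re.I):
                hits.append(("high", "shadow copies deleted", cmd))
            elif image == "bcdedit.exe" and re.search(r"recoveryenabled\s+no", cmd, re.I):
                hits.append(("high", "Startup Repair disabled", cmd))
        elif kind == "reg":
            key, name, data = ev["key"], ev["value_name"], str(ev["data"])
            if key.lower().endswith(r"\systemrestore") and name.lower() == "disablesr" and data == "1":
                hits.append(("high", "System Restore disabled", key + "\\" + name))
            elif RUN_KEY.search(key):
                why = suspicious_drop_path(data)
                if why:
                    hits.append(("medium", "Run value -> " + why, f"{name} = {data}"))
        elif kind == "file":
            why = suspicious_drop_path(ev["path"])
            if why:
                hits.append(("medium", "file drop -> " + why, ev["path"]))
        elif kind == "thread":
            src = ntpath.basename(ev["source"]).lower()
            dst = ntpath.basename(ev["target"]).lower()
            if dst in INJECT_TARGETS and src not in TRUSTED_INJECTORS and src != dst:
                hits.append(("high", "remote thread into " + dst, "from " + ev["source"]))
    return hits


def autostart_paths(events):
    """Every executable given a foothold: Run-value targets plus Startup-folder drops.
    Clean-up has to remove all of them, not just the first one found."""
    paths = set()
    for ev in events:
        if ev["type"] == "reg" and RUN_KEY.search(ev["key"]):
            paths.add(str(ev["data"]).lower())
        elif ev["type"] == "file" and STARTUP_HEX.search(ev["path"]):
            paths.add(ev["path"].lower())
    return paths


# Constructed sample events mimicking the chain described above (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "thread", "source": r"C:\Users\bob\Downloads\VOICE5551234567.scr", "target": r"C:\Windows\explorer.exe"},
    {"type": "file", "path": r"C:\7a3f9c2e\7a3f9c2e.exe"},
    {"type": "file", "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7a3f9c2e.exe"},
    {"type": "file", "path": r"C:\Users\bob\AppData\Roaming\7a3f9c2e.exe"},
    {"type": "reg", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "7a3f9c2e", "data": r"C:\Users\bob\AppData\Roaming\7a3f9c2e.exe"},
    {"type": "reg", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "7a3f9c2e0", "data": r"C:\7a3f9c2e\7a3f9c2e.exe"},
    {"type": "thread", "source": r"C:\Windows\explorer.exe", "target": r"C:\Windows\System32\svchost.exe"},
    {"type": "proc", "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "reg", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore", "value_name": "DisableSR", "data": 1},
    {"type": "proc", "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    # benign noise that must not fire
    {"type": "proc", "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe List Shadows"},
    {"type": "file", "path": r"C:\Users\bob\AppData\Roaming\notes.exe"},
    {"type": "thread", "source": r"C:\Windows\System32\csrss.exe", "target": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for sev, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{sev:6}] {rule}: {detail}")
    print("autostart entries to clean:", len(autostart_paths(SAMPLE_EVENTS)))
```

On the sample, the rules fire five high-severity hits (two injections, shadow deletion, DisableSR, bcdedit) and five medium ones (three drops, two Run values), and autostart_paths reports the three footholds that all have to be removed. The hex-name heuristic is deliberately loose; a legitimately named binary whose name happens to consist only of hex characters (for example cafe.exe) will match, so treat the medium hits as triage leads rather than verdicts.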
