Forensic Analysis | Hexacorn

If there is one proof that online collaboration works it is DeXRAY. Since the tool was first released it received quite a bit of attention from the DFIR community. Every once in a while I get not only a positive feedback from the users, but also very important contributing ideas and code offered by security researchers and professionals.

This release is not different.

A few days ago I was pinged by Luis Rocha (@countuponsec) who generously offered his insight and results of his and Antonio Monaca’s research on Kaspersky’s System Watcher feature (available in KES10) that quarantines files in the following location:

C:\ProgramData\Kaspersky Lab\KES10\SysWHist\file_cache\<md5>.bin

Luis discovered that the files are encrypted with a static XOR key 397b4d58c9397b4d58c9.

Based on his research I have quickly implemented a routine in Dexray to decrypt these files.

Thanks Luis and Antonio!

You can download the latest version here.

The full list of supported or recognized file formats is listed below:

AhnLab (V3B)
ASquared (EQF)
Avast (Magic@0=’-chest- ‘)
Avira (QUA)
Baidu (QV)
BitDefender (BDQ)
BullGuard (Q)
CMC Antivirus (CMC)
Comodo <GUID> (not really; Quarantined files are not encrypted 🙂
ESafe (VIR)
ESET (NQF)
F-Prot (TMP) (Magic@0=’KSS’)
Kaspersky (KLQ, System Watcher’s <md5>.bin)
Lavasoft AdAware (BDQ) /BitDefender files really/
Lumension LEMSS (lqf)
MalwareBytes Data files (DATA) – 2 versions
MalwareBytes Quarantine files (QUAR) – 2 versions
McAfee Quarantine files (BUP) /full support for OLE format/
Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
Panda <GUID> Zip files
Spybot – Search & Destroy 2 ‘recovery’
SUPERAntiSpyware (SDB)
Symantec ccSubSdk files: {GUID} files and submissions.idx
Symantec Quarantine Data files (QBD)
Symantec Quarantine files (VBN)
Symantec Quarantine Index files (QBI)
Symantec Quarantine files on MAC (quarantine.qtn)
TrendMicro (Magic@0=A9 AC BD A7 which is a ‘VSBX’ string ^ 0xFF)
QuickHeal <hash> files
Vipre (<GUID>_ENC2)
Zemana <hash> files+quarantine.db
Any binary file (using X-RAY scanning)

This little trick can be used to prank your friend more than using it as a real nation-state pwning technique, but it’s worth documenting, as usual, so here it goes…

I mentioned previously the Autoruns program registers the file type HKCR\Autoruns.Logfile.1 / HKCR\.ARN. The file stores the information autoruns grabbed from the system. You can save the autoruns log, and you can load them.

The last bit is the interesting part – if we can force the system to redirect all autoruns instances to one we can control, and also one that will always load the preserved data from the .arn file (instead of loading the fresh data set directly from the system), we will be able to fool the user that the state of the system has not changed.

So… the recipe goes like this:

Remove HKCR\Autoruns.Logfile.1 and HKCR\.ARN registry entries
Save autoruns.exe as e.g. c:\test\AutoNOruns.exe
Run c:\test\AutoNOruns.exe
- This will create new association for .ARN file in Registry (ones that point to c:\test\AutoNOruns.exe)
- This will also enumerate all autoruns entries on the system
  - Save these results to e.g. c:\test\AutoNOruns.arn
Modify registry key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
App Paths\autoruns.exe
to point to
c:\test\AutoNOruns.arn
Add some ‘bad’ entry to e.g. HKCU\Run
Run autoruns from the terminal, or via Windows+R
The new ‘bad’ entry won’t be shown.

Caveats:

It takes observable time to load c:\test\AutoNOruns.arn
Refreshing the view (F5) will unhide all the ‘hidden’ entries as Autoruns will refresh the view directly from the system
Double-clicking autoruns.exe is not routed via App Paths key so autoruns.exe will run properly

So, there you have it. The first Autoruns Rootkit ;)))

It’s superlame and has so many caveats that it’s impossible to treat it seriously, but maybe you will be able to fool someone 🙂

Hexacorn

Hexacorn

Category Archives: Forensic Analysis

DeXRAY 2.05 update

Yet another way to hide from Sysinternals’ tools, part 1.5