Beyond good ol’ Run key, Part 22

Perl2exe executables are Perl programs embedded inside an executable wrapper, which makes the script 'portable' and lets it run without installing a Perl interpreter.

It turns out that the way the wrapper loads things is rather 'open-minded': it looks for loadable modules and scripts in a lot of places, including directories that do not exist on a clean system. This 'feature' can be abused to build yet another (bizarre) persistence mechanism (actually, plenty of them).

As an example, we can look at a very old hdd.exe perl2exe program. I got it from a friend back in the day; it displays info about the HDD properties. Running it under procmon shows a lot of interesting artifacts related to files and directories that are... not found on the system.

For the sake of the demonstration, I will show only 2 hijacks, but if you browse through the log below you will find a lot of other potential phantom file names and directories that could be abused this way. Note that most of the probed locations are either relative to the directory the binary runs from (%SCRIPT_PATH% in the log) or inside a per-run temp directory (p2xtmp-1736 in the log), so anyone who can write to the program's directory gets code running in the context of whoever launches the binary.

Example #1

Creating a '(null)' directory in the same place where the perl2exe file is executed and dropping a sitecustomize.pl Perl script inside it leads to the script being executed when the perl2exe binary is launched (the literal '(null)' is most likely an unset path component formatted through printf's %s; see the CreateFile for ...\(null)\sitecustomize.pl in the log below):

  • (null)\sitecustomize.pl containing just a simple line:
    • print "Foobar\n";

[screenshot: sitecustomize]

Example #2

You can also create, e.g., PERL2EXE_STORAGE\auto\Cwd\Cwd.dll. This one is specific to perl2exe binaries whose script uses the Cwd module, but Cwd is popular enough to be a good target (the log below shows the same module being probed as %SCRIPT_PATH%\Cwd.dll and libCwd.dll as well):

[screenshots: Cwd, Cwd2]

And in debug view:

[screenshot: Cwd3]

Last, but not least, the (edited) log:

CreateFile                    %USERPROFILE%\Local Settings\Temp\p2xtmp-1736
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE\5.8.8\MSWin32-x86-multi-thread
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE\5.8.8\
QueryOpen                     %SCRIPT_PATH%\PERL2EXE_STORAGE\5.8.8\MSWin32-x86-multi-thread
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE\5.8.8
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE
QueryOpen                     %SCRIPT_PATH%\PERL2EXE_STORAGE\5.8.8
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE\MSWin32-x86-multi-thread
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE
QueryOpen                     %SCRIPT_PATH%\PERL2EXE_STORAGE\MSWin32-x86-multi-thread
CreateFile                    %SCRIPT_PATH%\5.8.8\MSWin32-x86-multi-thread
CreateFile                    %SCRIPT_PATH%\5.8.8
QueryOpen                     %SCRIPT_PATH%\5.8.8\MSWin32-x86-multi-thread
CreateFile                    %SCRIPT_PATH%\5.8.8
QueryDirectory                %SCRIPT_PATH%\5.8.8
QueryOpen                     %SCRIPT_PATH%\5.8.8
CreateFile                    %SCRIPT_PATH%\MSWin32-x86-multi-thread
QueryDirectory                %SCRIPT_PATH%\MSWin32-x86-multi-thread
QueryOpen                     %SCRIPT_PATH%\MSWin32-x86-multi-thread
CreateFile                    %USERPROFILE%\LOCALS~1\Temp\p2xtmp-1736\5.8.8\MSWin32-x86-multi-thread
CreateFile                    %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\5.8.8
QueryOpen                     %USERPROFILE%\LOCALS~1\Temp\p2xtmp-1736\5.8.8\MSWin32-x86-multi-thread
CreateFile                    %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\5.8.8
QueryDirectory                %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\5.8.8
QueryOpen                     %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\5.8.8
CreateFile                    %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\MSWin32-x86-multi-thread
QueryDirectory                %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\MSWin32-x86-multi-thread
QueryOpen                     %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\MSWin32-x86-multi-thread
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE\(null)\sitecustomize.pl
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE\(null)\
QueryOpen                     %SCRIPT_PATH%\PERL2EXE_STORAGE\(null)\sitecustomize.pl
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE\auto\Cwd\Cwd.dll
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE\auto\Cwd\
QueryOpen                     %SCRIPT_PATH%\PERL2EXE_STORAGE\auto\Cwd\Cwd.dll
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE\auto\Cwd
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE\auto\
QueryOpen                     %SCRIPT_PATH%\PERL2EXE_STORAGE\auto\Cwd
CreateFile                    %SCRIPT_PATH%\auto\Cwd
CreateFile                    %SCRIPT_PATH%\auto
QueryOpen                     %SCRIPT_PATH%\auto\Cwd
CreateFile                    %USERPROFILE%\LOCALS~1\Temp\p2xtmp-1736\auto\Cwd
CreateFile                    %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\auto
QueryOpen                     %USERPROFILE%\LOCALS~1\Temp\p2xtmp-1736\auto\Cwd
CreateFile                    %SCRIPT_PATH%\auto\Cwd
CreateFile                    %SCRIPT_PATH%\auto
QueryOpen                     %SCRIPT_PATH%\auto\Cwd
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE\auto\DynaLoader\dl_findfile.al
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE\auto\DynaLoader\
QueryOpen                     %SCRIPT_PATH%\PERL2EXE_STORAGE\auto\DynaLoader\dl_findfile.al
CreateFile                    %SCRIPT_PATH%\-L%USERPROFILE%\LOCALS~1\Temp\p2xtmp-1736
CreateFile                    %SCRIPT_PATH%\-L%USERPROFILE%\LOCALS~1\Temp\
QueryOpen                     %SCRIPT_PATH%\-L%USERPROFILE%\LOCALS~1\Temp\p2xtmp-1736
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE
QueryDirectory                %SCRIPT_PATH%\PERL2EXE_STORAGE
QueryOpen                     %SCRIPT_PATH%\PERL2EXE_STORAGE
CreateFile                    %SCRIPT_PATH%\Cwd.dll
QueryDirectory                %SCRIPT_PATH%\Cwd.dll
QueryOpen                     %SCRIPT_PATH%\Cwd.dll
CreateFile                    %SCRIPT_PATH%\Cwd.dll
QueryDirectory                %SCRIPT_PATH%\Cwd.dll
QueryOpen                     %SCRIPT_PATH%\Cwd.dll
CreateFile                    %SCRIPT_PATH%\libCwd.dll
QueryDirectory                %SCRIPT_PATH%\libCwd.dll
QueryOpen                     %SCRIPT_PATH%\libCwd.dll
CreateFile                    %SCRIPT_PATH%\Cwd
QueryDirectory                %SCRIPT_PATH%\Cwd
QueryOpen                     %SCRIPT_PATH%\Cwd
CreateFile                    %USERPROFILE%\Local Settings\Temp\p2xtmp-1736
QueryAllInformationFile       %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\Cwd.dll
CreateFile                    %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\Cwd.bs
QueryDirectory                %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\Cwd.bs
QueryOpen                     %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\Cwd.bs
CreateFile                    C:\bin\pwd
CreateFile                    C:\bin
QueryOpen                     C:\bin\pwd
CreateFile                    C:\usr\bin\pwd
CreateFile                    C:\usr\bin\
QueryOpen                     C:\usr\bin\pwd
CreateFile                    C:\QOpenSys\bin\pwd
CreateFile                    C:\QOpenSys\bin\
QueryOpen                     C:\QOpenSys\bin\pwd
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE\auto\Win32\OLE
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE\auto\Win32\
QueryOpen                     %SCRIPT_PATH%\PERL2EXE_STORAGE\auto\Win32\OLE
CreateFile                    %SCRIPT_PATH%\auto\Win32\OLE
CreateFile                    %SCRIPT_PATH%\auto\Win32\
QueryOpen                     %SCRIPT_PATH%\auto\Win32\OLE
CreateFile                    %USERPROFILE%\LOCALS~1\Temp\p2xtmp-1736\auto\Win32\OLE
CreateFile                    %USERPROFILE%\LOCALS~1\Temp\p2xtmp-1736\auto\Win32\
QueryOpen                     %USERPROFILE%\LOCALS~1\Temp\p2xtmp-1736\auto\Win32\OLE
CreateFile                    %SCRIPT_PATH%\auto\Win32\OLE
CreateFile                    %SCRIPT_PATH%\auto\Win32\
QueryOpen                     %SCRIPT_PATH%\auto\Win32\OLE
CreateFile                    %SCRIPT_PATH%\-L%USERPROFILE%\LOCALS~1\Temp\p2xtmp-1736
CreateFile                    %SCRIPT_PATH%\-L%USERPROFILE%\LOCALS~1\Temp\
QueryOpen                     %SCRIPT_PATH%\-L%USERPROFILE%\LOCALS~1\Temp\p2xtmp-1736
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE
QueryDirectory                %SCRIPT_PATH%\PERL2EXE_STORAGE
QueryOpen                     %SCRIPT_PATH%\PERL2EXE_STORAGE
CreateFile                    %SCRIPT_PATH%\OLE.dll
QueryDirectory                %SCRIPT_PATH%\OLE.dll
QueryOpen                     %SCRIPT_PATH%\OLE.dll
CreateFile                    %SCRIPT_PATH%\OLE.dll
QueryDirectory                %SCRIPT_PATH%\OLE.dll
QueryOpen                     %SCRIPT_PATH%\OLE.dll
CreateFile                    %SCRIPT_PATH%\libOLE.dll
QueryDirectory                %SCRIPT_PATH%\libOLE.dll
QueryOpen                     %SCRIPT_PATH%\libOLE.dll
CreateFile                    %SCRIPT_PATH%\OLE
QueryDirectory                %SCRIPT_PATH%\OLE
QueryOpen                     %SCRIPT_PATH%\OLE
CreateFile                    %USERPROFILE%\Local Settings\Temp\p2xtmp-1736
QueryAllInformationFile       %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\OLE.dll
CreateFile                    %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\OLE.bs
QueryDirectory                %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\OLE.bs
QueryOpen                     %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\OLE.bs
QueryOpen                     %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\WS2_32.dll
QueryOpen                     %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\WS2HELP.dll
SetDispositionInformationFile %USERPROFILE%\Local Settings\Temp\p2xtmp-1736
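As an added example (not code from the original post), here is a small Python triage helper for logs like the one above. It reads lines in the same 'Operation  Path' form as the edited log, keeps only the probes that would load code if the name existed (.pl/.pm scripts, .al AutoLoader fragments, .bs DynaLoader bootstrap files, .dll native modules, and the extensionless pwd binary Cwd looks for), and tags each with the kind of location it sits in. The sample lines are copied from the log; the classification rules are mine, not perl2exe's, and a real procmon CSV export should first be filtered on a NAME NOT FOUND result.

```python
import re
from collections import OrderedDict

# Constructed sample: a dozen lines copied from the (edited) procmon log above.
# A real procmon CSV export also carries a Result column; filter it on
# NAME NOT FOUND / PATH NOT FOUND before feeding the "Operation  Path" pairs here.
SAMPLE_LOG = r"""
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE\(null)\sitecustomize.pl
QueryOpen                     %SCRIPT_PATH%\PERL2EXE_STORAGE\(null)\sitecustomize.pl
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE\auto\Cwd\Cwd.dll
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE\auto\DynaLoader\dl_findfile.al
CreateFile                    %SCRIPT_PATH%\Cwd.dll
CreateFile                    %SCRIPT_PATH%\libCwd.dll
CreateFile                    %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\Cwd.bs
CreateFile                    C:\bin\pwd
CreateFile                    C:\usr\bin\pwd
CreateFile                    %SCRIPT_PATH%\PERL2EXE_STORAGE\5.8.8
QueryDirectory                %SCRIPT_PATH%\5.8.8
QueryOpen                     %USERPROFILE%\Local Settings\Temp\p2xtmp-1736\WS2_32.dll
"""

# Operations that mean "the process tried to open this exact name".
PROBE_OPS = {"CreateFile", "QueryOpen"}

# What the Perl runtime would do with the file if it existed.
EXT_KINDS = {
    ".pl": "perl code",
    ".pm": "perl code",
    ".bs": "perl code (DynaLoader bootstrap, run via do())",
    ".al": "perl code (AutoLoader fragment)",
    ".dll": "native library",
}


def classify_path(path):
    """Return the kind of code the process would load from this path, or None."""
    name = path.rsplit("\\", 1)[-1]
    m = re.search(r"\.[A-Za-z]+$", name)
    if m:
        return EXT_KINDS.get(m.group(0).lower())
    # Extensionless names under a ...\bin directory: Cwd.pm probing for a pwd binary.
    if re.search(r"\\bin\\[^\\.]+$", path, re.I):
        return "external executable"
    return None  # directories, version strings, etc. are not loadable


def locate(path):
    """Which kind of location the probe hit; this decides who can write there."""
    if path.upper().startswith("%SCRIPT_PATH%"):
        return "next to the binary"
    if re.search(r"\\p2xtmp-\d+\\", path, re.I):
        return "per-run temp directory"
    if re.match(r"[A-Za-z]:\\", path):
        return "fixed absolute path"
    return "other"


def find_hijack_candidates(log_text):
    """Map every probed, loadable file name to (kind, location); first hit wins."""
    found = OrderedDict()
    for line in log_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in PROBE_OPS:
            continue
        path = parts[1].rstrip()
        kind = classify_path(path)
        if kind and path not in found:
            found[path] = (kind, locate(path))
    return found


if __name__ == "__main__":
    for p, (kind, where) in find_hijack_candidates(SAMPLE_LOG).items():
        print(f"{where:24} {kind:44} {p}")
```

Running it over the full log instead of the sample turns the wall of CreateFile/QueryOpen lines into a short list of names worth planting (for a red teamer) or worth alerting on when they suddenly appear next to a perl2exe binary (for a defender).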

When you are a temp your days are often numbered. So are your file names. Part 1

Many applications create temp files. In the past, their names and locations were completely arbitrary and depended on the developer's whim; nowadays the file names are often somewhat predictable (as long as the app is legitimate, that is): they are placed inside the %TEMP% folder and named using a pattern that consists of a short, unique prefix followed by a number. We quite often encounter them during forensic investigations. And if you are wondering how these temp files are created: well-behaved applications typically use the Windows API GetTempFileName, which lets programmers specify a prefix for their application's temporary files. Programmers often specify a prefix longer than 3 characters, but the API uses only the first 3, as explained in the API description on MSDN:

lpPrefixString [in]

The null-terminated prefix string. The function uses up to the first three characters of this string as the prefix of the file name. This string must consist of characters in the OEM-defined character set.

It may be handy to get familiar with a few well-known temporary file names and prefixes, as it allows us to recognize specific temporary file name families and potentially use this knowledge to reduce the amount of data to analyze (of course, don't do it blindly).

The list below contains popular temp file names / prefixes; I am also including other well-known temporary file names:

  • C:\~GLC1034.TMP – side-effect of running Wise Installer; stage 2
  • %TEMP%\<digits>.tmp – typically caused by GetTempFileName API called with an empty prefix (or, file is created ‘manually’)
  • %TEMP%\7zS<digits>.tmp – side-effect of running Self-Extracting installer based on 7z
  • %TEMP%\~DF<hexdigits>.tmp – side-effect of running a Visual Basic Application; described in my older post
  • %TEMP%\~dfs<digits>.tmp – dropped by Adware.DomaIQ
  • %TEMP%\GLB<digits>.tmp – side-effect of running Wise Installer; stage 1 – this is a stub dropping DLL performing the installation (WISE*.dll)
  • %TEMP%\GLC<digits>.tmp – side-effect of running Wise Installer; this is the WISE*.dll – a DLL performing the installation
  • %TEMP%\GLD<digits>.tmp – side-effect of running Wise Installer; stage 3
  • %TEMP%\GLF<digits>.tmp – side-effect of running Wise Installer; stage 3
  • %TEMP%\GLG<digits>.tmp – side-effect of running Wise Installer; stage 3
  • %TEMP%\GLI<digits>.tmp – side-effect of running Wise Installer; stage 3
  • %TEMP%\GLJ<digits>.tmp – side-effect of running Wise Installer; stage 3
  • %TEMP%\GLK<digits>.tmp – side-effect of running Wise Installer; stage 3
  • %TEMP%\GLL<digits>.tmp – side-effect of running Wise Installer; stage 3
  • %TEMP%\GLM<digits>.tmp – side-effect of running Wise Installer; stage 3
  • %TEMP%\GL<other letter><digits>.tmp – possible side-effect of running Wise Installer; stage 3
  • %TEMP%\IXP<digits>.TMP – directory created by old-school installers developed using IEXPRESS
  • %TEMP%\nsi<digits>.tmp – side-effect of running Nullsoft Installer
  • %TEMP%\nst<digits>.tmp – side-effect of running very old Nullsoft Installer; it uses a hardcoded ‘nst’ as a prefix
  • %TEMP%\ns<other letter><digits>.tmp – side-effect of running older Nullsoft Installer; it uses a random letter following the prefix ‘ns’
  • %TEMP%\scs<digits>.tmp – side effect of running ntvdm.exe on Windows XP; usually two temporary files containing the same content as autoexec.nt and config.nt
  • %TEMP%\sfx<digits>.tmp – side-effect of running GkWare Installer
  • %TEMP%\stp<digits>.tmp – side-effect of running Wise Installer; stage 1
  • %TEMP%\sxe<digits>.tmp – side-effect of running a self-extracting executable, a custom installer often used by malware (I am not sure who developed it, it could be some old legitimate installer, or even Windows); it drops a compressed clean DLL (SZDD at the top of the file, usually sxe1.tmp), the DLL is decompressed (usually sxe2.tmp) and reveals itself to be just a decompression library (only one exported function, DllInflate), and finally sxe3.tmp is the payload
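Added example, not code from the original post: a Python helper that first emulates how GetTempFileName composes a name (three-character prefix truncation, the hex value of uUnique, a .TMP extension; the real API is never called) and then triages a constructed %TEMP% listing against the families in the list above, separating names that match a known family from the ones that still need a look. The prefixes passed to the emulation ('nsis', '7zSfx') are hypothetical illustrations of truncation, not claims about what those installers actually pass; the case of the hex digits and the family patterns themselves are my assumptions.

```python
import re


def emulate_get_temp_file_name(prefix, unique):
    """Build the name GetTempFileName would produce (an emulation written for
    this example, not the Windows call): only the first three characters of
    lpPrefixString survive, followed by uUnique in hex and '.TMP'. Only the
    low 16 bits of uUnique are used by the API; zero makes the API pick its
    own number, which this emulation does not do. Upper-case hex is an assumption."""
    if unique == 0:
        raise ValueError("uUnique == 0 lets the API choose a number; nothing to emulate")
    return f"{prefix[:3]}{unique & 0xFFFF:X}.TMP"


# Families from the list above, checked in order (first match wins). The
# <digits>/<hexdigits> parts are matched as hex because that is what
# GetTempFileName emits; directory names such as IXP000.TMP are matched too.
FAMILIES = [
    (r"~GLC[0-9A-F]+\.tmp", "Wise Installer, stage 2 (lives in C:\\)"),
    (r"7zS[0-9A-F]+\.tmp", "7z self-extracting installer"),
    (r"~dfs\d+\.tmp", "Adware.DomaIQ"),
    (r"~DF[0-9A-F]+\.tmp", "Visual Basic application"),
    (r"GLB[0-9A-F]+\.tmp", "Wise Installer, stage 1 stub"),
    (r"GLC[0-9A-F]+\.tmp", "Wise Installer, WISE*.dll"),
    (r"GL[DFGIJKLM][0-9A-F]+\.tmp", "Wise Installer, stage 3"),
    (r"GL[A-Z][0-9A-F]+\.tmp", "possibly Wise Installer, stage 3"),
    (r"IXP\d+\.tmp", "IEXPRESS installer directory"),
    (r"nsi[0-9A-F]+\.tmp", "Nullsoft Installer"),
    (r"nst[0-9A-F]+\.tmp", "very old Nullsoft Installer"),
    (r"ns[A-Z][0-9A-F]+\.tmp", "older Nullsoft Installer"),
    (r"scs[0-9A-F]+\.tmp", "ntvdm.exe on Windows XP"),
    (r"sfx[0-9A-F]+\.tmp", "GkWare Installer"),
    (r"stp[0-9A-F]+\.tmp", "Wise Installer, stage 1"),
    (r"sxe[0-9A-F]+\.tmp", "custom self-extracting executable (often malware)"),
    (r"\d+\.tmp", "empty prefix or hand-made name"),
]
COMPILED = [(re.compile(p, re.I), label) for p, label in FAMILIES]


def classify_temp_name(name):
    """Return the family label for a %TEMP% entry name, or None if unknown."""
    for rx, label in COMPILED:
        if rx.fullmatch(name):
            return label
    return None


def triage(names):
    """Split a %TEMP% listing into (known families, entries needing a look)."""
    known, unknown = {}, []
    for n in names:
        fam = classify_temp_name(n)
        if fam:
            known[n] = fam
        else:
            unknown.append(n)
    return known, unknown


# Constructed %TEMP% listing for the demo (not taken from a real case).
SAMPLE_TEMP = [
    "nsi3A2F.tmp", "GLF1B.tmp", "~DF7C3D.tmp", "sxe1.tmp", "sxe3.tmp",
    "A12.tmp", "1234.tmp", "IXP000.TMP", "GLQ12.tmp", "~dfs1234.tmp",
    "svchost.exe", "random.dat",
]

if __name__ == "__main__":
    # Truncation in action: a long prefix collapses to its first three characters.
    print(emulate_get_temp_file_name("nsis", 0x2F1))   # hypothetical prefix
    known, unknown = triage(SAMPLE_TEMP)
    for name, fam in known.items():
        print(f"{name:16} {fam}")
    print("needs a look:", unknown)
```

The "unknown" bucket is the point of the exercise: the known families are the data reduction the post talks about, and everything else is what you actually spend analyst time on.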

I am still crunching some data, so there will be part 2.