Detecting APT remnants in $MFT

Update 2018-12-15

This tool was an experiment; please do not use it anymore as it produces unreliable reports; the tool has not been updated for many years. Use modern AV/EDR software instead. Thanks!

Old Post

In a post from 2012 I introduced a simple tool that scans $MFT for traces of Flame.

Today I decided to update the list of file names the tool recognizes to include:

  • the latest in many APT campaigns – credit goes to kbandla @ https://github.com/kbandla/APTnotes/
  • some tools typically used by hackers (their full and short file names)
  • ‘stashed data’ file names, e.g. ‘1.rar’
  • other file names commonly used by hackers [lots of generic names]

This is an experimental tool, so do not jump if you see something in RED (well, you should not jump anyway, since it could mean you got pwned).

Just assess it and take it from there: look for the file names highlighted by HCD on your drive. If you can’t find them, use a forensic tool to export a full list of file names. P.S. I will add a feature to include full paths in future versions; the code is ready but needs some more polishing.

In any case, if you see something red you should probably look at your system anyway… If you find bugs or false positives, please let me know. Thanks.

Download the tool from here.

Example:

HCD run on a system where the DoubleFantasy installer was executed previously; the system also contains various reversing tools, e.g. ollydbg.exe and bintext.exe:

[screenshot: HCD output]

Last but not least, I am aware of some bugs, but it is better to have something than nothing to fight the clowns writing malware for governments…

What’s next?

If you suspect something ‘funny’, you can use the following tools to extract a full file list from $MFT:

Another way to test your system is by running LOKI by Florian Roth, a tool that scans your system for IOCs (Indicators of Compromise) from many well-known APT campaigns.

$MFT scanning for fun and err… Flame

Update 2018-12-15

This tool was an experiment; please do not use it anymore as it produces unreliable reports; the tool has not been updated for many years. Use modern AV/EDR software instead. Thanks!

Update 2012-July

Expect this tool to grow over the next couple of months.

Old Post

I was toying around with $MFT parsing and came up with a simple demo tool that parses $MFT looking for remnants of malware. The tool is written in x86 assembly, so I guess it is forensically sound 😉

At the moment it only scans for Flame malware (I used a list compiled from all the places I could find, including my own research, CrySyS Lab, Kaspersky, BitDefender, malware.lu, kernelmode.info, etc.; the list is pasted below).

It should find entries that are both live (existing files) and deleted entries.

This is how it works – if it is bad news for you:

Note: this is an experimental tool; DO NOT test it on a production system. You can always use fls.exe from The Sleuth Kit instead.

The tool can be downloaded here.
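The scan described above (walking $MFT FILE records, reading each $FILE_NAME and flagging watch-listed names whether the entry is live or deleted), as an added Python example that is not HCD's code: it parses a constructed MFT image built by make_record, undoes the NTFS update-sequence fixups, and reports the record's in-use flag so a deleted remnant is distinguishable from a live file. The watch list holds three names taken from the list below; the sample records and all helper names are assumptions.

```python
import struct
RECORD, SECTOR = 1024, 512
# Constructed watch list: a few of the Flame file names listed in the post, lower-cased.
WATCHLIST = {"mssecmgr.ocx", "advnetcfg.ocx", "~zlm0d1.ocx"}

def apply_fixups(rec):  # undo the update-sequence fixups NTFS stamps on each sector tail
    usa_ofs, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn, rec = rec[usa_ofs:usa_ofs + 2], bytearray(rec)
    for i in range(1, usa_cnt):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[end - 2:end] = rec[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return bytes(rec)

def file_names(rec):  # yield names from the record's resident $FILE_NAME (0x30) attributes
    ofs = struct.unpack_from("<H", rec, 0x14)[0]       # offset of first attribute
    while ofs + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, ofs)
        if atype == 0xFFFFFFFF or alen == 0:           # end-of-attributes marker
            break
        if atype == 0x30 and rec[ofs + 8] == 0:        # 0x30 = $FILE_NAME, byte 8 = non-resident flag
            v = ofs + struct.unpack_from("<H", rec, ofs + 0x14)[0]   # value offset
            yield rec[v + 0x42:v + 0x42 + 2 * rec[v + 0x40]].decode("utf-16-le")
        ofs += alen

def scan_mft(data):  # -> [(record_no, name, in_use)] for names on the watch list
    hits = []
    for n in range(len(data) // RECORD):
        rec = data[n * RECORD:(n + 1) * RECORD]
        if rec[:4] != b"FILE":                         # empty slot or BAAD record
            continue
        rec = apply_fixups(rec)
        in_use = bool(struct.unpack_from("<H", rec, 0x16)[0] & 1)   # flag bit 0: allocated
        for name in file_names(rec):
            if name.lower() in WATCHLIST:
                hits.append((n, name, in_use))       # in_use False == deleted entry
    return hits

def make_record(name, in_use):  # constructed 1 KiB FILE record with one $FILE_NAME, fixups applied
    enc = name.encode("utf-16-le")
    fn = bytes(0x40) + bytes([len(name), 3]) + enc     # zeroed times/sizes, name length, namespace
    alen = (0x18 + len(fn) + 7) & ~7                   # attribute length, 8-byte aligned
    attr = struct.pack("<IIBBHHHIHH", 0x30, alen, 0, 0, 0, 0, 0, len(fn), 0x18, 0) + fn
    rec = bytearray(RECORD)
    rec[:0x18] = b"FILE" + struct.pack("<HHQHHHH", 0x30, 3, 0, 1, 1, 0x38, int(in_use))
    rec[0x38:0x40 + alen] = attr.ljust(alen, b"\0") + b"\xff\xff\xff\xff\0\0\0\0"
    rec[0x30:0x36] = b"\x01\x00" + rec[510:512] + rec[1022:1024]   # USN, then stashed sector tails
    rec[510:512] = rec[1022:1024] = b"\x01\x00"                    # stamp USN on each sector tail
    return bytes(rec)

SAMPLE_MFT = make_record("mssecmgr.ocx", True) + make_record("notepad.exe", True) + make_record("~ZLM0D1.ocx", False)
```

Running scan_mft(SAMPLE_MFT) reports the live mssecmgr.ocx in record 0 and the deleted ~ZLM0D1.ocx in record 2, while notepad.exe is ignored.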

This is a list of files it searches for:

  • advnetcfg.ocx
  • Advpck.dat
  • audache
  • audfilter.dat
  • authcfg.dat
  • authpack.ocx
  • boot32drv.sys
  • browse32.ocx
  • ccalc32.sys
  • cmutlcfg.ocx
  • commgr32
  • comspol32.dll
  • comspol32.ocx
  • contents.btr
  • ctrllist.dat
  • dcomm.dat
  • desc.ini
  • dmmsapi.dat
  • dsmgr.ocx
  • dstrlog.dat
  • Ef_trace.log
  • fib32.bat
  • frog.bat
  • gppref32.exe
  • grb9m2.bat
  • guninst32
  • indsvc32.ocx
  • lib.ocx
  • lmcache.dat
  • lss.ocx
  • m4aaux.dat
  • modevga.com
  • mprhlp
  • MSAPackages
  • MSAudio
  • MSAuthCtrl
  • mscrypt.dat
  • msglu32.ocx
  • mssecmgr.ocx
  • MSSecurityMgr
  • MSSndMix
  • mssui.drv
  • mssvc32.ocx
  • netcfgi.ocx
  • ntaps.dat
  • nteps32
  • nteps32.ocx
  • Pcldrvx.ocx
  • rdcvlt32.exe
  • Rpcnc.dat
  • rpcns4.ocx
  • scaud32.exe
  • scsec32.exe
  • sdclt32.exe
  • secindex.dat
  • soapr32.ocx
  • ssitable
  • stamn32
  • svchost1ex.mof
  • Svchostevt.mof
  • target.lnk
  • to961.tmp
  • urpd.ocx
  • watchxb.sys
  • wavesup3.drv
  • winconf32.ocx
  • winrt32.dll
  • winrt32.ocx
  • wlndh32
  • Wpab32.bat
  • wpgfilter.dat
  • wrm3f0
  • zff042
  • ~8C5FF6C.tmp
  • ~a29.tmp
  • ~d43a37b.tmp
  • ~DEB83C.tmp
  • ~DEB93D.tmp
  • ~DF05AC8.tmp
  • ~dfc855.tmp
  • ~DFD85D3.tmp
  • ~DFL*.tmp
  • ~DFL983.tmp
  • ~dra*.tmp
  • ~dra52.tmp
  • ~dra53.tmp
  • ~f28.tmp
  • ~fghz.tmp
  • ~HLV
  • ~HLV*.tmp
  • ~KWI
  • ~KWI988.tmp
  • ~KWI989.tmp
  • ~mso2a0.tmp
  • ~mso2a1.tmp
  • ~mso2a2.tmp
  • ~nms534
  • ~rcf0
  • ~rcj0
  • ~rei524.tmp
  • ~rei525.tmp
  • ~rf288.tmp
  • ~rft374.tmp
  • ~TFL848.tmp
  • ~TFL849.tmp
  • ~ZLM0D1.ocx
  • ~ZLM0D2.ocx