{"id":1680,"date":"2013-01-25T19:31:58","date_gmt":"2013-01-25T19:31:58","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1680"},"modified":"2013-01-25T19:31:58","modified_gmt":"2013-01-25T19:31:58","slug":"detecting-extended-attributes-zeroaccess-and-other-frankensteins-monsters-with-hmft","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2013\/01\/25\/detecting-extended-attributes-zeroaccess-and-other-frankensteins-monsters-with-hmft\/","title":{"rendered":"Detecting Extended Attributes (ZeroAccess) and other Frankenstein&#8217;s Monsters with HMFT"},"content":{"rendered":"<p>The topic of Extended Attributes (EA) has recently been covered in an excellent post by Corey. Entitled <a href=\"http:\/\/journeyintoir.blogspot.com\/2012\/12\/extracting-zeroaccess-from-ntfs.html\">Extracting ZeroAccess from NTFS Extended Attributes<\/a>, it goes into (amazing) depth explaining what EA is and how to extract this artifact from the system. It&#8217;s pure forensic gold, and if you haven&#8217;t read this post yet, please go ahead and do so before reading mine.<\/p>\n<p>Like Corey, I was very interested in researching EA, and I finally took some time tonight to have a deeper look at it myself. I actually wanted to dig into the code rather than the $MFT artifacts alone, not only to have something to write about (after all, Corey already covered everything! :-)), but also because I wanted to see how the EA is actually created and what system functions\/APIs are used by malware. The reason behind this curiosity was the improvement of my analysis tools and techniques, and a few other ideas that I will be quiet about for the moment.<\/p>\n<p>I first assumed that the ZeroAccess&#8217; EAs are created using the <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/hardware\/ff961908%28v=vs.85%29.aspx\"><strong>ZwSetEaFile\/NtSetEaFile<\/strong><\/a> function from ntdll.dll. 
I had seen this API name popping up on some blogs and referenced in my ZeroAccess memory\/file dumps, so it was a natural &#8216;breakpoint&#8217; choice for OllyDbg analysis:<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/zeroaccess_ea_1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1681\" alt=\"zeroaccess_ea_1\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/zeroaccess_ea_1.png\" width=\"668\" height=\"357\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/zeroaccess_ea_1.png 668w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/zeroaccess_ea_1-300x160.png 300w\" sizes=\"(max-width: 668px) 100vw, 668px\" \/><\/a><\/p>\n<p>To my surprise, none of the samples I checked used this function at all!<\/p>\n<p>Curious, I started digging into it a bit more and realized that for the samples I looked at, the EAs are actually created not by the <strong>ZwSetEaFile\/NtSetEaFile<\/strong> function, but by <strong><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/bb432380%28v=vs.85%29.aspx\">ZwCreateFile\/NtCreateFile<\/a><\/strong>.<\/p>\n<p>Surprised?<\/p>\n<p>I was!<\/p>\n<p>Looking at the <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/bb432380%28v=vs.85%29.aspx\">documentation<\/a>, you can see the following function parameters described on MSDN:<\/p>\n<pre style=\"padding-left: 30px;\">NTSTATUS NtCreateFile(\r\n  _Out_     PHANDLE FileHandle,\r\n  _In_      ACCESS_MASK DesiredAccess,\r\n  _In_      POBJECT_ATTRIBUTES ObjectAttributes,\r\n  _Out_     PIO_STATUS_BLOCK IoStatusBlock,\r\n  _In_opt_  PLARGE_INTEGER AllocationSize,\r\n  _In_      ULONG FileAttributes,\r\n  _In_      ULONG ShareAccess,\r\n  
_In_      ULONG CreateDisposition,\r\n  _In_      ULONG CreateOptions,\r\n<span style=\"color: #ff0000;\">  _In_      PVOID EaBuffer,\r\n  _In_      ULONG EaLength<\/span>\r\n);<\/pre>\n<p>Yes, it&#8217;s that simple.<\/p>\n<p>One thing to note &#8211; the EA is added to files on both Windows XP and Windows 7, but only under Windows 7 did I observe the modification of services.exe. On Windows XP, it only appended an EA to the &#8216;U&#8217; file and nothing else.<\/p>\n<p>Okay, I mentioned I had a couple of reasons why I wanted to research this feature. Now it&#8217;s time to reveal them!<\/p>\n<h3>Idea #1 &#8211; POC<\/h3>\n<p>Once I found out what APIs are being used by the malware, I was also able to produce a simple snippet of code that reproduces the functionality:<\/p>\n<pre style=\"padding-left: 60px;\">.586\r\n.MODEL FLAT,STDCALL\r\n\r\n o equ OFFSET\r\n include    windows.inc\r\n include    kernel32.inc\r\n includelib kernel32.lib\r\n include    ntdll.inc\r\n includelib ntdll.lib\r\n include    masm32.inc\r\n includelib masm32.lib\r\n\r\n; IO status block filled in by NtSetEaFile\r\nIO_STATUS_BLOCK STRUCT\r\n    union\r\n    Status      dd ?\r\n    Pointer     dd ?\r\n    ends\r\n    Information dd ?\r\nIO_STATUS_BLOCK ENDS\r\n\r\n.data?\r\n file db 256 dup (?)    ; full path of the file to create (argument 1)\r\n fa   db 256 dup (?)    ; buffer holding one FILE_FULL_EA_INFORMATION entry\r\n _FILE_FULL_EA_INFORMATION struct\r\n   NextEntryOffset dd ?\r\n   Flags           db ?\r\n   EaNameLength    db ?\r\n   EaValueLength   dw ?\r\n   
EaName          db ?   ; name bytes, a NUL, then the value bytes follow in the buffer\r\n _FILE_FULL_EA_INFORMATION ends\r\n FEA equ _FILE_FULL_EA_INFORMATION\r\n io IO_STATUS_BLOCK &lt;&gt;\r\n.code\r\n  Start:\r\n  invoke GetCL,1, o file                                   ; argument 1: file path\r\n  lea    edi,[fa+_FILE_FULL_EA_INFORMATION.EaName]\r\n  invoke GetCL,2, edi                                      ; argument 2: EA name, copied straight into the entry\r\n  invoke lstrlenA,edi\r\n  lea    esi,[fa+_FILE_FULL_EA_INFORMATION.EaNameLength]\r\n  mov    [esi],al                                          ; EaNameLength (one byte)\r\n  add    edi,eax\r\n  inc    edi                                               ; skip the NUL that terminates the name\r\n  invoke GetCL,3, edi                                      ; argument 3: EA value, placed right after the name\r\n  invoke lstrlenA,edi\r\n  lea    esi,[fa+_FILE_FULL_EA_INFORMATION.EaValueLength]\r\n  mov    [esi],al                                          ; EaValueLength (low byte; the word was zero-initialised)\r\n  add    edi,eax                                           ; edi now points past the end of the entry\r\n  invoke CreateFileA, o file, \\\r\n                      GENERIC_WRITE, \\\r\n                      0, \\\r\n                      NULL, \\\r\n                      CREATE_NEW, \\\r\n                      FILE_ATTRIBUTE_NORMAL, \\\r\n                      NULL\r\n  xchg   eax,ebx                                           ; ebx = file handle (not checked for INVALID_HANDLE_VALUE)\r\n  mov    eax,edi\r\n  sub    eax,o fa                                          ; eax = EaLength, the size of the whole entry\r\n  <strong><span style=\"color: #ff0000;\">invoke NtSetEaFile,ebx,o io,o fa, eax<\/span><\/strong>\r\n  invoke CloseHandle,ebx\r\n  invoke ExitProcess,0\r\nEND 
Start<\/pre>\n<p>This code can be used for testing purposes in a lab environment.<\/p>\n<p>You can either compile the code yourself using masm32 or use a precompiled binary &#8211; download it <a href=\"https:\/\/hexacorn.com\/examples\/2013-01-26_ea.zip\">here<\/a>.<\/p>\n<p>To run:<\/p>\n<pre style=\"padding-left: 30px;\">ea.exe &lt;full path name to a file&gt; &lt;EA name&gt; &lt;EA value&gt;<\/pre>\n<p>e.g.:<\/p>\n<pre style=\"padding-left: 30px;\">ea.exe g:\\test.txt foo bar<\/pre>\n<p>Remember to specify a full path to the file. Also, choose a file name that does not exist yet (the program opens the file with CREATE_NEW, so it won&#8217;t work with files that are already present).<\/p>\n<p>Last, but not least &#8211; there are no error checks; you can add them yourself if you wish \ud83d\ude42<\/p>\n<h3>Idea #2 &#8211; Reduce the FUD factor<\/h3>\n<p>While it is a novel technique, it is not very advanced &#8211; a single API call does all the dirty work to _create_ the EA.<\/p>\n<p>To _detect_ an EA is not very difficult either &#8211; as long as you have the right tool to do so \ud83d\ude42<\/p>\n<h3>Idea #3 &#8211; Show how to detect EA on a live system<\/h3>\n<p>Now that I have a POC, I can run it:<\/p>\n<pre style=\"padding-left: 30px;\">ea.exe g:\\test.txt foo bar<\/pre>\n<p>and then analyze the changes introduced to the file system.<\/p>\n<p>I can do it quickly with <a href=\"https:\/\/www.hexacorn.com\/blog\/category\/software-releases\/hmft\/\">hmft<\/a>:<\/p>\n<pre style=\"padding-left: 30px;\">hmft -l g: mft_list<\/pre>\n<p>I tested the program on a small drive that I use for my tests. 
I formatted it first to ensure its MFT is clean:<br \/>\n<a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/hmft_ea_1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-1686 aligncenter\" alt=\"hmft_ea_1\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/hmft_ea_1.png\" width=\"565\" height=\"383\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/hmft_ea_1.png 565w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/hmft_ea_1-300x203.png 300w\" sizes=\"(max-width: 565px) 100vw, 565px\" \/><\/a><\/p>\n<p>I then opened the\u00a0<strong>mft_list<\/strong> file in a Total Commander&#8217;s Lister and searched for <strong>MFTA_EA<\/strong>. <a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/hmft_ea_2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-1687 aligncenter\" alt=\"hmft_ea_2\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/hmft_ea_2.png\" width=\"460\" height=\"805\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/hmft_ea_2.png 460w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/hmft_ea_2-171x300.png 171w\" sizes=\"(max-width: 460px) 100vw, 460px\" \/><\/a><\/p>\n<p>I am pasting the full record for your reference:<\/p>\n<pre style=\"padding-left: 60px;\">\u00a0 [FILE]\r\n\u00a0\u00a0\u00a0 SignatureD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1162627398\r\n\u00a0\u00a0\u00a0 OffsetToFixupArrayW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 48\r\n\u00a0\u00a0\u00a0 NumberOfEntriesInFixupArrayW\u00a0 = 3\r\n\u00a0\u00a0\u00a0 LogFileSequenceNumberQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1062946\r\n\u00a0\u00a0\u00a0 SequenceValueW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1\r\n\u00a0\u00a0\u00a0 
LinkCountW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1\r\n\u00a0\u00a0\u00a0 OffsetToFirstAttributeW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 56\r\n\u00a0\u00a0\u00a0 FlagsW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1\r\n\u00a0\u00a0\u00a0 UsedSizeOfMFTEntryD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 368\r\n\u00a0\u00a0\u00a0 AllocatedSizeOfMFTEntryD\u00a0\u00a0\u00a0\u00a0\u00a0 = 1024\r\n\u00a0\u00a0\u00a0 FileReferenceToBaseRecordQ\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0 NextAttributeIdD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 5\r\n\u00a0\u00a0 --\r\n\r\n\u00a0\u00a0\u00a0 RESIDENT ATTRIBUTE\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeTypeIdentifierD = 16\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfAttributeD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 96\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 NonResidentFlagB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfNameB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 OffsetToNameW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 FlagsW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeIdentifierW\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 SizeOfContentD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 72\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 OffsetToContentW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 24\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MFTA_STANDARD_INFORMATION\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 
CreationTimeQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 130036100539989520\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ModificationTimeQ\u00a0\u00a0\u00a0\u00a0 = 130036100539989520\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MFTModificationTimeQ\u00a0 = 130036100539989520\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 AccessTimeQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 130036100539989520\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 FlagsD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 32\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MaxNumOfVersionsD\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 VersionNumberD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ClassIdD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 OwnerIdD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 SecurityIdD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 261\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 QuotaQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 USNQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 CreationTime (epoch)\u00a0\u00a0\u00a0 = 1359136453\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ModificationTime (epoch)\u00a0 = 
1359136453\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MFTModificationTime (epoch)\u00a0 = 1359136453\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 AccessTime (epoch)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1359136453\r\n\u00a0\u00a0 --\r\n\r\n\u00a0\u00a0\u00a0 RESIDENT ATTRIBUTE\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeTypeIdentifierD = 48\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfAttributeD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 112\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 NonResidentFlagB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfNameB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 OffsetToNameW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 FlagsW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeIdentifierW\u00a0\u00a0\u00a0\u00a0 = 2\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 SizeOfContentD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 82\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 OffsetToContentW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 24\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MFTA_FILE_NAME\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ParentID6\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 5\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ParentUseIndexW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 5\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 CreationTimeQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 130036100539989520\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ModificationTimeQ\u00a0\u00a0\u00a0\u00a0 = 
130036100539989520\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MFTModificationTimeQ\u00a0 = 130036100539989520\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 AccessTimeQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 130036100539989520\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 CreationTime (epoch)\u00a0\u00a0\u00a0 = 1359136453\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ModificationTime (epoch)\u00a0 = 1359136453\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MFTModificationTime (epoch)\u00a0 = 1359136453\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 AccessTime (epoch)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1359136453\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 AllocatedSizeQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 RealSizeQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 FlagsD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 32\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ReparseValueD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfNameB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 8\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 NameSpaceB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 3\r\n\u00a0\u00a0\u00a0\u00a0 FileName = test.txt\r\n\u00a0\u00a0 --\r\n\r\n\u00a0\u00a0\u00a0 RESIDENT ATTRIBUTE\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeTypeIdentifierD = 128\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfAttributeD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 
24\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 NonResidentFlagB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfNameB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 OffsetToNameW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 24\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 FlagsW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeIdentifierW\u00a0\u00a0\u00a0\u00a0 = 1\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 SizeOfContentD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 OffsetToContentW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 24\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MFTA_DATA\r\n\u00a0\u00a0 --\r\n\r\n<span style=\"color: #ff0000;\">\u00a0\u00a0\u00a0<\/span><span style=\"color: #ff0000;\">\r\n\u00a0\u00a0\u00a0 RESIDENT ATTRIBUTE\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeTypeIdentifierD = 208\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfAttributeD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 32\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 NonResidentFlagB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfNameB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 OffsetToNameW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 FlagsW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeIdentifierW\u00a0\u00a0\u00a0\u00a0 = 3\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 SizeOfContentD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 8\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 
OffsetToContentW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 24\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <strong>MFTA_EA_INFORMATION<\/strong>\r\n\u00a0\u00a0 --\r\n\r\n\u00a0\u00a0\u00a0 RESIDENT ATTRIBUTE\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeTypeIdentifierD = 224\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfAttributeD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 40\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 NonResidentFlagB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfNameB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 OffsetToNameW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 FlagsW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeIdentifierW\u00a0\u00a0\u00a0\u00a0 = 4\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 SizeOfContentD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 16\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 OffsetToContentW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 24\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <strong>MFTA_EA\r\n<\/strong><\/span><\/pre>\n<p>There are two EA-related entries here:<\/p>\n<ul>\n<li>MFTA_EA_INFORMATION (attribute type 208, i.e. the NTFS $EA_INFORMATION attribute)<\/li>\n<li>MFTA_EA (attribute type 224, i.e. the NTFS $EA attribute)<\/li>\n<\/ul>\n<p>Manual analysis like this is quite tiring, so we can write a short perl snippet that helps with postprocessing:<\/p>\n<pre style=\"padding-left: 30px;\">use strict;\r\nmy $f='';   # file name of the $MFT record we are currently inside\r\nmy $l='';   # previous line of hmft output\r\nwhile (&lt;&gt;)\r\n{\r\n  s\/[\\r\\n]+\/\/g;\r\n  $f = $1 if \/FileName = (.+)$\/;\r\n  # report MFTA_EA and MFTA_EA_INFORMATION attributes for the current file\r\n  print \"$f has $1 record\\n\" if ($l =~ \/(MFTA_EA(_[A-Z]+)?)\/);\r\n  $l = $_;\r\n}<\/pre>\n<p>Saving it into an <strong>ea.pl<\/strong> file and running it as:<\/p>\n<pre style=\"padding-left: 30px;\">ea.pl 
mft_list<\/pre>\n<p>produces the following output:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/hmft_ea_3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-1688 aligncenter\" alt=\"hmft_ea_3\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/hmft_ea_3.png\" width=\"413\" height=\"143\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/hmft_ea_3.png 413w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/hmft_ea_3-300x103.png 300w\" sizes=\"(max-width: 413px) 100vw, 413px\" \/><\/a><\/p>\n<h3>Idea #4 &#8211; Detect ZeroAccess with hmft<\/h3>\n<p>It&#8217;s simple \ud83d\ude42<\/p>\n<ul>\n<li>I ran hmft before the ZeroAccess installation<\/li>\n<li>Then I infected my test box<\/li>\n<li>I then ran hmft after the ZeroAccess installation<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/zeroaccess_ea_2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-1691 aligncenter\" alt=\"zeroaccess_ea_2\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/zeroaccess_ea_2.png\" width=\"653\" height=\"419\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/zeroaccess_ea_2.png 653w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/zeroaccess_ea_2-300x192.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/zeroaccess_ea_2-80x50.png 80w\" sizes=\"(max-width: 653px) 100vw, 653px\" \/><\/a><\/p>\n<p>At this stage, all I had to do was to run <strong>ea.pl<\/strong> on both outputs and I got the following results:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/zeroaccess_ea_3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-1692 aligncenter\" alt=\"zeroaccess_ea_3\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/zeroaccess_ea_3.png\" 
width=\"469\" height=\"263\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/zeroaccess_ea_3.png 469w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/zeroaccess_ea_3-300x168.png 300w\" sizes=\"(max-width: 469px) 100vw, 469px\" \/><\/a><\/p>\n<p>Or, for the sake of copy &amp; paste (and web bots :)):<\/p>\n<pre style=\"padding-left: 30px;\">r:\\&gt;<strong>ea.pl before_installation<\/strong>\r\nV20~1.6 has MFTA_EA_INFORMATION record\r\nV20~1.6 has MFTA_EA record\r\n\r\nr:\\&gt;<strong>ea.pl after_installation<\/strong>\r\n<span style=\"color: #ff0000;\">U has MFTA_EA_INFORMATION record<\/span>\r\n<span style=\"color: #ff0000;\">U has MFTA_EA record<\/span>\r\nV20~1.6 has MFTA_EA_INFORMATION record\r\nV20~1.6 has MFTA_EA record\r\n<span style=\"color: #ff0000;\">U has MFTA_EA_INFORMATION record<\/span>\r\n<span style=\"color: #ff0000;\">U has MFTA_EA record<\/span>\r\n<span style=\"color: #ff0000;\">services.exe has MFTA_EA_INFORMATION record<\/span>\r\n<span style=\"color: #ff0000;\">services.exe has MFTA_EA record<\/span>\r\n<\/pre>\n<p>As we can see, the malware activity is immediately visible: the EA records on <strong>U<\/strong> and on <strong>services.exe<\/strong> appear only in the post-infection listing.<\/p>\n<p>By the way, <strong>V20~1.6<\/strong> is a $MFT FILE record that refers to <strong>C:\\Windows\\CSC\\v2.0.6<\/strong> and is related to Offline Files (client-side caching). I don&#8217;t have any information about the content of this EA. 
Perhaps someone will be more curious than me and poke around there \ud83d\ude42<\/p>\n<h3>Idea #5 &#8211; Create a Frankenstein&#8217;s monster<\/h3>\n<p>Using an EA and an ADS (Alternate Data Stream) on a single file is also possible.<\/p>\n<p>You can use <strong>ea.exe<\/strong> to create such a Frankenstein&#8217;s monster in 2 simple steps:<\/p>\n<ul>\n<li>run it first with a filename only &#8211; this creates the EA record<\/li>\n<li>then re-run it with a stream name &#8211; this creates the ADS, but setting the EA on the ADS will fail (sometimes it&#8217;s OK to fail :))<\/li>\n<\/ul>\n<p style=\"text-align: left;\">The result is shown in the following screenshot:<a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/ea_frankensteins_monster_1.png\"><br \/>\n<img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-1693 aligncenter\" alt=\"ea_frankensteins_monster_1\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/ea_frankensteins_monster_1.png\" width=\"605\" height=\"491\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/ea_frankensteins_monster_1.png 605w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/ea_frankensteins_monster_1-300x243.png 300w\" sizes=\"(max-width: 605px) 100vw, 605px\" \/><\/a><\/p>\n<p>Using hmft and a combination of <strong>ea.pl<\/strong> and <strong>ads.pl<\/strong> (posted in an older post about HMFT) in a single <strong>eads.pl<\/strong> script:<\/p>\n<pre style=\"padding-left: 30px;\">use strict;\r\nmy $f='';   # file name of the $MFT record we are currently inside\r\nmy $l='';   # previous line of hmft output\r\nwhile (&lt;&gt;)\r\n{\r\n  s\/[\\r\\n]+\/\/g;\r\n  $f = $1 if \/FileName = (.+)$\/;\r\n  # EA: report MFTA_EA and MFTA_EA_INFORMATION attributes (as in ea.pl)\r\n  print \"$f has $1 record\\n\" if ($l =~ \/(MFTA_EA(_[A-Z]+)?)\/);\r\n  # ADS: a named MFTA_DATA attribute is an alternate data stream (as in ads.pl)\r\n  print \"$f:$1\\n\" if ($l =~ \/MFTA_DATA\/&amp;&amp;\/AttributeName = (.+)$\/);\r\n  $l = $_;\r\n}<\/pre>\n<p>we can easily detect such a beast as well.<\/p>\n<p>That&#8217;s all, thanks for 
reading!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The topic of Extended Attributes (EA) has been recently covered in an excellent post by Corey. Entitled Extracting ZeroAccess from NTFS Extended Attributes it goes into (amazing) depth explaining on what EA is and how to extract this artifact from &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2013\/01\/25\/detecting-extended-attributes-zeroaccess-and-other-frankensteins-monsters-with-hmft\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,15,19,20,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1680"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1680"}],"version-history":[{"count":12,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1680\/revisions"}],"predecessor-version":[{"id":1699,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1680\/revisions\/1699"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1680"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1680"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1680"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}