{"id":1701,"date":"2013-02-17T13:18:04","date_gmt":"2013-02-17T13:18:04","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1701"},"modified":"2013-02-18T04:33:36","modified_gmt":"2013-02-18T04:33:36","slug":"hmft-3-0-extended-attributes-short-update","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2013\/02\/17\/hmft-3-0-extended-attributes-short-update\/","title":{"rendered":"HMFT 0.3 + Extended Attributes, short update"},"content":{"rendered":"<p><strong>update<\/strong><\/p>\n<p>fixed the title of the post\u00a0 &#8211; it&#8217;s obviously a version 0.3 and not 3.0 \ud83d\ude42<\/p>\n<p><strong>old post<\/strong><\/p>\n<p>In my last post <a title=\"Detecting Extended Attributes (ZeroAccess) and other Frankenstein\u2019s Monsters with HMFT\" href=\"https:\/\/www.hexacorn.com\/blog\/2013\/01\/25\/detecting-extended-attributes-zeroaccess-and-other-frankensteins-monsters-with-hmft\/\">I talked<\/a> about detecting Extended Attributes (used by ZeroAccess malware) using HMFT.\u00a0 Today I got a chance to update it a bit with some more information.<\/p>\n<p>First of all, I clustered some of the ZeroAccess samples I had and I came up with a list of comprehensive (of course it&#8217;s limited by a sampleset I have) file locations and their Extended Attributes that are used by the malware:<\/p>\n<ul>\n<li>%SYSTEMROOT%\\system32\\services.exe::<span style=\"color: #ff0000;\"><strong>731<\/strong><\/span><\/li>\n<li>%USERPROFILE%\\appdata\\local\\a4ca9b9c\\u::<strong><span style=\"color: #ff0000;\">@@@<\/span>\u00a0<\/strong><\/li>\n<li>%USERPROFILE%\\AppData\\Local\\{0c9c4ca4-c3a9-47cf-2e3e-4db8bf2ad457}\\U::<span style=\"color: #ff0000;\"><strong>001<\/strong><\/span><\/li>\n<li>%SYSTEMROOT%\\$NtUninstallKB16214$\\2764741532\\U::<span style=\"color: #ff0000;\"><strong>CFG<\/strong><\/span><\/li>\n<\/ul>\n<p>You can find a full list of samples using EAs together with hashes (md5_sha1) <a 
href=\"https:\/\/hexacorn.com\/examples\/2013-02-17_zeroaccess_ea.txt\">here<\/a>.<\/p>\n<p>Secondly, I added some code to HMFT and now it can dump Extended Attribute&#8217;s name (and some printable content of the EA value) as well:<\/p>\n<pre style=\"padding-left: 30px;\">\u00a0\u00a0 RESIDENT ATTRIBUTE\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeTypeIdentifierD = 224\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfAttributeD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 40\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 NonResidentFlagB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 LengthOfNameB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 OffsetToNameW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 FlagsW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 AttributeIdentifierW\u00a0\u00a0\u00a0\u00a0 = 4\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 SizeOfContentD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 16\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 OffsetToContentW\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 24\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 --\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<span style=\"color: #ff0000;\">\u00a0 MFTA_EA<\/span>\r\n<span style=\"color: #ff0000;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 OfsNextEAD\u00a0\u00a0\u00a0\u00a0\u00a0 = 16<\/span>\r\n<span style=\"color: #ff0000;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 FlagsB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0<\/span>\r\n<span style=\"color: #ff0000;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 EaNameLenB\u00a0\u00a0\u00a0\u00a0\u00a0 = 3<\/span>\r\n<span style=\"color: 
#ff0000;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 EaValueLenW\u00a0\u00a0\u00a0\u00a0 = 3<\/span>\r\n<span style=\"color: #ff0000;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 EaName = <strong>FOO<\/strong><\/span>\r\n<span style=\"color: #ff0000;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 EaValue= <strong>bar<\/strong><\/span><\/pre>\n<p>Using the newer version of HMFT on one of the ZeroAccess samples gives the following result after postprocessing with the eads.pl script:<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/02\/2013-02-17_zeroaccess_ea1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1702\" alt=\"2013-02-17_zeroaccess_ea1\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/02\/2013-02-17_zeroaccess_ea1.png\" width=\"477\" height=\"191\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/02\/2013-02-17_zeroaccess_ea1.png 477w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/02\/2013-02-17_zeroaccess_ea1-300x120.png 300w\" sizes=\"(max-width: 477px) 100vw, 477px\" \/><\/a><\/p>\n<p>After the HMFT update, eads.pl had to be slightly modified:<\/p>\n<pre style=\"padding-left: 30px;\">use strict;\r\nmy $f='';  # FileName of the MFT record currently being parsed\r\nmy $l='';  # previous input line, kept as context for the current one\r\nwhile (&lt;&gt;)\r\n{\r\n\u00a0 s\/[\\r\\n]+\/\/g;\r\n\u00a0 $f = $1 if \/FileName = (.+)$\/;\r\n\u00a0 print \"$f has $1 record\\n\" if ($l =~ \/(MFTA_EA(_[A-Z]+)?)\/);\r\n\u00a0 print \"$f:\".\":$1\\n\" if (\/EaName = (.+)$\/);\r\n\u00a0 print \"$f:$1\\n\" if ($l =~ \/MFTA_DATA\/&amp;&amp;\/AttributeName = (.+)$\/);\r\n\u00a0 $l = $_;\r\n}<\/pre>\n<p>Btw. 
if you look at the screenshot above you will notice the :SummaryInformation ADS used by this sample (5D23ACF4C2221B687BC96A2701786C13\/ AB7EEC68F9438E31523D0A67E7612CA666C8F56A) as well &#8211; it can be seen even better in the window of Process Monitor during the malware installation:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/02\/2013-02-17_zeroaccess_ea2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1703\" alt=\"2013-02-17_zeroaccess_ea2\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/02\/2013-02-17_zeroaccess_ea2.png\" width=\"796\" height=\"330\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/02\/2013-02-17_zeroaccess_ea2.png 1020w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/02\/2013-02-17_zeroaccess_ea2-300x124.png 300w\" sizes=\"(max-width: 796px) 100vw, 796px\" \/><\/a><\/p>\n<p>In terms of APIs used by ZeroAccess to create EAs, I finally came across a few samples that use ZwSetEaFile to do so. Interestingly, 
none of the samples used this API to create EA for services.exe &#8211; all the samples using this API create the following EA:<\/p>\n<ul>\n<li>%USERPROFILE%\\appdata\\local\\a4ca9b9c\\u::<span style=\"color: #ff0000;\"><strong>@@@<\/strong><\/span><\/li>\n<\/ul>\n<p>(Please refer to the older post for more information about the context of this discussion.)<\/p>\n<p>You can download latest hmft <a href=\"https:\/\/hexacorn.com\/download.php?f=hmft.exe\">here<\/a>.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>update fixed the title of the post\u00a0 &#8211; it&#8217;s obviously a version 0.3 and not 3.0 \ud83d\ude42 old post In my last post I talked about detecting Extended Attributes (used by ZeroAccess malware) using HMFT.\u00a0 Today I got a chance &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2013\/02\/17\/hmft-3-0-extended-attributes-short-update\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,15,19,20,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1701"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1701"}],"version-history":[{"count":8,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1701\/revisions"}],"predecessor-version":[{"id":1711,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1701\/revisions\/1711"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1701"}],"wp:term":[{"taxonomy":"cat
egory","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1701"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}