{"id":2416,"date":"2014-06-27T16:45:34","date_gmt":"2014-06-27T16:45:34","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=2416"},"modified":"2014-09-02T09:46:52","modified_gmt":"2014-09-02T09:46:52","slug":"anti-forensics-live-examples-part-2","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2014\/06\/27\/anti-forensics-live-examples-part-2\/","title":{"rendered":"Anti-forensics \u2013 live examples, Part 2"},"content":{"rendered":"<p>I wrote about malware using anti-forensics tricks back in <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/02\/18\/anti-forensics-live-examples\/\">2012<\/a>. Recently I have been seeing quite a few (I believe CryptoWall) samples arriving in my spambait mailbox that use anti-forensics and evasion tricks that I believe are worth documenting.<\/p>\n<p>The malware arrives as one of the typical <strong>VOICE&lt;phone number&gt;.zip<\/strong> packages embedding an unencrypted <strong>VOICE&lt;phone number&gt;.scr<\/strong> file which, when executed, delivers the payload.<\/p>\n<p>The payload is delivered in an evasive way:<\/p>\n<ul>\n<li>a new suspended explorer.exe process is created and a malicious thread is injected into it<\/li>\n<\/ul>\n<ul>\n<li>the code injected into explorer.exe decrypts the second stage of the payload and drops a file into a directory created directly in the root of the C: drive (<strong>c:\\&lt;hex-digits&gt;\\&lt;hex-digits&gt;.exe<\/strong>);<\/li>\n<\/ul>\n<p style=\"padding-left: 60px;\">this is the first (fairly light) anti-forensic trick I want to talk about; it would seem malware authors try to avoid dropping copies of the malware into the %APPDATA% folder (or into this folder only), as it is the place where a copy is easiest to find<\/p>\n<p style=\"padding-left: 60px;\">dropping the file into more than one folder, and especially into folders that are less likely to be inspected, is (I believe) an attempt to evade early detection<\/p>\n<ul>\n<li>the malware also copies itself 
to\n<ul>\n<li><strong>%APPDATA%\\Start Menu\\Programs\\Startup\\&lt;hex digits&gt;.exe<\/strong> &#8211; a typical, old-school persistence mechanism<\/li>\n<li><strong>%APPDATA%\\&lt;hex digits&gt;.exe<\/strong><br \/>\nand then adds 2 Run keys under HKCU to ensure its persistence on the system<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>the 2 keys point to<\/li>\n<\/ul>\n<ul>\n<ul>\n<li><strong>%APPDATA%\\&lt;hex digits&gt;.exe<\/strong><\/li>\n<li><strong>c:\\&lt;hex-digits&gt;\\&lt;hex-digits&gt;.exe<\/strong> (the location described earlier)<\/li>\n<\/ul>\n<\/ul>\n<ul>\n<li>so, there are 3 autostart entries in total and 3 copies of the malware; that&#8217;s the second anti-forensic trick &#8211; clean-up of such infections may be a bit tricky, and it highlights the importance of checking all the possible persistence mechanisms, not just the first one found<\/li>\n<\/ul>\n<ul>\n<li>next, the malware creates another suspended process, this time svchost.exe, and injects code into it the same way as previously into explorer.exe; it will be used to connect out to the C&amp;C<\/li>\n<\/ul>\n<ul>\n<li>in the meantime, the explorer.exe launches the vssadmin tool with destructive command-line arguments as follows:\n<ul>\n<li>vssadmin.exe Delete Shadows \/All \/Quiet<\/li>\n<\/ul>\n<p style=\"padding-left: 60px;\">that&#8217;s the third anti-forensic trick; it deletes all the Volume Shadow Copies, which takes away the Previous Versions route to recovering the encrypted files (note, it doesn&#8217;t work under XP)<\/p>\n<\/li>\n<\/ul>\n<ul>\n<li>the malware also disables System Restore by setting the following registry value\n<ul>\n<li>HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore<br \/>\nDisableSR (REG_DWORD) = 1<\/li>\n<\/ul>\n<p style=\"padding-left: 60px;\">that&#8217;s the fourth anti-forensic trick used by this malware<\/p>\n<\/li>\n<\/ul>\n<ul>\n<li>and then it also tries to kill (stop) the following services\n<ul>\n<li>wscsvc (Security Center)<\/li>\n<li>WinDefend (Windows Defender)<\/li>\n<li>wuauserv (Windows Update)<\/li>\n<li>BITS (Background Intelligent Transfer Service)<\/li>\n<li>ERSvc (Error Reporting Service on XP)<\/li>\n<li>WerSvc (Windows Error Reporting Service on Vista and later)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>finally, it tries to connect out to the C&amp;C (from the hijacked svchost.exe 
process)\n<ul>\n<li>bolizarsospos(.)com<\/li>\n<li>covermontislol(.)com<\/li>\n<li>milimalipali(.)com<\/li>\n<li>torichipinis(.)com<\/li>\n<li>vivatsaultppc(.)com<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Some variants also disable Startup Repair (the automatic boot-time recovery) for the default boot entry using the following command<\/p>\n<ul>\n<li>bcdedit \/set {default} recoveryenabled No<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>I wrote about malware using anti-forensics tricks back in 2012. Recently I have been seeing quite a few (I believe CryptoWall) samples arriving in my spambait mailbox that use anti-forensics and evasion tricks that I believe are worth documenting. The &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2014\/06\/27\/anti-forensics-live-examples-part-2\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,15,19,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2416"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=2416"}],"version-history":[{"count":16,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2416\/revisions"}],"predecessor-version":[{"id":2489,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2416\/revisions\/2489"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=2416"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=2416"},{"taxonomy":"post_tag","embeddable":true,"href":"
https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=2416"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
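The indicators the post walks through (the three drop locations, the two HKCU Run keys, the vssadmin and bcdedit command lines, the DisableSR value and the service list) can be turned into a triage check that tells an incident handler how many copies and autostart entries to clean up and which recovery mechanisms were sabotaged. The script below is an added example and is not code from the original post. It works on endpoint events normalised into plain dicts; the field names ("type", "image", "cmdline", "target", "data", "service", "state") and the sample events at the bottom are constructed for this example, and the length of the hex-digit directory and file names is not stated in the post, so any run of hex digits is accepted.

```python
"""Triage checks for the anti-forensic behaviour described in the post.

Added example, not the post's code.  Event dicts and their field names are an
assumption of this example; paths, command lines, registry value and service
names come from the post.
"""
import re
from collections import Counter

# The three drop locations.  Any run of hex digits is accepted (assumption).
DROP_ROOT = re.compile(r"^[a-z]:\\[0-9a-f]+\\[0-9a-f]+\.exe$", re.I)
DROP_APPDATA = re.compile(r"\\AppData\\Roaming\\[0-9a-f]+\.exe$", re.I)
DROP_STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\[0-9a-f]+\.exe$", re.I)
# HKCU Run key; Sysmon records it under HKU\<SID>, so both spellings are accepted.
RUN_KEY = re.compile(r"^(HKCU|HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Recovery sabotage: vssadmin Delete Shadows /All, DisableSR = 1, bcdedit recoveryenabled No.
VSS_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*/all", re.I)
BCD_NORECOVERY = re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)
SYSRESTORE = re.compile(r"\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR$", re.I)
TARGET_SERVICES = {"wscsvc", "windefend", "wuauserv", "bits", "ersvc", "wersvc"}


def _dword(data):
    """Registry data as an int: accepts 1, "1", "0x1" or Sysmon's 'DWORD (0x00000001)'."""
    m = re.search(r"0x[0-9a-f]+|\d+", str(data), re.I)
    if not m:
        return None
    text = m.group(0)
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def classify(ev):
    """Return the names of the post's indicators that a single event matches."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        cmd = ev.get("cmdline", "")
        if VSS_DELETE.search(cmd):
            hits.append("shadow_copy_deletion")
        if BCD_NORECOVERY.search(cmd):
            hits.append("startup_repair_disabled")
    elif kind == "file":
        path = ev.get("target", "")
        if DROP_ROOT.match(path):
            hits.append("drop_root_hex_dir")
        if DROP_APPDATA.search(path):
            hits.append("drop_appdata_hex")
        if DROP_STARTUP.search(path):
            hits.append("persist_startup_folder")
    elif kind == "registry":
        key = ev.get("target", "")
        data = str(ev.get("data", "")).strip().strip('"')
        if SYSRESTORE.search(key) and _dword(data) == 1:
            hits.append("system_restore_disabled")
        # A Run value is only interesting when it points at one of the drop locations.
        if RUN_KEY.match(key) and (DROP_ROOT.match(data) or DROP_APPDATA.search(data)):
            hits.append("persist_run_key")
    elif kind == "service":
        if ev.get("state") == "stopped" and ev.get("service", "").lower() in TARGET_SERVICES:
            hits.append("security_service_stopped")
    return hits


def summarize(events):
    """Roll per-event hits up into what the handler needs: copies dropped, autostart
    entries to remove, recovery mechanisms sabotaged, services stopped."""
    counts = Counter()
    services = []
    for ev in events:
        for name in classify(ev):
            counts[name] += 1
            if name == "security_service_stopped":
                services.append(ev["service"])
    recovery = [n for n in ("shadow_copy_deletion", "system_restore_disabled",
                            "startup_repair_disabled") if counts[n]]
    return {
        "copies": counts["drop_root_hex_dir"] + counts["drop_appdata_hex"] + counts["persist_startup_folder"],
        "autostart_entries": counts["persist_run_key"] + counts["persist_startup_folder"],
        "recovery_sabotage": recovery,
        "services_stopped": services,
        "hits": dict(counts),
    }


# Constructed sample telemetry mirroring the post's sequence, plus benign noise.
SAMPLE_EVENTS = [
    {"type": "file", "image": r"C:\Windows\explorer.exe", "target": r"C:\a3f9c1e0\a3f9c1e0.exe"},
    {"type": "file", "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\bob\AppData\Roaming\a3f9c1e0.exe"},
    {"type": "file", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a3f9c1e0.exe"},
    {"type": "registry", "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\a3f9c1e0",
     "data": r"C:\a3f9c1e0\a3f9c1e0.exe"},
    {"type": "registry", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\a3f9c1e0",
     "data": r"C:\Users\bob\AppData\Roaming\a3f9c1e0.exe"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "registry", "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR",
     "data": "DWORD (0x00000001)"},
    {"type": "service", "service": "WinDefend", "state": "stopped"},
    {"type": "process", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"type": "process", "cmdline": "vssadmin.exe list shadows"},          # benign
    {"type": "file", "target": r"C:\Users\bob\AppData\Roaming\Mozilla\profile.ini"},  # benign
    {"type": "service", "service": "Spooler", "state": "stopped"},         # benign
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```

On the constructed sample the summary reports 3 copies and 3 autostart entries, all three recovery mechanisms sabotaged and WinDefend stopped, while the benign vssadmin listing, the Mozilla profile write and the Spooler stop produce no hits. The Run-key rule deliberately requires the value data to point at one of the drop locations, so ordinary autostart entries are not flagged; relaxing that is the first thing to try if a variant changes its drop paths.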