Wednesday, January 26, 2022

Who is "DESKTOP-Group"?

Update 2023-07-05: Suspected key figure of notorious cybercrime group arrested in joint operation. Operation Nervone has dealt a significant blow to the OPERA1ER group.

INTERPOL announcement about Operation Nervone


Update 2022-11-06: A few days ago Group-IB released the report "OPERA1ER - Playing God without permission" (blog, report PDF, webinar), linking different aliases to "DESKTOP-Group":

  • Group-IB: OPERA1ER
  • Orange-CERT-CC: NXSMS
  • SWIFT: Common Raven
  • Symantec: Bluebottle
  • Mandiant: UNC4044  (not in the report)

--

This is just a preliminary post about my research of a threat actor (TA) or group (TG) that we have named "DESKTOP-Group". Other companies (Orange-CERT, Group-IB, SWIFT) have other names for this TA, but they are not yet publicly known or linked yet. (I will update this post, as soon as more becomes public)

We started tracking this TA's activity in early 2018, while analyzing the first malware laden attack mails during February 2018. For the next three years, we saw and analyzed 170 distinct attack mails (campaigns) from this TA, but during 2021 it became harder to link malware mails back to them with high confidence.

The first public presentation "DESKTOP-Group – Tracking a Persistent Threat Group (using Email Headers)" was at BotConf 2019. Slides (PDF) are available from my Github repo.

In 2020, I also presented about this TA at ReversingLabs #Reversing2020 online conference. A video (starts around 14:30m) and PDF slides are also available.

In 2019, I started sharing on Twitter about this TA, later starting to use the hashtag #DESKTOPgroup.


There is also a closed Google-group for research collaboration, mostly with people tracking or having access to emails or logs, related this TA's activity.

Malware samples and URLs have been shared and tagged on Abuse.ch Malware Bazaar or URLhaus.


Wednesday, December 6, 2017

Is this blog still alive?

Is this blog still alive? That's a valid question since I haven't blogged for quite some time. 
(wow, has it really been more than 3 years!?)
So I finally decided to write another post about some stuff that happened in the meantime...

For the past few years I have been more active on Twitter (@c_APT_ure) and also presenting at conferences and collaborating in closed / trusted groups.

My most recent area of interest has been increasing endpoint visibility using Sysinternals Sysmon and sending logs into Splunk for incident detection and threat hunting.

My first presentation was in December 2016 at BotConf:

"Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)"

Slides: https://www.botconf.eu/wp-content/uploads/2016/11/PR12-Sysmon-UELTSCHI.pdf
Video: https://www.youtube.com/watch?v=vv_VXntQTpE

In 2017 I gave an updated version on the same topic at the FIRST annual conference.

Slides: https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf

In April 2018 at FIRST TC Amsterdam, I gave an updated version from the FIRST 2017 talk.

Slides: FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf (Github / raw | D/L)


At BotConf 2018, I presented again on using Sysmon and Splunk, but also including Powershell Logging and MITRE ATT&CK as well.
"Hunting and Detecting APTs using Sysmon and PowerShell Logging"

Slides: 2018-Tom-Ueltschi-Sysmon.pdf
Video: (was recorded and will be published soon)

CERT-EU annual conf 2019 presentation about "Practical Threat Hunting"
Slides: [github / raw | D/L]

BotConf 2019
"DESKTOP-Group" – Tracking a Persistent Threat Group (using Email Headers)
Slides should be published soon.
(Tweet)

For anything related to "DESKTOP-Group", please see my later post:
http://c-apt-ure.blogspot.com/2022/01/who-is-desktop-group.html

Most presentation slides should also be available on my Github page.
There are many good resources for further reading that I can suggest.


The list of resources may get updated every so often...

(last updated: 2022-01-26)

Tuesday, August 12, 2014

3R4LR - Running Redline Remotely for Live Response

This blog post is a work in progress and I'd love to get feedback while writing it. 

So while this note appears on top, the blog post is not finished. 

(Please come back again later!)

This blog post will likely not be updated (finished) anymore, sorry!


This is the second post about using Redline for Live Response. The first post covered Using Redline for Live Response - Part 1, showing how many details from artifacts can be collected with Redline.

Let's take a look at the steps necessary for running Redline Collector remotely.

  1. copy the collector to the host
  2. run the collector on the host
  3. compress the collection data (optional)
  4. copy the collection data back

I'm sure there are many ways to accomplish this, but here is the way I did it.

A short batch script, taking a hostname as parameter, uses PsExec to copy and execute a remote-script to the host. The remote-script does actually the steps described above.

Prerequisites:
  • read-only network share (for collector source)
    •  \\RO-Share-Host\Redline\
  • writable network share (to copy collection data back)
    •  \\RW-Share-Host\Data-Upload\
  • psexec rights (as admin) on remote host for user starting scripts
    • D:\Tools\Sysinternals>psexec -s \\hostname cmd /c whoami
      • --> nt authority\system

Considerations / Disadvantages:
  • needs privileged credentials for running the collector remotely
  • collector software and data overwrites unallocated space (changing harddisk from host under investigation)

Here are the two scripts, just slightly modified (anonymized) from the original previously used. (I hope I didn't introduce any typos or find/replace errors -- if so, please let me know)






REM ============================================================================
REM | Usage: run-redline.cmd hostname
REM ============================================================================
 

@echo off

REM  check if remote host is online
ping -n 1 %1 >NUL || echo Client %1 is offline. && goto FINISHED

echo Running Redline Collector remotely on System: %1
time /t

D:\Tools\Sysinternals\psexec.exe -accepteula \\%1 -s -c D:\Tools\Mandiant\Redline\run-redline-remote.cmd %1 >> E:\Data-Upload\Audits\%1_Redline_Log.txt

sleep 3

D:\Tools\7z.exe x -oE:\Data-Upload\Audits\%1 E:\Data-Upload\Audits\%1\audit_%1.7z

move E:\Data-Upload\Audits\%1_Redline_Log.txt E:\Data-Upload\Audits\%1\

dir /s E:\Data-Upload\Audits\%1

:FINISHED
echo *** Finished Redline Collector script !!!
time /t


REM ============================================================================
REM | Usage: run-redline-remote.cmd hostname
REM ============================================================================

@echo off

REM create new dir for Redline Collector
mkdir C:\Redline
cd C:\Redline

echo Starting "run-redline-remote.cmd" on System: %1 >> run-redline-remote.log
time /t >> run-redline-remote.log

REM copy Redline Collector executable and scripts from share
xcopy /E /C /Y /Q \\RO-Share-Host\Redline\Redline-Collector-Latest .
sleep 10
dir /s

rem ----------------------------------------------------------------------------
rem include Helper.bat   (using "call Helper.bat" didn't work)
rem ----------------------------------------------------------------------------

SETLOCAL enableextensions enabledelayedexpansion

ECHO Ensuring the proper working directory
%~d0
cd %~dp0

REM Verify the files exist
SET agent64=.\x64\MIRAgent.exe
SET agent32=.\x86\MIRAgent.exe
SET script=MemoryzeAuditScript.xml
SET outputdir=.
SET bitness=%PROCESSOR_ARCHITECTURE%

IF NOT EXIST "%agent64%" GOTO :failed
REM IF NOT EXIST "%agent32%" GOTO :failed
IF NOT EXIST "%script%" GOTO :failed

IF "%1"=="" GOTO :usedefault
SET outputdir=%1
:usedefault
REM Check that the directory exists, and if not create it.
IF NOT EXIST "%outputdir%" CALL mkdir "%outputdir%"

SET args=-o "..\%outputdir%" -f -script "..\%script%" -encoding none -allowmultiple

SET agent=%agent32%
IF "%bitness%"=="x86" GOTO :agentset
IF "%bitness%"=="IA64" GOTO :unsupported
SET agent=%agent64%
:agentset

ECHO %agent% %args%
REM PAUSE
call %agent% %args%

GOTO :end

:failed
ECHO.
ECHO.
ECHO Failure Encountered:
ECHO Agent and/or Redline Audit Script not found.
GOTO :end

:unsupported
ECHO.
ECHO.
ECHO Failure Encountered:
ECHO This Operating System is not supported by the Memoryze Agent
GOTO :end

:auditfail
ECHO.
ECHO.
ECHO Failure Encountered
ECHO %errorlevel% return from "%lastcmd%"
IF EXIST "%buildlog%" START notepad "%buildlog%"
GOTO :end

:end
REM PAUSE
ENDLOCAL
rem ----------------------------------------------------------------------------

 

echo Finished "run-redline-remote.cmd" on System: %1 >> run-redline-remote.log
time /t >> run-redline-remote.log

mkdir \\RW-Share-Host\Data-Upload\Audits\%1
rem copy run-redline-remote.log \\RW-Share-Host\Data-Upload\Audits\%1

rem ** copy collection without compression
rem xcopy /E /C /Y %1 \\RW-Share-Host\Data-Upload\Audits\%1

rem ** copy collection WITH (7z) compression
7z.exe a audit_%1.7z %1
copy audit_%1.7z \\RW-Share-Host\Data-Upload\Audits\%1

sleep 20

echo Finished "run-redline-remote.cmd" on System: %1 >> run-redline-remote.log
time /t >> run-redline-remote.log

copy run-redline-remote.log \\RW-Share-Host\Data-Upload\Audits\%1



The scripts are provided as is without any warranty. Use at your own risk. They may be changed without notice.

I will update this post later  with a PoC running the scripts "remotely" from the VM-host on the infected VM from the previous post.

Stay tuned for more...

Cheers,
@c_APT_ure

Tuesday, July 29, 2014

Using Redline for Live Response - Part 1

For once I'll write about something a bit different than before. It's still about Ponmocup malware, or more precise about the Zuponcic Kit for delivery, but more about how to do Live Response and Detection on the host using Redline.

If you're not familiar with the Zuponcic Kit yet, you should read the following posts:
If you're not familiar with Redline, the great free tool from Mandiant, I recommend reading the following:

Redline User Guide (latest version at time of writing v1.12)

You should be familiar with the two distinct phases, collection and analysis, and the difference of a "Redline Collector" (standalone CLI tool for collection) and "Redline", the feature rich GUI application for analysis of collection data.

So, for this blog post I infected a VM via Zuponcic Kit capturing network traffic with Wireshark and doing a Redline collection and analysis afterwards.


PCAP analysis with Wireshark


Here an overview of the DNS and HTTP traffic from the infection:

Some of the most interesting DNS and HTTP requests are:

DNS:

www.niceshop.at: type A, class IN, addr 85.13.129.172
perrugina.sciencehunk.com: type A, class IN, addr 31.210.96.155
mw.prodigymsnteregala.com: type A, class IN, addr 178.33.192.35
fasternation.net: type A, class IN, addr 253.101.238.123
www.sanctionedmedia.com: type CNAME, class IN, cname sanctionedmedia.com
sanctionedmedia.com: type A, class IN, addr 64.210.128.29

HTTP:

Default browser UA:

  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

http://www.google.ch/url?url=http://www.niceshop.at/&rct=j&frm=1&q=&esrc=s&sa=U&ei=eQHDU9acLdP07Aa-oICIAg&ved=0CBQQFjAA&usg=AFQjCNHz4D179x2aXXoTOLfSK_k71qrAlw

http://www.niceshop.at/

http://perrugina.sciencehunk.com/__utm.gif?utmwv=5.3.3&utms=7&utmn=1812125645&utmhn=isroi.com&utmcs=UTF-8&utmsr=800x600&utmvp=783x444&utmsc=24-bit&utmul=en-us&utmje=0&utmfl=10.0%20r22&utmdt=Gambar%20Animasi%20

http://mw.prodigymsnteregala.com/

http://mw.prodigymsnteregala.com/js/java.js

http://mw.prodigymsnteregala.com/ANLxMYn.jar

http://mw.prodigymsnteregala.com/ (POST)
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11
  Content-Length: 90
 
  i=2ZUpfq7G6Ke3q42Ny1c19p61...E78IJH3yVQJZL70k67ZEPHn9kW

Response:
  Content-Type: application/octet-stream
  Content-Length: 957688
  Content-Disposition: attachment; filename="xuqfvb"
  Last-Modified: Sun, 13 Jul 2014 22:01:35 GMT
    Time since request: 9.267738000 seconds

http://93.115.88.220/listing/chn/all.html
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Wrong IE version in UA! (looks like the rest of the UA was left unchanged, except the major version)


Detailed HTTP traffic of the Zuponcic Kit infection and initial C&C:

Request to infected website (malicious .htaccess file) coming from a Google search redirection: (checks for Cookie, Referrer, User-Agent)

Redirection to first stage Zuponcic Kit (checks client IP)

Request to main Zuponcic Kit page:

Request to "java.js" for browser (and Java) fingerprinting:

Malicious JAR downloader signed with stolen certificate:

POST request submitting a long parameter (key?) and receiving a large binary (encrypted) file:

GET request to IP (computed from DNS lookup to "fasternation.net" -- anti-sinkholing technique) sending data as Cookie values and using faked User-Agent:

Screenshots during VM infection

During the infection the user might see some Java warnings (depending on installed Java version and settings), trying to warn him from getting infected.






Using ProcessHacker the malware process shows like this:


Running Redline Collector

The recommended way for running Redline Collector on a host is via USB key. However, if you're not concerned about modification of the host under investigation you can also run Redline Collector remotely by copying it over the network or running it from a mounted share.


I may write more details about how to run Redline Collector remotely over the net in a later blog post. In this post I'd like to focus on the details available from a Redline analysis.

Here is a list of modules and options selected for this collection:



The XML files created during collection can get pretty large, depending on which modules are executed and settings in the script. The registry, event logs and filesystem make the largest part of this collection. However, the 537 MB of raw data nicely compress into a much smaller 33 MB. Compare this to a hard drive image or a memory dump. 






Analysis using Redline

After running Redline Collector on a suspicious or infected host you get lots of data (in XML format) to analyze with Redline, but also using grep and some other bash-fu (on Linux or Cygwin) can be very useful.

Using the timeline function from Redline is very easy and powerful. It lines up any artifacts collected using several timestamps that are selectable.


 


Here are some artifacts from the timeline of this infection.

Google redirection URL


A cookie is set from the infected web server the mark the first visit:


First request to Zuponcic Kit domain:

Request to "java.js" for loading the Java applet:

Prefetch file for "java.exe" created or updated:

Registry key created / updated for Malware domain serving malicious JAR:


Prefetch file for malware TMP file dropped:




Malware EXE file created:




Malware EXE process started:
 

 

Malware EXE process opened port listener:


Registry key with binary data created:


Creating persistence using registry RUN key under HKCU:



Creation of port listeners:



Using Bash-Fu on Redline XML data

Using some bash commands (possibly even using Cygwin on Windows) can be very useful and powerful. Here some examples.

Searching for some network indicators:

$ time egrep -ci "(prodigymsnteregala.com|\/js\/java\.js|ANLxMYn\.jar|qkejZDj\.jar|\/listing\/chn\/all\.html|93\.115\.88\.220)" *.* | egrep -v ":0"
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:4
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:5
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:2

real    0m17.630s
user    0m17.456s
sys     0m0.171s

$ egrep -i "(prodigymsnteregala.com|\/js\/java\.js|ANLxMYn\.jar|qkejZDj\.jar|\/listing\/chn\/all\.html|93\.115\.88\.220)" *.*
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/favicon.ico</SourceURL>
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/</SourceURL>
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/tr.gif</SourceURL>
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/js/java.js</SourceURL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com/favicon.ico</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>:Host: mw.prodigymsnteregala.com</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com</URL>
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:<Path>HKEY_USERS\S-1-5-21-3096987436-3122932343-3109395949-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</Path>
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:<KeyPath>Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</KeyPath>

$ egrep -in -C 10 "prodigymsnteregala.com" w32registryapi.* | egrep -m 1 -A 15 "<RegistryItem " | egrep -m 1 -B 15 "</RegistryItem>"
6674509-<RegistryItem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="FEBFAC4B-E50C-469E-A25A-2C42BE0653BE" created="2014-07-14T01:14:20Z">
        <Username>TOMS-VM-WIN7X64\Tom</Username>
6674510-<SecurityID>S-1-5-21-3096987436-3122932343-3109395949-1000</SecurityID>
6674511:<Path>HKEY_USERS\S-1-5-21-3096987436-3122932343-3109395949-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</Path>
6674512-<Hive>HKEY_USERS\S-1-5-21-3096987436-3122932343-3109395949-1000</Hive>
6674513:<KeyPath>Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</KeyPath>
6674514-<Type>REG_KEY</Type>
6674515-<Modified>2014-07-13T22:01:39Z</Modified>
6674516-<NumSubKeys>0</NumSubKeys>
6674517-<NumValues>0</NumValues>
6674518-</RegistryItem>

Searching for some host indicators (filenames, registry keys):

$ time egrep -ci "(DPNLOBBYG.EXE|483759317.TMP|Egkyxzdcin|7538554d-326909f3|JXZFUV)" *.* | egrep -v ":0"
w32apifiles.8xDv3nsauGodpXnrHsaHqg:8
w32apifiles.issues.6F4XA71eDhdfIujMDqoLCI:1
w32eventlogs.eOZaQVjGh3PdAuYt0LXxMR:8
w32prefetch.biHxIPURFOEdQgUKV9vyvp:12
w32processes-memory.jblWPV86pwBeohXjunTY1h:3
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:20
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:5

real    0m17.755s
user    0m17.565s
sys     0m0.170s

$ egrep -i "(DPNLOBBYG.EXE|483759317.TMP|Egkyxzdcin|7538554d-326909f3|JXZFUV)" w32apifiles.* w32scripting-persistence.*
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Users\Tom\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\7538554d-326909f3</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>7538554d-326909f3</FileName>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Users\Tom\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\7538554d-326909f3.idx</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>7538554d-326909f3.idx</FileName>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Windows\Prefetch\483759317.TMP-EB4905C2.pf</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>483759317.TMP-EB4905C2.pf</FileName>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Windows\Prefetch\DPNLOBBYG.EXE-603267D1.pf</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>DPNLOBBYG.EXE-603267D1.pf</FileName>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<RegText>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</RegText>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<FilePath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FilePath>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<FullPath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FullPath>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<FileName>dpnlobbyg.exe</FileName>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<Text>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</Text>

$ egrep -in -B 10 -A 120 "DPNLOBBYG.EXE" w32scripting-persistence.* | egrep -m 1 -A 100 "<PersistenceItem " | egrep -m 1 -B 100 "</PersistenceItem>"
96-<PersistenceItem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="C10D94E7-43A9-4160-A0EC-2C5BB246697F" created="2014-07-14T01:11:17Z">
   <PersistenceType>registry</PersistenceType>
97-<RegPath>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DLLS</RegPath>
98:<RegText>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</RegText>
99-<RegOwner>NT AUTHORITY\SYSTEM</RegOwner>
100-<RegModified>2014-07-13T22:44:51Z</RegModified>
101:<FilePath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FilePath>
102-<FileOwner>TOMS-VM-WIN7X64\Tom</FileOwner>
103-<FileCreated>2014-07-13T22:01:47Z</FileCreated>
104-<FileModified>2014-07-13T22:01:47Z</FileModified>
105-<FileAccessed>2014-07-13T22:01:47Z</FileAccessed>
106-<FileChanged>2014-07-13T22:01:47Z</FileChanged>
107-<md5sum>105ead6f908f0d8cbab11a0f4408d373</md5sum>
108-<FileItem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="7B6CDDEB-3A25-4568-9D31-AF18EB68C23E" created="2014-07-14T01:11:17Z">
    <DevicePath>\Device\HariskVolume1</DevicePath>
109:<FullPath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FullPath>
110-<Drive>c</Drive>
111-<FilePath>Users\Tom\AppData\Roaming</FilePath>
112:<FileName>dpnlobbyg.exe</FileName>
113-<FileExtension>exe</FileExtension>
114-<SizeInBytes>276992</SizeInBytes>
115-<Created>2014-07-13T22:01:47Z</Created>
116-<Modified>2014-07-13T22:01:47Z</Modified>
117-<Accessed>2014-07-13T22:01:47Z</Accessed>
118-<Changed>2014-07-13T22:01:47Z</Changed>
119-<FileAttributes>ReadOnly Hidden System Archive</FileAttributes>
120-<Username>TOMS-VM-WIN7X64\Tom</Username>
121-<SecurityID>S-1-5-21-3096987436-3122932343-3109395949-1000</SecurityID>
122-<SecurityType>SidTypeUser</SecurityType>
123-<Md5sum>105ead6f908f0d8cbab11a0f4408d373</Md5sum>
124-<PEInfo>
    <Type>Executable</Type>
125-<Subsystem>Windows_GUI</Subsystem>
126-<BaseAddress>4194304</BaseAddress>
127-<PETimeStamp>2012-02-23T05:41:05Z</PETimeStamp>
128-<PEChecksum><PEFileRaw>0</PEFileRaw>
129-<PEFileAPI>0</PEFileAPI>
130-<PEComputedAPI>287748</PEComputedAPI>
131-</PEChecksum>
132-<ExtraneousBytes>229376</ExtraneousBytes>
133-<DetectedAnomalies><string>checksum_is_zero</string>
134-<string>contains_eof_data</string>
135-</DetectedAnomalies>
136-<Sections>
    <NumberOfSections>3</NumberOfSections>
137-<ActualNumberOfSections>3</ActualNumberOfSections>
138-<Section><Name>.text</Name>
139-<Type>None</Type>
140-<SizeInBytes>43008</SizeInBytes>
141-<DetectedCharacteristics>Read Execute Code</DetectedCharacteristics>
142-<Entropy AverageValue="0.77262239772402574"/>
143-</Section>
144-<Section><Name>.rsrc</Name>
145-<Type>None</Type>
146-<SizeInBytes>3584</SizeInBytes>
147-<DetectedCharacteristics>Read</DetectedCharacteristics>
148-<Entropy AverageValue="0.54873274859376076"/>
149-</Section>
150-<Section><Name>.reloc</Name>
151-<Type>None</Type>
152-<SizeInBytes>512</SizeInBytes>
153-<DetectedCharacteristics>Read</DetectedCharacteristics>
154-<Entropy AverageValue="0.048149053317863157"/>
155-</Section>
156-</Sections>
157-</PEInfo>
158-<PeakEntropy>0.77262239772402574</PeakEntropy>
159-<PeakCodeEntropy>0.77262239772402574</PeakCodeEntropy>
160-</FileItem>
161-<RegistryItem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="91340226-5657-48BB-9DAB-44F07BFD14BD" created="2014-07-14T01:11:17Z">
    <KeyPath>Microsoft\ndows\CurrentVersion\Run\</KeyPath>
162-<Type>REG_SZ</Type>
163-<Modified>2014-07-13T22:44:51Z</Modified>
164-<ValueName>DLLS</ValueName>
165-<Username>NT AUTHORITY\SYSTEM</Username>
166:<Text>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</Text>
167-<ReportedLengthInBytes>86</ReportedLengthInBytes>
168-<Hive>HKEY_CURRENT_USER\Software</Hive>
169-<Path>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DLLS</Path>
170-<SecurityID>S-1-5-18</SecurityID>
171-</RegistryItem>
172-</PersistenceItem>

Looking at the raw XML usually should help with creating IOC's later.

Conclusion

Mandiant's Redline software is free to download and use. I find it amazing how much details can be found by analyzing a host with Redline and how easy it is to create a timeline for analysis.

Redline can combine disk and memory artifacts in a timeline, showing processes created and ports opened in time relation to files and registry keys created.

I think Redline is much more useful than what it costs! :-)

Are you using Redline yet and have some feedback or suggestions? I'd love to hear it...

In the next post I plan to show how to create IOC's from this analysis and how to check for IOC matches on a host. Stay tuned...

Cheers,
@c_APT_ure