This blog post is a work in progress and I'd love to get feedback while writing it.
So while this note appears on top, the blog post is not finished.
(Please come back again later!)
For once I'll write about something a bit different than before. It's still about Ponmocup malware, or more precisely about the Zuponcic Kit used for delivery, but the focus is on how to do Live Response and Detection on the host using Redline.
If you're not familiar with the Zuponcic Kit yet, you should read the following posts:
- Not quite the average exploit kit: Zuponcic
- Zuponcic: "Is it a bird?... Is it a plane?... No, it's another Exploit Kit" - Part 1
- Zuponcic: "Is it a bird?... Is it a plane?... No, it's another... wait, what!?" - Part 2
- 2014-03-17 - ZUPONCIC EK
- 2014-07-09 - ZUPONCIC EK FROM 18.104.22.168 - MZ.WATCHWEEDSEPISODES.NET
Redline User Guide (latest version at time of writing v1.12)
You should be familiar with the two distinct phases, collection and analysis, and with the difference between a "Redline Collector" (standalone CLI tool for collection) and "Redline", the feature-rich GUI application for analyzing the collected data.
So, for this blog post I infected a VM via the Zuponcic Kit, capturing the network traffic with Wireshark and running a Redline analysis afterwards.
PCAP analysis with Wireshark
Here is an overview of the DNS and HTTP traffic from the infection:
Some of the most interesting DNS and HTTP requests are:
www.niceshop.at: type A, class IN, addr 22.214.171.124
perrugina.sciencehunk.com: type A, class IN, addr 126.96.36.199
mw.prodigymsnteregala.com: type A, class IN, addr 188.8.131.52
fasternation.net: type A, class IN, addr 253.101.238.123
www.sanctionedmedia.com: type CNAME, class IN, cname sanctionedmedia.com
sanctionedmedia.com: type A, class IN, addr 184.108.40.206
Default browser UA:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11
Content-Disposition: attachment; filename="xuqfvb"
Last-Modified: Sun, 13 Jul 2014 22:01:35 GMT
Time since request: 9.267738000 seconds
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Wrong IE version in UA!
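The two user-agent observations above (the Java client fetching the JAR, and the later request claiming a different IE version than the host's default browser) can be turned into a simple detection over proxy or HTTP logs. This is an added example, not part of the original post: the log format and the sample lines are constructed, only the UA strings and hostnames are taken from the capture.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not the original capture):
# "timestamp client host path user-agent", one request per line.
SAMPLE_LOG = """\
2014-07-14T10:00:01 10.0.0.5 www.niceshop.at / Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)
2014-07-14T10:00:03 10.0.0.5 perrugina.sciencehunk.com /java.js Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)
2014-07-14T10:00:05 10.0.0.5 perrugina.sciencehunk.com /xuqfvb Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11
2014-07-14T10:00:14 10.0.0.5 mw.prodigymsnteregala.com / Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0)
2014-07-14T10:01:00 10.0.0.7 www.example.com / Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)
"""

MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")
JAVA_RE = re.compile(r"\bJava/(\d+\.\d+\.\d+(?:_\d+)?)")


def parse_line(line):
    """Split one log line into its fields; the UA is the trailing free text."""
    ts, client, host, path, ua = line.split(" ", 4)
    return {"ts": ts, "client": client, "host": host, "path": path, "ua": ua}


def analyze(log_text):
    """Return (timestamp, client, host, reason) findings for suspicious requests."""
    findings = []
    ie_versions = {}               # client -> first MSIE major version seen
    java_hosts = defaultdict(set)  # client -> hosts contacted by the Java runtime
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        m = JAVA_RE.search(rec["ua"])
        if m:
            # The Java runtime itself fetching content: typical for an applet/JAR download.
            java_hosts[rec["client"]].add(rec["host"])
            findings.append((rec["ts"], rec["client"], rec["host"],
                             f"Java {m.group(1)} fetched {rec['path']} (possible applet/JAR download)"))
            continue
        m = MSIE_RE.search(rec["ua"])
        if m:
            # Assumption: the first MSIE version seen per client is the real browser;
            # a later request with a different version is a UA spoofed by another process.
            # Hosts with several IE versions installed would need a whitelist here.
            major = int(m.group(1))
            first = ie_versions.setdefault(rec["client"], major)
            if major != first:
                findings.append((rec["ts"], rec["client"], rec["host"],
                                 f"UA claims MSIE {major} but client sent MSIE {first} before (spoofed UA)"))
    return findings
```

Running `analyze(SAMPLE_LOG)` yields two findings for client 10.0.0.5 (the JAR download via the Java UA and the MSIE 7.0 request) and none for 10.0.0.7.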
Detailed HTTP traffic of the Zuponcic Kit infection and initial C&C:
Screenshots during VM infection
During the infection the user might see some Java warnings (depending on the installed Java version and settings), trying to warn them against getting infected.
Using ProcessHacker the malware process shows like this:
Running Redline Collector
The recommended way to run Redline Collector on a host is from a USB key. However, if you're not concerned about modifying the host under investigation, you can also run Redline Collector remotely by copying it over the network or running it from a mounted share.
I may write more details about how to run Redline Collector remotely over the net in a later blog post. In this post I'd like to focus on the details available from a Redline analysis.
The XML files created during collection can get pretty large, depending on which modules are executed and the settings in the script. The registry, event logs and filesystem make up the largest part of this collection. However, the 537 MB of raw data nicely compress into a much smaller 33 MB. Compare this to a hard drive image or a memory dump.
Analysis using Redline
After running Redline Collector on a suspicious or infected host you get lots of data (in XML format) to analyze with Redline, but grep and some other bash-fu (on Linux or Cygwin) can also be very useful.
The timeline function in Redline is very easy to use and powerful. It lines up all collected artifacts along several selectable timestamps.
Here are some artifacts from the timeline of this infection.
Google redirection URL
A cookie is set by the infected web server to mark the first visit:
First request to Zuponcic Kit domain:
Request to "java.js" for loading the Java applet:
Prefetch file for "java.exe" created or updated:
Registry key created / updated for Malware domain serving malicious JAR:
Prefetch file for malware TMP file dropped:
Creating persistence using registry RUN key under HKCU:
Creation of port listeners:
Conclusion
Mandiant's Redline software is free to download and use. I find it amazing how many details can be found by analyzing a host with Redline and how easy it is to create a timeline for analysis.
Redline can combine disk and memory artifacts in a timeline, showing processes created and ports opened in time relation to files and registry keys created.
I think Redline is much more useful than what it costs!
Are you using Redline yet and have some feedback or suggestions? I'd love to hear it...