Wednesday, December 2, 2015

jIIr Triage Practical Event - Prefetch $MFT IDS Writeup
Corey Harrell recently posted a triage challenge on his Journey Into Incident Response (jIIr) blog here: http://journeyintoir.blogspot.in/2015/11/triage-practical-malware-event-prefetch.html

This writeup gives my answers to the questions he posed there and describes how I analyzed the evidence files.


The evidence provided for the investigation is the following:

  • PCAP for generating the IDS alerts in Security Onion.
  • Prefetch files from the system in AD1 format.
  • $MFT and the file hash list from the system.

Corey was also kind enough to provide a document that helps to set up Security Onion for replaying the PCAP, and also FTK Imager.

Starting out with the IDS: after replaying the PCAP, the Sguil console showed the following alert.

Fig. 1. Security Onion IDS alert

From the packet data it can be seen that this is HawkEye Keylogger data exfiltration. For the actual timestamps we can look at the packet capture in Wireshark, applying a filter for the IP 107.180.21.230. As we can see in Fig. 2, the first connection was made at 2015-08-15 05:34:20 UTC.

Fig. 2. Wireshark 

The FTP communication is also interesting.


Fig. 3. FTP communication

The file being transferred was the following.

Fig. 4. File transfer

To find out which process was communicating, let us take a look at the prefetch files provided. Sorting them by timestamp, we quickly notice that "OVERDUE%20INVOICE%20DOCUMENTS-BB3C03FD.pf" is suspicious and has a timestamp just a few seconds before the network alert.

Using NirSoft Prefetch Viewer, the path of the executable is shown as "\DEVICE\HARDDISKVOLUME1\USERS\LAB\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\TSFMVXQM\OVERDUE%20INVOICE%20DOCUMENTS%20FOR%20PAYMENT%20082015[1].EXE".

It is clear that this was executed from the Temporary Internet Files folder of Internet Explorer. Both the document's name and its location point to a phishing attempt.

For parsing the $MFT I used MFT Parser GUI from RedWolf Computer Forensics. Sorting by timestamp and looking around our suspicious timestamp, we notice that many internet artifacts were created, including Yahoo Mail ones, as shown in Fig. 5. This is also a strong indication of a likely phishing attempt.

Fig. 5. MFT Parser
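The correlation done by hand above (sort prefetch entries by last-run time, find the one that ran just before the first connection to 107.180.21.230, URL-decode its name, and check whether it ran from the browser cache) can be scripted. The following is an added example, not part of the original writeup; the prefetch inventory and all last-run times are constructed sample data, and only the OVERDUE entry's name and path and the alert time come from the writeup.

```python
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed prefetch inventory: (prefetch file name, last-run time in UTC, executable path).
# Only the OVERDUE entry's name and path are from the writeup; the other entries, the
# prefetch hash parts 0000AAAA/0000BBBB and every last-run time are made-up sample data.
PREFETCH_ENTRIES = [
    ("IEXPLORE.EXE-0000AAAA.pf", "2015-08-15 05:31:02",
     r"\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE"),
    ("OVERDUE%20INVOICE%20DOCUMENTS-BB3C03FD.pf", "2015-08-15 05:34:12",
     r"\DEVICE\HARDDISKVOLUME1\USERS\LAB\APPDATA\LOCAL\MICROSOFT\WINDOWS"
     r"\TEMPORARY INTERNET FILES\CONTENT.IE5\TSFMVXQM"
     r"\OVERDUE%20INVOICE%20DOCUMENTS%20FOR%20PAYMENT%20082015[1].EXE"),
    ("NOTEPAD.EXE-0000BBBB.pf", "2015-08-15 04:10:55",
     r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NOTEPAD.EXE"),
]

# First connection to 107.180.21.230 seen in the PCAP (Fig. 2 of the writeup).
ALERT_TIME = "2015-08-15 05:34:20"

# Path fragments that mean the binary was launched straight out of the IE download cache.
BROWSER_CACHE_MARKERS = ("\\TEMPORARY INTERNET FILES\\", "\\CONTENT.IE5\\")


def parse_utc(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a timezone-aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def correlate(entries, alert_time, window_seconds=60):
    """Return prefetch entries whose last run falls within window_seconds before the alert.

    Each hit carries the URL-decoded executable name (prefetch keeps the %20-encoded
    name the browser cache used), the gap to the alert and a browser-cache flag.
    Hits are ordered by how close they are to the alert, closest first."""
    alert = parse_utc(alert_time)
    hits = []
    for name, last_run, path in entries:
        gap = (alert - parse_utc(last_run)).total_seconds()
        if 0 <= gap <= window_seconds:  # ran before the alert, but not too long before
            hits.append({
                "prefetch": name,
                "decoded_name": unquote(path.rsplit("\\", 1)[-1]),
                "seconds_before_alert": int(gap),
                "from_browser_cache": any(m in path.upper() for m in BROWSER_CACHE_MARKERS),
            })
    return sorted(hits, key=lambda h: h["seconds_before_alert"])


if __name__ == "__main__":
    for hit in correlate(PREFETCH_ENTRIES, ALERT_TIME):
        print(hit)
```

Widening the window (for example to 300 seconds) also pulls in the IEXPLORE.EXE run that preceded the download, which is the browser-side half of the phishing chain the $MFT artifacts show.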


Checking the file hash on VirusTotal gives a strong indication that this is known malware.


The FTP server's IP address also looks suspicious in the VirusTotal output.



Conclusion:

1. This is a confirmed malware event, as can be identified from the reports above.
2. The malware is the HawkEye keylogger, which has gained notoriety in the blackhat world.
3. This type of malware can pose a lot of risk to any organization: sensitive data such as passwords for banks, company resources and other services can be captured. Such keyloggers can also have botnet capabilities.
4. As explained above, the most likely event is that a user received an email claiming to carry a document and was tricked into opening it. This can be confirmed by creating a timeline of web history using IEF or other tools.




I really enjoyed doing the challenge. I hope Corey provides many more like this which can be very useful for beginners like me. 
