how would you proceed in this situation

(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
Topic starter  

Hi all,
I'm playing some forensics challenges and games to test myself and keep on training, but this one is really driving me crazy.

I'm in the situation where I have a file stored in a directory and I have to understand how it got there.

It's a zip file.

I searched around for any human action on the OS that came to my mind (removable media, internet downloads, etc.) but couldn't find anything.

So, since this game is supposed to be a challenge on a malware infection, I analyzed the timeline to see if there were events, processes or accesses to any executable that could have caused the file to be copied/downloaded/created there.

But nothing.

So I'm appealing to your skill and knowledge and ask:
does a zip file have some sort of metadata that can help me understand when, who and eventually where the file was actually created for the first time?

The file activity timeline suggests that the file is copied over and over again whenever it gets removed/altered in some way, because a "born" event occurs a couple of seconds after a "change" event.

I have also analyzed the prefetch folder and there's probably something suspicious in there, because there are a lot of rundll32.exe prefetch files, all with different hashes, but I couldn't find a way to obtain the whole command (including the arguments passed to the executable) to determine if some sort of malicious code is executed.

Obviously chkrootkit or antivirus software didn't return a result, but since this is a challenge it was supposed to be so.

How would you proceed?


   
Quote
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

Can you share the details of the challenge? I think if other people work the challenge in real time, rather than just thinking about it, you might get some better ideas.

I find, though, that deadbox malware analysis is very hard. It's much easier if you have either a live system, or an identified malware process that can be analyzed in a sandbox.


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

The zip format is public:
http://www.pkware.com/support/zip-application-note
http://www.pkware.com/documents/casestudies/APPNOTE.TXT

BUT different "zipping apps" may have slightly different approaches.

By trying to re-create the .zip file with different compressors you may be able to find which app created it originally; this was the approach used to take advantage of a couple of password protection vulnerabilities, but I guess it would be of no use for your problem.

As well, you may get to know under which environment the .zip has been created, but again I don't think that it can be useful, and of course most if not all of these fields may have been faked.

jaclaz


   
ReplyQuote
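As an added illustration of the fields jaclaz is referring to (example code, not from the thread or from PKWARE), this Python snippet walks a zip's central directory by hand and reports, per entry, the "version made by" value with its host-OS byte, the MS-DOS timestamp every entry carries, and the extra-field IDs present, decoding the PKWARE NTFS extra field (0x000a) into its three FILETIMEs when a tool wrote one. The archive it inspects is a constructed sample stamped to look as if made on Windows NTFS, not the challenge file; on a real archive these values are hints about the creating tool and environment, and, as noted above, any of them can be forged.

```python
import io, struct, zipfile
from datetime import datetime, timedelta

HOST_OS = {0: "MS-DOS/FAT", 3: "UNIX", 10: "Windows NTFS", 19: "OS X"}  # "version made by" high byte
CDIR = struct.Struct("<4sBBBBHHHHLLLHHHHHLL")  # 46-byte central directory file header
EOCD = struct.Struct("<4sHHHHLLH")             # 22-byte end of central directory record
EPOCH_1601 = datetime(1601, 1, 1)              # Windows FILETIME epoch

def dos_datetime(d, t):  # MS-DOS date/time words carried by every entry (2 s resolution)
    return datetime(((d >> 9) & 0x7F) + 1980, (d >> 5) & 0xF, d & 0x1F,
                    t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)

def parse_extra(extra):  # -> (list of extra-field IDs, NTFS timestamps if a 0x000a field is present)
    ids, ntfs, off = [], {}, 0
    while off + 4 <= len(extra):
        fid, size = struct.unpack_from("<HH", extra, off)
        body = extra[off + 4:off + 4 + size]
        ids.append(fid)
        if fid == 0x000A and len(body) >= 32:  # 4 reserved bytes, then tag 1 = mtime/atime/ctime
            tag, tsize = struct.unpack_from("<HH", body, 4)
            if tag == 1 and tsize == 24:       # FILETIME = 100 ns ticks since 1601-01-01
                m, a, c = (EPOCH_1601 + timedelta(microseconds=x // 10)
                           for x in struct.unpack_from("<QQQ", body, 8))
                ntfs = {"mtime": m, "atime": a, "ctime": c}
        off += 4 + size
    return ids, ntfs

def zip_provenance(data):  # walk the central directory and collect creator hints per entry
    _, _, _, _, count, _, cd_off, _ = EOCD.unpack_from(data, data.rfind(b"PK\x05\x06"))
    out, off = [], cd_off
    for _ in range(count):
        rec = CDIR.unpack_from(data, off)
        sig, made_ver, host, _, _, flags, _, t, d = rec[:9]
        assert sig == b"PK\x01\x02", "central directory signature mismatch"
        n_len, x_len, c_len = rec[12:15]
        name = data[off + 46:off + 46 + n_len].decode("utf-8" if flags & 0x800 else "cp437")
        ids, ntfs = parse_extra(data[off + 46 + n_len:off + 46 + n_len + x_len])
        out.append({"name": name, "made_by": f"{made_ver // 10}.{made_ver % 10}",
                    "host_os": HOST_OS.get(host, f"unknown({host})"),
                    "dos_time": dos_datetime(d, t), "extra_ids": ids, "ntfs": ntfs})
        off += 46 + n_len + x_len + c_len
    return out

def sample_zip():  # constructed sample archive (not the challenge file), stamped as made on NTFS
    ft = int((datetime(2010, 3, 4, 11, 20, 33) - EPOCH_1601).total_seconds()) * 10**7
    zi = zipfile.ZipInfo("dati/scan.txt", date_time=(2010, 3, 4, 11, 20, 32))
    zi.create_system = 10  # claim "Windows NTFS" as the creating host
    zi.extra = struct.pack("<HHLHHQQQ", 0x000A, 32, 0, 1, 24, ft, ft, ft)
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr(zi, b"constructed sample data")
    return buf.getvalue()
```

Comparing the host-OS byte, the extra-field IDs and the precision of the timestamps (2 s DOS time versus 100 ns FILETIMEs) across archives produced by candidate tools is the kind of differential check jaclaz describes.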
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
Topic starter  

> Can you share the details of the challenge? I think if other people work the challenge in real time, rather than just thinking about it, you might get some better ideas.
>
> I find, though, that deadbox malware analysis is very hard. It's much easier if you have either a live system, or an identified malware process that can be analyzed in a sandbox.

The challenge was assigned to us during our course in CF and it's pretty hard to share due to the size of the image.
It's an entire 80GB HD; it was given to us as is, physically, so that we could train from the basics (acquisition and such) to the analysis and to the reporting.

As for the memory, I have a flat memory dump of the RAM taken just before the power-off.

I tried to analyze it using Volatility but couldn't find any suspicious process running.

Also, the zip containing the executable of the malware has a name which is in my native language, and this makes me think about something prepared ad hoc.
Or at least the zip is prepared and then re-downloaded from somewhere when it's altered or deleted.
But I dunno how it's possible without a process monitoring that file.

The only thing I didn't analyze yet are the GPOs.

From the registry and from the user directories in Documents and Settings it's evident that the machine was a member of a domain, so maybe there is a group policy directive compromised to distribute the malware around.

Does anyone know where such policies are stored on the clients?

Oh, and also:
strings like this one appear in the UserAssist of one of the users:


UEME_RUNPATH:{871C5380-42A0-1069-A2EA-08002B30309D} (24)

Damn, they put a lot of effort into building this game.
I also noticed that a portable version of Firefox has been executed from an external drive.

I'm posting here the file timeline portion related to the zip file activity.
Maybe this will mean something to you.


Thu Mar 04 2010 10:37:03 112819 ..c. r/rrwxrwxrwx 0 0 52354-128-3 C:/ati/data/dati.zip
Thu Mar 04 2010 10:51:58 420 ...b r/rrwxrwxrwx 0 0 51944-128-1 C:/System Volume Information/_restore{B58EF332-44F8-4CDD-A996-2E95A7C5A6A6}/RP30/A0003408.lnk
                         420 ...b r/rrwxrwxrwx 0 0 52266-128-1 C:/System Volume Information/_restore{B58EF332-44F8-4CDD-A996-2E95A7C5A6A6}/RP29/A0003331.lnk

Thu Mar 04 2010 10:59:01 11378 ...b r/rrwxrwxrwx 0 0 52345-128-4 C:/WINDOWS/Prefetch/FIND.EXE-0EC32F1E.pf
                         5692 ...b r/rrwxrwxrwx 0 0 52346-128-4 C:/WINDOWS/Prefetch/MORE.COM-32DCB7E4.pf

Thu Mar 04 2010 11:20:23 480 .a.. d/drwxrwxrwx 0 0 27895-144-5 C:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/it
                         670 m.cb r/rrwxrwxrwx 0 0 52344-128-4 C:/Documents and Settings/user/Recent/scan.application.lnk
                         509 m.cb r/rrwxrwxrwx 0 0 52347-128-1 C:/Documents and Settings/user/Recent/scan.lnk

Thu Mar 04 2010 11:20:25 409600 .a.. r/rrwxrwxrwx 0 0 41993-128-4 C:/WINDOWS/assembly/GAC_MSIL/System.Deployment.resources/2.0.0.0_it_b03f5f7f11d50a3a/System.Deployment.resources.dll
                         14336 .a.. r/rrwxrwxrwx 0 0 42362-128-3 C:/WINDOWS/assembly/NativeImages_v2.0.50727_32/dfsvc/a2865dcec9c5d3cc9c55f026cbad6fcc/dfsvc.ni.exe
                         1800704 .a.. r/rrwxrwxrwx 0 0 42433-128-4 C:/WINDOWS/assembly/NativeImages_v2.0.50727_32/System.Deployment/df1efcbac5973454c608890f72eb994d/System.Deployment.ni.dll
                         21368 macb r/rrwxrwxrwx 0 0 52349-128-4 C:/WINDOWS/Prefetch/RUNDLL32.EXE-334582AF.pf

Thu Mar 04 2010 11:20:26 676352 .a.. r/rrwxrwxrwx 0 0 42380-128-4 C:/WINDOWS/assembly/NativeImages_v2.0.50727_32/System.Security/0418eb6dbffe9b46aa4c989153d6a3b5/System.Security.ni.dll

Thu Mar 04 2010 11:20:27 71456 mac. r/rrwxrwxrwx 0 0 52269-128-4 C:/WINDOWS/Prefetch/DFSVC.EXE-331C2A5B.pf

Thu Mar 04 2010 11:20:28 425984 .a.. r/rrwxrwxrwx 0 0 42002-128-4 C:/WINDOWS/assembly/GAC_MSIL/System.Windows.Forms.resources/2.0.0.0_it_b77a5c561934e089/System.Windows.Forms.Resources.dll

Thu Mar 04 2010 11:20:32 970752 .a.. r/rrwxrwxrwx 0 0 28712-128-4 C:/WINDOWS/assembly/GAC_MSIL/System.Deployment/2.0.0.0__b03f5f7f11d50a3a/System.Deployment.dll
                         144 m.c. d/drwxrwxrwx 0 0 28913-144-1 C:/ati
                         6516 macb r/rrwxrwxrwx 0 0 52348-128-4 C:/Documents and Settings/user/Impostazioni locali/Temporary Internet Files/Content.IE5/GXMJCPUJ/CAMMC2MO.log
                         152 ...b d/drwxrwxrwx 0 0 52350-144-1 C:/ati/data

Thu Mar 04 2010 11:20:33 152 m.c. d/drwxrwxrwx 0 0 52350-144-1 C:/ati/data
                         112819 .a.b r/rrwxrwxrwx 0 0 52354-128-3 C:/ati/data/dati.zip

Thu Mar 04 2010 11:20:35 52998 macb r/rrwxrwxrwx 0 0 52356-128-4 C:/WINDOWS/Prefetch/SCAN.EXE-1D61FF55.pf

As you can see, in the first line the file dati.zip is changed.
Then a couple of seconds later it's born again and accessed.
A file called scan.exe was run, because a prefetch file gets created, but I can't find the executable.

I think my next step will be to power on the image using LiveView with a sniffer attached to the network interface.

If you have anything to suggest for monitoring the process activities, any help is really welcome.


   
ReplyQuote
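The reading of the timeline above (a change event on a path followed later by a born event, with Prefetch files created around the same moment) can be turned into a repeatable check; the following Python is an added example, not code from the thread, and it assumes the standard mactime body layout (date, time, size, macb flags, mode, uid, gid, inode, path, with continuation lines inheriting the previous timestamp). The sample lines are constructed from the excerpt posted above, with the colons restored.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: mactime body lines shaped like the excerpt posted above (colons restored).
TIMELINE = """\
Thu Mar 04 2010 10:37:03 112819 ..c. r/rrwxrwxrwx 0 0 52354-128-3 C:/ati/data/dati.zip
Thu Mar 04 2010 11:20:25 21368 macb r/rrwxrwxrwx 0 0 52349-128-4 C:/WINDOWS/Prefetch/RUNDLL32.EXE-334582AF.pf
Thu Mar 04 2010 11:20:27 71456 mac. r/rrwxrwxrwx 0 0 52269-128-4 C:/WINDOWS/Prefetch/DFSVC.EXE-331C2A5B.pf
Thu Mar 04 2010 11:20:32 144 m.c. d/drwxrwxrwx 0 0 28913-144-1 C:/ati
                         152 ...b d/drwxrwxrwx 0 0 52350-144-1 C:/ati/data
Thu Mar 04 2010 11:20:33 152 m.c. d/drwxrwxrwx 0 0 52350-144-1 C:/ati/data
                         112819 .a.b r/rrwxrwxrwx 0 0 52354-128-3 C:/ati/data/dati.zip
Thu Mar 04 2010 11:20:35 52998 macb r/rrwxrwxrwx 0 0 52356-128-4 C:/WINDOWS/Prefetch/SCAN.EXE-1D61FF55.pf
"""
STAMP = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}")

def parse_mactime(text):
    """Return (timestamp, macb flags, path) rows; continuation lines inherit the previous timestamp."""
    when, rows = None, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line):
            when = datetime.strptime(line[:24], "%a %b %d %Y %H:%M:%S")
            line = line[24:]
        size, macb, perms, uid, gid, inode, path = line.split(None, 6)  # path may contain spaces
        rows.append((when, macb, path))
    return rows

def reborn_after_change(rows):
    """For each path, pair a modified/changed (m or c) event with the next born (b) event after it."""
    by_path = defaultdict(list)
    for when, macb, path in rows:
        by_path[path].append((when, macb))
    hits = []
    for path, events in by_path.items():
        events.sort()
        for i, (t_change, flags) in enumerate(events):
            if flags[0] == "m" or flags[2] == "c":
                born = [t for t, later in events[i + 1:] if later[3] == "b"]
                if born:
                    hits.append((path, t_change, born[0], born[0] - t_change))
    return hits

def prefetch_near(rows, moment, window=timedelta(seconds=10)):
    """Prefetch files born within `window` of `moment`: which executables ran around that time."""
    return sorted(path.rsplit("/", 1)[-1] for when, macb, path in rows
                  if macb[3] == "b" and "/Prefetch/" in path and abs(when - moment) <= window)
```

On the sample this pairs the 10:37:03 change of dati.zip with its 11:20:33 rebirth and lists RUNDLL32.EXE-334582AF.pf and SCAN.EXE-1D61FF55.pf as the Prefetch files created within ten seconds of it; run over the full body file, the same two functions show whether the pattern repeats and which executables are consistently present when it does.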
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

Looks like a good start. Is the goal to determine how it got there? So, going back in time from the drop date of the ZIP file, what do you find?


   
ReplyQuote
Share: