Thursday, February 25, 2016

System, Memory and Network Forensic Analysis with Log2timeline and Splunk (part 2)

In my last post, "System, Memory and Network Forensic Analysis with Log2timeline and Splunk" I explained the steps to create a supertimeline from a system timeline, memory timeline and network traffic. Later one, the CSV supertimeline file was imported into Splunk in order to analyse the incident. Now ,it is time to get the hands dirty with Splunk :)

In the case of this scenario we do not have any additional information from the incident, like for example an IDS alert, a proxy alert, or anything else which could give us some hint to investigate.  As I am totally blind, I am going to start looking for the network traffic, checking the DNS traffic as first step.

To do this I run a Splunk query with some regex to extract the time when the DNS query was done and the domain. The output will be a simple table:

index="forensic-investigation" host="Windows7" "Protocol Data: DNS Query" AND NOT wpad.localdomain | rex max_match=10 field=desc ".*DNS Query for (?<domain>.*) Stream Data"| dedup time,domain | table time,domain





From that list, all the domains sound familiar to me, with the exception of "NOTSOURCESUBPROGRAMSAND.COM".  That DNS request was done at 10:10:13

When doing a whois for that domain I see already something interesting:


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: NOTSOURCESUBPROGRAMSAND.COM
Registry Domain ID: 2003532384_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.internet.bs
Registrar URL: http://www.internetbs.net
Updated Date: 2016-02-17T09:15:22Z
Creation Date: 2016-02-17T09:15:22Z
Registrar Registration Expiration Date: 2017-02-17T09:15:22Z
Registrar: Internet Domain Service BS Corp.
Registrar IANA ID: 2487
Registrar Abuse Contact Email: abuse@internet.bs
Registrar Abuse Contact Phone: +1.5167401179
Reseller:

This domain has been registered a few days ago. 

Next step, is to search in Splunk for that domain. I filter all the DNS traffic as I am not interested in them. Also, I sort the output in order to have the oldest events as first one in Splunk. 


index="forensic-investigation" host="Windows7"  notsourcesubprogramsand.com AND NOT DNS| sort time

There are several events, and I can see that at 10:10:13 there is a GET for the resource /images/xI_2F7hUY_2BB9o1_2Bly/pegPJtllMxlWViBX/iy10bO2UTfO1Bpt/MEKH0Qs2n7fQbaMGtz/hM7vE8kkL/7Cmu7B0_2FvgdtMMauEo/awWdt4rt7gTmIpwu_2F/NpOEejTs_2FewiNuRTqkUE/yVvWmOAwDDOBceeqCqk/zt6.gif

The IP accessed is 87.98.254.64





The next step is to check all the events involving that IP. I discard the traffic I already now, like DNS, or HTTP GET.


index="forensic-investigation" host="Windows7"  87.98.254.64 AND NOT DNS AND NOT GET





The traffic is the HTTP response from the server. I can see the '200 OK' status. This happened at 10:10:14


This HTTP conversation looks like kind of C&C communication, so I will take the time 10:10:14 as my initial reference time. I am going to check what happened before that moment. For that, I run a query in splunk with a specific time frame (10 minutes in the past)


index="forensic-investigation" host="Windows7" earliest=02/23/2016:10:00:0 latest=02/23/2016:10:10:14




Still there are 508 events in that time frame. This is quite a lot information :)

Let's try to look first to any interesting network activity, besides the HTTP connection discussed before. I run a query in Splunk in order to create a table with all the connections in that time frame. 


index="forensic-investigation" host="Windows7" earliest=02/23/2016:10:00:0 latest=02/23/2016:10:10:14 NOT filename=OS:/mnt/hgfs/angel/malware/gozi/analysis3/timelines.body NOT DNS AND NOT  239.255.255.250 AND NOT 224.0.0.252 AND NOT "192.168.113.255" AND NOT "192.168.113.254" AND NOT "255.255.255.255"| rex field=desc  ".*Source IP: (?<SRCIP>.*) Destination IP: (?<DSTIP>.*) Source Port: (?<SRCPORT>.*) Destination Port: (?<DSTPORT>.*) Protocol: (?<PROTOCOL>.*) Type.*" | table time,SRCIP,SRCPORT,DSTIP,DSTPORT,PROTOCOL




There is just a connection one second before, at 10:10:12 to IP 208.118.113.235. Let's take a look to that event




The connection is an HTTP GET request to www.gnu.org/licenses/gpl.txt at 10:10:12. 
This could be normal behaviour, but also could be something to take into consideration. This malware family is known to access some valid websites to gather some files, usually TXT file, as the 'seed' for their DGA algorithm. This is described in this post http://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature

For the same timeframe, I am going to filter for the events produced in the filesytem, as I already analysed the network part. Dependent on this I will take a look to the memory or just will focus on the file system. Those filter are create with the "filename" which reference to the source of the data.


index="forensic-investigation" host="Windows7" earliest=02/23/2016:10:00:0 latest=02/23/2016:10:10:14 AND NOT filename=OS:/mnt/hgfs/angel/malware/gozi/analysis3/timelines.body AND NOT filename=OS:/mnt/hgfs/angel/malware/gozi/analysis3/capture.pcap





Unfortunately, there is only one event, which is related to a JOB from Chrome, in order to update the browser. This doesn't look related to our incident. It is also a bit far away from the time (10:02:00) I was expecting to have some strange behaviour.


Next step, is to check from the memory the "exe" files executed in that time frame. Maybe this way I am able to detect something anomalous.


index="forensic-investigation" host="Windows7" earliest=02/23/2016:10:00:0 latest=02/23/2016:10:10:14 filename=OS:/mnt/hgfs/angel/malware/gozi/analysis3/timelines.body  *.exe






I find 396 events, so I am going to try to filter the ones which I think could be normal executables from the OS. It is possible that doing this I filter some malicious process which is using the same name than a valid executable, like for example svchost.exe. Some malware use techniques to hide in valid executables. However, usually the initial infection binary has a different name so it would be easy to catch and detect through this approach.

I run the same query than before but filtering some well known binaries: svchost.exe, taskhost.exe, Wireshark.exe, vmtoolsd.exe.


index="forensic-investigation" host="Windows7" earliest=02/23/2016:10:00:0 latest=02/23/2016:10:10:14 filename=OS:/mnt/hgfs/angel/malware/gozi/analysis3/timelines.body  *.exe AND NOT explorer.exe AND NOT "MpCmdRun.exe" AND NOT svchost.exe AND NOT Wireshark.exe AND NOT vmtoolsd.exe AND NOT taskhost.exe

The first result I get is something really interesting:




A binary file "C:\Users\angel\Desktop\47114d41bdaaa118b4d07101514b5ad4e6d181266501ac318a7521760eb6e922.exe" is registered in the "USER ASSIST" register key. This key is used to keep track of all the executed binaries in the system as described here. This event happened at 10:10:06. 


What do we know so far?

-At 10:00:06 a suspicious binary is executed as seen in the memory of the system.
-At 10:00:12 and 10:00:12  there is DNS request to resolve www.gnu.org
-At 10:00:12 there is an HTTP request to www.gnu.org/licenses/gpl.txt
-At 10:00:13 there is a DNS request to notsourcesubprogramsand.com/
-At 10:00:13 there is an HTTP request to notsourcesubprogramsand.com//images/xI_2F7hUY_2BB9o1_2Bly/pegPJtllMxlWViBX/iy10bO2UTfO1Bpt/MEKH0Qs2n7fQbaMGtz/hM7vE8kkL/7Cmu7B0_2FvgdtMMauEo/awWdt4rt7gTmIpwu_2F/NpOEejTs_2FewiNuRTqkUE/yVvWmOAwDDOBceeqCqk/zt6.gif 

What has happened between 10:00:06 and 10:00:12? What happened after the 10:00:13?

More to come :)