Timeline
Phish delivered to the user. The date below is taken from the message headers recovered from memory strings.
Date: Mon, 26 Nov 2012 14:59:38 -0500
The creation of the prefetch file indicates that the dropper for the backdoor (the Symantec-1.43-1 executable downloaded from the phishing link) was executed. The timeline is in UTC; this is roughly three hours after the phish was sent (14:59:38 -0500 is 19:59:38 UTC).
Mon Nov 26 2012 23:01:54 22428 macb r/rrwxrwxrwx 0 0 11722-128-4 c:/WINDOWS/Prefetch/SYMANTEC-1.43-1[2].EXE-3793B625.pf
At the same second 6to4ex.dll was accessed and its MFT entry changed (.ac.), consistent with the dropper writing out and loading the backdoor DLL
100895 .ac. r/rr-xr-xr-x 0 0 8610-128-4 c:/WINDOWS/system32/6to4ex.dll
Initial beacon identified, four seconds after the dropper ran
Mon Nov 26 2012 23:01:58
New directory created to hold the attacker's tools
Mon Nov 26 2012 23:03:10 56 ...b d/drwxrwxrwx 0 0 7556-144-5 c:/WINDOWS/webui
ipconfig is run
Mon Nov 26 2012 23:03:21 26602 ...b r/rrwxrwxrwx 0 0 11706-128-4 c:/WINDOWS/Prefetch/IPCONFIG.EXE-2395F30B.pf
55808 .a.. r/rrwxrwxrwx 0 0 24145-128-3 c:/WINDOWS/system32/ipconfig.exe
Obvious tool drop, based on executables being created in c:\WINDOWS and in the newly created webui directory.
Mon Nov 26 2012 23:06:34 381816 ...b r/rrwxrwxrwx 0 0 11710-128-3 c:/WINDOWS/ps.exe
Mon Nov 26 2012 23:06:35 381816 m.c. r/rrwxrwxrwx 0 0 11710-128-3 c:/WINDOWS/ps.exe
Mon Nov 26 2012 23:06:47 303104 ...b r/rrwxrwxrwx 0 0 11719-128-3 c:/WINDOWS/webui/gs.exe
Mon Nov 26 2012 23:06:48 303104 mac. r/rrwxrwxrwx 0 0 11719-128-3 c:/WINDOWS/webui/gs.exe
Mon Nov 26 2012 23:06:52 403968 macb r/rrwxrwxrwx 0 0 11723-128-3 c:/WINDOWS/webui/ra.exe
Mon Nov 26 2012 23:06:56 20480 macb r/rrwxrwxrwx 0 0 11724-128-3 c:/WINDOWS/webui/sl.exe
Mon Nov 26 2012 23:06:59 208384 m.cb r/rrwxrwxrwx 0 0 11725-128-3 c:/WINDOWS/webui/wc.exe
A system32\wc.exe entry also appears at this timestamp, but only with a modification time (m...). The same inode (11739) is not born in system32 until 01:27:03 below; a copy preserves the source file's modification time, so this entry is the later copy carrying the original webui\wc.exe timestamp rather than a second drop at 23:06:59.
Mon Nov 26 2012 23:06:59 208384 m... r/rrwxrwxrwx 0 0 11739-128-3 c:/WINDOWS/system32/wc.exe
ipconfig is run a second time
Mon Nov 26 2012 23:07:31 26602 mac. r/rrwxrwxrwx 0 0 11706-128-4 c:/WINDOWS/Prefetch/IPCONFIG.EXE-2395F30B.pf
netuse.dll is born on the filesystem in the tool-drop directory at the same second ipconfig is run
Mon Nov 26 2012 23:07:31 11844 ...b r/rrwxrwxrwx 0 0 11726-128-3 c:/WINDOWS/webui/netuse.dll
net.exe is executed
Mon Nov 26 2012 23:07:53 14394 ...b r/rrwxrwxrwx 0 0 11727-128-4 c:/WINDOWS/Prefetch/NET.EXE-01A53C2F.pf
sl.exe appears to have been executed twice: its prefetch file is born at 23:10:35 and then modified and accessed again at 23:11:33, and Windows rewrites a .pf file on each subsequent run
Mon Nov 26 2012 23:10:35 6768 ...b r/rrwxrwxrwx 0 0 11729-128-4 c:/WINDOWS/Prefetch/SL.EXE-010E2A23.pf
Mon Nov 26 2012 23:11:33 6768 mac. r/rrwxrwxrwx 0 0 11729-128-4 c:/WINDOWS/Prefetch/SL.EXE-010E2A23.pf
netuse.dll is accessed and modified, gs.exe is executed and samsrv.dll is accessed, all within the same second. This makes me highly suspicious of hash dumping, since samsrv.dll is the SAM server DLL that handles local security accounts among other things. Note: the order in which entries with the same timestamp are listed does not necessarily reflect the order in which they were executed.
Mon Nov 26 2012 23:11:58 11844 mac. r/rrwxrwxrwx 0 0 11726-128-3 c:/WINDOWS/webui/netuse.dll
10002 macb r/rrwxrwxrwx 0 0 11730-128-4 c:/WINDOWS/Prefetch/GS.EXE-3796DDD9.pf
415744 .a.. r/rrwxrwxrwx 0 0 23392-128-3 c:/WINDOWS/system32/samsrv.dll
ping.exe is executed twice
Mon Nov 26 2012 23:15:44 13296 ...b r/rrwxrwxrwx 0 0 11731-128-4 c:/WINDOWS/Prefetch/PING.EXE-31216D26.pf
Mon Nov 26 2012 23:16:14 13296 mac. r/rrwxrwxrwx 0 0 11731-128-4 c:/WINDOWS/Prefetch/PING.EXE-31216D26.pf
wc.exe is executed
Mon Nov 26 2012 23:58:51 13208 ...b r/rrwxrwxrwx 0 0 11732-128-4 c:/WINDOWS/Prefetch/WC.EXE-21AD5E60.pf
ps.exe is executed
Tue Nov 27 2012 00:00:57 12542 ...b r/rrwxrwxrwx 0 0 11733-128-4 c:/WINDOWS/Prefetch/PS.EXE-09745CC1.pf
wc.exe is executed for a second time
Tue Nov 27 2012 00:10:44 13208 mac. r/rrwxrwxrwx 0 0 11732-128-4 c:/WINDOWS/Prefetch/WC.EXE-21AD5E60.pf
ps.exe is executed for a second time
Tue Nov 27 2012 00:13:59 12542 mac. r/rrwxrwxrwx 0 0 11733-128-4 c:/WINDOWS/Prefetch/PS.EXE-09745CC1.pf
system.dll carries a modification time that precedes its birth on this filesystem
Tue Nov 27 2012 00:44:16 5711 m... r/rrwxrwxrwx 0 0 11734-128-3 c:/WINDOWS/webui/system.dll
system.dll is born on the filesystem at 00:49:01, after its modification time of 00:44:16. A file copy preserves the source file's modification time but assigns a new creation time on the destination volume, so I would think that system.dll was created on a different machine a little under five minutes earlier and copied to this machine.
Tue Nov 27 2012 00:49:01 5711 .acb r/rrwxrwxrwx 0 0 11734-128-3 c:/WINDOWS/webui/system.dll
The same would be true for svchost.dll
Tue Nov 27 2012 00:56:43 1230 m... r/rrwxrwxrwx 0 0 11735-128-3 c:/WINDOWS/webui/svchost.dll
Tue Nov 27 2012 00:57:20 1230 .acb r/rrwxrwxrwx 0 0 11735-128-3 c:/WINDOWS/webui/svchost.dll
The same would be true for https.dll
Tue Nov 27 2012 01:00:34 5282 m... r/rrwxrwxrwx 0 0 11736-128-3 c:/WINDOWS/webui/https.dll
Tue Nov 27 2012 01:01:39 5282 .acb r/rrwxrwxrwx 0 0 11736-128-3 c:/WINDOWS/webui/https.dll
The same would be true for netstat.dll
Tue Nov 27 2012 01:11:40 109092 m... r/rrwxrwxrwx 0 0 11737-128-3 c:/WINDOWS/webui/netstat.dll
Tue Nov 27 2012 01:14:48 109092 .acb r/rrwxrwxrwx 0 0 11737-128-3 c:/WINDOWS/webui/netstat.dll
system5.bat is created
Tue Nov 27 2012 01:26:47 88 macb r/rrwxrwxrwx 0 0 11738-128-1 c:/WINDOWS/webui/system5.bat
webui\wc.exe is accessed and, in the same second, the system32 copy is born; the copy keeps the original's 23:06:59 modification time
Tue Nov 27 2012 01:27:03 208384 .a.. r/rrwxrwxrwx 0 0 11725-128-3 c:/WINDOWS/webui/wc.exe
208384 ...b r/rrwxrwxrwx 0 0 11739-128-3 c:/WINDOWS/system32/wc.exe
At the same time at.exe was executed and a scheduled task (At1.job) was born
Tue Nov 27 2012 01:27:03 322 ...b r/rrwxrwxrwx 0 0 11740-128-1 c:/WINDOWS/Tasks/At1.job
12948 ...b r/rrwxrwxrwx 0 0 11741-128-4 c:/WINDOWS/Prefetch/AT.EXE-2770DD18.pf
The scheduled task was set to fire at 01:30:00 in this (UTC) timeline. The batch file recovered from the MFT below schedules it as "at 19:30", i.e. 19:30 local time, which is consistent with the host running on US Central time (the domain controller's Received header in the phish is stamped -0600). wc.exe was executed via the scheduled task and h.out was created as a result.
Tue Nov 27 2012 01:30:00 208384 .ac. r/rrwxrwxrwx 0 0 11739-128-3 c:/WINDOWS/system32/wc.exe
322 mac. r/rrwxrwxrwx 0 0 11740-128-1 c:/WINDOWS/Tasks/At1.job
268 macb r/rrwxrwxrwx 0 0 11742-128-1 c:/WINDOWS/system32/h.out
An additional prefetch file is created for wc.exe. The hash in the name (06BFE764 rather than 21AD5E60) differs because the prefetch hash is derived from the executable's full path: this is wc.exe running from system32 via the scheduled task rather than from webui.
Tue Nov 27 2012 01:30:10 10720 macb r/rrwxrwxrwx 0 0 11743-128-4 c:/WINDOWS/Prefetch/WC.EXE-06BFE764.pf
The at.exe prefetch file is updated, indicating at.exe was run a second time
Tue Nov 27 2012 01:32:36 12948 mac. r/rrwxrwxrwx 0 0 11741-128-4 c:/WINDOWS/Prefetch/AT.EXE-2770DD18.pf
Responder activity identified: mdd.exe, the memory acquisition tool, appears on the filesystem, so activity from this point on is the response rather than the intrusion
Tue Nov 27 2012 01:42:21 95104 m... r/rrwxrwxrwx 0 0 11744-128-3 c:/mdd.exe
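Two of the inferences drawn in this timeline (a file whose modification time predates its birth was copied in from elsewhere, and a prefetch file that is born and then touched again marks repeated executions) can be automated over the mactime output. The script below is an added example, not part of the original writeup and not part of The Sleuth Kit; the sample lines are copied from the timeline above, and the function names and the two heuristics are this example's own.

```python
"""Timeline heuristics over mactime output: copied-in files and prefetch run counts.

Added example for this writeup, not the original author's code and not part of
The Sleuth Kit. The sample lines are copied from the timeline above; the
function names and the two heuristics are this script's own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Copied from the timeline above. mactime prints one timestamp per second and
# leaves it blank on following lines that share it.
SAMPLE_TIMELINE = """\
Mon Nov 26 2012 23:01:54 22428 macb r/rrwxrwxrwx 0 0 11722-128-4 c:/WINDOWS/Prefetch/SYMANTEC-1.43-1[2].EXE-3793B625.pf
Mon Nov 26 2012 23:03:21 26602 ...b r/rrwxrwxrwx 0 0 11706-128-4 c:/WINDOWS/Prefetch/IPCONFIG.EXE-2395F30B.pf
Mon Nov 26 2012 23:06:34 381816 ...b r/rrwxrwxrwx 0 0 11710-128-3 c:/WINDOWS/ps.exe
Mon Nov 26 2012 23:06:35 381816 m.c. r/rrwxrwxrwx 0 0 11710-128-3 c:/WINDOWS/ps.exe
Mon Nov 26 2012 23:06:59 208384 m.cb r/rrwxrwxrwx 0 0 11725-128-3 c:/WINDOWS/webui/wc.exe
Mon Nov 26 2012 23:06:59 208384 m... r/rrwxrwxrwx 0 0 11739-128-3 c:/WINDOWS/system32/wc.exe
Mon Nov 26 2012 23:07:31 26602 mac. r/rrwxrwxrwx 0 0 11706-128-4 c:/WINDOWS/Prefetch/IPCONFIG.EXE-2395F30B.pf
Mon Nov 26 2012 23:10:35 6768 ...b r/rrwxrwxrwx 0 0 11729-128-4 c:/WINDOWS/Prefetch/SL.EXE-010E2A23.pf
Mon Nov 26 2012 23:11:33 6768 mac. r/rrwxrwxrwx 0 0 11729-128-4 c:/WINDOWS/Prefetch/SL.EXE-010E2A23.pf
Mon Nov 26 2012 23:58:51 13208 ...b r/rrwxrwxrwx 0 0 11732-128-4 c:/WINDOWS/Prefetch/WC.EXE-21AD5E60.pf
Tue Nov 27 2012 00:10:44 13208 mac. r/rrwxrwxrwx 0 0 11732-128-4 c:/WINDOWS/Prefetch/WC.EXE-21AD5E60.pf
Tue Nov 27 2012 00:44:16 5711 m... r/rrwxrwxrwx 0 0 11734-128-3 c:/WINDOWS/webui/system.dll
Tue Nov 27 2012 00:49:01 5711 .acb r/rrwxrwxrwx 0 0 11734-128-3 c:/WINDOWS/webui/system.dll
Tue Nov 27 2012 01:27:03 208384 .a.. r/rrwxrwxrwx 0 0 11725-128-3 c:/WINDOWS/webui/wc.exe
208384 ...b r/rrwxrwxrwx 0 0 11739-128-3 c:/WINDOWS/system32/wc.exe
12948 ...b r/rrwxrwxrwx 0 0 11741-128-4 c:/WINDOWS/Prefetch/AT.EXE-2770DD18.pf
Tue Nov 27 2012 01:30:10 10720 macb r/rrwxrwxrwx 0 0 11743-128-4 c:/WINDOWS/Prefetch/WC.EXE-06BFE764.pf
Tue Nov 27 2012 01:32:36 12948 mac. r/rrwxrwxrwx 0 0 11741-128-4 c:/WINDOWS/Prefetch/AT.EXE-2770DD18.pf
"""

LINE = re.compile(
    r"^(?:(?P<ts>\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+)?"
    r"(?P<size>\d+)\s+(?P<flags>[macb.]{4})\s+\S+\s+\d+\s+\d+\s+(?P<inode>\S+)\s+(?P<path>.+)$")


@dataclass
class Event:
    ts: datetime
    size: int
    flags: str   # m = modified, a = accessed, c = MFT entry changed, b = born
    inode: str
    path: str


def parse_mactime(text):
    """Turn mactime lines into Events, carrying the timestamp over blank-timestamp lines."""
    events, ts = [], None
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        if m["ts"]:
            ts = datetime.strptime(m["ts"], "%a %b %d %Y %H:%M:%S")
        events.append(Event(ts, int(m["size"]), m["flags"], m["inode"], m["path"]))
    return events


def find_copied_files(events):
    """Paths whose earliest modification time precedes their birth. A copy keeps the
    source's M time but gets a new B time on the destination volume, so M < B means
    the file existed somewhere else first. Returns {path: seconds between M and B}."""
    mtimes, btimes = {}, {}
    for e in events:
        if "m" in e.flags:
            mtimes[e.path] = min(mtimes.get(e.path, e.ts), e.ts)
        if "b" in e.flags:
            btimes[e.path] = e.ts
    return {p: int((btimes[p] - mtimes[p]).total_seconds())
            for p in btimes if p in mtimes and mtimes[p] < btimes[p]}


def prefetch_runs(events):
    """Executions per program, counted as distinct timestamps on its .pf files: a prefetch
    file is born on the first run and rewritten on later runs. The hash in the .pf name is
    derived from the executable's full path, so one program run from two directories leaves
    two .pf files; keying by program name merges them."""
    runs = defaultdict(set)
    for e in events:
        name = e.path.rsplit("/", 1)[-1]
        if "/Prefetch/" in e.path and name.lower().endswith(".pf"):
            runs[name.rsplit("-", 1)[0]].add(e.ts)
    return {exe: len(stamps) for exe, stamps in runs.items()}


if __name__ == "__main__":
    ev = parse_mactime(SAMPLE_TIMELINE)
    for path, secs in sorted(find_copied_files(ev).items()):
        print("copied in: %-32s M precedes B by %d s" % (path, secs))
    for exe, n in sorted(prefetch_runs(ev).items()):
        print("%-24s executed at least %d time(s)" % (exe, n))
```

On the sample, the copied-file check flags system32\wc.exe (modification time 2 h 20 min before birth) and webui\system.dll (4 min 45 s), and correctly leaves ps.exe alone because its modification follows its birth. The prefetch count merges the two wc.exe prefetch files into three executions.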
Memory analysis
Original phish. Note the link sending the user to http://58.64.132.8/download/Symantec-1.43-1.exe. The sender domain petro-markets.info is a lookalike of the victim's petro-market.org, and the sending host 58.64.132.141 is the same address the backdoor beacons to on port 80 in the connscan output below.
34435092 ceived: from ubuntu-router ([172.16.150.8]) by dc-ustxhou.petro-market.org with Microsoft SMTPSVC(6.0.3790.0);
34435204 Mon, 26 Nov 2012 14:00:08 -0600
34435239 Received: from d0793h (d0793h.petro-markets.info [58.64.132.141])
34435306 by ubuntu-router (8.14.3/8.14.3/Debian-9.2ubuntu1) with SMTP id qAQK06Co005842;
34435388 Mon, 26 Nov 2012 15:00:07 -0500
34435422 Message-ID: <FCE1C36C7BBC46AFB7C2A251EA868B8B@d0793h>
34435477 From: "Security Department" <isd@petro-markets.info>
34435531 To: <amirs@petro-market.org>, <callb@petro-market.org>,
34435588 <wrightd@petro-market.org>
34435624 Subject: Immediate Action
34435651 Date: Mon, 26 Nov 2012 14:59:38 -0500
34435690 MIME-Version: 1.0
34435709 Content-Type: multipart/alternative;
34435747 boundary="----=_NextPart_000_0015_01CDCBE6.A7B92DE0"
34435802 X-Priority: 3
34435817 X-MSMail-Priority: Normal
34435844 X-Mailer: Microsoft Outlook Express 6.00.2900.5512
34435896 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
34435954 Return-Path: isd@petro-markets.info
34435991 X-OriginalArrivalTime: 26 Nov 2012 20:00:08.0432 (UTC) FILETIME=[A2ABBF00:01CDCC10]
34436078 This is a multi-part message in MIME format.
34436126 ------=_NextPart_000_0015_01CDCBE6.A7B92DE0
34436171 Content-Type: text/plain;
34436198 charset="iso-8859-1"
34436221 Content-Transfer-Encoding: quoted-printable
34436268 Attn: Immediate Action is Required!!
34436308 The IS department is requiring that all associates update to the new =
34436380 version of anti-virus. This is critical and must be done ASAP! Failure =
34436456 to update anti-virus may result in negative actions.
34436512 Please download the new anti-virus and follow the instructions. Failure =
34436588 to install this anti-virus may result in loosing your job!
34436650 Please donwload at http://58.64.132.8/download/Symantec-1.43-1.exe
34436720 Regards,
34436730 The IS Department
Evidence that the user callb clicked the link in the phish (browser history record recovered from memory strings)
Visited: callb@http://58.64.132.8/download/Symantec-1.43-1.exe
Finding the backdoor in memory
1. First try to locate the backdoor's network connection and associate a PID with it, using Volatility's connscan. The connection to 58.64.132.141:80 (the host that sent the phish) belongs to PID 1024, so that is the process to look at more closely.
vol.py connscan -f memdump.bin --profile=WinXPSP3x86
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x01f60850 0.0.0.0:0 1.0.0.0:0 36569092
0x01ffa850 172.16.150.20:1291 58.64.132.141:80 1024
0x0201f850 172.16.150.20:1292 172.16.150.10:445 4
0x02084e68 172.16.150.20:1281 172.16.150.10:389 628
0x020f8988 172.16.150.20:2862 172.16.150.10:135 696
0x02201008 172.16.150.20:1280 172.16.150.10:389 628
0x18615850 172.16.150.20:1292 172.16.150.10:445 4
0x189e8850 172.16.150.20:1291 58.64.132.141:80 1024
0x18a97008 172.16.150.20:1280 172.16.150.10:389 628
0x18b8e850 0.0.0.0:0 1.0.0.0:0 36569092
0x18dce988 172.16.150.20:2862 172.16.150.10:135 696
2. Next, find out exactly which process is running with that PID, again using Volatility. PID 1024 is an svchost.exe; the grep also matches its two children, wuauclt.exe and wc.exe (PID 364), and wc.exe started at 01:30:00, the scheduled task's run time, which is consistent with the Task Scheduler service living in this svchost instance.
vol.py pslist -f memdump.bin --profile=WinXPSP3x86 |grep 1024
Volatile Systems Volatility Framework 2.2
0x820b3da0 svchost.exe 1024 680 76 1645 0 0 2012-11-26 22:03:32
0x82045da0 wuauclt.exe 1628 1024 3 142 0 0 2012-11-26 22:04:43
0x82049690 wc.exe 364 1024 1 27 0 0 2012-11-27 01:30:00
3. Once again use Volatility, this time dlllist, to see which DLLs are loaded in PID 1024. We see 6to4ex.dll, the file touched on the filesystem at the same time the dropper was executed, loaded from system32 at 0x10000000.
vol.py dlllist -f memdump.bin --profile=WinXPSP3x86 -p 1024
Volatile Systems Volatility Framework 2.2
skipping…
0x10000000 0x1c000 c:\windows\system32\6to4ex.dll
4. Next, carve the DLL out of memory with dlldump and see whether it is in fact our Gh0st RAT. strings is a quick way to tell whether the binary can be associated with the backdoor.
vol.py dlldump -f memdump.bin --profile=WinXPSP3x86 -p 1024 --dump-dir=dll
Volatile Systems Volatility Framework 2.2
Process(V) Name Module Base Module Name Result
---------- -------------------- ----------- -------------------- ------
skipping…
0x820b3da0 svchost.exe 0x010000000 6to4ex.dll OK: module.1024.20b3da0.10000000.dll
strings dll/module.1024.20b3da0.10000000.dll |more
skipping…
Gh0st Update
Global\Gh0st %d
(Note: there are additional indicators in the binary that can be used to build detection for this backdoor.)
ipconfig being run via PsExec (ps.exe). It looks like it was targeting two specific machines, 172.16.223.47 and 172.16.150.10, using credentials most likely obtained from the credential dumping shown below (the callb password used here is the one wce -w later recovers in cleartext).
111530668 C:\WINDOWS\System32\svchost.exe - ps.exe \\172.16.223.47 -u sysbackup -p T1g3rsL10n5 -accpeteula cmd /c ipconfig0e
111532380 C:\WINDOWS\System32\svchost.exe - ps.exe \\172.16.150.10 -u petro1-market\callb -p Mar1ners@4655 -accepteula cmd /c ipconfig
Because I saw gs.exe executed and samsrv.dll accessed at the same time, I suspected that hash dumping had occurred, and the suspicion grew stronger when I saw ps.exe executed with presumably valid credentials. The following grep searches the memory strings file for pwdump-format hash pairs (a 32-hex-character LM hash, a colon and a 32-hex-character NT hash).
cat mem.str |grep -e '[a-f0-9]\{32\}\:[a-f0-9]\{32\}'
11377473 PETRO-MARKET\callb::115b24322c11908c85140f5d33b6232f:40d1d232d5f731ea966913ea458a16e7:::
11377563 PETRO-MARKET\ENG-USTXHOU-148$::00000000000000000000000000000000:d6717f1e5252fa87ed40af8c46d8b1e2:::
11377664 PETRO-MARKET\ENG-USTXHOU-148$::00000000000000000000000000000000:d6717f1e5252fa87ed40af8c46d8b1e2:::
11377765 Administrator(current):500:b7ae6225a35c376da8d03b0a558fdf1f:159cb99e6dfd8830d25e8592c505d4be:::
11377862 Guest(current):501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
11377951 HelpAssistant(current):1000:42dbf333659cabcd0b546a25124a5476:dfd19a421051e8329e0c7b5aa7fe7dbe:::
11378049 SUPPORT_388945a0(current):1002:aad3b435b51404eeaad3b435b51404ee:5168fdd9d699311c78acabde3c849622:::
11378150 sysbackup(current):1004:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057:::
145783076 xe -s sysbackup:current:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057
188543748 xe -s sysbackup:current:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057
219844660 IIS-SARIYADH-03\IUSR_IIS-SARIYADH-03::a56070d051fea2efc7b9d6cef7a31133:34cda5be1d8a5a95d16760173d9b953f:::
219844768 PETRO-MARKET\saadmin::fb288acceb76f0688625caa1be8406ea:7f0de79304fa2dafd770b917d7d8a545:::
219844860 PETRO-MARKET\IIS-SARIYADH-03$::00000000000000000000000000000000:9e185f46ee242c35d328eacc15bc62ab:::
219844961 PETRO-MARKET\IIS-SARIYADH-03$::00000000000000000000000000000000:9e185f46ee242c35d328eacc15bc62ab:::
219845062 Administrator(current):500:b7ae6225a35c376da8d03b0a558fdf1f:159cb99e6dfd8830d25e8592c505d4be:::
219845159 ASPNET(current):1007:5d7be66190782a7e815c3e85ee68a20f:0017e6c73eec714ad84200bc49752450:::
219845250 Guest(current):501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
219845339 IUSR_IIS-SARIYADH-03(current):1004:a56070d051fea2efc7b9d6cef7a31133:34cda5be1d8a5a95d16760173d9b953f:::
219845444 IWAM_IIS-SARIYADH-03(current):1005:3cfdff81d718e57a97db95a9e5c85a61:3c96b32a0a60fad5d5e43b71a2088471:::
219845549 SUPPORT_388945a0(current):1001:aad3b435b51404eeaad3b435b51404ee:a0b581112e87b82bce9201ce197fdd93:::
219845650 sysbackup(current):1008:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057:::
219845744 sysbackup(hist_01):1008:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057:::
Evidence of gsecdump found in memory
57731224 unable to start gsecdump as service
57731260 system
57731268 help
57731276 dump_all,a
57731288 dump all secrets
57731308 dump_hashes,s
57731324 dump hashes from SAM/AD
57731348 dump_lsa,l
57731360 dump lsa secrets
57731380 dump_usedhashes,u
57731400 dump hashes from active logon sessions
57731440 dump_wireless,w
57731456 dump microsoft wireless connections
57731492 help,h
57731500 show help
57731512 system,S
57731524 run as localsystem
57731544 gsecdump v0.7 by Johannes Gumbel (johannes.gumbel@truesec.se)
57731607 usage: gsecdump [options]
57731636 options
57731644 --iamservice
An additional discovery is the use of pass-the-hash via Windows Credentials Editor (wc.exe). The -s option replaces the NTLM credentials of the current logon session with the LM and NT hashes of sysbackup, the same pair dumped above, so subsequent network authentication from that session runs as sysbackup without ever knowing the password.
288587364 \WINDOWS\System32\svchost.exe - wc.exe -s sysbackup:current:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057
We also see the attacker grabbing cleartext passwords with wce -w, which reads them out of LSASS memory. The callb password is the one used with ps.exe above; the long random strings shown for NETWORK SERVICE and ENG-USTXHOU-148$ are the computer account's password.
33660952 wc.exe -w
33660963 WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
33661089 Use -h for help.
33661111 callb\PETRO-MARKET:Mar1ners@4655
33661145 NETWORK SERVICE\PETRO-MARKET:+A;dhzj%o<8xpD@,p5v)C:p2%?1Nkx&5OU!c[wt5BgV'r4p7/lWc[`XWPpN/.d$I.Ubc-7c $-ap(@?I7S6SD(U-zbdQHgT2& u\rgk(ga?y+GGE*E_0/2Qs
33661296 ENG-USTXHOU-148$\PETRO-MARKET:+A;dhzj%o<8xpD@,p5v)C:p2%?1Nkx&5OU!c[wt5BgV'r4p7/lWc[`XWPpN/.d$I.Ubc-7c $-ap(@?I7S6SD(U-zbdQHgT2& u\rgk(ga?y+GGE*E_0/2Qs
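The hash grep, the wc.exe -s pass-the-hash command line and the wce -w cleartext output above can be pulled out of the strings file and cross-referenced automatically: the NT hash passed to wc.exe -s is the one dumped for sysbackup, and the callb password given to ps.exe is the one wce recovered in cleartext. The script below is an added example, not the original author's code and not part of gsecdump or WCE; the sample lines are copied from the strings output above, and the record format, flag names and function names are this example's own.

```python
"""Pull credential-dump artifacts out of a memory strings file and tie them to
pass-the-hash and PsExec use.

Added example for this writeup, not the original author's code and not part
of gsecdump or WCE. The sample lines are copied from the strings output
above; the record format, flag names and function names are this script's own.
"""
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Copied from the strings output above (the leading number is the offset in the strings file).
SAMPLE_STRINGS = r"""
11377473 PETRO-MARKET\callb::115b24322c11908c85140f5d33b6232f:40d1d232d5f731ea966913ea458a16e7:::
11377563 PETRO-MARKET\ENG-USTXHOU-148$::00000000000000000000000000000000:d6717f1e5252fa87ed40af8c46d8b1e2:::
11377765 Administrator(current):500:b7ae6225a35c376da8d03b0a558fdf1f:159cb99e6dfd8830d25e8592c505d4be:::
11377862 Guest(current):501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
11378150 sysbackup(current):1004:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057:::
111532380 C:\WINDOWS\System32\svchost.exe - ps.exe \\172.16.150.10 -u petro1-market\callb -p Mar1ners@4655 -accepteula cmd /c ipconfig
288587364 \WINDOWS\System32\svchost.exe - wc.exe -s sysbackup:current:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057
33660952 wc.exe -w
33661111 callb\PETRO-MARKET:Mar1ners@4655
"""

HASH_PAIR = r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32})"
# pwdump-style line as written by gsecdump: user:rid:lm:nt::: (the rid may be empty)
DUMP_LINE = re.compile(r"(?P<user>[^\s:]+):(?P<rid>\d*):" + HASH_PAIR + ":::", re.I)
# WCE replacing the current logon session's NTLM credentials: wce -s user:domain:lm:nt
PTH_LINE = re.compile(r"wc\.exe\s+-s\s+(?P<user>[^\s:]+):(?P<domain>[^\s:]+):" + HASH_PAIR, re.I)
# PsExec run with explicit credentials: ps.exe \\target -u user -p password
PSEXEC_LINE = re.compile(r"ps\.exe\s+\\\\(?P<target>\S+)\s+-u\s+(?P<user>\S+)\s+-p\s+(?P<password>\S+)", re.I)
# WCE -w output line: user\DOMAIN:password (only tried after the patterns above fail)
CLEARTEXT_LINE = re.compile(r"^\d+\s+(?P<user>[^\\\s]+)\\(?P<domain>[^\s:]+):(?P<password>.+)$")


def classify_hash(user, lm, nt):
    """Flags that tell a triage analyst what a dumped pair is worth."""
    flags = []
    if lm == EMPTY_LM:
        flags.append("empty_lm")         # LM storage disabled or password longer than 14 chars
    if set(lm) == {"0"}:
        flags.append("zeroed_lm")        # logon-session dump with no LM hash available
    if nt == EMPTY_NT:
        flags.append("empty_nt")         # blank password
    if user.split("(")[0].endswith("$"):
        flags.append("machine_account")  # computer account, not a human's credential
    return flags


def analyze(text):
    """Parse dump, pass-the-hash, PsExec and cleartext lines, then correlate them."""
    out = {"hashes": [], "pass_the_hash": [], "psexec": [], "cleartext": []}
    for line in text.strip().splitlines():
        if m := PTH_LINE.search(line):
            out["pass_the_hash"].append(m.groupdict())
        elif m := DUMP_LINE.search(line):
            rec = {k: v.lower() if k in ("lm", "nt") else v for k, v in m.groupdict().items()}
            rec["flags"] = classify_hash(rec["user"], rec["lm"], rec["nt"])
            out["hashes"].append(rec)
        elif m := PSEXEC_LINE.search(line):
            out["psexec"].append(m.groupdict())
        elif m := CLEARTEXT_LINE.match(line):
            out["cleartext"].append(m.groupdict())
    # Which dumped account's NT hash was replayed with wce -s?
    for p in out["pass_the_hash"]:
        p["reused_from"] = [h["user"] for h in out["hashes"] if h["nt"] == p["nt"].lower()]
    # Was the password handed to PsExec one that wce -w had already recovered in cleartext?
    for px in out["psexec"]:
        who = px["user"].split("\\")[-1].lower()
        px["password_from_wce"] = any(
            c["user"].lower() == who and c["password"] == px["password"] for c in out["cleartext"])
    return out


if __name__ == "__main__":
    result = analyze(SAMPLE_STRINGS)
    for h in result["hashes"]:
        print("hash", h["user"], h["nt"], h["flags"])
    for p in result["pass_the_hash"]:
        print("pass-the-hash as", p["user"], "using the NT hash dumped for", p["reused_from"])
    for px in result["psexec"]:
        print("psexec to", px["target"], "as", px["user"], "password from wce -w:", px["password_from_wce"])
```

The correlation is the useful part: a dump line on its own says an attacker could pass the hash, while a wce -s line whose NT hash matches a dumped account says they did, and names the account to reset first.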
There was not much information regarding ra.exe, and we did not see that file executed at all (there is no prefetch file for it).
It appears that sl.exe is scanline from Foundstone
92493044 Foundstone Inc.
92493082 FileDescription
92493116 ScanLine
92493142 FileVersion
92493168 1, 0, 1, 0
92493198 InternalName
92493224 ScanLine
92493250 LegalCopyright
92493280 Copyright
92493302 2002 Foundstone Inc.
92493354 LegalTrademarks
92493388 Copyright
92493410 2002 Foundstone Inc.
92493462 OriginalFilename
92493496 sl.exe
92493518 PrivateBuild
92493550 ProductName
92493576 ScanLine
92493602 ProductVersion
We also see evidence of what was being scanned: the 172.16.150.0/24 network for ports 445, 80, 443, 21 and 1433 (-b grabs banners, -h hides hosts with no open ports and -t gives the TCP port list)
\WINDOWS\System32\svchost.exe - sl.exe -bht 445,80,443,21,1433 172.16.150.1-254
A net use command that appears to come from the Gh0st RAT process (svchost.exe) maps a share on a remote machine, 172.16.223.47, the same host targeted with ps.exe above. This may explain how the DLLs appear, from their MAC times, to have been copied from a different machine.
\WINDOWS\System32\svchost.exe - net use z: \\172.16.223.47\z
Note: this one looks like normal command-line share mapping from cmd.exe
\WINDOWS\system32\cmd.exe - net use r: \\172.16.150.10\ITShare
MFT entry for system5.bat found in memory. The batch file is small enough to be resident in the $DATA attribute, so its full 88 bytes sit inside the record (from offset 0x1be): it copies wc.exe from webui into system32 and schedules "at 19:30 wc.exe -e -o h.out" (WCE's -e keeps listing logon-session NTLM credentials as new sessions appear, and -o writes the output to a file). The $FILE_NAME attribute's parent reference, 0x1d84 (7556), is the webui directory's MFT entry from the timeline, and the record number 0x2dda (11738) matches the inode in the timeline.
0000090: 0000 0000 0000 0000 0000 0000 0000 4649 ..............FI
00000a0: 4c45 3000 0300 dcdc 6905 0000 0000 0300 LE0.....i.......
00000b0: 0100 3800 0100 8001 0000 0004 0000 0000 ..8.............
00000c0: 0000 0000 0000 0300 0000 da2d 0000 0400 ...........-....
00000d0: 0000 0000 0000 1000 0000 6000 0000 0000 ..........`.....
00000e0: 0000 0000 0000 4800 0000 1800 0000 4b81 ......H.......K.
00000f0: d144 3ecc cd01 aee3 d344 3ecc cd01 aee3 .D>......D>.....
0000100: d344 3ecc cd01 aee3 d344 3ecc cd01 2000 .D>......D>... .
0000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000120: 0000 1301 0000 0000 0000 0000 0000 0000 ................
0000130: 0000 0000 0000 3000 0000 7000 0000 0000 ......0...p.....
0000140: 0000 0000 0200 5800 0000 1800 0100 841d ......X.........
0000150: 0000 0000 0200 4b81 d144 3ecc cd01 4b81 ......K..D>...K.
0000160: d144 3ecc cd01 4b81 d144 3ecc cd01 4b81 .D>...K..D>...K.
0000170: d144 3ecc cd01 0000 0000 0000 0000 0000 .D>.............
0000180: 0000 0000 0000 2000 0000 0000 0000 0b03 ...... .........
0000190: 7300 7900 7300 7400 6500 6d00 3500 2e00 s.y.s.t.e.m.5...
00001a0: 6200 6100 7400 8000 0000 7000 0000 0000 b.a.t.....p.....
00001b0: 1800 0000 0100 5800 0000 1800 0000 4065 ......X.......@e
00001c0: 6368 6f20 6f66 660d 0a63 6f70 7920 633a cho off..copy c:
00001d0: 5c77 696e 646f 7773 5c77 6562 7569 5c77 \windows\webui\w
00001e0: 632e 6578 6520 633a 5c77 696e 646f 7773 c.exe c:\windows
00001f0: 5c73 7973 7465 6d33 320d 0a61 7420 3139 \system32..at 19
0000200: 3a33 3020 7763 2e65 7865 202d 6520 2d6f :30 wc.exe -e -o
0000210: 2068 2e6f 7574 ffff ffff 8279 4711 0000 h.out.....yG...
The MFT entry for h.out, showing the captured hashes. The 268-byte wce output is likewise resident in the $DATA attribute: the callb and sysbackup NT hashes match the ones dumped earlier, and the middle line is the ENG-USTXHOU-148$ machine account.
0000310: 4649 4c45 3000 0300 e216 6a05 0000 0000 FILE0.....j.....
0000320: 0400 0100 3800 0100 3002 0000 0004 0000 ....8...0.......
0000330: 0000 0000 0000 0000 0300 0000 de2d 0000 .............-..
0000340: 0500 0000 0000 0000 1000 0000 6000 0000 ............`...
0000350: 0000 0000 0000 0000 4800 0000 1800 0000 ........H.......
0000360: b25c afb7 3ecc cd01 b25c afb7 3ecc cd01 .\..>....\..>...
0000370: b25c afb7 3ecc cd01 b25c afb7 3ecc cd01 .\..>....\..>...
0000380: 2000 0000 0000 0000 0000 0000 0000 0000 ...............
0000390: 0000 0000 c806 0000 0000 0000 0000 0000 ................
00003a0: 0000 0000 0000 0000 3000 0000 6800 0000 ........0...h...
00003b0: 0000 0000 0000 0200 4c00 0000 1800 0100 ........L.......
00003c0: 1d00 0000 0000 0100 b25c afb7 3ecc cd01 .........\..>...
00003d0: b25c afb7 3ecc cd01 b25c afb7 3ecc cd01 .\..>....\..>...
00003e0: b25c afb7 3ecc cd01 0000 0000 0000 0000 .\..>...........
00003f0: 0000 0000 0000 0000 2000 0000 0000 0000 ........ .......
0000400: 0503 6800 2e00 6f00 7500 7400 0000 0000 ..h...o.u.t.....
0000410: 8000 0000 2801 0000 0000 1800 0000 0100 ....(...........
0000420: 0c01 0000 1800 0000 6361 6c6c 623a 5045 ........callb:PE
0000430: 5452 4f2d 4d41 524b 4554 3a31 3135 4232 TRO-MARKET:115B2
0000440: 3433 3232 4331 3139 3038 4338 3531 3430 4322C11908C85140
0000450: 4635 4433 3342 3632 3332 463a 3430 4431 F5D33B6232F:40D1
0000460: 4432 3332 4435 4637 3331 4541 3936 3639 D232D5F731EA9669
0000470: 3133 4541 3435 3841 3136 4537 0d0a 454e 13EA458A16E7..EN
0000480: 472d 5553 5458 484f 552d 3134 3824 3a50 G-USTXHOU-148$:P
0000490: 4554 524f 2d4d 4152 4b45 543a 3030 3030 ETRO-MARKET:0000
00004a0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00004b0: 3030 3030 3030 3030 3030 3030 3a44 3637 000000000000:D67
00004c0: 3137 4631 4535 3235 3246 4138 3745 4434 17F1E5252FA87ED4
00004d0: 3041 4638 4334 3644 3842 3145 320d 0a73 0AF8C46D8B1E2..s
00004e0: 7973 6261 636b 7570 3a63 7572 7265 6e74 ysbackup:current
00004f0: 3a43 3241 3339 3135 4446 3245 4337 3945 :C2A3915DF2EC79E
0000500: 4537 3331 3038 4542 3438 3037 3341 4342 E73108EB48073ACB
0000510: 373a 4537 4136 4632 3730 4631 4241 3536 7:E7A6F270F1BA56
0000520: 3241 3930 4532 4331 3333 4139 3544 3230 2A90E2C133A95D20
0000530: 3537 0d0a 0000 0000 ffff ffff 8279 4711 57...........yG.
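The two MFT records above are small enough to read by hand, but a record carved from memory is normally handled by a script. The following is an added example (not the original author's code and not a Volatility plugin) that rebuilds the bytes from the xxd dump of the system5.bat entry, walks its attributes, decodes the FILETIME stamps and extracts the resident $DATA; the h.out entry parses the same way. The dump is copied verbatim from above, the NTFS layout constants are standard, and the function names are this example's own.

```python
"""Parse an NTFS MFT FILE record from an xxd-style hex dump.

Added example for this writeup, not the original author's code and not a
Volatility plugin. The dump below is copied verbatim from the system5.bat
MFT entry shown above; NTFS layout constants are standard, function names
are this script's own.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

SYSTEM5_BAT_DUMP = r"""
0000090: 0000 0000 0000 0000 0000 0000 0000 4649 ..............FI
00000a0: 4c45 3000 0300 dcdc 6905 0000 0000 0300 LE0.....i.......
00000b0: 0100 3800 0100 8001 0000 0004 0000 0000 ..8.............
00000c0: 0000 0000 0000 0300 0000 da2d 0000 0400 ...........-....
00000d0: 0000 0000 0000 1000 0000 6000 0000 0000 ..........`.....
00000e0: 0000 0000 0000 4800 0000 1800 0000 4b81 ......H.......K.
00000f0: d144 3ecc cd01 aee3 d344 3ecc cd01 aee3 .D>......D>.....
0000100: d344 3ecc cd01 aee3 d344 3ecc cd01 2000 .D>......D>... .
0000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000120: 0000 1301 0000 0000 0000 0000 0000 0000 ................
0000130: 0000 0000 0000 3000 0000 7000 0000 0000 ......0...p.....
0000140: 0000 0000 0200 5800 0000 1800 0100 841d ......X.........
0000150: 0000 0000 0200 4b81 d144 3ecc cd01 4b81 ......K..D>...K.
0000160: d144 3ecc cd01 4b81 d144 3ecc cd01 4b81 .D>...K..D>...K.
0000170: d144 3ecc cd01 0000 0000 0000 0000 0000 .D>.............
0000180: 0000 0000 0000 2000 0000 0000 0000 0b03 ...... .........
0000190: 7300 7900 7300 7400 6500 6d00 3500 2e00 s.y.s.t.e.m.5...
00001a0: 6200 6100 7400 8000 0000 7000 0000 0000 b.a.t.....p.....
00001b0: 1800 0000 0100 5800 0000 1800 0000 4065 ......X.......@e
00001c0: 6368 6f20 6f66 660d 0a63 6f70 7920 633a cho off..copy c:
00001d0: 5c77 696e 646f 7773 5c77 6562 7569 5c77 \windows\webui\w
00001e0: 632e 6578 6520 633a 5c77 696e 646f 7773 c.exe c:\windows
00001f0: 5c73 7973 7465 6d33 320d 0a61 7420 3139 \system32..at 19
0000200: 3a33 3020 7763 2e65 7865 202d 6520 2d6f :30 wc.exe -e -o
0000210: 2068 2e6f 7574 ffff ffff 8279 4711 0000 h.out.....yG...
"""

ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_DATA = 0x10, 0x30, 0x80
END_OF_ATTRIBUTES = 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XXD_LINE = re.compile(r"^\s*[0-9a-f]+:\s+((?:[0-9a-f]{4}\s+){7}[0-9a-f]{4})", re.I)


def xxd_to_bytes(dump):
    """Rebuild raw bytes from the eight hex words of each xxd line (ASCII column ignored)."""
    out = bytearray()
    for line in dump.strip().splitlines():
        m = XXD_LINE.match(line)
        if not m:
            raise ValueError("not an xxd line: %r" % line)
        out += bytes.fromhex(re.sub(r"\s", "", m.group(1)))
    return bytes(out)


def filetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def apply_fixups(rec):
    """Restore the real last two bytes of each 512-byte sector. A record carved from memory
    may already be fixed up (this one is) and a truncated dump may not reach the sector
    end, so only a sector still holding the update sequence number is patched."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * 512 - 2
        if end + 2 > len(rec):
            break
        if rec[end:end + 2] == usn:
            rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec


def parse_mft_record(buf):
    """Header fields plus $STANDARD_INFORMATION times, $FILE_NAME and the resident $DATA."""
    start = buf.find(b"FILE")
    if start < 0:
        raise ValueError("no FILE signature in buffer")
    rec = apply_fixups(bytearray(buf[start:]))
    first_attr, flags, used = struct.unpack_from("<HHI", rec, 0x14)
    info = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0],
            "sequence": struct.unpack_from("<H", rec, 0x10)[0],
            "in_use": bool(flags & 1), "used_size": used,
            "times": {}, "name": None, "parent_record": None, "data": None}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_OF_ATTRIBUTES or alen == 0:
            break
        non_resident, name_len = rec[off + 8], rec[off + 9]
        if not non_resident:
            vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
            value = rec[off + voff:off + voff + vlen]
            if atype == ATTR_STANDARD_INFORMATION:
                c, m, mc, a = struct.unpack_from("<4Q", value, 0)
                info["times"] = {"created": filetime(c), "modified": filetime(m),
                                 "mft_changed": filetime(mc), "accessed": filetime(a)}
            elif atype == ATTR_FILE_NAME:
                # 48-bit record number of the parent directory, then the UTF-16 name at 0x42
                info["parent_record"] = struct.unpack_from("<Q", value, 0)[0] & 0xFFFFFFFFFFFF
                info["name"] = value[0x42:0x42 + 2 * value[0x40]].decode("utf-16-le")
            elif atype == ATTR_DATA and name_len == 0:  # the unnamed stream is the file body
                info["data"] = bytes(value)
        off += alen
    return info


if __name__ == "__main__":
    rec = parse_mft_record(xxd_to_bytes(SYSTEM5_BAT_DUMP))
    print(rec["record_number"], rec["name"], "parent", rec["parent_record"], rec["times"]["created"])
    print(rec["data"].decode("latin-1"))
```

Run against the dump above, the parser returns record 11738, name system5.bat, parent record 7556 (the webui directory), a creation time of 2012-11-27 01:26:47 UTC that matches the timeline's birth entry, and the 88-byte batch file as its resident data.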
This is great! I'm following along in the Art of Memory Forensics book and this really helps. Thank you!