Wednesday, December 5, 2012

dfir-challenge-FLD-SARIYADH-43

Timeline


The user downloads and executes the dropper, as shown by the creation of its prefetch file. The backdoor (6to4ex.dll) is placed on the machine.

Tue Nov 27 2012 00:17:58   100895 .ac. r/rr-xr-xr-x 0        0        12010-128-4 c:/WINDOWS/system32/6to4ex.dll
                            22270 macb r/rrwxrwxrwx 0        0        12011-128-4 c:/WINDOWS/Prefetch/SYMANTEC-1.43-1[2].EXE-330FB7E3.pf

Tool drop directory is created

Tue Nov 27 2012 00:18:31       56 ...b d/drwxrwxrwx 0        0        7555-144-5 c:/WINDOWS/webui

Tools are placed on the system

Tue Nov 27 2012 00:20:06   381816 macb r/rrwxrwxrwx 0        0        12000-128-3 c:/WINDOWS/ps.exe
Tue Nov 27 2012 00:20:33   303104 macb r/rrwxrwxrwx 0        0        12005-128-3 c:/WINDOWS/webui/gs.exe
Tue Nov 27 2012 00:20:36   381816 ...b r/rrwxrwxrwx 0        0        12012-128-3 c:/WINDOWS/webui/ps.exe
Tue Nov 27 2012 00:20:37   381816 m.c. r/rrwxrwxrwx 0        0        12012-128-3 c:/WINDOWS/webui/ps.exe
Tue Nov 27 2012 00:20:39   403968 ...b r/rrwxrwxrwx 0        0        12013-128-3 c:/WINDOWS/webui/ra.exe
Tue Nov 27 2012 00:20:40   403968 mac. r/rrwxrwxrwx 0        0        12013-128-3 c:/WINDOWS/webui/ra.exe
Tue Nov 27 2012 00:20:42    20480 macb r/rrwxrwxrwx 0        0        12014-128-3 c:/WINDOWS/webui/sl.exe
Tue Nov 27 2012 00:20:46   208384 m.cb r/rrwxrwxrwx 0        0        12015-128-3 c:/WINDOWS/webui/wc.exe
                           208384 m... r/rrwxrwxrwx 0        0        12031-128-3 c:/WINDOWS/system32/wc.exe

ipconfig is run, and netuse.dll is created at the same time

Tue Nov 27 2012 00:21:12    10454 ...b r/rrwxrwxrwx 0        0        12016-128-3 c:/WINDOWS/webui/netuse.dll
                            55808 .a.. r/rrwxrwxrwx 0        0        24195-128-3 c:/WINDOWS/system32/ipconfig.exe

net commands, scanline (sl.exe) and gsecdump (gs.exe) are all run; netuse.dll is modified

Tue Nov 27 2012 00:21:26    14550 ...b r/rrwxrwxrwx 0        0        12018-128-4 c:/WINDOWS/Prefetch/NET.EXE-01A53C2F.pf
Tue Nov 27 2012 00:21:41    14116 ...b r/rrwxrwxrwx 0        0        12019-128-4 c:/WINDOWS/Prefetch/NET1.EXE-029B9DB4.pf
Tue Nov 27 2012 00:23:09     6768 macb r/rrwxrwxrwx 0        0        12020-128-4 c:/WINDOWS/Prefetch/SL.EXE-010E2A23.pf
Tue Nov 27 2012 00:23:35    10454 mac. r/rrwxrwxrwx 0        0        12016-128-3 c:/WINDOWS/webui/netuse.dll
                             9990 macb r/rrwxrwxrwx 0        0        12021-128-4 c:/WINDOWS/Prefetch/GS.EXE-3796DDD9.pf
                           415744 .a.. r/rrwxrwxrwx 0        0        23442-128-3 c:/WINDOWS/system32/samsrv.dll

wc.exe (Windows Credentials Editor) is executed

Tue Nov 27 2012 00:24:18    13084 ...b r/rrwxrwxrwx 0        0        12022-128-4 c:/WINDOWS/Prefetch/WC.EXE-21AD5E60.pf

psexec is executed

Tue Nov 27 2012 00:27:21    10330 ...b r/rrwxrwxrwx 0        0        12023-128-4 c:/WINDOWS/Prefetch/PS.EXE-3A0FA6F9.pf

system1.bat is created

Tue Nov 27 2012 00:31:39       91 ...b r/rrwxrwxrwx 0        0        12024-128-4 c:/WINDOWS/system1.bat

psexec is run a second time

Tue Nov 27 2012 00:33:32     9866 ...b r/rrwxrwxrwx 0        0        12025-128-4 c:/WINDOWS/Prefetch/PS.EXE-09745CC1.pf

system1.bat is modified

Tue Nov 27 2012 00:43:34       91 mac. r/rrwxrwxrwx 0        0        12024-128-4 c:/WINDOWS/system1.bat

system6.bat is created

Tue Nov 27 2012 00:43:45      184 macb r/rrwxrwxrwx 0        0        12026-128-1 c:/WINDOWS/system6.bat

psexec is run again

Tue Nov 27 2012 00:44:16     9866 mac. r/rrwxrwxrwx 0        0        12025-128-4 c:/WINDOWS/Prefetch/PS.EXE-09745CC1.pf

Additional bat scripts are placed on the machine

Tue Nov 27 2012 00:53:29       69 ...b r/rrwxrwxrwx 0        0        12027-128-3 c:/WINDOWS/webui/system2.bat
Tue Nov 27 2012 00:56:18       69 mac. r/rrwxrwxrwx 0        0        12027-128-3 c:/WINDOWS/webui/system2.bat
Tue Nov 27 2012 00:59:00       56 macb r/rrwxrwxrwx 0        0        12028-128-1 c:/WINDOWS/webui/system3.bat
Tue Nov 27 2012 01:04:59      131 ...b r/rrwxrwxrwx 0        0        12029-128-3 c:/WINDOWS/webui/system4.bat

system4.bat is modified

Tue Nov 27 2012 01:11:00      131 mac. r/rrwxrwxrwx 0        0        12029-128-3 c:/WINDOWS/webui/system4.bat

system5.bat appears on the machine

Tue Nov 27 2012 01:19:41       88 ...b r/rrwxrwxrwx 0        0        12030-128-3 c:/WINDOWS/webui/system5.bat
                               56 mac. d/drwxrwxrwx 0        0        7555-144-5 c:/WINDOWS/webui
Tue Nov 27 2012 01:21:07       88 mac. r/rrwxrwxrwx 0        0        12030-128-3 c:/WINDOWS/webui/system5.bat

A scheduled task is created

Tue Nov 27 2012 01:21:18   208384 .a.. r/rrwxrwxrwx 0        0        12015-128-3 c:/WINDOWS/webui/wc.exe
                           208384 ...b r/rrwxrwxrwx 0        0        12031-128-3 c:/WINDOWS/system32/wc.exe
                              322 ...b r/rrwxrwxrwx 0        0        12032-128-1 c:/WINDOWS/Tasks/At1.job
                            12960 ...b r/rrwxrwxrwx 0        0        12033-128-4 c:/WINDOWS/Prefetch/AT.EXE-2770DD18.pf
                            25088 .a.. r/rrwxrwxrwx 0        0        24481-128-3 c:/WINDOWS/system32/at.exe
                              344 m.c. d/drwxrwxrwx 0        0        5458-144-1 c:/WINDOWS/Tasks

psexec is again executed

Tue Nov 27 2012 01:22:07   381816 .a.. r/rrwxrwxrwx 0        0        12012-128-3 c:/WINDOWS/webui/ps.exe

wc.exe is run once again

Tue Nov 27 2012 01:23:23    13084 mac. r/rrwxrwxrwx 0        0        12022-128-4 c:/WINDOWS/Prefetch/WC.EXE-21AD5E60.pf

psexec is run again

Tue Nov 27 2012 01:24:20    10330 mac. r/rrwxrwxrwx 0        0        12023-128-4 c:/WINDOWS/Prefetch/PS.EXE-3A0FA6F9.pf

A net command is executed

Tue Nov 27 2012 01:27:31    14116 mac. r/rrwxrwxrwx 0        0        12019-128-4 c:/WINDOWS/Prefetch/NET1.EXE-029B9DB4.pf
                           124928 .a.. r/rrwxrwxrwx 0        0        23983-128-3 c:/WINDOWS/system32/net1.exe
                            42496 .a.. r/rrwxrwxrwx 0        0        23984-128-3 c:/WINDOWS/system32/net.exe

Scheduled task is executed

Tue Nov 27 2012 01:30:00   208384 .ac. r/rrwxrwxrwx 0        0        12031-128-3 c:/WINDOWS/system32/wc.exe
                              322 mac. r/rrwxrwxrwx 0        0        12032-128-1 c:/WINDOWS/Tasks/At1.job
                              268 macb r/rrwxrwxrwx 0        0        12034-128-1 c:/WINDOWS/system32/h.out

wce is executed as a result of the At job running

Tue Nov 27 2012 01:30:10    10720 macb r/rrwxrwxrwx 0        0        12035-128-4 c:/WINDOWS/Prefetch/WC.EXE-06BFE764.pf

Responder activity

Tue Nov 27 2012 01:42:21    95104 m... r/rrwxrwxrwx 0        0        12037-128-3 c:/Documents and Settings/amirs/mdd.exe
                            95104 m... r/rrwxrwxrwx 0        0        12038-128-3 c:/mdd.exe

Memory Analysis


Phishing email in memory

368906260 ceived: from ubuntu-router ([172.16.150.8]) by dc-ustxhou.petro-market.org with Microsoft SMTPSVC(6.0.3790.0);
 368906372       Mon, 26 Nov 2012 14:00:08 -0600
 368906407 Received: from d0793h (d0793h.petro-markets.info [58.64.132.141])
 368906474      by ubuntu-router (8.14.3/8.14.3/Debian-9.2ubuntu1) with SMTP id qAQK06Co005842;
 368906556      Mon, 26 Nov 2012 15:00:07 -0500
 368906590 Message-ID: <FCE1C36C7BBC46AFB7C2A251EA868B8B@d0793h>
 368906645 From: "Security Department" <isd@petro-markets.info>
 368906699 To: <amirs@petro-market.org>, <callb@petro-market.org>,
 368906756         <wrightd@petro-market.org>
 368906792 Subject: Immediate Action
 368906819 Date: Mon, 26 Nov 2012 14:59:38 -0500
 368906858 MIME-Version: 1.0
 368906877 Content-Type: multipart/alternative;
 368906915      boundary="----=_NextPart_000_0015_01CDCBE6.A7B92DE0"
 368906970 X-Priority: 3
 368906985 X-MSMail-Priority: Normal
 368907012 X-Mailer: Microsoft Outlook Express 6.00.2900.5512
 368907064 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
 368907122 Return-Path: isd@petro-markets.info
 368907159 X-OriginalArrivalTime: 26 Nov 2012 20:00:08.0432 (UTC) FILETIME=[A2ABBF00:01CDCC10]
 368907246 This is a multi-part message in MIME format.
 368907294 ------=_NextPart_000_0015_01CDCBE6.A7B92DE0
 368907339 Content-Type: text/plain;
 368907366      charset="iso-8859-1"
 368907389 Content-Transfer-Encoding: quoted-printable
 368907436 Attn: Immediate Action is Required!!
 368907476 The IS department is requiring that all associates update to the new =
 368907548 version of anti-virus.  This is critical and must be done ASAP!  Failure =
 368907624 to update anti-virus may result in negative actions.
 368907680 Please download the new anti-virus and follow the instructions.  Failure =
 368907756 to install this anti-virus may result in loosing your job!
 368907818 Please donwload at http://58.64.132.8/download/Symantec-1.43-1.exe
 368907888 Regards,
 368907898 The IS Department

Volatility connscan output shows the C2 connection (58.64.132.141:80 from pid 1032) as well as connections to IIS-SARIYADH-03 (172.16.223.47)

Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01fb0d48 172.16.223.187:2109       172.16.150.10:389         640
0x02023638 172.16.223.187:1265       58.64.132.141:80          1032
0x02035ae8 172.16.223.187:1259       172.16.150.10:445         4
0x02080930 172.16.223.187:1261       172.16.150.10:135         1032
0x020859d0 172.16.223.187:1210       172.16.223.47:445         4
0x020f0d38 172.16.223.187:2179       172.16.150.10:1025        696
0x0230d448 172.16.223.187:1241       172.16.150.10:389         632
0x0770fd48 172.16.223.187:2109       172.16.150.10:389         640
0x0836a638 172.16.223.187:1265       58.64.132.141:80          1032
0x084c7930 172.16.223.187:1261       172.16.150.10:135         1032
0x084ec9d0 172.16.223.187:1210       172.16.223.47:445         4
0x08594448 172.16.223.187:1241       172.16.150.10:389         632
0x09b5cae8 172.16.223.187:1259       172.16.150.10:445         4
0x0ac37d38 172.16.223.187:2179       172.16.150.10:1025        696
0x16066d48 172.16.223.187:2109       172.16.150.10:389         640
0x164d3638 172.16.223.187:1265       58.64.132.141:80          1032
0x16610930 172.16.223.187:1261       172.16.150.10:135         1032
0x16c559d0 172.16.223.187:1210       172.16.223.47:445         4
0x1869d448 172.16.223.187:1241       172.16.150.10:389         632
0x197a5ae8 172.16.223.187:1259       172.16.150.10:445         4
0x1a32ad38 172.16.223.187:2179       172.16.150.10:1025        696
0x1f209d48 172.16.223.187:2109       172.16.150.10:389         640

The Volatility pslist plugin shows the backdoor running inside svchost.exe (pid 1032). There are also cmd.exe and wce (wc.exe) processes with a PPID of 1032, and psexec (ps.exe) processes spawned from those cmd.exe shells.

Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                Exit                
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x823c8830 System                    4      0     51      287 ------      0                                          
0x82274b90 smss.exe                544      4      3       19 ------      0 2012-11-26 22:01:51                      
0x82238da0 csrss.exe               608    544     13      387      0      0 2012-11-26 22:01:52                      
0x82214da0 winlogon.exe            632    544     17      652      0      0 2012-11-26 22:01:52                      
0x822ba638 services.exe            684    632     16      256      0      0 2012-11-26 22:01:53                      
0x822ab2d8 lsass.exe               696    632     20      411      0      0 2012-11-26 22:01:53                      
0x82244460 svchost.exe             860    684     14      188      0      0 2012-11-26 22:01:54                      
0x8217cb10 svchost.exe             944    684      9      261      0      0 2012-11-26 22:01:55                      
0x8228fda0 svchost.exe            1032    684     77     1558      0      0 2012-11-26 22:01:55                      
0x821753d8 svchost.exe            1076    684      6       84      0      0 2012-11-26 22:01:55                      
0x821bac10 svchost.exe            1128    684     14      249      0      0 2012-11-26 22:01:56                      
0x821b4a78 spoolsv.exe            1360    684      9      104      0      0 2012-11-26 22:01:58                      
0x82043da0 alg.exe                1888    684      6      104      0      0 2012-11-26 22:01:59                      
0x82223950 explorer.exe            296    260      9      366      0      0 2012-11-26 22:02:26                      
0x82226a20 msmsgs.exe              660    296      3      204      0      0 2012-11-26 22:02:32                      
0x821d43c0 ctfmon.exe              700    296      1       75      0      0 2012-11-26 22:02:32                      
0x821e8918 wuauclt.exe            1616   1032      3      142      0      0 2012-11-26 22:03:07                      
0x821d6598 msimn.exe              1984    296      7      361      0      0 2012-11-26 22:07:13                      
0x82034b40 cmd.exe                 456   1032      0 --------      0      0 2012-11-27 00:18:21  2012-11-27 00:27:30 
0x8230dc88 ps.exe                 1448    456      1       44      0      0 2012-11-27 00:27:11                      
0x820297b8 cmd.exe                1048   1032      0 --------      0      0 2012-11-27 00:27:41  2012-11-27 01:22:20 
0x821f7da0 ps.exe                 1052   1048      2       60      0      0 2012-11-27 01:11:17                      
0x82228da0 cmd.exe                 356   1032      0 --------      0      0 2012-11-27 01:16:33  2012-11-27 01:22:17 
0x81ffb2a0 ps.exe                  228    356      2       65      0      0 2012-11-27 01:22:07                      
0x820001e0 wc.exe                 1992   1032      1       27      0      0 2012-11-27 01:30:00                      
0x82004918 cmd.exe                1860    296      1       33      0      0 2012-11-27 01:42:52                      
0x8221d5a8 mdd.exe                 988   1860      1       24      0      0 2012-11-27 01:46:00
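As an added example (not part of the original writeup), the correlation done by hand above, in Python: deduplicate the connscan hits, join each distinct connection to its owning process from pslist, and flag the one remote address that is not RFC 1918. The embedded tables are excerpts of the connscan and pslist output on this page; function names are my own.

```python
"""Deduplicate Volatility connscan hits and attribute them to pslist processes."""
import ipaddress
import re

# Excerpt of the connscan output on this page (not the full table).
CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02023638 172.16.223.187:1265       58.64.132.141:80          1032
0x02080930 172.16.223.187:1261       172.16.150.10:135         1032
0x020859d0 172.16.223.187:1210       172.16.223.47:445         4
0x020f0d38 172.16.223.187:2179       172.16.150.10:1025        696
0x0836a638 172.16.223.187:1265       58.64.132.141:80          1032
0x084c7930 172.16.223.187:1261       172.16.150.10:135         1032
0x164d3638 172.16.223.187:1265       58.64.132.141:80          1032
"""

# Excerpt of the pslist output on this page.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x823c8830 System                    4      0     51      287 ------      0
0x822ab2d8 lsass.exe               696    632     20      411      0      0 2012-11-26 22:01:53
0x8228fda0 svchost.exe            1032    684     77     1558      0      0 2012-11-26 22:01:55
0x820001e0 wc.exe                 1992   1032      1       27      0      0 2012-11-27 01:30:00
"""

CONN_RE = re.compile(r'^(0x[0-9a-f]+)\s+(\S+?):(\d+)\s+(\S+?):(\d+)\s+(\d+)\s*$')
PS_RE = re.compile(r'^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)')


def parse_connscan(text):
    """One dict per connscan row; header and separator lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append({'offset': int(m.group(1), 16),
                          'local': (m.group(2), int(m.group(3))),
                          'remote': (m.group(4), int(m.group(5))),
                          'pid': int(m.group(6))})
    return conns


def parse_pslist(text):
    """pid -> {'name', 'ppid'} from pslist rows."""
    procs = {}
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            procs[int(m.group(2))] = {'name': m.group(1), 'ppid': int(m.group(3))}
    return procs


def dedupe(conns):
    """connscan carves physical memory, so the same connection object can be
    reported at several offsets; collapse those into one key with all offsets."""
    uniq = {}
    for c in conns:
        uniq.setdefault((c['local'], c['remote'], c['pid']), []).append(c['offset'])
    return uniq


def attribute(connscan_text, pslist_text):
    """Distinct connections with owning process name and internal/external scope,
    external (non-private) destinations first."""
    procs = parse_pslist(pslist_text)
    rows = []
    for (local, remote, pid), offsets in dedupe(parse_connscan(connscan_text)).items():
        proc = procs.get(pid)
        rows.append({
            'local': '%s:%d' % local,
            'remote': '%s:%d' % remote,
            'pid': pid,
            'process': proc['name'] if proc else '<not in pslist>',
            'scope': 'internal' if ipaddress.ip_address(remote[0]).is_private else 'external',
            'copies': len(offsets),
        })
    rows.sort(key=lambda r: (r['scope'] != 'external', r['pid']))
    return rows


if __name__ == '__main__':
    for r in attribute(CONNSCAN, PSLIST):
        print('%-8s %-22s -> %-22s pid %-5d %-16s (%d carved copies)'
              % (r['scope'], r['local'], r['remote'], r['pid'], r['process'], r['copies']))
```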

The Volatility dlllist plugin shows the backdoor DLL loaded in pid 1032

0x10000000    0x1c000 c:\windows\system32\6to4ex.dll

Successful privilege escalation to the sysbackup user via wce (the logon session's NTLM credentials are replaced)


148200795 C:\WINDOWS\webui>
148202516 v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
148202638 Use -h for help.
148202658 Changing NTLM credentials of current logon session (000003E7h) to:
148202726 Username: sysbackup
148202747 domain: current
148202764 LMHash: c2a3915df2ec79ee73108eb48073acb7
148202806 NTHash: e7a6f270f1ba562a90e2c133a95d2057
148202848 NTLM credentials successfully changed!
148202890 C:\WINDOWS\webui>

Attempt to run system1.bat against IIS-SARIYADH-03 (it exits with error code 1)


442240521 Starting c:\windows\system1.bat on 172.16.223.47...
442240577 system1.bat exited on 172.16.223.47 with error code 1.


MFT entry for system1.bat


0000300: 4649 4c45 3000 0300 d198 5a05 0000 0000  FILE0.....Z.....
0000310: 0400 0100 3800 0100 8801 0000 0004 0000  ....8...........
0000320: 0000 0000 0000 0000 0500 0000 f82e 0000  ................
0000330: 0900 0000 0000 0000 1000 0000 6000 0000  ............`...
0000340: 0000 0000 0000 0000 4800 0000 1800 0000  ........H.......
0000350: 512b 1191 36cc cd01 16df f33a 38cc cd01  Q+..6......:8...
0000360: 16df f33a 38cc cd01 16df f33a 38cc cd01  ...:8......:8...
0000370: 2000 0000 0000 0000 0000 0000 0000 0000   ...............
0000380: 0000 0000 1301 0000 0000 0000 0000 0000  ................
0000390: 0000 0000 0000 0000 3000 0000 7000 0000  ........0...p...
00003a0: 0000 0000 0000 0200 5800 0000 1800 0100  ........X.......
00003b0: 1c00 0000 0000 0100 512b 1191 36cc cd01  ........Q+..6...
00003c0: 512b 1191 36cc cd01 512b 1191 36cc cd01  Q+..6...Q+..6...
00003d0: 512b 1191 36cc cd01 0000 0000 0000 0000  Q+..6...........
00003e0: 0000 0000 0000 0000 2000 0000 0000 0000  ........ .......
00003f0: 0b03 7300 7900 7300 7400 6500 6d00 3100  ..s.y.s.t.e.m.1.
0000400: 2e00 6200 6100 7400 8000 0000 7800 0000  ..b.a.t.....x...
0000410: 0000 1800 0000 0400 5b00 0000 1800 0000  ........[.......
0000420: 4065 6368 6f20 6f66 660d 0a6d 6b64 6972  @echo off..mkdir
0000430: 2063 3a5c 7769 6e64 6f77 735c 7765 6275   c:\windows\webu
0000440: 690d 0a6e 6574 2073 6861 7265 207a 3d63  i..net share z=c
0000450: 3a5c 7769 6e64 6f77 735c 7765 6275 6920  :\windows\webui 
0000460: 2f47 5241 4e54 3a73 7973 6261 636b 7570  /GRANT:sysbackup
0000470: 2c46 554c 4c0d 0a0d 0a0d 0a6e 6669 6720  ,FULL......nfig 
0000480: ffff ffff 8279 4711 633a 5c77 696e 646f  .....yG.c:\windo
0000490: 7773 5c77 6562 7569 5c73 7973 7465 6d2e  ws\webui\system.
00004a0: 646c 6c0d 0a6e 6574 2073 6861 7265 203e  dll..net share >
00004b0: 3e20 633a 5c77 696e 646f 7773 5c77 6562  > c:\windows\web
00004c0: 7569 5c73 7973 7465 6d2e 646c 6c0d 0a6e  ui\system.dll..n
00004d0: 6574 2073 7461 7274 203e 3e20 633a 5c77  et start >> c:\w
00004e0: 696e 646f 7773 5c77 6562 7569 5c73 7973  indows\webui\sys
00004f0: 7465 6d2e 646c 6c0d 0a6e 6574 2076 6965  tem.dll..net vie
0000500: 7720 3e3e 2063 3a5c 7769 6e64 6f77 735c  w >> c:\windows\
0000510: 7765 6275 695c 7379 7374 656d 2e64 6c6c  webui\system.dll
0000520: 0d0a 0d0a 0000 0000 ffff ffff 8279 4711  .............yG.

system2.bat is executed against IIS-SARIYADH-03 via psexec

\WINDOWS\System32\svchost.exe - ps \\172.16.223.47 -accepteula -c c:\windows\system2.bat

MFT entry for system2.bat


0000340: 0000 0000 0000 0000 4649 4c45 3000 0300  ........FILE0...
0000350: 5632 5b05 0000 0000 0300 0100 3800 0100  V2[.........8...
0000360: 7001 0000 0004 0000 0000 0000 0000 0000  p...............
0000370: 0400 0000 fb2e 0000 0300 0000 0000 0000  ................
0000380: 1000 0000 6000 0000 0000 0000 0000 0000  ....`...........
0000390: 4800 0000 1800 0000 9016 789d 39cc cd01  H.........x.9...
00003a0: 98f9 4b02 3acc cd01 98f9 4b02 3acc cd01  ..K.:.....K.:...
00003b0: 98f9 4b02 3acc cd01 2000 0000 0000 0000  ..K.:... .......
00003c0: 0000 0000 0000 0000 0000 0000 1301 0000  ................
00003d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00003e0: 3000 0000 7000 0000 0000 0000 0000 0200  0...p...........
00003f0: 5800 0000 1800 0100 831d 0000 0000 0200  X...............
0000400: 9016 789d 39cc cd01 9016 789d 39cc cd01  ..x.9.....x.9...
0000410: 9016 789d 39cc cd01 9016 789d 39cc cd01  ..x.9.....x.9...
0000420: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000430: 2000 0000 0000 0000 0b03 7300 7900 7300   .........s.y.s.
0000440: 7400 6500 6d00 3200 2e00 6200 6100 7400  t.e.m.2...b.a.t.
0000450: 8000 0000 6000 0000 0000 1800 0000 0300  ....`...........
0000460: 4500 0000 1800 0000 4065 6368 6f20 6f66  E.......@echo of
0000470: 660d 0a63 3a5c 7769 6e64 6f77 735c 7765  f..c:\windows\we
0000480: 6275 695c 6773 2e65 7865 202d 6120 3e3e  bui\gs.exe -a >>
0000490: 2063 3a5c 7769 6e64 6f77 735c 7765 6275   c:\windows\webu
00004a0: 695c 7376 6368 6f73 742e 646c 6c73 742e  i\svchost.dllst.
00004b0: ffff ffff 8279 4711 ffff ffff 8279 4711  .....yG

MFT entry for system3.bat


0000380: 0000 0000 0000 0000 4649 4c45 3000 0300  ........FILE0...
0000390: 6356 5b05 0000 0000 0300 0100 3800 0100  cV[.........8...
00003a0: 6001 0000 0004 0000 0000 0000 0000 0000  `...............
00003b0: 0300 0000 fc2e 0000 0800 0000 0000 0000  ................
00003c0: 1000 0000 6000 0000 0000 0000 0000 0000  ....`...........
00003d0: 4800 0000 1800 0000 6783 2063 3acc cd01  H.......g. c:...
00003e0: c2e5 2263 3acc cd01 c2e5 2263 3acc cd01  .."c:....."c:...
00003f0: c2e5 2263 3acc cd01 2000 0000 0000 0000  .."c:... .......
0000400: 0000 0000 0000 0000 0000 0000 1301 0000  ................
0000410: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000420: 3000 0000 7000 0000 0000 0000 0000 0200  0...p...........
0000430: 5800 0000 1800 0100 831d 0000 0000 0200  X...............
0000440: 6783 2063 3acc cd01 6783 2063 3acc cd01  g. c:...g. c:...
0000450: 6783 2063 3acc cd01 6783 2063 3acc cd01  g. c:...g. c:...
0000460: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000470: 2000 0000 0000 0000 0b03 7300 7900 7300   .........s.y.s.
0000480: 7400 6500 6d00 3300 2e00 6200 6100 7400  t.e.m.3...b.a.t.
0000490: 8000 0000 5000 0000 0000 1800 0000 0100  ....P...........
00004a0: 3800 0000 1800 0000 4065 6368 6f20 6f66  8.......@echo of
00004b0: 6620 0d0a 6469 7220 2f53 2043 3a5c 2a2e  f ..dir /S C:\*.
00004c0: 6477 6720 3e20 633a 5c77 696e 646f 7773  dwg > c:\windows
00004d0: 5c77 6562 7569 5c68 7474 7073 2e64 6c6c  \webui\https.dll
00004e0: ffff ffff 8279 4711 0000 0000 0000 0000  .....yG.
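As an added example (not part of the original writeup), a Python parser for the xxd-style MFT record dumps shown on this page: it rebuilds the bytes, finds the FILE record, walks its resident attributes and recovers the $STANDARD_INFORMATION timestamps, the $FILE_NAME name and parent record, and the resident $DATA content (the script body), which is what was read off these dumps by eye. The embedded input is the system3.bat record dump above, copied from this page; the function and variable names are mine.

```python
"""Parse a carved NTFS FILE record from an xxd-style hex dump."""
import struct
from datetime import datetime, timedelta, timezone

# The system3.bat MFT record as dumped on this page. Offsets are those of the
# carved file, so the record does not begin at byte 0 of the dump.
SYSTEM3_DUMP = r"""
0000380: 0000 0000 0000 0000 4649 4c45 3000 0300  ........FILE0...
0000390: 6356 5b05 0000 0000 0300 0100 3800 0100  cV[.........8...
00003a0: 6001 0000 0004 0000 0000 0000 0000 0000  `...............
00003b0: 0300 0000 fc2e 0000 0800 0000 0000 0000  ................
00003c0: 1000 0000 6000 0000 0000 0000 0000 0000  ....`...........
00003d0: 4800 0000 1800 0000 6783 2063 3acc cd01  H.......g. c:...
00003e0: c2e5 2263 3acc cd01 c2e5 2263 3acc cd01  .."c:....."c:...
00003f0: c2e5 2263 3acc cd01 2000 0000 0000 0000  .."c:... .......
0000400: 0000 0000 0000 0000 0000 0000 1301 0000  ................
0000410: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000420: 3000 0000 7000 0000 0000 0000 0000 0200  0...p...........
0000430: 5800 0000 1800 0100 831d 0000 0000 0200  X...............
0000440: 6783 2063 3acc cd01 6783 2063 3acc cd01  g. c:...g. c:...
0000450: 6783 2063 3acc cd01 6783 2063 3acc cd01  g. c:...g. c:...
0000460: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000470: 2000 0000 0000 0000 0b03 7300 7900 7300   .........s.y.s.
0000480: 7400 6500 6d00 3300 2e00 6200 6100 7400  t.e.m.3...b.a.t.
0000490: 8000 0000 5000 0000 0000 1800 0000 0100  ....P...........
00004a0: 3800 0000 1800 0000 4065 6368 6f20 6f66  8.......@echo of
00004b0: 6620 0d0a 6469 7220 2f53 2043 3a5c 2a2e  f ..dir /S C:\*.
00004c0: 6477 6720 3e20 633a 5c77 696e 646f 7773  dwg > c:\windows
00004d0: 5c77 6562 7569 5c68 7474 7073 2e64 6c6c  \webui\https.dll
00004e0: ffff ffff 8279 4711 0000 0000 0000 0000  .....yG.
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def xxd_to_bytes(dump):
    """Rebuild raw bytes from xxd output; only the 39-char hex field after the
    offset is used, so the ASCII column can never be mistaken for data."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, rest = line.partition(':')
        out += bytes.fromhex(''.join(rest[1:40].split()))
    return bytes(out)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def apply_fixups(rec):
    """Undo the update-sequence fixups for every complete 512-byte sector.
    A truncated dump like the page's contains no complete sector, so this
    is a no-op there, but a full 1024-byte record needs it before parsing."""
    usa_off, usa_count = struct.unpack_from('<HH', rec, 4)
    usn = rec[usa_off:usa_off + 2]
    rec = bytearray(rec)
    for i in range(1, usa_count):
        end = 512 * i
        if end > len(rec):
            break
        if rec[end - 2:end] != usn:
            raise ValueError('fixup mismatch in sector %d' % i)
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_mft_record(rec):
    """Walk the resident attributes of one FILE record."""
    if rec[:4] != b'FILE':
        raise ValueError('not a FILE record')
    rec = apply_fixups(rec)
    first_attr, flags = struct.unpack_from('<HH', rec, 0x14)
    info = {'record_number': struct.unpack_from('<I', rec, 0x2c)[0],
            'in_use': bool(flags & 1), 'is_directory': bool(flags & 2)}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from('<II', rec, off)
        if atype == 0xFFFFFFFF or alen < 0x18:
            break  # end-of-attributes marker (or corrupt length)
        if rec[off + 8] == 0:  # resident attribute: content follows the header
            csize, coff = struct.unpack_from('<IH', rec, off + 0x10)
            content = rec[off + coff:off + coff + csize]
            if atype == 0x10:  # $STANDARD_INFORMATION: four FILETIMEs
                for key, ft in zip(('created', 'modified', 'mft_modified', 'accessed'),
                                   struct.unpack_from('<4Q', content, 0)):
                    info[key] = filetime_to_datetime(ft)
            elif atype == 0x30:  # $FILE_NAME: parent ref, times, sizes, name
                parent_ref = struct.unpack_from('<Q', content, 0)[0]
                info['parent_record'] = parent_ref & 0xFFFFFFFFFFFF  # low 48 bits
                name_len = content[0x40]
                info['name'] = content[0x42:0x42 + 2 * name_len].decode('utf-16-le')
            elif atype == 0x80 and rec[off + 9] == 0:  # unnamed resident $DATA
                info['resident_data'] = content
        off += alen
    return info


def parse_dump(dump):
    """Locate the FILE record inside a carved-file dump and parse it."""
    raw = xxd_to_bytes(dump)
    start = raw.find(b'FILE0')
    if start < 0:
        raise ValueError('no FILE record in dump')
    return parse_mft_record(raw[start:])


if __name__ == '__main__':
    rec = parse_dump(SYSTEM3_DUMP)
    print('MFT record %d: %s (parent record %d)'
          % (rec['record_number'], rec['name'], rec['parent_record']))
    for key in ('created', 'modified', 'mft_modified', 'accessed'):
        print('  %-13s %s' % (key, rec[key].strftime('%Y-%m-%d %H:%M:%S UTC')))
    print('  data:', rec['resident_data'].decode('latin-1').replace('\r\n', ' | '))
```

The record number (12028) and parent record (7555, c:/WINDOWS/webui) match the inode column of the timeline above, and the $STANDARD_INFORMATION creation time matches the 00:59:00 "macb" entry for system3.bat.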

system4.bat is executed against IIS-SARIYADH-03 via psexec

480667072 ps \\172.16.223.47 -accepteula -c c:\windows\webui\system4.bat

MFT entry for system4.bat


00003a0: 4649 4c45 3000 0300 afd8 5b05 0000 0000  FILE0.....[.....
00003b0: 0300 0100 3800 0100 b001 0000 0004 0000  ....8...........
00003c0: 0000 0000 0000 0000 0400 0000 fd2e 0000  ................
00003d0: 0700 0000 0000 0000 1000 0000 6000 0000  ............`...
00003e0: 0000 0000 0000 0000 4800 0000 1800 0000  ........H.......
00003f0: 655b c338 3bcc cd01 7011 e20f 3ccc cd01  e[.8;...p...<...
0000400: 7011 e20f 3ccc cd01 7011 e20f 3ccc cd01  p...<...p...<...
0000410: 2000 0000 0000 0000 0000 0000 0000 0000   ...............
0000420: 0000 0000 1301 0000 0000 0000 0000 0000  ................
0000430: 0000 0000 0000 0000 3000 0000 7000 0000  ........0...p...
0000440: 0000 0000 0000 0200 5800 0000 1800 0100  ........X.......
0000450: 831d 0000 0000 0200 655b c338 3bcc cd01  ........e[.8;...
0000460: 655b c338 3bcc cd01 655b c338 3bcc cd01  e[.8;...e[.8;...
0000470: 655b c338 3bcc cd01 0000 0000 0000 0000  e[.8;...........
0000480: 0000 0000 0000 0000 2000 0000 0000 0000  ........ .......
0000490: 0b03 7300 7900 7300 7400 6500 6d00 3400  ..s.y.s.t.e.m.4.
00004a0: 2e00 6200 6100 7400 8000 0000 a000 0000  ..b.a.t.........
00004b0: 0000 1800 0000 0300 8300 0000 1800 0000  ................
00004c0: 4065 6368 6f20 6f66 6620 0d0a 633a 5c77  @echo off ..c:\w
00004d0: 696e 646f 7773 5c77 6562 7569 5c72 612e  indows\webui\ra.
00004e0: 6578 6520 6120 2d68 7068 636c 6c6c 7364  exe a -hphclllsd
00004f0: 646c 7364 6964 646b 6c6c 6a68 202d 7220  dlsdiddklljh -r 
0000500: 633a 5c77 696e 646f 7773 5c77 6562 7569  c:\windows\webui
0000510: 5c6e 6574 7374 6174 2e64 6c6c 2022 433a  \netstat.dll "C:
0000520: 5c45 6e67 696e 6565 7269 6e67 5c44 6573  \Engineering\Des
0000530: 6967 6e73 5c50 756d 7073 2220 2d78 2a2e  igns\Pumps" -x*.
0000540: 646c 6cff 8279 4711 ffff ffff 8279 4711  dll..yG.

At1.job executes wc.exe

70379040 "At1.job" (wc.exe)
70379080      Started 11/27/2012 4:30:00 AM

system5.bat is executed against IIS-SARIYADH-03 via psexec

426451324 \WINDOWS\System32\svchost.exe - ps \\172.16.223.47 -accepteula -c c:\windows\webui\system5.bat

MFT entry for system5.bat


00002f0: 0000 0000 0000 4649 4c45 3000 0300 3d66  ......FILE0...=f
0000300: 5c05 0000 0000 0400 0100 3800 0100 8001  \.........8.....
0000310: 0000 0004 0000 0000 0000 0000 0000 0400  ................
0000320: 0000 fe2e 0000 0400 0000 0000 0000 1000  ................
0000330: 0000 6000 0000 0000 0000 0000 0000 4800  ..`...........H.
0000340: 0000 1800 0000 e589 9246 3dcc cd01 4288  .........F=...B.
0000350: ce79 3dcc cd01 4288 ce79 3dcc cd01 4288  .y=...B..y=...B.
0000360: ce79 3dcc cd01 2000 0000 0000 0000 0000  .y=... .........
0000370: 0000 0000 0000 0000 0000 1301 0000 0000  ................
0000380: 0000 0000 0000 0000 0000 0000 0000 3000  ..............0.
0000390: 0000 7000 0000 0000 0000 0000 0200 5800  ..p...........X.
00003a0: 0000 1800 0100 831d 0000 0000 0200 e589  ................
00003b0: 9246 3dcc cd01 e589 9246 3dcc cd01 e589  .F=......F=.....
00003c0: 9246 3dcc cd01 e589 9246 3dcc cd01 0000  .F=......F=.....
00003d0: 0000 0000 0000 0000 0000 0000 0000 2000  .............. .
00003e0: 0000 0000 0000 0b03 7300 7900 7300 7400  ........s.y.s.t.
00003f0: 6500 6d00 3500 2e00 6200 6100 7400 8000  e.m.5...b.a.t...
0000400: 0000 7000 0000 0000 1800 0000 0300 5800  ..p...........X.
0000410: 0000 1800 0000 4065 6368 6f20 6f66 660d  ......@echo off.
0000420: 0a63 6f70 7920 633a 5c77 696e 646f 7773  .copy c:\windows
0000430: 5c77 6562 7569 5c77 632e 6578 6520 633a  \webui\wc.exe c:
0000440: 5c77 696e 646f 7773 5c73 7973 7465 6d33  \windows\system3
0000450: 320d 0a61 7420 3034 3a33 3020 7763 2e65  2..at 04:30 wc.e
0000460: 7865 202d 6520 2d6f 2068 2e6f 7574 ffff  xe -e -o h.out..
0000470: ffff 8279 4711 0000 0000 0000 0000 0000  ...yG

MFT entry for h.out


0000260: 4649 4c45 3000 0300 e654 5d05 0000 0000  FILE0....T].....
0000270: 0500 0100 3800 0100 3002 0000 0004 0000  ....8...0.......
0000280: 0000 0000 0000 0000 0300 0000 022f 0000  ............./..
0000290: 0500 0000 0000 0000 1000 0000 6000 0000  ............`...
00002a0: 0000 0000 0000 0000 4800 0000 1800 0000  ........H.......
00002b0: 6168 88b7 3ecc cd01 6168 88b7 3ecc cd01  ah..>...ah..>...
00002c0: 6168 88b7 3ecc cd01 6168 88b7 3ecc cd01  ah..>...ah..>...
00002d0: 2000 0000 0000 0000 0000 0000 0000 0000   ...............
00002e0: 0000 0000 c806 0000 0000 0000 0000 0000  ................
00002f0: 0000 0000 0000 0000 3000 0000 6800 0000  ........0...h...
0000300: 0000 0000 0000 0200 4c00 0000 1800 0100  ........L.......
0000310: 1d00 0000 0000 0100 6168 88b7 3ecc cd01  ........ah..>...
0000320: 6168 88b7 3ecc cd01 6168 88b7 3ecc cd01  ah..>...ah..>...
0000330: 6168 88b7 3ecc cd01 0000 0000 0000 0000  ah..>...........
0000340: 0000 0000 0000 0000 2000 0000 0000 0000  ........ .......
0000350: 0503 6800 2e00 6f00 7500 7400 0000 0000  ..h...o.u.t.....
0000360: 8000 0000 2801 0000 0000 1800 0000 0100  ....(...........
0000370: 0c01 0000 1800 0000 616d 6972 733a 5045  ........amirs:PE
0000380: 5452 4f2d 4d41 524b 4554 3a46 3243 3645  TRO-MARKET:F2C6E
0000390: 4644 3337 4231 3034 4344 3731 4439 3141  FD37B104CD71D91A
00003a0: 3038 3144 3442 3337 3836 313a 3734 3444  081D4B37861:744D
00003b0: 3041 3632 3737 3737 3642 3436 4634 4242  0A6277776B46F4BB
00003c0: 3744 3044 3732 3343 3545 4444 0d0a 464c  7D0D723C5EDD..FL
00003d0: 442d 5341 5249 5941 4448 2d34 3324 3a50  D-SARIYADH-43$:P
00003e0: 4554 524f 2d4d 4152 4b45 543a 3030 3030  ETRO-MARKET:0000
00003f0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
0000400: 3030 3030 3030 3030 3030 3030 3a44 3332  000000000000:D32
0000410: 3341 3043 4243 3532 3037 3330 4237 3446  3A0CBC520730B74F
0000420: 4331 3839 3544 3533 3346 4534 330d 0a73  C1895D533FE43..s
0000430: 7973 6261 636b 7570 3a63 7572 7265 6e74  ysbackup:current
0000440: 3a43 3241 3339 3135 4446 3245 4337 3945  :C2A3915DF2EC79E
0000450: 4537 3331 3038 4542 3438 3037 3341 4342  E73108EB48073ACB
0000460: 373a 4537 4136 4632 3730 4631 4241 3536  7:E7A6F270F1BA56
0000470: 3241 3930 4532 4331 3333 4139 3544 3230  2A90E2C133A95D20
0000480: 3537 0d0a 0000 0000 ffff ffff 8279 4711  57...........yG.


MFT entry for system6.bat


00002f0: 0000 0000 0000 4649 4c45 3000 0300 09a3  ......FILE0.....
0000300: 5a05 0000 0000 0300 0100 3800 0100 e001  Z.........8.....
0000310: 0000 0004 0000 0000 0000 0000 0000 0300  ................
0000320: 0000 fa2e 0000 0500 0000 0000 0000 1000  ................
0000330: 0000 6000 0000 0000 0000 0000 0000 4800  ..`...........H.
0000340: 0000 1800 0000 add9 9741 38cc cd01 add9  .........A8.....
0000350: 9741 38cc cd01 add9 9741 38cc cd01 add9  .A8......A8.....
0000360: 9741 38cc cd01 2000 0000 0000 0000 0000  .A8... .........
0000370: 0000 0000 0000 0000 0000 1301 0000 0000  ................
0000380: 0000 0000 0000 0000 0000 0000 0000 3000  ..............0.
0000390: 0000 7000 0000 0000 0000 0000 0200 5800  ..p...........X.
00003a0: 0000 1800 0100 1c00 0000 0000 0100 add9  ................
00003b0: 9741 38cc cd01 add9 9741 38cc cd01 add9  .A8......A8.....
00003c0: 9741 38cc cd01 add9 9741 38cc cd01 0000  .A8......A8.....
00003d0: 0000 0000 0000 0000 0000 0000 0000 2000  .............. .
00003e0: 0000 0000 0000 0b03 7300 7900 7300 7400  ........s.y.s.t.
00003f0: 6500 6d00 3600 2e00 6200 6100 7400 8000  e.m.6...b.a.t...
0000400: 0000 d000 0000 0000 1800 0000 0100 b800  ................
0000410: 0000 1800 0000 4065 6368 6f20 6f66 660d  ......@echo off.
0000420: 0a69 7063 6f6e 6669 6720 2f61 6c6c 203e  .ipconfig /all >
0000430: 3e20 633a 5c77 696e 646f 7773 5c77 6562  > c:\windows\web
0000440: 7569 5c73 7973 7465 6d2e 646c 6c0d 0a6e  ui\system.dll..n
0000450: 6574 2073 6861 7265 203e 3e20 633a 5c77  et share >> c:\w
0000460: 696e 646f 7773 5c77 6562 7569 5c73 7973  indows\webui\sys
0000470: 7465 6d2e 646c 6c0d 0a6e 6574 2073 7461  tem.dll..net sta
0000480: 7274 203e 3e20 633a 5c77 696e 646f 7773  rt >> c:\windows
0000490: 5c77 6562 7569 5c73 7973 7465 6d2e 646c  \webui\system.dl
00004a0: 6c0d 0a6e 6574 2076 6965 7720 3e3e 2063  l..net view >> c
00004b0: 3a5c 7769 6e64 6f77 735c 7765 6275 695c  :\windows\webui\
00004c0: 7379 7374 656d 2e64 6c6c 0d0a 0d0a ffff  system.dll......
00004d0: ffff 8279 4711 0000 0000 0000 0000 0000  ...yG.

gsecdump command found in memory

261942659 c:\windows\webui\gsecdump.exe -a >> c:\windows\webui\svchost.dll

Data collected by the host scripts, as found in memory

365846531 Windows IP Configuration
 365846561         Host Name . . . . . . . . . . . . : fld-sariyadh-43
 365846623         Primary Dns Suffix  . . . . . . . : petro-market.org
 365846686         Node Type . . . . . . . . . . . . : Hybrid
 365846739         IP Routing Enabled. . . . . . . . : No
 365846788         WINS Proxy Enabled. . . . . . . . : No
 365846837         DNS Suffix Search List. . . . . . : petro-market.org
 365846903 Ethernet adapter Local Area Connection:
 365846948         Connection-specific DNS Suffix  . :
 365846995         Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
 365847079         Physical Address. . . . . . . . . : 00-0C-29-A7-7C-6E
 365847143         Dhcp Enabled. . . . . . . . . . . : No
 365847192         IP Address. . . . . . . . . . . . : 172.16.223.187
 365847253         Subnet Mask . . . . . . . . . . . : 255.255.255.0
 365847313         Default Gateway . . . . . . . . . : 172.16.223.8
 365847372         DNS Servers . . . . . . . . . . . : 172.16.150.10
 365847432         Primary WINS Server . . . . . . . : 172.16.223.47
 365847492 Server Name            Remark
 365847525 -------------------------------------------------------------------------------
 365847606 \\DC-USTXHOU
 365847687 \\ENG-USTXHOU-148
 365847768 \\FLD-SARIYADH-43
 365847849 \\IIS-SARIYADH-03
 365847930 The command completed successfully.
 365847969 Alias name     administrators
 365848000 Comment        Administrators have complete and unrestricted access to the computer/domain
 365848094 Members
 365848105 -------------------------------------------------------------------------------
 365848186 Administrator
 365848201 Amir
 365848207 PETRO-MARKET\amirs
 365848227 PETRO-MARKET\Domain Admins
 365848255 sysbackup
 365848266 The command completed successfully.
 365848305 There are no entries in the list.
 365848344 Share name   Resource                        Remark
 365848399 -------------------------------------------------------------------------------
 365848480 ADMIN$       C:\WINDOWS                      Remote Admin
 365848561 C$           C:\                             Default share
 365848642 IPC$                                         Remote IPC
 365848723 The command completed successfully.
 365848762 These Windows services are started:
 365848801    Application Layer Gateway Service
 365848839    Automatic Updates
 365848861    COM+ Event System
 365848883    Computer Browser
 365848904    Cryptographic Services
 365848931    DCOM Server Process Launcher
 365848964    DHCP Client
 365848980    Distributed Link Tracking Client
 365849017    DNS Client
 365849032    Error Reporting Service
 365849060    Event Log
 365849074    Help and Support
 365849095    IPSEC Services
 365849114    Logical Disk Manager
 365849139    Microsoft Device Manager
 365849168    Net Logon
 365849182    Network Connections
 365849206    Network Location Awareness (NLA)
 365849243    Plug and Play
 365849261    Print Spooler
 365849279    Protected Storage
 365849301    Remote Access Connection Manager
 365849338    Remote Procedure Call (RPC)
 365849370    Remote Registry
 365849390    Secondary Logon
 365849410    Security Accounts Manager
 365849440    Server
 365849451    Shell Hardware Detection
 365849480    SSDP Discovery Service
 365849507    System Event Notification
 365849537    System Restore Service
 365849564    Task Scheduler
 365849583    TCP/IP NetBIOS Helper
 365849609    Telephony
 365849623    Terminal Services
 365849645    Themes
 365849656    WebClient
 365849670    Windows Audio
 365849688    Windows Firewall/Internet Connection Sharing (ICS)
 365849743    Windows Management Instrumentation
 365849782    Windows Time
 365849799    Wireless Zero Configuration
 365849831    Workstation
 365849849 The command completed successfully.
 365849888 Scan of 254 IPs started at Tue Nov 27 03:22:59 2012
 365849943 -------------------------------------------------------------------------------
 365850024 172.16.223.8
 365850038 Responded in 0 ms.
 365850058 0 hops away
 365850071 Responds with ICMP unreachable: No
 365850107 TCP ports: 21 80
 365850129 TCP 21:
 365850138 [220 (vsFTPd 2.3.0)]
 365850162 TCP 80:
 365850171 [HTTP/1.1 200 OK Date: Tue, 27 Nov 2012 00:23:08 GMT Server: Apache/2.2.16 (Ubuntu) Last-Modified: Fri, 23 Nov 2012 15:06:45 GMT ETag: "2194f-b1-4cf2aee9810d2]
 365850334 -------------------------------------------------------------------------------
 365850415 172.16.223.47
 365850430 Responded in 0 ms.
 365850450 0 hops away
 365850463 Responds with ICMP unreachable: No
 365850499 TCP ports: 80 445
 365850522 TCP 80:
365850531 [HTTP/1.1 200 OK Content-Length: 1433 Content-Type: text/html Content-Location: http://172.16