I wanted to share a few interesting artifacts from two ZAccess/Sirefef.P compromises I recently had to deal with. In both infections, malicious files were written to hidden subdirectories located in the User and System accounts' $Recycle.Bin. Much like other variants of this Trojan, these files were injected into legitimate processes including explorer.exe and services.exe. At first I thought the infection had mucked with the permissions of the hidden subdirectories within the Recycle.Bin but then noticed the S-1-5-18 SID, indicating the use of the SYSTEM account.
The first compromise went a step further and overwrote the Wdf01000.sys driver under \SystemRoot\System32\Drivers. I would have missed this if I had not dumped the NTFS Master File Table and used the $SI Entry Date when creating my timeline. By overwriting the existing file, it would appear the other NTFS timestamps were preserved due to File System Tunneling (ref: KB172190 and WIR Blog). A very interesting artifact indeed.
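An added triage check, not code from the post: a Python pass over constructed MFT-style timeline records that flags the two artifacts described above, files inside a hidden $-prefixed directory under the SYSTEM (S-1-5-18) $Recycle.Bin, and drivers whose $SI created/modified times are far older than the MFT entry-modified ("Entry Date") value, the pattern that only the entry date exposed here. The paths, timestamps, hex directory name and 30-day gap are assumptions; a legitimate in-place update can also trip the second rule, so it is a filter for review rather than a verdict.

```python
import re
from datetime import datetime, timedelta

# ZeroAccess-style drop location: $Recycle.Bin\S-1-5-18\$<32 hex chars>\
HIDDEN_BIN_RE = re.compile(
    r"\\\$Recycle\.Bin\\S-1-5-18\\\$[0-9a-f]{32}\\", re.IGNORECASE)
DRIVER_DIR = "\\system32\\drivers\\"

# Constructed timeline records (not from the post). Times are $SI created,
# $SI modified and the MFT entry-modified ("Entry Date") value, ISO 8601.
RECORDS = [
    {"path": r"C:\Windows\System32\Drivers\Wdf01000.sys",
     "created": "2009-07-14T01:14:00", "modified": "2009-07-14T01:14:00",
     "entry": "2012-03-02T10:41:17"},          # old $SI, recent entry date
    {"path": r"C:\Windows\System32\Drivers\ndis.sys",
     "created": "2009-07-14T01:14:00", "modified": "2009-07-14T01:14:00",
     "entry": "2009-07-14T01:14:00"},          # untouched driver
    {"path": r"C:\$Recycle.Bin\S-1-5-18\$0123456789abcdef0123456789abcdef\n",
     "created": "2012-03-02T10:41:10", "modified": "2012-03-02T10:41:10",
     "entry": "2012-03-02T10:41:10"},          # placeholder hex dir name
    {"path": r"C:\$Recycle.Bin\S-1-5-21-1000-2000-3000-1001\$RQWERTY.txt",
     "created": "2012-01-05T08:00:00", "modified": "2012-01-05T08:00:00",
     "entry": "2012-02-01T09:30:00"},          # ordinary user recycle item
]

def find_suspicious(records, gap=timedelta(days=30)):
    """Return [(path, [reasons])] for records matching either indicator."""
    hits = []
    for rec in records:
        reasons = []
        if HIDDEN_BIN_RE.search(rec["path"]):
            reasons.append("file in hidden $-dir under SYSTEM $Recycle.Bin")
        if DRIVER_DIR in rec["path"].lower():
            newest_si = max(datetime.fromisoformat(rec["created"]),
                            datetime.fromisoformat(rec["modified"]))
            entry = datetime.fromisoformat(rec["entry"])
            if entry - newest_si > gap:
                reasons.append("driver entry date far newer than $SI times "
                               "(possible tunneled overwrite)")
        if reasons:
            hits.append((rec["path"], reasons))
    return hits

if __name__ == "__main__":
    for path, reasons in find_suspicious(RECORDS):
        print(path, "->", "; ".join(reasons))
```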
The first variant loaded some typical Fake Antivirus into the C:\ProgramData folder. Nothing new there but with the second variant, I noted the creation of a lot of Internet cache files under \SystemRoot\System32\Config\Systemprofile\AppData in what appeared to be the presence of click fraud.
Overall, a couple of interesting variants that I enjoyed playing with. Here are the hashes for reference.
[root]\$Recycle.Bin\S-1-5-18\$a032773db1be215125d280696ec7b357\n
MD5: 3aaac8a9352dde4e2073a7814514bd9d
SHA1: 321132983c3fc25448e19ae63e65cb127f28c5b7
[root]\$Recycle.Bin\S-1-5-18\$f58c247e192203c97063e19c12229833\n
MD5: cfaddbb43ba973f8d15d7d2e50c63476
SHA1: 34206a971fe3cbb1acf2ce8bb9f145bfd78e256e
Happy Hunting!