CSIS gennemgang af Forensics

1. REST ASSURED
Banker Trojans from a forensics perspective
ATEA ERFA, MARTS 2017
www.csis.dk

2. Glossary Banker Trojan
C2, CnC, C&C, C2C server
Drop server
Drive-by website
Exploit kit
Configuration file
Web inject
Dropper
Sinkhole
DGA
Money Mule
Rogue DNS
Sandbox
Cryptor
Payload
Hybrid attacks
PPI
Banker Trojans from a forensics perspective

3. 08080808
*******
08080808
*******
1234
How does a banker Trojan work?

4. REST ASSURED
www.csis.dk

5. REST ASSURED
www.csis.dk

6. Agenda 1.00 What?
2.00 How?
3.00 When?
4.00 Tools (free)
5.00 Case example: Carbanak & Dridex
6.00 CIRK (Commercial tool)
7.00 Real life examples
Banker Trojans from a forensics perspective

7. 1.00
What? – Let’s find the malware, it is most likely persistent
Banker Trojans from a forensics perspective

8. 8
What?
• Service creation
• Binary replacement
• Scheduled task
• Auto-start Registry keys
• Startup folders
• DLL search order hijacking
• Trojaned legitimate system libraries
• More advanced – local group policy, MS office
add-in, or BIOS flashing
Most malware has some kind of persistency

9. 9
What?
• Service creation
• Binary replacement
• Scheduled task
• Auto-start Registry keys
• Startup folders
• DLL search order hijacking
• Trojaned legitimate system libraries
• More advanced – local group policy, MS office
add-in, or BIOS flashing
Most malware has some kind of persistency
Malware: Carbanak

10. 10
What?
• Service creation
• Binary replacement
• Scheduled task
• Auto-start Registry keys
• Startup folders
• DLL search order hijacking
• Trojaned legitimate system libraries
• More advanced – local group policy, MS office
add-in, or BIOS flashing
Most malware has some kind of persistency
Malware: Sality

11. 11
What?
• Service creation
• Binary replacement
• Scheduled task
• Auto-start Registry keys
• Startup folders
• DLL search order hijacking
• Trojaned legitimate system libraries
• More advanced – local group policy, MS office
add-in, or BIOS flashing
Most malware has some kind of persistency
Malware: Rovnix (Gozi2)

12. 12
What?
• Service creation
• Binary replacement
• Scheduled task
• Auto-start Registry keys
• Startup folders
• DLL search order hijacking
• Trojaned legitimate system libraries
• More advanced – local group policy, MS office
add-in, or BIOS flashing
Most malware has some kind of persistency
Malware: Carbanak

13. Title of the presentation
2.00
How? – Let’s see how the malware was installed
Banker Trojans from a forensics perspective

14. 14
How?
Drive-by:
• Temp files (jar, swf, exe, dll, tmp, etc.)
• Browser history
Spear phishing e-mail:
• Known e-mail extensions (msg, eml, etc.)
• Known e-mail attachments (pdf, js, src, zip, etc.)
• Known e-mail file path (Content.Outlook)
Let’s go find that malware dropper
Malware: APT

15. 15
How?
Drive-by:
• Temp files (jar, swf, exe, dll, tmp, etc.)
• Browser history
Spear phishing e-mail:
• Known e-mail extensions (msg, eml, etc.)
• Known e-mail attachments (pdf, js, src, zip, etc.)
• Known e-mail file path (Content.Outlook)
Let’s go find that malware dropper
Malware: CryptoWall 3.0

16. 16
How?
Drive-by:
• Temp files (jar, swf, exe, dll, tmp, etc.)
• Browser history
Spear phishing e-mail:
• Known e-mail extensions (msg, eml, etc.)
• Known e-mail attachments (pdf, js, src, zip, etc.)
• Known e-mail file path (Content.Outlook)
Let’s go find that malware dropper
Malware: Dyreza

17. 17
How?
Drive-by:
• Temp files (jar, swf, exe, dll, tmp, etc.)
• Browser history
Spear phishing e-mail:
• Known e-mail extensions (msg, eml, etc.)
• Known e-mail attachments (pdf, js, src, zip, etc.)
• Known e-mail file path (Content.Outlook)
Let’s go find that malware dropper
Malware: Dridex

18. 18
How?
Drive-by:
• Temp files (jar, swf, exe, dll, tmp, etc.)
• Browser history
Spear phishing e-mail:
• Known e-mail extensions (msg, eml, etc.)
• Known e-mail attachments (pdf, js, src, zip, etc.)
• Known e-mail file path (Content.Outlook)
Let’s go find that malware dropper
Malware: Dridex

19. 3.00
When? – Let’s see when the malware was installed
Banker Trojans from a forensics perspective

20. 20
When?
Create a master timeline:
• Files
• Registry
• Browser history
• Event log
• Scheduled task
• PF files
• Etc.
File timestamps are easily manipulated, but registry entries seldom
Malware: Carbanak
Timestamp Artifact source Data
2015-08-
26T13:05:48
+00:00
FILE Mactime Bodyfile C:/ProgramData/Mozilla/sv
chost.exe (deleted)

21. 21
When?
Create a master timeline:
• Files
• Registry
• Browser history
• Event log
• Scheduled task
• PF files
• Etc.
File timestamps are easily manipulated, but registry entries seldom
Malware: Dridex
Timestamp Artifact source Data
2015-08-25
T14:00:08.39
6076+00:00
Registry hive
[HKEY_CURRENT_USERSoftwareMicros
oftOffice15.0WordReading
LocationsDocument 6]
C:UsersmoragAppData
LocalMicrosoftWindows
Temporary Internet
FilesContent.OutlookZOZ
N2DEXInv_26949_from_I
__SPI_Ltd_7888.doc

22. 4.00
Tools (free)
Banker Trojans from a forensics perspective

23. 23
Tools
• Data collector
• log2timeline
• rip.pl
• regdump.pl
• Maltego
• Virustotal
• Google
• Etc.
Tools (free)
CIRK collector GUI

24. 24
Tools
• Data collector
• log2timeline
• rip.pl
• regdump.pl
• Maltego
• Virustotal
• Google
• Etc.
Tools (free)
CIRK collector command line with silent switches

25. 25
Tools
• Data collector
• log2timeline
• rip.pl
• regdump.pl
• Maltego
• Virustotal
• Google
• Etc.
Tools (free)
Log2timeline
// Create plaso DB = structured DB
#> log2timeline.py -z [TZ] db.plaso [ FOLDER | IMAGE | FILE ]
// Sort and output timeline in a TEXT file
#> psort.py -z [TZ] db.plaso "select datetime,timestamp_desc,message" -w master.timeline
// Look for last 1024 executed files
#> grep AppCompatCache master.timeline | grep svchost | cut -d " " -f 1,10
2009-07-14T01:14:41.954000+00:00,File ??C:Windowssystem32svchost.exe
2009-07-14T01:14:41.954000+00:00,File ??C:WindowsSysWOW64svchost.exe
2009-07-14T01:14:41.954000+00:00,File ??C:WindowsSysWOW64svchost.exe
2009-07-14T01:14:41.954000+00:00,File ??C:Windowssystem32svchost.exe
2009-07-14T01:39:46.503000+00:00,File ??C:WindowsSystem32svchost.exe
2009-07-14T01:39:46.503000+00:00,File ??C:WindowsSystem32svchost.exe
2015-08-26T14:30:10.977531+00:00,File ??C:ProgramDataMozillasvchost.exe
2015-08-26T14:30:10.977531+00:00,File ??C:ProgramDataMozillasvchost.exe
//Look for malware droppers
#> grep UserAssist master.timeline

26. 26
Tools
• Data collector
• log2timeline
• rip.pl
• regdump.pl
• Maltego
• Virustotal
• Google
• Etc.
Tools (free)
rip.pl
// Extract ”interesting keys” from registry
#> rip.pl –r [REG_HIVE] –f [TEMPLATE]
// Example
#> rip.pl –r ntuser.dat –f ntuser > ntuser_interesting_keys.txt
// Look out for ”suspicious” autorun keys
SoftwareMicrosoftWindowsCurrentVersionRun
LastWrite Time Thu May 7 10:31:18 2015 (UTC)
Sidebar: C:Program FilesWindows Sidebarsidebar.exe /autoRun
aaaaaaaa: C:Usersallisonraaaaaaaa.exe
RESTART_STICKY_NOTES: C:WindowsSystem32StikyNot.exe

27. 27
Tools
• Data collector
• log2timeline
• rip.pl
• regdump.pl
• Maltego
• Virustotal
• Google
• Etc.
Tools (free)
regdump.pl
// Dump registry
#> regdump.pl [REG_HIVE] –v [KEY]
// Example
#> regdump.pl morag_ntuser.bin SoftwareMicrosoftWindowsCurrentVersion
ExplorerCLSID{49A4A2C4-5E41-262E-A4E5-BF116F5A3FF4}
ShellFolder morag_ntuser.bin –v | hexdump -C

28. 28
Tools
• Data collector
• log2timeline
• rip.pl
• regdump.pl
• Maltego
• Virustotal
• Google
• Etc.
Tools (free)
regdump.pl
// Dump registry
#> regdump.pl [REG_HIVE] –v [KEY]
// Example
#> regdump.pl morag_ntuser.bin SoftwareMicrosoftWindowsCurrentVersion
ExplorerCLSID{49A4A2C4-5E41-262E-A4E5-BF116F5A3FF4}
ShellFolder morag_ntuser.bin –v | hexdump -C

29. 29
Tools
• Data collector
• log2timeline
• rip.pl
• regdump.pl
• Maltego
• Virustotal
• Google
• Etc.
Tools (free)
regdump.pl
// Dump registry
#> regdump.pl [REG_HIVE] –v [KEY]
// Example
#> regdump.pl morag_ntuser.bin SoftwareMicrosoftWindowsCurrentVersion
ExplorerCLSID{49A4A2C4-5E41-262E-A4E5-BF116F5A3FF4}
ShellFolder morag_ntuser.bin –v | hexdump -C

30. 30
Tools
• Data collector
• log2timeline
• rip.pl
• regdump.pl
• Maltego
• Virustotal
• Google
• Etc.
Tools (free)
Maltego
// Lots of possibility, it depends on the transforms.
// Example #1: toLocationCountry

31. 31
Tools
• Data collector
• log2timeline
• rip.pl
• regdump.pl
• Maltego
• Virustotal
• Google
• Etc.
Tools (free)
Maltego
// Lots of possibility, it depends on the transforms.
// Example #1: CSISCampaignNameFromIP

32. 32
Tools
• Data collector
• log2timeline
• rip.pl
• regdump.pl
• Maltego
• Virustotal
• Google
• Etc.
Tools (free)
Maltego
// Lots of possibility, it depends on the transforms.
// Example #1: CSISCampaignNameFromPhrase

33. 33
Tools
• Data collector
• log2timeline
• rip.pl
• regdump.pl
• Maltego
• Virustotal
• Google
• Etc.
Tools (free)
Virustotal
// Check hashes and/or URLs
// Example: Revoked certificate (hash: 682f39be218a29818b27a4a7753fffa9)

34. 34
Tools
• Data collector
• log2timeline
• rip.pl
• regdump.pl
• Maltego
• Virustotal
• Google
• Etc.
Tools (free)
Google
// Google knows everything
// Example: ”Inv_26949_from_I__SPI_Ltd_7888.doc”

35. 5.00
Case: Carbanak & Dridex (4235432-20150828-GVZ66)
Banker Trojans from a forensics perspective

36. 6.00
CIRK (Commercial tool)
Banker Trojans from a forensics perspective

37. 37
CIRK
• Collector
• Backend analysis
• Quality assurance (QA)
• Reporting
• Data sharing (J-CAT)
• Dashboard
CSIS Incident Response Kit
Collector (GUI / CLI) – Standalone executable

38. 38
CIRK
• Collector
• Backend analysis
• Quality assurance (QA)
• Reporting
• Data sharing (J-CAT)
• Dashboard
CSIS Incident Response Kit
Collector (GUI / CLI) – Silent switches / remote execution

39. 39
CIRK
• Collector
• Backend analysis
• Quality assurance (QA)
• Reporting
• Data sharing (J-CAT)
• Dashboard
CSIS Incident Response Kit
Known Bad Hashes

40. 40
CIRK
• Collector
• Backend analysis
• Quality assurance (QA)
• Reporting
• Data sharing (J-CAT)
• Dashboard
CSIS Incident Response Kit
Possible Malware Droppers

41. 41
CIRK
• Collector
• Backend analysis
• Quality assurance (QA)
• Reporting
• Data sharing (J-CAT)
• Dashboard
CSIS Incident Response Kit
Suspicious Files

42. 42
CIRK
• Collector
• Backend analysis
• Quality assurance (QA)
• Reporting
• Data sharing (J-CAT)
• Dashboard
CSIS Incident Response Kit
Remote Administration Tools

43. 43
CIRK
• Collector
• Backend analysis
• Quality assurance (QA)
• Reporting
• Data sharing (J-CAT)
• Dashboard
CSIS Incident Response Kit
AutoRun keys

44. 44
CIRK
• Collector
• Backend analysis
• Quality assurance (QA)
• Reporting
• Data sharing (J-CAT)
• Dashboard
CSIS Incident Response Kit
NetStat Connections

45. 45
CIRK
• Collector
• Backend analysis
• Quality assurance (QA)
• Reporting
• Data sharing (J-CAT)
• Dashboard
CSIS Incident Response Kit
Quality assurance (OPTIONAL)

46. 46
CIRK
• Collector
• Backend analysis
• Quality assurance (QA)
• Reporting
• Data sharing (J-CAT)
• Dashboard
CSIS Incident Response Kit
Reporting

47. 47
CIRK
• Collector
• Backend analysis
• Quality assurance (QA)
• Reporting
• Data sharing (J-CAT)
• Dashboard
CSIS Incident Response Kit
Reporting

48. 48
CIRK
• Collector
• Backend analysis
• Quality assurance (QA)
• Reporting
• Data sharing (J-CAT)
• Dashboard
CSIS Incident Response Kit
Reporting (Open IOC standard)

49. 49
CIRK
• Collector
• Backend analysis
• Quality assurance (QA)
• Reporting
• Data sharing (J-CAT)
• Dashboard
CSIS Incident Response Kit
Reporting (Open IOC standard)

50. 50
CIRK
• Collector
• Backend analysis
• Quality assurance (QA)
• Reporting
• Data sharing (J-CAT)
• Dashboard
CSIS Incident Response Kit
Data sharing LE (J-CAT)

51. 51
CIRK
• Collector
• Backend analysis
• Quality assurance (QA)
• Reporting
• Data sharing (J-CAT)
• Dashboard
CSIS Incident Response Kit
Data sharing LE (J-CAT)

52. 52
CIRK
• Collector
• Backend analysis
• Quality assurance (QA)
• Reporting
• Data sharing (J-CAT)
• Dashboard
CSIS Incident Response Kit
Dashboard

53. 7.00
Examples:
Case: Smokebot & Mimikatz (2242474-20170120-0T5SX)
Case: Trickbot & Pony (2242474-20161104-P22DA)
Case: Ramnit (4235827-20170106-PMMNZ)
Case: Cryptolocker (4235918-20170119-PCWEB)
Banker Trojans from a forensics perspective

54. 54
CIRK
Benefits
Find out
• What happened?
• When did it happen?
• How did it happen?
Unique forensic tool
• Works with both: “Malicious employees” - & malware forensic
• Collect & analyze evidence fast and secure
• Comply with legal authorities & regulations
• J-CAT integration
Managed cloud service
• Managed by specialists
• Analysis performed out-of-band
• Remote execution & no installation required
• SaaS: No hardware & software costs

55. 55
Learn more?
CSIS Academy: Fraud Analyst
Module 1: Threat assessment & landscape
• Full Circle Crime Model
• PC Malware
• Mobile Malware
• Introduction to Linux
Module 2: Fraud techniques & attacks
• Gathering intelligence
• “Lie to me”
• Hands-on exercises
Module 3: Fraud detection & prevention
• Spoofing techniques
• Fraud detection
• Forensics analysis
• Hands-on exercises
• Fraud prevention

56. Thank you
For more information, please contact
jka@csis.dk
www.csis.dk
REST ASSURED