So I was reading Trend's blog post Without a Trace: Fileless Malware Spotted in the Wild and although not totally new, it got me thinking a bit. I downloaded some of the MD5s they posted and started infecting my lab box. I noticed a couple different behaviors when infecting my lab machine with two different samples.
- As mentioned in the blog: Creations of Rc4Encoded32 and Rc4Encoded64 registry values in HKEYCURRENTUSER\Software\Microsoft\Active Setup\Installed Components{Bot GUID}
- A couple of the hashes created a Software entry: Software\ xsw\binaryImage32 and the data was an EXE.
How the malware uses these blobs of data is not the objective of this post. You can read the Trend blog for that information.
Both entries were binary blobs and were large relative to everything else I had in my test hives so I wondered how feasible it would be to recurse through a hive and return any entry larger than a user specified size.
I started writing some Python code and came up with: reghexdump (i'm terrible at coming up with script names). You can download the code here from my GitHub page.
Let's take a look at what I ended up with.
Help
python reghexdump.py -h
usage: reghexdump.py [-h] [--hive HIVE] [--size SIZE] [--write WRITE]
Parse Registry hive looking for malicious Binary data.
optional arguments:
-h, --help show this help message and exit
--hive HIVE Path to Hive.
--size SIZE Size in bytes.
--write WRITE Write the binary values out to a directory.
Output - No Write
You will see here we have Path, LastWrite MD5 along with VT lookups on the binary blobs of data. In one of the instances you can see it's hitting 35/57, and lastly I also included the data size and a hex preview.
You're able to change up the --size to any size you want to help reduce FPs.
python reghexdump.py --hive NTUSER.DAT.copy0 --size 20000
Path: CMI-CreateHive{6A1C4018-979D-4291-A7DC-7AED1C75B67C}\Software\ xsw\binaryImage32
LastWrite: 2015-04-21T14:17:17.642979Z
MD5: 5be923a9a323667dc6ae33fb2f4a80a6 - 35/57
Size: 223744
00000000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
00000010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00 ................
00000040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
00000050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
00000060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
00000070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
Path: CMI-CreateHive{6A1C4018-979D-4291-A7DC-7AED1C75B67C}\Software\Microsoft\Active Setup\Installed Components\{72507C54-3577-4830-815B-310007F6135A}\Rc4Encoded32
LastWrite: 2015-04-21T14:17:26.051649Z
MD5: 26ef08eb9dd49c53e0526bf148d23e3d - None
Size: 54669
00000000 87 87 3F 5C D1 25 67 7D C8 47 0F 5A 9C B7 D1 3E ..?..%g}.G.Z...>
00000010 0B 34 AB 0E 9D 2E 59 D6 A2 51 C7 66 18 54 5A C2 .4....Y..Q.f.TZ.
00000020 1D 6B C0 B8 17 F6 23 C3 7D CA B2 2F E3 10 82 5A .k....#.}../...Z
00000030 C8 99 9C 83 C9 4C 58 FB C7 FC 14 3E 15 9C B4 70 .....LX....>...p
00000040 82 3B 35 AF E3 B9 B2 E3 34 47 7F 50 46 74 01 B6 .;5.....4G.PFt..
00000050 F2 72 D1 76 44 71 B2 F5 82 21 F6 79 0F FE EE 68 .r.vDq...!.y...h
00000060 CE 04 8E 0F 51 2D C3 FE 70 BC 78 BC 2C 6E 94 1D ....Q-..p.x.,n..
00000070 E9 0C 40 C5 98 DD 2F 09 2D 27 7E 14 B6 DA 28 3C ..@.../.-'~...(<
Path: CMI-CreateHive{6A1C4018-979D-4291-A7DC-7AED1C75B67C}\Software\Microsoft\Active Setup\Installed Components\{72507C54-3577-4830-815B-310007F6135A}\Rc4Encoded64
LastWrite: 2015-04-21T14:17:26.051649Z
MD5: 233ec524cd7b88e18661298d8de549dd - None
Size: 68909
00000000 87 46 53 6F 96 A7 6B AA E8 65 C2 DA AE 96 4C 98 .FSo..k..e....L.
00000010 43 B5 8E E5 99 2E 59 9E 2B CD E3 66 1C 54 5A 8A C.....Y.+..f.TZ.
00000020 C1 5E 01 31 FF EE 27 8B F4 F7 0B D7 1C EF 7D 9F .^.1..'.......}.
00000030 F4 D1 43 64 32 C5 E5 42 B5 D1 51 B5 50 94 3D 0A ..Cd2..B..Q.P.=.
00000040 B0 A6 AC 36 F8 A2 D8 F8 8E 95 7F 05 9F 70 01 B6 ...6.........p..
00000050 86 4F 04 2E 46 F8 A6 F1 4B 56 7F 79 4F 77 18 05 .O..F...KV.yOw..
00000060 76 F8 71 F0 6C 93 7F FE 70 CE 89 BC 2C 6E 94 1D v.q.l...p...,n..
00000070 EB 0C 40 C5 98 9A E4 99 D2 E4 84 9D 6D 9B A9 94 ..@.........m...
Path: CMI-CreateHive{6A1C4018-979D-4291-A7DC-7AED1C75B67C}\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache
LastWrite: 2015-04-21T12:53:08.684547Z
MD5: 630f44e2a9ae05d72f5aecb471d608e3 - None
Size: 74419
00000000 13 00 00 00 C3 53 5B 62 48 AB C1 4E BA 1F A1 EF .....S[bH..N....
00000010 41 46 FC 19 00 80 00 00 00 7E 00 31 00 00 00 00 AF.......~.1....
00000020 00 69 42 79 3F 11 00 50 72 6F 67 72 61 6D 73 00 .iBy?..Programs.
00000030 00 66 00 08 00 04 00 EF BE 69 42 50 3F 69 42 79 .f.......iBP?iBy
00000040 3F 2A 00 00 00 3F 01 00 00 00 00 02 00 00 00 00 ?*...?..........
00000050 00 00 00 00 00 3C 00 00 00 00 00 50 00 72 00 6F .....<.....P.r.o
00000060 00 67 00 72 00 61 00 6D 00 73 00 00 00 40 00 73 .g.r.a.m.s...@.s
00000070 00 68 00 65 00 6C 00 6C 00 33 00 32 00 2E 00 64 .h.e.l.l.3.2...d
Write
You also have the option to write out the binary blobs to disk. When using the --write arguement you will also have an additional message included. In this example it says, "Writing Data: binaryImage32 to out/"
reghexdump.py --hive NTUSER.DAT.copy0 --size 20000 --write out/
Writing Data: binaryImage32 to out/
Path: CMI-CreateHive{6A1C4018-979D-4291-A7DC-7AED1C75B67C}\Software\ xsw\binaryImage32
LastWrite: 2015-04-21T14:17:17.642979Z
MD5: 5be923a9a323667dc6ae33fb2f4a80a6 - 35/57
Size: 223744
00000000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
00000010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00 ................
00000040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
00000050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
00000060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
00000070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
List Output
If you use the --write option it will write out and of the "hits" into the directory specified as seen below.
ls out/
- ProgramsCache
- Rc4Encoded32
- Rc4Encoded64
- binaryImage32
file out/*
- out/ProgramsCache: Spectrum .TAP data BASIC program
- out/Rc4Encoded32: data
- out/Rc4Encoded64: data
- out/binaryImage32: MS-DOS executable
Summary
I hope this is useful. I'll add some additional features over the next few days. I'm short on time these days. Let me know if you would like to see any additional features/functionality. I don't know how practical it is yet, but saw the blog and wanted a quick script to detect it if I needed.
You can download the code here from my GitHub page.