So I was reading Trend's blog post Without a Trace: Fileless Malware Spotted in the Wild and although not totally new, it got me thinking a bit. I downloaded some of the MD5s they posted and started infecting my lab box. I noticed a couple of different behaviors when infecting my lab machine with two different samples.
- As mentioned in the blog: creation of Rc4Encoded32 and Rc4Encoded64 registry values in HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{Bot GUID}
- A couple of the hashes created a Software entry: Software\ xsw\binaryImage32, and the data was an EXE.
How the malware uses these blobs of data is not the objective of this post. You can read the Trend blog for that information.
Both entries were binary blobs and were large relative to everything else I had in my test hives so I wondered how feasible it would be to recurse through a hive and return any entry larger than a user specified size.
I started writing some Python code and came up with reghexdump (I'm terrible at coming up with script names). You can download the code here from my GitHub page.
Let's take a look at what I ended up with.
Help
python reghexdump.py -h
usage: reghexdump.py [-h] [--hive HIVE] [--size SIZE] [--write WRITE]
Parse Registry hive looking for malicious Binary data.
optional arguments:
-h, --help show this help message and exit
--hive HIVE Path to Hive.
--size SIZE Size in bytes.
--write WRITE Write the binary values out to a directory.
Output - No Write
Here you can see Path, LastWrite and MD5, along with VirusTotal lookups on the binary blobs of data. In one of the instances you can see it's hitting 35/57, and lastly I also included the data size and a hex preview.
You can change --size to whatever value you want to help reduce false positives.
python reghexdump.py --hive NTUSER.DAT.copy0 --size 20000
Path: CMI-CreateHive{6A1C4018-979D-4291-A7DC-7AED1C75B67C}\Software\ xsw\binaryImage32
LastWrite: 2015-04-21T14:17:17.642979Z
MD5: 5be923a9a323667dc6ae33fb2f4a80a6 - 35/57
Size: 223744
00000000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
00000010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00 ................
00000040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
00000050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
00000060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
00000070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
Path: CMI-CreateHive{6A1C4018-979D-4291-A7DC-7AED1C75B67C}\Software\Microsoft\Active Setup\Installed Components\{72507C54-3577-4830-815B-310007F6135A}\Rc4Encoded32
LastWrite: 2015-04-21T14:17:26.051649Z
MD5: 26ef08eb9dd49c53e0526bf148d23e3d - None
Size: 54669
00000000 87 87 3F 5C D1 25 67 7D C8 47 0F 5A 9C B7 D1 3E ..?..%g}.G.Z...>
00000010 0B 34 AB 0E 9D 2E 59 D6 A2 51 C7 66 18 54 5A C2 .4....Y..Q.f.TZ.
00000020 1D 6B C0 B8 17 F6 23 C3 7D CA B2 2F E3 10 82 5A .k....#.}../...Z
00000030 C8 99 9C 83 C9 4C 58 FB C7 FC 14 3E 15 9C B4 70 .....LX....>...p
00000040 82 3B 35 AF E3 B9 B2 E3 34 47 7F 50 46 74 01 B6 .;5.....4G.PFt..
00000050 F2 72 D1 76 44 71 B2 F5 82 21 F6 79 0F FE EE 68 .r.vDq...!.y...h
00000060 CE 04 8E 0F 51 2D C3 FE 70 BC 78 BC 2C 6E 94 1D ....Q-..p.x.,n..
00000070 E9 0C 40 C5 98 DD 2F 09 2D 27 7E 14 B6 DA 28 3C ..@.../.-'~...(<
Path: CMI-CreateHive{6A1C4018-979D-4291-A7DC-7AED1C75B67C}\Software\Microsoft\Active Setup\Installed Components\{72507C54-3577-4830-815B-310007F6135A}\Rc4Encoded64
LastWrite: 2015-04-21T14:17:26.051649Z
MD5: 233ec524cd7b88e18661298d8de549dd - None
Size: 68909
00000000 87 46 53 6F 96 A7 6B AA E8 65 C2 DA AE 96 4C 98 .FSo..k..e....L.
00000010 43 B5 8E E5 99 2E 59 9E 2B CD E3 66 1C 54 5A 8A C.....Y.+..f.TZ.
00000020 C1 5E 01 31 FF EE 27 8B F4 F7 0B D7 1C EF 7D 9F .^.1..'.......}.
00000030 F4 D1 43 64 32 C5 E5 42 B5 D1 51 B5 50 94 3D 0A ..Cd2..B..Q.P.=.
00000040 B0 A6 AC 36 F8 A2 D8 F8 8E 95 7F 05 9F 70 01 B6 ...6.........p..
00000050 86 4F 04 2E 46 F8 A6 F1 4B 56 7F 79 4F 77 18 05 .O..F...KV.yOw..
00000060 76 F8 71 F0 6C 93 7F FE 70 CE 89 BC 2C 6E 94 1D v.q.l...p...,n..
00000070 EB 0C 40 C5 98 9A E4 99 D2 E4 84 9D 6D 9B A9 94 ..@.........m...
Path: CMI-CreateHive{6A1C4018-979D-4291-A7DC-7AED1C75B67C}\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache
LastWrite: 2015-04-21T12:53:08.684547Z
MD5: 630f44e2a9ae05d72f5aecb471d608e3 - None
Size: 74419
00000000 13 00 00 00 C3 53 5B 62 48 AB C1 4E BA 1F A1 EF .....S[bH..N....
00000010 41 46 FC 19 00 80 00 00 00 7E 00 31 00 00 00 00 AF.......~.1....
00000020 00 69 42 79 3F 11 00 50 72 6F 67 72 61 6D 73 00 .iBy?..Programs.
00000030 00 66 00 08 00 04 00 EF BE 69 42 50 3F 69 42 79 .f.......iBP?iBy
00000040 3F 2A 00 00 00 3F 01 00 00 00 00 02 00 00 00 00 ?*...?..........
00000050 00 00 00 00 00 3C 00 00 00 00 00 50 00 72 00 6F .....<.....P.r.o
00000060 00 67 00 72 00 61 00 6D 00 73 00 00 00 40 00 73 .g.r.a.m.s...@.s
00000070 00 68 00 65 00 6C 00 6C 00 33 00 32 00 2E 00 64 .h.e.l.l.3.2...d
Write
You also have the option to write out the binary blobs to disk. When using the --write argument you will also have an additional message included. In this example it says, "Writing Data: binaryImage32 to out/"
reghexdump.py --hive NTUSER.DAT.copy0 --size 20000 --write out/
Writing Data: binaryImage32 to out/
Path: CMI-CreateHive{6A1C4018-979D-4291-A7DC-7AED1C75B67C}\Software\ xsw\binaryImage32
LastWrite: 2015-04-21T14:17:17.642979Z
MD5: 5be923a9a323667dc6ae33fb2f4a80a6 - 35/57
Size: 223744
00000000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
00000010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00 ................
00000040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
00000050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
00000060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
00000070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
List Output
If you use the --write option it will write out all of the "hits" into the directory specified, as seen below.
ls out/
ProgramsCache
Rc4Encoded32
Rc4Encoded64
binaryImage32
file out/*
out/ProgramsCache: Spectrum .TAP data BASIC program
out/Rc4Encoded32: data
out/Rc4Encoded64: data
out/binaryImage32: MS-DOS executable
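The three steps above (recurse the hive, report Path/LastWrite/MD5/Size plus a hex preview for anything over --size, optionally write the hits out) are small enough to show end to end. The following is an added example written for this post, not the reghexdump code from the GitHub repo. It is written against python-registry's object interface (Registry.Registry(path).root(), key.path(), key.timestamp(), key.subkeys(), key.values(), value.name(), value.raw_data()), which is an assumption on my part; the Fake* classes mimic that interface with constructed data so the script runs offline, and the GUID and sample bytes are placeholders rather than anything from a real sample. It also flags values that start with an MZ header, since that is the quickest triage hint in the output above, and it avoids overwriting when the same value name (say Rc4Encoded32) turns up under two different keys.

```python
"""Walk a registry hive tree and report binary values larger than a threshold (added example)."""
import argparse
import hashlib
import os
import tempfile
from datetime import datetime, timezone

PREVIEW_BYTES = 128  # eight 16-byte rows, matching the preview length in the post's output


def hexdump(data, preview=PREVIEW_BYTES, width=16):
    """Return hexdump rows (offset, hex bytes, printable ASCII) for the first `preview` bytes."""
    rows = []
    for off in range(0, min(len(data), preview), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08X}  {hexpart:<{width * 3 - 1}}  {text}")
    return rows


def scan_hive(root, min_size):
    """Recurse from `root`; return one dict per value whose raw data is larger than min_size bytes."""
    hits, stack = [], [root]
    while stack:
        key = stack.pop()
        for value in key.values():
            data = value.raw_data()
            if len(data) <= min_size:
                continue
            hits.append({
                "path": f"{key.path()}\\{value.name()}",
                "name": value.name(),
                "lastwrite": key.timestamp().isoformat(),
                "md5": hashlib.md5(data).hexdigest(),
                "size": len(data),
                "looks_like_pe": data[:2] == b"MZ",  # cheap triage hint: DOS/PE header
                "preview": hexdump(data),
                "data": data,
            })
        stack.extend(key.subkeys())
    return hits


def write_hits(hits, outdir):
    """Write each hit's raw data to outdir; returns {filename: path}. Clashing names get a numeric suffix."""
    os.makedirs(outdir, exist_ok=True)
    written = {}
    for hit in hits:
        base = hit["name"].replace("\\", "_").replace("/", "_") or "(Default)"
        fname, n = base, 1
        while fname in written:  # e.g. Rc4Encoded32 present under two different GUID keys
            n += 1
            fname = f"{base}.{n}"
        path = os.path.join(outdir, fname)
        with open(path, "wb") as fh:
            fh.write(hit["data"])
        written[fname] = path
    return written


class FakeValue:
    """Stand-in for python-registry's RegistryValue (assumed interface)."""
    def __init__(self, name, data):
        self._name, self._data = name, data
    def name(self):
        return self._name
    def raw_data(self):
        return self._data


class FakeKey:
    """Stand-in for python-registry's RegistryKey (assumed interface)."""
    def __init__(self, path, ts, values=(), subkeys=()):
        self._path, self._ts, self._values, self._subkeys = path, ts, list(values), list(subkeys)
    def path(self):
        return self._path
    def timestamp(self):
        return self._ts
    def values(self):
        return self._values
    def subkeys(self):
        return self._subkeys


# Constructed sample data, not real malware: a fake MZ header padded out, and a pseudo-random blob.
SAMPLE_PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + bytes(300)
SAMPLE_RC4_BLOB = bytes((i * 37 + 11) & 0xFF for i in range(512))
TS = datetime(2015, 4, 21, 14, 17, 17, tzinfo=timezone.utc)


def build_sample_hive():
    """A tiny in-memory hive shaped like the post's findings (the GUID is a placeholder)."""
    bot_key = FakeKey(r"ROOT\Software\Microsoft\Active Setup\Installed Components\{BOT-GUID-PLACEHOLDER}",
                      TS, values=[FakeValue("Rc4Encoded32", SAMPLE_RC4_BLOB)])
    xsw_key = FakeKey(r"ROOT\Software\ xsw", TS, values=[FakeValue("binaryImage32", SAMPLE_PE_STUB)])
    small_key = FakeKey(r"ROOT\Software\Example", TS, values=[FakeValue("Flag", b"\x01\x00\x00\x00")])
    return FakeKey("ROOT", TS, subkeys=[xsw_key, bot_key, small_key])


def demo(min_size=256, outdir=None):
    """Scan the constructed hive and write the hits to outdir (a temp dir if None); returns (hits, written)."""
    hits = scan_hive(build_sample_hive(), min_size)
    return hits, write_hits(hits, outdir or tempfile.mkdtemp(prefix="reghex_"))


def report(hits):
    for hit in hits:
        print(f"Path: {hit['path']}\nLastWrite: {hit['lastwrite']}\nMD5: {hit['md5']}\nSize: {hit['size']}"
              + ("  [MZ header]" if hit["looks_like_pe"] else ""))
        print("\n".join(hit["preview"]))


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Report registry values larger than --size bytes.")
    ap.add_argument("--hive", help="Path to a hive; omitted = scan the built-in sample tree")
    ap.add_argument("--size", type=int, default=256, help="Size in bytes (use ~20000 on a real hive)")
    ap.add_argument("--write", help="Write the binary values out to this directory")
    args = ap.parse_args()
    if args.hive:
        from Registry import Registry  # python-registry, assumed installed
        root = Registry.Registry(args.hive).root()
    else:
        root = build_sample_hive()
    hits = scan_hive(root, args.size)
    report(hits)
    if args.write:
        for name in write_hits(hits, args.write):
            print(f"Writing Data: {name} to {args.write}")
```

Run it with no arguments to see the two constructed hits; against a real NTUSER.DAT, the threshold is doing the heavy lifting, and the ProgramsCache hit in the output above shows why: any large REG_BINARY value passes the filter, so the MD5 lookup and the hex preview (an MZ header, or high-entropy bytes with no structure) are what separate a benign cache from something worth pulling out with --write.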
Summary
I hope this is useful. I'll add some additional features over the next few days. I'm short on time these days. Let me know if you would like to see any additional features/functionality. I don't know how practical it is yet, but saw the blog and wanted a quick script to detect it if I needed.
You can download the code here from my GitHub page.