NIDS - Network Intrusion Detection System.

Department of Managed Services
Active Defense Engagement Report
STRICTLY CONFIDENTIAL
Report ID/#
Report Date
Customer
Name
Matthew Anglin
Company
QinetiQ North America
Street
7918 Jones Branch Drive, Suite 250
City, State, Zip
McLean, VA 22102
Report Contact
Name
Phil Wallisch
Company
HBGary
Street
3604 Fair Oaks Blvd, Suite 250
City, State, Zip
Sacramento, CA 95864
Report ID/#
Report Date: Month DD, YYYY
Page 2 of 51
1.
OVERVIEW ................................................................................................................................................................................4
2.
SUMMARY ................................................................................................................................................................................4
3.
RECOMMENDATIONS ................................................................................................................................................................4
POLICY/PROCESS ........................................................................................................................................................................................ 4
AFFECTED HOSTS........................................................................................................................................................................................ 4
AFFECTED USERS ........................................................................................................................................................................................ 5
TECHNOLOGY............................................................................................................................................................................................. 5
4.
IMPLEMENTATION SUMMARY ..................................................................................................................................................5
5.
SCAN SUMMARY – AS OF MM/DD/YYYY ...................................................................................................................................6
6.
HOST DETECTION & EXAMINATION SUMMARY ........................................................................................................................8
7.
HOST EXAMINATION DETAILS ................................................................................................................................................. 12
7.1.
EXFILTRATION HOSTS ............................................................................................................................................................. 12
7.1.1.
JMONTAGNADT - 10.10.104.134 ................................................................................................................................... 12
7.1.2.
MLEPOREDT1 - 10.10.64.171 ......................................................................................................................................... 13
7.1.3.
ARSOAFS - 10.2.27.104 .................................................................................................................................................. 14
7.2.
MSPOISCON (ADS) .................................................................................................................................................................. 15
7.2.1.
AI-ENGINEER-3 - 10.27.64.34 ......................................................................................................................................... 15
7.2.2.
ATKCOOP2DT - 10.27.64.53 ........................................................................................................................................... 17
7.3.
APT – ATI.EXE .......................................................................................................................................................................... 19
7.3.1.
B1SRVAPPS02 - 10.10.1.13 ............................................................................................................................................ 19
7.3.2.
LTNFS01 - 10.26.251.21 ................................................................................................................................................. 22
7.3.3.
WAL4FS02 - 10.10.10.20 ................................................................................................................................................ 24
7.3.4.
WKWONGT2 - 10.10.88.145 .......................................................................................................................................... 25
7.4.
APT – RASAUTO, IPRINP .......................................................................................................................................................... 26
7.4.1.
MPPT-RSMITH - 10.32.192.23........................................................................................................................................ 26
7.4.2.
RFSMOBILE - 10.32.192.24 ............................................................................................................................................ 27
7.4.3.
WALVISAPP-VTPSI - 10.10.1.82 ...................................................................................................................................... 28
7.4.4.
PSIDATA - 192.168.7.155 ............................................................................................................................................... 29
7.5.
IISSTART .................................................................................................................................................................................. 30
7.5.1.
ARBORTEX - 10.2.27.41 .................................................................................................................................................. 30
7.5.2.
JSEAQUISTDT1 - 10.10.64.179 ....................................................................................................................................... 31
7.5.3.
WALSU01 - 10.10.1.80 ................................................................................................................................................... 32
7.5.4.
WALSU02 - 10.10.10.17 ................................................................................................................................................. 33
7.5.5.
WALVISAPP - 10.10.1.59 ................................................................................................................................................ 33
7.5.6.
WALXDS01 - 10.10.1.62 ................................................................................................................................................. 34
7.6.
UPDATE.EXE ............................................................................................................................................................................ 35
7.6.1.
BEL_HORTON - 10.34.16.36 ........................................................................................................................................... 35
7.6.2.
DSPELLMANDT - 10.27.64.73 ......................................................................................................................................... 36
7.6.3.
GRAY_VM - 10.2.37.115 ................................................................................................................................................ 37
7.6.4.
HEC_AVTEMP1 - 10.2.50.48 ........................................................................................................................................... 38
7.7.
SVCHOST.EXE .......................................................................................................................................................................... 39
7.7.1.
AI-ENGINEER-4 - 10.27.64.62 ......................................................................................................................................... 39
7.7.2.
AMARALDT - 10.10.72.167 ............................................................................................................................................ 40
Confidential Information
Report ID/#
Report Date: Month DD, YYYY
Page 3 of 51
7.7.3.
B1HVAC01 - 10.10.64.25 ................................................................................................................................................ 41
7.8.
CTFMON.EXE .......................................................................................................................................................................... 42
7.8.1.
JARMSTRONGLT - 10.10.96.152 ..................................................................................................................................... 42
7.9.
HOSTNAME1 .............................................................................................................................................................................. 43
8.
MEMORY AND MALWARE ANALYSIS DETAILS ......................................................................................................................... 44
8.1.
8.2.
9.
FILENAME1/DETECTION NAME1 .................................................................................................................................................... 44
FILENAME2/DETECTION NAME2 .................................................................................................................................................... 45
INDICATORS ............................................................................................................................................................................ 47
9.1.
9.2.
9.3.
9.4.
FILE NAME IOC’S ........................................................................................................................................................................ 47
FILE BINARY IOC’S....................................................................................................................................................................... 48
LIVE SYSTEM (MEMORY) IOC’S...................................................................................................................................................... 48
LIVE SYSTEM (REGISTRY) IOC’S ...................................................................................................................................................... 49
10.
MANAGED HOSTS LIST ........................................................................................................................................................ 50
11.
GLOSSARY OF TERMS .......................................................................................................................................................... 50
12.
END OF REPORT .................................................................................................................................................................. 51
Confidential Information
Report ID/#
Report Date: Month DD, YYYY
Page 4 of 51
1. Overview
HBGary, Inc conducted an in-depth analysis of data collected in association with suspicious activity detected at the
organization network site. Collection and analysis efforts have been focused primarily on host level data in an effort to
locate malware or remote access tools.
The goals during this engagement were to detect compromised systems, both known and unknown malware, and
evidence of hacking activity that may be associated with suspicious outbound traffic, external attacks, or malicious
scanning. The engagement covers xx host machines physically located at location of network(s).
2. Summary
During the course of the engagement covering the period of date to date, HBGary placed an Active Defense™ server on
the client network. HBGary also maintained remote access to the server from a secure operations center located in
Sacramento, CA, where the collection and analysis was managed.
Through use of Digital DNA™, analysis of host memory, and reverse engineering of select files, HBGary was able to
discover compromised hosts on the network and develop indicators of compromise (IOC's) to determine the extent of
compromise across the entire network. At this time, HBGary has located two seriously compromised hosts out of a total
network of 78 hosts analyzed (excluding 6 offline/unavailable hosts). This report details all findings to date.
HBGary has confirmed that the organization network has been compromised on at least two hosts. Specifically, the
hosts hostnames show evidence of compromise involving a remote access tool. The remote access tool is a full featured
backdoor and has a primary function to serve as a network traffic proxy. An attacker can route all network traffic
through the compromised hosts. This would account for unexplained suspicious traffic being generated from these two
hosts.
3. Recommendations
Policy/Process
-
-
Auditing Policy
o Enable Audit Process Tracking (Successful) in audit policy for all hosts. Set Security logs to 80MB (at
least)
Reimage Policy
o Make reimaging a standard procedure when malicious code successfully executes with positive
exposure time on a host (any time antivirus doesn’t catch the executable during the attempt).
o Make reimaging a standard procedure when a host changes owners.
Affected Hosts
-
Action is recommended on each host examined. In summary, all hosts found indicators of compromise (IOC) be
reimaged at a minimum. Other actions including forensic preservation, monitoring, and further IOC searching, are
also recommended. These recommendations are listed on each host examined below.
Confidential Information
Report ID/#
Report Date: Month DD, YYYY
Page 5 of 51
Affected Users
-
All users and operators of infected systems (at a minimum) should have passwords reset.
Technology
-
-
Web Proxy
o Allows for blocking of malicious/inappropriate websites (banner ads in particular)
o Allows for capturing and audit of HTTP/HTTPS traffic (identify and correlate C2 activity, malicious
domains, network forensics)
Active Defense with Digital DNA
o Troubleshoot/Deploy Active Defense to remainder of network hosts and scan for additional IOCs.
Host-Based IPS
o Can be configured to block lateral movement activities, such as psexec and at commands.
RSA (2-Factor) Authentication (For servers and domain admin accounts)
o Useful for restricting and securing domain admin accounts and server logins to personnel that are issued
hardware “tokens”.
4. Implementation Summary
Implementation Information
Active Defense Version
1.1.0.271 (Server)
2.0.0.736 (Agent)
Deployment Type
Deployment Location
IT Contact
A/D Implementation Date
Technician
Notes
Confidential Information
HBGary Provided Server (HBAD)
Report ID/#
Report Date: Month DD, YYYY
Page 6 of 51
5. Scan Summary – As of mm/dd/yyyy
Deployment Statistics
Deployment Statistics
Total Hosts Managed
Additional Hosts Pending
973
27
Total Hosts Managed
Total Hosts Pending
Scan Summary
Scan Summary
Verified
Infected/PuP
Suspicious/P
ending
Scanned
Clean
Offline/Pendi
ng Install
Scanned but
not Sorted
Malware infection or potentially
unwanted program
Deemed suspicious and need
further analysis
Scanned and determined to be
free of suspicious programs
Verified Infected/PuP
Suspicious/Pending
Scanned Clean
Still require DDNA to be installed
Scanned but remain to be
categorized into groups
Confidential Information
Offline/Pending Install
Scanned but not Sorted
Report ID/#
Report Date: Month DD, YYYY
Page 7 of 51
Pending Hosts Summary
Pending Hosts Summary
Pending/Offline
Pending/Technical Issues
Pending/Authentication Issues
Pending/Offline
20
5
2
Pending/Technical
Issues
Pending/Authenticati
on Issues
Scanned Hosts Summary
Scanned Hosts Summary
Total Hosts Scanned
Pending Scan
953
20
Hosts Scanned
Hosts Pending Scan
Confidential Information
Report ID/#
Report Date: Month DD, YYYY
Page 8 of 51
Detection Summary
Detection Summary
NTF/Clean
APT – ATI.EXE
APT – Rasauto, Iprinp
Unconfirmed - iisstart.htm
Unconfirmed – update.exe
APT
TDSS (RAT)
PuP
4
4
6
4
NTF/Clean
25
13
PuP
RAT
Trojan
etc
6. Host Detection & Examination Summary
**Yellow means files have not been collected (MFT, EVT, etc). Might not be 100% accurate but is close.
Host Examination Summary – APT Group 1
Hostname
IP
JMONTAGNADT
10.10.104.134
Exfiltration Point
NTF/Not Infected
MLEPOREDT1
10.10.64.171
Exfiltration Point
NTF/Not Infected
ARSOAFS
10.2.27.104
Exfiltration Point
NTF/Not Infected
B1SRVAPPS02
10.10.1.13
ati.exe (7A9AE5)
LTNFS01
10.26.251.21
ati.exe
WAL4FS02
10.10.10.20
ati.exe (B2E2FB)
WKWONGT2
10.10.88.145
ati.exe
Infected
ARBORTEX
10.2.27.41
iisstart[1].htm
Pending Further
Analysis
7/19/2010 3:19
Indicator of possible communication with C2
server
JSEAQUISTDT1
10.10.64.179
iisstart[1].htm
Pending Further
Indicator of possible communication with C2
Confidential Information
Alert/Detection
State
Infected
7/19/2010 1:31
Infected
7/22/2010 1:46
Infected
8/30/2010 5:00
Description
Nothing notable identified in MFT. Security logs
did not go back far enough/or contain data
Observed net.exe-pf and net1.exe-pf on 7/14 at
14:03 (UTC time). Did not see any other artifacts
from around the time. No other observable
activity from the file system or logs going back to
5/28/2010
Gap in file create times from 6/14/2010 to
8/17/2010. EVTX files created 8/17/2010, do not
contain data going back further than that.
C:\Documents And Settings\Default User\Local
Settings\Temp
C:\Documents And Settings\Default User\Local
Settings\Temp
C:\Documents And Settings\Default User\Local
Settings\Temp
DELETED BY CUSTOMER on 9/13/10 before HB
could collect
Report ID/#
Report Date: Month DD, YYYY
Page 9 of 51
Analysis
7/19/2010 14:43
WALSU01
10.10.1.80
iisstart[1].htm
Pending Further
Analysis
8/25/2010 18:33
WALSU02
10.10.10.17
iisstart[1].htm
Pending Further
Analysis
8/3/2010 7:29
WALVISAPP
10.10.1.59
iisstart[1].htm
Pending Further
Analysis
4/21/2009 7:26
WALXDS01
10.10.1.62
iisstart[1].htm
Pending Further
Analysis
1/21/2009 13:14
AI-ENGINEER-3
10.27.64.34
mspoiscon
Infected
ATKCOOP2DT
mspoiscon
Infected
MPPT-RSMITH
10.32.192.23
rasauto32.dll (FC63A3)
iprinp.dll (0D24E1)
RFSMOBILE
10.32.192.24
rasauto32.dll (250276)
WALVISAPPVTPSI
10.10.1.82
rasauto32.dll (250276)
ati.exe (759C5C)
iprinp.dll (6EA17F)
svchost.exe (A9425C)
BEL_HORTON
10.34.16.36
update.exe
Infected
DSPELLMANDT*
10.27.64.73
update.exe
Infected
GRAY_VM
10.2.37.115
update.exe
Infected
HEC_AVTEMP1
10.2.50.48
update.exe
Infected
PSIDATA
192.168.7.155
rasauto32.dll (250276)
111.exe (5E7EA7)
Infected
8/31/2010 7:35
8/31/2010 7:33
Confidential Information
Infected
2/9/2010 3:29:43
3/29/2010
23:21:30
Infected
5/24/2010
22:50:41
Infected
8/4/2004 5:00
8/30/2010 8:10
7/20/2010 2:41
7/20/2010 2:50
server
C:\Documents and
Settings\NetworkService\Local
Settings\Temporary Internet
Files\Content.IE5\PJGSPG0B\iisstart[1].htm
Indicator of possible communication with C2
server
C:\Documents and
Settings\neil.kuchman.hd\Local
Settings\Temporary Internet
Files\Content.IE5\3W4F1LDI\iisstart[1].htm
Indicator of possible communication with C2
server
C:\Documents and
Settings\MIKEHD~1.MOS\Local
Settings\Temporary Internet
Files\Content.IE5\5ANUZTCE\iisstart[1].htm
Indicator of possible communication with C2
server
C:\Documents and Settings\visual.admin\Local
Settings\Temporary Internet
Files\Content.IE5\U0E17C0E\
Indicator of possible communication with C2
server
C:\Documents and Settings\mmoss\Local
Settings\Temporary Internet
Files\Content.IE5\8TYZ4T6N\
Discovered by IOC registry scan – malware
embedded in ADS
Discovered by IOC registry scan – malware
embedded in ADS
\windows\system32
\windows\system32
\windows\system32
\windows\system32
\documents and settings\NetworkService\local
settings\temp
\windows\system32
\windows\temp
\windows\system32
\windows\system32
Report ID/#
Report Date: Month DD, YYYY
Page 10 of 51
AI-ENGINEER-4
10.27.64.62
svchost.exe (09B63F)
AMARALDT
10.10.72.167
svchost.exe (09B63F)
B1HVAC01
10.10.64.25
svchost.exe (09B63F)
JARMSTRONGLT
10.10.96.152
ctfmon.exe (0D6FBB)
Infected
9/9/2009 23:02
Infected
Fall/2009
Infected
9/8/2009 9:13:00
Infected
7/10/2010
8:40:00
\RECYCLER
\RECYCLER
\RECYCLER
\windows\system
Host Examination Summary – TDSS Group 1
Hostname
IP
Alert/Detection
State
Description
VCOMPARATOLT
10.10.64.17
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
TALONPARTS
10.10.96.27
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
SWILCOXDT
10.10.64.102
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
SKAUFMANLT
10.10.96.151
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
MSULLIVANDT2
10.10.72.147
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
DGOLICKDT
10.10.64.193
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
C4ISRLABDT116
10.10.64.125
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
ABATESDT
10.10.72.142
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
C4ISRLAB156LT
10.10.64.207
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
SAZARIANLT
10.10.64.39
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
RWIESMANDT
10.10.64.161
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
RSETLURDT
10.10.72.26
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
RBATISTADT2
10.10.72.138
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
MKASTANASDT2
10.10.80.16
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
KHELLERLT2
10.10.72.18
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
JVALENTINE
10.10.72.15
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
JMILLIKENDT
10.10.80.143
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
JDESCOTEAUXDT
10.10.64.104
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
BJOHNSONDT2
10.10.64.191
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
RPEMPSELLDT2
10.10.72.152
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
TKURTHDT
10.10.64.21
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
Confidential Information
Report ID/#
Report Date: Month DD, YYYY
Page 11 of 51
TALONTECHDT2
10.10.96.142
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
PIMSOL_CURTIS
10.2.50.47
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
FAIRCHILD3_HEC
10.2.30.21
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
UNDERWOOD1CB
M
10.2.40.158
Memory Mod – svchost.exe
Infected
TDSS Remote Access Trojan (RAT)
Confidential Information
Report ID/#
Report Date: Month DD, YYYY
Page 12 of 51
7. Host Examination Details
7.1.EXFILTRATION HOSTS
7.1.1. JMONTAGNADT - 10.10.104.134
Alert/Detection
Exfiltration Point
Detection Date
Detection Source
Customer Reported
Hostname
JMONTAGNADT
IP Address
10.10.104.134
Host Type
Workstation
Host OS
Microsoft Windows XP Professional
Service Pack 3 (build 2600)
Host State
NTF/Not Infected
Examination Date
9/14/2010
Root Cause (IPI)
Finding
Unable to Identify
Threat Classification
Direct/External
Occurrence (IPI)
Date
Remediation
Recommendations
Unable to Identify
Possible Forensic Analysis (Data undeletion and disk string searches)
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Examination Notes
Nothing notable identified in MFT. Security logs did not go back far enough/or contain data. Time key in registry was not found.
Confidential Information
Report ID/#
Report Date: Month DD, YYYY
Page 13 of 51
7.1.2. MLEPOREDT1 - 10.10.64.171
Alert/Detection
Exfiltration Point
Detection Date
Detection Source
Customer Reported
Hostname
MLEPOREDT1
IP Address
10.10.64.171
Host Type
Workstation
Host OS
Microsoft Windows XP Professional
Service Pack 3 (build 2600)
Host State
Not Infected – Suspicious Activity
Found
Examination Date
9/14/2010
Root Cause (IPI)
Finding
Unable to Identify
Occurrence (IPI)
Date
Unable to Identify
Remediation
Recommendations
Possible Forensic Analysis (Data undeletion and disk string searches)
Backup/Preserve/Image
Wipe/Reimage
Monitor
IOC Create/Search Remainder of Network
Threat Classification
Direct/External
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Examination Notes
Observed net.exe-pf and net1.exe-pf on 7/14 at 14:03 (UTC time). Did not see any other artifacts from around the time. No other
observable activity from the file system or logs going back to 5/28/2010.
Notable registry activity:
software\Time last modified 8/27/2010 9:46:04 UTC
dwLowDateTime key set to [hex] 00B6AA7C
Confidential Information
Report ID/#
Report Date: Month DD, YYYY
Page 14 of 51
-
dwHighDateTime key set to [hex] E047CB01
The registry date decodes to 8/30/2010 01:13:00 (UTC). No notable activity on file system at that time.
No malware was identified in memory on this system.
7.1.3. ARSOAFS - 10.2.27.104
Alert/Detection
Exfiltration Point
Detection Date
Detection Source
Customer Reported
Hostname
ARSOAFS
IP Address
10.2.27.104
Host Type
Unknown
Host OS
Microsoft (build 7600)
Host State
NTF/Not Infected
Examination Date
9/14/2010
Root Cause (IPI)
Finding
Unable to Identify
Threat Classification
Direct/External
Occurrence (IPI)
Date
Remediation
Recommendations
Unable to Identify
Possible Forensic Analysis (Data undeletion and disk string searches)
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
File Comment
Examination Notes
Confidential Information
Accessed Date
Create Date
Entry Modified Date
Report ID/#
Report Date: Month DD, YYYY
Page 15 of 51
Gap in file create times from 6/14/2010 to 8/17/2010. EVTX files created 8/17/2010, do not contain data going back further than
that.
No event logs, no ntuser.dat files, no prefetch files; possible bad pull but it did seem to run ok (pulled by registry hives from
system32)
7.2.MSPOISCON (ADS)
7.2.1. AI-ENGINEER-3 - 10.27.64.34
Alert/Detection
Mspoiscon (Embedded in Alternate Data Stream C:\Windows\System32:mspoiscon)
Detection Date
Hostname
AI-ENGINEER-3
Host Type
Detection Source
IOC Scan – Registry Service (rasauto)
IP Address
10.27.64.34
Host OS
Host State
Infected
Examination Date
9/16/2010
Root Cause (IPI)
Finding
Possible Browser Exploit
Occurrence (IPI)
Date
Suspected 9/21/2009
Direct/External
Remediation
Recommendations
Backup/Preserve/Image
Wipe/Reimage
Monitor
IOC Create/Search Remainder of Network
Threat Classification
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
File Comment
Examination Notes
Confidential Information
Accessed Date
Create Date
Entry Modified Date
Report ID/#
Report Date: Month DD, YYYY
Page 16 of 51
File/Event
Date/Time
qmmad
9/21/09 12:29
Launch Internet Explorer Browser.lnk
9/21/09 12:29
brndlog.bak
9/21/09 12:29
Desktop.htt
9/21/09 12:29
brndlog.txt
9/21/09 12:29
security.config
9/21/09 12:29
security.config.cch
9/21/09 12:29
hh.dat
9/21/09 12:29
desktop.ini
9/21/09 12:29
foster-miller.asf
9/21/09 12:29
foster-miller.wmv
9/21/09 13:40
somrt.uid
9/21/09 13:40
foster-miller.hke
Application Popup/26;Info;IEXPLORE.EXE - DLL Initialization Failed - The application failed
to initialize because the window station is shutting down.
Application Popup/26;Info;IEXPLORE.EXE - DLL Initialization Failed - The application failed
to initialize because the window station is shutting down.
Application Popup/26;Info;IEXPLORE.EXE - DLL Initialization Failed - The application failed
to initialize because the window station is shutting down.
Application Popup/26;Info;IEXPLORE.EXE - DLL Initialization Failed - The application failed
to initialize because the window station is shutting down.
Application Popup/26;Info;IEXPLORE.EXE - DLL Initialization Failed - The application failed
to initialize because the window station is shutting down.
Application Popup/26;Info;IEXPLORE.EXE - DLL Initialization Failed - The application failed
to initialize because the window station is shutting down.
9/21/09 13:40
Mon Sep 21 2009 13:44:23
Mon Sep 21 2009 13:44:23
Mon Sep 21 2009 13:44:23
Mon Sep 21 2009 13:44:23
Mon Sep 21 2009 13:44:23
Mon Sep 21 2009 13:44:23
04192.dat
9/21/09 15:18
UT_1_~1.PNG
9/21/09 16:51
trans1x1[1].gif
9/21/09 16:52
install.bat
9/21/09 16:53
On.reg
9/21/09 16:53
Hookmsgina.dll
9/21/09 16:53
ctrl_ctxtmenu[1].htc
9/21/09 16:54
ctrl_ctxtmenu[1].js
9/21/09 16:54
flg-m-6[1].gif
9/21/09 16:54
flg-compl[1].gif
9/21/09 16:54
01600.dat
9/21/09 17:10
05308.dat
McLogEvent/258;Warn;The file C:/WINDOWS/SYSTEM32/FOSTER-MILLER.EXE contains
Generic BackDoor!bad Trojan. The file was successfully deleted.
McLogEvent/258;Warn;The file C:/WINDOWS/SYSTEM32/FOSTER-MILLER.EXE contains
Generic BackDoor!bad Trojan. The file was successfully deleted.
McLogEvent/258;Warn;The file C:/WINDOWS/system32/foster-miller.exe contains Generic
BackDoor!bad Trojan. The file was successfully deleted.
9/21/09 17:41
Confidential Information
Thu Oct 08 2009 14:55:05
Thu Oct 08 2009 14:55:05
Thu Oct 08 2009 14:55:05
Report ID/#
Report Date: Month DD, YYYY
Page 17 of 51
McLogEvent/258;Warn;The file C:/WINDOWS/system32/foster-miller.exe contains Generic
BackDoor!bad Trojan. The file was successfully deleted.
-
-
Thu Oct 08 2009 14:55:05
It is likely the foster-miller.exe that was quarantined on 10/8/2009 was originally dropped and executed
9/21/2009 as part of an attack using internet explorer and ASF (advanced streaming format).
It is not known if the victim (user qmmad) was targeted by a “spear-phish” email that directed him/her to the
malicious browser page, however based on the name of the executable some degree of social engineering was
involved. This indicates a direct/external threat agent at the source of the attack.
The event logs were not capturing process events. This is recommended to better identify and track malicious
process/program activity.
7.2.2. ATKCOOP2DT - 10.27.64.53
Alert/Detection
Mspoiscon (Embedded in Alternate Data Stream C:\Windows\System32:mspoiscon)
Detection Date
Detection Source
IOC Scan – Registry Service (rasauto)
Hostname
ATKCOOP2DT
IP Address
10.27.64.53
Host Type
Workstation
Host OS
Microsoft Windows XP Professional
Service Pack 3 (build 2600)
Host State
Infected
Examination Date
Root Cause (IPI)
Finding
Unable to Identify
Occurrence (IPI)
Date
Direct/External
Remediation
Recommendations
Backup/Preserve/Image
Wipe/Reimage
Monitor
IOC Create/Search Remainder of Network
File Path
C:\windows\system32: mspoiscon.exe
Threat Classification
Malicious File – system32:mspoiscon.exe
File Name
mspoiscon.exe
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – system32:msomsysdm.exe
File Name
msomsysdm.exe
File Size
Modified Date
Confidential Information
File Path
C:\windows\system32:msomsysdm.exe
File Hash
Accessed Date
Create Date
Entry Modified Date
Report ID/#
Report Date: Month DD, YYYY
Page 18 of 51
n/a
n/a
n/a
n/a
File Comment
Examination Notes
-
Identified malicious file and keylogger in an alternate data stream inside of the system32 folder. This was found
by running an IOC search for registry keys related to rasauto service.
-
The prefetch contains an entry for SYSTEM32, with create date 7/30/09 14:53 (UTC). This indicates an executable
was run from an alternate data stream inside of the system32 folder as far back as this date. Analysis of the
SYSTEM32 prefetch file yields the following:
SYSTEM32 - [SYSTEM32:MSOMSYSDM.EXE] was executed - run count [8]- full path: [<path not found in Layout.ini>] - DLLs
loaded: {WINDOWS/SYSTEM32/NTDLL.DLL - WINDOWS/SYSTEM32/KERNEL32.DLL - WINDOWS/SYSTEM32/USER32.DLL WINDOWS/SYSTEM32/GDI32.DLL - WINDOWS/SYSTEM32/IMM32.DLL - WINDOWS/SYSTEM32/ADVAPI32.DLL WINDOWS/SYSTEM32/RPCRT4.DLL - WINDOWS/SYSTEM32/SECUR32.DLL - WINDOWS/SYSTEM32/UXTHEME.DLL WINDOWS/SYSTEM32/MSVCRT.DLL - WINDOWS/SYSTEM32/VERSION.DLL - WINDOWS/SYSTEM32/OLE32.DLL WINDOWS/SYSTEM32/ADVPACK.DLL - WINDOWS/SYSTEM32/SETUPAPI.DLL - WINDOWS/SYSTEM32/SHLWAPI.DLL WINDOWS/SYSTEM32/MSCTF.DLL}
-
Evidence of two alternate data streams inside of SYSTEM32 were identified in the ntuser.dat file for several users;
particularly user account “pasay”:
MUICache
Software\Microsoft\Windows\ShellNoRoam\MUICache
LastWrite Time Wed Sep 1 14:43:53 2010 (UTC)
C:\WINDOWS\system32:msomsysdm.exe (msomsysdm)
C:\WINDOWS\system32:mspoiscon.exe (mspoiscon)
-
Winspy was observed as having been installed on the system back in 2009, as taken from the ntuser.dat file for
user “Administrator”:
MUICache
Software\Microsoft\Windows\ShellNoRoam\MUICache
LastWrite Time Thu Oct 15 19:07:44 2009 (UTC)
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet
Files\Content.IE5\OLIB852J\wssetup[1].exe (Super Winspy Setup)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-J2N0H.tmp\wssetup[1].tmp (Setup/Uninstall)
C:\Program Files\Winspy\winspy.exe (winspy)
C:\Program Files\Winspy\unins000.exe (Setup/Uninstall)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_iu14D2N.tmp (Setup/Uninstall)
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet
Files\Content.IE5\4LAR0PAZ\IndexDatSpy210[1].exe (Index Dat Spy Setup)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-783HA.tmp\IndexDatSpy210[1].exe.tmp (Setup/Uninstall)
C:\Program Files\Index Dat Spy\IndexDatSpy.exe (Index Dat Spy Application)
Timeline
Timestamp
7/30/2009 7:44
Type
File System
Confidential Information
Category
Created
File
C:\Documents and Settings\jjones\Application
Report ID/#
Report Date: Month DD, YYYY
Page 19 of 51
7/30/2009 7:44
File System
Last Write
7/30/2009 7:44
File System
Created
7/30/2009 7:45
7/30/2009 7:45
7/30/2009 7:46
7/30/2009 7:46
System Log
System Log
System Log
System Log
Logon/Logoff
Privilege Use
Object Access
Logon/Logoff
7/30/2009 7:49
File System
Last Access
7/30/2009 7:49
File System
Last Write
7/30/2009 7:53
7/30/2009 7:53
Prefetch Cache
File System
Created
Created
-
Data\Mozilla\Firefox\Crash Reports\InstallTime2009070611
C:\Documents and Settings\jjones\Application
Data\Mozilla\Firefox\Crash Reports\InstallTime2009070611
C:\Documents and Settings\jjones\Local
Settings\Temp\etilqs_2VM6fZOwY2Kkq3hT61Q8
Security
Security
Security
Security
C:\Documents and Settings\jjones\Local
Settings\Temp\etilqs_2VM6fZOwY2Kkq3hT61Q8
C:\Documents and Settings\jjones\Local
Settings\Temp\etilqs_2VM6fZOwY2Kkq3hT61Q8
C:\WINDOWS\Prefetch\SYSTEM32
C:\WINDOWS\Prefetch\SYSTEM32
Mspoiscon was caught and quarantined by Mcafee on 9/1:
McLogEvent/257;Info;The scan of C:/WINDOWS/system32:mspoiscon.exe has taken too
long to complete and is being canceled. Scan engine version used is 5400.1158 DAT
version 6091.0000.
McLogEvent/257;Info;The scan of C:/WINDOWS/system32:mspoiscon.exe has taken too
long to complete and is being canceled. Scan engine version used is 5400.1158 DAT
version 6091.0000.
McLogEvent/258;Warn;The file /SYSTEM32 contains Generic BackDoor!csa Trojan. The
file was successfully deleted.
McLogEvent/258;Warn;The file /SYSTEM32 contains Generic BackDoor!csa Trojan. The
file was successfully deleted.
McLogEvent/258;Warn;The file C:/WINDOWS/system32:mspoiscon.exe contains Generic
BackDoor!csa Trojan. The file was successfully deleted.
McLogEvent/258;Warn;The file C:/WINDOWS/system32:mspoiscon.exe contains Generic
BackDoor!csa Trojan. The file was successfully deleted.
Wed Sep 01 2010
07:39:45
Wed Sep 01 2010
07:39:45
Wed Sep 01 2010
07:39:45
Wed Sep 01 2010
07:39:45
Wed Sep 01 2010
07:39:45
Wed Sep 01 2010
07:39:45
Mspoiscon.exe was not recovered, however its keylog data was. Msomsysdm.exe was recovered, however.
7.3.APT – ATI.EXE
7.3.1. B1SRVAPPS02 - 10.10.1.13
Alert/Detection
ati.exe (7A9AE50EE0A4211EEED7D41658206234)
C:\Documents And Settings\Default User\Local Settings\Temp
Detection Date
Hostname
B1SRVAPPS02
Host Type
Confidential Information
Detection Source
IOC Scan – ATI.exe
IP Address
10.10.1.13
Host OS
Report ID/#
Report Date: Month DD, YYYY
Page 20 of 51
Host State
Infected
Examination Date
Root Cause (IPI)
Finding
Unable to Identify
Occurrence (IPI)
Date
7/19/2010 1:31
Direct/External
Remediation
Recommendations
Backup/Preserve/Image
Wipe/Reimage
Monitor
IOC Create/Search Remainder of Network
Threat Classification
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Examination Notes
Data pulled and converted. Security events from 9/7/2010 to 9/10/2010 only.
7/19/2010 - Filesystem [Last Access] activity - net, net1, at, netmsg, iisstart, ipconfig, ati.exe
7/19/2010 1:31
File System
7/19/2010 1:31
File System
7/19/2010 1:31
File System
7/19/2010 1:31
File System
7/19/2010 1:31
File System
Confidential Information
[Last Write] C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS Flags: Directory System
FileSize: 0
[Created] C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\S-1-518 - Flags: Directory System
FileSize: 0
[Last Write] C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User - Flags: Directory
System
FileSize: 0
[Created] C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\64fd47b1-d5d9-42abb9fb-efb07d9d0a3d - Flags: Hidden System Archive
FileSize: 388
[Last Access] C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\64fd47b1-d5d9-42abb9fb-efb07d9d0a3d - Flags: Hidden System Archive
FileSize: 388
Report ID/#
Report Date: Month DD, YYYY
Page 21 of 51
7/19/2010 1:31
File System
7/19/2010 1:31
File System
7/19/2010 1:31
File System
7/19/2010 1:31
File System
7/19/2010 1:31
File System
7/19/2010 1:31
File System
7/19/2010 1:31
File System
7/19/2010 1:31
File System
7/19/2010 1:31
File System
7/19/2010 1:31
File System
7/19/2010 1:31
File System
7/19/2010 1:35
File System
7/19/2010 1:35
File System
7/19/2010 1:35
File System
7/19/2010 1:36
File System
7/19/2010 1:37
File System
7/19/2010 1:38
File System
7/19/2010 1:38
File System
7/19/2010 1:38
File System
7/19/2010 1:39
File System
Confidential Information
[Last Write] C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\64fd47b1-d5d9-42abb9fb-efb07d9d0a3d - Flags: Hidden System Archive
FileSize: 388
[Last Access] C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred - Flags:
Hidden System Archive Compressed
FileSize: 24
[Last Write] C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred - Flags:
Hidden System Archive Compressed
FileSize: 24
[Last Write] C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\S-15-18 - Flags: Directory System
FileSize: 0
[Created] C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\S-1-518\6d14e4b1d8ca773bab785d1be032546e_b3e95e21-4755-48dc-92d6-fa3fb36f0964 - Flags:
System Archive
FileSize: 47
[Last Access] C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\S1-5-18\6d14e4b1d8ca773bab785d1be032546e_b3e95e21-4755-48dc-92d6-fa3fb36f0964 Flags: System Archive
FileSize: 47
[Last Write] C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\S-15-18\6d14e4b1d8ca773bab785d1be032546e_b3e95e21-4755-48dc-92d6-fa3fb36f0964 Flags: System Archive
FileSize: 47
[Created] C:\Documents and Settings\Default User\Local Settings\Temp\ati.exe - Flags: Archive
FileSize: 388096
[Last Access] C:\Documents and Settings\Default User\Local Settings\Temp\ati.exe - Flags:
Archive
FileSize: 388096
[Last Write] C:\Documents and Settings\Default User\Local Settings\Temp\ati.exe - Flags:
Archive
FileSize: 388096
[Last Access] C:\WINDOWS\system32\ipconfig.exe - Flags: Archive Compressed
FileSize: 63488
[Last Access] C:\WINDOWS\system32\drivers\etc\hosts - Flags: Archive
FileSize: 734
[Last Access] C:\WINDOWS\system32\lsasrv.dll - Flags: Archive
FileSize: 824320
[Last Access] C:\WINDOWS\system32\samsrv.dll - Flags: Archive
FileSize: 461312
[Last Access] C:\WINDOWS\system32\net1.exe - Flags: Archive
FileSize: 127488
[Last Access] C:\WINDOWS\system32\at.exe - Flags: Archive Compressed
FileSize: 25088
[Last Write] C:\DMI - Flags: Directory
FileSize: 0
[Last Access] C:\WINDOWS\system32\net.exe - Flags: Archive
FileSize: 42496
[Last Access] C:\WINDOWS\system32\netmsg.dll - Flags: Archive
FileSize: 182272
[Last Write] C:\Documents and Settings\Default User\Local Settings\Temp - Flags: Directory
FileSize: 0
Report ID/#
Report Date: Month DD, YYYY
Page 22 of 51
7.3.2. LTNFS01 - 10.26.251.21
Alert/Detection
ati.exe
C:\Documents And Settings\Default User\Local Settings\Temp
Detection Date
Hostname
LTNFS01
Host Type
Detection Source
IOC Scan – ATI.exe
IP Address
10.26.251.21
Host OS
Host State
Infected
Examination Date
Root Cause (IPI)
Finding
Unable to Identify
Occurrence (IPI)
Date
7/22/2010 1:46:00 AM
Direct/External
Remediation
Recommendations
Backup/Preserve/Image
Wipe/Reimage
Monitor
IOC Create/Search Remainder of Network
Threat Classification
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Examination Notes
Security events from 8/26/2010 to 9/10/2010 only. Gap in events from April 2010 to August 2010
7/22/2010 suspicious activity on filesystem, 1:44 to 1:46 (UTC) - reg32.exe, ati.exe, net.hlp, ipconfig.exe. The following times are in
UTC -700:
7/21/2010 18:44
File System
7/21/2010 18:44
File System
Confidential Information
[Created] C:\WINDOWS\system32\reg32.exe - Flags: Archive
FileSize: 599040
[Last Access] C:\WINDOWS\system32\reg32.exe - Flags: Archive
FileSize: 599040
Report ID/#
Report Date: Month DD, YYYY
Page 23 of 51
7/21/2010 18:45
System Log
[2] [System] [W32Time] -
7/21/2010 18:46
File System
[Last Write] C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS Flags: Directory System
FileSize: 0
7/21/2010 18:46
File System
[Created] C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\S-1-518 - Flags: Directory System
FileSize: 0
7/21/2010 18:46
File System
[Last Write] C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User - Flags: Directory System
FileSize: 0
7/21/2010 18:46
File System
[Created] C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\279696c1-1c64-44fb-9735c7691609bc94 - Flags: Hidden System Archive
FileSize: 388
7/21/2010 18:46
File System
[Last Access] C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\279696c1-1c64-44fb9735-c7691609bc94 - Flags: Hidden System Archive
FileSize: 388
7/21/2010 18:46
File System
[Last Write] C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\279696c1-1c64-44fb9735-c7691609bc94 - Flags: Hidden System Archive
FileSize: 388
7/21/2010 18:46
File System
[Last Write] C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\S-1-518 - Flags: Directory System
FileSize: 0
File System
[Created] C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\S-1-518\6d14e4b1d8ca773bab785d1be032546e_78cfe365-a203-42de-8d4d-72921b7e7a7e - Flags:
System Archive
FileSize: 47
File System
[Last Access] C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\S-15-18\6d14e4b1d8ca773bab785d1be032546e_78cfe365-a203-42de-8d4d-72921b7e7a7e - Flags:
System Archive
FileSize: 47
7/21/2010 18:46
File System
[Last Write] C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\S-1-518\6d14e4b1d8ca773bab785d1be032546e_78cfe365-a203-42de-8d4d-72921b7e7a7e - Flags:
System Archive
FileSize: 47
7/21/2010 18:46
File System
[Last Write] C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred - Flags: Hidden
System Archive
FileSize: 24
7/21/2010 18:46
File System
[Last Write] C:\Documents and Settings\ASPNET\Local Settings\Temp - Flags: Directory
FileSize: 0
7/21/2010 18:46
File System
[Created] C:\Documents and Settings\Default User\Local Settings\Temp\ati.exe - Flags: Archive
FileSize: 389120
7/21/2010 18:46
File System
[Last Write] C:\Documents and Settings\ASPNET\Local Settings\Temp\ati.exe - Flags: Archive
FileSize: 389120
7/21/2010 18:46
File System
[Last Write] C:\Documents and Settings\Default User\Local Settings\Temp\ati.exe - Flags:
Archive
FileSize: 389120
7/21/2010 18:48
File System
[Last Write] C:\WINDOWS\Tasks - Flags: Directory System
FileSize: 0
7/21/2010 18:51
File System
[Last Access] C:\WINDOWS\system32\net.hlp - Flags: Archive
FileSize: 102434
7/21/2010 18:46
7/21/2010 18:46
Confidential Information
Report ID/#
Report Date: Month DD, YYYY
Page 24 of 51
7/21/2010 18:57
File System
[Last Access] C:\WINDOWS\system32\ipconfig.exe - Flags: Archive
FileSize: 63488
7/21/2010 18:58
File System
[Last Write] C:\Documents and Settings\Default User\Local Settings\Temp - Flags: Directory
FileSize: 0
7.3.3. WAL4FS02 - 10.10.10.20
Alert/Detection
ati.exe (B2E2FBD14E7DBA1F0F7097742D4AAA02)
C:\Documents And Settings\Default User\Local Settings\Temp
Detection Date
Hostname
WAL4FS02
Host Type
Detection Source
IOC Scan – ATI.exe
IP Address
10.10.10.20
Host OS
Host State
Infected
Examination Date
Root Cause (IPI)
Finding
Unable to Identify
Occurrence (IPI)
Date
8/30/2010 5:00:00 AM
Direct/External
Remediation
Recommendations
Backup/Preserve/Image
Wipe/Reimage
Monitor
IOC Create/Search Remainder of Network
Threat Classification
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
File Comment
Examination Notes
Confidential Information
Accessed Date
Create Date
Entry Modified Date
Report ID/#
Report Date: Month DD, YYYY
Page 25 of 51
7.3.4. WKWONGT2 - 10.10.88.145
Alert/Detection
ati.exe (DELETED BY CUSTOMER on 9/13/10 before HB could collect)
Detection Date
Hostname
Detection Source
WKWONGT2
Host Type
IP Address
10.10.88.145
Host OS
Host State
Infected
Examination Date
Root Cause (IPI)
Finding
Unable to Identify
Occurrence (IPI)
Date
Unable to Determine
Direct/External
Remediation
Recommendations
Backup/Preserve/Image
Wipe/Reimage
Monitor
IOC Create/Search Remainder of Network
Threat Classification
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
File Comment
Examination Notes
Confidential Information
Accessed Date
Create Date
Entry Modified Date
Report ID/#
Report Date: Month DD, YYYY
Page 26 of 51
System taken offline before evidence could be collected/analyzed
7.4.APT – RASAUTO, IPRINP
7.4.1. MPPT-RSMITH - 10.32.192.23
Alert/Detection
rasauto32.dll (FC63A35A36B84B11470D025A1D885A6B) - \windows\system32
iprinp.dll (0D24E1B5814439460E030617890A17FE) - \windows\system32
Detection Date
Hostname
Detection Source
MPPT-RSMITH
Host Type
IP Address
10.32.192.23
Host OS
Host State
Infected
Examination Date
Root Cause (IPI)
Finding
Unable to Identify
Occurrence (IPI)
Date
Threat Classification
Direct/External
Remediation
Recommendations
(rasauto32.dll) 2/9/2010 3:29:43 AM
(iprinp.dll) 3/29/2010 11:21:30 PM
Backup/Preserve/Image
Wipe/Reimage
Monitor
IOC Create/Search Remainder of Network
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
File Comment
Examination Notes
Confidential Information
Accessed Date
Create Date
Entry Modified Date
Report ID/#
Report Date: Month DD, YYYY
Page 27 of 51
7.4.2. RFSMOBILE - 10.32.192.24
Alert/Detection
rasauto32.dll (2502766AF38E3AFEBB10D16EA52800FD) - \windows\system32
Detection Date
Hostname
Detection Source
RFSMOBILE
Host Type
IP Address
Host OS
Host State
Infected
Examination Date
Root Cause (IPI)
Finding
Unable to Identify
Occurrence (IPI)
Date
Direct/External
Remediation
Recommendations
Threat Classification
10.32.192.24
5/24/2010 10:50:41 PM
Backup/Preserve/Image
Wipe/Reimage
Monitor
IOC Create/Search Remainder of Network
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
File Comment
Examination Notes
Confidential Information
Accessed Date
Create Date
Entry Modified Date
Report ID/#
Report Date: Month DD, YYYY
Page 28 of 51
7.4.3. WALVISAPP-VTPSI - 10.10.1.82
Alert/Detection
rasauto32.dll (2502766AF38E3AFEBB10D16EA52800FD) - \windows\system32
ati.exe (759C5C77A203B02A8B6DEB9A6FBEC3E3) - \documents and settings\NetworkService\local
settings\temp
iprinp.dll (6EA17F3848EBEED671FC7217B3AE4071) - \windows\system32
svchost.exe A9425CF91E9F35EDE110B04FA2B63748) - \windows\temp
Detection Date
Hostname
Detection Source
WALVISAPP-VTPSI
Host Type
Host State
IP Address
10.10.1.82
Host OS
Infected
Examination Date
Root Cause (IPI)
Finding
Unable to Identify
Occurrence (IPI)
Date
Threat Classification
Direct/External
Remediation
Recommendations
(rasauto32.dll) 8/4/2004 5:00
(ati.exe) 8/30/2010 8:10
(iprinp.dll) 7/20/2010 2:41
(svchost.exe) 7/20/2010 2:50
Backup/Preserve/Image
Wipe/Reimage
Monitor
IOC Create/Search Remainder of Network
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
File Comment
Confidential Information
Accessed Date
Create Date
Entry Modified Date
Report ID/#
Report Date: Month DD, YYYY
Page 29 of 51
Examination Notes
7.4.4. PSIDATA - 192.168.7.155
Alert/Detection
rasauto32.dll (2502766AF38E3AFEBB10D16EA52800FD) - \windows\system32
111.exe (5E7EA7264E5FC7F447FC3BEC44145ABD) - \windows\system32
Detection Date
Hostname
Detection Source
PSIDATA
Host Type
IP Address
192.168.7.155
Host OS
Host State
Infected
Examination Date
Root Cause (IPI)
Finding
Unable to Identify
Occurrence (IPI)
Date
Threat Classification
Direct/External
Remediation
Recommendations
(rasauto32.dll) 8/31/2010 7:35
(111.exe) 8/31/2010 7:33
Backup/Preserve/Image
Wipe/Reimage
Monitor
IOC Create/Search Remainder of Network
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
File Comment
Examination Notes
Confidential Information
Accessed Date
Create Date
Entry Modified Date
Report ID/#
Report Date: Month DD, YYYY
Page 30 of 51
7.5.IISSTART
7.5.1. ARBORTEX - 10.2.27.41
Alert/Detection
iisstart[1].htm - Indicator of possible communication with C2 server
Detection Date
Hostname
ARBORTEX
Host Type
Detection Source
IOC Scan - iisstart
IP Address
10.2.27.41
Host OS
Host State
Pending Analysis
Root Cause (IPI)
Finding
Not Yet Determined
Threat Classification
Not Yet Determined
Examination Date
Occurrence (IPI)
Date
Remediation
Recommendations
7/19/2010 3:19:00 AM
Pending Further Analysis
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
File Comment
Examination Notes
Confidential Information
Accessed Date
Create Date
Entry Modified Date
Report ID/#
Report Date: Month DD, YYYY
Page 31 of 51
7.5.2. JSEAQUISTDT1 - 10.10.64.179
Alert/Detection
iisstart[1].htm - Indicator of possible communication with C2 server
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet
Files\Content.IE5\PJGSPG0B\iisstart[1].htm
Detection Date
Hostname
JSEAQUISTDT1
Host Type
Detection Source
IOC Scan - iisstart
IP Address
10.10.64.179
Host OS
Host State
Pending Analysis
Root Cause (IPI)
Finding
Not Yet Determined
Threat Classification
Not Yet Determined
Examination Date
Occurrence (IPI)
Date
Remediation
Recommendations
7/19/2010 2:43:00 PM
Pending Further Analysis
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
File Comment
Examination Notes
Confidential Information
Accessed Date
Create Date
Entry Modified Date
Report ID/#
Report Date: Month DD, YYYY
Page 32 of 51
7.5.3. WALSU01 - 10.10.1.80
Alert/Detection
iisstart[1].htm - Indicator of possible communication with C2 server
C:\Documents and Settings\neil.kuchman.hd\Local Settings\Temporary Internet
Files\Content.IE5\3W4F1LDI\iisstart[1].htm
Detection Date
Hostname
WALSU01
Host Type
Detection Source
IOC Scan - iisstart
IP Address
10.10.1.80
Host OS
Host State
Pending Analysis
Root Cause (IPI)
Finding
Not Yet Determined
Threat Classification
Not Yet Determined
Examination Date
Occurrence (IPI)
Date
Remediation
Recommendations
8/25/2010 6:33:00 PM
Pending Further Analysis
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
File Comment
Examination Notes
Confidential Information
Accessed Date
Create Date
Entry Modified Date
Report ID/#
Report Date: Month DD, YYYY
Page 33 of 51
7.5.4. WALSU02 - 10.10.10.17
Alert/Detection
iisstart[1].htm - Indicator of possible communication with C2 server
C:\Documents and Settings\MIKEHD~1.MOS\Local Settings\Temporary Internet
Files\Content.IE5\5ANUZTCE\iisstart[1].htm
Detection Date
Hostname
WALSU02
Host Type
Detection Source
IOC Scan - iisstart
IP Address
10.10.10.17
Host OS
Host State
Pending Analysis
Root Cause (IPI)
Finding
Not Yet Determined
Threat Classification
Not Yet Determined
Examination Date
Occurrence (IPI)
Date
Remediation
Recommendations
8/3/2010 7:29:00 AM
Pending Further Analysis
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Examination Notes
7.5.5. WALVISAPP - 10.10.1.59
Alert/Detection
iisstart[1].htm - Indicator of possible communication with C2 server
C:\Documents and Settings\visual.admin\Local Settings\Temporary Internet Files\Content.IE5\U0E17C0E\
Confidential Information
Report ID/#
Report Date: Month DD, YYYY
Page 34 of 51
Detection Date
Hostname
WALVISAPP
Host Type
Detection Source
IOC Scan - iisstart
IP Address
10.10.1.59
Host OS
Host State
Pending Analysis
Root Cause (IPI)
Finding
Not Yet Determined
Threat Classification
Not Yet Determined
Examination Date
Occurrence (IPI)
Date
Remediation
Recommendations
4/21/2009 7:26:00 AM
Pending Further Analysis
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Examination Notes
7.5.6. WALXDS01 - 10.10.1.62
Alert/Detection
iisstart[1].htm - Indicator of possible communication with C2 server
C:\Documents and Settings\mmoss\Local Settings\Temporary Internet Files\Content.IE5\8TYZ4T6N\
Detection Date
Detection Source
IOC Scan - iisstart
IP Address
10.10.1.62
Hostname
WALXDS01
Host Type
Confidential Information
Host OS
Report ID/#
Report Date: Month DD, YYYY
Page 35 of 51
Host State
Pending Analysis
Root Cause (IPI)
Finding
Not Yet Determined
Threat Classification
Not Yet Determined
Examination Date
Occurrence (IPI)
Date
Remediation
Recommendations
1/21/2009 1:14:00 PM
Pending Further Analysis
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Examination Notes
7.6.UPDATE.EXE
7.6.1. BEL_HORTON - 10.34.16.36
Alert/Detection
update.exe
Detection Date
Hostname
Detection Source
BEL_HORTON
Host Type
IP Address
Host OS
Host State
Infected
Examination Date
Root Cause (IPI)
Unable to Identify
Occurrence (IPI)
Confidential Information
10.34.16.36
Report ID/#
Report Date: Month DD, YYYY
Page 36 of 51
Finding
Date
Threat Classification
Remediation
Recommendations
Direct/External
Backup/Preserve/Image
Wipe/Reimage
Monitor
IOC Create/Search Remainder of Network
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Examination Notes
7.6.2. DSPELLMANDT - 10.27.64.73
Alert/Detection
update.exe
Detection Date
Hostname
Detection Source
DSPELLMANDT
Host Type
IP Address
10.27.64.73
Host OS
Host State
Infected
Root Cause (IPI)
Finding
Unable to Identify
Threat Classification
Direct/External
Confidential Information
Examination Date
Occurrence (IPI)
Date
Remediation
Recommendations
Backup/Preserve/Image
Wipe/Reimage
Report ID/#
Report Date: Month DD, YYYY
Page 37 of 51
Monitor
IOC Create/Search Remainder of Network
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Examination Notes
7.6.3. GRAY_VM - 10.2.37.115
Alert/Detection
update.exe
Detection Date
Hostname
Detection Source
GRAY_VM
Host Type
IP Address
Host OS
Host State
Infected
Examination Date
Root Cause (IPI)
Finding
Unable to Identify
Occurrence (IPI)
Date
Direct/External
Remediation
Recommendations
Threat Classification
10.2.37.115
Malicious File – filename.ext
Confidential Information
Backup/Preserve/Image
Wipe/Reimage
Monitor
IOC Create/Search Remainder of Network
Report ID/#
Report Date: Month DD, YYYY
Page 38 of 51
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Examination Notes
7.6.4. HEC_AVTEMP1 - 10.2.50.48
Alert/Detection
update.exe
Detection Date
Hostname
Detection Source
HEC_AVTEMP1
Host Type
IP Address
Host OS
Host State
Infected
Examination Date
Root Cause (IPI)
Finding
Unable to Identify
Occurrence (IPI)
Date
Direct/External
Remediation
Recommendations
Threat Classification
10.2.50.48
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Confidential Information
Backup/Preserve/Image
Wipe/Reimage
Monitor
IOC Create/Search Remainder of Network
Report ID/#
Report Date: Month DD, YYYY
Page 39 of 51
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Examination Notes
7.7.SVCHOST.EXE
7.7.1. AI-ENGINEER-4 - 10.27.64.62
Alert/Detection
svchost.exe (09B63FA595E13DAC5D0F0186AD483CDD) - \RECYCLER
Detection Date
Hostname
Detection Source
AI-ENGINEER-4
Host Type
IP Address
10.27.64.62
Host OS
Host State
Infected
Examination Date
Root Cause (IPI)
Finding
Unable to Identify
Occurrence (IPI)
Date
9/9/2009 11:02:00 PM
Direct/External
Remediation
Recommendations
Backup/Preserve/Image
Wipe/Reimage
Monitor
IOC Create/Search Remainder of Network
Threat Classification
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Confidential Information
Report ID/#
Report Date: Month DD, YYYY
Page 40 of 51
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Examination Notes
7.7.2. AMARALDT - 10.10.72.167
Alert/Detection
svchost.exe (09B63FA595E13DAC5D0F0186AD483CDD) - \RECYCLER
Detection Date
Hostname
Detection Source
AMARALDT
Host Type
IP Address
10.10.72.167
Host OS
Host State
Infected
Examination Date
Root Cause (IPI)
Finding
Unable to Identify
Occurrence (IPI)
Date
Fall/2009
Direct/External
Remediation
Recommendations
Backup/Preserve/Image
Wipe/Reimage
Monitor
IOC Create/Search Remainder of Network
Threat Classification
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Confidential Information
Accessed Date
Create Date
Entry Modified Date
Report ID/#
Report Date: Month DD, YYYY
Page 41 of 51
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Examination Notes
7.7.3. B1HVAC01 - 10.10.64.25
Alert/Detection
svchost.exe (09B63FA595E13DAC5D0F0186AD483CDD)
Detection Date
Hostname
Detection Source
B1HVAC01
Host Type
IP Address
10.10.64.25
Host OS
Host State
Infected
Examination Date
Root Cause (IPI)
Finding
Unable to Identify
Occurrence (IPI)
Date
9/8/2009 9:13:00 AM
Direct/External
Remediation
Recommendations
Backup/Preserve/Image
Wipe/Reimage
Monitor
IOC Create/Search Remainder of Network
Threat Classification
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
File Comment
Confidential Information
Accessed Date
Create Date
Entry Modified Date
Report ID/#
Report Date: Month DD, YYYY
Page 42 of 51
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Examination Notes
7.8.CTFMON.EXE
7.8.1. JARMSTRONGLT - 10.10.96.152
Alert/Detection
ctfmon.exe (0D6FBBEB9E2A750F7BA5E06406CC8582) - \windows\system
Detection Date
Hostname
Detection Source
JARMSTRONGLT
Host Type
IP Address
10.10.96.152
Host OS
Host State
Infected
Examination Date
Root Cause (IPI)
Finding
Unable to Identify
Occurrence (IPI)
Date
7/10/2010 8:40:00 AM
Direct/External
Remediation
Recommendations
Backup/Preserve/Image
Wipe/Reimage
Monitor
IOC Create/Search Remainder of Network
Threat Classification
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
File Comment
Confidential Information
Accessed Date
Create Date
Entry Modified Date
Report ID/#
Report Date: Month DD, YYYY
Page 43 of 51
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Examination Notes
7.9.Hostname1
Alert/Detection
Detection Date
Detection Source
Hostname
IP Address
Host Type
Host OS
Host State
Root Cause (IPI)
Finding
Threat Classification
Infected
Not Infected
Pending Analysis
Internet/Drive-By
Email/Spear-Phish
Removable Media
Software/Embedded Malware
Unable to Identify
Direct/External
Direct/Internal
Indirect/External
Indirect/Internal
False Positive/Normal
Examination Date
Occurrence (IPI)
Date
Remediation
Recommendations
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Confidential Information
Preserve/Image
Clean/Rescan
Wipe/Reimage
Monitor
IOC Create/Search
Whitelist
No Action Needed
Report ID/#
Report Date: Month DD, YYYY
Page 44 of 51
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Malicious File – filename.ext
File Name
File Path
File Size
File Hash
Modified Date
Accessed Date
Create Date
Entry Modified Date
File Comment
Examination Notes
8. Memory and Malware Analysis Details
8.1.Filename1/Detection Name1
Description
File Type
File Size
File Location/Path
File Hash
Compile Date
Attribution Data
Modified Date
Accessed Date
Create Date
Found on Host(s)
IPI Date
Note
Confidential Information
Entry Modified Date
Report ID/#
Report Date: Month DD, YYYY
Page 45 of 51
C2 Host(s)
Note
Malware Domains
Note
File Behavior/Other Information
8.2.Filename2/Detection Name2
Description
File Type
File Size
File Location/Path
File Hash
Compile Date
Attribution Data
Modified Date
Accessed Date
Create Date
Found on Host(s)
IPI Date
Note
Confidential Information
Entry Modified Date
Report ID/#
Report Date: Month DD, YYYY
Page 46 of 51
C2 Host(s)
File Behavior/Other Information
Confidential Information
Note
Report ID/#
Report Date: Month DD, YYYY
Page 47 of 51
9. Indicators
9.1. File Name IOC’s
Description of what this is.
Value
Malware
Notes
\rasauto32.dll
rasauto32.dll
\windows\system\ctfmon.exe
rasauto32.dll
\ati.exe
rasauto32.dll
\reg32.exe
\111.exe
rasauto32.dll
rasauto32.dll
\iisstart[1].htm
rasauto.dll
\iprinp.dll
\windows\ntshrui.dll
Iprinp.dll
ntshrui.dll
\windows\system32\update.exe
update.exe
\erroinfo.sy
update.exe
\a.bat
update.exe
mspoiscon
mspoiscon
\r.exe
rar.exe
\p.exe
pwdump
\gethash.exe
pwdump
\w.exe
PTH Toolkit
\remcomsvc.exe
RemCom
Svchost.exe
Anomalous
svchost.exe
The name rasauto32.dll is not legitimate. Look for any
instance.
Ctfmon.exe is a renamed version of rasauto32.dll. The
exact path must be used. There is a valid ctfmon.exe in the
\windows\system32 directory.
Ati.exe is a subcomponent of rasauto32.dll. Look for any
instance.
Reg32.exe is a renamed version of rasauto32.dll.
111.exe is the dropper for rasauto32.dll. It can exist in any
directory.
This internet history artifact can indicate a system
attempted to communicate to a command and control
server.
The name iprinp.dll is not legitimate. Look for any instance.
The exact path to ntshrui.dll must be used. The path
provides the persistence mechanism.
The exact path for update.exe must be used. There are
numerous valid update.exe files.
This indicator also covers erroinfo.sys. Both files are
artifacts created by update.exe.
The a.bat file is a batch file that executes update.exe. It can
exist in any directory.
Search for any file name containing mspoiscon. Limited
success is expected due to mspoiscon’s use of alternate
data streams to hide its presence.
R.exe was a renamed version of rar.exe. It can exist in any
directory.
P.exe was a renamed pwdump tool. It can exist in any
directory.
Gethash.exe was a renamed pwdump tool. It can exist in
any directory.
W.exe was a renamed portion of the PTH Toolkit. It can
exist in any directory.
Remcomsvc.exe is an artifact left on a system after the
execution of the RemCom.exe software. This artifact will
be present on a system even if the remcom.exe had been
renamed.
Discover any svchost.exe not in a standard path.
Confidential Information
Report ID/#
Report Date: Month DD, YYYY
Page 48 of 51
9.2. File Binary IOC’s
Description of what this is.
Value
Malware
Notes
macrosoft corp.
iprinp.dll
SvcHost.DLL.log
process-%d-stoped!
(PRI) Comment:
iprinp.dll
iprinp.dll
iprinp.dll
%s\%05d.dat
[email protected]
[email protected]
2j3c1k
72.167.34.54
iprinp.dll
iprinp.dll
iprinp.dll
iprinp.dll
rasauto32.dll
superhard corp.
rasauto32.dll
Installed RAM: %ldMB
Various
lsremora64.dll
72.167.33.182
67.152.57.55
66.228.132.129
66.228.132.130
66.228.132.
65.54.165.179
Pwdump
Unknown
Unknown
unknown
unknown
unknown
Unknown
216.246.75.123
mspoiscon
32.16.195.129
mspoiscon
119.167.225.48
happy.7766.org
123.183.210.26
mspoiscon
mspoiscon
msomsysdm
xyrn998754.2288.org
msomsysdm
nodns3.qipian.org
msomsysdm
208.73.210.85
msomsysdm
Some iprinp.dll variants create a patched system shell
with this unique string embedded.
This unique string is found in many iprinp.dll variants.
This unique string is found in many iprinp.dll variants.
This string appears in output from an iprinp.dll network
scan.
This unique string is found in many iprinp.dll variants.
Hard-coded credentials for the iprinp.dll MSN variant.
Hard-coded credentials for the iprinp.dll MSN variant.
Hard-coded credentials for the iprinp.dll MSN variant.
This IP address was hard-coded into many rasauto32.dll
variants.
Some rasauto32.dll variants create a patched system shell
with this unique string embedded.
String found in code from WinVNC and various APT
malware.
This string is found in pwdump variants.
QNAO reported malicious IP address.
QNAO reported malicious IP address.
QNAO reported exfiltration destination IP address.
QNAO reported exfiltration destination IP address.
QNAO reported netblock related to APT activity.
This IP address is possibly related to APT malware that
was using Neil certificate.
This IP was found in the memory of a system infected with
mspoiscon malware.
This IP was found in the memory of a system infected with
mspoiscon malware.
Command and control server for the mspoiscon malware.
Command and control server for the mspoiscon malware.
Command and control server for the msomsysdm
malware.
Command and control server for the msomsysdm
malware.
Command and control server for the msomsysdm
malware.
Command and control server for the msomsysdm
malware.
9.3. Live System (Memory) IOC’s
Description of what this is.
Confidential Information
Report ID/#
Report Date: Month DD, YYYY
Page 49 of 51
Value
Malware
Notes
macrosoft corp.
iprinp.dll
SvcHost.DLL.log
process-%d-stoped!
(PRI) Comment:
iprinp.dll
iprinp.dll
iprinp.dll
%s\%05d.dat
[email protected]
[email protected]
2j3c1k
72.167.34.54
iprinp.dll
iprinp.dll
iprinp.dll
iprinp.dll
rasauto32.dll
superhard corp.
rasauto32.dll
Installed RAM: %ldMB
Various
lsremora64.dll
72.167.33.182
67.152.57.55
66.228.132.129
66.228.132.130
66.228.132.
65.54.165.179
Pwdump
Unknown
Unknown
unknown
unknown
unknown
Unknown
216.246.75.123
mspoiscon
32.16.195.129
mspoiscon
119.167.225.48
happy.7766.org
123.183.210.26
mspoiscon
mspoiscon
msomsysdm
xyrn998754.2288.org
msomsysdm
208.73.210.85
msomsysdm
nodns3.qipian.org
msomsysdm
Some iprinp.dll variants create a patched system shell
with this unique string embedded.
This unique string is found in many iprinp.dll variants.
This unique string is found in many iprinp.dll variants.
This string appears in output from an iprinp.dll network
scan.
This unique string is found in many iprinp.dll variants.
Hard-coded credentials for the iprinp.dll MSN variant.
Hard-coded credentials for the iprinp.dll MSN variant.
Hard-coded credentials for the iprinp.dll MSN variant.
This IP address was hard-coded into many rasauto32.dll
variants.
Some rasauto32.dll variants create a patched system shell
with this unique string embedded.
String found in code from WinVNC and various APT
malware.
This string is found in pwdump variants.
QNAO reported malicious IP address.
QNAO reported malicious IP address.
QNAO reported exfiltration destination IP address.
QNAO reported exfiltration destination IP address.
QNAO reported netblock related to APT activity.
This IP address is possibly related to APT malware that
was using Neil certificate.
This IP was found in the memory of a system infected with
mspoiscon malware.
This IP was found in the memory of a system infected with
mspoiscon malware.
Command and control server for the mspoiscon malware.
Command and control server for the mspoiscon malware.
Command and control server for the msomsysdm
malware.
Command and control server for the msomsysdm
malware.
Command and control server for the msomsysdm
malware.
Command and control server for the msomsysdm
malware.
9.4. Live System (Registry) IOC’s
Description of what this is.
Value
Malware
Notes
Data Value = iprinp.dll
Data Value = rasauto32.dll
iprinp.dll
Rasauto32.dll
Any registry value containing this string.
Any registry value containing this string.
Confidential Information
Report ID/#
Report Date: Month DD, YYYY
Page 50 of 51
Key Path contains AA8341AE87E5-0728-00B2-65B59DDD7BF7
10.
Managed Hosts List
11.
Glossary of Terms
mspoiscon,
msomsysdm
TTP - Tools, Techniques, and Procedures. These are the methods used by an attacker to compromise and
remain persistent within a network. TTP is a broad term and covers all behavioral characteristics of an attacker,
including methods used to lateral movement, exfiltration of data, scanning the network, preferences for tools,
etc.
APT - Advanced Persistent Threat. This is a catch-all term for any targeted attack that involves one or more
human attackers interacting with compromised hosts. In other words, APT and Hacker are synonomous. The
term APT is not used when malware is the result of large scale autonomous infection and there is no evidence of
interaction with a host (that is, there is no human at the other end of the keyboard).
RAT - Remote Access Tool. These are malware programs designed to allow a remote attacker to execute
programs and move files to and from a compromised host. These programs typically connect outbound to a
server to get commands.
C2 - Command and Control. This refers to the mechanism used by a RAT to communication with an external
host and get commands. The C2 host is usually a compromised host that functions as a cut-out between the
compromised network and the attacker. C2 servers are typically moved on a regular basis to overcome
perimeter security such as NIDS or DNS blackholes.
FUD - Fully Undetectable. This term applies to malware that has been tested against a large set of known
security products and has been verified as undetectable. Most APT attackers use tools that are FUD. FUD
typically refers to AV products, but is sometimes used to refer to browser-sandbox technology (sandboxie, etc)
as well. For example, a FUD malware would score zero hits on a scan performed by virustotal.com.
AV - Anti Virus. Refers to anti-virus products and host-based firewalls.
NIDS - Network Intrusion Detection System.
DDNA - Digital DNA. This is HBGary's system to detect suspicious code based on behaviors.
IPI - Initial Point of Infection. This refers to how the machine was initially compromised by an attacker. This can
be a autonomous malware infection, such as that caused by visiting a malicious website, or a targeted attack
such as those caused by spear-phising. IPI can also refer to lateral movement.
Confidential Information
Report ID/#
Report Date: Month DD, YYYY
Page 51 of 51
Lateral Movement. This refers to an attacker who has already compromised the network in one location, but is
attempting to gain access to additional machines. Typically this is done using stolen account credentials.
Exfil / Exfiltration. This term refers to the removal of data from the network, typically using some form of
covert communications designed to bypass filtering at the perimeter.
Packer / Cryptor. This term refers to a technology that can create many different variants of the same malware
in an automated way, easily bypassing MD5 checksum scans and many forms of AV scanning.
Speader. This refers to a function within a malware that allows it to spread across the network in an automated
way - for example by infecting USB keys or connecting over Windows network shares.
Downloader / Dropper / Sleeper. This refers to how a machine is initially exploited. The dropper is a small
program that executes first and downloads a larger program (the payload) and executes the second program.
Some downloaders can be configured with a sleep time and will not connect out for weeks or months. In this
case, the downloader may be called a 'sleeper agent'.
PUP - Potentially Unwanted Program. These are programs that are suspicious by nature but are not actually
malware. Examples are unsanctioned VPN bypass (LogMeIn, etc), invasive toolbar technology (Google Toolbar,
etc), and security tools that are not tied to an attack (packet sniffers, etc). PUP's are typically whitelisted during
an investigation, but are still reported to the customer for informational purposes.
12.
End of Report
Confidential Information

Download Report

NIDS - Network Intrusion Detection System.

Paperzz.com

Your Paperzz