Closed eoinmiller-sfdc closed 8 years ago
Got a file?
We use a regex to parse out the aPLib header, and then parse out URLs from the aPLib header up until a known footer keyword. That may be the issue, but I need to have either the pony binary or a memdump to confirm.
Sure thing. The dump and sample are both attached to this post.
Trying that again for the sample, zipped with password of "infected" without quotes.
996e00699dfd0fa16be1eb34b14be21b53aa2e0864fb49a62b9acfb84613552b.bin.zip
I think you may have an issue with your process dumps -- mine extracted them all just fine. The reason yours didn't extract all the ones you listed is they are not in the APlib decompressed section of memory, which is specifically where I'm regex'ing from. Taking all URLs from the dump was too FP heavy.
Anyways, here's what mine displays:
What is your VM timeout / how long did your analysis run for with the task that produced that dump?
Note: I haven't looked at the dump yet, going to check that out in a little bit.
OK, I looked at your dump just now and I'm not sure why it's not parsing out correctly.
We regex
r"aPLib .*PWDFILE"
And running your dump through strings, I'm able to find that segment:
Hmm, yea something seems screwy with this. I have tried reprocessing a different sample a few times and the module output varies but the dumps have the same strings at the same memory locations. I'm going to rebuild everything from scratch and give this a shot again.
Reprocessed the sample a fifth time. Module output:
C2: hxxp://kincoletca.ru/gate.php
C2: hxxp://thenuldmirit.ru/gate.php
C2: hxxp://hatthatrewlet.ru/gate.php

Yara output from dump:
0x1f12c2:$a: hxxp://thenuldmirit.ru/gate.php
0x1f12e2:$a: hxxp://kincoletca.ru/gate.php
0x1f1300:$a: hxxp://hatthatrewlet.ru/gate.php
0x6179d5:$a: hxxp://kincoletca.ru/gate.php
0x7383b3:$a: hxxp://thenuldmirit.ru/gate.php
0x7388ae:$a: hxxp://thenuldmirit.ru/gate.php
0x738b7e:$a: hxxp://thenuldmirit.ru/gate.php
0x738e4e:$a: hxxp://thenuldmirit.ru/gate.php
0x73911e:$a: hxxp://thenuldmirit.ru/gate.php
0x7393ee:$a: hxxp://thenuldmirit.ru/gate.php
0x7396be:$a: hxxp://thenuldmirit.ru/gate.php
0x73998e:$a: hxxp://thenuldmirit.ru/gate.php
0x739c5e:$a: hxxp://thenuldmirit.ru/gate.php
0x739f2e:$a: hxxp://thenuldmirit.ru/gate.php
0x73a1fe:$a: hxxp://thenuldmirit.ru/gate.php
0x73a429:$a: hxxp://kincoletca.ru/gate.php
0x73a6f5:$a: hxxp://kincoletca.ru/gate.php
0x73a9c1:$a: hxxp://kincoletca.ru/gate.php
0x73ac8d:$a: hxxp://kincoletca.ru/gate.php
0x73af59:$a: hxxp://kincoletca.ru/gate.php
0x1f1322:$b: hxxp://dukecollege.ca/wp-content/plugins/prism-highlight/task1.exe
0x1f1365:$b: hxxp://basaritrading.com/wp-content/plugins/prism-highlight/task1.exe
0x1f13ab:$b: hxxp://dorothyhoffmanbergman.com/wp-content/plugins/prism-highlight/task1.exe

Reprocessed the sample an 8th time. Module output:
C2: hxxp://kincoletca.ru/gate.php
C2: hxxp://thenuldmirit.ru/gate.php

Yara output from dump:
0x1f12c2:$a: hxxp://thenuldmirit.ru/gate.php
0x1f12e2:$a: hxxp://kincoletca.ru/gate.php
0x1f1300:$a: hxxp://hatthatrewlet.ru/gate.php
0x6179d5:$a: hxxp://kincoletca.ru/gate.php
0x7383b3:$a: hxxp://thenuldmirit.ru/gate.php
0x7388ae:$a: hxxp://thenuldmirit.ru/gate.php
0x738b7e:$a: hxxp://thenuldmirit.ru/gate.php
0x738e4e:$a: hxxp://thenuldmirit.ru/gate.php
0x73911e:$a: hxxp://thenuldmirit.ru/gate.php
0x7393ee:$a: hxxp://thenuldmirit.ru/gate.php
0x7396be:$a: hxxp://thenuldmirit.ru/gate.php
0x73998e:$a: hxxp://thenuldmirit.ru/gate.php
0x739c5e:$a: hxxp://thenuldmirit.ru/gate.php
0x739f2e:$a: hxxp://thenuldmirit.ru/gate.php
0x73a1fe:$a: hxxp://thenuldmirit.ru/gate.php
0x73a429:$a: hxxp://kincoletca.ru/gate.php
0x73a6f5:$a: hxxp://kincoletca.ru/gate.php
0x73a9c1:$a: hxxp://kincoletca.ru/gate.php
0x73ac8d:$a: hxxp://kincoletca.ru/gate.php
0x73af59:$a: hxxp://kincoletca.ru/gate.php
0x1f1322:$b: hxxp://dukecollege.ca/wp-content/plugins/prism-highlight/task1.exe
0x1f1365:$b: hxxp://basaritrading.com/wp-content/plugins/prism-highlight/task1.exe
0x1f13ab:$b: hxxp://dorothyhoffmanbergman.com/wp-content/plugins/prism-highlight/task1.exe
I should note that if you have something wonky in place of the standard Python re library, that may be causing issues. I had issues with re2 when extracting this stuff, which is why this signature explicitly uses re instead of try/except importing re2.
Well, I rebuilt everything and I am still having this issue with Ubuntu LTS 14.04, which comes with Python 2.7.6 and re 2.2.1.

$ python
Python 2.7.6 (default, Jun 22 2015, 17:58:13)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import re
>>> re.__version__
'2.2.1'
Tried with Ubuntu Server 15.10 which comes with Python 2.7.10 and re 2.2.1 as well, still the same behavior.
I also have version 2.2.1 -- I'd suggest modifying the file to see if you are getting any results from the re match at all. You are only getting two results because we collect C2s from two locations:
1) From C2s we see (via the InternetCrackUrlA API in the evented processing stage)
2) From carving out the aPLib section and regexing out URL structures.
It seems you are only getting data from the 1st, but there may be an issue preventing something with the 2nd point.
I'd suggest adding a "print buf" between lines 75 and 76 in the sig. Other than that I'm really out of ideas because it's been working fine for me since I've made it.
@KillerInstinct I think I found the issue based on a hunch after you pointed those two things out. It appears it was never processing the memory dumps because my configuration has zip compression enabled on the memory dumps. @spender-sandbox this may be of interest to you. Perhaps compression of the memory dumps should be performed after modules/reporting have been completed, or modules should detect if the input type is gzip'd? I also wonder if this would affect volatility analysis if enabled on the full system dumps.
In conf/processing.conf I had the following setup:

[procmemory]
enabled = yes
strings = yes
zipdump = yes
zipstrings = yes

With those settings, only the URLs actually requested by the detonated sample are included in the C2 output of the pony signature module. However, if I update conf/processing.conf to the following:

[procmemory]
enabled = yes
strings = yes
zipdump = no
zipstrings = no

now all the C2s are in the output like they should be.
Yep, I've already fixed this actually ;)
-Brad
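As an added example (not code from the pony signature module or from the spender-sandbox/Cuckoo tree), the Python 3 script below reproduces the two points the thread turns on: carving URLs only from the aPLib-decompressed section of a process dump rather than from the whole dump (the FP argument above), and the failure mode where zipdump = yes leaves a zip archive on disk, so a regex over the raw file bytes never sees the aPLib section and the module silently falls back to the evented C2s. The section regex is the thread's r"aPLib .*PWDFILE", here made non-greedy with DOTALL so a raw dump with 0x0a bytes and more than one config block still carves; everything else (the URL pattern, the container unwrapping, the merge helper, the example.* domains and the sample dump bytes) is constructed for this example and is not the original module's code.

```python
import gzip
import io
import re
import zipfile

# The thread's section regex, r"aPLib .*PWDFILE", adapted: DOTALL because a raw
# dump contains 0x0a bytes, non-greedy so multiple config blocks carve separately.
APLIB_SECTION_RE = re.compile(rb"aPLib .*?PWDFILE", re.DOTALL)

# URL carving pattern for this example; the original module's pattern is not
# shown in the thread, so this is an assumption.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\x00\"'<>]*)?")

ZIP_MAGIC = b"PK\x03\x04"
GZIP_MAGIC = b"\x1f\x8b"


def load_dump(raw):
    """Return plain process-dump bytes.

    With zipdump = yes the .dmp written to disk is a zip archive, so regexing
    the raw file finds nothing. Detect the container by magic bytes instead of
    trusting the file extension, and unwrap it.
    """
    if raw.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            members = zf.namelist()
            return zf.read(members[0]) if members else b""
    if raw.startswith(GZIP_MAGIC):
        return gzip.decompress(raw)
    return raw


def carve_aplib_urls(dump):
    """Carve URLs only from the aPLib section(s), in order, de-duplicated.

    Restricting the search to the config block is what keeps unrelated URLs
    elsewhere in process memory (CRLs, update checks) out of the C2 list.
    """
    urls = []
    for section in APLIB_SECTION_RE.finditer(dump):
        for m in URL_RE.finditer(section.group(0)):
            url = m.group(0).decode("latin-1")
            if url not in urls:
                urls.append(url)
    return urls


def merge_c2s(evented_urls, carved_urls):
    """Combine the two sources the thread describes: URLs observed at API
    level (InternetCrackUrlA) and URLs carved from the dump."""
    merged = []
    for url in list(evented_urls) + list(carved_urls):
        if url not in merged:
            merged.append(url)
    return merged


# Constructed sample dump (not real memory): filler, a benign URL outside the
# config block, then one aPLib section with three gates and two payload URLs.
PLAIN_DUMP = (
    b"\x00" * 32
    + b"http://crl.example.org/benign.crl\x00"   # outside the section: must not be carved
    + b"\x00" * 16
    + b"aPLib v1.01\x00"
    + b"http://gate-a.example.net/gate.php\x00"
    + b"http://gate-b.example.net/gate.php\x00"
    + b"http://gate-c.example.net/gate.php\x00"
    + b"http://dl-1.example.com/wp-content/plugins/x/task1.exe\x00"
    + b"http://dl-2.example.com/wp-content/plugins/x/task1.exe\x00"
    + b"http://gate-a.example.net/gate.php\x00"  # repeat: should be de-duplicated
    + b"PWDFILE\x00"
    + b"\x00" * 32
)


def zipped_dump(plain=PLAIN_DUMP):
    """Build what zipdump = yes leaves on disk: a zip archive holding the dump."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("2044.dmp", plain)
    return buf.getvalue()


def gzipped_dump(plain=PLAIN_DUMP):
    """Same idea with a gzip container, as the thread also mentions gzip'd dumps."""
    return gzip.compress(plain)


if __name__ == "__main__":
    raw = zipped_dump()
    print("regex over raw zip bytes:", carve_aplib_urls(raw))
    carved = carve_aplib_urls(load_dump(raw))
    print("after unwrapping the container:", carved)
    print("merged with evented C2s:", merge_c2s(["http://gate-a.example.net/gate.php"], carved))
```

Run stand-alone, the first line prints an empty list (the zipdump = yes symptom), the second prints the five URLs from inside the aPLib block without the benign CRL URL, and the third shows the evented and carved sources merged without duplicates. The sniffing in load_dump is the fix the thread asks for on the module side; moving compression after processing is the equivalent fix on the framework side.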
@spender-sandbox Well s#!t, looks like I should just git clone again I assume.
@KillerInstinct
Output from the pony_apis.py memory module finds the following:
C2: hxxp://kincoletca.ru/gate.php
C2: hxxp://thenuldmirit.ru/gate.php
However if you look in the memory dump file, you can find another C2 and the locations of the 2nd stage loader that the pony_apis.py appears to look for:
$ strings 2044.dmp | grep gate.php | sort -u
hxxp://hatthatrewlet.ru/gate.php
hxxp://kincoletca.ru/gate.php
hxxp://thenuldmirit.ru/gate.php

$ strings 2044.dmp | grep task1.exe | sort -u
hxxp://basaritrading.com/wp-content/plugins/prism-highlight/task1.exe
hxxp://dorothyhoffmanbergman.com/wp-content/plugins/prism-highlight/task1.exe
hxxp://dukecollege.ca/wp-content/plugins/prism-highlight/task1.exe
One of the things I do find interesting is the location of the C2 and second-stage strings in the memory dump. When I was trying the older version of Cuckoo (Acuvant fork) it was only gathering the first 10 MB of the memory dump from each process. The newer fork (spender-sandbox) is now getting full-size memory dumps, but I wonder if it is still only processing the first 10 MB of them? The C2 not found, along with the 2nd stage payloads and the 3rd C2 URI, are about 23 MB into the 55 MB memory dump. Below is some yara rule output showing the locations and values of strings that should have triggered the pony_apis.py C2 output:

0x6f985d:$a: hxxp://kincoletca.ru/gate.php
0x730f4a:$a: hxxp://thenuldmirit.ru/gate.php
0x731445:$a: hxxp://thenuldmirit.ru/gate.php
0x731715:$a: hxxp://thenuldmirit.ru/gate.php
0x7319e5:$a: hxxp://thenuldmirit.ru/gate.php
0x731cb5:$a: hxxp://thenuldmirit.ru/gate.php
0x731f85:$a: hxxp://thenuldmirit.ru/gate.php
0x732255:$a: hxxp://thenuldmirit.ru/gate.php
0x732525:$a: hxxp://thenuldmirit.ru/gate.php
0x7327f5:$a: hxxp://thenuldmirit.ru/gate.php
0x732ac5:$a: hxxp://thenuldmirit.ru/gate.php
0x732d95:$a: hxxp://thenuldmirit.ru/gate.php
0x732fc0:$a: hxxp://kincoletca.ru/gate.php
0x73328c:$a: hxxp://kincoletca.ru/gate.php
0x733558:$a: hxxp://kincoletca.ru/gate.php
0x733824:$a: hxxp://kincoletca.ru/gate.php
0x733af0:$a: hxxp://kincoletca.ru/gate.php
0x17af69a:$a: hxxp://thenuldmirit.ru/gate.php
0x17af6ba:$a: hxxp://kincoletca.ru/gate.php
0x17af6d8:$a: hxxp://hatthatrewlet.ru/gate.php
0x17af6fa:$b: hxxp://dukecollege.ca/wp-content/plugins/prism-highlight/task1.exe
0x17af73d:$b: hxxp://basaritrading.com/wp-content/plugins/prism-highlight/task1.exe
0x17af783:$b: hxxp://dorothyhoffmanbergman.com/wp-content/plugins/prism-highlight/task1.exe