Linkz for Tools & Tips

Wednesday, May 15, 2013 Posted by Corey Harrell
In this edition of Linkz I’m talking about tools I came across in the past week. There are tool updates, new tools, and some tips about existing tools. Without further ado ….

New RegRipper Version

RegRipper has been a frequent topic on my blog lately. The tool rocks and it has saved me so much time over the years. A new version of RegRipper (v2.8) was released as well as a new plug-in archive. Harlan said what the updates were in his post RegRipper Updates. I tested out the new Alert functionality for its malware detection capabilities and wanted to share some results about my tests.

I ran every auto-runs RegRipper plug-in across the registry hives infected with MD5 0db4749ae2ec96c4612183e85b48cbb9. My keyword search for Alert found the following entries pointing to the malware (alert was generated since those registry values were present).

ALERT: winlogon: Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon Shell value not explorer.exe: Explorer.exe, C:\Windows\System32\1055\svchost.exe

ALERT: winlogon: Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit value has multiple entries: C:\Windows\System32\userinit.exe, C:\Windows\System32\1055\svchost.exe

ALERT: winlogon: Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon System value found: C:\Windows\System32\1055\svchost.exe

I then ran every auto-runs RegRipper plug-in across the registry hives infected with MD5 04b687a43618272aa88b83efc1cce8a7. My keyword search for Alert found the following entries pointing to the malware (alert was generated based on the registry value).

ALERT: cmd_shell: Clients\StartMenuInternet\IExplore.exe\shell\open\command warning: "C:\Users\lab\AppData\Local\yyr.exe"

The last test I’m mentioning was I ran every auto-runs RegRipper plug-in across the registry hives infected with MD5 78c9d2949c81984414e6e1f5974905e1. My keyword search for Alert found numerous entries and two of them were (alert was generated based file path and file extension).

ALERT: user_run: Temp Path found: Software\Microsoft\Windows\CurrentVersion\Run : User Agent -> C:\Users\lab\AppData\Local\Temp\

ALERT: user_run: Path ends in .com/.bat: Software\Microsoft\Windows\CurrentVersion\Run : User Agent -> C:\Users\lab\AppData\Local\Temp\

RegRipper Auto-runs Plug-ins

Speaking about RegRipper auto-runs plug-ins. Back in March I wrote up the post Tracking Down Persistence Mechanisms outlining the research I did to track down the most common auto-run locations leveraged by malware. I even did a post about the updates made to the RegRipper to account for all the Run keys. Harlan did a post as well but about the Winlogon key. The RegRipper archive has been updated to account for all the commonly used auto-run locations. The ASEPs RegRipper Wiki page outlines all the auto-run plug-ins and the locations they check.

Parsing the $LogFile

I picked up on the next set of links from Joakim Schicht’s post over at a ForensicFocus forum. I should have known about his tools before now; at least now I’m informed and passing along a gem. Joakim’s post was about his new tool LogFileParser which parses the NTFS $LogFile. There are not that many tools available to parse this artifact so seeing one released (along with its source code) is awesome. I can’t do justice explaining the tool’s capabilities so just read the link to the LogFileParser’s Wiki page. It looks like Joakim wasn’t done since he released another tool (UsnJrnl2Csv) to parse the $UsnJrnl artifact. LogFileParser is able to parse the $UsnJrnl file as well but UsnJrnl2Csv is a standalone tool. Checking out his available downloads there are a slew of other tools from parsing the $MFT (mft2csv) to extracting NTFS artifacts from images and VSCs (NTFS_File_Extractor). Definitely take the time to check out Joakim’s site and try out his tools. I know my toolkit is getting updated.

Not sure why I’m excited about tools to parse NTFS artifacts. Check out these links to see why: Re-Introducing $UsnJrnl, Layering Data, and a bunch of posts on David Cowen’s blog.

Strawberry Perl and Log2timeline 0.65

I recently was rebuilding my laptop and I encountered pretty significant issue. On Windows I always used ActiveState Perl since I keep older versions of the program and never had problems installing modules. However, ActiveState made a change involving older versions of their software. You are no longer able to install modules in older ActiveState Perl programs (5.12 and older) without a business license. This means if you want to run 5.12 then you need to pony up some dough to buy the business license. This is where my issue arose. Log2timeline 0.65 does not work with ActiveState Perl 5.14 and 5.16; you need version 5.12. There is no way I’m going without Log2timeline on Windows so I reached out to Twitter for Perl alternatives. A few people pointed me to Strawberry Perl. I looked into it and tried it out. Final verdict is ActiveState Perl will never touch my systems again. If my endorsement isn’t enough check out the quote on the website from Larry Wall.

The next item was to get Log2timeline working on Windows with Strawberry Perl. Matt Presser has a nice tutorial walking you through the process in his post Timeline Analysis. His instructions worked like a charm and now I’m back in business with Log2timeline on my Windows box (RegRipper works fine with Strawberry too).

Thugging with REMnux

Maybe it’s just me but whenever I think about the Thug honeyclient all I can think about is 90s gangster rap. Westsideeee!!!!!! I first became aware about Thug when Kyle Maxwell mentioned it on his blog. Thug is pretty slick since it enumerates vulnerable clientside applications and captures exploits and malware served up in drive-bys. A new version has been released which you can grab from their GitHub site.

REMnux is a distro put together by Lenny Zelster to perform malware analysis. There are not only tools for performing malware analysis but there are also tools to analyze clientside exploits such as PDFs and office documents. Lenny released REMNux 4 which you can grab from here.

REMnux provides a wealth of tools to analyze clientside exploits while Thug provides the ability to capture these exploits. Needless to say, I wanted to get Thug up and running inside REMnux since it’s not installed by default. I Goggled around for installing Thug on Ubuntu and found a tutorial on how to do it. My attempts weren’t successful since the installation failed due to a missing dependency. I was stuck until David Kovar gave me the command to use which resolved my dependency issue. If you want to get Thug up and running on REMnux do the following:

First run the command below

apt-get install libboost-dev libboost-python-dev libboost-thread-dev libboost-system-dev python-pip python-dev python-pydot

Run the command a second time to make sure everything installed properly.

Then follow the steps outlined in the article How to install Thug Python client honeypot. I’ve had Thug up and running for about a week now and so far it doesn’t seem like anymore dependencies are missing.
  1. dude great blog post as usual!

  2. Corey,

    Thanks for the mention and I'm glad you found the alerting functionality to be useful. Personally, I find it to be incredibly valuable.

  3. I was thoroughly impressed with the output of the RegRipper CLI yesterday and have already been brainstorming ways in which I could use the tool on audits and pen tests.

    As you know, Corey, I'm neither an IResponder nor a forensics guy. I can fully throw my support behind the tool and the plugins from a security testing perspective. Major props to you and Harlan.

  4. @Randy

    Thanks man. It went over well at the Tr3Secure meet-up. What was really cool is that people with no background or training in forensics were finding malware by solely looking at registry hives. You are right there are more uses for it on the audit and pen testing side. If it works out for you let me know.

    Harlan did all the heavy lifting; all I did was write some plugins and an automation script.

Post a Comment