Threat Intelligence

I have been working on a malware investigation for a few weeks. A compromised system was suspected of participating in an attack on another system on the internet. Having identified the suspect machine through firewall, wireless system, and other logs, I notified the end user and it was surrendered for a forensic examination.

Using the Live Response Collection tools found on BriMorLabs’ website, I was able to make short order of evidence collection, including disk and memory images. The collection of tools produces a file called netstat_anb_results.txt. This file lists the processes (executables) running on the system and any network connections they are making.

I found two executables of interest that were making numerous connections to unknown IP addresses:

I was able to find both of these executables on disk using Autopsy. The interesting thing is that they both evaded Windows 10 built-in antivirus as well as another AV scanner. I was able to identify the infection using two other scanners which flagged a number of other artifacts. Below is a hash list of the malicious files identified by the scanners.

I believe these executables allow an attacker to leverage the victim machine to do whatever the attacker wants. In this case, I believe these machines were used for a credential stuffing attack based on other indicators that I cannot release.

These executables were connecting to over 100 IP addresses. I have de-duped the list of IPs and I am including them here. It should be noted that it is unknown if these IPs are malicious or not, but given what I have found on the compromised systems, I believe they are suspect and worthy of blocking in your environment. These IPs all made a TCP connection from the compromised system, usually on port 443; however, there were a few connections on TCP 80. However, I did notice some odd connections using other ports in the 400 range.
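Triage of a netstat_anb_results.txt capture like the one described above, as an added example that is not part of the original post or of the BriMorLabs tools: it parses netstat -anb style lines, groups de-duplicated remote IPs per executable, and flags TCP connections on ports other than 80 and 443. The sample capture, its executable names and its addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample in the layout of netstat -anb output; addresses are RFC 5737 ranges, not real IoCs.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED
 [updater.exe]
  TCP    192.168.1.10:49713     203.0.113.5:443        TIME_WAIT
 [updater.exe]
  TCP    192.168.1.10:49714     198.51.100.7:80        ESTABLISHED
 [updater.exe]
  TCP    192.168.1.10:49715     198.51.100.9:4433      SYN_SENT
 [helper.exe]
  TCP    192.168.1.10:49716     203.0.113.20:443       ESTABLISHED
 [chrome.exe]
  UDP    0.0.0.0:5353           *:*
 [chrome.exe]
"""
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?")
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
EXPECTED_PORTS = {80, 443}  # the ports the post reports as usual for this traffic

def parse_netstat_anb(text):
    """Return (proto, remote_ip, remote_port, state, exe) tuples for sockets with a peer."""
    records, pending = [], []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, _local, foreign, state = m.groups()
            if foreign in ("*:*", "0.0.0.0:0") or ":" not in foreign:
                continue  # listening / unconnected socket: no remote peer to record
            ip, port = foreign.rsplit(":", 1)  # rsplit keeps bracketed IPv6 literals intact
            pending.append((proto, ip, int(port), state or ""))
            continue
        m = OWNER_RE.match(line)
        if m:  # in -b output the owning executable follows its connection line(s)
            records.extend(rec + (m.group(1),) for rec in pending)
            pending = []
    return records

def summarize(records):
    """De-duplicated remote IPs per executable, plus TCP connections on unexpected ports."""
    by_exe, odd_ports = defaultdict(set), []
    for proto, ip, port, _state, exe in records:
        by_exe[exe].add(ip)
        if proto == "TCP" and port not in EXPECTED_PORTS:
            odd_ports.append((exe, ip, port))
    return dict(by_exe), odd_ports
```

Run it against the real capture by reading netstat_anb_results.txt into `parse_netstat_anb`; the per-executable IP sets are the de-duplicated list to review before blocking.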

I am attaching an Autopsy Known File database file that you can load into Autopsy and identify files listed above by MD5 hash. Please note, the file hashes above are SHA256 hashes.

suspected_malware.kdb (Right click, save as. The file is in SQLite format)

MD5: 9536a2b9adc7dae8cf3216c916799cd5

SHA256: 8e497f33b85896f7a8bfc0bf465beb8ca80459ece9f53d30fe5712e97408a487
