Notes from the Girl
Well it’s been a bit of a long haul these past couple of months. After the recent round of layoffs at my employer, I’m currently acting as Director of application ops for our corporate systems (accounting and HR) rather than doing IR. If this continues long term, my skills will get seriously rusty. I am starting to see accounting ledger sheets in my sleep.
In any event, on the more personal side of things, I’ve gone back to blonde hair rather than the darker color I had switched to in March (the darker shown in the picture). My wife, Reg (short for Regina), has made it clear that the color was too dark for me. I’m just happy that she expressed an opinion. We’re still rocking and rolling. It’s always awesome to see love take a front seat to fear. Speaking of which, what’s up with these bathroom laws people? I just wanna pee. Like a woman. I don’t want to be in the men’s room. This crap is silly. Well, I hope the good people of North Carolina and Mississippi (as of this writing) are prepared to have men like Buck Angel in the women’s restroom. If you don’t know who Buck Angel is, google it.
If “peeping Tom’s” are your concern, make it a crime to peek at someone in the restroom. Oh, wait, that’s already a crime in both North Carolina and Mississippi (GSNC § 14-202, MSC § 97-29-61). If rape is your concern, I have to tell you, any transwoman who has been on HRT for more than a month hasn’t a hope in hell of being able to rape anyone. Wait, rape is illegal too, in North Carolina and Mississippi even. So what were these bathroom bills supposed to prevent? Nothing that wasn’t already illegal. The reality is that they are designed to make transition as uncomfortable as possible for transwomen. Not for transmen mind you. Again, go look at Buck Angel. Who is going to challenge him in the men’s room?
All in all, the last two months have been a little depressing. But, I am surviving. As my mother and step-mother have both told me many times, this, too, shall pass.
Oh, one other thing, my Faerie Lanterns turned out great. My daughter stole them for her room. Grrr. . . .
On with this week’s discussion. Interpreting ProcDot, RegShot, and Wireshark data from our behavioral capture.
Looking at ProcDot, RegShot, and Wireshark Data
Last week, we launched brbbot.exe in order to get some data. Unfortunately, this didn’t result in any real information on the network, but we did see some behaviors in our Process Monitor capture that showed up in ProcDot when we analyzed the results. Part of this information showed some registry changes, new files, and a few other things. Unfortunately, we didn’t do a careful registry capture that would allow us to see the changes clearly. Not to worry, though: this week, we’re going to make that happen. So, go ahead, if you haven’t already, and revert your Windows reverse engineering VM to the known good state. Next, you’ll want to change your network properties as follows (I’m using Argon Network Switcher for convenience, but you can set these values in the Control Panel just as easily).
Now, start your Remnux installation as well and make sure it’s reverted to the most recent known good snapshot. Now, in Remnux, open a terminal window and type myip. You should see something like the screenshot below.
If you don’t have 192.168.244.129 as your IP on your remnux workstation, then make sure you change it. You can do so with the following command:
sudo ifconfig eth0 192.168.244.129 netmask 255.255.255.0
Right, now, like last time (Day 4), go back to your Windows reversing workstation and start Process Hacker and Wireshark. Your screen should look something like this:
Now fire up Regshot, click 1st shot, and select Shot. We take this first shot before starting procmon because Regshot creates a lot of noise in procmon, and the number of entries would likely crash procmon on our VM given its limited resources.
Now, start your Wireshark capture and procmon like we did last time, then right click brbbot.exe and click Run As Administrator. We’ll let that run for about 3 minutes and then kill it by right clicking it in Process Hacker and selecting Terminate.
Now, let’s stop our captures and save our procmon and Wireshark data. Don’t forget to save the procmon data as CSV, not PML. Close procmon and Wireshark. Once you’ve verified that brbbot.exe is no longer executing, close Process Hacker. Now, in Regshot, click 2nd shot, then click Compare. This will open Notepad with a listing of the registry keys changed since the 1st shot. Minimize this and keep it handy; we’ll be referring to it soon. Go ahead and load up your brbbot captures in ProcDot and we’ll see what we get. You should see something like what is below.
You’ll notice a few things. As indicated in the upper right corner of our ProcDot screen, right after it started, BRBBot created a new file in C:\Windows\System32 called brbbot.exe. This is actually a copy of the program itself, to be used later. This is good to know, as it can be used as an IOC (Indicator of Compromise).
It also added itself to the HKLM\Microsoft\Windows\CurrentVersion\Run registry key, which gives it an autostart. It also created C:\Windows\System32\config\SOFTWARE.LOG2, which is an indication of modifications to the SOFTWARE hive; the registry system creates backups when the registry is modified.
We can also see that it created brbconfig.tmp and modified several other registry entries. We’ll come back to brbconfig.tmp, but let’s look at the registry changes. Lucky for us, we actually have registry captures to see the changes.
As you can see the below registry key was created:
This is to survive reboot.
There were several other keys touched. Go through each one in your registry and your Regshot data and see if you can find out what was changed on each one, if anything. Also, at the end of the Regshot data is a listing of files that were modified or created. A couple of things to note: brbbot.exe looks at the ProxyEnable and ProxyBypass settings. It’s probably a good bet that it will set a bypass if ProxyEnable is set to 1. That’s just hypothetical, but if you want to find out, restore your initial known good snapshot, set an internet proxy in your Internet Options, and re-run the same test. Let me know how it turns out.
Okay, so you can also look at brbconfig.tmp. Unfortunately, opening it in Notepad or Notepad++ yields very little value; it looks like it may be encrypted. You may want to save that file on a thumb drive or something, because we’ll be coming back to it in a later adventure.
Next time, we’ll look at gathering network data that actually means something and how to use our REMnux tools to “feed” malware what it thinks is good network traffic.