Hero Image
PHP Backdoor Deobfuscation

Part of my role involves threat hunting on client servers. During one of these hunts I found a PHP backdoor called shell20210526.php. It was obfuscated - challenge accepted! There are a few PHP deobfuscation tools available. Individually they didn’t get the result, but in combination (along with some manual intervention) I was able to get a good result. Contents Tools The .php Stage 1: UnPHP Stage 2: Manual Editing Stage 3: Run the Function Stage 4: PHP Deobfuscator Base64 Variables HTML Front-end Investigation Comments Tools UnPHP - The Online PHP Decoder

Sunday, July 4, 2021 | 92 minutes Read
Hero Image
SANS June 2021 Forensic Contest

Update The answers have been released and are available here: https://isc.sans.edu/forums/diary/June+2021+Forensic+Contest+Answers+and+Analysis/27582/ They said it was hard, and it was. I’m proud of what I found! Reflecting back: For some reason, I thought they meant not all the machines are infected. It turns out all three were! So I skipped over .93 entirely. Similarly, I was thinking each infected machine only had one piece of malware. Wrong again! Because I was looking for the answers and not thinking as if it was a real investigation, I stopped looking too early. I think I would have figured .93 out if I’d looked, although I would have probably missed Hancitor. Talking of… I didn’t know Google Feedproxy could be part of a(n) (Hancitor) infection - I thought this traffic was all legit. I’m not upset that I missed it though - this will come with experience. The more I see, the more I learn, and the more I will recognise potentially malicious activity. The zip couldn’t be unzipped because the pcap was incomplete (packet loss). Glad I didn’t waste too much time trying to figure that out! Although I could have used URLhaus to download the .xlsx malware sample separately. Never thought of that before. Original Post https://isc.sans.edu/forums/diary/June+2021+Forensic+Contest/27532/

Tuesday, June 29, 2021 | 10 minutes Read
Hero Image
SANS April 2021 Forensic Quiz

https://isc.sans.edu/forums/diary/April+2021+Forensic+Quiz/27266/ Introduction Artifacts Excel-related Executables and DLLs Scheduled Task Pcaps Export objects Traffic Summary SHAs Introduction We’re provided with a .pcap and a bunch of artifacts (files). The AD, we’re told, is as follows: LAN segment range: 192.168.5.0/24 (192.168.5.0 through 192.168.5.255) Domain: clockwater.net Domain Controller: 192.168.5.5 - Clockwater-DC LAN segment gateway: 192.168.5.1 LAN segment broadcast address: 192.168.5.255 Artifacts First, let’s inspect the artifacts. $ find . -type f -exec ls -l -- {} + 242176 Mar 29 23:22 ./ProgramData/huqvg/huqvg.exe 49152 Mar 29 23:18 ./Users/Public/4123.do1 65545 Mar 29 23:22 ./Users/Public/4123.xlsb 65545 Mar 29 23:21 ./Users/Public/4123.xsg 299520 Mar 29 23:58 ./Users/wilmer.coughlin/AppData/Local/Temp/C618.tmp.dll 181413 Mar 29 23:17 ./Users/wilmer.coughlin/Downloads/subscription_1617056233.xlsb 4326 Mar 31 18:19 './Windows/System32/Tasks/Sun SvcRestartTask#32640' 251904 Mar 30 00:07 ./Windows/Temp/adf/anchorAsjuster_x64.exe 347648 Mar 30 00:08 ./Windows/Temp/adf/anchorDNS_x64.exe 347648 Mar 30 03:31 ./Windows/Temp/adf/anchor_x64.exe $ find . -type f -exec file -- {} + ./Users/wilmer.coughlin/Downloads/subscription_1617056233.xlsb: Microsoft Excel 2007+ ./Users/wilmer.coughlin/AppData/Local/Temp/C618.tmp.dll: PE32+ executable (DLL) (GUI) x86-64, for MS Windows ./Users/Public/4123.xsg: ASCII text, with very long lines, with CRLF line terminators ./Users/Public/4123.xlsb: ASCII text, with very long lines, with CRLF line terminators ./Users/Public/4123.do1: PE32 executable (DLL) (GUI) Intel 80386, for MS Wins ./Windows/System32/Tasks/Sun SvcRestartTask#32640: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators ./Windows/Temp/adf/anchorDNS_x64.exe: PE32+ executable (GUI) x86-64, for MS Windows ./Windows/Temp/adf/anchorAsjuster_x64.exe: PE32+ executable (console) x86-64, for MS Windows ./Windows/Temp/adf/anchor_x64.exe: PE32+ executable (GUI) x86-64, for MS Windows ./ProgramData/huqvg/huqvg.exe: PE32+ executable (GUI) x86-64, for MS Windows $ find . -type f -exec sha256sum -- {} + ae6dbc08e0e21b217352175f916cfd5269c4fd8d5de6bff2d0a93a366f78e8d1 ./Users/wilmer.coughlin/Downloads/subscription_1617056233.xlsb cc74f7e82eb33a14ffdea343a8975d8a81be151ffcb753cb3f3be10242c8a252 ./Users/wilmer.coughlin/AppData/Local/Temp/C618.tmp.dll 92bb3324b68e8780d718ed808cb9633dc1ef1f7988d2b85cc0f9f431ed63a63d ./Users/Public/4123.xsg 92bb3324b68e8780d718ed808cb9633dc1ef1f7988d2b85cc0f9f431ed63a63d ./Users/Public/4123.xlsb 93cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e ./Users/Public/4123.do1 6b7de7ab79ef0f15d7c03536ad6403e317ae5712898957e0ae2ba6f41bf89828 ./Windows/System32/Tasks/Sun SvcRestartTask#32640 9fdbd76141ec43b6867f091a2dca503edb2a85e4b98a4500611f5fe484109513 ./Windows/Temp/adf/anchorDNS_x64.exe 3ab8a1ee10bd1b720e1c8a8795e78cdc09fec73a6bb91526c0ccd2dc2cfbc28d ./Windows/Temp/adf/anchorAsjuster_x64.exe a8a8c66b155fcf9bfdf34ba0aca98991440c3d34b8a597c3fdebc8da251c9634 ./Windows/Temp/adf/anchor_x64.exe 291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b ./ProgramData/huqvg/huqvg.exe It looks like we have some executables, some Excel-related files, a .dll, and a scheduled task in XML format.

Thursday, April 22, 2021 | 9 minutes Read