Incident Response

Lesson 5 of 40

Report from Malware Analyst

File Name: build.exe

File type: Windows executable

MD5: ed67d056bdb2ac50e57228a03b7dfd9c

SHA-1: 294540a60ca6d2cc4ca2fc6c93e18c887d8ee1d6

Systems Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows Vista
  • Windows XP

Network Traffic

The domain name radiolovers.ru resolves to IP address 213.183.58.186.

Behavior

  • Creates file: C:\Documents and Settings\Administrator\Application Data\<random folder name>\soaw.exe.
  • Starts process soaw.exe.
  • Process soaw.exe writes to the virtual memory of process Explorer.exe.
  • Explorer.exe starts a command shell.

Reference

Anubis analysis report on the stage 2 executable (build.exe) that the initial malware downloads by connecting to radiolovers.ru:

http://anubis.iseclab.org/?action=result&task_id=133fb13888796ef74b9ea96be1538afff&format=html

Summary

The download of build.exe from http://radiolovers.ru/sexy/files is an indicator of WORM_ZBOT.

  • Configuration information from the compromised machine is sent to: radiolovers.ru/sexy/files/file.php.

  • This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
  • This worm drops the following copies of itself into the affected system and executes them:

%Application Data%\{Random Folder 1}\{Random Filename}.exe

  • This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\{Random} = "%Application Data%\{Random Folder 1}\{Random Filename}.exe"

  • This worm creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windows%\explorer.exe = %Windows%\explorer.exe:*:Enabled:Windows Explorer
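A triage check for the persistence, firewall-bypass and network indicators listed in this report, written as an added Python example (it is not part of the course material). The registry tuples and proxy log lines are constructed sample data standing in for a reg export and a proxy log an analyst would pull from the affected host.

```python
import re

# Indicators transcribed from the analyst report above.
C2_DOMAIN = "radiolovers.ru"
C2_IP = "213.183.58.186"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
FW_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
           r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
# Run value whose data is <...>\Application Data\<random folder>\<random name>.exe
APPDATA_EXE = re.compile(r".*\\Application Data\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)

def check_registry(entries):
    """entries: (key, value_name, data) tuples, e.g. parsed from a reg export."""
    findings = []
    for key, name, data in entries:
        data = data.strip('"')
        if key.lower() == RUN_KEY.lower() and APPDATA_EXE.match(data):
            findings.append(f"run-key persistence: {name} -> {data}")
        # explorer.exe has no business in the firewall exception list; the worm
        # whitelists it after injecting into Explorer so the injected code can talk out.
        elif (key.lower() == FW_LIST.lower() and name.lower().endswith("explorer.exe")
              and ":enabled:" in data.lower()):
            findings.append(f"firewall exception: {name}")
    return findings

def check_network_log(lines):
    """Return log lines that reference the C2 domain or its IP address."""
    return [line for line in lines if C2_DOMAIN in line or C2_IP in line]

# Constructed sample data (not taken from the report).
SAMPLE_REGISTRY = [
    (RUN_KEY, "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    (RUN_KEY, "kjhsdq", r'"C:\Documents and Settings\Administrator\Application Data\xqwe\soaw.exe"'),
    (FW_LIST, r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer"),
]
SAMPLE_PROXY_LOG = [
    "10.0.0.5 GET http://www.example.com/ 200",
    "10.0.0.5 GET http://radiolovers.ru/sexy/files/build.exe 200",
    "10.0.0.5 POST http://radiolovers.ru/sexy/files/file.php 200",
]

if __name__ == "__main__":
    for finding in check_registry(SAMPLE_REGISTRY) + check_network_log(SAMPLE_PROXY_LOG):
        print("ALERT:", finding)
```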

Demonstration: Report from Malware Analyst