When last we left our hero, he was trying to figure out how the BEAST got on a church computer. The BEAST being BEAST.exe on a Windows XP Home computer owned by a church. Since that time, I have spent time looking at the Master File Table, a Super Timeline created from the system and taken a look at prefetch files. I'd like to say after all that I had come to an "ah ha!" moment and I would know how the malicious file managed to get on the system. I would also like to say I was given a billion dollars, but that wouldn't be any more true than my saying I figured out where this file came from. But I digress...
As I said in the last post and above, I created my Super Timeline and started looking through it around the date and time this file appeared on the system (August 10, 2010 at 13:51:06). I noticed a flurry of activity all around that time, with the folders C:\DATA and C:\DATA\FILES, along with the files BEAST.exe and Desktop.ini being "born" then on the system. The two files were both placed in the C:\DATA\FILES folder. Also at the same time, more than 30 of the restore points on the system had new "ini" files added to them. All of those ini files were copies of the Desktop.ini mentioned above. Prior to that, a little unremarkable looking web browsing took place.
Next, I used the excellent AnalyzeMFT python script, created by my good friend, David Kovar, to parse the Master File Table. I wanted to compare the standard info file times to the filename info times, just to make sure no file times had been fiddled with. Nothing appeared out of line, so I moved on for the time being.
(Edited to fix something I didn't very clearly state at first)
Using X-Ways Forensics, I opened the drive image and looked at the Windows\Prefetch directory to see if there were any references to the BEAST. Sure enough, BEAST.EXE-3696224B had been there but was deleted. However, X-Ways was able to display it and tell me it had a total run count of 2 and last run date of 11/17/2010 08:42:55, which was quite awhile prior to my receipt of the machine.The MAC times were the same as the last run date/time. Because the file had been deleted, it did not show up in my timeline or MFT report.
So now what? Not to fear, there is always more to do when trying to figure these things out. While I still have no real idea beyond a basic theory how this thing got on the system, I will continue with part three after doing some more analysis, including executing the file on a stand-alone computer and doing a live capture, which will hopefully give me a better idea of what all was going on here. I have a computer similar to the actual victim system that I refurbished for just this purpose and plan to execute the malware on it. I will be capturing RAM and using RegShot along with a few other programs to see just what happens when the BEAST is executed. Sure, I could just submit the file to Joebox, Anubis or ThreatExpert and get a detailed report, but what fun would that be?
After making this post, I went back and looked at things I previously missed. I went back to the timeline and looked for the date and time of the above mentioned prefetch file. I found that a registry key had its "creation" time updated to the same date/time. That key is HKEY_USER/Software/Microsoft/Windows/CurrentVersion/Explorer/StreamMRU. From the little bit of reading I've done about it, it seems that key is where Windows saves the size and location of a window when it is closed. Not too sure how this goes along with the malware yet, but I plan to find out!