Tuesday, January 4, 2011

Taming the Wild Beast--Part Two

When last we left our hero, he was trying to figure out how the BEAST got on a church computer.  The BEAST being BEAST.exe on a Windows XP Home computer owned by a church.  Since that time, I have spent time looking at the Master File Table, a Super Timeline created from the system and taken a look at prefetch files.  I'd like to say after all that I had come to an "ah ha!" moment and I would know how the malicious file managed to get on the system.  I would also like to say I was given a billion dollars, but that wouldn't be any more true than my saying I figured out where this file came from.  But I digress...

As I said in the last post and above, I created my Super Timeline and started looking through it around the date and time this file appeared on the system (August 10, 2010 at 13:51:06).   I noticed a flurry of activity all around that time, with the folders C:\DATA and C:\DATA\FILES, along with the files BEAST.exe and Desktop.ini  being "born" then on the system.  The two files were both placed in the C:\DATA\FILES folder.  Also at the same time, more than 30 of the restore points on the system had new "ini" files added to them.  All of those ini files were copies of the Desktop.ini mentioned above.  Prior to that, a little unremarkable looking web browsing took place.

Next, I used the excellent AnalyzeMFT python script, created by my good friend, David Kovar, to parse the Master File Table.  I wanted to compare the standard info file times to the filename info times, just to make sure no file times had been fiddled with.  Nothing appeared out of line, so I moved on for the time being.

(Edited to fix something I didn't very clearly state at first)
Using X-Ways Forensics, I opened the drive image and looked at the Windows\Prefetch directory to see if there were any references to the BEAST.  Sure enough, BEAST.EXE-3696224B had been there but was deleted.  However, X-Ways was able to display it and tell me it had a total run count of 2 and last run date of 11/17/2010  08:42:55, which was quite awhile prior to my receipt of the machine.The MAC times were the same as the last run date/time.  Because the file had been deleted, it did not show up in my timeline or MFT report.

So now what?  Not to fear, there is always more to do when trying to figure these things out.  While I still have no real idea beyond a basic theory how this thing got on the system, I will continue with part three after doing some more analysis, including executing the file on a stand-alone computer and doing a live capture, which will hopefully give me a better idea of what all was going on here.  I have a computer similar to the actual victim system that I refurbished for just this purpose and plan to execute the malware on it.  I will be capturing RAM and using RegShot along with a few other programs to see just what happens when the BEAST is executed.  Sure, I could just submit the file to Joebox, Anubis or ThreatExpert and get a detailed report, but what fun would that be?


After making this post, I went back and looked at things I previously missed.  I went back to the timeline and looked for the date and time of the above mentioned prefetch file.  I found that a registry key had its "creation" time updated to the same date/time.  That key is HKEY_USER/Software/Microsoft/Windows/CurrentVersion/Explorer/StreamMRU.  From the little bit of reading I've done about it, it seems that key is where Windows saves the size and location of a window when it is closed.  Not too sure how this goes along with the malware yet, but I plan to find out!


  1. What fun indeed and you'd learn little from submitting the sample. So are you satisfied that the Prefetch time stamps are indicative of the time of the infection?

    Thanks for the post.

  2. Actually, that's one thing I can't correlate with anything else. As near as I can tell, actual infection took place on August 10. I failed to mention the prefetch file had been deleted, but was still recoverable. All of its time stamps go along with the November 17 date. I also failed to mention that it did not appear in the AnalyzeMFT output or the timeline, which makes sense since it had been deleted prior to my getting ahold of it.

    I'm hoping I will get a better idea of things after running it on a live system and see if anything funny happens with the time stamps.

  3. New info added to the bottom of the post!