First, we know from where Java was run:
\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\JAVA\JRE6\BIN\JAVA.EXE
There's also another EXE listed in the output:
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CMD.EXE
That's interesting. Maybe an interesting analysis technique to add via the tools is to parse the module paths, and find not just the path to the EXE that was created, but also any other EXE paths listed, and flag on those with more than one. Flagging on those Prefetch files that include more than one EXE path may not find anything in most cases, but hey, it's automated and documented, only takes a quick second to run, and the time that it does find something will be a real winner.
Okay, now back to our regularly scheduled program, already in progress...
Then I found these paths:
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\D3D9.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\D3D8THK.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\VMX_FB.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\D3D9CAPS.DAT
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\D3D9CAPS.TMP
I wasn't too interested in those (I had no idea what they are) until I found this one later on:
\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\TEST\LOCAL SETTINGS\APPLICATION DATA\D3D9CAPS.TMP
I still have no idea what any of this is...remember, I only have the single Prefetch file...but this might be something worth investigating.
Here's a path to one of the logs that Corey mentioned in his post:
\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\DEPLOYMENT.PROPERTIES
We see something similar later in the output, for the Test user:
\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\TEST\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\DEPLOYMENT.PROPERTIES
Here's the path to another log file that Corey mentioned in his blog:
\DEVICE\HARDDISKVOLUME1\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\JAVA_INSTALL_REG.LOG
And here's the same thing, but for the Test user account (again):
\DEVICE\HARDDISKVOLUME1\DOCUME~1\TEST\LOCALS~1\TEMP\JAVA_INSTALL_REG.LOG
Remember that Corey was using MetaSploit, per his blog post:
\DEVICE\HARDDISKVOLUME1\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\~SPAWN7448022680969506475.TMP.DIR\METASPLOIT.DAT
\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\~SPAWN5710426834330887364.TMP.DIR\METASPLOIT\PAYLOAD.CLASS
\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\~SPAWN5710426834330887364.TMP.DIR\METASPLOIT.DAT
All in all, some pretty interesting data. Some of the new additions to the tools will make some of the automated collection and correlation of this information automated, but the analysis will still be up to...well, the analyst.
I'd like to thank Corey for not only doing the "heavy lifting" of compromising a system with MetaSploit, but also providing the Prefetch file, from which the script I wrote was able to extract the above module paths.
5 comments:
Awesome information and thank you for revisiting Prefetch files. Between your last two posts I learned alot about data inside a Prefetch file that I wasn't looking at.
I still have all my images from exploit artifacts so I plan on updating my exploit posts to reflect this new information. I even have a few images from purposely infected systems and am curious about the prefetch files for malware. Again, thanks for the info and asking for the Prefetch file. Without you asking for it I may not have went back and looked at them.
You need to check out pfdump enscript for Encase. it decodes entire contents of prefetch to include all open file handles within the first 10 seconds. Very useful -Diocyde
@Diocyde...
WHY do I need to check out the EnScript? I don't use EnCase, and as you can clearly see, the script that used does the same thing...and more. For example, consider my previous post on the subject...with this script, I can do all sorts of analysis, including LFO analysis of the loaded modules.
Given this, why would I need to check out the EnScript?
Thanks.
@Corey,
It's all about teamwork and sharing, my friend!
All of the D3Dxxx.dll files are part of the Direct 3D components of DirectX, which you'll probably recognize. They are likely to be related to gaming, but I'm sure they are used for more than that. The next digit(s) refer to the version, so D3D9 is Direct 3D v9
Post a Comment