As part of my analysis, I parsed the AppCompatCache value and found one of my indicators:
SYSVOL\downloads\malware.exe Wed Oct 19 15:35:23 2016 Z
I was able to find a copy of the malware file in the file system, so I computed the MD5 hash, and pulled the PE compile time and interesting strings out of the file. The compile time was 9 Jul 2016, 11:19:37 UTC.
I then parsed the AmCache.hve file and searched for the indicator, and found:
File Reference : 28000017b6a
LastWrite : Wed Oct 19 06:07:02 2016 Z
Path : C:\downloads\malware.exe
SHA-1 : 0000
Last Mod Time2: Wed Aug 3 13:36:53 2016 Z

File Reference : 3300001e39f
LastWrite : Wed Oct 19 15:36:07 2016 Z
Path : C:\downloads\malware.exe
SHA-1 : 0000
Last Mod Time2: Wed Oct 19 15:35:23 2016 Z

File Reference : 2d000017b6a
LastWrite : Wed Oct 19 06:14:30 2016 Z
Path : C:\Users\
SHA-1 : 0000
Last Mod Time : Wed Aug 3 13:36:54 2016 Z
Last Mod Time2: Wed Aug 3 13:36:53 2016 Z
Create Time : Wed Oct 19 06:14:20 2016 Z
Compile Time : Sat Jul 9 11:19:37 2016 Z
All of the SHA-1 hashes were identical across the three entries. Do not ask for the hashes...I'm not going to provide them, as this is not the purpose of this post.
What this illustrates is the value of what can be derived from the AmCache.hve file. Had I not been able to retrieve a copy of the malware file from the file system, I would still have a great deal of information about the file, including (but not limited to) the fact that the same file was on the file system in three different locations. In addition, I would also have the compile time of the executable file.
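The correlation described above, as an added example (my code, not code from the post and not the RegRipper amcache.pl plugin): it reads the compile time out of a PE header the way a triage script would, hashes the file, then parses the amcache.pl-style records printed above and checks them against the PE compile time and the AppCompatCache timestamp. The PE bytes are a constructed minimal MZ/PE header carrying the post's compile time, not the malware itself; the AmCache text is the post's output with the author's 0000 SHA-1 redactions left in place.

```python
import hashlib
import struct
from datetime import datetime, timezone

# AmCache.hve records in the RegRipper amcache.pl output layout, copied from the
# post above (the author redacted the SHA-1 values to 0000, so they are not
# compared here).
AMCACHE_DUMP = """\
File Reference : 28000017b6a
LastWrite : Wed Oct 19 06:07:02 2016 Z
Path : C:\\downloads\\malware.exe
SHA-1 : 0000
Last Mod Time2: Wed Aug 3 13:36:53 2016 Z
File Reference : 3300001e39f
LastWrite : Wed Oct 19 15:36:07 2016 Z
Path : C:\\downloads\\malware.exe
SHA-1 : 0000
Last Mod Time2: Wed Oct 19 15:35:23 2016 Z
File Reference : 2d000017b6a
LastWrite : Wed Oct 19 06:14:30 2016 Z
Path : C:\\Users\\
SHA-1 : 0000
Last Mod Time : Wed Aug 3 13:36:54 2016 Z
Last Mod Time2: Wed Aug 3 13:36:53 2016 Z
Create Time : Wed Oct 19 06:14:20 2016 Z
Compile Time : Sat Jul 9 11:19:37 2016 Z
"""

# Timestamp from the AppCompatCache entry in the post. In AppCompatCache this is
# the file's last-modified time, not a time of execution.
APPCOMPAT_MTIME = "Wed Oct 19 15:35:23 2016 Z"

# Constructed value: Sat Jul 9 11:19:37 2016 UTC (the compile time the post
# reports) as a Unix epoch, used to build the sample PE header.
SAMPLE_COMPILE_EPOCH = 1468063177


def parse_ts(text):
    """Parse the 'Wed Oct 19 15:35:23 2016 Z' form used in the dump as UTC."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y Z").replace(tzinfo=timezone.utc)


def parse_amcache_dump(text):
    """Split 'Key : value' lines into one dict per 'File Reference' record."""
    records = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "File Reference":
            records.append({})
        if records:
            records[-1][key] = value
    return records


def pe_compile_time(data):
    """Return the COFF TimeDateStamp as a UTC datetime.

    e_lfanew (DWORD at 0x3C) points at 'PE\\0\\0'; the COFF file header follows
    and TimeDateStamp is its third field, i.e. the DWORD at e_lfanew + 8.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def build_sample_pe(timestamp):
    """Constructed minimal MZ/PE header; only the fields read above are meaningful."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> right after the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def file_hashes(data):
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def analyze(pe_bytes, amcache_text, appcompat_mtime):
    """Cross-check the file on disk against the AmCache records and the AppCompatCache time."""
    records = parse_amcache_dump(amcache_text)
    compile_time = pe_compile_time(pe_bytes)
    appcompat = parse_ts(appcompat_mtime)
    return {
        "entries": len(records),
        "file_references": len({r["File Reference"] for r in records}),
        "paths": len({r["Path"] for r in records}),
        # Does the compile time AmCache recorded agree with the PE header on disk?
        "compile_time_matches": [parse_ts(r["Compile Time"]) == compile_time
                                 for r in records if "Compile Time" in r],
        # Which entry's Last Mod Time2 is the same file-modified time AppCompatCache holds?
        "mtime_matches_appcompat": [r["File Reference"] for r in records
                                    if parse_ts(r["Last Mod Time2"]) == appcompat],
        "hashes": file_hashes(pe_bytes),
    }


if __name__ == "__main__":
    result = analyze(build_sample_pe(SAMPLE_COMPILE_EPOCH), AMCACHE_DUMP, APPCOMPAT_MTIME)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the post's records, this reports three entries, three file reference numbers and two distinct paths, confirms that the Compile Time in the third record is the same value the PE header carries, and picks out 3300001e39f as the entry whose Last Mod Time2 matches the AppCompatCache timestamp. Against a real image you would replace the constructed bytes with the file read from the exported file system and the dump text with the plugin's actual output.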
8 comments:
Looks like two locations, not three, unless I am missing something?
Anonymous,
I didn't say "three locations"...I said three entries. If you look at the AmCache.hve information, there are three different file reference numbers, and two paths. Of the two paths that point to the Downloads folder, the entries have different times associated with them, and different file references.
It's a great article. Thanks Harlan. Have you analyzed the ShimCache?
Teck0,
"As part of my analysis, I parsed the AppCompatCache value and found one of my indicators..."
hi Harlan,
What tool did you use to parse the amcache.hve file?
It's a RegRipper plugin...
hey harlan,
How were you able to extract the amcache.hve file from the registry? I understand you can't parse the amcache file on a live machine. What software or technique was used?
The AmCache.hve file is NOT part of the Registry, it's a separate file. I extracted it from the image using FTK Imager.
Again, I'm using the RegRipper amcache.pl plugin to parse it.