[ Sharing ] Analysing and retrieving the Statistics from shortened URLs

I’m going to talk about how you can view or check whether someone else clicked on the same shortened url as you.
This is also pretty useful if you want to know whether you are a target of a scam or being targetted to a drive-by.

The url which i’m going to test today is this:
http://www.dailychanges.com/

Let’s go through some of the URL shorteners and how we can get more info from these shortened URLs.
Bit.do
======
The original shortened link is http://bit.do/bKoMw
But if you append a “-” without the double quotes like this http://bit.do/bKoMw-
You will get to the statistics page for this shortened url.
It gave some important information about Referer sites, Referer pages and even visitors IP.
Probably dangerous if users are being targetted.

Next we will talk about Is.gd
Is.gd
======
The original shortened link is http://is.gd/MyG7K6
However, if users want to look at the statistics, they can simply change the url to something like the one below.
http://is.gd/stats.php?url=MyG7K6

Next we will talk about
Goo.gl
======
The original shortened link is http://goo.gl/z8w84
But if you append a “.” without the double quotes or “info” like this http://goo.gl/z8w84+ or http://goo.gl/z8w84.info
Once you go to the statistics pages, you will be redirected to something like this below.
https://goo.gl/#analytics/goo.gl/z8w84/all_time

Next we will talk about
Bit.ly
======
The original shortened link is https://bit.ly/1LsiFyY
But if you append a “.” without the double quotes like this https://bit.ly/1LsiFyY+
Using the statistics page, you can also check which other user are also sharing the exact same url as you did.
Please note that if the other user(s) used Google analytics in the url, you might not be able to see them in your statistics page.

Next we will talk about
crop.is
=======
The original shortened link is http://crop.is/NV8
However, if users want to look at the statistics, they can simply change the url to something like the one below.
http://crop.is/NV8+

tiny.ph
=======
The original shortened link is http://tiny.ph/2mCe
In order to access the statistics, they can simply change the url to something like the one below.
http://tiny.ph/2mCe+

tny.im
=======
The original shortened link is http://tny.im/3Bm
In order to access the statistics, they can simply change the url to something like the one below.
http://tny.im/3Bm+

tiny.cc
=======
The original shortened link is http://tiny.cc/xtad8x
In order to access the statistics, they can simply change the url to something like the one below.
http://tiny.cc/xtad8x~

Then again, if there isn’t any means to check the stats of the shortened URL.
Always make sure to use online services like http://longurl.org/ to make sure the shortened url is not redirecting to some malicious url.

I hope that readers will find all the information written here useful.

Have Phun
Jacob Soo

[ Technical Teardown: Malware Targetting Singapore Banks ]

[ Background ]
Originally i wanted to let one of the local student to write about it but he was busy with school, internship and solving challenges.
It’s also been a very long time since we written any “Technical Teardown” on malware/exploits here.

I got hold of this particular malware sample just days after these 2 reports.
http://www.abs.org.sg/pdfs/Newsroom/PressReleases/2015/MediaRelease_20151201.pdf
http://www.channelnewsasia.com/news/singapore/50-smartphone-users-in/2308976.html

The Association of Banks in Singapore (ABS) released an advisory to alert consumers on malware targeting mobile banking customers in Singapore.
We hope this technical teardown might be interesting to some of you.

[ Sample used in the analysis ]
MD5: 76745CE873B151CFD7260E182CBFD404
SHA1: 0F7C012466157891C1D12ADDDD4DFA0B8291DD75
Malware Sample: 76745ce873b151cfd7260e182cbfd404
Password is “infected29A”

Since it’s an Android malware, let’s check the permissions of this malware and further dissect it. Now, use apktool and run the following command:

Now let’s take a look at the AndroidManifest.xml file, you should see the following and the permissions requested by the APK file.

As we can see from the AndroidManifest.xml, it ask for quite a lot of permissions and it’s probably obfuscated.

Looking at the strings.xml and styles.xml, we can see that customised themes had been created for various banking applications.
This malware targets a number of banks by trying to mimic the authentic one and phishes for important banking information from the infected user as shown below.
0x0003
Figure 1 – Customised Themes

[ Junk Codes as Anti-Analysis? ]
It took me 20-30mins to realise that this author uses lots of junk code. Possibly with the purpose of deterring people like me from reversing the malware.
Import metadata such as strings and function names are also obfuscated as shown in the image below.
0x0001

Figure 2 – Junk Code with no useful functionality

Since the malware sample is heavily obfuscated, some of the things that i usually look out for is commands like Base64.decode or loadDataWithBaseURL or sendTextMessage

[ Revealing of Hidden Configuration Strings ]
So i did a quick grep and found out that it did use “Base64.decode” as shown below.
0x0002
Figure 3 – Base64 encoded string

The following is the base64 string which i extracted from the malware.

After doing a base64 decoding on it, i got back the following strings.

As we can see, the decoded strings contained IP addresses and other interesting strings. We also can safely assume that the malware author uses “@” as a delimiter.
For better illustration, i replaced all the “@” with newline.

[ Assessment of Malware ]
We can see that the IP addresses are the C&C servers communicating on port 34580.
http://37.235.48.177:34580/
http://46.108.39.12:34580/

Within the malware sample, we also found out that it is targeting victims with the following bank accounts.
Austria
=======

Dexia Kommunalkredit Bank
Bank Austria
Erste Bank und Sparkassen (Thanks to Alex Inführ for pointing my mistake.)
RGB (Raiffeisen Banking Group)
George (https://mygeorge.at/)
DK (Deutsche Kreditbank AG)
Bawag (BAWAG P.S.K)

Australia
=========

Westpac
St George
Gomoney
National Australia Bank
Commbank

New Zealand
===========

Westpac
Bank of New Zealand
ANZ Bank New Zealand

Singapore
=========

DBS
OCBC
POSB

Hong Kong
=========

Citibank
Bank Of China
Hang Seng Bank
Breeze

I’ll update this post later on how we can reverse such malware much more easily.
In the meantime, i do hope you enjoy reading it.

Happy Reversing,
Jacob Soo

[ Walkthrough : SANS 2015 CDI DFIR Challenge ]

Sorry that we haven’t been able to write anything interesting for the last few months.

I thought of publishing this first thing right after the competition had ended but Real Life gets the better of most of us. I totally forgotten about this as i was busy helping NUSGreyhats with their CTF and with my own personal stuff. It was lying on the draft folder collecting virtual dust just like my entry for SANS HolidayHackChallenge. 🙁
I don’t remember whether did i submit my answers for this challenge. 🙁

Below is my walkthrough for SANSCDI Forensic Challenge and i hope the process of solving the questions might be useful to someone out there. The entire challenge consists of 3 parts.

[ NTUSER.DAT CHALLENGE ]
In Part 1, we were given a link, http://dfir.to/EVIDENCE1 to download the data.
I have attached the file here incase the link is gone. Vibranium-NTUSER
On the page, we were asked the following questions.

1. What was the most recent keyword that the user vibranium searched using Windows Search for on the nromanoff system?
2. How many times did the vibranium account run excel.exe on the nromanoff system?
3. What is the most recent Typed Url in the Vibranium NTUSER.dat? (Enter in the following format: http:///)

On Windows XP, there is actually the ACMru key located in the following registry key:
ntuser.dat\Software\Microsoft\Search Assistant\ACMru
This key stores the search terms that have been typed into a Windows search dialog box.
The following subkeys define where the search term was used:
5001 – List of terms used for the Internet Search Assistant
5603 – List of terms used for the Windows XP files and folders search
5604 – List of terms used in the “word or phrase in a file” search
5647 – List of terms used in the “for computers or people” search

Unfortunately on Windows Vista, it did not include a registry key for user searches.
However on Windows 7, the history of search terms using Windows Search can be found in the following registry key:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
The WordWheelQuery subkey records information about user searches.

There are many great registry tools out there. But for this particular challenge, i will be using Windows Registry Recovery.

Challenge.0x0001

As we can see from the above image, the very first entry in the MRUListEx is “01 00 00 00.”
This simply means that the entry “1” is the most recently searched item.

In this particular case, we can see that the value for the first entry is “alloy” and that’s our answer.
Challenge.0x0002

Moving on to the 2nd question, 2. How many times did the vibranium account run excel.exe on the nromanoff system?
For this particular question, we are required to check the following registry key:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Challenge.0x0003

As we can see, the entries are all encoded using Rot13, the value we should be looking at is:
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\RKPRY.RKR
After decoding, the value will be:
{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office14\EXCEL.EXE

The number of times EXCEL.EXE was executed can be found at offset 0x04 in the UserAssist entry.
In this instance, the value is 4, which means that EXCEL.EXE was executed four times and that is our answer. 😀

Next we are asked, 3. What is the most recent Typed Url in the Vibranium NTUSER.dat? (Enter in the following format: http:///)
For this particular question, we need to check the following registry key.
NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs

Challenge.0x0004

As we can see from the image above, the most recent typed url is “http://199.73.28.114:53/” and that is the answer.

[ SYSTEM and SOFTWARE CHALLENGE ]
In Part 2, we were given a link, http://dfir.to/EVIDENCE2 to download the data.
I have attached the file here incase the link is gone. SOFTWARE-SYSTEM-HIVES.zip
On the page, we were asked the following questions.

1. The Windows Registry shows evidence of one USB device connecting to the nromanoff system. What is the serial number for this device?
2. What was the volume letter assigned to this USB device? (Enter just the letter for the volume.)
3. What is the volume name for the USB device that was inserted into the nromanoff system? (Enter the volume name in ALL CAPS.)

For the 1st question, there are many different methods to find out the answer. So i will go through 2 of the common methods.
The first method that i will be using is to check the following registry:
SYSTEM\ControlSet001\Enum\USBSTOR

As we can see from the image below, the serial number of the usb device is “AA951D0000007252”
Challenge.0x0001

For the 2nd method, we can check the following registry:
SYSTEM\MountedDevices

As you can see from the below image, we found out usb device and also the volume letter, “E” assigned to it. We have found the answer to question #2 too.
Challenge.0x0002

Moving to question #3, 3. What is the volume name for the USB device that was inserted into the nromanoff system? (Enter the volume name in ALL CAPS.)
We need to check the following registry key:
SOFTWARE\Microsoft\Windows Portable Devices\Devices

Challenge.0x0003

Once again, we found out the volume name for the usb device, “SECRETPLANS”

[ MEMORY ANALYSIS CHALLENGE ]
In Part 3, we were given a link, http://dfir.to/EVIDENCE3 to download the data.
I have attached the file here incase the link is gone. memory-raw.zip
On the page, we were asked the following questions.

1. To what remote IP address did the spinlock.exe process (PID 1328) have a connection?
2. What is the name of the user who is logged into Romanoff at the time the system memory was acquired?
3. Enter the time/date the system last booted according to the creation time of the initializing Windows process in the memory image. (Enter UTC time/date in the following format: YYYY-MM-DD HH:MM:SS)

For this particular challenge, we were given a memory dump file. The best way to solve this is to use Volatility
As i am unsure of the profile to use, i used the imageinfo option to see what profiles should i use.
volatility-2.5.standalone.exe -f memory-raw.img imageinfo

As we can see from the image below, we can use the following profile. Win7SP0x86, Win7SP1x86
Challenge.0x0001

The first question, 1. To what remote IP address did the spinlock.exe process (PID 1328) have a connection?
The option that we should be using is “netscan” and the command is
volatility-2.5.standalone.exe –profile=Win7SP0x86 -f memory-raw.img netscan

The returned results should look like the following image.
Challenge.0x0002

However, we are suppose to look for the remote IP address that spinlock.exe connected to.
We can see that spinlock.exe (PID 1328) is connected to “199.73.28.114” and that is our answer.
Challenge.0x0003

For the 2nd question, 2. What is the name of the user who is logged into Romanoff at the time the system memory was acquired?
We should check the following registry key in order to know the name of the user who is logged into Romanoff.
HKEY_CURRENT_USER\Volatile Environment

The option that we will be using for volatility is “printkey -K ‘Volatile Environment'”
volatility-2.5.standalone.exe –profile=Win7SP0x86 -f memory-raw.img printkey -K “Volatile Environment”

As we can in the image below, the username is “vibranium”
Challenge.0x0004

Hooray, we are moving to the last question of this challenge.
3. Enter the time/date the system last booted according to the creation time of the initializing Windows process in the memory image. (Enter UTC time/date in the following format: YYYY-MM-DD HH:MM:SS)

This is fairly straight forward, according to https://technet.microsoft.com/en-us/library/bb457123.aspx.
“ntoskrnl.exe” is the first to load, we know that the process”System” will be process we should be checking

Using “pslist” option,
volatility-2.5.standalone.exe –profile=Win7SP0x86 -f memory-raw.img pslist

As we can see in the image below, the time for “System” is 2012-04-04 11:47:29 UTC+0000 and that is our answer to the last question.
Challenge.0x0005

I hope that the entire walkthrough is simple enough to follow and do on your own.

Happy Reversing
Jacob Soo