
Filesystem Audit

⚠️ The process described here involves running malware. Do not follow these steps unless you know exactly what you are doing. Use extreme caution and do not run malware outside of a sandbox environment. ⚠️

Setup audit

Audit rules must be set up prior to running any malware to record its activities.

Audit rules

Open Properties for the filesystem to be audited (e.g. the C: drive), then go to Security > Advanced > Auditing > Add.

  • For Principal write Everyone.
  • For Type select All.
  • For Applies to select This folder, subfolders, and files.
  • For Basic permissions: select Modify, Read & execute, List folder contents, Read, and Write.

Apply the settings and select Continue for any errors.

Event log filters

Go to Event Viewer, right-click Custom Views and select Create Custom View....

  • For Logged select a range appropriate for your situation.
  • For Event level select Informational.
  • Select By log and for Event logs select Windows Logs > Security.
  • For Includes/Excludes Event IDs write 4660, 4663.

Apply the settings.

Parse audit data

Some parsed data has been provided in the following files:

For the provided files, the user's home path was C:\Users\exper\.

Using the provided script

For convenience, the parse-filesystem-audit.py script has been included for filtering audit data.

Uncomment one of the following presets:

#list_all()
#list_OwOGame_Accesses()
#list_OwOGame_Reads()
#list_OwOGame_Writes()

or write your own script for parsing the audit data:

# List all items
# (assumed: `items` is the list of audit records loaded earlier in the script,
#  one dict per record mapping field name -> value)
def list_all():
    for item in items:
        for key in item:
            print(key, ':', item[key])
        print()  # blank line between records
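The event-ID filter set up above (4660 and 4663) and the "write your own script" step can be combined into one parser. The following is an added example, not the repository's parse-filesystem-audit.py: it assumes the Security log was exported from Event Viewer as XML (Save All Events As... with the XML type), where each Event element carries the standard Windows event namespace and its EventData holds ObjectName, HandleId, AccessMask and ProcessName. The sample events and the OwOGame.exe process path are constructed for the example. Note that 4663 events are only written when "Audit File System" (Object Access) success auditing is enabled in audit policy; the SACL set on the drive does nothing on its own.

```python
"""Parse Security events 4663/4660 exported from Event Viewer as XML and
summarise, per process, which files were accessed and how, which accesses
touched browser credential stores, and which files were written and then
deleted within the capture (transient files such as temp.ps1).

Added example; not the repository's parse-filesystem-audit.py. The sample
events below are constructed, and the process path is a placeholder.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of AccessMask bits as logged in 4663 (standard file access rights).
ACCESS_BITS = {
    0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData",
    0x20: "Execute", 0x80: "ReadAttributes", 0x10000: "DELETE",
}

# File names from the Summary section that warrant a closer look.
CREDENTIAL_STORES = ("cookies.db", "passwords.db")

# Constructed sample export: five 4663 events, one 4660 (object deleted) that
# shares a HandleId with the preceding 4663, and one 4656 the filter drops.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID></System>
 <EventData><Data Name="ObjectName">C:\Users\exper\AppData\Local\Google\Chrome\User Data\Default\Network\cookies.db</Data>
 <Data Name="HandleId">0x190</Data><Data Name="AccessMask">0x2</Data><Data Name="ProcessName">C:\Users\exper\Desktop\OwOGame.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID></System>
 <EventData><Data Name="ObjectName">C:\Users\exper\AppData\Local\Microsoft\Edge\User Data\Default\passwords.db</Data>
 <Data Name="HandleId">0x194</Data><Data Name="AccessMask">0x3</Data><Data Name="ProcessName">C:\Users\exper\Desktop\OwOGame.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID></System>
 <EventData><Data Name="ObjectName">C:\Users\exper\Desktop\temp.ps1</Data>
 <Data Name="HandleId">0x1b8</Data><Data Name="AccessMask">0x2</Data><Data Name="ProcessName">C:\Users\exper\Desktop\OwOGame.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID></System>
 <EventData><Data Name="ObjectName">C:\Users\exper\Desktop\temp.ps1</Data>
 <Data Name="HandleId">0x1bc</Data><Data Name="AccessMask">0x10000</Data><Data Name="ProcessName">C:\Users\exper\Desktop\OwOGame.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4660</EventID></System>
 <EventData><Data Name="HandleId">0x1bc</Data><Data Name="ProcessName">C:\Users\exper\Desktop\OwOGame.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID></System>
 <EventData><Data Name="ObjectName">C:\Users\exper\Desktop</Data>
 <Data Name="HandleId">0x2a0</Data><Data Name="AccessMask">0x80</Data><Data Name="ProcessName">C:\Windows\explorer.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4656</EventID></System>
 <EventData><Data Name="ObjectName">C:\Users\exper\Desktop</Data>
 <Data Name="HandleId">0x2a0</Data><Data Name="AccessMask">0x80</Data><Data Name="ProcessName">C:\Windows\explorer.exe</Data></EventData></Event>
</Events>"""


def decode_mask(mask):
    """Turn a hex AccessMask string such as '0x3' into access-right names."""
    value = int(mask, 16)
    return [name for bit, name in sorted(ACCESS_BITS.items()) if value & bit]


def parse_events(xml_text, event_ids=(4660, 4663)):
    """Yield one dict per event whose EventID is in event_ids (the custom-view filter)."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in event_ids:
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        yield {"EventID": eid, "ProcessName": data.get("ProcessName", ""),
               "ObjectName": data.get("ObjectName", ""), "HandleId": data.get("HandleId", ""),
               "Access": decode_mask(data.get("AccessMask", "0x0"))}


def summarise(events):
    """Return {process: {path: set(access)}}. A 4660 carries no ObjectName, so the
    deletion is attributed to the path of the 4663 that opened the same handle."""
    by_proc = defaultdict(lambda: defaultdict(set))
    handles = {}
    for ev in events:
        proc = ev["ProcessName"]
        if ev["EventID"] == 4663:
            by_proc[proc][ev["ObjectName"]].update(ev["Access"])
            handles[(proc, ev["HandleId"])] = ev["ObjectName"]
        elif ev["EventID"] == 4660:
            path = handles.get((proc, ev["HandleId"]))
            if path is not None:
                by_proc[proc][path].add("Deleted")
    return by_proc


def credential_store_hits(summary):
    """(process, path, access) triples for accesses to browser cookie/password stores."""
    return [(proc, path, sorted(access))
            for proc, paths in summary.items() for path, access in paths.items()
            if path.rsplit("\\", 1)[-1].lower() in CREDENTIAL_STORES]


def transient_files(summary):
    """Paths a process wrote and then deleted within the capture."""
    return sorted(path for paths in summary.values() for path, access in paths.items()
                  if "WriteData" in access and "Deleted" in access)


if __name__ == "__main__":
    summary = summarise(parse_events(SAMPLE_XML))
    for proc, path, access in credential_store_hits(summary):
        print(f"{proc} -> {path}: {', '.join(access)}")
    print("written then deleted:", transient_files(summary))
```

Point `parse_events` at the text of a real XML export instead of `SAMPLE_XML` to run it on captured data; the handle correlation in `summarise` is what turns the otherwise anonymous 4660 deletions into the "created, executed, then deleted" picture described for temp.ps1 below.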

Summary

As expected of a nexe program, some dependencies (i.e. win-dpapi and sqlite3) are written to %homedrive%%homepath%.nexe_natives\.

The program also requests write access to the following browser cookies.db and passwords.db files:

C:\Users\exper\AppData\Local\Microsoft\Edge\User Data\Default\Network\cookies.db
C:\Users\exper\AppData\Local\Microsoft\Edge\User Data\Default\passwords.db
C:\Users\exper\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\cookies.db
C:\Users\exper\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\passwords.db
C:\Users\exper\AppData\Roaming\Opera Software\Opera Stable\cookies.db
C:\Users\exper\AppData\Roaming\Opera Software\Opera Stable\passwords.db
C:\Users\exper\AppData\Local\Google\Chrome\User Data\Default\Network\cookies.db
C:\Users\exper\AppData\Local\Google\Chrome\User Data\Default\passwords.db

This list is NOT exhaustive, as it was limited to the browsers that were installed.

The program also has write access to C:\Users\exper\Desktop\temp.ps1, which was not present before running it, nor was it present after it had finished. Here, it creates a temporary PowerShell script, executes it, and then deletes it.

Other accesses write to files such as the following:

C:\Users\exper\AppData\Local\Temp\4m5jmuss.out
C:\Users\exper\AppData\Local\Temp\4m5jmuss.cmdline
C:\Users\exper\AppData\Local\Temp\4m5jmuss.0.cs
C:\Users\exper\Desktop\PS_Transcripts\20220210\PowerShell_transcript.DESKTOP-BRHHOGM.pVjcl9WP.20220210044001.txt

It is likely possible to recover the PowerShell script and its output from such files. However, the script can also be recovered through static analysis of the malicious code.

What the program does with these accesses is made clear in the deobfuscation section.