Wesley Spencer
Feb 23, 2015, 2:38:02 PM
to ope...@googlegroups.com
Hi everyone,
Been spending a few days on this problem and thought this group might be able to give some help. We're trying to run a scan from the Carbanak IOC and analyze through Redline. The custom IOC Search Collector creates the scripts just fine.
When we run the scripts that were generated from Redline, UAC properly elevates the process and begins to run. However, for some reason, the process cannot access the computer itself. It either gets access denied errors or context="open" errors.
I'm attaching inline some of the lines that are generated to give you an idea of what is going on. I've tried to troubleshoot this from multiple computers within the domain, all have the same problem. Is it possible that the script isn't getting elevated privileges?
Also, other Search Collectors that only look for running processes or folder directories run just fine. This is the only IOC I've had trouble with.
Thanks!
--Wes
Ensuring the proper working directory
.\x64\mAgent.exe -o "D:\Carbanak\\Sessions\AnalysisSession2\Audits" -script "..\MemoryzeAuditScript.xml" -encoding none
Loading log config file D:\Carbanak\x64\sfAgent.loglite.config.xml
The LogLite settings file 'D:\Carbanak\x64\sfAgent.loglite.config.xml' has been loaded.
Using settings file D:\Carbanak\x64\conf.xml
Agent compiled May 5 2014 20:01:40; command line: .\x64\mAgent.exe -o D:\Carbanak\\Sessions\AnalysisSession2\Audits -script ..\MemoryzeAuditScript.xml -encoding none
Stopping driver service "mrt".
Successfully stopped driver service "mrt".
Uninstalling driver service "mrt".
Successfully uninstalled driver service "mrt".
Installing driver service "mrt".
Successfully installed filter driver service "mrt".
Successfully set registry values for filter driver service "mrt". Installation complete.
Starting filter driver service "mrt".
Successfully started filter driver service "mrt".
Loading the script from '..\MemoryzeAuditScript.xml'.
Beginning local audit.
Audit started 02-23-2015 12:46:41
Resolving command w32apifiles in external modules.
Resolving command w32network-dns in external modules.
Resolving command w32ports in external modules.
Script resolved.
Checking if 'D:\Carbanak\Sessions\AnalysisSession2\Audits\<REMOVED>\20150223184641' exists...
Successfully created output folder D:\Carbanak\Sessions\AnalysisSession2\Audits\<REMOVED>\20150223184641\
Executing command w32apifiles, 1.4.36.0
Pre-execution diagnostics for command w32apifiles
PageFaultCount: 4456 PeakWorkingSetSize: 12533760 WorkingSetSize: 12406784 QuotaPeakPagedPoolUsage: 198368 QuotaPagedPoolUsage: 198240 QuotaPeakNonPagedPoolUsage: 11120 QuotaNonPagedPoolUsage: 10848 PagefileUsage: 4722688 PeakPagefileUsage: 5693440
CommitTotal: 1403275 CommitLimit: 2400530 CommitPeak: 1545745 PhysicalTotal: 2072850 SystemCache: 1129557 KernelTotal: 168389 KernelPaged: 97877 KernelNonpaged: 70512 PageSize: 4096 HandleCount: 59875 ProcessCount: 114 ThreadCount: 1650
<Issue number="0" level="Warning" summary="Failed to open file: C:\Documents and Settings Error: 5" context="open"/>
<Issue number="5" level="Warning" summary="Access Denied" context="Access was denied to the following path: C:\Documents and Settings\*"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\hiberfil.sys Error: 32" context="open"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\pagefile.sys Error: 32" context="open"/>
<Issue number="0" level="Warning" summary="Failed to read dwJumpTargetRVA" ref="uuid:7E98E826-F6AE-4137-966E-E23D28B50DA6" context="scanJump"/>
<Issue number="0" level="Warning" summary="Failed to read dwJumpTargetRVA" ref="uuid:93B1E689-F942-4E51-8659-2824336A4A80" context="scanJump"/>
<Issue number="0" level="Warning" summary="Failed to read dwJumpTargetRVA" ref="uuid:31942198-3CF0-40E8-A216-377C7CB4EB4D" context="scanJump"/>
<Issue number="0" level="Warning" summary="Failed to read dwJumpTargetRVA" ref="uuid:94C3C6E7-72E3-4EA9-BBAE-A8BD2B7C8883" context="scanJump"/>
<Issue number="0" level="Warning" summary="Failed to read dwJumpTargetRVA" ref="uuid:F9757E3D-666E-454F-9750-BDD34AEFD943" context="scanJump"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\ProgramData\Application Data Error: 5" context="open"/>
<Issue number="5" level="Warning" summary="Access Denied" context="Access was denied to the following path: C:\ProgramData\Application Data\*"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\ProgramData\Desktop Error: 5" context="open"/>
<Issue number="5" level="Warning" summary="Access Denied" context="Access was denied to the following path: C:\ProgramData\Desktop\*"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\ProgramData\Documents Error: 5" context="open"/>
<Issue number="5" level="Warning" summary="Access Denied" context="Access was denied to the following path: C:\ProgramData\Documents\*"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\ProgramData\Kaspersky Lab\KES10\Bases\klava\strg8394 Error: 5" context="open"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\ProgramData\Kaspersky Lab\KES10\Bases\klava\strg8395 Error: 5" context="open"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\ProgramData\Kaspersky Lab\KES10\Bases\klava\strg8397 Error: 5" context="open"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\ProgramData\Kaspersky Lab\KES10\Bases\klava\strg8398 Error: 5" context="open"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\ProgramData\Kaspersky Lab\KES10\Data\iswift.dat Error: 32" context="open"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\ProgramData\Kaspersky Lab\KES10\Data\sfdb.dat Error: 32" context="open"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\ProgramData\Kaspersky Lab\KES10\Data\vartscan.dat Error: 32" context="open"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\Users\Wes\AppData\Local\Temp\~DF99AB8BF7C706BE73.TMP Error: 5" context="open"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\Users\Wes\AppData\Local\Temp\~DFA83F390EE8222F9E.TMP Error: 5" context="open"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\Users\Wes\AppData\Local\Temp\~DFD975DACFAF8DE769.TMP Error: 5" context="open"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\Users\Wes\AppData\Local\Temp\~DFEF7679B3F98E8816.TMP Error: 5" context="open"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\Users\Wes\AppData\Local\Temp\~DFF6BDCFEC0A0BC9D7.TMP Error: 5" context="open"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\Users\Wes\AppData\Local\Temp\~DFF787DCA2FBC55612.TMP Error: 5" context="open"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\Users\Wes\AppData\Local\Temporary Internet Files Error: 5" context="open"/>
<Issue number="5" level="Warning" summary="Access Denied" context="Access was denied to the following path: C:\Users\<REMOVED>\AppData\Local\Temporary Internet Files\*"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\Users\<REMOVED>\Application Data Error: 5" context="open"/>
<Issue number="5" level="Warning" summary="Access Denied" context="Access was denied to the following path: C:\Users\<REMOVED>\Application Data\*"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\Users\<REMOVED>\Cookies Error: 5" context="open"/>
<Issue number="5" level="Warning" summary="Access Denied" context="Access was denied to the following path: C:\Users\<REMOVED>\Cookies\*"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\Users\<REMOVED>\Documents\My Music Error: 5" context="open"/>
<Issue number="5" level="Warning" summary="Access Denied" context="Access was denied to the following path: C:\Users\<REMOVED>\Documents\My Music\*"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\Users\<REMOVED>\Documents\My Pictures Error: 5" context="open"/>
<Issue number="5" level="Warning" summary="Access Denied" context="Access was denied to the following path: C:\Users\<REMOVED>\Documents\My Pictures\*"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\Users\<REMOVED>\Documents\My Videos Error: 5" context="open"/>
<Issue number="5" level="Warning" summary="Access Denied" context="Access was denied to the following path: C:\Users\<REMOVED>\Documents\My Videos\*"/>
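An added triage helper for the kind of log quoted above, written for this thread and not part of the post or of Redline/Memoryze: it parses the `<Issue context="open"/>` lines, decodes the Win32 error code in each summary (5 = ERROR_ACCESS_DENIED, 32 = ERROR_SHARING_VIOLATION, per winerror.h), and separates the noise an elevated collector always produces (the Vista+ compatibility junctions such as "Documents and Settings", "Application Data" and "Cookies", which carry a deny-Everyone "list folder" ACE, and hiberfil.sys/pagefile.sys, which the kernel holds open) from failures still worth a look. The junction-name list is a heuristic; the sample lines are copied from the post's log.

```python
import re
from collections import Counter

# Lines copied from the log quoted in the post (redactions as in the post).
SAMPLE_LOG = r'''
<Issue number="0" level="Warning" summary="Failed to open file: C:\Documents and Settings Error: 5" context="open"/>
<Issue number="5" level="Warning" summary="Access Denied" context="Access was denied to the following path: C:\Documents and Settings\*"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\hiberfil.sys Error: 32" context="open"/>
<Issue number="0" level="Warning" summary="Failed to read dwJumpTargetRVA" ref="uuid:7E98E826-F6AE-4137-966E-E23D28B50DA6" context="scanJump"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\ProgramData\Kaspersky Lab\KES10\Data\iswift.dat Error: 32" context="open"/>
<Issue number="0" level="Warning" summary="Failed to open file: C:\Users\<REMOVED>\Cookies Error: 5" context="open"/>
'''.strip().splitlines()

# Win32 codes that appear in the post (names from winerror.h).
WIN32 = {5: "ERROR_ACCESS_DENIED", 32: "ERROR_SHARING_VIOLATION"}
# Heuristic: names of the Vista+ compatibility junctions. Windows gives them a
# deny-Everyone "list folder" ACE, so even an elevated process gets error 5.
JUNCTION_NAMES = ("documents and settings", "application data", "cookies",
                  "temporary internet files", "my music", "my pictures", "my videos")
# The kernel holds these open exclusively; error 32 (sharing violation) is expected.
KERNEL_LOCKED = ("hiberfil.sys", "pagefile.sys")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
OPEN_RE = re.compile(r"^Failed to open file: (.+) Error: (\d+)$")

def parse_issue(line):
    """Return (path, code, verdict) for an 'open' failure, else None."""
    attrs = dict(ATTR_RE.findall(line))  # regex, not XML: <REMOVED> is not valid XML
    m = OPEN_RE.match(attrs.get("summary", ""))
    if attrs.get("context") != "open" or not m:
        return None  # scanJump lines and the duplicate "Access Denied" lines add no path
    path, code = m.group(1), int(m.group(2))
    low = path.lower()
    if code == 5 and any(n in low for n in JUNCTION_NAMES):
        verdict = "expected: legacy junction, listing denied to Everyone"
    elif code == 32 and low.endswith(KERNEL_LOCKED):
        verdict = "expected: file held open by the kernel"
    else:
        verdict = "investigate: %s" % WIN32.get(code, "unknown Win32 error %d" % code)
    return path, code, verdict

def triage(lines):
    """Classify every open-failure line; returns (rows, verdict counts)."""
    rows = [r for r in map(parse_issue, lines) if r]
    return rows, Counter(v.split(":")[0] for _, _, v in rows)

if __name__ == "__main__":
    rows, counts = triage(SAMPLE_LOG)
    for path, code, verdict in rows:
        print("%3d  %-60s %s" % (code, path, verdict))
    print(dict(counts))
```

Run it over the full Redline audit log: a log made up only of "expected" rows points at normal junction and pagefile noise rather than a missing elevation, while "investigate" rows (here the AV data file) are the ones to chase.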