
Persian Kitties Hiding Benign Executables

Posted on 2020-08-15 by Josiah Smith

Intro

A while back one of the InQuest DFI sensors generated an interesting alert that was initially very suspicious, but proved to be entertaining and still questionable regarding the true purpose of the activity. My initial suspicion was driven by an event highlighting an Image with an Embedded Executable. I wanted to share this based on the corresponding information that was derived, the humor of the images in question, and my resounding "WHY" did someone do this. The original image was sourced from hxxp://www.eastcoastpersians[.]com/

Domain Info

Doing some research on the domain, eastcoastpersians.com has been around for 3,881 days. It was created on 2009-12-30 and is set to expire on 2020-12-30. The domain's IP is shared with 2,000+ other domains. There were also no indications of any nefarious involvement when scouring the InQuest Labs Reputation or IOC Databases.

  • IOCDB
  • REPDB

Site Crawl

    While the alert we saw was generated from one of the hosted images, it was reasonable to check whether there were any other suspicious images hosted on this page, so we did a quick crawl to download all the files from that site.

    $ wget \
         --recursive \
         --no-clobber \
         --page-requisites \
         --html-extension \
         --convert-links \
         --restrict-file-names=windows \
         --domains eastcoastpersians.com \
         --no-parent \
         eastcoastpersians.com
    

    Running YARA with our default signature base leads us to something fishy going on here.

    $ y .
    MC_Image_with_Embedded_Executable ./IMR08106.JPG
    SC_Executable_Without_DOS_Header ./IMR08106.JPG
    MC_Image_with_Embedded_Executable ./IMR07509.JPG
    SC_Embedded_EXE_Cloaking ./IMR07509.JPG
    SC_Embedded_Exe_in_Image ./IMR07509.JPG
    SC_Executable_Without_DOS_Header ./IMR07509.JPG
    MC_Image_with_Embedded_Executable ./IMR08404.JPG
    SC_Executable_Without_DOS_Header ./IMR08404.JPG
    MC_Image_with_Embedded_Executable ./IMR07509/IMR07509.JPG
    SC_Embedded_EXE_Cloaking ./IMR07509/IMR07509.JPG
    SC_Embedded_Exe_in_Image ./IMR07509/IMR07509.JPG
    SC_Executable_Without_DOS_Header ./IMR07509/IMR07509.JPG
    MC_Image_with_Embedded_Executable ./IMR07509/output/jpg/00000679.jpg
    SC_Embedded_EXE_Cloaking ./IMR07509/output/jpg/00000679.jpg
    SC_Embedded_Exe_in_Image ./IMR07509/output/jpg/00000679.jpg
    SC_Executable_Without_DOS_Header ./IMR07509/output/jpg/00000679.jpg
    MC_Image_with_Embedded_Executable ./IMR08106/IMR08106.JPG
    SC_Executable_Without_DOS_Header ./IMR08106/IMR08106.JPG
    

    A quick clean-up isolates which files have that fishy inclusion. It looks like three of them generated alerts alluding to embedded executables. Of note, these three have a naming convention (IMR) different from the majority of the other images, which start with IMG.

    $ y . | cut -d. -f2 | distribution
    Key|Ct (Pct)    Histogram
    /IMR07509|4 (44.44%) ----------------------------------------------------
    /IMR08404|2 (22.22%) --------------------------
    /IMR08106|2 (22.22%) --------------------------
    

    Next, we'd like to carve the executables out of the images for further inspection. There are a number of ways to "skin the cat", so to speak. A favorite tool of ours for carving files out of larger blobs is Foremost. Thanks AF OSI!
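To make the detect-carve-hash pipeline concrete, here is an added Python example (my own code, not InQuest's, and not the YARA rules or foremost output shown on this page) that does for the JPEG case what the YARA hit, foremost carve and md5sum lookup above do together: it walks the JPEG marker segments to find the real end of the picture (so an EXIF thumbnail's EOI is not mistaken for it), flags an appended MZ/PE whose e_lfanew really points at a PE signature or a bare PE header whose DOS stub is missing (the situation the SC_Executable_Without_DOS_Header name suggests), and carves and MD5-hashes each hit for a VirusTotal lookup. All function names are mine, and the sample image and executable bytes are constructed inline rather than taken from the site.

```python
import hashlib

PE_SIG = b"PE\x00\x00"

def jpeg_end(data):
    """Offset just past the real EOI; walks the marker segments so an EOI belonging
    to an EXIF thumbnail (inside APP1) is not mistaken for the end of the picture."""
    pos = 2 if data[:2] == b"\xff\xd8" else len(data)     # no SOI: nothing to walk
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        seg = 0 if 0xD0 <= marker <= 0xD7 else int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg                                 # RSTn markers carry no length field
        if marker == 0xDA:                             # SOS: entropy-coded scan data follows
            eoi = data.find(b"\xff\xd9", pos)
            return eoi + 2 if eoi != -1 else None
    return None

def pe_header(data, mz):
    """Accept an 'MZ' only if e_lfanew (DOS header offset 0x3c) points at 'PE\\0\\0'."""
    if mz + 0x40 > len(data):
        return None
    pe = mz + int.from_bytes(data[mz + 0x3c:mz + 0x40], "little")
    return pe if data[pe:pe + 4] == PE_SIG else None

def find_embedded_pe(data):
    """Flag executables appended after the JPEG; carve each up to the next hit (or EOF)
    and MD5 it so the hash can be looked up in VirusTotal, as the post does."""
    end = jpeg_end(data)
    if end is None:
        return []
    hits, pos = {}, end
    while (mz := data.find(b"MZ", pos)) != -1:
        if pe_header(data, mz) is not None:
            hits[mz] = "mz_pe"
        pos = mz + 2
    claimed, pos = {pe_header(data, mz) for mz in hits}, end
    while (pe := data.find(PE_SIG, pos)) != -1:
        if pe not in claimed:                          # PE header whose DOS stub was stripped
            hits[pe] = "pe_without_dos_header"
        pos = pe + 4
    starts = sorted(hits)
    return [{"offset": off, "kind": hits[off], "size": nxt - off,
             "md5": hashlib.md5(data[off:nxt]).hexdigest()}
            for off, nxt in zip(starts, starts[1:] + [len(data)])]

def constructed_sample():
    """Constructed test input (not a real file): a JPEG skeleton whose APP1 carries a thumbnail with its own EOI, then a minimal MZ/PE stub and a bare PE header."""
    jpeg = b"\xff\xd8\xff\xe1\x00\x06\xff\xd8\xff\xd9" + b"\xff\xda\x00\x02\x12\x34\xff\xd9"
    exe = b"MZ" + b"\x00" * 0x3a + (0x40).to_bytes(4, "little") + PE_SIG + b"\x4c\x01" + b"\x00" * 10
    return jpeg, exe, PE_SIG + b"\x64\x86" + b"\x00" * 6             # (jpeg, exe, headless)
```

Feed it a real file with `find_embedded_pe(open(path, "rb").read())`; a naive `data.find(b"\xff\xd9")` on the constructed sample stops at the thumbnail's EOI (offset 8) while the walker returns the true end (18).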

    IMR08106.jpg

    Here is the first kitty that we will be playing with.

    Fig 1. IMR08106.jpg


    Foremost started at Fri Aug 14 18:29:31 2020
    Invocation: foremost IMR08106.JPG
    Output directory: /home/josiah/kitty/www.eastcoastpersians.com/IMR08106/output
    Configuration file: /usr/local/etc/foremost.conf
    ------------------------------------------------------------------
    File: IMR08106.JPG
    Start: Fri Aug 14 18:29:31 2020
    Length: 552 KB (565248 bytes)
    
    Num      Name (bs=512)         Size      File Offset     Comment
    
    0:      00000000.jpg         125 KB               0
    1:      00001048.jpg           1 KB          536844
    2:      00000520.gif          27 KB          266240       (385 x 204)
    3:      00000400.exe          52 KB          204800      09/26/2007 17:49:08
    4:      00001088.dll           2 KB          557056      08/18/2008 09:53:09
    Finish: Fri Aug 14 18:29:31 2020
    
    5 FILES EXTRACTED
    
    jpg:= 2
    gif:= 1
    exe:= 2
    ------------------------------------------------------------------
    

    So we have found one .exe and one .dll embedded within that image. A quick check shows whether any of those files are already in VirusTotal, along with their AV detection count and MD5 hash.

    $ find . -maxdepth 2 -type f | while read L; do echo $L && vt file-report `md5sum $L` | grep positives -A1; done
    ./exe/00000400.exe
                "positives": 0,
                "resource": "37737b3b387295d1c55e9b154f0c4100",
    ./gif/00000520.gif
    ./jpg/00001048.jpg
    ./jpg/00000000.jpg
    ./dll/00001088.dll
                "positives": 0,
                "resource": "49c8e4efab006abb6693859f96737195",
    
    37737b3b387295d1c55e9b154f0c4100

    The first file, 00000400.exe, looks to be commonly named ITMRT_TRACE.exe, a benign executable associated with eTrust PestPatrol Anti-Spyware; it can be found on VirusTotal.

    49c8e4efab006abb6693859f96737195

    The second file, '00001088.dll', looks to be commonly named hpqd_cul_s.dll, an HP DLL for non-versioned MSI files, and is also found on VirusTotal. Both are older, well-known, benign files embedded in the image... odd.

    IMR07509.jpg

    Our second hand-sized culprit.

    Fig 2. IMR07509.jpg


    First, carve out the embedded files.

    Foremost started at Fri Aug 14 17:59:13 2020
    Invocation: foremost IMR07509.JPG
    Output directory: /home/josiah/kitty/www.eastcoastpersians.com/IMR07509/output
    Configuration file: /usr/local/etc/foremost.conf
    ------------------------------------------------------------------
    File: IMR07509.JPG
    Start: Fri Aug 14 17:59:13 2020
    Length: 420 KB (430080 bytes)
    
    Num      Name (bs=512)         Size      File Offset     Comment
    ~
    23:     00000224.exe          76 KB          114688      06/05/2008 20:06:09
    24:     00000680.exe          79 KB          348160      12/04/2002 09:24:15
    

    And check to see if they exist on VirusTotal and their detection rate.

    $ ls | while read L; do echo $L && vt file-report `md5sum $L` | grep positives -A1; done
    00000224.exe
                "positives": 0,
                "resource": "03e5567ad53e8afa43622cfbf45bab26",
    00000680.exe
                "positives": 0,
                "resource": "a27d713b51923e72e58fae4d5ca073d7",
    
    03e5567ad53e8afa43622cfbf45bab26

    The first executable, 00000224.exe, is found on VirusTotal and looks to be xpicleanup.exe, which is part of XULRunner, a discontinued, packaged version of the Mozilla platform.

    a27d713b51923e72e58fae4d5ca073d7

    The second one, 00000680.exe, is found on VirusTotal. Once again, a benign Microsoft executable that looks to be associated with a fun arcade game from the '90s named Crazy Taxi.

    IMR08404.jpg

    Finishing up with this little fella.

    Fig 3. IMR07509.jpg


    Running foremost on the image of this adorable kitten found 4 different DLLs!

    $ foremost IMR08404.JPG
    
    Foremost started at Fri Aug 14 19:51:46 2020
    Invocation: foremost IMR08404.JPG
    Output directory: /home/josiah/kitty/www.eastcoastpersians.com/IMR08404/output
    Configuration file: /usr/local/etc/foremost.conf
    ------------------------------------------------------------------
    File: IMR08404.JPG
    Start: Fri Aug 14 19:51:46 2020
    Length: 1 MB (1966080 bytes)
    
    Num      Name (bs=512)         Size      File Offset     Comment
    
    0:      00000000.jpg         153 KB               0
    1:      00000368.dll         194 KB          188416      07/06/2008 12:06:10
    2:      00001584.dll         253 KB          811008      04/14/2008 00:10:48
    3:      00002584.dll         132 KB         1323008      03/18/2010 08:42:51
    4:      00002864.dll         488 KB         1466368      03/19/2003 04:14:51
    Finish: Fri Aug 14 19:51:46 2020
    
    5 FILES EXTRACTED
    
    jpg:= 1
    exe:= 4
    ------------------------------------------------------------------
    

    All four of them are in VirusTotal, and do not have any AV detections.

    $ find . -maxdepth 2 -type f | while read L; do echo $L && vt file-report `md5sum $L` | grep positives -A1; done
    ./jpg/00000000.jpg
    ./dll/00002584.dll
                "positives": 0,
                "resource": "3e4573658de57508e6e57b39c4f1f937",
    ./dll/00002864.dll
                "positives": 0,
                "resource": "561fa2abb31dfa8fab762145f81667c2",
    ./dll/00001584.dll
                "positives": 0,
                "resource": "f17ce6ba781c726879a32ee90836395d",
    ./dll/00000368.dll
                "positives": 0,
                "resource": "663cc57dafd43f5994ecd9d710c56d6d",
    
    3e4573658de57508e6e57b39c4f1f937

    The first .dll there, found on VirusTotal, is another benign Microsoft file originally found as Microsoft.Build.Conversion.v4.0.dll.

    561fa2abb31dfa8fab762145f81667c2

    This .dll is associated with Medieval II Total War for Steam. Also not malicious according to VirusTotal.

    f17ce6ba781c726879a32ee90836395d

    A legitimate Windows operating system .dll on VirusTotal: the Perm3dd.dll file is a system file containing functions needed by many programs, games, and system tools.

    663cc57dafd43f5994ecd9d710c56d6d

    Finally, mxdwdui.dll is a module belonging to Microsoft XPS Document Writer from Microsoft Corporation, also found on VirusTotal.

    Conclusion

    We ended up identifying multiple benign executables within the pictures of these kitties through the use of YARA, foremost, and a bit more FU. They were potentially used for security control validation, but I am still dying to know WHY, so please reach out if you have any speculations.

    Tags
    deep-file-inspection field-notes in-the-wild