Persian Kitties Hiding Benign Executables

Posted on 2020-08-15 by Josiah Smith

Intro

A while back we had an interesting alert generated from one of the InQuest DFI sensors. It was initially very suspicious, proved to be entertaining, and still leaves the true purpose of the activity open to question. My initial suspicion was raised by an event highlighting an image with an embedded executable. I wanted to share what the follow-up turned up, the humor of the images in question, and my resounding "WHY" did someone do this. The original image was sourced from hxxp://www.eastcoastpersians[.]com/

Domain Info

Doing some research on the domain, eastcoastpersians.com has been around for 3,881 days: created on 2009-12-30 and set to expire on 2020-12-30. The domain's IP is shared with 2,000+ other domains, which points at ordinary shared hosting. There were also no indications of any nefarious involvement when scouring the [InQuest Labs](https://labs.inquest.net/) Reputation or IOC databases.

  • [IOCDB](https://labs.inquest.net/iocdb/search/eastcoastpersians.com)
  • [REPDB](https://labs.inquest.net/repdb/search/eastcoastpersians.com)
  • Site Crawl

    While the alert we saw was generated by one of the hosted images, it was reasonable to check whether any other suspicious images were hosted on the site. A quick crawl downloads all the files from it:

    ```iq-bash
    $ wget \
    --recursive \
    --no-clobber \
    --page-requisites \
    --html-extension \
    --convert-links \
    --restrict-file-names=windows \
    --domains eastcoastpersians.com \
    --no-parent \
    eastcoastpersians.com
    ```

    Running YARA with our default signature base leads us to something fishy going on here.

    ```iq-bash
    $ y .
    MC_Image_with_Embedded_Executable ./IMR08106.JPG
    SC_Executable_Without_DOS_Header ./IMR08106.JPG
    MC_Image_with_Embedded_Executable ./IMR07509.JPG
    SC_Embedded_EXE_Cloaking ./IMR07509.JPG
    SC_Embedded_Exe_in_Image ./IMR07509.JPG
    SC_Executable_Without_DOS_Header ./IMR07509.JPG
    MC_Image_with_Embedded_Executable ./IMR08404.JPG
    SC_Executable_Without_DOS_Header ./IMR08404.JPG
    MC_Image_with_Embedded_Executable ./IMR07509/IMR07509.JPG
    SC_Embedded_EXE_Cloaking ./IMR07509/IMR07509.JPG
    SC_Embedded_Exe_in_Image ./IMR07509/IMR07509.JPG
    SC_Executable_Without_DOS_Header ./IMR07509/IMR07509.JPG
    MC_Image_with_Embedded_Executable ./IMR07509/output/jpg/00000679.jpg
    SC_Embedded_EXE_Cloaking ./IMR07509/output/jpg/00000679.jpg
    SC_Embedded_Exe_in_Image ./IMR07509/output/jpg/00000679.jpg
    SC_Executable_Without_DOS_Header ./IMR07509/output/jpg/00000679.jpg
    MC_Image_with_Embedded_Executable ./IMR08106/IMR08106.JPG
    SC_Executable_Without_DOS_Header ./IMR08106/IMR08106.JPG
    ```

    A quick clean-up isolates which files carry that fishy inclusion. Three of them generated alerts alluding to embedded executables. Of note, these three follow a naming convention (IMR) different from the majority of the other images, which start with IMG.

    ```iq-bash
    $ y . | cut -d. -f2 | distribution
    Key|Ct (Pct) Histogram
    /IMR07509|4 (44.44%) ----------------------------------------------------
    /IMR08404|2 (22.22%) --------------------------
    /IMR08106|2 (22.22%) --------------------------
    ```

    Next, we'd like to carve the executables out of the images for further inspection. There are a number of ways to "skin the cat", so to speak. A favorite tool of ours for carving files out of larger blobs is foremost (foremost.sourceforge.net). Thanks AF OSI!
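To show what the YARA hits and the foremost carve are actually keying on, here is an added Python example (written for this edit, not InQuest's detection logic or foremost's code) that scans a byte blob for PE images two ways: an `MZ` stub whose e_lfanew lands on `PE\0\0`, and a bare `PE\0\0` header with no DOS stub in front of it, the artifact the SC_Executable_Without_DOS_Header hit names. Each hit is sized from its section table and carved out, and the COFF TimeDateStamp is decoded, which is the value foremost prints in its Comment column. The carrier and the two embedded PE images are constructed in-line as stand-ins for the kitty pictures (the JPEG is not a decodable picture and the PEs are syntactically valid but not runnable); the accepted machine-type list and the assumption that a headerless blob begins at its PE signature are mine, not anything the post states.

```python
import struct
from datetime import datetime, timezone

JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
MZ_SIG = b"MZ"
PE_SIG = b"PE\x00\x00"
# IMAGE_FILE_MACHINE_* values accepted as plausible (my list); anything else is noise.
KNOWN_MACHINES = {0x014C: "i386", 0x8664: "amd64", 0x01C4: "armnt", 0xAA64: "arm64"}
IMAGE_FILE_DLL = 0x2000


def _parse_coff(data, pe, base):
    """Validate the COFF header at `pe`; return a hit dict or None.
    `base` is what raw section pointers are relative to: the 'MZ', or the PE
    signature itself when there is no DOS header (assumed for headerless blobs)."""
    if pe + 24 > len(data):
        return None
    machine, nsect, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    if machine not in KNOWN_MACHINES or not 1 <= nsect <= 96:
        return None
    sect_tbl = pe + 24 + opt_size
    end = sect_tbl + 40 * nsect
    for i in range(nsect):                      # image ends where the last raw section ends
        off = sect_tbl + 40 * i
        if off + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, base + raw_ptr + raw_size)
    return {
        "offset": base,
        "size": min(end, len(data)) - base,     # clipped if the carrier truncates it
        "machine": KNOWN_MACHINES[machine],
        "dll": bool(chars & IMAGE_FILE_DLL),
        "timestamp": ts,                        # COFF TimeDateStamp, foremost's Comment column
        "compiled": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
    }


def find_embedded_pe(data):
    """Return every PE image in `data`, with or without a DOS stub, sorted by offset."""
    hits, claimed = [], set()
    pos = data.find(MZ_SIG)
    while pos != -1:                            # pass 1: 'MZ' whose e_lfanew lands on 'PE\0\0'
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == PE_SIG:
                hit = _parse_coff(data, pe, pos)
                if hit:
                    hit["dos_header"] = True
                    hits.append(hit)
                    claimed.add(pe)
        pos = data.find(MZ_SIG, pos + 1)
    pos = data.find(PE_SIG)
    while pos != -1:                            # pass 2: bare 'PE\0\0' that no stub claimed
        if pos not in claimed:
            hit = _parse_coff(data, pos, pos)
            if hit:
                hit["dos_header"] = False
                hits.append(hit)
        pos = data.find(PE_SIG, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def carve(data, hit):
    """Slice one detected image out of the carrier, much as foremost does."""
    return data[hit["offset"]:hit["offset"] + hit["size"]]


def jpeg_trailer_offset(data):
    """First byte after the last EOI marker (heuristic: a payload containing FF D9 shifts it)."""
    if not data.startswith(JPEG_SOI):
        return None
    eoi = data.rfind(JPEG_EOI)
    return None if eoi == -1 else eoi + 2


def build_minimal_pe(timestamp, dll=False, dos_header=True):
    """Constructed sample: a syntactically valid PE32 with one 512-byte section (not runnable)."""
    coff = struct.pack("<4sHHIIIHH", PE_SIG, 0x014C, 1, timestamp, 0, 0, 0xE0,
                       0x2102 if dll else 0x0102)
    optional = b"\x0b\x01" + b"\x00" * (0xE0 - 2)            # PE32 magic, rest zeroed
    section = struct.pack("<8sIIIIIIHHI", b".text\x00\x00\x00",
                          0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = coff + optional + section
    if dos_header:
        headers = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + headers
    return headers.ljust(0x200, b"\x00") + b"\xcc" * 0x200


def build_sample_image():
    """Constructed carrier: JPEG framing around junk 'pixels' (not a decodable picture)."""
    jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    jpeg += b"\x7f" * 100 + MZ_SIG + b"\x00" * 100 + JPEG_EOI  # stray 'MZ' as a decoy
    exe = build_minimal_pe(1190828948)                          # 2007-09-26 17:49:08 UTC
    dll = build_minimal_pe(1219053189, dll=True, dos_header=False)
    return jpeg + exe + b"\x00" * 64 + dll


if __name__ == "__main__":
    sample = build_sample_image()
    print("data after JPEG EOI starts at offset", jpeg_trailer_offset(sample))
    for h in find_embedded_pe(sample):
        print(f"{h['offset']:>6} {h['size']:>5} {h['machine']} {'dll' if h['dll'] else 'exe'} "
              f"dos_header={h['dos_header']} compiled={h['compiled']}")
```

Run it directly and it prints one line per embedded image. The decoy `MZ` planted in the pixel data is rejected because its e_lfanew does not point at a PE signature; that check is what keeps an MZ-anywhere rule from firing on random image bytes. `jpeg_trailer_offset` is a cheap first triage step for the same carriers: any bytes after the EOI marker are not part of the picture, whatever they turn out to be.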

    IMR08106.jpg

    Here is the first kitty that we will be playing with.

    Fig 1. IMR08106.jpg

    ```iq-bash
    Foremost started at Fri Aug 14 18:29:31 2020
    Invocation: foremost IMR08106.JPG
    Output directory: /home/josiah/kitty/www.eastcoastpersians.com/IMR08106/output
    Configuration file: /usr/local/etc/foremost.conf
    ------------------------------------------------------------------
    File: IMR08106.JPG
    Start: Fri Aug 14 18:29:31 2020
    Length: 552 KB (565248 bytes)

    Num Name (bs=512) Size File Offset Comment

    0: 00000000.jpg 125 KB 0
    1: 00001048.jpg 1 KB 536844
    2: 00000520.gif 27 KB 266240 (385 x 204)
    3: 00000400.exe 52 KB 204800 09/26/2007 17:49:08
    4: 00001088.dll 2 KB 557056 08/18/2008 09:53:09
    Finish: Fri Aug 14 18:29:31 2020

    5 FILES EXTRACTED

    jpg:= 2
    gif:= 1
    exe:= 2
    ------------------------------------------------------------------
    ```

    So we have found one .exe and one .dll embedded within that image. A quick loop checks whether any of the carved files are already in VirusTotal, printing each file's AV detection count and the MD5 hash VirusTotal filed it under.

    ```iq-bash
    $ find . -maxdepth 2 -type f | while read L; do echo "$L" && vt file-report "$(md5sum "$L" | cut -d' ' -f1)" | grep positives -A1; done
    ./exe/00000400.exe
    "positives": 0,
    "resource": "37737b3b387295d1c55e9b154f0c4100",
    ./gif/00000520.gif
    ./jpg/00001048.jpg
    ./jpg/00000000.jpg
    ./dll/00001088.dll
    "positives": 0,
    "resource": "49c8e4efab006abb6693859f96737195",
    ```

    37737b3b387295d1c55e9b154f0c4100

    The first file, 00000400.exe, is commonly named ITMRT_TRACE.exe, a benign executable associated with eTrust PestPatrol Anti-Spyware; its report is on [VirusTotal](https://www.virustotal.com/gui/file/c681b9371f745ae6be39a28e8dfbd567e9aa97b31dbf0c4ee8fcde7ca14d5b59/detection).

    49c8e4efab006abb6693859f96737195

    The second file, 00001088.dll, is commonly named hpqd_cul_s.dll, an HP DLL for non-versioned MSI files, found on [VirusTotal](https://www.virustotal.com/gui/file/62202e741e0d915d7b1945f4aef8d7314683b85ad76b0290303a29a19ef576ec/submissions).
    Both are older, well-known, benign files embedded in the image... odd.

    IMR07509.jpg

    Our second hand-sized culprit.

    Fig 2. IMR07509.jpg

    First, carve out the embedded files.

    ```iq-bash
    Foremost started at Fri Aug 14 17:59:13 2020
    Invocation: foremost IMR07509.JPG
    Output directory: /home/josiah/kitty/www.eastcoastpersians.com/IMR07509/output
    Configuration file: /usr/local/etc/foremost.conf
    ------------------------------------------------------------------
    File: IMR07509.JPG
    Start: Fri Aug 14 17:59:13 2020
    Length: 420 KB (430080 bytes)

    Num Name (bs=512) Size File Offset Comment
    ~
    23: 00000224.exe 76 KB 114688 06/05/2008 20:06:09
    24: 00000680.exe 79 KB 348160 12/04/2002 09:24:15
    ```

    And check whether they exist on VirusTotal, and their detection rate.

    ```iq-bash
    $ ls | while read L; do echo "$L" && vt file-report "$(md5sum "$L" | cut -d' ' -f1)" | grep positives -A1; done
    00000224.exe
    "positives": 0,
    "resource": "03e5567ad53e8afa43622cfbf45bab26",
    00000680.exe
    "positives": 0,
    "resource": "a27d713b51923e72e58fae4d5ca073d7",
    ```

    03e5567ad53e8afa43622cfbf45bab26

    The first executable, 00000224.exe, is found on [VirusTotal](https://www.virustotal.com/gui/file/e85f25c7004304e3ae459e26723ba1d786455fa639e4334cd1025c7dc8e194c0/detection) and looks to be xpicleanup.exe, part of XULRunner, a discontinued, packaged version of the Mozilla platform.

    a27d713b51923e72e58fae4d5ca073d7

    The second one, 00000680.exe, is found here on [VirusTotal](https://www.virustotal.com/gui/file/e874d60d3514f29fafc59bef7e7954b686c7d850366565f514109ded24bb16b7/details). Once again a benign Windows executable, this one apparently associated with a fun arcade game from the 90's named Crazy Taxi.

    IMR08404.jpg

    Finishing up with this little fella.

    Fig 3. IMR08404.jpg

    Running foremost on the image of this adorable kitten found 4 different DLLs!

    ```iq-bash
    $ foremost IMR08404.JPG

    Foremost started at Fri Aug 14 19:51:46 2020
    Invocation: foremost IMR08404.JPG
    Output directory: /home/josiah/kitty/www.eastcoastpersians.com/IMR08404/output
    Configuration file: /usr/local/etc/foremost.conf
    ------------------------------------------------------------------
    File: IMR08404.JPG
    Start: Fri Aug 14 19:51:46 2020
    Length: 1 MB (1966080 bytes)

    Num Name (bs=512) Size File Offset Comment

    0: 00000000.jpg 153 KB 0
    1: 00000368.dll 194 KB 188416 07/06/2008 12:06:10
    2: 00001584.dll 253 KB 811008 04/14/2008 00:10:48
    3: 00002584.dll 132 KB 1323008 03/18/2010 08:42:51
    4: 00002864.dll 488 KB 1466368 03/19/2003 04:14:51
    Finish: Fri Aug 14 19:51:46 2020

    5 FILES EXTRACTED

    jpg:= 1
    exe:= 4
    ------------------------------------------------------------------
    ```
    All four of them are in VirusTotal, and none has any AV detections.

    ```iq-bash
    $ find . -maxdepth 2 -type f | while read L; do echo "$L" && vt file-report "$(md5sum "$L" | cut -d' ' -f1)" | grep positives -A1; done
    ./jpg/00000000.jpg
    ./dll/00002584.dll
    "positives": 0,
    "resource": "3e4573658de57508e6e57b39c4f1f937",
    ./dll/00002864.dll
    "positives": 0,
    "resource": "561fa2abb31dfa8fab762145f81667c2",
    ./dll/00001584.dll
    "positives": 0,
    "resource": "f17ce6ba781c726879a32ee90836395d",
    ./dll/00000368.dll
    "positives": 0,
    "resource": "663cc57dafd43f5994ecd9d710c56d6d",
    ```

    3e4573658de57508e6e57b39c4f1f937

    The first .dll there, found on [VirusTotal](https://www.virustotal.com/gui/file/966f37c0b24257cfd956f8fbbe533e8c4914788f6bfbac40fa1cc9fc5fcf5073/details), is another benign Microsoft file, originally named Microsoft.Build.Conversion.v4.0.dll.

    561fa2abb31dfa8fab762145f81667c2

    This .dll is associated with Medieval II: Total War for Steam. Also not malicious, per [VirusTotal](https://www.virustotal.com/gui/file/df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b/community).

    f17ce6ba781c726879a32ee90836395d

    A legitimate Windows operating system DLL, on [VirusTotal](https://www.virustotal.com/gui/file/152d5a8248b5ba21209b96f4a2b83508ad730f97c83157bc8487a4a637a30eea/details). Perm3dd.dll is a system file providing functions used by many applications, games, and system tools.

    663cc57dafd43f5994ecd9d710c56d6d

    Finally, mxdwdui.dll is a module belonging to the Microsoft XPS Document Writer from Microsoft Corporation; see [VirusTotal](https://www.virustotal.com/gui/file/7ed523aabf63e06b4fef710216b64c3f6b26b3b908ef082c41b1e38fca112e66/detection).

    Conclusion

    We ended up identifying multiple benign executables within the pictures of these kitties through the use of YARA, foremost, and a bit of command-line fu. They may have been planted for security control validation (a harmless carrier that should still trip an embedded-executable detector), but I am still dying to know WHY, so please reach out if you have any speculations.


    Tags
    deep-file-inspection field-notes in-the-wild
