
Persian Kitties Hiding Benign Executables


Intro

A while back we had an interesting alert generated from one of the InQuest® DFI® sensors that was initially very suspicious, but proved to be entertaining and still questionable regarding the true purpose of the activity. My initial suspicion was drawn to an event highlighting an image with an embedded executable. I wanted to share the corresponding information that was derived, the humor of the images in question, and my resounding “WHY” did someone do this. The original image was sourced from hxxp://www.eastcoastpersians[.]com/

Domain Info

Doing some research on the domain, eastcoastpersians.com has been around for 3,881 days. It was created on 2009-12-30 and is set to expire on 2020-12-30. The domain's IP is shared with 2,000+ other domains. There were also no indications of any nefarious involvement when scouring the InQuest® Labs Reputation or IOC databases.

  • IOCDB
  • REPDB
  • Site Crawl

    While the alert we saw was generated from one of the hosted images, it was reasonable to see if there were any other suspicious images hosted on this page. We did a quick crawl and downloaded all the files from that site.

    $ wget \
        --recursive \
        --no-clobber \
        --page-requisites \
        --html-extension \
        --convert-links \
        --restrict-file-names=windows \
        --domains eastcoastpersians.com \
        --no-parent \
        eastcoastpersians.com

    Running YARA with our default signature base leads us to something fishy going on here.

    $ y .
    MC_Image_with_Embedded_Executable ./IMR08106.JPG
    SC_Executable_Without_DOS_Header ./IMR08106.JPG
    MC_Image_with_Embedded_Executable ./IMR07509.JPG
    SC_Embedded_EXE_Cloaking ./IMR07509.JPG
    SC_Embedded_Exe_in_Image ./IMR07509.JPG
    SC_Executable_Without_DOS_Header ./IMR07509.JPG
    MC_Image_with_Embedded_Executable ./IMR08404.JPG
    SC_Executable_Without_DOS_Header ./IMR08404.JPG
    MC_Image_with_Embedded_Executable ./IMR07509/IMR07509.JPG
    SC_Embedded_EXE_Cloaking ./IMR07509/IMR07509.JPG
    SC_Embedded_Exe_in_Image ./IMR07509/IMR07509.JPG
    SC_Executable_Without_DOS_Header ./IMR07509/IMR07509.JPG
    MC_Image_with_Embedded_Executable ./IMR07509/output/jpg/00000679.jpg
    SC_Embedded_EXE_Cloaking ./IMR07509/output/jpg/00000679.jpg
    SC_Embedded_Exe_in_Image ./IMR07509/output/jpg/00000679.jpg
    SC_Executable_Without_DOS_Header ./IMR07509/output/jpg/00000679.jpg
    MC_Image_with_Embedded_Executable ./IMR08106/IMR08106.JPG
    SC_Executable_Without_DOS_Header ./IMR08106/IMR08106.JPG

    A quick clean-up to isolate which files have that fishy inclusion. It looks like three of them generated alerts alluding to embedded executables. Of note, these three follow a naming convention (IMR) different from the majority of the other images, which start with IMG.

    $ y . | cut -d. -f2 | distribution
    Key|Ct (Pct) Histogram
    /IMR07509|4 (44.44%) ----------------------------------------------------
    /IMR08404|2 (22.22%) --------------------------
    /IMR08106|2 (22.22%) --------------------------

    Next, we'd like to carve the executables out of the images for further inspection. There are a number of ways to “skin the cat”, so to speak. A favorite tool of ours for carving files out of larger blobs is foremost.sourceforge.net. Thanks AF OSI!
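    The YARA hits above split into two cases: an embedded PE with its DOS (MZ) header intact, and a PE signature with no DOS header in front of it. The following added example (not part of the original post, and not InQuest's or foremost's code) re-implements that distinction in a few lines of Python, then carves each hit out and hashes it the way the foremost/md5sum steps below do. The 0x40..0x1000 bound on e_lfanew and the constructed sample image are assumptions of this example.

```python
import hashlib
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"

def find_embedded_pe(data):
    """Return sorted (offset, kind) pairs for PE images found inside a JPEG.

    'pe': an MZ header whose e_lfanew points at 'PE\\0\\0'; 'pe_no_dos_header':
    a bare 'PE\\0\\0' with no MZ explaining it (the two cases the YARA hits split).
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    found, claimed = [], set()  # claimed: PE offsets already explained by an MZ
    pos = data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # 0x40..0x1000 is a sanity bound on the DOS stub size (assumption)
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == PE_SIG:
                found.append((pos, "pe"))
                claimed.add(pe_off)
        pos = data.find(MZ, pos + 1)
    pos = data.find(PE_SIG)
    while pos != -1:
        if pos not in claimed:
            found.append((pos, "pe_no_dos_header"))
        pos = data.find(PE_SIG, pos + 1)
    return sorted(found)

def carve(data, findings):
    """Slice each finding out to the next one (or EOF); return (offset, kind, md5, blob)."""
    out = []
    for i, (off, kind) in enumerate(findings):
        end = findings[i + 1][0] if i + 1 < len(findings) else len(data)
        blob = data[off:end]
        out.append((off, kind, hashlib.md5(blob).hexdigest(), blob))
    return out

def sample_image():
    """Constructed sample: JPEG SOI/EOI shell + synthetic DOS/PE header (no real code)."""
    jpeg = b"\xff\xd8" + b"\x00" * 30 + b"\xff\xd9"
    dos = bytearray(0x40)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    return jpeg + bytes(dos) + PE_SIG + b"\x4c\x01" + b"\x00" * 16  # Machine = 0x014c
```

    Run `carve(img, find_embedded_pe(img))` on the bytes of a downloaded JPEG to get the offsets and MD5s to look up; a 'pe_no_dos_header' hit is the case the SC_Executable_Without_DOS_Header rule above reports.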

    IMR08106.jpg

    Here is the first kitty that we will be playing with.

    Fig 1. IMR08106.jpg

    Foremost started at Fri Aug 14 18:29:31 2020
    Invocation: foremost IMR08106.JPG
    Output directory: /home/josiah/kitty/www.eastcoastpersians.com/IMR08106/output
    Configuration file: /usr/local/etc/foremost.conf
    ------------------------------------------------------------------
    File: IMR08106.JPG
    Start: Fri Aug 14 18:29:31 2020
    Length: 552 KB (565248 bytes)

    Num Name (bs=512) Size File Offset Comment

    0: 00000000.jpg 125 KB 0
    1: 00001048.jpg 1 KB 536844
    2: 00000520.gif 27 KB 266240 (385 x 204)
    3: 00000400.exe 52 KB 204800 09/26/2007 17:49:08
    4: 00001088.dll 2 KB 557056 08/18/2008 09:53:09
    Finish: Fri Aug 14 18:29:31 2020

    5 FILES EXTRACTED

    jpg:= 2
    gif:= 1
    exe:= 2
    ------------------------------------------------------------------

    So we have found one .exe and one .dll embedded within that image. A quick look to see if any of those files are in VirusTotal, along with their AV detection count and MD5 hash.

    $ find . -maxdepth 2 -type f | while read L; do echo $L && vt file-report `md5sum $L` | grep positives -A1; done
    ./exe/00000400.exe
    "positives": 0,
    "resource": "37737b3b387295d1c55e9b154f0c4100",
    ./gif/00000520.gif
    ./jpg/00001048.jpg
    ./jpg/00000000.jpg
    ./dll/00001088.dll
    "positives": 0,
    "resource": "49c8e4efab006abb6693859f96737195",

    37737b3b387295d1c55e9b154f0c4100

    The first file, 00000400.exe, looks to be commonly named ITMRT_TRACE.exe, a benign executable associated with eTrust PestPatrol Anti-Spyware; it can be found on VirusTotal.

    49c8e4efab006abb6693859f96737195

    The second file, ‘00001088.dll’, looks to be commonly named hpqd_cul_s.dll, an HP DLL for non-versioned MSI files, also found on VirusTotal.

    Both are older, well-known, benign files that are embedded in the image… odd.

    IMR07509.jpg

    Our second hand-sized culprit.

    Fig 2. IMR07509.jpg

    First, carve out the embedded files.

    Foremost started at Fri Aug 14 17:59:13 2020
    Invocation: foremost IMR07509.JPG
    Output directory: /home/josiah/kitty/www.eastcoastpersians.com/IMR07509/output
    Configuration file: /usr/local/etc/foremost.conf
    ------------------------------------------------------------------
    File: IMR07509.JPG
    Start: Fri Aug 14 17:59:13 2020
    Length: 420 KB (430080 bytes)

    Num Name (bs=512) Size File Offset Comment
    ~
    23: 00000224.exe 76 KB 114688 06/05/2008 20:06:09
    24: 00000680.exe 79 KB 348160 12/04/2002 09:24:15

    Then check whether they exist on VirusTotal and what their detection rate is.

    $ ls | while read L; do echo $L && vt file-report `md5sum $L` | grep positives -A1; done
    00000224.exe
    "positives": 0,
    "resource": "03e5567ad53e8afa43622cfbf45bab26",
    00000680.exe
    "positives": 0,
    "resource": "a27d713b51923e72e58fae4d5ca073d7",

    03e5567ad53e8afa43622cfbf45bab26

    The first executable, 00000224.exe, is found on VirusTotal and looks to be xpicleanup.exe, which is part of XULRunner, a discontinued, packaged version of the Mozilla platform.

    a27d713b51923e72e58fae4d5ca073d7

    The second one, 00000680.exe, is found on VirusTotal. Once again, a benign Microsoft executable that looks to be associated with a fun arcade game from the 90’s named Crazy Taxi.

    IMR08404

    Finishing up with this little fella.

    Fig 3. IMR07509.jpg

    Running foremost on the image of this adorable kitten found 4 different DLLs!

    $ foremost IMR08404.JPG

    Foremost started at Fri Aug 14 19:51:46 2020
    Invocation: foremost IMR08404.JPG
    Output directory: /home/josiah/kitty/www.eastcoastpersians.com/IMR08404/output
    Configuration file: /usr/local/etc/foremost.conf
    ------------------------------------------------------------------
    File: IMR08404.JPG
    Start: Fri Aug 14 19:51:46 2020
    Length: 1 MB (1966080 bytes)

    Num Name (bs=512) Size File Offset Comment

    0: 00000000.jpg 153 KB 0
    1: 00000368.dll 194 KB 188416 07/06/2008 12:06:10
    2: 00001584.dll 253 KB 811008 04/14/2008 00:10:48
    3: 00002584.dll 132 KB 1323008 03/18/2010 08:42:51
    4: 00002864.dll 488 KB 1466368 03/19/2003 04:14:51
    Finish: Fri Aug 14 19:51:46 2020

    5 FILES EXTRACTED

    jpg:= 1
    exe:= 4
    ------------------------------------------------------------------

    All four of them are in VirusTotal and do not have any AV detections.

    $ find . -maxdepth 2 -type f | while read L; do echo $L && vt file-report `md5sum $L` | grep positives -A1; done
    ./jpg/00000000.jpg
    ./dll/00002584.dll
    "positives": 0,
    "resource": "3e4573658de57508e6e57b39c4f1f937",
    ./dll/00002864.dll
    "positives": 0,
    "resource": "561fa2abb31dfa8fab762145f81667c2",
    ./dll/00001584.dll
    "positives": 0,
    "resource": "f17ce6ba781c726879a32ee90836395d",
    ./dll/00000368.dll
    "positives": 0,
    "resource": "663cc57dafd43f5994ecd9d710c56d6d",

    3e4573658de57508e6e57b39c4f1f937

    The first .dll there, found on VirusTotal, is another benign Microsoft file, originally found as Microsoft.Build.Conversion.v4.0.dll.

    561fa2abb31dfa8fab762145f81667c2

    This .dll is associated with Medieval II Total War for Steam. Also not malicious according to VirusTotal.

    f17ce6ba781c726879a32ee90836395d

    A legitimate Windows operating system .dll, per VirusTotal. The Perm3dd.dll file is a system file containing functions needed by many applications, games, and system tools.

    663cc57dafd43f5994ecd9d710c56d6d

    Finally, mxdwdui.dll is a module belonging to Microsoft XPS Document Writer from Microsoft Corporation, per VirusTotal.

    Conclusion

    We ended up identifying multiple benign executables within the pictures of these kitties through the use of YARA, foremost, and a bit more FU. They were potentially used for security control validation, but I am still dying to know WHY, so please reach out if you have any speculations.