Interpreting the action tables and execution graphs
Action tables and execution graphs show 15 days of telemetry associated with each detection made by advanced protection. This telemetry shows the actions taken by the programs involved in an attack. A certain degree of technical knowledge is necessary to be able to extract activity patterns and key information in each situation.
The following section provides some basic guidelines to interpret the action tables with some real-life examples of threats.
The names of the threats indicated herein might vary across security vendors. We recommend that you use a hash to identify malware.
Example 1: Trj/OCJ.A malware activity
The Details tab provides key information about the malware found. In this case, the most important data is as follows:
- Threat: Trj/OCJ.A
- Computer: XP-BARCELONA1
- Detection path: TEMP|\Rar$EXa0.946\appnee.com.patch.exe
Activity
The Activity tab shows a number of actions because Advanced EDR was configured in Hardening mode and the malware already resided on the computer when Advanced EDR was installed. The malware was unknown at the time of running.
Hash
Use the hash string to obtain more information on sites such as VirusTotal and get a general idea of the threat and how it works.
Detection path
The path where the malware was first detected on the computer is a temporary directory and contains the 'RAR' string. Therefore, the threat came from a RAR archive that was temporarily decompressed into that directory, producing the appnee.com.patch.exe executable.
Activity tab
Step | Date | Action | Path |
---|---|---|---|
1 | 3:17:00 | Is created by | PROGRAM_FILES\|\WinRAR\WinRAR.exe |
2 | 3:17:01 | Is run by | PROGRAM_FILES\|\WinRAR\WinRAR.exe |
3 | 3:17:13 | Creates | TEMP\|\bassmod.dll |
4 | 3:17:34 | Creates | PROGRAM_FILES\|\Adobe\ACROBAT 11.0\Acrobat\AMTLIB.DLL.BAK |
5 | 3:17:40 | Modifies | PROGRAM_FILES\|\Adobe\ACROBAT 11.0\Acrobat\amtlib.dll |
6 | 3:17:40 | Deletes | PROGRAM_FILES\|\ADOBE\ACROBAT 11.0\ACROBAT\AMTLIB.DLL.BAK |
7 | 3:17:41 | Creates | PROGRAM_FILES\|\Adobe\ACROBAT 11.0\Acrobat\ACROBAT.DLL.BAK |
8 | 3:17:42 | Modifies | PROGRAM_FILES\|\Adobe\ACROBAT 11.0\Acrobat\amtlib.dll |
9 | 3:17:59 | Runs | PROGRAM_FILES\|\Google\Chrome\Application\chrome.exe |
Steps 1 and 2 indicate that the malware was uncompressed by WinRAR.exe and run from that program. The user opened the compressed file and clicked its binary.
After being run, in step 3 the malware created a DLL file (bassmod.dll) in a temporary folder, and another one (step 4) in the installation directory of the Adobe Acrobat 11 program. In step 5, it modified an Adobe DLL file, perhaps to take advantage of a program vulnerability.
After modifying other DLL files, it launched an instance of Google Chrome, which is where the timeline ends. Advanced EDR classified the program as a threat after that string of suspicious events and stopped its execution.
The timeline shows no actions on the Windows registry, so it is very likely that the malware is not persistent or was not able to modify the Windows registry to make sure it could survive a computer restart.
The Adobe Acrobat 11 software was compromised, so a reinstall is recommended. Thanks to the fact that Advanced EDR monitors both goodware and malware executables, the execution of a compromised program is detected as soon as it triggers dangerous actions, and is blocked.
Example 2: Communication with external computers by BetterSurf
BetterSurf is a potentially unwanted program that modifies the web browser installed on user computers, injecting ads in the web pages they visit.
The Details tab provides key information about the malware found. In this case, it shows this data:
- Name: PUP/BetterSurf
- Computer: MARTA-CAL
- Detection path: PROGRAM_FILES|\VER0BLOCKANDSURF\N4CD190.EXE
Dwell time
In this case, the dwell time is very long: the malware remained dormant on the customer network for almost 12 days. This is increasingly normal behavior and can be due to various reasons. For example, the malware did not carry out any suspicious actions until very late, or the user downloaded the file but did not run it at the time. In any case, the threat was unknown to the security service, so there was no malware signature to compare it to.
Activity tab
Step | Date | Action | Path |
---|---|---|---|
1 | 3/8/2015 11:16 | Is created by | TEMP\|\08c3b650-e9e14f.exe |
2 | 3/18/2015 11:16 | Is created by | SYSTEM\|\services.exe |
3 | 3/18/2015 11:16 | Loads | PROGRAM_FILES\|\VER0BLOF\N4Cd190.dll |
4 | 3/18/2015 11:16 | Loads | SYSTEM\|\BDL.dll |
5 | 3/18/2015 11:16 | Communicates with | 127.0.0.1/13879 |
6 | 3/18/2015 11:16 | Communicates with | 37.58.101.205/80 |
7 | 3/18/2015 11:17 | Communicates with | 5.153.39.133/80 |
8 | 3/18/2015 11:17 | Communicates with | 50.97.62.154/80 |
9 | 3/18/2015 11:17 | Communicates with | 50.19.102.217/80 |
In this case, you can see how the malware communicated with different IP addresses. The first address (step 5) is the infected computer itself, and the rest are external IP addresses to which it connected through port 80 and from which the advertising content was probably downloaded.
The main preventive measure in this case should be to block those IP addresses in the corporate firewall.
Before adding rules to block IP addresses in the corporate firewall, you should look up those IP addresses in the relevant RIR (RIPE, ARIN, APNIC, etc.) to see which networks they belong to. In many cases, the remote infrastructure used by malware is shared with legitimate services hosted by providers such as Amazon and similar, so blocking certain IP addresses would be the same as blocking access to legitimate web pages.
Example 3: Access to the Windows registry by PasswordStealer.BT
PasswordStealer.BT is a Trojan that logs the user activity on the infected computer and sends the information obtained to an external server. Among other things, it captures screens, logs keystrokes, and sends files to a C&C (Command & Control) server.
The Details tab provides key information about the malware found. In this case, it shows this data:
Detection path: APPDATA|\microsoftupdates\micupdate.exe
The name and location of the executable file indicate that the malware poses as a Microsoft update. This particular malware cannot infect computers by itself; it requires the user to run it manually.
Activity tab
Advanced EDR was configured in Hardening mode and the malware already resided on the computer when Advanced EDR was installed. The malware was unknown at the time of running.
Action table
Step | Date | Action | Path |
---|---|---|---|
1 | 03/31/2015 23:29 | Is run by | PROGRAM_FILESX86\|\internet explorer\iexplore.exe |
2 | 03/31/2015 23:29 | Is created by | INTERNET_CACHE\|\Content.IE5\QGV8PV80\index[1].php |
3 | 03/31/2015 23:30 | Creates key pointing to EXE file | \REGISTRY\USER\S-1-5[...]9-5659\Software\Microsoft\Windows\CurrentVersion\Run?MicUpdate |
4 | 03/31/2015 23:30 | Runs | SYSTEMX86\|\notepad.exe |
5 | 03/31/2015 23:30 | Thread injected by | SYSTEMX86\|\notepad.exe |
In this case, the malware was generated in step 2 by a web page and run by Internet Explorer.
The sequence of actions has a granularity of one microsecond. For this reason, the actions executed within the same microsecond might not appear in order on the timeline, as in step 1 and step 2.
After being run, the malware became persistent in step 3, adding a branch to the Windows registry so that it runs every time the computer starts up. It then started to execute typical malware actions such as opening Notepad and injecting code into one of its threads.
As a remediation action in this case and in the absence of a known disinfection method, you can minimize the impact of the malware by deleting the malicious Windows registry entry. However, it is quite possible that the malware might prevent you from modifying that entry on infected computers; in that case, you would have to either start the computer in safe mode or with a bootable CD to delete the entry.
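The patterns called out in Examples 1 and 3 (a binary run straight from a temporarily extracted archive, goodware DLLs modified under Program Files, a Run key pointing at the executable, thread injection, and the absence of any registry activity) are simple enough to encode as triage rules over the action rows. The following is an added example, not code from the product or its documentation; the rows are constructed from the two tables on this page, the (step, date, action, path) layout is an assumption about how the table would be exported, and the "Thread injected by" label is taken from the table as shown.

```python
"""Rule-based triage of Advanced EDR action-table rows for persistence,
injection and goodware tampering."""
import re

# Rows constructed from the Example 1 and Example 3 action tables on this page.
# The (step, date, action, path) layout is an assumption about how the table
# would be exported, not the product's own export format.
EXAMPLE1_DETECTION_PATH = "TEMP|\\Rar$EXa0.946\\appnee.com.patch.exe"
EXAMPLE1_ROWS = [
    (1, "3:17:00", "Is created by", "PROGRAM_FILES|\\WinRAR\\WinRAR.exe"),
    (2, "3:17:01", "Is run by", "PROGRAM_FILES|\\WinRAR\\WinRAR.exe"),
    (3, "3:17:13", "Creates", "TEMP|\\bassmod.dll"),
    (5, "3:17:40", "Modifies", "PROGRAM_FILES|\\Adobe\\ACROBAT 11.0\\Acrobat\\amtlib.dll"),
    (6, "3:17:40", "Deletes", "PROGRAM_FILES|\\ADOBE\\ACROBAT 11.0\\ACROBAT\\AMTLIB.DLL.BAK"),
    (9, "3:17:59", "Runs", "PROGRAM_FILES|\\Google\\Chrome\\Application\\chrome.exe"),
]

EXAMPLE3_DETECTION_PATH = "APPDATA|\\microsoftupdates\\micupdate.exe"
EXAMPLE3_ROWS = [
    (1, "03/31/2015 23:29", "Is run by", "PROGRAM_FILESX86|\\internet explorer\\iexplore.exe"),
    (2, "03/31/2015 23:29", "Is created by", "INTERNET_CACHE|\\Content.IE5\\QGV8PV80\\index[1].php"),
    (3, "03/31/2015 23:30", "Creates key pointing to EXE file",
     "\\REGISTRY\\USER\\S-1-5[...]9-5659\\Software\\Microsoft\\Windows\\CurrentVersion\\Run?MicUpdate"),
    (4, "03/31/2015 23:30", "Runs", "SYSTEMX86|\\notepad.exe"),
    (5, "03/31/2015 23:30", "Thread injected by", "SYSTEMX86|\\notepad.exe"),
]

# Per-user or per-machine autostart key; the value name follows the '?' in the table cell.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)
TAMPER_ACTIONS = {"Modifies", "Deletes"}
INJECTION_ACTIONS = {"Thread injected by"}  # label exactly as shown in the page's table


def archive_temp_origin(detection_path):
    """True when the detection path is a temp folder holding an extracted RAR
    (the 'Rar$' marker WinRAR uses for its temporary extraction directory)."""
    upper = detection_path.upper()
    return upper.startswith("TEMP|") and "RAR$" in upper


def registry_touched(rows):
    """Any row that names a registry path or a key operation."""
    return any("\\REGISTRY\\" in path.upper() or "key" in action.lower()
               for _, _, action, path in rows)


def triage(detection_path, rows):
    """Return (category, step, detail) findings; step 0 means 'whole table'."""
    findings = []
    if archive_temp_origin(detection_path):
        findings.append(("origin", 0, "run straight from a temporarily extracted RAR archive"))
    for step, _, action, path in rows:
        upper = path.upper()
        if action.startswith("Creates key") and RUN_KEY.search(path):
            value = path.rsplit("?", 1)[-1]
            findings.append(("persistence", step, f"Run key value {value} points at the executable"))
        elif action in INJECTION_ACTIONS:
            findings.append(("injection", step, f"code injected into a thread of {path}"))
        elif (action in TAMPER_ACTIONS and upper.startswith("PROGRAM_FILES|")
              and upper.endswith((".DLL", ".DLL.BAK"))):
            findings.append(("tampering", step, f"{action.lower()} goodware DLL {path}"))
    if not registry_touched(rows):
        findings.append(("no-persistence", 0,
                         "no registry actions in the table; survival across reboot is unlikely"))
    return findings


if __name__ == "__main__":
    for label, detection_path, rows in (("Example 1", EXAMPLE1_DETECTION_PATH, EXAMPLE1_ROWS),
                                        ("Example 3", EXAMPLE3_DETECTION_PATH, EXAMPLE3_ROWS)):
        print(label)
        for category, step, detail in triage(detection_path, rows):
            print(f"  [{category}] step {step}: {detail}")
```

The "tampering" findings are what justify the reinstall recommendation in Example 1, and the "persistence" finding names the Run value to remove (after an image of the system is taken, and from safe mode or bootable media if the running malware blocks the edit, as the text above describes).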
Example 4: Access to confidential data by Trj/Chgt.F
Trj/Chgt.F was uncovered by WikiLeaks at the end of 2014 as a tool used by government agencies in some countries for selective espionage.
In this example, we go directly to the Activity tab to show you the behavior of this advanced threat.
Action table
Step | Date | Action | Path |
---|---|---|---|
1 | 4/21/2015 2:17:47 | Is run by | SYSTEMDRIVE\|\Python27\pythonw.exe |
2 | 4/21/2015 2:18:01 | Accesses data | #.XLS |
3 | 4/21/2015 2:18:01 | Accesses data | #.DOC |
4 | 4/21/2015 2:18:03 | Creates | TEMP\|\doc.scr |
5 | 4/21/2015 2:18:06 | Runs | TEMP\|\doc.scr |
6 | 4/21/2015 2:18:37 | Runs | PROGRAM_FILES\|\Microsoft Office\Office12\WINWORD.EXE |
7 | 4/21/2015 8:58:02 | Communicates with | 192.168.0.1/2042 |
The malware was initially run by the Python interpreter (step 1), and later accessed an Excel file and a Word document (steps 2 and 3). In step 4, a file with an SCR extension was run, probably a screensaver with some type of flaw or error that could be exploited by the malware.
In step 7, the malware established a TCP connection. The IP address is private, so the malware connected to the customer's own network.
In a case such as this, it is important to check the content of the files accessed by the threat to assess the loss of information. However, the timeline of this particular attack shows that no information was extracted from the customer network.
Advanced EDR disinfected the threat and blocked any subsequent execution of the malware on this and other customers' systems.