Difference between pages "Malware analysis" and "Windows Job File Format"

From ForensicsWiki
= Malware analysis =

Analyzing [[malware]], or malicious software, is more of an art than a technique. Because these programs vary so widely, there are limitless ways to hide functionality.

Some common tools for malware analysis include simple programs like [[strings]]. More complex analysis can be conducted by looking at the headers of executables with programs like [[PEiD]] and [[PeExplorer]]. Finally, the most complete analysis can be done with debuggers like [[IDA Pro]] and [[OllyDbg]].

== See Also ==
* [[Malware]]
* [[List of Malware Analysis Tools]]

== External Links ==
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-1/ Executable File Analysis (Windows Forensic Analysis) Part 1]
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-2/ Executable File Analysis (Windows Forensic Analysis) Part 2]
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-3/ Executable File Analysis (Windows Forensic Analysis) Part 3]
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-4/ Executable File Analysis (Windows Forensic Analysis) Part 4]
* [http://www.giac.org/paper/gcih/641/exploiting-microsoftwindows-task-scheduler-job-stack-overflow-vulnerability/104732 Exploiting the Microsoft Windows Task Scheduler '.job' Stack Overflow Vulnerability], by Kevin Wenchel, May 2004
* [http://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/ Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 1], by Paul Ducklin, October 11, 2013
* [http://nakedsecurity.sophos.com/2013/10/25/anatomy-of-an-exploit-inside-the-cve-2013-3893-internet-explorer-zero-day-part-2/ Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 2], by Paul Ducklin, October 25, 2013

=== Careto ===
* [http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf Unveiling "Careto" - The Masked APT], by [[Kaspersky|Kaspersky Lab]], February 2014

=== China Chopper ===
* [http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html Breaking Down the China Chopper Web Shell – Part I], by Tony Lee, Ian Ahl and Dennis Hanzlik, August 7, 2013
* [http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html Breaking Down the China Chopper Web Shell – Part II], by Tony Lee, Ian Ahl and Dennis Hanzlik, August 9, 2013

=== Hacking Team ===
* [https://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/ Police Story: Hacking Team's Government Surveillance Malware], by Morgan Marquis-Boire, John Scott-Railton, Claudio Guarnieri, and Katie Kleemola, June 24, 2014
* [http://www.securelist.com/en/blog/8231/HackingTeam_2_0_The_Story_Goes_Mobile HackingTeam 2.0: The Story Goes Mobile], Kaspersky Lab, June 24, 2014
* [http://reverse.put.as/2014/06/26/shakacon-6-presentation-fuck-you-hacking-team-from-portugal-with-love/ Shakacon #6 presentation: Fuck you Hacking Team, From Portugal with Love], by fG!, June 26, 2014

=== Hikit ===
* [https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-1-2/ The "Hikit" Rootkit: Advanced and Persistent Attack Techniques (Part 1)], by Ryan Kazanciyan, August 20, 2012
* [https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-2/ The "Hikit" Rootkit: Advanced and Persistent Attack Techniques (Part 2)], by Christopher Glyer, August 22, 2012

=== PlugX ===
* [http://labs.lastline.com/an-analysis-of-plugx An Analysis of PlugX], by Roman Vasilenko, December 17, 2013

=== Shell Crew ===
* [http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf RSA Incident Response: Emerging Threat Profile - Shell_Crew], by [[EMC]], January 2014

=== Uroburos ===
* [https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf Uroburos - Highly complex espionage software with Russian roots], by G Data SecurityLabs, February 2014
* [http://spresec.blogspot.com/2014/03/uroburos-rootkit-hook-analysis-and.html?m=1 Uroburos Rootkit Hook Analysis and Driver Extraction], SP Security Blog, March 20, 2014

=== Winnti ===
* [https://www.securelist.com/en/downloads/vlpdfs/winnti-more-than-just-a-game-130410.pdf "Winnti" More than just a game], by Kaspersky Lab, April 2013

= Windows Job File Format =

{{expand}}

== Overview ==
On [[Windows]] a .JOB file specifies task configuration. A .JOB file consists of two main sections, fixed-length and variable-length.

=== Fixed-length section ===
The fixed-length section is 68 bytes in size and consists of:

{| class="wikitable"
|-
! offset
! size
! value
! description
|-
| 0
| 2
|
| Product version
|-
| 2
| 2
|
| File version
|-
| 4
| 16
|
| Job UUID (or GUID)
|-
| 20
| 2
|
| Application name size offset <br> The offset is relative from the start of the file.
|-
| 22
| 2
|
| Trigger offset <br> The offset is relative from the start of the file.
|-
| 24
| 2
|
| Error Retry Count
|-
| 26
| 2
|
| Error Retry Interval
|-
| 28
| 2
|
| Idle Deadline
|-
| 30
| 2
|
| Idle Wait
|-
| 32
| 4
|
| Priority
|-
| 36
| 4
|
| Maximum Run Time
|-
| 40
| 4
|
| Exit Code
|-
| 44
| 4
|
| Status
|-
| 48
| 4
|
| Flags
|-
| 52
| 16
|
| Last run time <br> Consists of a SYSTEMTIME
|}

==== SYSTEMTIME ====
{| class="wikitable"
|-
! offset
! size
! value
! description
|-
| 0
| 2
|
| Year
|-
| 2
| 2
|
| Month
|-
| 4
| 2
|
| Weekday
|-
| 6
| 2
|
| Day
|-
| 8
| 2
|
| Hour
|-
| 10
| 2
|
| Minute
|-
| 12
| 2
|
| Second
|-
| 14
| 2
|
| Millisecond
|}

==== Priority ====
{| class="wikitable"
|-
! Value
! Identifier
! Description
|-
| 0x00800000
| REALTIME_PRIORITY_CLASS
| The task can run at the highest possible priority. The threads of a real-time priority class process preempt the threads of all other processes, including operating system processes performing important tasks.
|-
| 0x01000000
| HIGH_PRIORITY_CLASS
| The task performs time-critical tasks that must be executed immediately for it to run correctly. The threads of a high-priority class process preempt the threads of normal or idle priority class processes.
|-
| 0x02000000
| IDLE_PRIORITY_CLASS
| The task can run in a process whose threads run only when the machine is idle, and are preempted by the threads of any process running in a higher priority class.
|-
| 0x04000000
| NORMAL_PRIORITY_CLASS
| The task has no special scheduling requirements.
|}

==== Status ====
{| class="wikitable"
|-
! Value
! Identifier
! Description
|-
| 0x00041300
| SCHED_S_TASK_READY
| Task is not running but is scheduled to run at some time in the future.
|-
| 0x00041301
| SCHED_S_TASK_RUNNING
| Task is currently running.
|-
| 0x00041305
| SCHED_S_TASK_NOT_SCHEDULED
| The task is not running and has no valid triggers.
|}

==== Flags ====
See: [http://msdn.microsoft.com/en-us/library/cc248283.aspx Flags]

=== Variable-length section ===
The variable-length section contains the following values:
* Running Instance Count
* Application Name
* Parameters
* Working Directory
* Author
* Comment
* User Data
* Reserved Data
* Triggers
* Job Signature

These values are stored as Unicode strings.

==== Unicode string ====
{| class="wikitable"
|-
! offset
! size
! value
! description
|-
| 0
| 2
|
| Number of characters <br> The value will be 0 if the string is empty.
|-
| 2
| ...
|
| String <br> UTF-16 little-endian with end-of-string character
|}

== See Also ==
* [[Windows]]

== External Links ==
* [http://msdn.microsoft.com/en-us/library/cc248285.aspx .JOB File Format], by [[Microsoft]]
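As an added example that is not part of the ForensicsWiki page, the following Python parser decodes the 68-byte fixed-length section, the SYSTEMTIME it embeds and the leading Unicode strings of the variable-length section, locating the first string through the application name size offset at header offset 20. The field and helper names, the 2-byte running instance count and the sample bytes are assumptions; the page gives no layout for user data, reserved data, triggers or the job signature, so those are not parsed.

```python
import struct
import uuid

FIXED_SIZE = 68  # size of the fixed-length section per the table above
PRIORITY = {0x00800000: "REALTIME_PRIORITY_CLASS", 0x01000000: "HIGH_PRIORITY_CLASS",
            0x02000000: "IDLE_PRIORITY_CLASS", 0x04000000: "NORMAL_PRIORITY_CLASS"}
STATUS = {0x00041300: "SCHED_S_TASK_READY", 0x00041301: "SCHED_S_TASK_RUNNING",
          0x00041305: "SCHED_S_TASK_NOT_SCHEDULED"}
# Values documented above as Unicode strings, in file order (user data, reserved data,
# triggers and the signature have no layout on this page and are not parsed)
STRING_FIELDS = ("application_name", "parameters", "working_directory", "author", "comment")

def parse_systemtime(buf, off):  # 16-byte SYSTEMTIME: eight little-endian 16-bit values
    keys = ("year", "month", "weekday", "day", "hour", "minute", "second", "millisecond")
    return dict(zip(keys, struct.unpack_from("<8H", buf, off)))

def parse_unicode_string(buf, off):
    # 2-byte character count (0 = empty), then UTF-16LE text; assumption: the count
    # includes the end-of-string character, which is stripped from the result
    (nchars,) = struct.unpack_from("<H", buf, off)
    end = off + 2 + 2 * nchars
    if end > len(buf):
        raise ValueError("string at offset %d runs past end of file" % off)
    return buf[off + 2:end].decode("utf-16-le").rstrip("\x00"), end

def parse_job(buf):
    if len(buf) < FIXED_SIZE:
        raise ValueError("shorter than the 68-byte fixed-length section")
    product_ver, file_ver = struct.unpack_from("<HH", buf, 0)
    app_off, trig_off, retries, retry_iv, idle_dl, idle_wait = struct.unpack_from("<6H", buf, 20)
    priority, max_run, exit_code, status, flags = struct.unpack_from("<5I", buf, 32)
    if app_off < FIXED_SIZE or trig_off < app_off:  # both offsets are file-relative
        raise ValueError("application name / trigger offsets do not point past the header")
    job = {"product_version": product_ver, "file_version": file_ver, "flags": flags,
           "job_uuid": str(uuid.UUID(bytes_le=bytes(buf[4:20]))), "exit_code": exit_code,
           "error_retry_count": retries, "error_retry_interval": retry_iv, "idle_wait": idle_wait,
           "idle_deadline": idle_dl, "maximum_run_time": max_run, "last_run_time": parse_systemtime(buf, 52),
           "priority": PRIORITY.get(priority, "UNKNOWN(0x%08x)" % priority),
           "status": STATUS.get(status, "UNKNOWN(0x%08x)" % status)}
    off = app_off  # header offset 20 points at the application name's size field
    for name in STRING_FIELDS:
        job[name], off = parse_unicode_string(buf, off)
    return job

def _ustr(s):  # constructed-sample helper: count includes the terminator, 0 if empty
    s = s + "\x00" if s else ""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")

# Constructed sample, not a real capture; 2 bytes are assumed for the running instance
# count at offset 68, so the application name's size field sits at offset 70
SAMPLE = (struct.pack("<HH", 0x0500, 0x0001) + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
          + struct.pack("<6H", 70, 134, 3, 10, 60, 10) + struct.pack("<5I", 0x04000000, 259200000, 0, 0x00041300, 0)
          + struct.pack("<8H", 2014, 7, 6, 5, 11, 55, 0, 0) + struct.pack("<H", 0)
          + _ustr("cmd.exe") + _ustr("/c echo hi") + _ustr("C:\\") + _ustr("lab") + _ustr(""))
```

A file whose string count runs past the end of the data raises ValueError instead of reading garbage, which is the check a triage script needs on damaged or crafted .JOB files.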
[[Category:Malware]]
[[Category:File Formats]]

Revision as of 11:55, 5 July 2014