ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between pages "Malware analysis" and "Windows Job File Format"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(External Links)
 
m (variable-length section)
 
Line 1: Line 1:
Analyzing [[malware]], or malicious software, is more of an art than a technique. Because of the wide nature of these products, there are limitless ways to hide functionality.
+
{{expand}}
  
Some common tools for malware analysis include simple programs like [[strings]]. More complex analysis can be conducted by looking at the headers of executables with programs like [[PEiD]] and [[PeExplorer]]. Finally, the most complete analysis can be done with debuggers like [[IDA Pro]] and [[OllyDbg]].  
+
== Overview ==
 +
On [[Windows]] a .JOB file specifies task configuration. A .JOB file consists of two main sections, fixed-length and variable-length.
  
== See Also ==
+
=== fixed-length section ===
* [[Malware]]
+
* [[List of Malware Analysis Tools]]
+
  
== External Links ==
+
The fixed-length section is 68 bytes in size and consists of:
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-1/ Executable File Analysis (Windows Forensic Analysis) Part 1]
+
{| class="wikitable"
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-2/ Executable File Analysis (Windows Forensic Analysis) Part 2]
+
|-
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-3/ Executable File Analysis (Windows Forensic Analysis) Part 3]
+
! offset
* [http://what-when-how.com/windows-forensic-analysis/executable-file-analysis-windows-forensic-analysis-part-4/ Executable File Analysis (Windows Forensic Analysis) Part 4]
+
! size
* [http://www.giac.org/paper/gcih/641/exploiting-microsoftwindows-task-scheduler-job-stack-overflow-vulnerability/104732 Exploiting the Microsoft Windows TaskScheduler‘.job’StackOverflowVulnerability], by Kevin Wenchel, May 2004
+
! value
* [http://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/ Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 1], by Paul Ducklin on October 11, 2013
+
! description
* [http://nakedsecurity.sophos.com/2013/10/25/anatomy-of-an-exploit-inside-the-cve-2013-3893-internet-explorer-zero-day-part-2/ Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 2], by Paul Ducklin on October 25, 2013
+
|-
 +
| 0
 +
| 2
 +
|
 +
| Product version
 +
|-
 +
| 2
 +
| 2
 +
|
 +
| File version
 +
|-
 +
| 4
 +
| 16
 +
|
 +
| Job UUID (or GUID)
 +
|-
 +
| 20
 +
| 2
 +
|
 +
| Application name size offset <br> The offset is relative from the start of the file.
 +
|-
 +
| 22
 +
| 2
 +
|
 +
| Trigger offset <br> The offset is relative from the start of the file.
 +
|-
 +
| 24
 +
| 2
 +
|
 +
| Error Retry Count
 +
|-
 +
| 26
 +
| 2
 +
|
 +
| Error Retry Interval
 +
|-
 +
| 28
 +
| 2
 +
|
 +
| Idle Deadline
 +
|-
 +
| 30
 +
| 2
 +
|
 +
| Idle Wait
 +
|-
 +
| 32
 +
| 4
 +
|
 +
| Priority
 +
|-
 +
| 36
 +
| 4
 +
|
 +
| Maximum Run Time
 +
|-
 +
| 40
 +
| 4
 +
|
 +
| Exit Code
 +
|-
 +
| 44
 +
| 4
 +
|
 +
| Status
 +
|-
 +
| 48
 +
| 4
 +
|
 +
| Flags
 +
|-
 +
| 52
 +
| 16
 +
|
 +
| Last run time <br> Consists of a SYSTEMTIME
 +
|}
  
=== Careto ===
+
==== SYSTEMTIME ====
* [http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf Unveiling "Careto" - The Masked APT], by [[Kaspersky|Kaspersky Lab]], February 2014
+
{| class="wikitable"
 +
|-
 +
! offset
 +
! size
 +
! value
 +
! description
 +
|-
 +
| 0
 +
| 2
 +
|
 +
| Year
 +
|-
 +
| 2
 +
| 2
 +
|
 +
| Month
 +
|-
 +
| 4
 +
| 2
 +
|
 +
| Weekday
 +
|-
 +
| 6
 +
| 2
 +
|
 +
| Day
 +
|-
 +
| 8
 +
| 2
 +
|
 +
| Hour
 +
|-
 +
| 10
 +
| 2
 +
|
 +
| Minute
 +
|-
 +
| 12
 +
| 2
 +
|
 +
| Second
 +
|-
 +
| 14
 +
| 2
 +
|
 +
| Milli second
 +
|}
  
=== China Chopper ===
+
==== Priority ====
* [http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html Breaking Down the China Chopper Web Shell – Part I], by Tony Lee, Ian Ahl and Dennis Hanzlik, August 7, 2013
+
{| class="wikitable"
* [http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html Breaking Down the China Chopper Web Shell – Part 2], by Tony Lee, Ian Ahl and Dennis Hanzlik, August 9, 2013
+
|-
 +
! Value
 +
! Identifier
 +
! Description
 +
|-
 +
| 0x00800000
 +
| REALTIME_PRIORITY_CLASS
 +
| The task can run at the highest possible priority. The threads of a real-time priority class process preempt the threads of all other processes, including operating system processes performing important tasks.
 +
|-
 +
| 0x01000000
 +
| HIGH_PRIORITY_CLASS
 +
| The task performs time-critical tasks that can be executed immediately for it to run correctly. The threads of a high-priority class process preempt the threads of normal or idle priority class processes.
 +
|-
 +
| 0x02000000
 +
| IDLE_PRIORITY_CLASS
 +
| The task can run in a process whose threads run only when the machine is idle, and are preempted by the threads of any process running in a higher priority class.
 +
|-
 +
| 0x04000000
 +
| NORMAL_PRIORITY_CLASS
 +
| The task has no special scheduling requirements.
 +
|}
  
=== Hacking Team ===
+
==== Status ====
* [https://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/ Police Story: Hacking Team’s Government Surveillance Malware], by Morgan Marquis-Boire, John Scott-Railton, Claudio Guarnieri, and Katie Kleemola, June 24, 2014
+
{| class="wikitable"
* [http://www.securelist.com/en/blog/8231/HackingTeam_2_0_The_Story_Goes_Mobile HackingTeam 2.0: The Story Goes Mobile], Kaspersky Lab, June 24, 2014
+
|-
* [http://reverse.put.as/2014/06/26/shakacon-6-presentation-fuck-you-hacking-team-from-portugal-with-love/ Shakacon #6 presentation: Fuck you Hacking Team, From Portugal with Love], by fG!, June 26 2014
+
! Value
 +
! Identifier
 +
! Description
 +
|-
 +
| 0x00041300
 +
| SCHED_S_TASK_READY
 +
| Task is not running but is scheduled to run at some time in the future.
 +
|-
 +
| 0x00041301
 +
| SCHED_S_TASK_RUNNING
 +
| Task is currently running.
 +
|-
 +
| 0x00041305
 +
| SCHED_S_TASK_NOT_SCHEDULED
 +
| The task is not running and has no valid triggers.
 +
|}
  
=== Hikit ===
+
==== Flags ====
* [https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-1-2/ The "Hikit" Rootkit: Advanced and Persistent Attack Techniques (Part 1)], by Ryan Kazanciyan, August 20, 2012
+
See: [http://msdn.microsoft.com/en-us/library/cc248283.aspx Flags]
* [https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-2/ The "Hikit" Rootkit: Advanced and Persistent Attack Techniques (Part 2)], by Christopher Glyer, August 22, 2012
+
  
=== PlugX ===
+
=== Variable-length section ===
* [http://labs.lastline.com/an-analysis-of-plugx An Analysis of PlugX], by Roman Vasilenko, December 17, 2013
+
The variable-length section contains the following values:
 +
* Running Instance Count
 +
* Application Name
 +
* Parameters
 +
* Working Directory
 +
* Author
 +
* Comment
 +
* User Data
 +
* Reserved Data
 +
* Triggers
 +
* Job Signature
  
=== Shell Crew ===
+
These values are stored as Unicode strings.
* [http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf RSA Incident Response: Emerging Threat Profile - Shell_Crew], by [[EMC]], January 2014
+
  
=== Uroburos ===
+
==== Unicode string ====
* [https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf Uroburos - Highly complex espionage software with Russian roots], by G Data SecurityLabs, February 2014
+
{| class="wikitable"
* [http://spresec.blogspot.com/2014/03/uroburos-rootkit-hook-analysis-and.html?m=1 Uroburos Rootkit Hook Analysis and Driver Extraction], SP Security Blog, March 20, 2014
+
|-
 +
! offset
 +
! size
 +
! value
 +
! description
 +
|-
 +
| 0
 +
| 2
 +
|
 +
| Number of characters <br> The value will be 0 if the string is empty.
 +
|-
 +
| 2
 +
| ...
 +
|
 +
| String <br> UTF-16 little-endian with end-of-string character
 +
|}
  
=== Winnti ===
+
== See Also ==
* [https://www.securelist.com/en/downloads/vlpdfs/winnti-more-than-just-a-game-130410.pdf "Winnti" More than just a game], by Kaspersky Lab, April 2013
+
* [[Windows]]
  
 +
== External Links ==
 +
* [http://msdn.microsoft.com/en-us/library/cc248285.aspx .JOB File Format], by [[Microsoft]]
  
[[Category:Malware]]
+
[[Category:File Formats]]

Revision as of 15:55, 5 July 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Overview

On Windows a .JOB file specifies task configuration. A .JOB file consists of two main sections, fixed-length and variable-length.

fixed-length section

The fixed-length section is 68 bytes in size and consists of:

offset size value description
0 2 Product version
2 2 File version
4 16 Job UUID (or GUID)
20 2 Application name size offset
The offset is relative from the start of the file.
22 2 Trigger offset
The offset is relative from the start of the file.
24 2 Error Retry Count
26 2 Error Retry Interval
28 2 Idle Deadline
30 2 Idle Wait
32 4 Priority
36 4 Maximum Run Time
40 4 Exit Code
44 4 Status
48 4 Flags
52 16 Last run time
Consists of a SYSTEMTIME

SYSTEMTIME

offset size value description
0 2 Year
2 2 Month
4 2 Weekday
6 2 Day
8 2 Hour
10 2 Minute
12 2 Second
14 2 Milli second

Priority

Value Identifier Description
0x00800000 REALTIME_PRIORITY_CLASS The task can run at the highest possible priority. The threads of a real-time priority class process preempt the threads of all other processes, including operating system processes performing important tasks.
0x01000000 HIGH_PRIORITY_CLASS The task performs time-critical tasks that can be executed immediately for it to run correctly. The threads of a high-priority class process preempt the threads of normal or idle priority class processes.
0x02000000 IDLE_PRIORITY_CLASS The task can run in a process whose threads run only when the machine is idle, and are preempted by the threads of any process running in a higher priority class.
0x04000000 NORMAL_PRIORITY_CLASS The task has no special scheduling requirements.

Status

Value Identifier Description
0x00041300 SCHED_S_TASK_READY Task is not running but is scheduled to run at some time in the future.
0x00041301 SCHED_S_TASK_RUNNING Task is currently running.
0x00041305 SCHED_S_TASK_NOT_SCHEDULED The task is not running and has no valid triggers.

Flags

See: Flags

Variable-length section

The variable-length section contains the following values:

  • Running Instance Count
  • Application Name
  • Parameters
  • Working Directory
  • Author
  • Comment
  • User Data
  • Reserved Data
  • Triggers
  • Job Signature

These values are stored as Unicode strings.

Unicode string

offset size value description
0 2 Number of characters
The value will be 0 if the string is empty.
2 ... String
UTF-16 little-endian with end-of-string character

See Also

External Links