Sunday, 12 August 2018

IRIS-H: Alpha is dead! Long live Beta.

Quick Summary

Build Version: 0.2.0 (beta)

Change Type: new version release
Affected Components: API, UI
Short Description: New version includes:

  • (new) complete re-write of the UI 'look & feel'
  • (new) Yara rules support
  • (new) personal service accounts
  • (new) 'Workbench' data view (see Detailed Summary section for description)
  • (new) 'External Intelligence' section added to the 'Report' data view
  • (new) public GitHub repository for issues tracking and feedback
  • API backend data handling infrastructure changes
  • static analysis data extraction routines improvements
  • bug fixes

Outstanding Tasks: Attach external intelligence feeds, minor cosmetic UI fixes, further data parsers improvements.
Known Issues: Minor cosmetic glitches in the UI.

Detailed Summary

Disclaimer: All the functionality descriptions and screenshot examples given below are relevant to the application state at the release time. Some features and interface 'look & feel' might change in the follow up releases.

Sections below describe some of the major features/changes implemented in this release.

New UI

IRIS-H UI has been completely re-written using Akveo Nebular UI and the mighty power of Angular. Where data views and service pages content is mostly the same, their look changed completely. Please see below for detailed breakdown.

Dashboard (Home page)

IRIS-H Dashboard View

The dashboard now performs 3 functions:

  • overall submitted data view
  • system health display
  •  filters for currently loaded data
Where overall submitted data and systems health views are self-explanatory, the data filters functionality is explained below.

Each statistical data view panel is interactive. Clicking on a pie chart section or a bar will filter the 'Submissions' table view. For example, clicking 'Malicious OLE' bar in 'Object Linking & Embedding' panel will change the 'Submissions' table view to display only reports for malicious OLE files.

Filtering 'Submissions' table view using Dashboard submitted data panel
NOTE: The filters will apply only to the data already loaded into the dashboard - 50 latest submissions.

The data displayed in the dashboard depends on the user type - Public / Registered. There is a concept of 'Public' and 'Private' data now. The file analysis data is tied to the user account the file was submitted under.

Public data - file analysis reports generated under 'Public User' account (not logged in)

Private data - file analysis reports generated under logged in user.

Submission Page

Submission page didn't change that much in terms of the content and functionality.

IRIS-H Submission Page
The page now includes submission type indicator - Public/Private

IRIS-H submission type indicator - Public
IRIS-H submission type indicator - Private
Report Page

Content displayed on the report page has been re-worked and majority of the generic information has been removed.

IRIS-H Report page example
The report page now supports multiple reports display using separate report page tabs. Where the same functionality can be achieved with opening separate browsing session tabs in the Internet browser application, this feature serves as a good alternative.

IRIS-H Report page - tabs view example
NOTE: The memory consumed by the tool depends on the number of reports opened at the same time. Use Internet browser page refresh functionality to remove all report tabs except the currently active one.

Workbench Page

Workbench is a new data view type added in this release. It can be accessed through 'Report' page navigation sub-menu or through the main interface side bar if any workbench data is already loaded.

Access 'Workbench' view from 'Report' page

The 'Workbench' page allows for the submitted file content browsing using its structural view. The file content is displayed in HEX and ASCII formats.

IRIS-H Workbench Page example
The 'File Structure' tree view on the left hand side is interact-able as well as the HEX view of the data. When entry in the tree view is selected the corresponding HEX and ASCII pieces of data are scrolled into the view. HEX view is also interact-able the same way except for the scrolling part.

IRIS-H Workbench Page - file content browsing example

On each tree or HEX views interaction, content of the 'Description' panel on the right hand side is updated with corresponding data description as per official file format specification.

Download function is available for each individual file component as well as for the submitted file itself. The 'Download' button can be found on the right hand side in each workbench panel header.

NOTE: This feature is currently available for files in 'Shell Link Binary' format (LNK) only.

General UI features

Akveo Nebular UI offers many features to customize the interface look. All of the customization options are available through 'Settings' sub-menu located in the top right corner.
IRIS-H Interface customization settings
Where all of them are self-explanatory, I'd like to single out my favorite one - UI Theme customization. It allows for the interface theme on-the-fly change. There are currently 3 themes available - light, cosmic and corporate. Corporate theme is the default one, though my personal favorite is cosmic.

IRIS-H with Cosmic UI Theme applied
Yara Rules Support + 'External Intelligence'

New addition to the static analysis engine. IRIS-H will now scan the submitted files and their partial content with Yara rules. The scanning engine is based on node-yara module developed by NoSpaceships.

Current Yara rules set consist of the rules developed and collected by Florian Roth for his Nextron Systems scanners.

'Report' page now includes a new section called 'External Intelligence & Automated Scanning' that displays any Yara matches.

IRIS-H Report Page - Yara match example

This section will also display information collected from external sources. This feature is currently under development.

Personal Service User Account

IRIS-H now supports personal user accounts. Since this new feature is still in testing, the public registration process is currently unavailable, however user accounts can be provisioned upon a request(hit me up on Twitter).

Current personal account design provides the same features as the public account with the exception of making analysis report data private and available only to the user logged in with the account the submitted file was processed under.

There is no other difference in the features set.

GitHub Repository

Repository has been created on GitHub to enable issues tracking. Issue reports and feature suggestions are much appreciated.


This project wouldn't be where it is now without such a great support from the InfoSec community and all those highly talented people who create beautiful tools and applications that help and inspire a curious mind. There are no words to describe how much I value any collaboration that happens in those communities - you can never stop learning.

Special kudos go to:

  • InfoSec community (honest to creators, you are machines. I envy your energy!)
  • Angular community on (you're a mind-blowing folks)
  • Individuals who supported the project with their valuable feedback and file samples. I simply can't post such a big list here and I do not support fame leeching, but you know who you are. I endlessly value our relationships.

Wednesday, 11 July 2018

You only had one job...

Brief translation for some files located in project Pegasus source code leak...


Project Pegasus - Content brief description

Pegasus - complex structured project for x32 and x64 platforms.
Installer injects system kernel into svchost process memory and deletes the source file.

The initial installer passes the execution controls in the following way:
Shellcode -> InstallDispatcherDll

New process passes the execution controls in the following way:
Shellcode -> WorkDispatcherDll -> all other modules

If installing over existing deployment, the build ID check is performed and if found below or equal the current version the installation is canceled.

Modules functionality will take a while to explain and describe in here. If absolutely necessary look at the corresponding source code - the description there is well structured and documented.

Microsoft Visual Studio 2013+ and PHP Tools for Visual Studio from Devsense are required to build the project.

Folders description:

Compiled modules and other code for x32 and x64 platforms

Final installers for both platforms, debug and release version depending on the sub folder it's stored in.

Program libraries used by different sub-projects.

Installer module, performs injects into a new process

Initial installer project

Files necessary for compiling the project without MSVCRT

Resource packing utility

Command execution module using the panel(new process, console command, etc)

Domain propagation module

KBR payment swapping module

Injector module that intercepts KBR data exchange process and receives swapped data from mod_KBRI

Password extraction module, re-written and patched mimikatz code

Communication module, including using pipes for machines with restricted network access

Special Executable file that is uploaded to a remote system in case of domain propagation scenario.

Common header and configuration files

Attached libraries load and execution shellcode

Project assembly scripts and utilities

Client part of the admin panel, integrated into Studio project

Admin panel, copy from the development server

System kernel

In general case,
\shared\config.h is configured first
\tools\MAKE_INSTALLERS.BAT with Release or Debug parameter assembles the rest
\BUILDS\ folder will contain the final build

Wednesday, 7 March 2018

IRIS-H (alpha): Added RTF files parser module

Quick Summary

Build Version: 0.0.1(alpha)
Change Type: new feature
Affected Components: API, UI
Short Description: API side code logic(parser) has been added to allow for RTF files processing. Currently, the new parser provides basic data extraction capabilities. UI side 'Submission' and 'About' pages have been updated to reflect the new changes.
Outstanding Tasks: Second development iteration.
Known Issues: Some data obfuscation types are not supported.

Detailed Summary

New code logic has been added to IRIS-H to allow for Rich Text Format (RTF) files processing. The 'Submission' page will now accept RTF file upload and pass it for further processing which includes the following:

  • extract document metadata
  • identify and parse embedded objects
  • extract font table
  • detect languages used in the document
  • provide description for all extracted data

Currently, the parsing module only provides essential processing. The module was tested with a good number of malicious RTF files and seems to be relatively stable handling the majority of obfuscation techniques. Thanks to @James_inthe_box for providing the samples!

Example Reports - ASLR/DEP evasion using msvbvm60.dll (–°VE-2017-11826 precursor)

Monday, 5 February 2018

IRIS-H (alpha): Added ZIP files support

Quick Summary

Build Version: 0.0.1(alpha)
Change Type: new feature
Affected Components: API, UI
Short Description: API side code logic has been added to allow submitting ZIPed files. Industry standard password 'infected' is supported. UI side 'Submission' and 'About' pages have been updated to reflect the new changes.
Outstanding Tasks: None
Known Issues: ZIP files created with Ubuntu 'Archive Manager' throw an error.

Detailed Summary

The code logic has been added to IRIS-H to allow handling file extraction from ZIP archive files. The 'Submission' page will now accept ZIP file upload and perform the following operations with it:

  • identify if the file is a Microsoft Office document in OOXML format
  • identify the number of files in the archive
  • identify if the password is set
  • identify the unpacked size of the compressed file contained in the archive
  • identify if the archive file is 'nested'

The following restrictions and limitations are applied:

  • ZIP file must contain a single file
  • if ZIP file password is enabled it must be set to 'infected'
  • unpacked size of the compressed file contained in the archive must not exceed 10MB
  • ZIP 'nesting' must not exceed 2 levels (ZIP-in-a-ZIP)
  • ZIP file size must not exceed 4MB*
* 4MB ZIP file size limit is enforced by the underlying technology employed to handle the file extraction. More on this in the following section.

What's under the hood?

Disclaimer: The choice of the technology used to implement ZIP files support was mainly driven by a will to learn it. Another contributing factor though is the lack of good NodeJS libraries that provide password protected ZIP files handling.

IRIS-H API and UI components are written in different flavours of JavaScript. Originally, I was looking to implement ZIP files support using a JS library, but to my surprise I couldn't find the one with proper support for different compression and encryption types. I realized it would have to be implemented in a different programming language, but the integration with the rest of the service and its infrastructure seemed challenging until I decided to look into using AWS Lambda.

AWS Lambda supports a number of programming languages including C# with .NET Core 2.0. This opens up a good number of possible solutions. The choice stopped with SharpZipLib. This library supports most of the compression and encryption methods. Building an AWS Lambda function turned out to be a rather easy task. The most challenging part was dealing with the 'RequestResponse' size limitations enforced by 'Invoke' function. The only solution I could find was to apply the ZIP file size limit at the submission time. It's currently set to 4 MB due to the lambda's set limit of 6 MB. 2 MB difference goes toward 'base64' conversion the submitted ZIP file is a subject to when sent to the lambda function. 

Testing it with ZIP files of different sizes shows that it takes about 10 seconds on average to process a 4 MB ZIP file. Those under 1 MB are processed almost with no delay.

Like the rest of the service, this new feature is experimental and requires more thorough testing. I'd appreciate any feedback.

Sunday, 10 December 2017

IRIS-H (alpha): Added LNK files "Console Data Block" structure parser

Quick Summary

Build Version: 0.0.1(alpha)
Change Type: feature update
Affected Components: API
Short Description: Parser for LNK files "Console Data Block" structure has been added. The parser will attempt to extract all relevant data stored in "Console Data Block" structures. The information about Console Window is stored in these structures.
Outstanding Tasks: None

Detailed Summary

IRIS-H Shell Link (.LNK) file parser has been updated to include data extraction routine for "Console Data Block" structuresThe ConsoleDataBlock structure specifies the display settings to use when a link target specifies an application that is run in a console window. Below are just some examples of data stored in these structures:

  • foreground and background text colors in the console window.
  • foreground and background text color in the console window popup.
  • console window buffer size.
  • console window size.
  • console window origins coordinates.
  • font information.
  • cursor information.
  • edit settings.
Below screenshot show an example of "Console Data Block" data extracted by IRIS-H.

IRIS-H report showing "Console Data Block" data

Monday, 27 November 2017

IRIS-H (alpha): Updated LNK file parser / Command line arguments deobfuscation added

Quick Summary

Build Version: 0.0.1(alpha)
Change Type: feature update
Affected Components: API & UI (clear browser cache for 'iris-h.service' to see the changes)
Short Description: Parser for LNK files has been updated. Command line arguments string deobfuscation and URL extraction code have been added. UI Report page has been updated to display the new data.
Outstanding Tasks: None

Detailed Summary

IRIS-H Shell Link (.LNK) file parser has been updated and now attempts to deobfuscate the command line arguments string. When the command line arguments string is present, the service will attempt the following:

  • detect environment variables assignments with 'set' command
  • detect environment variables usage with ' ' and ' ' special characters
  • replace referenced environment variables with their corresponding values
  • remove escaping characters ' ' and ' '
  • detect and extract URL strings
  • detect string concatenation operations and perform them

Below is a report example showing the new feature in action.

LNK file analysis results showing deobfuscated command line arguments string and extracted URL

More examples can be found here:

IRIS-H UI changes might require your Internet browser cache clean up for website to take effect.

Thursday, 16 November 2017

IRIS-H (alpha): Updated OOXML 'document' file parser

Quick Summary

Build Version: 0.0.1(alpha)
Change Type: feature update
Affected Components: API
Short Description: OOXML 'document' file parser has been updated to detect and extract "Drawing Object Non-Visual Properties".
Outstanding Tasks: None

Detailed Summary

"Drawing Object Non-Visual Properties(docPr) element specifies non-visual object properties for the parent DrawingML object. These properties are specified as child elements of 'docPr' element." - ECMA-376 Part 1 (section

OOXML 'document' file parser has been updated to extract non-visual object properties associated with inline drawing objects(pictures). The extracted data will be displayed in the corresponding 'document' panel under 'Individual Components' section on the report page. The following properties will be considered:

  • descrSpecifies alternative text for the current DrawingML object, for use by assistive technologies or applications which do not display the current object.
  • hidden - Specifies whether this DrawingML object is displayed. When a DrawingML object is displayed within a document, that object can be hidden (i.e., present, but not visible).
  • name - Specifies the name of the object. Typically, this is used to store the original file name of a picture object.
  • title - Specifies the title (caption) of the current DrawingML object.

Some of the above properties might be omitted from the property set. IRIS-H will only extract and display properties present in the set. See below for an example:
'document' panel showing non-visual object properties extracted from inline drawing object

As seen in the screenshot above, these properties might contain digital artifacts that can be helpful in a digital forensics investigation.

Full report for the example above can be found here -

IRIS-H (alpha): Added OOXML 'Footer Part' parser

Quick Summary

Build Version: 0.0.1(alpha)
Change Type: new feature
Affected Components: API
Short Description: Parser for OOXML "Footer Part" has been added. The parser detects and extracts text content including special field characters.
Outstanding Tasks: None

Detailed Summary

"Footer Part contains the information about a footer displayed for one or more sections. Each Footer part is the target of an explicit relationship in the part-relationship item for the Main Document. Each footer has a corresponding 'ftr' element in a Footer part, which contains the text of the footer.ECMA-376 Part 1 (section 11.3.6)

A new parser for OOXML 'Footer Part' has been added to IRIS-H. The parser will detect and extract text content including special field characters. The extracted content can be found in a new panel under 'Individual Components' section on the report page. See an example below:

Example of a Footer Part panel showing extracted text content.

If the extracted content includes special field characters, they will be analysed for presence of blacklisted field character command and if any detected, the findings will be populated in 'Malicious Findings' panel on the report page. Below is the corresponding findings panel:

Corresponding findings panel showing detected field character type

Full report for the example above can be found here -