Module 10
Discovering where the malware came from
Last updated on: 26 July 2024
No malware spontaneously appears on a targeted person’s device. It always comes from somewhere. Sometimes, that somewhere is obvious: the targeted person realizes that the link they clicked on was malicious. In other cases, the infection vector may be less clear. Learning where the infection came from can be important for managing future risk. If the initial infection source was untargeted, the victim may have just been the victim of a criminal gang with no goals other than making money. On the other hand, if the initial infection came from a sophisticated targeted social engineering attack, they are likely to face continuing future attacks from the same threat actor.
After completing this subtopic, practitioners should be able to do the following:
The first step in tracing the origin of the attack is to establish the time that the malware was installed. If you have identified the downloaded malware file, you can use the timestamps on the file. This is harder than one might imagine at first because file system timestamps are complicated. The short answer is to start with the file creation time of the first file that was downloaded. Note that files extracted from archives may have different creation times; it’s important to start with the actual file that was downloaded.
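The caveat about archives deserves a concrete demonstration. The following is an added example, not code from the module: it builds a constructed tar archive whose single member ("invoice.exe", a placeholder) carries a 2020 modification time, extracts it the way a user would, and reads the timestamps of both the archive and the extracted file. The archive stands in for the actual download; the member's old mtime is the trap the paragraph warns about. Function names and the sample file name are this example's own.

```python
"""Anchor the infection timeline on the downloaded file, not on what was extracted from it."""
import io
import os
import tarfile
import tempfile
from datetime import datetime, timezone

# Constructed sample: the archive's only member carries an mtime from 2020, standing in for
# an attacker-built archive whose contents were packed long before the victim downloaded it.
OLD_MEMBER_MTIME = int(datetime(2020, 1, 1, tzinfo=timezone.utc).timestamp())


def file_timestamps(path):
    """Return the timestamps an examiner reads from one file's stat() record.

    btime (creation time) is exposed as st_birthtime on macOS, the BSDs and
    Python >= 3.12 on Windows; older Windows Pythons report it in st_ctime.
    Linux does not expose it through os.stat, so btime is None there.
    """
    st = os.stat(path)
    btime = getattr(st, "st_birthtime", None)
    if btime is None and os.name == "nt":
        btime = st.st_ctime
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime, "btime": btime}


def creation_or_mtime(path):
    """Best available 'when did this file appear' value: btime where present, else mtime."""
    ts = file_timestamps(path)
    return ts["btime"] if ts["btime"] is not None else ts["mtime"]


def build_sample_archive(directory):
    """Write the constructed archive with one member whose mtime is OLD_MEMBER_MTIME."""
    archive_path = os.path.join(directory, "sample_download.tar")
    payload = b"placeholder bytes standing in for a suspicious binary"
    with tarfile.open(archive_path, "w") as tar:
        info = tarfile.TarInfo(name="invoice.exe")
        info.size = len(payload)
        info.mtime = OLD_MEMBER_MTIME
        tar.addfile(info, io.BytesIO(payload))
    return archive_path


def extract_archive(archive_path, directory):
    """Extract like a user would; tar restores each member's stored mtime on disk."""
    # Use the safer 'data' extraction filter where this Python version provides it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive_path) as tar:
        tar.extractall(directory, **kwargs)
    return os.path.join(directory, "invoice.exe")


def run_demo():
    """Build, extract and compare; returns the timestamps that disagree with each other."""
    with tempfile.TemporaryDirectory() as workdir:
        archive_path = build_sample_archive(workdir)
        extracted_path = extract_archive(archive_path, workdir)
        extracted = file_timestamps(extracted_path)
        # The archive's own timestamp reflects when it arrived on this machine (now).
        # The extracted file's mtime still says 2020 and would push the timeline years
        # too early. Where the OS exposes btime, the extracted file's btime is also
        # "now", which is why btime is preferred when it exists and why, on Linux,
        # where it is not exposed, you must start from the archive itself.
        return {
            "archive_timestamp": creation_or_mtime(archive_path),
            "extracted_mtime": extracted["mtime"],
            "extracted_btime": extracted["btime"],
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it on any platform: the extracted file's mtime is always 1 January 2020, while the archive's timestamp is the moment the script ran. On a real case, apply `creation_or_mtime` to the file in the download directory first and only then to whatever was unpacked from it.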
For more information on desktop filesystem timestamps, see this whitepaper from SANS on Windows, this description of the near-infinite timestamps on macOS, this description of Linux timestamps, and a way of viewing file creation time on ext4.
For mobile devices, MVT provides some timestamp information. For iOS, this is described in the documentation. For Android, less information is extracted, and you might have to do on-device checks.
The Google Files app will show the modified time of a file from the meatball menu for each file.
Note that mobile malware typically is much less obvious about leaving easily accessible traces on the file system. The common ways that mobile devices are infected are via fake sideloaded apps, malicious apps in the Apple/Google app store, or via sophisticated browser exploits that gain deep access to the device before downloading any files. In the last case, malicious files may not show up in common download directories.
Whether or not you find a malicious file, the next step is to find where it came from. There are several bits of information you can collect and look for.
In some operating systems, downloads are associated with their source. This means that files can contain metadata which shows what server they were downloaded from. This guide shows how to check such information on Windows and Linux, while this one does the same for macOS. Such metadata will show you the server from which the file was downloaded, but not what caused the download.[1] Also note that the link the targeted person clicked on might not be the download URL due to redirects.
Next up, look for emails, messages, etc. that may have triggered the download. You can use any timestamp and URL information you identified previously to help.
For at least five files in your downloads folder:
Ask a peer or mentor to double check your work and ensure that you have correctly read all the metadata.
On Android, install a (non-malicious) app and use the file manager to find the app properties and see what you can learn about the app. If you have access to a test Android phone, download an app from outside Google Play and do the same. Ask a peer or mentor to double check your work and ensure that you have correctly read all the app properties.
Filesystem Timestamps: What Makes Them Tick?
Free. Overview of timestamps, their portability, and technical workings, with a focus on Windows.
macOS timestamps from extended attributes and spotlight
Free. Guide to using advanced file metadata in macOS to find different file timestamps.
File Timestamps in Linux: atime, mtime, ctime Explained
Free. Explanation of different types of file timestamps in Linux and how to interpret them.
File creation time on ext4 Linux
Free. Details on how ext4 manages file timestamps and where to find creation time information.
Records extracted by mvt-ios
Free. Information on files generated by MVT when analyzing iOS dumps and how to interpret them.
Files by Google
Free. Android app providing access to advanced file metadata.
Mark of the Web from a Red Team’s Perspective
Free. Introduction to Mark of the Web, indicating files downloaded from the web requiring special security considerations.
Beware: Chromium-based browsers save download origin url for files
Free. Discussion on how Windows and Linux systems store metadata about file download origins.
Find Out Where a File was Downloaded From in Mac OS X
Free. Guide on extracting download URLs from macOS file metadata.
[1] On Windows, you will additionally see a number corresponding to a Zone ID. The Zones associated with downloaded files are as follows:
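The download-source metadata described above (and the Windows Zone ID note) can be read with a short script. The following is an added example, not code from the module or from any of the linked guides. It parses the three formats the operating systems use: the NTFS `Zone.Identifier` alternate data stream on Windows (an INI-style text block with `ZoneId`, `HostUrl` and `ReferrerUrl` fields), the `com.apple.metadata:kMDItemWhereFroms` extended attribute on macOS (a binary plist holding the download URL and referrer), and the `user.xdg.origin.url` / `user.xdg.referrer.url` extended attributes that Chromium-based browsers and wget set on Linux. The zone-number names come from Microsoft's URL security zone enumeration. The sample `Zone.Identifier` text and the sample plist are constructed here; `download_origin` does a best-effort read on the current platform and returns None when nothing is recorded.

```python
"""Read the download-origin metadata that browsers and operating systems attach to files."""
import os
import plistlib
import subprocess
import sys

# Windows URL security zones that a ZoneId value maps to (Microsoft's URLZONE enumeration).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of a Zone.Identifier stream as Chromium-based browsers write it on Windows.
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/page\r\n"
    "HostUrl=https://cdn.example.invalid/files/invoice.zip\r\n"
)


def parse_zone_identifier(text):
    """Parse the INI-style Zone.Identifier stream into zone and URL fields."""
    fields = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("["):
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    zone = int(fields["ZoneId"]) if fields.get("ZoneId", "").isdigit() else None
    return {
        "zone_id": zone,
        "zone_name": ZONE_NAMES.get(zone, "unknown"),
        "host_url": fields.get("HostUrl"),       # server the bytes actually came from
        "referrer_url": fields.get("ReferrerUrl"),  # page that linked to it, if recorded
    }


def parse_wherefroms(blob):
    """Decode the binary plist in macOS's com.apple.metadata:kMDItemWhereFroms attribute.

    The value is a list: [download URL, referrer URL]; the referrer may be missing.
    """
    urls = plistlib.loads(blob)
    if not isinstance(urls, list):
        urls = [urls]
    return {
        "host_url": urls[0] if urls else None,
        "referrer_url": urls[1] if len(urls) > 1 else None,
    }


def sample_wherefroms_blob():
    """Constructed kMDItemWhereFroms value, built the way macOS stores it (binary plist)."""
    return plistlib.dumps(
        ["https://cdn.example.invalid/files/invoice.zip", "https://example.invalid/page"],
        fmt=plistlib.FMT_BINARY,
    )


def download_origin(path):
    """Best-effort read of origin metadata for one file on the current platform; None if absent."""
    try:
        if sys.platform == "win32":
            # The ADS is opened like a file by appending ":Zone.Identifier" to the path.
            with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as stream:
                return parse_zone_identifier(stream.read())
        if sys.platform == "darwin":
            # os.getxattr is Linux-only in CPython, so shell out to xattr (-p print, -x hex).
            out = subprocess.run(
                ["xattr", "-px", "com.apple.metadata:kMDItemWhereFroms", path],
                capture_output=True, text=True, check=True,
            ).stdout
            return parse_wherefroms(bytes.fromhex("".join(out.split())))
        if sys.platform.startswith("linux"):
            origin = os.getxattr(path, "user.xdg.origin.url").decode()
            try:
                referrer = os.getxattr(path, "user.xdg.referrer.url").decode()
            except OSError:
                referrer = None
            return {"host_url": origin, "referrer_url": referrer}
    except (OSError, subprocess.CalledProcessError, ValueError):
        return None
    return None


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else __file__
    print(download_origin(target) or "no download-origin metadata recorded")
```

Remember the caveat from the text when reading the result: `host_url` is the final server after any redirects, so it can differ from the link the person clicked, and a missing attribute proves nothing, since not every browser or transfer path writes one.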
Congratulations on finishing Module 10!