AmCache.hve
I was working on an incident recently, and while extracting files from the image, I noticed that there was an AmCache.hve file. Not knowing what I would find in the file, I extracted it to include in my analysis. As I began my analysis, I found that the system I was examining was a Windows Server 2012 R2 Standard system. This was just one system involved in the case, and I already had a couple of indicators.
As part of my analysis, I parsed the AppCompatCache value and found one of my indicators (keep in mind that the time stamp in an AppCompatCache entry is the file's last modification time from the file system, not the time the file was executed):
SYSVOL\downloads\malware.exe Wed Oct 19 15:35:23 2016 Z
I was able to find a copy of the malware file in the file system, so I computed the MD5 hash, and pulled the PE compile time and interesting strings out of the file. The compile time was 9 Jul 2016, 11:19:37 UTC.
I then parsed the AmCache.hve file and searched for the indicator, and found:
File Reference : 28000017b6a
LastWrite      : Wed Oct 19 06:07:02 2016 Z
Path           : C:\downloads\malware.exe
SHA-1          : 0000
Last Mod Time2 : Wed Aug 3 13:36:53 2016 Z

File Reference : 3300001e39f
LastWrite      : Wed Oct 19 15:36:07 2016 Z
Path           : C:\downloads\malware.exe
SHA-1          : 0000
Last Mod Time2 : Wed Oct 19 15:35:23 2016 Z

File Reference : 2d000017b6a
LastWrite      : Wed Oct 19 06:14:30 2016 Z
Path           : C:\Users\\Desktop\malware.exe
SHA-1          : 0000
Last Mod Time  : Wed Aug 3 13:36:54 2016 Z
Last Mod Time2 : Wed Aug 3 13:36:53 2016 Z
Create Time    : Wed Oct 19 06:14:20 2016 Z
Compile Time   : Sat Jul 9 11:19:37 2016 Z
All of the SHA-1 hashes were identical across the three entries. Do not ask for the hashes...I'm not going to provide them, as this is not the purpose of this post.
What this illustrates is the value of what can be derived from the AmCache.hve file. Had I not been able to retrieve a copy of the malware file from the file system, I would still have a great deal of information about the file, including (but not limited to) the fact that the same file (same SHA-1) existed on the file system under three different file references, two of them at the same path and one on a user's desktop. In addition, I would also have the compile time of the executable file, which matched the compile time I pulled from the PE header of the recovered copy, and the "Last Mod Time2" of the second entry matches the time stamp from the AppCompatCache entry for the same path.
Posted Saturday, October 29, 2016