Monday, April 4, 2016

The Curious Case Of The Chan Pelana Device

Last year around July a buddy of mine sent me an email regarding curious message he saw after unlocking his pc (Win7) in the morning. The pc had been left on overnight. He wasn’t sure what this chan pelana device was or how it got installed on his system and a quick google search did not turn up any meaningful results.

So I collected the event logs (Application,System and Security) and registry hives (System, Software, Security, Ntuser, Usrclass, etc.) from the system among other files to further help out. My analysis goals were
  • Identify what Chan Pelana was
  • Identify the approximate time of when it was installed
  • Identify whether this was a malicious event or not

Why start with these sources?
Well, the system event log would contain events related to plug and play activity, services and other system related activity. The system registry hive contains configuration information for services and drivers to name a few. As the registry hives contain time stamps I may find one related to driver installation activity.
To create the micro timeline I used Harlan Carvey’s wevtx batch script and regtime.exe to get the time stamps from the system registry hive.

F:\analysis\user-pc\> wevtx logs\*system ntfs\events
Regtime -r registry\SYSTEM -m HKLM/SYSTEM_ >> ntfs\events
Parse -f ntfs\events -o > ntfs\event_tln.txt

As my friend's time zone is EST and the tools output to UTC I kept that in mind as I looked through the output. The excerpt below is from the micro timeline. I pivoted on events that occurred during the overnight time frame he gave which would put these events happening around 11:00 PM EST.
Fri Jul 24 03:04:33 2015 Z
  EVTX     Server            - Microsoft-Windows-DriverFrameworks-UserMode/10002;user-pc.ent.acme.corp,S-1-5-18,WpdMtpDriver,{AAAE762B-A6A2-4C45-B5D8-9A83AFB6BB70},1.9.0,true
  REG                        - M... HKLM/SYSTEM_ControlSet001/Control/Class/{EEC5AD98-8080-425F-922A-DABF3DE3F69A}
  EVTX     Server            - Microsoft-Windows-DriverFrameworks-UserMode/10000;user-pc.ent.acme.corp,S-1-5-18,USB\VID_04E8&PID_6860\03157DF3EB6F073F,1.9.0

Fri Jul 24 03:04:34 2015 Z
  EVTX     Server            - Microsoft-Windows-UserPnp/20003;user-pc.ent.acme.corp,S-1-5-18,WUDFRd,system32\DRIVERS\WUDFRd.sys,USB\VID_04E8&PID_6860\03157DF3EB6F073F,true,true,0
  REG                        - M... HKLM/SYSTEM_ControlSet001/Enum/USB/VID_04E8&PID_6860/03157df3eb6f073f/Device Parameters/WpdMtpDriver
  EVTX     Server            - Microsoft-Windows-UserPnp/20003;user-pc.ent.acme.corp,S-1-5-18,WinUsb,system32\DRIVERS\WinUsb.sys,USB\VID_04E8&PID_6860\03157DF3EB6F073F,false,true,0

  EVTX     Server            - Microsoft-Windows-DriverFrameworks-UserMode/10100;user-pc.ent.acme.corp,S-1-5-18,0

The following information stood out…
WpdMtpDriver - MTP device, cellphone, camera, mp3 payer
03157DF3EB6F073F- possible serial number
HKLM/SYSTEM_ControlSet001/Enum/USB/VID_04E8&PID_6860/03157df3eb6f073f/Device Parameters/WpdMtpDriver -Registry key being modified

It seems I was possibly dealing with an USB device that uses the media transfer protocol, to further validate this I looked up a presentation by Nicole Ibrahim on MTP devices. (link) Page 15 of the PDF slide deck explains the process that happens when an MTP device is inserted and the plug and play events seen in the system event log seem to match. On Page 23 the sub key that I saw in my micro timeline was a child of one that was modified in Nicole’s testing. (CurrentControlSet\Enum\USB\)
I then loaded the system registry hive to Eric Zimmerman’s registry explorer and navigated to the key ControlSet001/Enum/USB/VID_04E8&PID_6860/03157df3eb6f073f to see what other information I could find.

The devicedesc value denotes a string data value of “SM-G920W8” and our FriendlyName value contains a string data value of Chan Pelana. Aha! A match to what my friend had seen. A quick google search for the “SM-G920W8” string turned up a hit to a Samsung cell phone model for the Canadian market.

So let’s recap on the analysis goals
  • Identify what Chan Pelana was
    • A Canadian Samsung cell phone.
  • Identify the approximate time of when it was installed
    • Without the my next best source was the windows event log and registry timestamps and based on these the install approximately occurred on Fri Jul 24 03:04:34 2015 UTC
  • Identify whether this was a malicious event or not
    • I contacted my friend with my findings and as it turned out they had visitors from Canada and one of them happened to plug their phone to my friend’s computer to charge during the night. So that ruled out the malicious component.

And that concludes the curious case of Chan Pelana.

1 comment:

  1. Daniel,

    Great work and focus on the goals. What I really like about this is that it illustrates how a problem can be solved and answers can be provided, in a timely manner, through targeted analysis.

    Great job, keep up the good work.