VHD Forensics — the sequel

In my recent article (here) I wondered why cybercriminals would use VHD files for their campaigns and offered a few tips and tools to analyse VHD files for forensic artifacts. After posting the article, I received a few questions about why VHD file forensics might be worth investing time into. This article continues on my forensic journey into this file format that is being used by cybercriminals.

Digging for more VHD files, I discovered another one that is supposed to belong to the same group:

Hash: d5d9210ef49c6780016536b0863cc50f6de03f73e70c2af46cc3cff0e2bf9353

Filename: 30–1868.vhd

File size: 12.00 MB (12583424 bytes)

In this case, the VHD file also contains two files:

Figure 1 Content of VHD file

The modus operandi is similar to the one described in the previous article, with the executable named “30–1868 20.10.2020.exe”. A quick lookup on VirusTotal revealed that this executable belongs to the Zebrocy trojan family.


After mounting the VHD file in read-only mode, we again extract the Master File Table (MFT):

Figure 2 MFT analysis of VHD

We observe the creation date of the VHD file to be around October 21st, 2020 whereas the copied files (PDF and EXE) are created before this date.

More comparison details

Using the PowerShell module ‘PowerForensics’ again, we started to extract more information from the volume:

Figure 3 Powerforensics VHD volume 1

Let’s compare this information to the previous VHD file I analyzed in the previous article:

Figure 4 PowerForensics VHD previous VHD file

The volume serial number of the disk is identical. Interesting. Is there maybe more we can gather? Let’s analyze the footer of the VHD file. Using my favorite hex editor, FileInsight, I open the file and scroll to the bottom to inspect the footer.

Figure 5 Footer of VHD file

Before digging into the bytes, let’s compare with the previous VHD footer:

Figure 6 Footer of the previous VHD file

Except for the modification time, all values are the same, including the GUID value of “6D CA 9A 42 A4 6E 55 DA C8 F7 96 DB”. According to Microsoft’s documentation on VHD file formats:

“Every hard disk has a unique ID stored in the hard disk. This is used to identify the hard disk. This is a 128-bit universally unique identifier (UUID). This field is used to associate a parent hard disk image with its differencing hard disk image(s).”

In our case, this means the same (V)HD was used for two different campaigns.
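The footer comparison done by eye in the hex editor can also be scripted. The following is an added example, not code from the original article: it parses the 512-byte footer using the field layout from Microsoft's VHD specification and lists the fields that differ between two footers. The two footers it compares are constructed sample data (the unique ID, time stamps and geometry are made up), and the function names are hypothetical.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# VHD footer layout (512 bytes, big-endian) per Microsoft's VHD specification.
FOOTER = struct.Struct(">8sIIQI4sI4sQQHBBII16sB427x")
FIELDS = ("cookie", "features", "format_version", "data_offset", "timestamp",
          "creator_app", "creator_version", "creator_host_os", "original_size",
          "current_size", "cylinders", "heads", "sectors", "disk_type",
          "checksum", "unique_id", "saved_state")
VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # time stamps count seconds from here

def footer_checksum(raw):
    """One's complement of the byte sum, with the checksum field (offset 64..67) zeroed."""
    return ~sum(raw[:64] + b"\0\0\0\0" + raw[68:512]) & 0xFFFFFFFF

def parse_footer(raw):
    """Parse the last 512 bytes of a VHD file into a dict of footer fields."""
    if len(raw) != 512 or raw[:8] != b"conectix":
        raise ValueError("not a VHD footer")
    f = dict(zip(FIELDS, FOOTER.unpack(raw)))
    f["timestamp"] = VHD_EPOCH + timedelta(seconds=f["timestamp"])
    f["unique_id"] = uuid.UUID(bytes=f["unique_id"])
    f["checksum_ok"] = f.pop("checksum") == footer_checksum(raw)
    return f

def differing_fields(a, b):
    """Names of the footer fields whose values differ between two parsed footers."""
    return sorted(k for k in a if a[k] != b[k])

def build_sample_footer(timestamp, unique_id):
    """Constructed fixed-disk footer for the demo (not taken from the article's samples)."""
    raw = bytearray(FOOTER.pack(b"conectix", 2, 0x00010000, 0xFFFFFFFFFFFFFFFF,
                                timestamp, b"win ", 0x000A0000, b"Wi2k",
                                12 * 2**20, 12 * 2**20, 361, 4, 17, 2, 0,
                                unique_id, 0))
    raw[64:68] = struct.pack(">I", footer_checksum(raw))
    return bytes(raw)

if __name__ == "__main__":
    uid = bytes(range(16))                       # constructed unique ID
    first = parse_footer(build_sample_footer(656_000_000, uid))
    second = parse_footer(build_sample_footer(656_600_000, uid))
    print(first["unique_id"], first["timestamp"], first["checksum_ok"])
    print("fields that differ:", differing_fields(first, second))
```

For a real image, pass the last 512 bytes of the file to `parse_footer`; a failed checksum indicates the footer was edited or damaged after the disk was created.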

Is there more?

The unallocated space of the disk seems to contain remnants of a deleted file:

Figure 7 Deleted file

Using Photorec, I carved out the file that was deleted. It was the same malware file as the one discovered when mounting the file; both SHA256 hashes were equal.


As I discovered in the previous article, investigating the usage of VHD files from a forensic approach can reveal valuable details in an investigation. In this case, the same GUID value was observed in both files, which hints at the same (V)HD being used for both campaigns. Although two different malware families are used (Zebrocy and Sednit), both are attributed by the industry to the APT28/Sofacy group.
