• Donald Ashdown

Cyber Defenders - Malware Traffic Analysis 1

The attached PCAP belongs to an Exploitation Kit infection. Analyze it using your favorite tool and answer the challenge questions.



Tools:

  • BrimSecurity

  • suricatarunner

  • suricata.rules

  • NetworkMiner

  • WireShark









Questions:


1. What is the IP address of the Windows VM that gets infected?


Upon opening the Wireshark capture, I initially noticed that TLSv1 was being used.

TLSv1 is no longer an acceptable standard. TLSv3 which was derived in 2018 is the current standard. As a result, some attacks will force a downgrade of the transportation encryption strength to TLSv1 for the purposes of decrypting the data in transit. As a result, my guess was the receiving connection.

172.16.165.165



2. What is the hostname of the Windows VM that gets infected?


Here we look at the DNS queries to determine the host name.


#3 What is the MAC address of the infected VM?


Looking at the same packet, we check the Ethernet frames for the destination mac address.



#4 What is the IP address of the compromised web site?

I noticed the infected VM was making many HTTP requests to a wordpress website. I made the assumption if our host is infected, it could either be performing C&C calls or acting as a proxy machine for a malicious actor. The constant HTTP requests to /wp-content/ is not normal for user behavior. So I made an educated guess this could be our target at 82.150.140.30.



#5 What is the FQDN of the compromised website?


We take a look at the HTTP GET request from our infected machine to the compromised website as our destination.


#6 What is the IP address of the server that delivered the exploit kit and malware?


I noticed earlier the suspicious encoded Get requests. This make me think of encoded malware right away.


#7 What is the FQDN that delivered the exploit kit and malware?



#8 What is the redirect URL that points to the exploit kit (EK) landing page?


Taking a look at the refer for our infected computer as the source, and our infected server as the destination. We see the 24corp-shop.com which doesn't work. So I decided to add the referer value as a column value to quickly view all referrers in the pcap and still nothing new. So from Wireshark we will change gears and pivot to Brim security to leverage our Suricata rules.




Adding the column value referer.


We search the "Suricata Alerts by Category" Query, and notice our exploit kit activity. From here we right click on the alert and select "Pivot to logs".



Here see the exploit logs as defined by Suricata.


From here I double check Wireshark and realize I made the simple mistake of not including the / at the end of the URl.



#9 Other than CVE-2013-2551 IE exploit, another application was targeted by the EK and starts with "J". Provide the full application name.


I had seen the java application earlier and it just comes top of mind when I think of application attacks. I would say Java and PHP were top of mind.



#10 How many times was the payload delivered?


I exported all object and 3 threats were detected by windows!


Alternatively the three ms-applications with the suspicious GET requests were suspicious of being related to the payload.



#12 The compromised website has a malicious script with a URL. What is this URL?


#13 Extract the two exploit files. What are the MD5 file hashes? (comma-separated )


Extracting all objects from the pcap provides us several files.




This is not helpful so lets pivot back to our windows machine and check the windows defender logs.




From here we input all the files into virus total until we get out file hashes that match up with the lead characters of the suggested file hashes. We also know that we had an exploit targeting our Java application and another exploit targeting our MS application.




25 views0 comments