The Art of Network Hunter (pt.2)

Daniel Simplício
6 min read · Jan 2, 2019

In the first part of this post, we were able to identify the attacker, concluding: “Until this moment, we can conclude the host 172.30.200.50 is probably infected by malware that makes requests to external domains like www.gtishare.com [223.25.233.248]”.

After identifying “Patient Zero”, we need to understand everything that happened during the attack and build a timeline of it. First, let’s check the full report provided on the Hybrid Analysis website.

At first glance, the file is just a harmless PDF; as you can see, it opened normally in the sandbox machine.

File opened in the sandbox

After analyzing the process tree in the sandbox machine, we could verify that the opened PDF launched another executable, “a.exe”; “a.exe” launched a further executable, “trojan.exe” (a suggestive name for malware); and finally trojan.exe invoked the Windows program netsh.exe to register trojan.exe as an allowed program on the victim’s machine.

File analyzed by sandbox

You can validate that the infected host made several requests to the attacker’s domains. This behavior can indicate things like:

  • Remote access
  • Remote code execution

Requests made by the file

After discovering the actions that the malware performs on the victim’s machine, we will use tcpdump on the PCAP file to search for anomalies in the requests, such as remote command execution, encoded data packets, lateral movement across the network, and so on.

As you can see below, there are some anomalies in the packet exchange: several base64-encoded requests are visible between the local network and the internet.

Requests encoded in base64

If we decode a single sample, it is clear that the attacker is executing commands remotely on the victim’s machine.

Requests decoded in base64

Now that we know, from the extracted sample, how the attacker was encoding his actions on the network, we just need to parse the PCAP file to recover every action the attacker performed on the victim’s machine.

Command performed by the attacker

After processing the PCAP file, the file we created with the actions taken by the attacker contains more than 1900 lines of executed commands and their returned output.

File created after parsing the PCAP file
Parsing the file
Decoding the parsed file
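The parsing step described above (find base64 runs in the captured requests, decode them, and keep only the ones that turn into readable commands or command output) can be scripted. The block below is an added example written for this post, not the authors’ own parser: it works on a constructed, simplified “src > dst payload” text form of the traffic instead of the real PCAP, the host addresses are the ones named in part 1, and the sample lines (including a binary payload and a plain request with no encoded data) are synthetic, built here so the example runs offline.

```python
import base64
import binascii
import re
import string

# Hosts taken from the post: the infected workstation and the address
# resolved for www.gtishare.com in part 1.
VICTIM = "172.30.200.50"
C2 = "223.25.233.248"

# A run of base64 alphabet characters (8 or more, so that a short command such
# as "whoami" -> "d2hvYW1p" is caught) with optional "=" padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
PRINTABLE = set(string.printable)


def _b64(s: str) -> str:
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(s.encode()).decode()


# Constructed sample traffic (synthetic, not from the real PCAP), in a
# simplified "src > dst payload" form standing in for tcpdump output.
SAMPLE_USER = "corp\\jdoe"
SAMPLE_LINES = [
    f"{C2} > {VICTIM} HTTP/1.1 200 OK cmd={_b64('whoami')}",
    f"{VICTIM} > {C2} POST /upload.php data={_b64(SAMPLE_USER)}",
    f"{C2} > {VICTIM} HTTP/1.1 200 OK cmd={_b64('net user /domain')}",
    f"{VICTIM} > {C2} POST /upload.php data={_b64('Administrator jdoe svc_backup')}",
    f"{VICTIM} > 8.8.8.8 GET /favicon.ico HTTP/1.1",          # no encoded data
    f"{VICTIM} > {C2} POST /upload.php data="                 # binary payload,
    + base64.b64encode(bytes(range(24))).decode(),            # must be skipped
]


def decode_if_text(token: str):
    """Return the decoded text when token is valid base64 that yields printable
    text; return None for invalid base64 or binary payloads (images, etc.)."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text or any(ch not in PRINTABLE for ch in text):
        return None
    return text


def build_timeline(lines):
    """Walk the lines in capture order and return decoded events as
    (line_no, direction, peer, text). Direction is relative to the victim:
    'inbound' carries what the peer sent, 'outbound' what the host sent back."""
    events = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 3 or fields[1] != ">":
            continue
        src, dst = fields[0], fields[2]
        if src == VICTIM:
            direction, peer = "outbound", dst
        elif dst == VICTIM:
            direction, peer = "inbound", src
        else:
            continue
        for token in B64_TOKEN.findall(line):
            text = decode_if_text(token)
            if text is not None:
                events.append((n, direction, peer, text))
    return events


def render(events):
    """Format the timeline as one line per event for the report."""
    arrow = {"inbound": "->", "outbound": "<-"}
    return "\n".join(f"[{n:04d}] victim {arrow[d]} {peer}: {text}"
                     for n, d, peer, text in events)


if __name__ == "__main__":
    print(render(build_timeline(SAMPLE_LINES)))
```

On a real capture you would feed this the text produced by tcpdump with the payload printed (`-A`) and, if the C2 used a different carrier than a query or form field, adjust only the line parsing; the printable-text filter is what keeps images and other binary blobs out of the timeline, which matters here because the attacker later moved RAR archives under image names.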

Let’s look at the interesting things the attacker did on the victim’s machine:

1 - Enumeration of domain users.

2 - Enumeration of local administrators.

3 - Enumeration of network.

4 - Ran the program called x64.exe.

5 - Copied two files, “ninikatz.ps1” and “dllhost.exe”.

A - Analyzing the file, we can say that ninikatz.ps1 and mimikatz.ps1 are the same script.

B - Analyzing the file, we can say that dll.exe is the same as putty.exe.

The attacker used the dll.exe file to create a tunnel between the victim’s machine and the attacker’s server, enabling remote access to the victim’s machine.

6 - Accessed the DC1 Server.

7 - Accessed the File Server.

8 - Used the hotfix.dat application (as you can see in the second line, this is a WinRAR application) to compress the files. Notice that it saved the compressed file as “logo.png”.

→ Evidence that logo.png and logo2.png are WinRAR archives.
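The “logo.png is really a RAR archive” finding comes from comparing the file’s magic bytes with what its extension claims. As an added example (written for this post, not the authors’ tooling), the block below performs that comparison for a small set of well-known signatures over constructed sample files; the file names are the ones from the post, but the byte contents are synthetic headers built here so the check runs offline.

```python
# Magic-byte signatures this check knows about. The longer RAR5 signature is
# listed before the RAR4 one so the first match is the most specific.
SIGNATURES = [
    (b"Rar!\x1a\x07\x01\x00", "rar"),   # RAR 5.x archive
    (b"Rar!\x1a\x07\x00", "rar"),       # RAR 1.5 - 4.x archive
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),                     # Windows PE image (exe/dll)
]

# What each extension claims the content to be.
EXTENSION_TYPES = {
    "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "pdf": "pdf",
    "zip": "zip", "rar": "rar", "exe": "exe", "dll": "exe",
}

# Constructed sample files (synthetic headers padded with zeros), not the
# real artifacts from the case.
SAMPLE_FILES = {
    "logo.png": b"Rar!\x1a\x07\x00" + b"\x00" * 32,        # RAR4 named as PNG
    "logo2.png": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32,   # RAR5 named as PNG
    "banner.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,     # genuine PNG
    "hotfix.dat": b"MZ" + b"\x90" * 62,                    # PE image named .dat
}


def sniff(data: bytes):
    """Identify the content type from the leading bytes, or None if unknown."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def check_file(name: str, data: bytes):
    """Return (declared, actual, mismatch): what the extension claims, what the
    bytes say, and whether both are known and disagree."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    declared = EXTENSION_TYPES.get(ext)
    actual = sniff(data)
    mismatch = declared is not None and actual is not None and declared != actual
    return declared, actual, mismatch


def disguised_files(files):
    """Names whose extension claims one known type but whose bytes are another,
    mapped to the type actually found."""
    result = {}
    for name, data in files.items():
        _, actual, mismatch = check_file(name, data)
        if mismatch:
            result[name] = actual
    return result


def executables_under_other_names(files):
    """Names that are PE images but do not carry an .exe/.dll extension,
    such as a renamed WinRAR binary."""
    return sorted(name for name, data in files.items()
                  if check_file(name, data)[1] == "exe"
                  and check_file(name, data)[0] != "exe")


if __name__ == "__main__":
    print("disguised:", disguised_files(SAMPLE_FILES))
    print("renamed executables:", executables_under_other_names(SAMPLE_FILES))
```

To run it against files carved from the capture or collected from the host, read the first few dozen bytes of each file with `open(path, "rb")` and pass them in place of the constructed headers; the signature table is deliberately short and should be extended with the formats that matter in your environment.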

9 - Performed the same procedure in another directory, creating logo2.png.

10 - Copied the file email.aspx (a webshell) to an IIS server.

11 - Copied the .rar files [logo.png and logo2.png] to the IIS server to exfiltrate the data.

12 - Deleted the logs and left the victim’s machine.

13 - Files that were leaked (sample).

Conclusion

After analyzing the PCAP file, we were able to reconstruct the details of the attack suffered by the corporation, such as:

→ Identify the source of the attack.
→ Identify which host was infected by the attack.
→ Identify how the host was infected.
→ Identify the malware used to carry out the attack.
→ Perform the extraction and analysis of the malware used in the attack.
→ Validate that the attacker actually gained unauthorized access to the corporation’s internal network.
→ Validate how the attacker gained that unauthorized access.
→ Validate the actions taken by the attacker during the unauthorized access to the infected host, such as:

  • User enumeration.
  • Dump credentials of at least one user.
  • Unauthorized access to file servers.
  • Exfiltration of data.

→ Validate the internal machines that the attacker accessed during the attack.
→ Validate that the attacker created a WebShell on an IIS server.
→ Validate that the server where the WebShell was installed was used to exfiltrate the data.

With all of this information, it’s clear how important it is for corporations to continuously analyze and maintain their network logs, and to rely on trained, qualified professionals to perform this type of work.

Authors

Daniel “Oi*” Simplício ( https://www.linkedin.com/in/danielakaoi )

Victor “Xopis” Haberkorn ( https://www.linkedin.com/in/vhaberkorn )

