Cyberdefenders-Malware Traffic Analysis 2

Girithar Ram Ravindran
6 min read · Sep 17, 2021


Target audience:

Cyberdefenders.org is a training platform focused on the defensive side of cybersecurity, aiming to provide a place for blue teams to practice, validate the skills they have, and acquire the ones they need.

The exercises give a person knowledge of:

  • How network traffic flows between a client and a server.
  • How certain protocols work and what their purpose is.
  • The types and signatures of several malware families.

Objective:

The challenge contains a set of questions, which I will cover and explain in this post.

Note:

Usually pcaps are examined with Wireshark, a free and open-source packet analyzer that gives the user a GUI experience.

Here, however, we will use a combination of several tools to understand the concepts better.

The challenge files can be downloaded here; the archive is protected by the password “cyberdefenders.org”.

Important Note:
It has been observed that the pcap provided is the same one published by Malware-Traffic-Analysis.net.

FYI, I have written an analysis article on that pcap here; please feel free to check it out :)

In this post we will be playing with a challenge file that has been published on Sept 16, 2020.

Let’s start answering the questions!!!

1. What is the IP address of the Windows VM that gets infected?

  • To find the IP we should analyse the traffic flow.
  • We usually use Wireshark for this, but to get a feel for the CLI, we use Tshark here.
  • To learn some basic Tshark commands and filters, click here; I used it in a challenge similar to this one and published the write-up as an article.

Answer:

So the IP address of the host is 172.16.165.132.

2. What is the MAC address of the infected VM?

Answer:

So the MAC address of the host is 00:0c:29:c5:b7:a1.

3. What are the IP address and port number that delivered the exploit kit and malware?

  • While analysing the traffic flow, we found the site hijinksensue:cxx using an unusual destination port, 51439.

Answer:

  • After exporting the HTTP objects, we find that “h.trinketking:cxx” delivers a PE32 executable, a DLL file named cars.php%…, which is a Windows executable.
  • Further examination of the HTTP stream for that packet shows the string “This program cannot be run in DOS mode” in the body, the DOS stub that every PE executable carries, so this is an exe.

After a search in VirusTotal, 37[.]143.15.180:51439 is found to be the IP and port of the EK landing page.

4. What are the two FQDNs that delivered the exploit kit? comma-separated in alphabetical order.

  • In the HTTP request traffic, we observe that the sites g.trinketking.com and h.trinketking.com use an unusual destination port, 51439.

Answer:

So the two FQDNs that delivered the exploit kit were g.trinketking.com and h.trinketking.com.

5. What is the IP address of the compromised web site?

  • After two Google visits, we identify that the host visited “hijinksensue:cxx”; this site redirects to a few other sites.
  • Analysing those redirect destinations, we observe a GET request to “static.charlotteretirementcommunities:cxx” containing “k?tstmp”; a quick Google search shows that this “k?tstmp” pattern is malicious and leads to the exploit kit landing page.

Answer:

So the compromised site’s IP is found to be 192.30.138.146.

6. What is the FQDN of the compromised website?

Answer:

From the previous analysis we can conclude that the FQDN of the site is hijinksensue.com.

7. What is the name of the exploit kit (EK) that delivered the malware? (two words)

  • Here we use Suricata to identify the EK type.

Answer:

So we can conclude that it is Sweet Orange.

8. What is the redirect URL that points to the exploit kit landing page?

Answer:

From the explanation of the 5th question, we can conclude that the redirect URL is static.charlotteretirementcommunities[.]com.

9. What is the IP address of the redirect URL that points to the exploit kit landing page?

Answer:

Since we already found the redirect URL’s FQDN, its IP address is concluded to be 50.87.149.90.

10. Extract the malware payload (PE file) from the PCAP. What is the MD5 hash?

  • After exporting the malicious file named cars.php and uploading it to virustotal.com, we can get its MD5 hash.

Answer:

And the hash is found to be 1408275c2e2c8fe5e83227ba371ac6b3.

11. What is the CVE of the exploited vulnerability?

  • Since we know the EK type, we use Google to find the CVE it exploited.

Answer:

And the CVE is found to be CVE-2014-6332.

12. What is the mime-type of the file that took the longest time (duration) to be analyzed using Zeek?

  • In this case we use Brim Security to find the answer.
  • The MIME type is used to identify the type of data.
  • Load the pcap into Brim and analyse it.

Answer:

From the analysis we can conclude that the MIME type is application/x-dosexec.

13. What was the referrer for the visited URI that returned the file “f.txt”?

  • We use Brim for this.
  • Use the filter _path='http' f.txt to narrow down the traffic and analyse the details.

Answer:

And the referrer for the visited URI that returned the file “f.txt” is found to be http://hijinksensue.com/assets/verts/hiveworks/ad1[.]html.

14. When was this PCAP captured?

  • Open the pcap in Wireshark and analyse the details of the file.

Answer:

And the date of the captured packet is 23/11/2014.

15. When was the PE file compiled?

  • Analyse the malicious file in VirusTotal.

Answer:

And the compilation timestamp is found to be 21/11/2014.

16. What is the name of the SSL certificate issuer that appeared only once?

Answer:

  • Here you can see a unique IP, 2.18.189.224.
  • Unfortunately, nowadays the site does not provide any certificate issuer details.
  • So we use Wireshark and filter on that IP.
  • Then we view the SSL certificate issuer details.

From the above analysis we conclude that the cert issuer name is Cybertrust.
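Questions 12, 13 and 16 can all be answered straight from Zeek’s logs, which is what Brim is querying underneath. The following is an added example, not code from the post or from Brim/Zeek: it parses Zeek’s TSV format by its own #fields header and answers the three questions over constructed files.log, http.log and x509.log excerpts (the hosts, issuers and durations are made up, not taken from the challenge pcap).

```python
from collections import Counter

# Constructed Zeek log excerpts (not the challenge's real logs). Each carries its own
# "#fields" header, which is how real Zeek TSV logs declare their column order.
FILES_LOG = """#fields\tts\tfuid\tmime_type\tfilename\tduration
1416779000.1\tFa1\ttext/html\t-\t0.012
1416779001.5\tFb2\tapplication/x-dosexec\tcars.php\t1.842
1416779002.0\tFc3\ttext/plain\tf.txt\t0.003
"""
HTTP_LOG = """#fields\tts\tuid\thost\turi\treferrer\tresp_filenames
1416779000.1\tC1\tsite.example\t/index.html\t-\t-
1416779002.0\tC2\tsite.example\t/f.txt\thttp://site.example/ad1.html\tf.txt
"""
X509_LOG = """#fields\tts\tid\tcertificate.issuer
1416779003.0\tF1\tCN=Issuer A
1416779004.0\tF2\tCN=Issuer B
1416779005.0\tF3\tCN=Issuer A
"""

def parse_zeek_tsv(text):
    """Parse Zeek TSV into dicts keyed by the #fields header; '-' marks an unset value."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def longest_analysis_mime(files_log):
    """Q12: mime_type of the file Zeek spent the longest time (duration) analysing."""
    rows = parse_zeek_tsv(files_log)
    return max(rows, key=lambda r: float(r["duration"]))["mime_type"]

def referrer_for_file(http_log, filename):
    """Q13: the Referer of the request whose response delivered `filename` (None if absent)."""
    for r in parse_zeek_tsv(http_log):
        if filename in r["resp_filenames"].split(","):
            return None if r["referrer"] == "-" else r["referrer"]
    return None

def issuers_seen_once(x509_log):
    """Q16: certificate issuers that appear exactly once across the capture."""
    counts = Counter(r["certificate.issuer"] for r in parse_zeek_tsv(x509_log))
    return sorted(issuer for issuer, n in counts.items() if n == 1)
```

Point the same functions at the real files.log, http.log and x509.log that Zeek writes for the challenge pcap and they return the page’s answers without a GUI.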

17. What were the two protection methods enabled during the compilation of the present PE file? Format: comma-separated in alphabetical order

  • Since this article covers traffic analysis, I won’t be explaining the protection methods in detail.
  • But I will give you a hint on how to find them.
  • Use winchecksec.exe for the analysis.

Answer:

And you will find the protection methods DEP and SEH.
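Questions 3, 10, 15 and 17 all come down to reading the carved PE itself: the DOS stub string the author spotted, the MD5 of the exported object, the COFF TimeDateStamp that VirusTotal reports as the compile time, and the NX_COMPAT bit in the optional header that winchecksec reports as DEP. The following is an added example, not code from the post or from any of those tools; the HTTP response and the PE inside it are constructed here (the sample is not cars.php, and its timestamp is simply chosen to land on 21/11/2014), and SafeSEH is not checked because it needs the load-config directory, which this minimal sample omits.

```python
import hashlib
import struct
from datetime import datetime, timezone

DOS_STUB = b"This program cannot be run in DOS mode."
NX_COMPAT = 0x0100  # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: the DEP opt-in bit

def build_sample_pe(timestamp, dll_chars):
    """Constructed minimal PE32 image: MZ header, DOS stub, COFF header, optional header."""
    mz = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", mz, 0x3C, len(mz) + len(DOS_STUB))   # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)   # DllCharacteristics
    return bytes(mz) + DOS_STUB + b"PE\x00\x00" + coff + bytes(opt)

BODY = build_sample_pe(1416528000, NX_COMPAT)  # constructed sample, not the real cars.php
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)

def http_body(raw):
    """Return the body of a raw HTTP response, refusing one shorter than Content-Length."""
    head, _, body = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length" and int(value.strip()) != len(body):
            raise ValueError("truncated body: Content-Length mismatch")
    return body

def carve_pe(raw):
    """Q3/Q10/Q15/Q17: confirm the exported object is a PE, then return
    (md5, compile date, DEP enabled), or None when it is not a PE."""
    body = http_body(raw)
    if len(body) < 0x40 or body[:2] != b"MZ" or DOS_STUB not in body:
        return None
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]          # offset of "PE\0\0"
    if body[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    timestamp = struct.unpack_from("<I", body, e_lfanew + 8)[0]   # COFF TimeDateStamp
    dll_chars = struct.unpack_from("<H", body, e_lfanew + 94)[0]  # optional header + 70
    compiled = datetime.fromtimestamp(timestamp, timezone.utc).strftime("%d/%m/%Y")
    return hashlib.md5(body).hexdigest(), compiled, bool(dll_chars & NX_COMPAT)
```

Run it on the raw bytes of the real exported object and the tuple gives the page’s hash, the compile date and whether DEP was enabled, with a truncated export rejected instead of silently hashed.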

“The End”

I hope this article gives you an idea of how to analyse a network packet capture.

I recommend you try it yourself, as it will give you hands-on experience.

Finally, I thank whoever is reading this for spending your valuable time on my article.

Author: Girithar Ram R

Contact: https://www.linkedin.com/in/girithar-ram-ravindran-a4341017b/s
