Malware Traffic Analysis : 2014-11-23

Girithar Ram Ravindran
4 min read · Sep 7, 2021


Malware-traffic-analysis is a source of pcap files and malware samples.

Target audience:

Malware-traffic-analysis provides pcap files that were captured in a live environment.

These pcaps are provided as exercises or challenges that benefit anyone interested in getting into a SOC (Security Operations Center), and they are a great way to brush up on network forensics skills.

The exercises give a person knowledge of:

  • How network traffic flows between a client and a server.
  • How certain protocols work and what they are for.
  • The types and signatures of several malware families.

Objective:

The challenge contains a set of questions which I will try to cover and explain in this post.

Note:

Usually the pcaps are inspected and analysed with Wireshark, a free and open-source packet analyzer that gives the user a GUI.

For a change, I will use a related tool called TShark, the terminal-oriented version of Wireshark, designed for capturing and displaying packets when an interactive user interface isn't necessary or available. It supports the same options as Wireshark.

The pcap files are protected by the password “infected”.

In this post I will be using certain TShark filters and commands to sort out the traffic in the pcap. To follow the basic commands and filters used in this post, feel free to read my previously published article here.

Malware Traffic Analysis: 2014-11-23

In this post we will be working with a pcap file that was published on 2014-11-23 here.

Let's dive into the analysis.

In the first set of questions, i.e. the basic set, we are asked to find the IP, MAC address and host name of the machine, and the IP and domain name of some sites.

Using the basic commands and filters I mentioned in my previous article, we found:

IP of the host - 172.16.165.132
MAC address of the host - 00:0c:29:c5:b7:a1

IP and domain of the compromised site:

  • After two Google visits, it was identified that the host visited “hijinksensue:cxx”; this site redirects to a few other sites.
  • After analysing those redirected sites, "static.charlotteretirementcommunities:cxx" is observed to have a GET request containing "k?tstmp". After a little searching on Google about "k?tstmp", it is found to be malicious and to lead to the exploit kit landing page.

We come to the conclusion that the compromised site is hijinksensue:cxx.

EK landing page and the redirected site:

In the HTTP request traffic, it is observed that the sites g.trinketking:cxx and h.trinketking:cxx use an unusual destination port: 51439.

  • After exporting the HTTP objects, it is found that “h.trinketking:cxx” delivers a PE32 executable, a DLL file named cars.php%…, i.e. a Windows executable.
  • After further examination of the HTTP stream of that particular packet, it is observed that the encoded area contains a hint, “This program cannot be run in DOS mode”, from which we can conclude that it is actually an exe file.

From the above analysis we can conclude that the URL that redirected to the EK landing page was static.charlotteretirementcommunities:cxx, and that the EK landing pages were g.trinketking:cxx and its subdomain h.trinketking:cxx, which was found to be delivering the exploit.
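The three checks above (an HTTP host on a port HTTP does not normally use, the "k?tstmp" gate request, and a body that carries the "This program cannot be run in DOS mode" stub whatever its file name says) as an added Python triage over TShark field output. This is not code from the original post; the field order matches the tshark command in the comment, and the server IPs and URIs in the sample are constructed placeholders, not values from the capture.

```python
import re
from collections import defaultdict

# Constructed sample in the shape produced by:
#   tshark -r 2014-11-23.pcap -Y http.request -T fields \
#     -e ip.src -e ip.dst -e tcp.dstport -e http.host -e http.request.uri
# Server IPs and URI values are placeholders, not taken from the capture.
SAMPLE_REQUESTS = (
    "172.16.165.132\t192.0.2.10\t80\thijinksensue:cxx\t/\n"
    "172.16.165.132\t192.0.2.20\t80\tstatic.charlotteretirementcommunities:cxx\t/k?tstmp=PLACEHOLDER\n"
    "172.16.165.132\t192.0.2.30\t51439\tg.trinketking:cxx\t/PLACEHOLDER\n"
    "172.16.165.132\t192.0.2.30\t51439\th.trinketking:cxx\t/cars.php?PLACEHOLDER\n"
)

FIELDS = ("src", "dst", "dport", "host", "uri")
STANDARD_HTTP_PORTS = {80, 8080, 8000}


def parse_requests(text):
    """Turn tab-separated tshark field lines into dicts; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(FIELDS) or not parts[2].isdigit():
            continue
        row = dict(zip(FIELDS, parts))
        row["dport"] = int(row["dport"])
        rows.append(row)
    return rows


def hosts_on_unusual_ports(rows):
    """Map each HTTP host to the non-standard ports it was contacted on (e.g. 51439)."""
    by_host = defaultdict(set)
    for r in rows:
        if r["dport"] not in STANDARD_HTTP_PORTS:
            by_host[r["host"]].add(r["dport"])
    return dict(by_host)


def redirector_requests(rows, marker=r"/k\?tstmp"):
    """(host, uri) pairs whose URI carries the gate pattern the post calls out."""
    return [(r["host"], r["uri"]) for r in rows if re.search(marker, r["uri"])]


def looks_like_pe(body):
    """True when an exported HTTP body is a PE file, regardless of its claimed name."""
    return body[:2] == b"MZ" or b"This program cannot be run in DOS mode" in body
```

Run `hosts_on_unusual_ports` and `redirector_requests` over the parsed rows, then `looks_like_pe` over each object exported with `tshark --export-objects http,<dir>`.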

Type of the malware:

When the cars.php file is uploaded to VirusTotal, the file is confirmed to be malicious.

When the pcap is analysed in Suricata, an open-source intrusion detection and prevention system, the following alerts are shown:

And the malware type is found to be Sweet Orange.

“The End”

I hope this article gives you an idea of how to analyse network packets.

I recommend you try it yourself, as it will give you experience.

Finally, I thank whoever is reading this for spending your valuable time on my article.

Author: Girithar Ram R

Contact: https://www.linkedin.com/in/girithar-ram-ravindran-a4341017b/s
