Stingrayahoy — Traffic Analysis Exercise Write-up
04 May 2019
Not having completed one of the traffic analysis exercises in a while, it felt great to get back into Wireshark and dig through packets. I wanted to try something different this time that would also let me flex some scripting muscles, so I did most of my analysis in a Jupyter Notebook using Python's Scapy project.
The code used to solve the exercise questions can be found at: https://github.com/msec1203/shared-code/blob/master/mal_traff_analysis_APR.ipynb
Provided with a PCAP, traffic alerts, as well as some basic network information, our job will be to answer the following in an incident response report:
- Executive Summary of what occurred in the exercise traffic
- The host name and account of the infected Windows computer
- The MAC address
- The IP address
- Indicators of compromise (IOCs)
First, I opened the PCAP in Wireshark to see if anything stood out. Right off the bat, a number of attempted TCP connections between two addresses are displayed that may require further investigation.
The information in Figure 1 is interesting. Note it down for later, and let’s move on. *Note: As I am still learning Python, some of the answers required me to jump back and forth between Wireshark and Jupyter, apologies if anything is confusing.
Since there are a number of questions to answer, I like to start off by poring over DNS traffic. This gives an analyst an idea of which domains are being queried, and it can also reveal which host is infected.
The figure above shows the output of a simple Python and Scapy script that looks for DNS resource records (name-to-IP-address mappings). The script prints a summary of each packet together with its answers.
Since we know the domain name for our DC, we can easily find what should be our host on the same network (Seoul-4a67). Looking around, there are also answers for some suspicious domains (.xyz, .club and .top TLDs), as well as queries for resolver1[.]opendns[.]com and myip[.]opendns[.]com. Resolving myip.opendns.com through the OpenDNS resolvers is a well-known way to learn a host's public IP address, and malware uses it for exactly that, so it is worth noting. Make note of the above and move on.
Playing around with Scapy, I found a cleaner output that provides the same DNS information.
This gives us not only the host name, but also its IP address and a likely MAC address.
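As an added example (my own, not the notebook's code), here is a pure-Python version of that DNS triage that needs no Scapy: it parses DNS response messages directly, handles the name compression that real resolvers use, and flags the patterns noted above (uncommon TLDs and OpenDNS lookups). The sample responses are constructed inside the block; the names and addresses in them are invented and are not from the exercise PCAP. With Scapy the same fields come from `pkt[DNSRR].rrname` and `pkt[DNSRR].rdata` for each packet that `haslayer(DNSRR)`.

```python
import struct
from collections import defaultdict

# TLDs the write-up singled out; treat this as a hunting heuristic, not a verdict.
SUSPICIOUS_TLDS = {"xyz", "club", "top"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS label format (no compression)."""
    out = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(qname: str, answers, qtype: int = 1) -> bytes:
    """Build a minimal DNS response for the constructed samples below.

    answers is a list of (rtype, rdata_bytes). The answer name is a compression
    pointer (0xC00C) back to the question name, as real resolvers send it."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    body = b""
    for rtype, rdata in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return header + question + body


def read_name(data: bytes, offset: int):
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode())
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_dns_answers(payload: bytes):
    """Return [(name, rtype, rdata)] for each answer record in a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", payload[:12])
    if not flags & 0x8000:                             # QR bit clear: a query, skip it
        return []
    off = 12
    for _ in range(qdcount):
        _, off = read_name(payload, off)
        off += 4                                       # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, off = read_name(payload, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        raw = payload[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                  # A record
            rdata = ".".join(str(b) for b in raw)
        elif rtype in (5, 12):                         # CNAME / PTR carry a name
            rdata, _ = read_name(payload, off - rdlen)
        else:
            rdata = raw.hex()
        records.append((name, rtype, rdata))
    return records


def triage(responses):
    """Map names to answers and flag the patterns called out in the write-up."""
    mapping, flagged = defaultdict(set), []
    for payload in responses:
        for name, rtype, rdata in parse_dns_answers(payload):
            mapping[name].add(rdata)
            if name.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
                flagged.append(f"uncommon TLD: {name} -> {rdata}")
            if "opendns.com" in name or "opendns.com" in rdata:
                flagged.append(f"OpenDNS lookup (external IP check?): {name} -> {rdata}")
    return dict(mapping), flagged


# Constructed samples: invented names and addresses, not the exercise PCAP.
SAMPLE_RESPONSES = [
    build_response("dc.example.local", [(1, bytes([10, 0, 90, 10]))]),
    build_response("badname.top", [(1, bytes([192, 0, 2, 19]))]),
    build_response("myip.opendns.com", [(1, bytes([198, 51, 100, 7]))]),
    build_response("22.222.67.208.in-addr.arpa",
                   [(12, encode_name("resolver1.opendns.com"))], qtype=12),
]
# A plain query (QR bit clear) that the parser must ignore.
SAMPLE_QUERY = (struct.pack("!HHHHHH", 1, 0x0100, 1, 0, 0, 0)
                + encode_name("dc.example.local") + b"\x00\x01\x00\x01")

if __name__ == "__main__":
    mapping, flagged = triage(SAMPLE_RESPONSES)
    for name, addrs in sorted(mapping.items()):
        print(f"{name:35} {', '.join(sorted(addrs))}")
    print("\n".join(flagged))
```

On a real capture, feed `triage()` the UDP payloads of port 53 traffic (with Scapy, `bytes(pkt[DNS])` for each packet that has a DNS layer). The compression handling matters: almost every real answer uses a pointer back to the question name, so a parser that only understands plain labels will mis-read the record that follows.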
Now that we know the hostname, we can seek out the user account name. With this being a Windows system, we can bet that the account name will be found in Kerberos traffic, if there is any. In Wireshark, the display filter kerberos.CNameString shows the client principal in AS-REQ and TGS-REQ messages; names ending in $ are machine accounts, and the rest are user accounts.
With all the information gathered above, let's start looking into possible HTTP/S requests. We will continue using the Jupyter notebook from here on.
From the output above we can see that our user for this exercise, kim.jooyoung, was pretty busy. The script lists the source (our identified host) together with the Host header and path of each file requested. A few file extensions stand out: .fgs, .avi, .rar and .cab.
The .rar requests are especially interesting given the WinRAR vulnerability that made its way around the internet recently. The requested URLs definitely give us something to start researching.
Using the VirusTotal API, we can check the URLs found above for positive detections (I do not have an enterprise account, so my searches are rate-limited). As suspected, the .fgs file served from hxxp://ljeffery54ae[.]top had a number of engines flagging it as malicious.
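As an added example (my own code, not the notebook's and not an official VirusTotal client): the v3 API addresses a URL by the unpadded base64url encoding of the URL itself, so a report can be fetched without first submitting the URL. The network call only runs when a VT_API_KEY environment variable is set (an assumption of this example); otherwise the block summarizes a constructed sample report whose detection counts are made up.

```python
import base64
import json
import os
import urllib.request


def vt_url_id(url: str) -> str:
    """VirusTotal v3 identifies a URL by its base64url encoding with padding stripped."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def verdict_from_report(report: dict) -> dict:
    """Reduce a v3 /urls/{id} report to the counts an analyst scans first."""
    stats = (report.get("data", {}).get("attributes", {})
             .get("last_analysis_stats", {}))
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    return {
        "malicious": malicious,
        "suspicious": suspicious,
        "total": sum(stats.values()),
        "flag": malicious + suspicious > 0,
    }


def lookup_url(url: str, api_key: str) -> dict:
    """GET /api/v3/urls/{id}. The public API quota is small, so batch lookups sparingly."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/urls/{vt_url_id(url)}",
        headers={"x-apikey": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample report: the shape of a v3 response, with invented counts.
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_stats": {
    "harmless": 60, "malicious": 9, "suspicious": 1, "undetected": 10}}}}

if __name__ == "__main__":
    # The URL from this write-up, re-fanged only so the lookup id can be built.
    url = "http://ljeffery54ae.top/skoex/po2.php?l=cupk6.fgs"
    key = os.environ.get("VT_API_KEY")          # assumed environment variable
    report = lookup_url(url, key) if key else SAMPLE_REPORT
    print(vt_url_id(url), verdict_from_report(report))
```

A 404 from the endpoint means VirusTotal has never seen the URL, not that it is clean; in that case the URL (or the exported object) has to be submitted before any verdict exists.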
At this point, we can export the HTTP objects from Wireshark (File > Export Objects > HTTP) and submit them to VirusTotal, or simply paste in the URL.
From what VirusTotal is telling us, the site above is likely serving Ursnif (also known as Gozi) banking malware. We can now start ringing the alarms, as it appears we have confirmed our host is infected.
For good measure, I wanted to use Scapy again to view the HTTP responses and see whether we could pull out the response carrying the malware.
Indeed, we can see the "MZ" header and the "This program cannot be run in DOS mode" stub at the bottom of the screen, which mark the start of a Windows executable. This may have been a quick analysis, but I believe we have enough to begin writing our incident report.
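The request listing and the MZ check above, as one added example in plain Python (my own code, not the notebook's Scapy script): it parses raw HTTP request payloads into host, path and watched extensions, and carves a PE file out of a raw HTTP response by its MZ magic and DOS stub, hashing the body for the IOC list. The request lines and the fake executable body are constructed here and the host names are invented. On a real capture the response body spans many TCP segments, so feed this reassembled stream data (Wireshark's Follow TCP Stream or Export Objects output), not individual packets.

```python
import hashlib
import re

# Extensions worth a second look in this capture, plus the obvious executable types.
WATCHED = re.compile(r"\.(fgs|avi|rar|cab|exe|dll)(?=$|[?&/])", re.I)
DOS_STUB = b"This program cannot be run in DOS mode"


def _split_head(payload: bytes):
    """Split a raw HTTP message into (start_line, headers_dict, body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode(errors="replace")] = \
            value.strip().decode(errors="replace")
    return lines[0], headers, body


def parse_request(payload: bytes):
    """Return {method, host, path, flagged} for a raw HTTP request, or None if not HTTP."""
    start, headers, _ = _split_head(payload)
    m = re.match(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$", start)
    if not m:
        return None
    target = m.group(2).decode(errors="replace")
    return {
        "method": m.group(1).decode(),
        "host": headers.get("host", ""),
        "path": target.split("?", 1)[0],
        # Match on the whole target: the .fgs in this capture sits in the query string.
        "flagged": [e.lower() for e in WATCHED.findall(target)],
    }


def triage_requests(payloads):
    """Parse every request payload, dropping anything that is not HTTP (e.g. TLS)."""
    rows = [parse_request(p) for p in payloads]
    return [r for r in rows if r]


def carve_executable(payload: bytes):
    """If a raw HTTP response body is a PE file, return its hash and metadata."""
    start, headers, body = _split_head(payload)
    m = re.match(rb"^HTTP/1\.[01] (\d{3})", start)
    if not m:
        return None
    if body[:2] == b"MZ" and DOS_STUB in body[:512]:
        return {
            "status": int(m.group(1)),
            "content_type": headers.get("content-type", ""),
            "size": len(body),
            "sha256": hashlib.sha256(body).hexdigest(),
        }
    return None


# Constructed samples: invented hosts; FAKE_PE is MZ + DOS stub + padding, not a real PE.
SAMPLE_REQUESTS = [
    b"GET /skoex/po2.php?l=cupk6.fgs HTTP/1.1\r\nHost: bad.example.top\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /modules/client.rar HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    b"POST /index.php HTTP/1.1\r\nHost: 192.0.2.11\r\nContent-Length: 0\r\n\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",          # TLS ClientHello, not HTTP
]
FAKE_PE = b"MZ" + b"\x90" * 62 + DOS_STUB + b"\x00" * 100
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: "
                   + str(len(FAKE_PE)).encode() + b"\r\n\r\n" + FAKE_PE)
BENIGN_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for row in triage_requests(SAMPLE_REQUESTS):
        print(row["method"], row["host"], row["path"], row["flagged"])
    print(carve_executable(SAMPLE_RESPONSE))
    print(carve_executable(BENIGN_RESPONSE))
```

The constructed response declares image/gif while carrying an MZ body; that mismatch between Content-Type and actual content is itself a useful detection, which is why the carver reports the declared type next to the hash.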
Incident Response Report
On Monday, 15 April 2019, at 16:42 UTC, the Windows host SEOUL-4A67-PC, with user account kim.jooyoung logged in, was infected with an Ursnif malware variant. According to the provided alerts, the same host was also infected with AZORult malware.
Details for the infected Windows Host:
IP address: 10.0.90.175
MAC address: d0:67:e5:b1:53:fa
Host name: SEOUL-4A67-PC
Windows user account: kim.jooyoung
Indicators of Compromise
- ljeffery54ae[.]top (91.240[.]87.19:80) — GET /skoex/po2.php?l=cupk6[.]fgs **Ursnif**
- 161[.]213.250.131:80 — GET /azor[.]rar **AZORult**
Suspicious Network Traffic/Domains
- DNS query for myip[.]opendns[.]com
- DNS PTR query for 208.67[.]222.22 (resolver1[.]opendns[.]com)
- pompeiiii[.]org (188.8.131.52:443) — numerous failed TCP connections
- ksoniay95ee[.]info (184.108.40.206:80) — GET /images/string[.]avi
- zindv[.]club (220.127.116.11:443) — HTTPS/SSL
- 151[.]106.27.208:80 — GET /client[.]rar
- 185.136.169[.]160:443 — HTTPS/SSL
- 185.212.47[.]167:443 — HTTPS/SSL
- 89.163.144[.]224:80 — GET /klansfuuerifneiferunfasd/modules/client[.]rar
- adsfinder[.]xyz (185.158.249[.]39:443) — HTTPS/SSL
- 85.114.134[.]49:80 — POST /index.php
- 198.54.125[.]57:443 — HTTPS/SSL
- qqtube[.]club (109.230.199[.]24:443) — HTTPS/SSL
- parolinos[.]xyz (176.10.125[.]110:443) — HTTPS/SSL
- 68.65.122[.]52:443 — HTTPS/SSL
SHA256 hash for the Ursnif executable: 50007a82f044a695ec9c1cfcc7a495211061112ea6a927710ebd3e6c4409e3a2
- Another note: the IOCs listed above do not necessarily mean that every IP address in the list is malicious. More research would be needed before deciding to add them to a blocklist.
This was another fun challenge from Brad, and I hope anyone who reads this found something useful or was able to learn from it.