2015-09-11 - TRAFFIC ANALYSIS EXERCISE - ANSWERS

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-09-11-traffic-analysis-exercise.pcap.zip   9.9 MB (9,893,007 bytes)
• 2015-09-11-traffic-analysis-exercise-malware-from-infected-host.zip   353.6 kB (353,609 bytes)
• 2015-09-11-traffic-analysis-exercise-emails.zip   415.7 kB (415,702 bytes)

 

ANSWERS

Below is an example of a summary covering the incident:

 

TRAFFIC REVIEW

Make sure when you downloaded the pcap that you recieved the full 12.1 MB of data.  Some people have had issues not getting the full pcap.  As always, I suggest you change your default column display in Wireshark as shown here.

The pcap is all traffic from Greggory's computer, which was using 192.168.137[.]56 as its IP address.  Reviewing the DHCP and NBNS traffic will confirm the mac address and host name for Greggory's computer.

 

A quick check of the browsing traffic shows the user agent string for the majority of the HTTP GET request (at least those not related to the malware) as shown below.  This will give you the operating system.

 

Let's review the Snort-based events using Security Onion.  I used tcpreplay on the pcap in Security Onion.  I've got Security Onion set up using Suricata as the IDS with the EmergingThreats open signature set.  My results in Sguil showed Angler EK and CryptoWall checkin-traffic.

 

Sguil groups the alerts by source IP address.  In this case, there are multiple destination IP addresses.  So how do we find out what they are?  Escalate the events for that particular alert by selecting that line and hitting F9.

Go to the "Escalated Events" tab to see all of these events.  When you review these events, you'll find a 5 1/2 minute gap between two groups of alerts.  This is the dividing line between the two different CryptoWall samples that were recovered from Greggory's infected computer.

 

Let's go back to the Angler EK.  The alerts indicate the EK was on 216.245.212[.]78.  Looking through the pcap, you'll find the Angler EK landing page. The landing page shows the compromised website that was the referer.

 

The malware payload (always sent encrypted by Angler EK) was 216,076 bytes.  The first CryptoWall sample is 216,067 bytes.  The similar size (within 100 bytes) indicates this CryptoWall sample was sent by Angler EK.

 

Going through the traffic, you shouldn't find anything tying the second set of post-infection CryptoWall 3.0 callback traffic to any other traffic.  That one likely came from one of the emails.  Lets look at the emails and see if we can figure out which one (if any of them) are the cause of the second CryptoWall 3.0 infection.

 

EMAIL REVIEW

FIRST EMAIL - Subject: Homicide Suspect

Malware extracted from the attached zip is at: https://www.hybrid-analysis.com/sample/240a0e11f0ce82aa368e51457dcf37e2f6260465bce4db946dd5f6e39c874916?environmentId=1 .  That analysis shows the attachment is an Upatre file downloader.  In this case, it downloaded Dyre malware.  None of the traffic shown in this analysis is in the pcap of the traffic.  This is not assoicated with the infected computer.

Summary:

 

SECOND EMAIL - Subject: RE:resume

The attached Word document can be found at: https://www.hybrid-analysis.com/sample/5a56547721d751a12acbf2135a0c054bd72a09da3ac93a1562786edbf4b591ee?environmentId=1

I couldn't really tell anything about it from the automated analysis tools, so I opened the document in a VM.  The document has macros that will need to be enabled for it to perform its malicious actions.

 

The document isn't a file downloader.  The malware appears to be embedded within the document itself.  Once you enable macros, you'll find malware saved to the User's AppData\Roaming folder.  I got a copy before it deleted itself.

 

The malware had the same size and file hash as the other CryptoWall copy extracted from Greggory's infected computer.

 

THIRD EMAIL - Subject: Suspicious login to your account #10906

This email has a link to a fake Paylpal login page, which has already been taken down.

 

FOURTH EMAIL - Subject: Your e-ticket #0000321424

This email has a zipped .js file attachment, and it should match previous emails I've already described at: https://isc.sans.edu/forums/diary/Malicious+spam+with+zip+attachments+containing+js+files/20153/

 

FINAL WORDS

Hopefully, this exercise has helped improve your traffic analysis skills.  Tanks for following along!

 

The company's founder came up with the name after his first conversation with a potential customer.

Company founder:  You want your order when?
Potential customer:  Tomorrow.
Company founder:  Tomorrow??  That's a bridge too far!

40 years later, that company is the world's largest supplier of novelty toilets.

 

Click here to return to the main page.