2015-11-24 - TRAFFIC ANALYSIS EXERCISE - ANSWERS

NOTICE:

ASSOCIATED FILES:

 

ANSWERS

Below are the answers for this traffic analysis exercise

 

DETAILS

You can easily find tie the mac address, ip address, and host name together by looking through the DHCP traffic (UDP port 67) or NBNS traffic as shown below.

 

Someone has already submitted the pcap to VirusTotal, and we find a number of Snort and Suricata alerts from it.

 

Checking the Suricata alerts from the VirusTotal analysis, we find alerts for exploit kit activity.

 

I had to playback the pcap in Security Onion using the ETPRO ruleset to confirm this was Angler EK.  And I got an IP address for it.

 

Using Wireshark, filter on http.request and the IP address, and you'll see the Angler EK URLs.

 

How did Tom's computer get to the EK server?  It either came from a compromised website, or possibly through a gate.  (Read more about gate traffic here.)  If it's a gate, sometimes you won't see the gate as a referer in the landing page for the EK.  I'll do a filter for ip contains [whatever the EK domain is] in Wireshark.  You'll notice a frame before the first HTTP GET request to the landing page.

 

Let's follow the TCP stream to see what it is.

 

Looks like it's gate traffic.  You can also see the referer in the HTTP headers.

 

Let's make sure there isn't anything else between this gate and the compromised website.  Filter on ip contains [whatever the gate domain is] in Wireshark.  If you do that, you'll find a frame before the HTTP GET request to the gate URL.

 

Let's follow the TCP stream to see what it is.

 

And it looks like an ad server from the compromised website's domain returned the gate URL in an iframe.

 

And that completes the kill chain for this infection.  Comrpomised website (actually an ad server from the website's domain) --> Gate --> EK.

There's more we can examine, but that's all I'm going through for the answers, here.  I can't get Angler EK's malware payload from the pcap, because Angler uses some form of encryption that I cannot decode.

Of note, whenever I've seen Angler EK traffic, I've most often found one of two things as the payload: ransomware or Bedep.  If it's ransomware (CryptoWall, TeslaCrypt, etc), I can usually grab a decrypted copy of the payload from the infected host.  If it's Bedep, it's a "file-less" infection where Bedep is never written to disk, but is held in memory.  We can see from the Suricata alerts, this is a Bedep infection.

 

Bedep will download more malware (which is also sent encrypted over the network).  In this scenario, at least one piece of follow-up malware was found on the infected host: C:\Users\Turkey-Tom\AppData\Roaming\BackUp1086666136.exe.  You have the SHA256 file hash, so you can search for this on VirusTotal or Hybrid-Analysis.com to see if anyone has submitted it.  Turns out someone did...

 

You can use the Hybrid-Analysis.com link above to get a copy of the malware found on Tom's infected computer.

 

FINAL WORDS

For those who read all the way through this page, thanks for participating!  I also appreciate the emails I've received, along with the retweets and likes from Twitter.  These exercises are always fun to create.  Hope this has been helpful.

 

Click here to return to the main page.