CyberDefenders - Series (Malware Traffic Analysis 1 - Packet Analysis)

Introduction

The Digital Forensics & Incident Response (DFIR) field is one where you must keep learning to stay current with the latest developments and to keep your skills sharp. Therefore I've decided to start working on some of the challenges that are delivered through CyberDefenders. It's a great place to work on challenges and to keep developing yourself.

The Challenge

This blog describes the 'Malware Traffic Analysis 1' challenge, which can be found here

Tools used for this challenge:

Write-up

My write-ups follow a standard pattern, which is 'Question' and 'Methodology'. I chose this format because it allows you to follow along and try this challenge for yourself. I have chosen not to disclose the answers here, since it's also a competition and I don't want to spoil the integrity and fun of competing.

Question 1
What is the IP address of the Windows VM that gets infected?

Methodology: I have heard great stories about NetworkMiner, so I wanted to give it a try. When I loaded the PCAP into NetworkMiner it automatically extracted the hosts that it found in the PCAP file. In the PCAP file there is only one host identified as a Windows machine.

Question 2
What is the hostname of the Windows VM that gets infected?
Methodology: In the 'Hosts' menu of NetworkMiner you will see the hosts extracted from the PCAP file; since there's only one Windows machine this is an easy find.

Question 3
What is the MAC address of the infected VM?

Methodology: This information will be in the same overview as the previous answers using NetworkMiner.


Question 4
What is the IP address of the compromised web site?

Methodology: In total there are 30 sessions in the dataset. Further inspection of the sessions shows a few websites that stand out, based on the name of the website. Some websites, like bing.com, are less likely to be compromised. I was left with 3 websites that I thought might be compromised. Next I noticed that the CyberDefenders platform contains hints. For this question, the hint shows that the last byte of the IP address starts with a 3, leaving us with only one website. Another method is to actually start inspecting the PCAP in Wireshark, but I didn't want to do that just yet; I wanted to see what NetworkMiner can do without manual analysis.


Question 5
What is the domain name of the compromised web site?

Methodology: Using the information from the previous answer you will see that NetworkMiner automatically shows domain names of hosts. 

Question 6
What is the IP address of the server that delivered the exploit kit and malware?

Methodology: With this question I was able to leverage the cool things NetworkMiner does. NetworkMiner extracts the individual web pages that were visited. Using that information you will find that the domain that was the answer to Questions 4 and 5 contains an embedded YouTube video as well as mentions of "corp-shop", which is another domain that is part of the sessions in the PCAP file. The IP address of corp-shop is 188.225.73.100. Analyzing the index.html of corp-shop, there is an iframe in there which is used to retrieve something from another domain, "stand.trustandproberealty.com". Inspection of the files that were subsequently downloaded from this domain shows a download of a malicious file. It is possible that you get a warning from your anti-virus software upon opening this PCAP file, which is because of the file that is downloaded from this domain. Now that we know the domain where the malicious file is downloaded from, you will also have the IP address that answers the question.

Question 7
What is the domain name that delivered the exploit kit and malware?

Methodology: Using the methodology as described above, you will already have the answer to this question. 

Question 8
What is the redirect URL that points to the exploit kit (EK) landing page?

Methodology: For this question you can rely on the actions described for Question 6, in which we already identified that the initial compromised website has a redirect to another domain, which is the answer to this question.

Question 9
Other than the CVE-2013-2551 IE exploit, what other exploit(s) were sent by the EK?

Methodology: To answer this question, I did some research using PacketTotal and Malware-Traffic-Analysis. Using this method you will find that the EK was using two types of exploits; the answer is the technology for which the exploit was developed.

Question 10
How many times was the payload delivered?

Methodology: I used Wireshark to answer this question. When you filter on the IP address of the domain that was used to deliver the Exploit Kit, you can count the number of downloads with content type application/msxdownloads, or you can filter on the length of the session.


Question 11
What are the SIDs of the triggered Snort alerts in the Network Trojan category? Format: insert numbers in ascending order

Methodology: Since I did not have a Snort instance running, I simply uploaded the sample to VT and got a list of SIDs. You can find the sample here. VirusTotal will show you the Snort alerts, and in [] you will also find the SID.

Question 12
The compromised website has a malicious script with a URL. What is this URL?

Methodology: This answer was already found in Question 6: using the index.html of the first compromised website, you will find a part in the body containing a script tag that points to a URL.
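The manual check behind Questions 6 and 12 (reading an extracted index.html for iframe and script sources that load from a host other than the page's own) as a small Python scan; this is an added example, not code from the write-up or from NetworkMiner. The HTML, the page host example.invalid and the PLACEHOLDER paths are constructed stand-ins, not the real page.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the extracted index.html; the real page's
# paths are not reproduced here. One YouTube embed, one local script,
# and an injected hidden iframe plus script pointing at the EK domain.
SAMPLE_HTML = """
<html><body>
<iframe width="560" src="https://www.youtube.com/embed/PLACEHOLDER"></iframe>
<script src="/js/site.js"></script>
<div style="display:none">
<iframe src="http://stand.trustandproberealty.com/PLACEHOLDER" width="1" height="1"></iframe>
</div>
<script src="http://stand.trustandproberealty.com/PLACEHOLDER.js"></script>
</body></html>
"""

class ExternalRefParser(HTMLParser):
    """Collects (tag, src) for iframe/script tags whose src host differs
    from the page's own host; relative URLs are treated as on-host."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        src = dict(attrs).get("src")
        host = urlparse(src).hostname if src else None
        if host and host.lower() != self.page_host:
            self.refs.append((tag, src))

def external_refs(html, page_host):
    """Return [(tag, src), ...] for every off-host iframe/script source."""
    parser = ExternalRefParser(page_host)
    parser.feed(html)
    return parser.refs

def suspicious_hosts(html, page_host, allowlist=()):
    """Off-host source hosts not on the allowlist, sorted; whatever is
    left is the candidate set for an injected redirect."""
    hosts = {urlparse(src).hostname.lower() for _, src in external_refs(html, page_host)}
    return sorted(h for h in hosts if h not in allowlist)

if __name__ == "__main__":
    for tag, src in external_refs(SAMPLE_HTML, "example.invalid"):
        print(f"{tag:6} {src}")
    print(suspicious_hosts(SAMPLE_HTML, "example.invalid", {"www.youtube.com"}))
```

Run it against the index.html NetworkMiner extracted for the compromised site, with the site's own hostname as page_host, and the known-good embeds (the YouTube player here) on the allowlist.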


Question 13
Extract the exploit file(s). What is (are) the MD5 file hash(es)?
Methodology: One of the awesome things NetworkMiner does is create a folder structure for your PCAP file, with a directory for each IP address/domain it finds and a subdirectory with the files. Since we already identified the Exploit Kit and the downloads, the only thing we have to do is calculate the hashes. The Exploit Kit consists of a SWF file and a JAR file; the rest is up to you.
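An added example (not code from the write-up or from NetworkMiner) of the hashing step: walk the folder NetworkMiner extracted files into, pick out the SWF and JAR files by their magic bytes rather than by extension, and compute MD5 and SHA-256 for each. The sample folder is built by make_sample_tree() with constructed files; point triage() at your own extraction folder instead.

```python
import hashlib
import os
import tempfile
import zipfile

# Magic bytes: SWF starts with 'FWS' (raw), 'CWS' (zlib) or 'ZWS' (LZMA);
# a JAR is a ZIP archive, so its first local header starts with 'PK\x03\x04'.
MAGIC = {b"FWS": "swf", b"CWS": "swf", b"ZWS": "swf", b"PK\x03\x04": "jar-or-zip"}

def file_kind(path):
    """Return the detected kind of a file, or None when no magic matches."""
    with open(path, "rb") as f:
        head = f.read(4)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None

def hashes(path):
    """MD5 and SHA-256 of a file, computed in one pass over its bytes."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def triage(root):
    """[(relative path, kind, md5, sha256)] for each SWF/JAR-like file under root."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            kind = file_kind(path)
            if kind:
                found.append((os.path.relpath(path, root), kind, *hashes(path)))
    return sorted(found)

def make_sample_tree():
    """Constructed stand-in for NetworkMiner's extracted-files folder."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "subdir"))
    with open(os.path.join(root, "payload.swf"), "wb") as f:
        f.write(b"CWS\x0a" + b"\x00" * 16)          # zlib-compressed SWF header
    with zipfile.ZipFile(os.path.join(root, "subdir", "applet.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    open(os.path.join(root, "empty.txt"), "wb").close()  # no magic: ignored
    return root

if __name__ == "__main__":
    for rel, kind, md5, sha256 in triage(make_sample_tree()):
        print(f"{kind:10} md5={md5} sha256={sha256} {rel}")
```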


Question 14
VirusTotal doesn't show how many times a specific rule was fired under the "Suricata alerts" section for the pcap analysis. Run the pcap file against your local Suricata (Emerging Threats Open ruleset) and provide the rule number that was fired the most.

Methodology: Since I did not have access to a local Suricata instance, I looked at the provided hint and at the VirusTotal output, where I just filtered for Suricata alerts ending with the number 7.

Conclusion
This was the first challenge that I did on the CyberDefenders platform and a very interesting one. I learned that using NetworkMiner I can quickly get an idea of what is in a PCAP file. Another interesting part of this challenge is trying to get an idea of how Exploit Kits like this work and the various stages of the attack from a network perspective. I am looking forward to the other challenges in this series. I hope you found this an interesting read; if you have any suggestions or comments, feel free to send me a message on Twitter.
