CyberDefenders - Series (Malware Traffic Analysis 1 - Packet Analysis)

-

 Introduction

The Digital Forensics & Incident Response (DFIR) field is one, where you must keep learning to stay current with the latest development and to keep your skills sharp. Therefore I've decided to start working on some challenges that are delivered through CyberDefenders. It's a great place to work on challenges and to keep developping yourself.

The Challenge

This blog describes the 'Malware Traffic Analysis 1' challenge, which can be found here

Tools used for this challenge:

Write-up

My write-ups follow a standard pattern, which is 'Question' and 'Methodology'. I choose this format, because it allows you to be able to follow along and try this challenge for yourself. I have choosen not to disclose the answer here, since it's also a competition and I don't want to spoil the integrity and fun of competing. 

Question 1
What is the IP address of the Windows VM that gets infected?

Methodology: I have heard great stories about NetworkMiner so I wanted to give it a try.  When I loaded in the PCAP in NetworkMiner it automatically extracts hosts that it finds in the PCAP file. In the PCAP file there is only one host identified as a Windows machine. 

Question 2
What is the hostname of the Windows VM that gets infected?
Methodology: In the 'Hosts' menu of NetworkMiner you will see extracted hosts from the PCAP file, since there's only one Windows machine this is an easy find. 

Question 3
What is the MAC address of the infected VM?

Methodology: This information will be in the same overview as the previous answers using NetworkMiner.


Question 4
What is the IP address of the compromised web site?

Methodology: In total there are 30 sessions in the dataset. Further inspection of the sessions show a few websites that stand out, based on the name of the website. Some websites like bing.com are less likely to be compromised. I was left with 3 websites that I thought might be compromised. Next I noticed that the CyberDenders platform contains hints. For this question, the hint shows that the last byte of the IP-address starts with a 3, leaving us with only one website. Another method is to actually start inspecting the PCAP in Wireshark, but I didn't want to do that just yet and just see what NetworkMiner can do without manual analysis. 


Question 5
What is the domain name of the compromised web site?

Methodology: Using the information from the previous answer you will see that NetworkMiner automatically shows domain names of hosts. 

Question 6
What is the IP address of the server that delivered the exploit kit and malware?

Methodology: With this question I was able to leverage the cool things NetworkMinder does. NetworkMiner extracts the individual web pages that were visited. Using that information you will find that the domain that was the answer to Question 4, 5 contains an embedded Youtube video as well as mentions of "corp-shop" which is another domain that is part of the sessions in the PCAP file. The IP-address of corp-shop is 188.225.73.100. Analyzing the index.html of corp-shop there is an iframe in there which is used to retreive something from another domain "stand.trustandproberealty.com". Inspection of the files that were subsequently downloaded from this domain show a download of a malicious file. IT is possible that you get a warning from your anti-virus software upon opening this PCAP file, which is because of the file that is downloaded from this domain. Now that we know the domain where the malicious file is downloaded from you will also have the IP-address that answers the question.  

Question 7
What is the domain name that delivered the exploit kit and malware?

Methodology: Using the methodology as described above, you will already have the answer to this question. 

Question 8 
What is the redirect URL that points to the exploit kit (EK) landing page?

Methodology: For this question you can rely on the actions described for Question 6. In which we already identified that the initial compromised website has a redirect to another domain, which is the answer to this question. 

Question 9
Other than CVE-2013-2551 IE exploit, what other exploit(s) sent by the EK?

Methodology: To answer this question, I did some research using PacketTotal and Malware-Traffic-Analysis. Using this method you will find that the EK was using two types of exploits, the answer is the technology for which the exploit was developed. 

Question 10
How many times was the payload delivered?

Methodology: I used Wireshark to answer this question. When you filter on the IP-address of the domain that was used to deliver the Exploit Kit, then I counted the of downloads for application/msxdownloads or you can filter on the length of the session. 


Question 11
What are the SIDs of the triggered Snort alerts in the Network Trojan category? Format: insert numbers in ascendingly order

Methodology: Since I did not have a Snort instance running, I simply uploaded the sample to VT got a list of SIDs. You can find the sample here. VirustTotal will show you the Snort alerts and in [] you will also find the SID. 

Question 12
The compromised website has a malicious script with a URL. What is this URL?

Methodology: This answer was already found in Question 6, using the index.html of the first compromised website you will find a part in the body containing a script to a URL. 


Question 13
Extract the exploit file(s). What is (are) the MD5 file hash(es)?
Methodology: One of the awesome things NetworkMiner does it creates a folder structure for your PCAP file for each IP-address/domain it finds and creates a subdirectory with the files. Since we already identified the Exploit Kit and the downloads. The only thing we have to do is calculate the hashes. The Exploit Kit consists of a SWF file and a JAR file, the rest is up to you. 


Question 14
VirusTotal doesn't show how many times a specific rule was fired under the "Suricata alerts" section for the pcap analysis. Run the pcap file against your local Suricata (Emerging Threats Open ruleset) and provide the rule number that was fired the most.

Methodology: I did not have access to a local Suricate instance, I looked at the provided hint and the VirusTotal output where I just filtered for Suricata alerts ending with number 7

Conclusion
This was the first challenge that I did on the CyberDefenders platform and a very interesting one. I learned that using NetworkMiner I quickly can get an idea on what is in a PCAP file. Another interesting part of this challenge is to try to get an idea on how Exploit Kits like this work and the various stages of the attack from a network perspective. I am looking forward to the other challenges in this series. I hope you found this an interesting read, if you have any suggestions or comments feel free to send me a message on Twitter

Popular posts from this blog

Importing Windows Event Log files into Splunk

-
Image
Introduction In this blog post I will show you how to import Windows event log files in Splunk. I was inspired by  this  post on how to import '.evtx' files into Elastic and I thought it was a good idea to write this blog on how to achieve the same goal with Splunk. Log analysis is a critical part of DFIR and on numerous occassions I found myself sitting with a bunch of Windows event logs that needed to be analysed. So I hope it will be useful for you as well.  Setup your environment For this experiment, I have used a cool dataset published by Blackstorm Security . The dataset contains Windows event log samples associated to specific attack and post-exploitation techniques The event logs are stored in their repository and categorized per attack type. First step is to download Splunk Enterprise for free here Next follow the installation steps and upon successful completion, you have your own Splunk server running Optional, if you want to analyse Sysmon loggin
Read more

Write-up Magnet Weekly CTF

-
Image
It is time for some fun and time to sharpen up my Mobile Forensics skills. Magnet Forensics has decided to organize a weekly CTF challenge, every Monday a new challenge will be published for the last quarter of 2020. This gives everyone a week to work on a challenge and then it will be closed and a new challenge will be published. I really like this setup, as it is a lot easier to combine with work life. More information about the CTF can be found on the Magnet website . I will use and update this article to write down my methodology to solving the challenge and hopefully the answer as well.    Quick navigation  To navigate to the write-up of a certain week, use the links below: Week 1 Week 2 Week 3 Week 4 Week 5 Week 6 Week 7 Week 8 Week 9 Week 10 Week 11 Week 12 CTF Setup  For the month October a mobile Android Image is used download  here .  For the month November a Linux image is used download  here . For the month December a Windows memory image is used download here I use
Read more

CyberDefenders - Series (Malware Traffic Analysis 2 - Packet Analysis)

-
Image
Introduction The Digital Forensics & Incident Response (DFIR) field is one, where you must keep learning to stay current with the latest development and to keep your skills sharp. Therefore I've decided to start working on some challenges that are delivered through  CyberDefenders . It's a great place to work on challenges and to keep developping yourself. The Challenge This blog describes the 'Malware Traffic Analysis 2' challenge, which can be found  here .  Tools used for this challenge: -  NetworkMiner -  Wireshark -  PacketTotal -  VirusTotal - Brim Write-up My write-ups follow a standard pattern, which is 'Question' and 'Methodology'. I choose this format, because it allows you to be able to follow along and try this challenge for yourself. I have choosen not to disclose the answer here, since it's also a competition and I don't want to spoil the integrity and fun of competing.  Question 1 What is the IP address of the Windows VM that g
Read more