let's start:
Downloading the Capture File and Understanding the Assignment
- Download the .pcap file from https://www.malware-traffic-analysis.net/
- Familiarize yourself with the assignment instructions.
LAN segment data:
LAN segment range: 172.16.0[.]0/24 (172.16.0[.]0 through 172.16.0[.]255)
Domain: sunnystation[.]com
Domain controller: 172.16.0[.]52 - SUNNYSTATION-DC
File Server: 172.16.0[.]53 - SUNNYFILESERVER
LAN segment gateway: 172.16.0[.]1
LAN segment broadcast address: 172.16.0[.]255
TASK
What hosts/user account names are active on this network?
What type of malware are they infected with?
Identifying Active IP Addresses
We can identify active devices on the network by looking for IP addresses that frequently transmit or receive data. Wireshark provides filters to achieve this.
- Apply the filter dhcp to capture DHCP messages exchanged during device initialization.
This will reveal IP addresses assigned to devices on the network.
the following IP addresses appear to be active across multiple protocols:
172.16.0.170
172.16.0.149
172.16.0.131
Finding Host Information (Username, Hostname)
Now that you have IP addresses, let's gather additional details about the devices.
- Use the filter kerberos.CNameString to find Kerberos authentication packets.
- Select a packet and expand the kerberos field in the packet details pane. Look for the as-req field, then expand req-body, cname, and finally CNameString. This often contains the username for the device.
- Hostnames might also be included within Kerberos traffic.
172.16.0.170 00:12:f0:64:d1:d9 DESKTOP-W5TFTQY everett.french
172.16.0.131 2c:27:d7:d2:06:f5 DESKTOP-VD151O7 tricia.becker
172.16.0.149 00:1b:fc:7b:d1:c0 DESKTOP-KPQ9FDB nick.montgomery
Detecting Malware
172.16.0.149
- Apply the filter http.request to capture HTTP requests sent by devices.
- Examine each request closely, focusing on suspicious URLs. For instance, in your analysis, 172.16.0.149 sent a request to
www.ajaxmatters.com/c7g8t/zbBYgukXYxzAF2hZc/
which is linked to Emotet malware.
Right-click on this packet and follow the TCP stream associated with the suspicious HTTP request to inspect packet content. The first two bytes appearing as "MZ" after the HTTP response headers could indicate a malicious file.
To extract and analyze this potential malware:
- Go to File > Export Objects > HTTP in Wireshark.
- Select the file associated with the suspicious hostname (e.g.,
www.ajaxmatters.com
) and content type (e.g., application/x-msdownload). This file type is often used for DLLs and EXEs.
- Save the extracted file.
- Open a terminal, navigate to the file location, and run the command shasum -a 256 to calculate the SHA-256 hash, a unique identifier for the file.
SHA256 hash for Emotet DLL: 14b57211308ac8ad2a63c965783d9ba1c2d1930d0cafd884374d143a481f9bf3
Next, we'll identify Command and Control (C2) server communication, which allows the malware to receive instructions from the attacker. I have tried these filters:
- ip.addr==172.16.0.149 && tls.handshake.type eq 1
- ip.addr==172.16.0.149 && tcp.analysis.flags
- dns traffic
- smtp traffic
- Common C2 protocols include HTTP, HTTPS, DNS, IRC, and custom protocols
- C2 traffic often exhibits recognizable patterns such as periodic communications, communications with unusual times of day, or a high volume of traffic to a particular destination. Look for patterns that deviate from normal network behavior or unknown IP addresses.
The capture shows the compromised host (172.16.0.149) using the TCP Window Update with Zero Window technique repeatedly. This technique is often used by attackers to exploit vulnerabilities in TCP implementations and force the remote server to send more data than it normally would.
The destinations use ports commonly associated with email services (587) and web traffic (443, 80). Emotet malware is known to steal credentials and exploit these ports to send spam and steal sensitive information .
The client attempts to connect to multiple SMTP servers (74.208.5.15, 116.254.112.253, 142.250.138.109, 46.97.120.162, 27.34.147.95, 122.17.147.238, 192.185.4.31) one after another. This behavior is often associated with spammers. Some of the captured traffic includes the AUTH LOGIN command, which is used to authenticate with the SMTP server using a username and password. This suggests the malware may be attempting to steal credentials to further compromise system.
The captured traffic showing a login attempt with Base64 encoded credentials is concerning. In a secure SMTP connection, the credentials would be sent using a more secure method like SASL (RFC 4405) which encrypts the data transmission.
There is an email from the spambot traffic over unencrypted SMTP you can export from the pcap in Wireshark by using File --> Export Objects --> IMF
I am using morzilla thunderbird to view this malicious email.
172.16.0.170
applying the filter: ip.addr==172.16.0.170 && http.request || tls.handshake.type eq 1
find a suspicious server, URLhaus indicates dalgahavuzu.com is Emotet from its epoch 5 botnet
To find c2 Traffic, we can do the same as we did with the first window host:
applying this filter : ip.addr==172.16.0.170 && tcp.analysis.flags
172.16.0.131
Applying the filter : ip.addr==172.16.0.131 && http.request
An image file: Ocklqc.jpg, returned from 156.96.154.210 is a binary that represents a Windows DLL file with the bytes in reverse order. extracting it and uploaded on virustotal indicate it malicious, but it didn't specify the type of malware.
received other get request, but all share a pattern. An encoded resource in a βuar3β file path. Researching the domain names links them to XLoader, formerly FormBook(Joe Sandbox).
applying the filter : ip.addr==172.16.0.131 && dns
Top comments (0)