Malicious traffic exercises 2014-12-04-traffic-analysis-exercise

pcap download address

https://www.malware-traffic-analysis.net/2014/12/04/2014-12-04-traffic-analysis-exercise.pcap.zip

Questions and answers

BASIC QUESTIONS

  1. What is the IP address of the Windows host that gets infected?

  2. What is the MAC address of the infected Windows host?

The capture shows that the IP and MAC addresses of the infected Windows host are 192.168.137.62 and 00:1b:21:ca:fe:d7 respectively.

  1. What is the domain name of the compromised web site?

  2. What is the IP address of the compromised web site?

From the Info column of the packet list, the domain name and IP address of the compromised website are www.earsurgery.org and 216.9.81.189 respectively.

  1. What is the domain name that delivered the exploit kit and malware payload?

  2. What is the IP address that delivered the exploit kit and malware payload?

Open the HTTP export objects list and look for suspicious domain names by Content-Type.

An SWF file served from qwe.mvdunalterableairreport.net is found; save it to disk.

The easiest check is to look the file up on VirusTotal, which identifies it as a CVE-2015-0311 exploit file.

So the domain name and IP address that delivered the exploit kit and malware payload are qwe.mvdunalterableairreport.net and 192.99.198.158 respectively.

MORE ADVANCED QUESTIONS

  1. What snort events (either VRT or EmergingThreats) are generated by this pcap?

ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses [2018316]
ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST [2018442]
ET CURRENT_EVENTS Angler Encoded Shellcode IE [2018954]
ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 [2019224]

  1. What is the exploit kit (EK)?

Angler EK

  1. What is the redirect URL that points to the exploit kit (EK) landing page?

  2. What is the IP address of the redirect URL that points to the exploit kit (EK) landing page?

Filtering the HTTP requests one by one, we find the redirect:

The redirect page is lifeinsidedetroit.com/02024870e4644b68814aadfbb58a75bc.php?q=e8bd3799ee8799332593b0b9caa1f426

Its IP address is 173.201.198.128.

  1. Which tcp stream shows the malware payload being delivered?

A response with Content-Type: application/octet-stream is a raw binary download, so a file of any format can be delivered that way. The TCP stream carrying the malware payload is stream 80: tcp.stream eq 80

EXTRA QUESTIONS

  1. Extract the malware payload, deobfuscate it, and remove the shellcode at the beginning. This should give you the actual payload (a DLL file) used for the infection. What’s the MD5 hash of the payload?

Save the malicious stream as raw data and delete the useless bytes at the front (the shellcode).

Looking at the data, it appears to be XOR encrypted; use the tool xortool to recover it.

The recovered XOR key is nhadR2b4. Opening the output file shows that it contains a PE file; save it.

Use a PE identification tool to view the PE type:

PE: compiler: Microsoft Visual C/C++(2003)[-]
PE: linker: Microsoft Linker(8.0)[DLL32]

The MD5 of the extracted DLL is f0d1ef59876e586a34eeb96c1585e910
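As an added illustration of the extraction steps above (not code from the original write-up or from xortool), the script below recovers a repeating XOR key the way xortool does (most frequent byte per key position assumed to be 0x00), decrypts the blob, carves the PE image from the first valid MZ/PE header so the leading shellcode is dropped, and hashes the result. The sample input is constructed: a fake minimal PE with junk bytes in front, XOR'd with the key nhadR2b4 from the write-up; it assumes the whole stream shares one key, so if the shellcode is in the clear, strip it first as the write-up does.

```python
import hashlib
from collections import Counter
from typing import Optional, Tuple

def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; symmetric, so it also encrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(data: bytes, key_len: int, likely_byte: int = 0x00) -> bytes:
    """xortool-style guess for a known key length: the most frequent ciphertext
    byte in each key column is assumed to be likely_byte (0x00 for null-padded PEs)."""
    key = bytearray()
    for pos in range(key_len):
        top, _ = Counter(data[pos::key_len]).most_common(1)[0]
        key.append(top ^ likely_byte)
    return bytes(key)

def carve_pe(blob: bytes) -> Optional[bytes]:
    """Return data from the first MZ header whose e_lfanew points at a valid
    'PE\\0\\0' signature, dropping whatever precedes it (the shellcode)."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = int.from_bytes(blob[pos + 0x3C:pos + 0x40], "little")
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[pe:pe + 4] == b"PE\x00\x00":
                return blob[pos:]
        pos = blob.find(b"MZ", pos + 1)
    return None

def payload_md5(pe: bytes) -> str:
    return hashlib.md5(pe).hexdigest()

def build_sample_pe() -> bytes:
    """Constructed stand-in for the DLL (not the exercise's real payload):
    MZ stub, e_lfanew = 0x80, PE signature, then a null-heavy body."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x7E)
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    body = b"PE\x00\x00\x4c\x01" + b"\x00" * 500 + b"kernel32.dll\x00" + b"\x00" * 300
    return bytes(hdr) + body

KEY = b"nhadR2b4"                          # key xortool recovered in the write-up
SHELLCODE = bytes(range(0x60, 0x90)) * 2   # constructed stand-in for leading shellcode
OBFUSCATED = xor_decrypt(SHELLCODE + build_sample_pe(), KEY)

def recover(obfuscated: bytes = OBFUSCATED, key_len: int = 8) -> Tuple[bytes, Optional[str]]:
    """Guess the key, decrypt, carve the PE, and return (key, md5 of the PE)."""
    key = recover_key(obfuscated, key_len)
    pe = carve_pe(xor_decrypt(obfuscated, key))
    return key, (payload_md5(pe) if pe else None)
```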

  1. A Flash file was used in conjunction with the redirect URL. What URL was used to retrieve this flash file?

adstairs.ro/544b29bcd035b2dfd055f5deda91d648.swf

  1. In the traffic, we see HTTP POST requests to www.earthtools.org and www.ecb.europa.eu. Why are we seeing these HTTP POST requests?

The malware is checking whether the host is connected to the Internet; these should be heartbeat packets or something similar.

  1. What web browser was used by the infected host?

Filter on the host 192.168.137.62; the traffic is HTTP, and following the stream shows the User-Agent header: the browser is IE 9.0.

  1. What 3 exploits were sent by the exploit kit during this infection?

The Flash exploit CVE-2015-0311 and the malicious DLL were already identified above; continuing the search turns up another suspicious stream.

Save the compressed archive from the stream and decompress it: it contains two files, which analysis identifies as a CVE-2013-0074 exploit file.

Source: blog.csdn.net/weixin_44001905/article/details/107823412