@adricnet
Last active April 14, 2020 16:23

Brad says:

Review the traffic and consult the alerts if necessary. You should be able to get the following information from the pcap:

The user's first and last name
The host name of the user's Windows computer
The MAC address of the user's Windows computer
What type(s) or item(s) of malware the user's computer is infected with.
How the user's computer got infected with the item(s) of malware.

Looking at Statistics > Conversations (or Endpoints) in Wireshark: although there are many IP and TCP flows, one IPv4 address appears in every IP, TCP and UDP conversation found. NetBIOS Name Service traffic shows name registration requests from that IP, and the same MAC address is in the Ethernet header of every frame that host sends.

Target system: 10.0.21.136, MAC 84:8f:69:09:1c:3b, NetBIOS name MCCOOMB-PC<00> (Workstation/Redirector)

With the last name taken from the hostname we can search for it with Edit > Find Packet (string search), and after the NBNS and DNS traffic we find a web form submission carrying the email address donald.mccomb@gmail.com. The Snort events as logged aren't in order, and the Suricata events have no timestamps, so the first Snort logs have to be pieced back together in order by hand (shell history below, false starts included):

 capinfos 2016-05-13-traffic-analysis-exercise.pcap 
 tail 2016-05-13-traffic-analysis-exercise-snort-events.txt 
 head 2016-05-13-traffic-analysis-exercise-snort-events.txt 
 grep -c 16 2016-05-13-traffic-analysis-exercise-snort-events.txt 
 grep -c '16:' 2016-05-13-traffic-analysis-exercise-snort-events.txt 
 grep -c '-16:' 2016-05-13-traffic-analysis-exercise-snort-events.txt 
 grep -c '\-16:' 2016-05-13-traffic-analysis-exercise-snort-events.txt 
 grep -c '13\-16:' 2016-05-13-traffic-analysis-exercise-snort-events.txt 
 grep -c '13\-15:' 2016-05-13-traffic-analysis-exercise-snort-events.txt 
 grep -c '13\-14:' 2016-05-13-traffic-analysis-exercise-snort-events.txt 
 grep -c '13\-15:' 2016-05-13-traffic-analysis-exercise-snort-events.txt 
 grep '13\-15:' 2016-05-13-traffic-analysis-exercise-snort-events.txt 
 grep -c '13\-15:55' 2016-05-13-traffic-analysis-exercise-snort-events.txt 
 grep '13\-15:55' 2016-05-13-traffic-analysis-exercise-snort-events.txt 
 grep -A3 -B3 '13\-15:55' 2016-05-13-traffic-analysis-exercise-snort-events.txt 
 grep -A3 -B3 '13\-15:55' 2016-05-13-traffic-analysis-exercise-snort-events.txt > inorder
 grep -A3 -B3 '13\-15:57' 2016-05-13-traffic-analysis-exercise-snort-events.txt >> inorder
 grep -A3 -B3 '13\-15:58' 2016-05-13-traffic-analysis-exercise-snort-events.txt >> inorder
 grep -A3 -B3 '13\-15:59' 2016-05-13-traffic-analysis-exercise-snort-events.txt >> inorder
 less inorder 
 grep '\[\*\*\]' inorder 
 grep '\[\*\*\]' inorder >> 20160513.txt 

We see these alerts fire in order, giving us a good idea of the scenario:

[**] [1:38619:3] INDICATOR-COMPROMISE binary download while text expected [**]
[**] [1:15306:22] FILE-EXECUTABLE Portable Executable binary file magic detected [**]
[**] [1:25050:7] MALWARE-CNC Win.Trojan.Zeus variant outbound connection [**]
[**] [1:28039:5] INDICATOR-COMPROMISE Suspicious .pw dns query [**]
[**] [1:28039:5] INDICATOR-COMPROMISE Suspicious .pw dns query [**]
[**] [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query [**]
[**] [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query [**]
[**] [1:25050:7] MALWARE-CNC Win.Trojan.Zeus variant outbound connection [**]
[**] [1:25050:7] MALWARE-CNC Win.Trojan.Zeus variant outbound connection [**]
[**] [1:25050:7] MALWARE-CNC Win.Trojan.Zeus variant outbound connection [**]
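
The grep-by-minute approach above works but is fiddly; the same reordering can be done once by parsing the timestamp at the start of each Snort "fast" alert line. The script below is an added example (my own, not part of the original notes or the exercise); the alert lines in it are constructed for the example, reusing the SIDs and messages listed above but with made-up timestamps, ports and ordering.

```python
import re
from datetime import datetime

# Snort "fast" alert lines as they might appear in the snort-events file.
# CONSTRUCTED for this example: SIDs and messages are the ones listed above,
# but timestamps, ports and the (scrambled) order are invented.
SAMPLE_ALERTS = """\
05/13-15:58:10.110000  [**] [1:28039:5] INDICATOR-COMPROMISE Suspicious .pw dns query [**] [Priority: 2] {UDP} 10.0.21.136:63147 -> 10.0.13.54:53
05/13-15:55:41.200000  [**] [1:15306:22] FILE-EXECUTABLE Portable Executable binary file magic detected [**] [Priority: 1] {TCP} 199.83.131.18:80 -> 10.0.21.136:49201
05/13-15:57:26.750000  [**] [1:25050:7] MALWARE-CNC Win.Trojan.Zeus variant outbound connection [**] [Priority: 1] {TCP} 10.0.21.136:49211 -> 5.34.183.40:80
05/13-15:55:41.190000  [**] [1:38619:3] INDICATOR-COMPROMISE binary download while text expected [**] [Priority: 1] {TCP} 199.83.131.18:80 -> 10.0.21.136:49201
05/13-15:58:10.300000  [**] [1:28039:5] INDICATOR-COMPROMISE Suspicious .pw dns query [**] [Priority: 2] {UDP} 10.0.21.136:49936 -> 10.0.13.54:53
05/13-15:59:02.000000  [**] [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query [**] [Priority: 2] {UDP} 10.0.21.136:50001 -> 10.0.13.54:53
"""

# MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] message [**] ... {PROTO} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:.*\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+))?"
)

def parse_fast_alert(line):
    """Parse one fast-format alert line; returns None for lines that aren't alerts."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # The fast format carries no year; strptime fills in 1900, which is fine
    # for ordering alerts that all come from one capture.
    d["ts"] = datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f")
    return d

def sort_alerts(text):
    """All alerts in the text, in timestamp order (sorted() is stable, so
    alerts with identical timestamps keep their file order)."""
    alerts = [a for a in map(parse_fast_alert, text.splitlines()) if a]
    return sorted(alerts, key=lambda a: a["ts"])

def collapse(alerts):
    """Collapse runs of the same SID into (sid, msg, count), preserving order,
    to get the compact storyline shown above."""
    out = []
    for a in alerts:
        if out and out[-1][0] == a["sid"]:
            out[-1] = (a["sid"], a["msg"], out[-1][2] + 1)
        else:
            out.append((a["sid"], a["msg"], 1))
    return out

if __name__ == "__main__":
    for a in sort_alerts(SAMPLE_ALERTS):
        print(a["ts"].strftime("%m/%d-%H:%M:%S.%f"), a["sid"], a["msg"], a["src"], "->", a["dst"])
    for sid, msg, n in collapse(sort_alerts(SAMPLE_ALERTS)):
        print(f"{n:3d} x [{sid}] {msg}")
```

Run it against the real snort-events file by reading the file into `sort_alerts()`; the src/dst columns also give you the "other IP" for each alert directly, which is the next step below.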

Take the first Snort alert and the other IP address in it, filter for it in Wireshark (ip.addr == 199.83.131.18), and follow the first stream (tcp.stream eq 50). Save the server side of the conversation (the HTTP 200 response) to a file. The response headers say the body is gzipped (Content-Encoding: gzip), so before decompressing, trim the HTTP headers off in a hex editor, up to and including the blank line (CRLF CRLF) that ends the header block. (File > Export Objects > HTTP in Wireshark is the quicker route: with the default "Uncompress entity bodies" preference it hands you the decoded body directly.)

 bless devhands-file-extract 
 file devhands-file-extract blessed-devhands-export 
 gunzip -l blessed-devhands-export
 gunzip -tv blessed-devhands-export
 gunzip -d -c blessed-devhands-export > ungz
 file ungz 
 md5sum ungz 

The decompressed file downloaded from 199.x.x.x (developinghands[dot] ) is known to VirusTotal, with 46 of 55 engines calling it Locky crypto-ransomware. So that is certainly part of the problem here.
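
The header-trimming and gunzip steps above, done programmatically, as an added example (mine, not from the original notes or the exercise). It also handles the case the page does not hit but a practitioner regularly does: a body sent with Transfer-Encoding: chunked, which must be de-chunked before gunzip will accept it. The "executable" inside is a constructed stand-in (an MZ header plus filler), not the exercise's sample, and the two responses are constructed to look like the stream described above: a 200 claiming text/html that really carries a gzipped binary.

```python
import gzip
import hashlib
import zlib

def split_http_response(raw):
    """Split a raw HTTP/1.x response into (status line, headers, body).
    The header block ends at the first empty line (CRLF CRLF); everything
    after that is the entity body, exactly what was cut off in the hex editor."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLF CRLF header terminator found")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body

def dechunk(body):
    """Undo chunked transfer encoding: hex size line, data, CRLF, ..., 0 CRLF CRLF."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)  # ignore chunk extensions
        pos = nl + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that follows each chunk
    return bytes(out)

def extract_payload(raw):
    """Return the decoded entity body of a raw HTTP response (what 'file' should see)."""
    _, headers, body = split_http_response(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    enc = headers.get("content-encoding", "").lower()
    if enc == "gzip":
        body = gzip.decompress(body)
    elif enc == "deflate":
        body = zlib.decompress(body)
    return body

def describe(payload):
    """Size, PE magic check and hashes, for the VirusTotal lookup."""
    return {
        "size": len(payload),
        "is_pe": payload[:2] == b"MZ",
        "md5": hashlib.md5(payload).hexdigest(),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }

# CONSTRUCTED stand-in for the downloaded file: an MZ header and filler,
# not a real executable and not the exercise's sample.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + bytes(range(256)) * 4
_GZ = gzip.compress(FAKE_PE)

def _chunked(data, n=100):
    pieces = [data[i:i + n] for i in range(0, len(data), n)]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces) + b"0\r\n\r\n"

# CONSTRUCTED responses: text/html declared, gzipped binary delivered, which is
# the mismatch the "binary download while text expected" rule keys on.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
    b"Content-Encoding: gzip\r\nContent-Length: " + str(len(_GZ)).encode() + b"\r\n\r\n" + _GZ
)
SAMPLE_CHUNKED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n" + _chunked(_GZ)
)

if __name__ == "__main__":
    print(describe(extract_payload(SAMPLE_RESPONSE)))
    print(describe(extract_payload(SAMPLE_CHUNKED)))
```

To use it on the real stream, read the file saved from Follow TCP Stream (server side only, raw) into `extract_payload()`; if the stream contains several responses, split on the next "HTTP/1.1" status line first.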

Within two minutes (Snort time) the system starts HTTP POSTing to userinfo.php on 5.34.183.40, which is what fired the first Zeus variant C2 alert. The POSTs and the 404 responses to them look identical and recur at a very regular interval:

$ tcpdump -nn -r 2016-05-13-traffic-analysis-exercise.pcap 'host 5.34.183.40' | grep '\[P' | wc -l
reading from file 2016-05-13-traffic-analysis-exercise.pcap, link-type EN10MB (Ethernet)
46

## 32 post and 404 pairs

$ tcpdump -nn -r 2016-05-13-traffic-analysis-exercise.pcap 'host 5.34.183.40' | grep '\[P' | head -2
reading from file 2016-05-13-traffic-analysis-exercise.pcap, link-type EN10MB (Ethernet)
15:57:26.741010 IP 10.0.21.136.49211 > 5.34.183.40.80: Flags [P.], seq 1:631, ack 1, win 256, length 630
15:57:27.018701 IP 5.34.183.40.80 > 10.0.21.136.49211: Flags [P.], seq 1:727, ack 631, win 1983, length 726

$ tcpdump -nn -r 2016-05-13-traffic-analysis-exercise.pcap 'host 5.34.183.40' | grep '\[P' | tail -2
reading from file 2016-05-13-traffic-analysis-exercise.pcap, link-type EN10MB (Ethernet)
16:28:46.926938 IP 10.0.21.136.49830 > 5.34.183.40.80: Flags [P.], seq 1:631, ack 1, win 256, length 630
16:28:47.135166 IP 5.34.183.40.80 > 10.0.21.136.49830: Flags [P.], seq 1:727, ack 631, win 1983, length 726

## in ~30 min of pcap time
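
The regularity of those POSTs is the tell, and it can be measured rather than eyeballed. The script below is an added example (mine, not from the original notes): it parses tcpdump summary lines, keeps the client-to-server PSH segments, and reports the inter-arrival mean and coefficient of variation (stdev / mean). A CV near zero means a fixed-interval beacon; human browsing gives a CV of roughly one or more. The first packet pair is the one printed above; the remaining timestamps are constructed to illustrate a roughly 60-second cycle and are not the pcap's real packet list.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# tcpdump -nn summary line: "HH:MM:SS.ffffff IP src.port > dst.port: Flags [..], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]"
)

def _host(addr):
    # tcpdump prints host.port; drop the trailing port component
    return addr.rsplit(".", 1)[0]

def _seconds(ts):
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6

def client_push_times(lines, client, server):
    """Timestamps (seconds since midnight) of PSH segments from client to server."""
    times = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        if _host(m["src"]) == client and _host(m["dst"]) == server and "P" in m["flags"]:
            times.append(_seconds(m["ts"]))
    return times

def beacon_stats(lines, client, server):
    """Inter-arrival statistics for client->server pushes. A low coefficient of
    variation means the pushes come at a near-fixed interval, which is what a
    beaconing implant looks like on the wire."""
    times = client_push_times(lines, client, server)
    deltas = [b - a for a, b in zip(times, times[1:])]
    if len(deltas) < 2:
        return {"n": len(times), "mean": None, "stdev": None, "cv": None}
    m, s = mean(deltas), pstdev(deltas)
    return {"n": len(times), "mean": m, "stdev": s, "cv": s / m if m else None}

# CONSTRUCTED tcpdump output: first pair copied from above, the rest invented
# to show a ~60 s cycle (not the real packet list from the pcap).
REGULAR = """\
15:57:26.741010 IP 10.0.21.136.49211 > 5.34.183.40.80: Flags [P.], seq 1:631, ack 1, win 256, length 630
15:57:27.018701 IP 5.34.183.40.80 > 10.0.21.136.49211: Flags [P.], seq 1:727, ack 631, win 1983, length 726
15:58:27.102331 IP 10.0.21.136.49215 > 5.34.183.40.80: Flags [P.], seq 1:631, ack 1, win 256, length 630
15:58:27.390004 IP 5.34.183.40.80 > 10.0.21.136.49215: Flags [P.], seq 1:727, ack 631, win 1983, length 726
15:59:27.498877 IP 10.0.21.136.49220 > 5.34.183.40.80: Flags [P.], seq 1:631, ack 1, win 256, length 630
15:59:27.771120 IP 5.34.183.40.80 > 10.0.21.136.49220: Flags [P.], seq 1:727, ack 631, win 1983, length 726
16:00:27.915402 IP 10.0.21.136.49226 > 5.34.183.40.80: Flags [P.], seq 1:631, ack 1, win 256, length 630
16:00:28.200000 IP 5.34.183.40.80 > 10.0.21.136.49226: Flags [P.], seq 1:727, ack 631, win 1983, length 726
16:01:28.300114 IP 10.0.21.136.49231 > 5.34.183.40.80: Flags [P.], seq 1:631, ack 1, win 256, length 630
16:01:28.577301 IP 5.34.183.40.80 > 10.0.21.136.49231: Flags [P.], seq 1:727, ack 631, win 1983, length 726
""".splitlines()

# CONSTRUCTED control: the same number of pushes at human-like, irregular gaps.
IRREGULAR = """\
15:57:26.741010 IP 10.0.21.136.49300 > 5.34.183.40.80: Flags [P.], seq 1:631, ack 1, win 256, length 630
15:57:29.000000 IP 10.0.21.136.49301 > 5.34.183.40.80: Flags [P.], seq 1:631, ack 1, win 256, length 630
15:59:40.000000 IP 10.0.21.136.49302 > 5.34.183.40.80: Flags [P.], seq 1:631, ack 1, win 256, length 630
15:59:40.500000 IP 10.0.21.136.49303 > 5.34.183.40.80: Flags [P.], seq 1:631, ack 1, win 256, length 630
16:05:00.000000 IP 10.0.21.136.49304 > 5.34.183.40.80: Flags [P.], seq 1:631, ack 1, win 256, length 630
""".splitlines()

if __name__ == "__main__":
    print("beacon  ", beacon_stats(REGULAR, "10.0.21.136", "5.34.183.40"))
    print("browsing", beacon_stats(IRREGULAR, "10.0.21.136", "5.34.183.40"))
```

On the real capture, pipe `tcpdump -nn -r <pcap> 'host 5.34.183.40'` into the script's stdin and feed `sys.stdin` to `beacon_stats()`; note that a capture spanning midnight would need the date added to the timestamp (`tcpdump -tttt`).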

The suspicious-DNS alerts are interleaved with the Zeus C2 alerts and are probably DGA activity: the queried labels are high-entropy strings, and the same two names are queried again about 26 minutes later.

$ tcpdump -nn -r 2016-05-13-traffic-analysis-exercise.pcap 'udp port 53' | grep '\.pw'
reading from file 2016-05-13-traffic-analysis-exercise.pcap, link-type EN10MB (Ethernet)
15:57:48.737419 IP 10.0.21.136.63147 > 10.0.13.54.53: 36887+ A? gxbfekwwlswgis.pw. (35)
15:57:48.941370 IP 10.0.21.136.49936 > 10.0.13.54.53: 49885+ A? cktjoiwhc.pw. (30)
16:23:35.221733 IP 10.0.21.136.52792 > 10.0.13.55.53: 28783+ A? gxbfekwwlswgis.pw. (35)
16:23:35.337682 IP 10.0.21.136.63565 > 10.0.13.55.53: 9550+ A? cktjoiwhc.pw. (30)

Having explained the first batch of alerts, let's look for the root cause.

Before the malware download there is a cluster of TLS traffic we can't read, plus the cleartext POST to the form at http://www.liveprayer[dot]com/signup.cfm . The headers of the clear traffic to and around that page confirm the use of tracking and/or advertising (Google, Microsoft). The liveprayer site also serves graphics in various formats, some created with Adobe tools, whose metadata headers are visible in the clear HTTP traffic.

Continuing into the first 1000 packets we see more TLS, including certificates for gmail, gstatic, googleusercontent and accounts.youtube, suggesting a Google apps session. At packet 176 we see a Bing query for mail.google.com. The User-Agent, the DNS queries and the traffic to Microsoft properties all point to IE11 on Windows 7 (the User-Agent shown below reports Windows NT 6.1 with Trident/7.0, i.e. IE11, and WOW64, i.e. a 32-bit browser on 64-bit Windows).

A quicker approach is to filter out port 443 so you can read the clear traffic without the noise: !(tcp.port==443). Browsing this way we see some suspicious JavaScript downloads in tcp.stream eq 104:

GET /wp-content/plugins/google-analyticator/external-tracking.min.js?ver=6.4.9 HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.emidioleite.com.br/2014/09/26/solucionando-erro-429-activex-ao-enviar-re-sefip-cns/

Tracking this proved frustrating, since there are many JS files in flight and they are all minified, legitimate or not. The Brazilian site does refer out to a known-bad redirector in stream 108:

GET /P4YrUf HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.emidioleite.com.br/2014/09/26/solucionando-erro-429-activex-ao-enviar-re-sefip-cns/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: g00.co
DNT: 1
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Date: Fri, 13 May 2016 16:03:55 GMT
Server: Apache
Location: http://magusserver.top/jquery-migrate.min.g4.js

That JavaScript looks much more promising and I'm still struggling to untangle it.

@blackishpanther

so how in wireshark did you find the first name ?

@adricnet (Author) commented Apr 14, 2020 via email
