As my winter vacations come to an end, I decided to start warming up my brain in preparation for the final semester of my graduate program. Malware-Traffic-Analysis.net is a very good resource for practicing PCAP analysis. In this article, I describe my answers to the analysis questions of the PCAP file available here.
Note: In this article, I’m using Wireshark for the complete PCAP analysis.
IP Address of Infected Windows VM
The infected host would be making POST requests to remote hosts/domains. Wireshark's http.request display filter shows only those requests. In the below snap, source IP address 172.16.165.165 is the infected Windows VM address.
Hostname of Infected Windows VM
The hostname is visible in NBNS (and DHCP) traffic. It can be seen in the below snap of NBNS traffic that the hostname for IP address
MAC Address of Infected Windows VM
The MAC address of a host is visible in its DHCP traffic. In the below snap of DHCP traffic, it can be seen that the client is 172.16.165.165 and its MAC address is
IP Address and Domain Name of Compromised Website
From the output of the display filter http.request, it can be seen that the infected host communicates with the following remote domains:
The user lands on www[.]ciniholland[.]nl through a Bing search result. This is evident from the Referer field in the
www[.]ciniholland[.]nl acts as a Referer to multiple other domains, as is evident in the screenshots below.
Interaction with adultbiz[.]in
adultbiz[.]in has an IP address of 126.96.36.199. Following the TCP traffic, it seems to me that it is an ad site. I have read tales of websites paying to be whitelisted by ad blockers like Adblock Plus. adultbiz[.]in also seems to be doing this through the value in
Interaction with 24corp-shop.com
A level 2 question on this page mentions CVE-2013-2551 where attackers can “execute arbitrary code via a crafted web site that triggers access to a deleted object”. The below traffic indicates that the said vulnerability might have been exploited.
Compromise of ciniholland[.]nl
It can be seen below in the source code of ciniholland[.]nl/index[.]html that an invisible iframe is being created with source URL 24corp-shop[.]com. This suggests that the website ciniholland[.]nl, with IP address 82[.]150[.]140[.]30, is compromised.
IP Address and Domain Name of Website Delivering Malware
In the snap below, it can be seen that the user lands on the website,
The source code of 24corp-shop[.]com/index.html, as shown below, shows that an iframe is created with source URL stand[.]trustandprobaterealty[.]com with a hardcoded PHP session ID.
Interaction with stand[.]trustandprobaterealty[.]com
We can see in the snap below that multiple files are requested from
Extracting the above files and checking their hashes on VirusTotal leads to the conclusion that the domain stand[.]trustandprobaterealty[.]com is delivering malware.
root@malnet:~/malware_traffic_exercises/2014-11-16/Files# ls
24CorpIndex.html  index.html  jar  jquery.php  mp3  notfound.gif  swf  xml
root@malnet:~/malware_traffic_exercises/2014-11-16/Files# sha256sum *
...
178be0ed83a7a9020121dee1c305fd6ca3b74d15836835cfb1684da0b44190d3  jar
...
e2e33b802a0d939d07bd8291f23484c2f68ccc33dc0655eb4493e5d3aebc0747  swf
...
The IP address and domain name of the website delivering malware are
stand[.]trustandprobaterealty[.]com respectively. From the VT results, the delivered payloads appear to be the RIG exploit kit and a CVE-2012-0507 Java exploit.
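The Referer-chasing described above (Bing search, compromised landing page, invisible iframe to 24corp-shop[.]com, onward to the exploit-kit host) can be automated once the HTTP requests are exported from Wireshark/tshark as fields. The script below is an added example, not part of the original post; the input rows are constructed to mirror the findings above, the PHPSESSID value is a placeholder, and only the tshark flags and field names are real.

```python
# Added example: rebuild the infection's redirect chain from tshark field output.
# The real export would be produced with (pipe-separated, one request per line):
#   tshark -r capture.pcap -Y http.request -T fields -E separator='|' \
#     -e ip.src -e http.host -e http.request.method -e http.request.uri -e http.referer
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample rows (src|host|method|uri|referer), not real capture data.
SAMPLE = """\
172.16.165.165|www.bing.com|GET|/search?q=ciniholland|
172.16.165.165|www.ciniholland.nl|GET|/index.html|http://www.bing.com/search?q=ciniholland
172.16.165.165|adultbiz.in|GET|/|http://www.ciniholland.nl/index.html
172.16.165.165|24corp-shop.com|GET|/index.html|http://www.ciniholland.nl/index.html
172.16.165.165|stand.trustandprobaterealty.com|GET|/?PHPSESSID=PLACEHOLDER|http://24corp-shop.com/index.html
172.16.165.165|stand.trustandprobaterealty.com|POST|/?PHPSESSID=PLACEHOLDER|http://24corp-shop.com/index.html
"""

def parse_rows(text):
    """Split tshark field lines; reduce the Referer URL to its hostname."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, host, method, uri, referer = line.split("|", 4)
        rows.append({"src": src, "host": host, "method": method, "uri": uri,
                     "referer": urlparse(referer).hostname if referer else None})
    return rows

def infected_hosts(rows):
    """Client IPs issuing HTTP POSTs: the post's heuristic for the infected VM."""
    return sorted({r["src"] for r in rows if r["method"] == "POST"})

def referer_graph(rows):
    """Map each referring host to the set of hosts it led the client to."""
    graph = defaultdict(set)
    for r in rows:
        if r["referer"] and r["referer"] != r["host"]:
            graph[r["referer"]].add(r["host"])
    return graph

def redirect_chain(rows, start, target):
    """Depth-first walk of the Referer graph from start to target, no cycles."""
    graph = referer_graph(rows)
    def walk(node, path):
        if node == target:
            return path
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:
                found = walk(nxt, path + [nxt])
                if found:
                    return found
        return None
    return walk(start, [start])

def defang(host):
    """Render a host safely for reports, e.g. 24corp-shop[.]com."""
    return host.replace(".", "[.]")
```

Running `redirect_chain(parse_rows(SAMPLE), "www.bing.com", "stand.trustandprobaterealty.com")` yields the four-hop chain the post traces by hand, and `referer_graph` also exposes the side trip to adultbiz.in from the compromised page.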
Thanks for reading!
In this article, I described my analysis of the provided PCAP file. The most challenging aspect of this analysis was identifying the CVE-2013-2551 exploit; had it not already been mentioned on the questions page, I would have had more difficulty identifying the exploit.
Thank you for reading! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!