PCAP Analysis – 1

As my winter vacations come to an end, I decided to start warming up my brain in preparation for the final semester of my graduate program. Malware-Traffic-Analysis.net is a very good resource for practicing PCAP analysis. In this article, I describe my answers to the analysis questions of the PCAP file available here.

Note: In this article, I’m using Wireshark for the complete PCAP analysis.

IP Address of Infected Windows VM

The infected host would be making GET/POST requests to remote hosts/domains. Wireshark’s http.request filter would display only said requests. In the below snap, source IP address 172.16.165.165 is the infected Windows VM address.

Hostname of Infected Windows VM

Hostname is visible in NBNS (and DHCP) traffic. It can be seen in the below snap of NBNS traffic that the hostname for IP address 172.16.165.165 is K34EN6W3N-PC.

MAC Address of Infected Windows VM

MAC address of a host is visible in its DHCP traffic. In the below snap of DHCP traffic, it can be seen that the client is 172.16.165.165 and its MAC address is f0:19:af:02:9b:f1.

IP Address and Domain Name of Compromised Website

From the output of the http.request display filter, it can be seen that the infected host communicates with the following remote domains:

  • www[.]bing[.]com
  • www[.]ciniholland[.]nl
  • adultbiz[.]in
  • youtube[.]com
  • 24corp-shop[.]com
  • stand[.]trustandprobaterealty[.]com

The user lands on www[.]ciniholland[.]nl through a Bing search result. This is evident from the Referer field in the HTTP header.

www[.]ciniholland[.]nl acts as a Referer to multiple other domains as is evident in the screenshots below.

Interaction with adultbiz[.]in

adultbiz[.]in has an IP address of 185.53.178.9. Following the TCP traffic, it seems to me that it is an ad site. I have read tales of websites paying to be whitelisted from ad blockers like Adblock Plus. adultbiz[.]in also seems to be doing this through the value in X-Adblock-Key field.

Interaction with 24corp-shop[.]com

A level 2 question on this page mentions CVE-2013-2551 where attackers can “execute arbitrary code via a crafted web site that triggers access to a deleted object”. The below traffic indicates that the said vulnerability might have been exploited.

Compromise of ciniholland[.]nl

It can be seen below in the source code of ciniholland[.]nl/index[.]html that an invisible iframe is being created with source URL 24corp-shop[.]com. This suggests that the website ciniholland[.]nl with IP address 82[.]150[.]140[.]30 is compromised.

IP Address and Domain Name of Website Delivering Malware

In the snap below, it can be seen that the user lands on the website, stand[.]trustandprobaterealty[.]com from 24corp-shop[.]com.

The source code of 24corp-shop[.]com/index.html as shown below shows that an iframe is created with source URL, stand[.]trustandprobaterealty[.]com with a hardcoded PHP session ID.
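Reconstructing the whole Referer chain from the Bing search through www[.]ciniholland[.]nl and 24corp-shop[.]com to the landing page, as an added example that is not part of the original write-up: the request records below are constructed to mirror what the http.request filter shows (source IP, Host, Referer), not exported from the PCAP, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample requests (source IP, Host header, Referer header);
# they imitate the columns seen under the http.request filter.
SAMPLE_REQUESTS = [
    ("172.16.165.165", "www.bing.com", None),
    ("172.16.165.165", "www.ciniholland.nl", "http://www.bing.com/search?q=ciniholland"),
    ("172.16.165.165", "adultbiz.in", "http://www.ciniholland.nl/"),
    ("172.16.165.165", "24corp-shop.com", "http://www.ciniholland.nl/"),
    ("172.16.165.165", "stand.trustandprobaterealty.com", "http://24corp-shop.com/"),
    ("172.16.165.165", "stand.trustandprobaterealty.com", "http://24corp-shop.com/"),
    ("172.16.165.10", "www.bing.com", None),
]

def referer_host(referer):
    """Return the hostname part of a Referer URL, or None if absent."""
    if not referer:
        return None
    m = re.match(r"^[a-z]+://([^/:]+)", referer, re.I)
    return m.group(1).lower() if m else None

def referral_graph(requests):
    """Map each referring host to the set of hosts it led the client to."""
    graph = defaultdict(set)
    for _src, host, referer in requests:
        ref = referer_host(referer)
        if ref and ref != host:          # ignore same-site navigation
            graph[ref].add(host)
    return graph

def redirect_chain(graph, start, target):
    """Depth-first search for a path start -> ... -> target in the graph."""
    stack, seen = [(start, [start])], set()
    while stack:
        node, path = stack.pop()
        if node == target:
            return path
        if node in seen:
            continue
        seen.add(node)
        for nxt in sorted(graph.get(node, ())):
            stack.append((nxt, path + [nxt]))
    return None

def hosts_contacted(requests):
    """Count distinct remote hosts per source IP; the busiest is the suspect."""
    per_src = defaultdict(set)
    for src, host, _ in requests:
        per_src[src].add(host)
    return {src: len(hosts) for src, hosts in per_src.items()}

def defang(host):
    """Render a hostname in the [.] notation used in the write-up."""
    return host.replace(".", "[.]")
```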

Interaction with stand[.]trustandprobaterealty[.]com

We can see in the snap below that multiple files are requested from stand[.]trustandprobaterealty[.]com.

Extracting the above files and checking their hashes on VirusTotal leads to the conclusion that the domain, stand[.]trustandprobaterealty[.]com is delivering malware.

root@malnet:~/malware_traffic_exercises/2014-11-16/Files# ls
24CorpIndex.html  index.html  jar  jquery.php  mp3  notfound.gif  swf  xml

root@malnet:~/malware_traffic_exercises/2014-11-16/Files# sha256sum *
...
178be0ed83a7a9020121dee1c305fd6ca3b74d15836835cfb1684da0b44190d3  jar
...
e2e33b802a0d939d07bd8291f23484c2f68ccc33dc0655eb4493e5d3aebc0747  swf
...

The IP address and domain name of the website delivering malware are 37[.]200[.]69[.]143 and stand[.]trustandprobaterealty[.]com respectively. From the VT results, it looks like the delivered malware is the RIG exploit kit together with a CVE-2012-0507 Java exploit.

In this article, I described my analysis for the provided PCAP file. The most challenging aspect of this analysis was the identification of CVE-2013-2551 exploit. If it wasn’t already provided on the questions page, I would have had more difficulty in identifying the exploit.

Thank you for reading! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!
