Malware Traffic Analysis 1 Walkthrough — Cyberdefenders

responderj
Dec 21, 2021

Challenge Link: Malware Traffic Analysis 1

Tools:

1. What is the IP address of the Windows VM that gets infected?

Open the pcap file using Brim and click the alert detected by Suricata.

The image above shows the IP Address of the Windows VM.

2. What is the hostname of the Windows VM that gets infected?

Based on DHCP traffic, we can identify the machine information such as IP address, MAC address, Hostname, etc.

Since I already knew the IP address of the Windows VM, I used it in a query to display only its DHCP traffic.

_path=="dhcp" | client_addr==172.16.165.165

The query above produces the following output:

3. What is the MAC address of the infected VM?

Since DHCP traffic provides the host’s MAC address, I used the same query from Q.2.

The image above shows the MAC Address of the infected VM.

4. What is the IP address of the compromised website?

I used the query below to parse the HTTP traffic that K34EN6W3N-PC is accessing.

_path=="http" id.orig_h==172.16.165.165 | cut id.orig_h, id.resp_h, host | count() by host, id.resp_h

I filtered out www.youtube.com since it is a legitimate site and focused only on the remaining four sites.

The referer header contains the address of the webpage from which a resource has been requested.

I used the query below to display the four sites' referer, destination IP address, method, and file format/content, and then sorted by timestamp in ascending order.

_path=="http" id.orig_h==172.16.165.165 | cut id.orig_h, id.resp_h, host, method, referrer, ts, resp_mime_types | sort ts

The query above produces the following output:

The first event shows that K34EN6W3N-PC did a Bing search at 02:11:55. The referer shows that the user searched for ciniholland[.]nl.

At 02:11:57, K34EN6W3N-PC is accessing adultbiz.in and the referer is ciniholland[.]nl

At 02:12:11, K34EN6W3N-PC is accessing 24corp-shop[.]com and the referer is ciniholland[.]nl

At 02:12:41, K34EN6W3N-PC is accessing stand[.]trustandprobaterealty[.]com and the referer is 24corp-shop[.]com

Table
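The referer table above is the core of the walkthrough: sorting the victim's HTTP requests by timestamp and reading each request's Referer header reconstructs the redirect chain from the compromised site to the exploit kit landing page. The script below, an added example and not part of the original post, does the same thing in Python over constructed Zeek http.log records in the JSON form Brim exports. The hosts, victim IP, EK server IP and request order follow the walkthrough; the date, the other server IPs (TEST-NET addresses), the request paths and the Bing referer URL are assumed.

```python
import json
from urllib.parse import urlparse

# Constructed Zeek http.log records (not taken from the challenge pcap).
# Hosts, victim IP (172.16.165.165), EK server IP (37.200.69.143) and the request
# order follow the walkthrough; the date, the 192.0.2.x server IPs, the URIs and the
# Bing referer URL are assumptions made for this example.
SAMPLE_HTTP_LOG = """
{"_path":"http","ts":"2000-01-01T02:11:55Z","id.orig_h":"172.16.165.165","id.resp_h":"192.0.2.10","host":"www.bing.com","method":"GET","uri":"/search?q=ciniholland.nl","referrer":null}
{"_path":"http","ts":"2000-01-01T02:11:56Z","id.orig_h":"172.16.165.165","id.resp_h":"192.0.2.20","host":"www.ciniholland.nl","method":"GET","uri":"/","referrer":"http://www.bing.com/search?q=ciniholland.nl"}
{"_path":"http","ts":"2000-01-01T02:11:57Z","id.orig_h":"172.16.165.165","id.resp_h":"192.0.2.30","host":"adultbiz.in","method":"GET","uri":"/","referrer":"http://www.ciniholland.nl/"}
{"_path":"http","ts":"2000-01-01T02:12:11Z","id.orig_h":"172.16.165.165","id.resp_h":"192.0.2.40","host":"24corp-shop.com","method":"GET","uri":"/","referrer":"http://www.ciniholland.nl/"}
{"_path":"http","ts":"2000-01-01T02:12:41Z","id.orig_h":"172.16.165.165","id.resp_h":"37.200.69.143","host":"stand.trustandprobaterealty.com","method":"GET","uri":"/","referrer":"http://24corp-shop.com/"}
"""


def load_records(text):
    """Parse newline-delimited JSON log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def referer_host(record):
    """Return the hostname named in a record's Referer header, or None if absent."""
    ref = record.get("referrer")  # Zeek spells the field 'referrer'
    return urlparse(ref).hostname if ref else None


def victim_timeline(records, victim_ip):
    """Same view as the Brim query: the client's HTTP requests sorted by ts,
    as (ts, host, referer host) tuples."""
    rows = [r for r in records if r.get("_path") == "http" and r.get("id.orig_h") == victim_ip]
    rows.sort(key=lambda r: r["ts"])  # ISO-8601 strings sort chronologically
    return [(r["ts"], r["host"], referer_host(r)) for r in rows]


def referer_fanout(records, victim_ip):
    """How many distinct hosts each referer host led the victim to.
    The host that refers to most of the suspicious sites is the likely injection point."""
    fanout = {}
    for r in records:
        if r.get("id.orig_h") != victim_ip:
            continue
        ref = referer_host(r)
        if ref and ref != r["host"]:
            fanout.setdefault(ref, set()).add(r["host"])
    return {host: len(targets) for host, targets in fanout.items()}


def referer_chain(records, landing_host):
    """Walk Referer headers backwards from the landing page to the page that started the chain."""
    by_host = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        by_host.setdefault(r["host"], r)  # keep the earliest request to each host
    chain, host = [], landing_host
    while host and host not in chain:  # stop at the root, or on a referer loop
        chain.append(host)
        rec = by_host.get(host)
        host = referer_host(rec) if rec else None
    return chain


def landing_page_referer(records, landing_host):
    """The raw Referer URL on the first request to the landing page, i.e. the redirect URL."""
    hits = [r for r in records if r.get("host") == landing_host]
    first = min(hits, key=lambda r: r["ts"], default=None)
    return first.get("referrer") if first else None


if __name__ == "__main__":
    recs = load_records(SAMPLE_HTTP_LOG)
    for ts, host, ref in victim_timeline(recs, "172.16.165.165"):
        print(ts, host, "<-", ref)
    print("fanout:", referer_fanout(recs, "172.16.165.165"))
    print("chain:", " <- ".join(referer_chain(recs, "stand.trustandprobaterealty.com")))
    print("redirect URL:", landing_page_referer(recs, "stand.trustandprobaterealty.com"))
```

With Brim, the same records can be exported as JSON and fed straight to `load_records`; `referer_fanout` captures the reasoning used in the next paragraph (the host that refers to the other suspicious sites is the compromised one), and `landing_page_referer` answers the redirect-URL question by reading the landing page's Referer header.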

Since the host www[.]ciniholland[.]nl appeared as the referer for all the detected sites, I checked its HTML code using Wireshark.

The query below parses all the HTTP traffic from www[.]ciniholland[.]nl:

_path=="http" host=="www.ciniholland.nl" | sort ts

By selecting the first event and clicking Packets at the top right corner, Wireshark opens automatically.

Right-click on the GET request and navigate to Follow > HTTP Stream.

The image below shows that www[.]ciniholland[.]nl contains embedded JavaScript that redirects users to hxxp[://]24corp-shop[.]com using a hidden iframe.

Upon checking the URL’s reputation, multiple security vendors reported it as Malicious, Malware, and Suspicious.

hxxp[://]24corp-shop[.]com reputation

After analyzing the HTML code of www[.]ciniholland[.]nl, I can now conclude that this is the compromised website.

5. What is the FQDN of the compromised website?

You can determine the FQDN of the compromised website from question number 4.

6. What is the IP address of the server that delivered the exploit kit and malware?

Click the Suricata Alerts by Category to show all the Alerts detected by Suricata.

Since I'm looking for an exploit kit, I checked the Exploit Kit Activity Detected logs by right-clicking the alert and selecting Pivot to logs.

The image below shows the IP Address that delivered the exploit kit and malware.

7. What is the FQDN that delivered the exploit kit and malware?

One way to determine the FQDN is to analyze the HTTP traffic to the server and list the Host headers it was asked for.

_path=="http" id.resp_h==37.200.69.143 | count() by host

The query above produces the following output:

8. What is the redirect URL that points to the exploit kit (EK) landing page?

Now that I know the domain that delivered the exploit kit, I can use the referer table from question number 4 to find the referer of its landing page.

9. Other than CVE-2013-2551 IE exploit, another application was targeted by the EK and starts with "J". Provide the full application name.

event_type=="alert" alert.severity==1 alert.category=="Exploit Kit Activity Detected" | count() by alert.signature | sort -r

I used the query above to list all the alerts related to exploit kits, grouped by signature.

The question already has a clue that the answer starts with the letter “J”. Based on the image above, we can now determine the application name.

10. How many times was the payload delivered?

When I opened the pcap file in NetworkMiner, Windows Defender detected 3 threats.

11. The compromised website has a malicious script with a URL. What is this URL?

I used the same procedure for viewing the HTML code as in Q.4.

The image above shows the embedded URL and the malicious script in www[.]ciniholland[.]nl
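Q.4 and Q.11 both rest on spotting the injected redirect in the compromised site's HTML: an iframe that is hidden or sized to a single pixel, or a script that builds such an iframe and points it at an external URL. The parser below is an added example, not code from the original post, that flags both patterns so the same check can be run over any HTML body exported from Wireshark. The sample page and the `redirect.example.invalid` host are constructed placeholders, not the script found on the real site.

```python
import re
from html.parser import HTMLParser

# Constructed HTML illustrating the pattern described in the walkthrough: one hidden
# 1x1 iframe, one iframe created by inline script, and one ordinary visible iframe.
# The markup and the redirect host are placeholders, not the site's real code.
SAMPLE_HTML = """<html><head><title>shop</title></head><body>
<p>Welcome</p>
<iframe src="http://redirect.example.invalid/landing" width="1" height="1" style="visibility:hidden"></iframe>
<script>
var d = document.createElement('iframe');
d.src = 'http://redirect.example.invalid/in.php';
d.style.display = 'none';
document.body.appendChild(d);
</script>
<iframe src="https://www.youtube.com/embed/placeholder" width="560" height="315"></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
URL_IN_SCRIPT = re.compile(r"""['"](https?://[^'"\s]+)['"]""")


def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; None if absent or non-numeric."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class InjectFinder(HTMLParser):
    """Collect iframes that are tiny or styled hidden, and URL literals in inline
    scripts that mention 'iframe'."""

    def __init__(self):
        super().__init__()
        self.hidden_iframes = []  # src of iframes that are <=1px or hidden by CSS
        self.script_urls = []     # URLs inside <script> bodies that build an iframe
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            w, h = _px(a.get("width")), _px(a.get("height"))
            tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
            hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
            if tiny or hidden:
                self.hidden_iframes.append(a.get("src"))
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._script_buf)
            if "iframe" in body.lower():
                self.script_urls.extend(URL_IN_SCRIPT.findall(body))
            self._in_script = False
            self._script_buf = []


def find_injected_redirects(html):
    """Return the suspicious iframe sources and script-embedded URLs found in an HTML body."""
    p = InjectFinder()
    p.feed(html)
    p.close()
    return {"hidden_iframes": p.hidden_iframes, "script_urls": p.script_urls}


if __name__ == "__main__":
    for kind, urls in find_injected_redirects(SAMPLE_HTML).items():
        print(kind, urls)
```

The visible YouTube embed is deliberately left alone: the check keys on size and CSS visibility rather than on the mere presence of an iframe, which keeps legitimate embeds from being flagged. Obfuscated scripts that assemble the URL from fragments will slip past the literal-URL regex, so treat a hit as a lead to confirm in the HTTP stream rather than as a complete detection.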

12. Extract the two exploit files. What are the MD5 file hashes? (comma-separated)

I used the IP address of the server that delivered the exploit kit and malware to retrieve each transferred file's MIME type and its corresponding MD5 value.

_path=="files" source=="HTTP" 37.200.69.143 in tx_hosts | cut tx_hosts, rx_hosts, md5, mime_type

The query above produces the following output:

I filtered out all the html/xml files and then checked the JAR and shockwave flash file reputations in VirusTotal.

Select the MD5, then click VirusTotal Lookup.

1e34fdebbf655cebea78b45e43520ddf (JAR file) reputation
7b3baa7d6bb3720f369219789e38d6ab (Flash file) reputation
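The files.log query above selects files sent by the exploit kit server, drops the html/xml noise, and leaves the hashes to look up. The script below, an added example rather than code from the original post, does the same triage in Python over constructed Zeek files.log records in Brim's JSON form and also counts how many times each hash was served, a files.log view of the "how many deliveries" question (Q.10) that complements the NetworkMiner/Defender count the walkthrough used. The server IP, victim IP and the two MD5 values come from the walkthrough; the fuid values, the html record's all-zero hash, the MIME type strings and the repeated Flash delivery are assumed for the example.

```python
import json
from collections import Counter

# Constructed Zeek files.log records (not exported from the challenge pcap).
# The tx host 37.200.69.143, the rx host 172.16.165.165 and the JAR/Flash MD5s follow
# the walkthrough; fuid values, the all-zero html hash, the MIME type strings and the
# second Flash delivery are assumptions made for this example.
SAMPLE_FILES_LOG = """
{"_path":"files","ts":"2000-01-01T02:12:41Z","fuid":"FEXAMPLE0","tx_hosts":["37.200.69.143"],"rx_hosts":["172.16.165.165"],"source":"HTTP","mime_type":"text/html","md5":"00000000000000000000000000000000"}
{"_path":"files","ts":"2000-01-01T02:12:43Z","fuid":"FEXAMPLE1","tx_hosts":["37.200.69.143"],"rx_hosts":["172.16.165.165"],"source":"HTTP","mime_type":"application/java-archive","md5":"1e34fdebbf655cebea78b45e43520ddf"}
{"_path":"files","ts":"2000-01-01T02:12:45Z","fuid":"FEXAMPLE2","tx_hosts":["37.200.69.143"],"rx_hosts":["172.16.165.165"],"source":"HTTP","mime_type":"application/x-shockwave-flash","md5":"7b3baa7d6bb3720f369219789e38d6ab"}
{"_path":"files","ts":"2000-01-01T02:12:49Z","fuid":"FEXAMPLE3","tx_hosts":["37.200.69.143"],"rx_hosts":["172.16.165.165"],"source":"HTTP","mime_type":"application/x-shockwave-flash","md5":"7b3baa7d6bb3720f369219789e38d6ab"}
{"_path":"files","ts":"2000-01-01T02:11:56Z","fuid":"FEXAMPLE4","tx_hosts":["192.0.2.20"],"rx_hosts":["172.16.165.165"],"source":"HTTP","mime_type":"text/html","md5":"00000000000000000000000000000000"}
"""

# MIME types that are page markup rather than a delivered payload.
MARKUP_TYPES = ("text/html", "text/xml", "application/xml", "application/xhtml+xml")


def load_records(text):
    """Parse newline-delimited JSON log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def files_from_server(records, server_ip, victim_ip=None):
    """Equivalent of the Brim filter: HTTP files whose tx_hosts set contains the server,
    optionally restricted to files received by one victim."""
    rows = [
        r for r in records
        if r.get("_path") == "files" and r.get("source") == "HTTP"
        and server_ip in r.get("tx_hosts", [])
    ]
    if victim_ip is not None:
        rows = [r for r in rows if victim_ip in r.get("rx_hosts", [])]
    return rows


def exploit_candidates(records, server_ip, skip=MARKUP_TYPES):
    """Map MIME type -> MD5 for non-markup files the server delivered; these are the
    hashes to check in VirusTotal."""
    out = {}
    for r in files_from_server(records, server_ip):
        if r.get("mime_type") in skip or not r.get("md5"):
            continue
        out[r["mime_type"]] = r["md5"]
    return out


def delivery_counts(records, server_ip):
    """How many times each non-markup hash was served by the server."""
    return Counter(
        r["md5"] for r in files_from_server(records, server_ip)
        if r.get("mime_type") not in MARKUP_TYPES and r.get("md5")
    )


if __name__ == "__main__":
    recs = load_records(SAMPLE_FILES_LOG)
    for mime, md5 in exploit_candidates(recs, "37.200.69.143").items():
        print(f"{md5}  {mime}")
    print(delivery_counts(recs, "37.200.69.143"))
```

Hashing on the files.log md5 field only works when the Zeek hash scripts were loaded at capture time, which Brim does by default; if the field is missing, extract the file from the HTTP stream and hash it yourself.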

Check out this cheat sheet to read more about Zeek Logs.
