This is the start of my malware traffic analysis series.
In this series, I aim to break down some PCAP files available publicly that contain known infections.
To start the series, we are going to use a PCAP file from the website Malware Traffic Analysis: 2022-02-23 - TRAFFIC ANALYSIS EXERCISE - SUNNYSTATION
This is the scenario available to us:
- LAN segment range: 172.16.0.0/24 (172.16.0.0 through 172.16.0.255)
- Domain: sunnystation.com
- Domain controller: 172.16.0.52 - SUNNYSTATION-DC
- File Server: 172.16.0.53 - SUNNYFILESERVER
- LAN segment gateway: 172.16.0.1
- LAN segment broadcast address: 172.16.0.255
The 2022-02-23-traffic-analysis-exercise.pcap.zip only contains a single PCAP file without any other data.
First Indicator of Compromise
After loading the file into Wireshark, I immediately notice a suspicious entry:

There is a suspicious GET request to /c7g8t/zbBYgukXYxzAF2hZc/. We can analyze this request by following the protocol stream, which is a very useful feature of Wireshark.

This shows that the request is sent to hxxp[://]www[.]ajaxmatters[.]com/c7g8t/zbBYgukXYxzAF2hZc/ (defanged version of the URL).
Submitting this URL to VirusTotal shows that 2 vendors flagged it as malicious.
Searching the full URL in URLhaus also shows that this URL was used to deliver malware (although the website was down at the time of writing). URLhaus also ties it to the Emotet malware.
With this, we have identified our first infection. Next we need to identify the user on the infected host. The traffic in the PCAP shows that the hosts are mostly Windows machines in an Active Directory domain, so we can filter for Kerberos traffic: the client name (CNameString) in the AS-REQ and TGS-REQ messages reveals which account authenticated from a given host. Restricting the filter to the source IP of the malicious request, 172.16.0.149, gives us the user:

Filtering for kerberos.CNameString (and ignoring the machine account, whose name ends in $) shows that the user affected was nick.montgomery.
Second Indicator of Compromise
After looking at the PCAP file for a while, we can identify another suspicious entry:

This time, there is a suspicious GET to /Ocklqc.jpg. Again, we will follow the HTTP stream to analyze the request:

This time the request carries no Host header, so the URL has to be reconstructed from the destination IP address. Searching that IP-based URL in VirusTotal shows that the IP address is flagged as possibly malicious.
Let’s keep looking at the HTTP requests sent from the host 172.16.0.131 for now to gather more data:

It appears that the host is also sending multiple HTTP requests that follow the format /uar3/?<BASE64_ENCODED_DATA>=<BASE64_ENCODED_DATA>
After searching for a bit, it appears that this pattern is related to the XLoader malware.
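The two HTTP findings above (a random-looking directory path for Emotet, and a request without a Host header followed by base64-like key=value queries for XLoader) can be turned into simple triage rules. In Wireshark the missing Host header is just `http.request && !http.host`, but the check below is an added example written for this post (it is not code from the exercise or from Malware Traffic Analysis) that runs the same heuristics over raw HTTP requests and reports which source hosts need a closer look. The sample requests are constructed to mimic the shapes described in the write-up and are not copied from the PCAP; the two path regexes are heuristics of my own, not published signatures.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample traffic: (source IP, raw HTTP request). Not from the exercise PCAP.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("172.16.0.149",
     "GET /c7g8t/zbBYgukXYxzAF2hZc/ HTTP/1.1\r\n"
     "Host: www.ajaxmatters.com\r\n"
     "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0)\r\n"
     "Connection: Keep-Alive\r\n\r\n"),
    ("172.16.0.131",
     "GET /Ocklqc.jpg HTTP/1.1\r\n"
     "User-Agent: Mozilla/5.0\r\n"
     "Connection: close\r\n\r\n"),
    ("172.16.0.131",
     "GET /uar3/?Q2x4bVJwdkt=bGVkc1pKckp1Tm9YcGdZbUZ1U2RQcA HTTP/1.1\r\n"
     "Host: 203.0.113.10\r\n"
     "User-Agent: Mozilla/5.0\r\n"
     "Connection: close\r\n\r\n"),
    ("172.16.0.70",
     "GET /index.html HTTP/1.1\r\n"
     "Host: intranet.sunnystation.com\r\n"
     "User-Agent: Mozilla/5.0\r\n\r\n"),
]

# Heuristic shapes (assumptions for this example, not vendor signatures):
# a directory segment that is 5+ alphanumerics, and the /<dir>/?<b64>=<b64> query from the write-up.
RANDOM_SEGMENT = re.compile(r"^[A-Za-z0-9]{5,}$")
B64_QUERY = re.compile(r"^/[A-Za-z0-9]{2,8}/\?[A-Za-z0-9+/_-]{4,}=[A-Za-z0-9+/_=-]{16,}$")
BARE_IP = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, path, lower-cased header dict)."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def looks_random(segment: str) -> bool:
    """Heuristic: alphanumeric, 5+ chars, and either mixed case or containing digits."""
    if not RANDOM_SEGMENT.match(segment):
        return False
    mixed_case = segment.lower() != segment and segment.upper() != segment
    return mixed_case or any(c.isdigit() for c in segment)


def triage_request(src: str, raw: str) -> Dict:
    """Apply the write-up's observations to one request and collect the reasons it stands out."""
    method, path, headers = parse_request(raw)
    reasons: List[str] = []
    if "host" not in headers:
        reasons.append("missing Host header")
    elif BARE_IP.fullmatch(headers["host"]):
        reasons.append("Host header is a bare IP address")
    if "user-agent" not in headers:
        reasons.append("missing User-Agent")
    if B64_QUERY.match(path):
        reasons.append("base64-like key=value query (XLoader-style)")
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    if len(segments) >= 2 and all(looks_random(s) for s in segments):
        reasons.append("random-looking directory path (Emotet-style)")
    return {"src": src, "method": method, "host": headers.get("host"), "path": path, "reasons": reasons}


def triage(requests: List[Tuple[str, str]]) -> List[Dict]:
    """Return only the requests that triggered at least one heuristic."""
    return [f for f in (triage_request(s, r) for s, r in requests) if f["reasons"]]


def hosts_to_investigate(findings: List[Dict]) -> List[str]:
    """Distinct source IPs that need a Kerberos CNameString lookup."""
    return sorted({f["src"] for f in findings})


if __name__ == "__main__":
    found = triage(SAMPLE_REQUESTS)
    for f in found:
        print(f"{f['src']} -> {f['host'] or '<no Host>'} {f['path']}: {', '.join(f['reasons'])}")
    print("investigate:", hosts_to_investigate(found))
```

The heuristics are deliberately loose: a random-looking path or a bare-IP Host header is a reason to pull the stream and check the URL against VirusTotal and URLhaus, as done above, not a verdict on its own.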
With this, we now identified our second infection. We now need to identify the affected user:

Filtering again for kerberos.CNameString, this time on the traffic of 172.16.0.131, shows that the affected user was tricia.becker.
Summary
In this analysis, we identified the following hosts and users that were infected by two different malware families:
- 172.16.0.149 - Username: nick.montgomery - Malware: Emotet
- 172.16.0.131 - Username: tricia.becker - Malware: XLoader
Unfortunately, it seems I missed one infected host when I compared my analysis to the provided answers.
The host that I missed only connected to malicious hosts via HTTPS, which makes it much more difficult to analyze, as there was no session key given to decrypt the traffic.
After thinking for a bit, one thing I could have done to identify the hosts in the TLS traffic is to get the list of destination IP addresses and then do a reverse DNS lookup on each of them. This could help identify which hosts are possibly malicious.
Unfortunately, it did not return anything helpful, possibly because the malicious IP addresses have no valid domain name (PTR record) associated with them.
I looked into other things that might help me identify suspicious behavior and stumbled upon the following:
- JA3 - TLS fingerprinting with Wireshark: I loaded the JA3 dissector, but the fingerprints in the PCAP file do not match any known list.
- Extracting certificates using NetworkMiner: the free version of NetworkMiner can extract the certificate presented in each TLS connection in the PCAP file. With this, I was able to identify some suspicious behavior, such as:
  - connections to multiple IP addresses that present a certificate for example.com
  - a connection to the suspicious host hxxps[://]dalgahavuzu[.]com/
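Both findings above come from the unencrypted part of a TLS session: the JA3 fingerprint is computed from the ClientHello, and the SNI in the same ClientHello is the name the client asked for, which is worth comparing against the subject of the certificate the server then sends (a cert for example.com on a connection to some unrelated IP is exactly the mismatch NetworkMiner surfaced). Wireshark exposes these as tls.handshake.ja3 and tls.handshake.extensions_server_name. As an added example that is not part of the original write-up, the pure-Python block below parses a ClientHello, builds the JA3 string (TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats, with RFC 8701 GREASE values dropped) and its MD5, and pulls out the SNI. The ClientHello is constructed by the block's own build_client_hello helper, which I wrote for this example; example.com as SNI and the cipher and group values are placeholders, not anything captured from the exercise.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

# RFC 8701 GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa); JA3 drops them from ciphers, extensions and groups.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}


def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(sni: str, ciphers: List[int], groups: List[int],
                       point_formats: List[int], extra_ext_types: List[int]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record. Demo helper written for this example, not captured traffic."""
    name = sni.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(name)) + name
    exts = _ext(0, struct.pack("!H", len(sni_list)) + sni_list)           # server_name
    g = b"".join(struct.pack("!H", x) for x in groups)
    exts += _ext(10, struct.pack("!H", len(g)) + g)                       # supported_groups
    exts += _ext(11, bytes([len(point_formats)]) + bytes(point_formats))  # ec_point_formats
    for t in extra_ext_types:                                             # empty-bodied extras
        exts += _ext(t, b"")
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"            # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"               # cipher suites, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                   # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs              # TLS record header


def parse_client_hello(record: bytes) -> Dict:
    """Extract the JA3-relevant fields and the SNI from a TLS record that carries a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs = record[5:]
    p = 4                                           # skip handshake type and 3-byte length
    version = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + 32                                     # version, then the 32-byte client random
    p += 1 + hs[p]                                  # session id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    ciphers = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                                  # compression methods
    info = {"version": version, "ciphers": ciphers, "extensions": [],
            "groups": [], "formats": [], "sni": None}
    if p + 2 > len(hs):
        return info                                 # no extensions block at all
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        data = hs[p:p + elen]
        p += elen
        info["extensions"].append(etype)
        if etype == 0 and len(data) >= 5:           # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == 10 and len(data) >= 2:        # supported_groups: list len(2), u16 ids
            n = struct.unpack("!H", data[:2])[0]
            info["groups"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == 11 and data:                  # ec_point_formats: len(1), u8 ids
            info["formats"] = list(data[1:1 + data[0]])
    return info


def ja3(info: Dict) -> Tuple[str, str]:
    """Return (JA3 string, JA3 MD5). GREASE is removed from ciphers, extensions and groups, not point formats."""
    def fmt(values: List[int], drop_grease: bool = True) -> str:
        return "-".join(str(v) for v in values if not (drop_grease and v in GREASE))
    s = ",".join([str(info["version"]), fmt(info["ciphers"]), fmt(info["extensions"]),
                  fmt(info["groups"]), fmt(info["formats"], drop_grease=False)])
    return s, hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed sample ClientHello: one GREASE cipher, one GREASE group and one GREASE extension mixed in.
SAMPLE_HELLO = build_client_hello(
    sni="example.com",
    ciphers=[0x0a0a, 0x1301, 0x1302, 0xc02b, 0xc02f],
    groups=[0x1a1a, 0x001d, 0x0017],
    point_formats=[0],
    extra_ext_types=[0x2a2a, 23, 35],   # GREASE, extended_master_secret, session_ticket
)

if __name__ == "__main__":
    parsed = parse_client_hello(SAMPLE_HELLO)
    ja3_str, ja3_md5 = ja3(parsed)
    print("SNI:", parsed["sni"])
    print("JA3:", ja3_str)
    print("MD5:", ja3_md5)
```

Two caveats when using this on a real capture: a JA3 hash that is absent from public lists proves nothing, since many Windows programs share the same TLS stack and therefore the same fingerprint, and a hash that is present can still be a false positive for the same reason. The SNI and the certificate subject are the stronger leads here, which is why the example.com certificates stood out.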

VirusTotal shows that hxxps[://]dalgahavuzu[.]com/ is malicious.
It also shows that the IP addresses presenting a certificate for example.com are malicious as well.
Hopefully, I will remember to also inspect TLS connections, even without the session keys, as the handshakes in a PCAP file still expose certificates, server names and fingerprints that give us enough information to analyze this traffic.