SUNNYSTATION

Malware Traffic Analysis Exercise

In this blog post I will explain how I solved the exercise called Sunnystation. You can find it on the Malware Traffic Analysis site, which provides very good material for practicing these skills.

Each exercise presents a scenario: information about the network, a description of the case for context, and samples, which in this case means a traffic capture. The challenge is to answer the series of questions provided by the author.

For this exercise we have the task of answering the following questions:

  1. What hosts/user account names are active on this network?

  2. What type of malware are they infected with?

For the first question there are several ways to obtain hostnames and user names. Most networks today use DHCP to assign IP addresses to endpoints; other protocols such as the NetBIOS Name Service (NBNS) expose related information, and in unencrypted traffic such as HTTP we may also see authentication exchanges. You can follow this tutorial.

NBNS Traffic.
DHCP Requests.

Because we have detected NBNS traffic, the machines are most likely Windows, so we can also look for SMB traffic in case a computer accesses a shared resource that requires authentication. With the filters applied above we have identified the active computers and obtained their IP addresses and hostnames, which helps us narrow the search to more specific traffic.

In this case we have used a filter for traffic from the host 172.16.0.131 involving port 445. We found an SMB2 packet called Session Setup Request, which the client sends to request a new session with a server.

User Account for Host 172.16.0.131

For the other two devices, applying the same filter, we find a packet called Tree Connect Request, which a client sends to request access to a share. With these findings we have the answer to the first question, shown in the table below.

User Account for Host 172.16.0.170
User Account for Host 172.16.0.149
IP            Hostname         User Account
172.16.0.131  DESKTOP-VD15107  tricia.becker
172.16.0.170  DESKTOP-W5TFTQY  everett.french
172.16.0.149  DESKTOP-KPQ9FDB  nick.montgomery
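As an added example (not code from the original write-up), the following script automates the inventory described above: it merges tshark field exports for DHCP hostnames, NBNS names and the NTLMSSP user names carried in the SMB2 Session Setup requests into one IP / hostname / user table. The Wireshark field names and tshark flags are assumed to be those of tshark 3.x, and the input lines used to exercise it are constructed.

```python
"""Host/user inventory from tshark field exports (DHCP, NBNS, SMB2/NTLMSSP).
Added example, not part of the original post; field names assumed from tshark 3.x."""
import re
import subprocess
import sys
from collections import defaultdict

# Tail of a `tshark -r <pcap> -T fields` command for each protocol the post uses.
TSHARK_JOBS = {
    "dhcp": ["-Y", "dhcp.option.hostname", "-e", "ip.src",
             "-e", "dhcp.option.requested_ip_address", "-e", "dhcp.option.hostname"],
    "nbns": ["-Y", "nbns.name", "-e", "ip.src", "-e", "nbns.name"],
    "smb":  ["-Y", "ntlmssp.auth.username", "-e", "ip.src",   # ip.src = SMB client
             "-e", "ntlmssp.auth.domain", "-e", "ntlmssp.auth.username"],
}
NBNS_NAME = re.compile(r"^(?P<name>.*?)<(?P<suffix>[0-9a-fA-F]{2})>$")

def run_tshark(pcap, job):
    """Return the tab-separated lines tshark prints for one job."""
    cmd = ["tshark", "-r", pcap, "-T", "fields", "-E", "separator=/t"] + TSHARK_JOBS[job]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.splitlines()

def fields(line, n):
    return (line.split("\t") + [""] * n)[:n]

def build_inventory(dhcp_lines, nbns_lines, smb_lines):
    """Merge the exports into {ip: {"hostname": set(), "user": set()}}."""
    inv = defaultdict(lambda: {"hostname": set(), "user": set()})
    for line in dhcp_lines:
        src, requested, host = fields(line, 3)
        # Unleased clients send DHCP Request from 0.0.0.0; option 50 names the address they want.
        ip = requested if src == "0.0.0.0" else src
        if ip and host:
            inv[ip]["hostname"].add(host)
    for line in nbns_lines:
        src, names = fields(line, 2)
        for m in filter(None, map(NBNS_NAME.match, names.split(","))):
            # <00>/<20> are workstation/file-server names; <1b>/<1d>/<1e> are workgroup/browser names.
            if m.group("suffix").lower() in ("00", "20") and src != "0.0.0.0":
                inv[src]["hostname"].add(m.group("name").strip())
    for line in smb_lines:
        src, domain, user = fields(line, 3)
        if user:  # an empty username is an anonymous/NULL session, not an account
            inv[src]["user"].add(f"{domain}\\{user}" if domain else user)
    return dict(inv)

if __name__ == "__main__":
    for ip, info in sorted(build_inventory(*(run_tshark(sys.argv[1], j) for j in TSHARK_JOBS)).items()):
        print(ip, ",".join(sorted(info["hostname"])) or "?", ",".join(sorted(info["user"])) or "?")
```

Run it as `python3 inventory.py capture.pcap`; hosts that only show up in one export are still listed, with `?` in the columns that could not be filled.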

For the second and last question we will investigate the traffic host by host to detect suspicious activity.

Host - 172.16.0.131:DESKTOP-VD15107

When investigating HTTP traffic from this computer we detected connections to several different sites that followed the same pattern: a request for a Base64-encoded resource under the uar3 path. Researching these indicators showed that they are associated with the loader XLoader, formerly known as FormBook.

Host - 172.16.0.170:DESKTOP-W5TFTQY

When I started to check the HTTP traffic I noticed that the content was obfuscated, as you can see in the part underlined in yellow. Investigating the domain, I found reports associating it with Dridex and Emotet C2 servers. This type of malware is known to use HTTPS for the initial phase, so I reviewed that traffic as well. Later I found the domain dalgahavuzu.com, which turned out to be associated with Emotet and was used to download a DLL, likely the first stage of the infection. In conclusion, as the packet timestamps show, the DLL was downloaded first and the obfuscated C2 traffic followed.

Emotet C2 Traffic.
Download DLL associated with Emotet.

Host - 172.16.0.149:DESKTOP-KPQ9FDB

For this host the infection was a little easier to identify. Reviewing the HTTP traffic, I detected the download of a DLL: as you can see, there was first a GET request and then a response with status code 200, so we can conclude that the download was successful. Investigating the domain, I found a report associating both the domain and the downloaded DLL with Emotet. The traffic shows the same behaviour as the previous host: a DLL download followed by the obfuscated C2 traffic.

The evidence gathered is sufficient to conclude that these hosts are infected and to proceed with their remediation. The table below summarizes each host and the malware it is infected with, which answers the second question.

172.16.0.131 - XLoader
172.16.0.170 - Emotet
172.16.0.149 - Emotet

Finally I would like to thank Brad for the effort in sharing material for the community.

I hope you enjoy it, and feel free to get in touch with me if you have any questions or suggestions.
