SUNNYSTATION
Malware Traffic Analysis Exercise
In this blog I will explain how I solved the exercise called . You can find it on the site , which provides very good material for practising this kind of skill.
Each exercise presents a scenario in which we are given information about the network, a description of the case for context, and samples (in this case a traffic capture); the challenge is to answer a series of questions that the author provides.
For this exercise we have the task of answering the following questions:
What hosts/user account names are active on this network?
What type of malware are they infected with?
For the first question there are several methods of obtaining hostnames and users. Most networks today use DHCP to assign IP addresses to endpoints, there are protocols that provide related information such as the NetBIOS Name Service (NBNS), and in unencrypted traffic such as HTTP we may see authentication-related exchanges, etc. You can follow this .
Because we detect NBNS traffic, and the hosts are therefore most likely Windows machines, we can also look for SMB traffic, which appears whenever a computer needs to access a resource that requires authentication. With the filters applied above we have detected the active computers and obtained information such as IP address and hostname, which helps us search for more specific traffic.
For the second and last question we will investigate the traffic host by host to detect suspicious activity.
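The hostname discovery described above relies on NBNS name registrations, which carry the NetBIOS name in the first-level encoding of RFC 1001 (each byte of the 16-byte name is split into two nibbles mapped to the letters A to P). The following decoder is an added example written for this post, not code from the exercise or its author; the packets it parses are constructed in the block itself (the builder function and the transaction id 0x1234 are assumptions, while the hostnames and IP addresses are the ones the post identifies).

```python
"""NBNS (UDP/137) name registration decoder for building a host inventory.
Added example; all packets are constructed in this file, not taken from a pcap."""
import socket
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

NB_TYPE = 0x0020           # NetBIOS general name service resource record type
OPCODE_REGISTRATION = 5    # NBNS opcode for a name registration request
WORKSTATION_SUFFIX = 0x00  # 16th byte of a NetBIOS name: workstation service


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding: pad to 15 bytes, append the suffix byte, then map
    each nibble to 'A'..'P'. Returns one 32-byte label plus the 0x00 terminator."""
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(ord("A") + (b >> 4))
        encoded.append(ord("A") + (b & 0x0F))
    return bytes([32]) + bytes(encoded) + b"\x00"


def decode_netbios_name(label: bytes) -> tuple[str, int]:
    """Inverse of encode_netbios_name: 32 encoded bytes -> (hostname, suffix)."""
    if len(label) != 32:
        raise ValueError("NetBIOS label must be exactly 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = label[i] - ord("A"), label[i + 1] - ord("A")
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("label is not first-level encoded")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


@dataclass
class NbnsRecord:
    opcode: int
    is_response: bool
    name: str
    suffix: int
    ip: Optional[str]   # taken from the NB record in the additional section, if any
    group: bool         # G bit of the NB flags: group name rather than unique name


def _skip_name(payload: bytes, off: int) -> int:
    """Return the offset just past a DNS-style name (labels or a 0xC0 pointer)."""
    while True:
        length = payload[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_nbns(payload: bytes) -> NbnsRecord:
    """Parse the UDP payload of an NBNS packet (header, one question, optional NB RR)."""
    if len(payload) < 12:
        raise ValueError("truncated NBNS header")
    _, flags, qdcount, _, _, arcount = struct.unpack(">HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    is_response = bool(flags & 0x8000)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off = 12
    if payload[off] != 32:
        raise ValueError("first label is not a 32-byte NetBIOS name")
    name, suffix = decode_netbios_name(payload[off + 1:off + 33])
    off = _skip_name(payload, off) + 4          # rest of name, then QTYPE and QCLASS
    ip, group = None, False
    if arcount:                                 # registration requests carry an NB RR here
        off = _skip_name(payload, off)
        rtype, _, _, rdlength = struct.unpack(">HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlength]
        if rtype == NB_TYPE and len(rdata) >= 6:
            nb_flags = struct.unpack(">H", rdata[:2])[0]
            group = bool(nb_flags & 0x8000)
            ip = socket.inet_ntoa(rdata[2:6])
    return NbnsRecord(opcode, is_response, name, suffix, ip, group)


def build_registration_request(name: str, suffix: int, ip: str, txid: int = 0x1234) -> bytes:
    """Construct a broadcast name registration request (assumed layout, for the sample only)."""
    flags = (OPCODE_REGISTRATION << 11) | 0x0110   # recursion desired + broadcast
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_netbios_name(name, suffix) + struct.pack(">HH", NB_TYPE, 1)
    additional = (b"\xc0\x0c" + struct.pack(">HHIH", NB_TYPE, 1, 300000, 6)
                  + struct.pack(">H", 0x0000) + socket.inet_aton(ip))
    return header + question + additional


def hosts_from_nbns(payloads: Iterable[bytes]) -> dict[str, str]:
    """Map IP -> hostname using unique workstation-name registration requests only."""
    hosts: dict[str, str] = {}
    for payload in payloads:
        try:
            rec = parse_nbns(payload)
        except ValueError:
            continue
        if (rec.opcode == OPCODE_REGISTRATION and not rec.is_response
                and rec.suffix == WORKSTATION_SUFFIX and not rec.group and rec.ip):
            hosts[rec.ip] = rec.name
    return hosts


# Constructed sample: the three hosts named in this post plus a workgroup name (suffix 0x1E).
SAMPLE_PACKETS = [
    build_registration_request("DESKTOP-VD15107", 0x00, "172.16.0.131"),
    build_registration_request("DESKTOP-W5TFTQY", 0x00, "172.16.0.170"),
    build_registration_request("DESKTOP-KPQ9FDB", 0x00, "172.16.0.149"),
    build_registration_request("WORKGROUP", 0x1E, "172.16.0.131"),
]

if __name__ == "__main__":
    for ip, name in sorted(hosts_from_nbns(SAMPLE_PACKETS).items()):
        print(f"{ip:15} {name}")
```

In a real capture you would feed `hosts_from_nbns` the UDP payloads of every packet on port 137; restricting the inventory to unique workstation names (suffix 0x00, G bit clear) keeps domain and workgroup group names out of the host list.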
Host - 172.16.0.131: DESKTOP-VD15107
Host - 172.16.0.170: DESKTOP-W5TFTQY
Host - 172.16.0.149: DESKTOP-KPQ9FDB
The evidence gathered is sufficient to conclude that there is an infection and to proceed with the remediation of the hosts. The table below summarizes each host and the malware it is infected with, which is the answer to the second question.
I hope you enjoyed it, and feel free to get in touch with me if you have any questions or suggestions.
In this case we used a filter for traffic from the 172.16.0.131 machine involving port 445. We detected an SMB2 packet called , which the client sends to request a new session with a server.
For the last two devices, applying the same filter as before, we find a packet called , which a client sends to request access to a share. With the above findings we have the answer to the first question in the table below.
When investigating the HTTP traffic from this computer we detected connections to different sites, all with the same pattern: a request for a base64-encoded resource under the uar3 path. When we reviewed the available information about them we found that they are related to the loader called , formerly known as .
When I started to check the HTTP traffic I noticed that the content was somewhat obfuscated, as you can see in the yellow underlined part. When I investigated the domain I found reports associating it with a C2 of and . This type of malware is known to usually use HTTPS for the initial phase, so I proceeded to review that traffic. Later we found the domain dalgahavuzu.com, which upon investigation we found was associated with Emotet and was used to download a DLL, which could be the first stage of the infection. In conclusion, as the packet timestamps show, the DLL was downloaded first and the obfuscated C2 traffic followed.
This one was a little easier to identify. When reviewing the HTTP traffic I detected the download of a DLL: as you can see there was first a GET and then a response with status code 200, so we can conclude that the download succeeded. When investigating the domain I found a report that associates the domain and the downloaded DLL with Emotet. The traffic shows the same behaviour as the previous host: a DLL download followed by the obfuscated C2 traffic.
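The two HTTP indicators used above, repeated GET requests for a base64-encoded resource under one path (the uar3 pattern) and a GET answered with a 200 that delivers a DLL, can be turned into simple detection logic over request/response pairs pulled from a capture. The block below is an added example written for this post, not code from the exercise; the `HttpExchange` records, the source IPs 10.0.0.x, the host `example.invalid` and the path `/PLACEHOLDER/loader.dll` are all constructed, and the base64 check treats the path prefix as a parameter so the same logic covers other beacon paths.

```python
"""Flag HTTP exchanges matching the two patterns seen in this post:
(1) GET of a base64-encoded resource under a fixed path, (2) a PE/DLL served with HTTP 200.
Added example; all exchanges below are constructed samples."""
import base64
import re
from dataclasses import dataclass
from typing import Iterable, Optional

_B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")   # standard alphabet, 16+ chars


@dataclass
class HttpExchange:
    """One request/response pair as you would extract it from a pcap (constructed here)."""
    src_ip: str
    host: str
    method: str
    path: str
    status: Optional[int] = None
    content_type: str = ""
    body_prefix: bytes = b""


def decode_if_base64(segment: str) -> Optional[bytes]:
    """Return the decoded bytes if segment is well-formed base64 (padding optional), else None."""
    padded = segment + "=" * (-len(segment) % 4)
    if not _B64_RE.match(padded):
        return None
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None


def flag_exchanges(exchanges: Iterable[HttpExchange],
                   beacon_prefix: str = "/uar3/") -> list[tuple[str, HttpExchange]]:
    """Return (reason, exchange) pairs for exchanges matching either pattern."""
    findings = []
    for ex in exchanges:
        # Pattern 1: GET whose last path segment under beacon_prefix is base64.
        if ex.method == "GET" and ex.path.startswith(beacon_prefix):
            last = ex.path.rstrip("/").rsplit("/", 1)[-1]
            if decode_if_base64(last) is not None:
                findings.append((f"base64 resource under {beacon_prefix}", ex))
        # Pattern 2: successful response carrying a Windows executable (DLL/EXE).
        is_pe = (ex.content_type.lower().startswith("application/x-msdownload")
                 or ex.body_prefix.startswith(b"MZ"))
        if ex.status == 200 and is_pe:
            findings.append(("executable (PE) served with HTTP 200", ex))
    return findings


def summarize_by_host(exchanges: Iterable[HttpExchange]) -> dict[str, set[str]]:
    """Group finding reasons by source IP, the per-host view used to answer question two."""
    summary: dict[str, set[str]] = {}
    for reason, ex in flag_exchanges(exchanges):
        summary.setdefault(ex.src_ip, set()).add(reason)
    return summary


# Constructed samples: one beacon-style request, one DLL download, two benign exchanges.
SAMPLE_EXCHANGES = [
    HttpExchange("10.0.0.11", "example.invalid", "GET",
                 "/uar3/" + base64.b64encode(b"constructed-id=1").decode(),
                 200, "text/html", b"<html>"),
    HttpExchange("10.0.0.12", "dalgahavuzu.com", "GET", "/PLACEHOLDER/loader.dll",
                 200, "application/x-msdownload", b"MZ\x90\x00"),
    HttpExchange("10.0.0.13", "www.example.invalid", "GET", "/index.html",
                 200, "text/html", b"<!doctype"),
    HttpExchange("10.0.0.13", "example.invalid", "GET", "/uar3/notbase64!",
                 404, "text/html", b""),
]

if __name__ == "__main__":
    for ip, reasons in sorted(summarize_by_host(SAMPLE_EXCHANGES).items()):
        print(ip, ", ".join(sorted(reasons)))
```

The base64 test alone is a weak signal (any long run of letters decodes), which is why it is only applied under the configured path prefix; the `MZ` check on the body, on the other hand, catches executables served with a misleading Content-Type, which a plain extension filter would miss.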
Finally, I would like to thank for the effort of sharing material with the community.