Malware Traffic Analysis 2
- wadas24
- Aug 8, 2021
- 4 min read
This is independent research and does not reflect my employer
Overview
The purpose of this document is to perform a deep packet analysis of network traffic from a host that was compromised by malware delivered through an exploit kit.
Evidence (Chain of Custody)
Filename: mta2.pcap
Filehash: 546b26789a5539ec62b3ed449aabd917
Date Acquired: Fri 06 Aug 2021 10:47:32 AM UTC
Technical Summary
During this analysis, we are able to see that this user had come across a compromised website (hijinksensue.com). The compromised website has reached out to its C2 server (g.trinketking.com & h.trinketking.com) to deliver the exploit kit “Sweet Orange.” We are also able to determine that there was suspicious behavior coming from an additional domain (static.charlotteretirementcommunities.com). With the three domains found and the exploit kit hash discovered, I would recommend a full sweep of proxy logs and a hash search to see if any other host may have been compromised. I would also remove this host from the network, reset all users' passwords, and look to see if any other users have been recently added. I would check for any new processes added to this host in an attempt to gain persistence. Lastly, I would make sure to apply appropriate patches and update patching policies.
IOCs
Domain: hijinksensue.com
Domain: g.trinketking.com
Domain: h.trinketking.com
Domain: static.charlotteretirementcommunities.com
Hash: 1408275c2e2c8fe5e83227ba371ac6b3 (md5)
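The proxy-log sweep recommended in the technical summary, as an added example that is not part of the original write-up. The IOC domains and the payload hash are the ones listed above; the log format, the client IPs and the request paths are constructed for illustration. The matcher checks the dot boundary so that a look-alike host such as h.trinketking.com.example.net is not reported as a hit.

```python
# Added example (not part of the original write-up): sweep proxy logs for the IOCs above.
# The log format and the client IPs are constructed; only the domains and hash are from the page.
import re
from collections import defaultdict
from urllib.parse import urlsplit

IOC_DOMAINS = {
    "hijinksensue.com",
    "g.trinketking.com",
    "h.trinketking.com",
    "static.charlotteretirementcommunities.com",
}
IOC_HASHES = {"1408275c2e2c8fe5e83227ba371ac6b3"}  # md5 of the extracted PE payload

# Constructed sample proxy log: timestamp, client, method, URL, status, md5 of the response body or "-"
SAMPLE_LOG = """\
2021-08-06T10:01:02Z 10.0.0.5 GET http://www.example.org/index.html 200 -
2021-08-06T10:02:15Z 10.0.0.17 GET http://hijinksensue.com/ 200 -
2021-08-06T10:02:16Z 10.0.0.17 GET http://static.charlotteretirementcommunities.com/k?tstmp=3701802802 302 -
2021-08-06T10:02:17Z 10.0.0.17 GET http://g.trinketking.com:51439/landing-placeholder 200 -
2021-08-06T10:02:19Z 10.0.0.17 GET http://h.trinketking.com:51439/payload-placeholder 200 1408275c2e2c8fe5e83227ba371ac6b3
2021-08-06T10:03:40Z 10.0.0.9 GET http://h.trinketking.com.example.net/ 200 -
2021-08-06T10:04:00Z 10.0.0.22 GET http://h.trinketking.com:51439/payload-placeholder 200 1408275c2e2c8fe5e83227ba371ac6b3
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def host_matches(host, ioc_domains=IOC_DOMAINS):
    """Return the IOC domain that `host` is, or is a subdomain of; None otherwise.

    The dot boundary matters: "h.trinketking.com.example.net" must not match."""
    host = host.lower().rstrip(".")
    for domain in ioc_domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def sweep(log_text, ioc_domains=IOC_DOMAINS, ioc_hashes=IOC_HASHES):
    """Map each client IP to the set of ("domain", d) / ("hash", h) IOCs it touched."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        _ts, client, _method, url, _status, digest = m.groups()
        domain = host_matches(urlsplit(url).hostname or "", ioc_domains)
        if domain:
            hits[client].add(("domain", domain))
        if digest.lower() in ioc_hashes:
            hits[client].add(("hash", digest.lower()))
    return dict(hits)


if __name__ == "__main__":
    for client, iocs in sorted(sweep(SAMPLE_LOG).items()):
        print(client, "->", ", ".join(f"{kind}:{value}" for kind, value in sorted(iocs)))
```

On the constructed log, 10.0.0.17 is the analysed host (all four domains plus the payload hash) and 10.0.0.22 shows up as a second host that fetched the same payload, which is exactly the case the hash search is meant to surface; 10.0.0.9 is not reported because its host only looks like an IOC domain.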
Analysis
What is the IP address of the Windows VM that gets infected?
172.16.165.132
The .pcap file can be opened in Wireshark. Statistics > Endpoints lists every IP address seen in the capture; the top talker is the host from which these packets were captured.
What is the MAC address of the infected VM?
00:0c:29:c5:b7:a1
Filtering on the compromised IP using the Berkeley Packet Filter (BPF) “ip.addr==172.16.165.132” shows every packet that involves our host. Looking through the results, we can find the MAC address of our host in the Ethernet header.
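The two steps above (endpoint statistics, then the MAC behind the top-talking IP) reproduced in code, as an added example that is not part of the original write-up. It parses the classic libpcap format with the standard library only; the capture it runs on is constructed in memory, using the host IP and MAC from this write-up and a placeholder gateway MAC.

```python
# Added example (not part of the original write-up): a minimal classic-pcap parser that
# reproduces the Statistics > Endpoints view and reads the MAC address behind an IP.
# The capture is constructed in memory; the host IP/MAC are from the write-up,
# the gateway MAC and the payloads are placeholders.
import struct
from collections import Counter


def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Ethernet II + IPv4 header (no options) + payload; checksum left zero (not verified here)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, 6, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip_hdr + payload


def build_pcap(frames, first_ts=0):
    """Classic libpcap file: 24-byte global header (LINKTYPE_ETHERNET) then per-record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)) + frame
    return out


HOST_IP, HOST_MAC = "172.16.165.132", "00:0c:29:c5:b7:a1"  # from the write-up
GW_MAC = "00:50:56:aa:bb:cc"                               # constructed gateway MAC
SAMPLE_PCAP = build_pcap([
    build_frame(HOST_MAC, GW_MAC, HOST_IP, "192.30.138.146", b"GET / HTTP/1.1\r\n"),
    build_frame(GW_MAC, HOST_MAC, "192.30.138.146", HOST_IP, b"HTTP/1.1 200 OK\r\n"),
    build_frame(HOST_MAC, GW_MAC, HOST_IP, "50.87.149.90", b"GET /k HTTP/1.1\r\n"),
    build_frame(HOST_MAC, GW_MAC, HOST_IP, "37.143.15.180", b"GET /landing HTTP/1.1\r\n"),
    build_frame(GW_MAC, HOST_MAC, "37.143.15.180", HOST_IP, b"HTTP/1.1 200 OK\r\n"),
])


def parse_pcap(data):
    """Yield (src_mac, dst_mac, src_ip, dst_ip) for every IPv4-over-Ethernet record."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # ARP, IPv6 or truncated frames are not counted here
        yield fmt_mac(frame[6:12]), fmt_mac(frame[0:6]), fmt_ip(frame[26:30]), fmt_ip(frame[30:34])


def endpoint_stats(data):
    """Packets per IP endpoint, plus the MAC that appeared with each IP on the wire."""
    packets, macs = Counter(), {}
    for src_mac, dst_mac, src_ip, dst_ip in parse_pcap(data):
        packets[src_ip] += 1
        packets[dst_ip] += 1
        macs.setdefault(src_ip, src_mac)
        macs.setdefault(dst_ip, dst_mac)
    return packets, macs


def top_talker(data):
    """(ip, mac) of the busiest endpoint: on a single-host capture, the host itself."""
    packets, macs = endpoint_stats(data)
    ip, _count = packets.most_common(1)[0]
    return ip, macs[ip]


if __name__ == "__main__":
    packets, macs = endpoint_stats(SAMPLE_PCAP)
    for ip, count in packets.most_common():
        print(f"{ip:16} packets={count}  mac={macs[ip]}")
```

One caveat the output makes visible: the MAC recorded for every remote IP is the gateway's, because Ethernet addresses only identify hosts on the local segment. The MAC answer is therefore only meaningful for the capturing host (or other hosts on its LAN), not for the web servers it talked to.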
What are the IP address and port number that delivered the exploit kit and malware? (Note: answered number 5 first)
37.143.15.180:51439
To begin this analysis I started by looking at all of the DNS requests to see where this host was attempting to go. I did see several requests that “looked suspicious” but was unable to directly correlate them, so I moved on to question 5.
Now that I have a compromised website, I can begin to pivot to see if this website led to any other suspicious activity. Looking at all HTTP traffic from our compromised host, I can see three (3) suspicious HTTP requests with a destination port of 51439, which also show an http.referer of hijinksensue.com.
What are the two FQDNs that delivered the exploit kit? (comma-separated, in alphabetical order)
g.trinketking.com,h.trinketking.com
From the answer to question 3, I can display the http.host names and view both of these FQDNs.
What is the IP address of the compromised web site?
192.30.138.146
For this question I began by filtering to look at all HTTP traffic. I am then able to again use the Statistics feature to find the top talker. Using this feature led me to the IP and domain hijinksensue.com.
What is the FQDN of the compromised website?
hijinksensue.com
Using the findings from question 5, I am able to find the FQDN for the compromised website.
What is the name of the exploit kit (EK) that delivered the malware? (two words)
Sweet orange
Using the MD5 of the entire packet capture, you can view any alerts associated with this file in VirusTotal. For this packet capture VirusTotal alerted on a possible “Sweet Orange” exploit kit.
What is the redirect URL that points to the exploit kit landing page?
static.charlotteretirementcommunities.com/k?tstmp=3701802802
To find the URL that led to the exploit kit landing page, I needed to identify the first DNS attempt to resolve g.trinketking.com. Once I found this first attempt, I could look at the traffic just prior to it to discover what led to the landing page.
What is the IP address of the redirect URL that points to the exploit kit landing page?
50.87.149.90
This IP address is the one the redirect domain from question 8 resolved to.
Extract the malware payload (PE file) from the PCAP. What is the MD5 hash?
1408275c2e2c8fe5e83227ba371ac6b3
Knowing that the file came from 37.143.15.180:51439, I can extract the application/octet-stream object served by h.trinketking.com. Once I have the file, I can use the md5sum command to get this value.
What is the CVE of the exploited vulnerability?
CVE-2014-6332
By performing Google searches on the Sweet Orange exploit kit I was able to find several CVEs that were used with this kit. https://www.recordedfuture.com/tracking-exploit-kits/
What is the mime-type of the file that took the longest time (duration) to be analyzed using Zeek?
application/x-dosexec
To perform this task I did not use Zeek as I do not have this program. I took the largest file, which is also the file we used for question 10, the malware payload. I then used a MIME file type checker. Once this file was examined it returned the correct answer.
What was the referrer for the visited URI that returned the file "f.txt"?
hxxp://hijinksensue.com/assets/verts/hiveworks/ad1.html
Using Edit > Find Packet in Wireshark, I searched for f.txt and it brought me to the packets containing this filename.
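The pivots used in questions 3, 8 and 13 (following http.referer back from a request, and looking at the request immediately before the first contact with the landing page) in code, as an added example that is not part of the original write-up. The request heads below are constructed in the form Wireshark's Follow TCP Stream shows them; the host names, the ad1.html path and the /k?tstmp=3701802802 path are from this write-up, while every other path and the host that served f.txt are placeholders.

```python
# Added example (not part of the original write-up): rebuild a redirect chain from HTTP
# request heads. Hosts and two paths are from the write-up; other paths and the host
# serving f.txt are constructed placeholders.
from urllib.parse import urlsplit

SAMPLE_REQUESTS = [  # constructed, in capture order
    "GET / HTTP/1.1\r\nHost: hijinksensue.com\r\n\r\n",
    "GET /assets/verts/hiveworks/ad1.html HTTP/1.1\r\nHost: hijinksensue.com\r\n"
    "Referer: http://hijinksensue.com/\r\n\r\n",
    "GET /f.txt HTTP/1.1\r\nHost: ads.example.net\r\n"
    "Referer: http://hijinksensue.com/assets/verts/hiveworks/ad1.html\r\n\r\n",
    "GET /k?tstmp=3701802802 HTTP/1.1\r\nHost: static.charlotteretirementcommunities.com\r\n"
    "Referer: http://hijinksensue.com/assets/verts/hiveworks/ad1.html\r\n\r\n",
    "GET /landing-placeholder HTTP/1.1\r\nHost: g.trinketking.com:51439\r\n"
    "Referer: http://hijinksensue.com/\r\n\r\n",
    "GET /payload-placeholder HTTP/1.1\r\nHost: h.trinketking.com:51439\r\n"
    "Referer: http://hijinksensue.com/\r\n\r\n",
]


def parse_request(raw):
    """One HTTP request head -> {'method', 'host', 'url', 'referer'} (referer may be None)."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    return {"method": method, "host": host, "url": f"http://{host}{path}",
            "referer": headers.get("referer")}


def referer_chain(requests, target_url):
    """Follow Referer headers backwards from target_url; returns the chain oldest-first.

    Stops at a request without Referer, at a URL not seen in the capture, or on a loop."""
    by_url = {r["url"]: r for r in requests}
    chain, seen = [target_url], {target_url}
    current = by_url.get(target_url)
    while current and current["referer"] and current["referer"] not in seen:
        chain.append(current["referer"])
        seen.add(current["referer"])
        current = by_url.get(current["referer"])
    return chain[::-1]


def requests_before_first(requests, host, n=1):
    """The n requests immediately preceding the first request to `host` (port ignored)."""
    for i, r in enumerate(requests):
        if r["host"].split(":")[0].lower() == host.lower():
            return requests[max(0, i - n):i]
    return []


def referer_of(requests, filename):
    """Referer values of every request whose URI path ends with /<filename>."""
    return [r["referer"] for r in requests
            if urlsplit(r["url"]).path.endswith("/" + filename)]


if __name__ == "__main__":
    reqs = [parse_request(r) for r in SAMPLE_REQUESTS]
    print("f.txt referer:", referer_of(reqs, "f.txt"))
    print("chain to landing page:", referer_chain(reqs, "http://g.trinketking.com:51439/landing-placeholder"))
    print("request just before first g.trinketking.com contact:",
          [r["url"] for r in requests_before_first(reqs, "g.trinketking.com")])
```

Running it shows why the write-up needed both pivots: the Referer chain from the landing page goes straight back to hijinksensue.com and never mentions the redirect host, whereas the time-ordered look at the request just before the first g.trinketking.com contact surfaces the /k?tstmp=3701802802 URL. Referer is set by the browser and is routinely absent or stripped, so the time-ordered view is the one to trust when the two disagree.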
When was this PCAP captured?
23/11/2014
The date and time of the capture are shown by changing the time display preferences in Wireshark.
When was the PE file compiled?
21/11/2014
With the md5sum value for the PE grabbed in question 10, I can submit the hash to VirusTotal, where it was detected as malicious. The creation time is found in the Details section.
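Questions 10, 12 and 15 in one offline pass, as an added example that is not part of the original write-up: strip the HTTP response headers from the application/octet-stream object, identify the file by its magic bytes the way Zeek's file analysis does (rather than trusting Content-Type), hash it, and read the compile timestamp from the PE header instead of looking it up on VirusTotal. The HTTP response and the PE inside it are constructed, so the MD5 produced here differs from the page's 1408275c2e2c8fe5e83227ba371ac6b3; the constructed PE is stamped with 21 November 2014, the date the write-up reports.

```python
# Added example (not part of the original write-up): carve an HTTP response body, sniff its
# type by magic bytes, hash it and read the COFF TimeDateStamp. Response and PE are constructed.
import hashlib
import struct
from datetime import datetime, timezone


def build_sample_pe(timestamp):
    """Constructed minimal PE image: DOS header with e_lfanew, 'PE\\0\\0' signature, COFF header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    # COFF: Machine, NumberOfSections, TimeDateStamp, PtrToSymbolTable, NumberOfSymbols,
    #       SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed: the write-up gives only the compile date (21/11/2014), so noon UTC is assumed.
COMPILE_TS = int(datetime(2014, 11, 21, 12, 0, tzinfo=timezone.utc).timestamp())
SAMPLE_PE = build_sample_pe(COMPILE_TS)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: %d\r\n"
    b"\r\n" % len(SAMPLE_PE)
) + SAMPLE_PE

# Magic-byte table; Zeek reports a Windows executable as application/x-dosexec.
MAGIC = [
    (b"MZ", "application/x-dosexec"),
    (b"\x7fELF", "application/x-executable"),
    (b"%PDF", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"\x89PNG", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
]


def http_body(response):
    """Split a raw HTTP response into (headers, body), honouring Content-Length when present."""
    head, _sep, body = response.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _colon, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return headers, body


def sniff_mime(data):
    """Type by content, not by the server's Content-Type header."""
    for signature, mime in MAGIC:
        if data.startswith(signature):
            return mime
    return "application/octet-stream"


def pe_timestamp(data):
    """COFF TimeDateStamp as an aware UTC datetime, or None if `data` is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 12:
        return None
    ts, = struct.unpack_from("<I", data, e_lfanew + 8)  # after signature(4)+Machine(2)+Sections(2)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def analyze_response(response):
    headers, body = http_body(response)
    return {
        "declared_type": headers.get("content-type"),
        "sniffed_type": sniff_mime(body),
        "md5": hashlib.md5(body).hexdigest(),
        "compiled": pe_timestamp(body),
    }


if __name__ == "__main__":
    for key, value in analyze_response(SAMPLE_RESPONSE).items():
        print(f"{key:14} {value}")
```

The declared type (application/octet-stream) and the sniffed type (application/x-dosexec) disagree, which is the normal case for payload downloads and the reason Zeek keys its file records on content. The compile timestamp is written by the linker and is trivially forged, so treat it as a pivot for hunting related samples, not as proof of when the file was built.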
What is the name of the SSL certificate issuer that appeared only once? (one word)
CyberTrust
Using the BPF “x509sat.printableString” we can view the printable strings from all SSL certificates in the capture. The issuer that appears only once is the answer.