
Wireshark: Malware Traffic Analysis #1

  • darksymphonie
  • Dec 20, 2021
  • 5 min read

Welcome to episode #1 of my weekly series "Wireshark: Malware Traffic Analysis". This is great practice for anyone who wants to gain hands-on experience with Wireshark. All credit goes to @Malware_traffic on Twitter. He is the owner of this site, where he uploads PCAP files for you to solve, as well as technical blog posts to assist you.


Without further ado, let's get started!



So, before we begin any research, we must first see what is provided to us. That is a major key when doing CTFs, labs, or any similar exercise: what is given, and how can we use it? From now on, I'm going to refer to Malware_traffic, the owner of the site, as MT for short. MT gives us the scenario and the task to complete for this exercise. From what is given to us, we see that the subnet range is 172.16.1.0-255, as well as the domain, which is dualrunning.net. So now let's get Wireshark fired up and solve this exercise.


Be advised that you use this website at your own risk! Be smart and use a sandbox environment when examining any sort of malware! It could lead to loss or damage.


Scenario :

LAN segment data:


  • LAN segment range: 172.16.1.0/24 (172.16.1.0 through 172.16.1.255)

  • Domain: dualrunning.net

  • Domain controller: 172.16.1.2 - Dualrunning-DC

  • LAN segment gateway: 172.16.1.1

  • LAN segment broadcast address: 172.16.1.255

TASK :

  • Write an incident report based on the pcap and the alerts.

  • The incident report should contain 3 sections:

  • Executive Summary: State in simple, direct terms what happened (when, who, what).

  • Details: Details of the victim (hostname, IP address, MAC address, Windows user account name).

  • Indicators of Compromise (IOCs): IP addresses, domains and URLs associated with the infection. SHA256 hashes if any malware binaries can be extracted from the pcap.


Wireshark :

Make sure to follow the instructions on the site when downloading the zip files. Now that you have opened the pcap file, it should look something like this.



Now that we have Wireshark open, let's find out which IP address is generating the most traffic. To do that, go to the top menu and open Statistics > IPv4 Statistics > All Addresses. You should see this now.


Now we see that IP address 172.16.1.239 has the highest packet count, which is a good indicator that we should investigate that IP address. So let's do that now. Close the statistics window that opened and head over to the display filter bar. But before we start filtering, we have to refer to the task that MT has given us.

  • Executive Summary: State in simple, direct terms what happened (when, who, what).

  • Details: Details of the victim (hostname, IP address, MAC address, Windows user account name).

  • Indicators of Compromise (IOCs): IP addresses, domains and URLs associated with the infection. SHA256 hashes if any malware binaries can be extracted from the pcap.

In order to complete the Executive Summary we have to complete the Details and IOC tasks first. I start by searching for the desktop name and MAC address of the PC.


Desktop Name + MAC Address

ip.addr==172.16.1.239 && nbns or ip.src==172.16.1.239 && nbns

A few results are now shown. Notice that we can see a desktop name associated with that IP. It should be "DESKTOP-F3P7XLU".

This filter shows the MAC address as well, but it's not as simple: click on the first frame and, in the packet details at the bottom of Wireshark, expand Ethernet II. You should now see
 Source: ASUSTekC_10:05:25 (00:13:d4:10:05:25) <---- This is the MAC address

Windows user account name + Windows OS :

We are almost done finding out all the details about our victim. This is what we have so far:


Details of the victim:

IP: 172.16.1.239

Desktop Name: DESKTOP-F3P7XLU

MAC: 00:13:d4:10:05:25

Windows User : ???

Windows Version: ???


Another thing to understand is that we are investigating a Windows Server domain. In a Windows domain, Kerberos is the authentication protocol used to verify the identity of a user or host. We can use kerberos as a filter in our Wireshark search.

ip.src==172.16.1.239 && kerberos.CNameString


With that filter applied, follow this path in the packet details to find the username:
Kerberos > as-req > req-body > cname > cnamestring

Now let's find the victim's operating system; then we have all the information we need to write a summary report.

This is not as complex as the others. Use:
ip.src==172.16.1.239 && http

Right-click the first frame and choose Follow > TCP Stream. Locate the "User-Agent" header; it should look something like this.

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.67

Boom. We got the last piece we need: (Windows NT 10.0; Win64; x64).
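Added example (not from the original post): the script below applies the same four lookups to constructed tshark field exports, one per filter used above, and assembles the Details section from them. The tshark command in the comment, the export layout and the user name "sample.user" are assumptions, since the post leaves the real user for you to find.

```python
import re

# Constructed tshark field exports (not from the exercise pcap), one per filter used
# above, e.g. tshark -r x.pcap -Y 'ip.src==172.16.1.239 && nbns' -T fields -e ip.src -e eth.src -e nbns.name
NBNS_EXPORT = (
    "172.16.1.239\t00:13:d4:10:05:25\tDESKTOP-F3P7XLU<00> (Workstation/Redirector)\n"
    "172.16.1.239\t00:13:d4:10:05:25\tDUALRUNNING<00> (Domain Name)\n")
KRB_EXPORT = (  # kerberos.CNameString; "sample.user" is a constructed placeholder
    "172.16.1.239\t00:13:d4:10:05:25\tDESKTOP-F3P7XLU$\n"
    "172.16.1.239\t00:13:d4:10:05:25\tsample.user\n")
HTTP_EXPORT = (  # http.user_agent, the string quoted in the walkthrough
    "172.16.1.239\t00:13:d4:10:05:25\tMozilla/5.0 (Windows NT 10.0; Win64; x64) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.67\n")

def rows(export, victim_ip):
    # Yield (eth.src, value) for the tab-separated lines whose ip.src is the victim.
    for line in export.splitlines():
        src, mac, value = line.split("\t", 2)
        if src == victim_ip:
            yield mac, value

def hostname_from_nbns(export, victim_ip):
    # The unique <00>/<20> Workstation/Server entry is the machine name; the rest are group names.
    for _mac, name in rows(export, victim_ip):
        m = re.match(r"([^<]+)<(00|20)> \((Workstation|Server)", name)
        if m:
            return m.group(1)

def mac_from_export(export, victim_ip):
    macs = {mac for mac, _ in rows(export, victim_ip)}
    # More than one MAC behind the IP means it was reused; check DHCP before trusting it.
    return macs.pop() if len(macs) == 1 else None

def user_from_kerberos(export, victim_ip):
    # CNameString also shows the machine account (HOSTNAME$); skip those.
    for _mac, cname in rows(export, victim_ip):
        if not cname.endswith("$"):
            return cname

def os_from_user_agent(export, victim_ip):
    # The first parenthesised group of a browser User-Agent is the platform token.
    for _mac, ua in rows(export, victim_ip):
        m = re.search(r"\(([^)]*)\)", ua)
        if m and m.group(1).startswith("Windows NT"):
            return m.group(1)

def victim_details(victim_ip="172.16.1.239"):
    return {"ip": victim_ip, "hostname": hostname_from_nbns(NBNS_EXPORT, victim_ip),
            "mac": mac_from_export(NBNS_EXPORT, victim_ip),
            "user": user_from_kerberos(KRB_EXPORT, victim_ip),
            "os": os_from_user_agent(HTTP_EXPORT, victim_ip)}
```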

Indicators of compromise (IOCs)


Our final task is to find the IP addresses, domains and URLs associated with the infection. We already did all the hard work; now we just have to do some filtering.


To find the domain and URLs I use two ways, and both work. The first way is by
1) ip.src==172.16.1.239 && http.request
 or
2) File > Export Objects > HTTP

 For this example I'll be using option 1.
 Two frames stand out; try to find them!
 



The obvious choices were:

  1. GET /wpcontent/Receipt-9650354.xls?evagk=2MyeEdhGPszY

  2. GET /templates/file6.bin

In this post, I won't go into the specifics of this type of malware. The malware that the victim downloaded is called "Dridex." This specific malware is commonly distributed through emails. Dridex is commonly attached to infected Microsoft Office documents or delivered through direct links to malicious files. For instance, our victim downloaded an .xls (Excel) file, which we can see here.

/wpcontent/Receipt-9650354.xls?evagk=2MyeEdhGPszY = .xls (Excel) file

Once the victim has opened the malicious file, in most cases the Dridex malware has already been installed. In my next post, I will go over this malware in detail, but for now, this is just a quick summary of what it consists of.


Here is an article by CISA that explains it in detail.


Dridex Post-infection traffic :

• 202.29.60.34 port 443 - HTTPS traffic

• 72.11.131.199 port 443 - HTTPS traffic

• 207.244.250.103 port 443 - HTTPS traffic

• 45.145.55.170 port 453 - HTTPS traffic

• 84.232.252.62 port 443 - HTTPS traffic

As well as the reverse web shell IP:

• 81.17.23.125 port 443 - HTTP traffic


(IP Addresses + Reverse Web-shell IP)


Malware Hash:

Now let's acquire the SHA256 hashes of both downloads. To do that you can download both files from here: Sample1 & Sample2. Another way is just by exporting the downloads from Wireshark. Now here is where we have to be careful: I recommend not doing it on your HOST PC. You're dealing with dangerous malware! Open it in a sandbox environment!


Sample 1:


SHA256 Hash: 4c56a5a7e49b23fcfab4b8d469d42e583497178b9b237374db3e14289f2afc64


Linux command : sha256sum......
Windows command : get-filehash........

Sample 2:


SHA256 Hash: 8e2d3f6bc5f7b639638d2f5ec751bc2985f1636005131623c5d2c448885c5d89


Linux command : sha256sum......
Windows command : get-filehash........
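Added example (not from the original post) covering both the URL/IP list above and the hash step: it flags lure and payload fetches in a constructed tshark http.request export, defangs them for the report, marks the non-443 session, and hashes exported objects with hashlib. Hostnames, destination IPs and the sample bytes are constructed; the URIs and session IPs are the ones found in the walkthrough.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed tshark export of the victim's HTTP requests (not the real pcap):
# columns ip.dst, http.host, http.request.uri. Hosts and IPs are placeholders;
# the first two URIs are the ones found above, the third is benign noise.
HTTP_REQUESTS = (
    "203.0.113.10\tinvoice-host.example\t/wpcontent/Receipt-9650354.xls?evagk=2MyeEdhGPszY\n"
    "203.0.113.10\tinvoice-host.example\t/templates/file6.bin\n"
    "203.0.113.20\twww.example\t/favicon.ico\n")
# Post-infection sessions listed in the walkthrough, web shell IP included: (ip, port).
SESSIONS = [("202.29.60.34", 443), ("72.11.131.199", 443), ("207.244.250.103", 443),
            ("45.145.55.170", 453), ("84.232.252.62", 443), ("81.17.23.125", 443)]
PAYLOAD_EXTS = {".xls", ".xlsm", ".doc", ".docm", ".bin", ".exe", ".dll"}

def defang(url):
    # Render an IOC so it cannot be clicked: hxxp scheme and [.] in the host only.
    p = urlsplit(url)
    out = p.scheme.replace("http", "hxxp") + "://" + p.netloc.replace(".", "[.]") + p.path
    return out + ("?" + p.query if p.query else "")

def suspicious_requests(export):
    # (defanged URL, dst ip, reason) for requests that look like a lure or payload fetch.
    hits = []
    for line in export.splitlines():
        dst, host, uri = line.split("\t", 2)
        path, _, query = uri.partition("?")
        name = path.rsplit("/", 1)[-1]
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in PAYLOAD_EXTS:
            why = f"{ext} download" + (" with per-victim query string" if query else "")
            hits.append((defang(f"http://{host}{uri}"), dst, why))
    return hits

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def is_sha256(text):
    # Reject hashes mangled by copy/paste or line wrapping: exactly 64 hex chars.
    return re.fullmatch(r"[0-9a-f]{64}", text.strip().lower()) is not None

def ioc_section(export=HTTP_REQUESTS, sessions=SESSIONS, samples=()):
    # IOC lines for the report; samples are (label, bytes) of objects exported from Wireshark.
    lines = [f"{url}  ({dst})  {why}" for url, dst, why in suspicious_requests(export)]
    lines += [f"{ip.replace('.', '[.]')} port {port}" + (" (non-standard port)" if port != 443 else "")
              for ip, port in sessions]
    lines += [f"{label}: SHA256 {sha256_hex(data)}" for label, data in samples]
    return lines
```

is_sha256 also catches the line-wrap problem seen above: a hash copied with a stray space in the middle is rejected instead of silently going into the report.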

Closing

Congratulations! You have completed this analysis! You have identified the details of the victim as well as found the IOCs. All that remains is to write a summary report. I'm going to leave that for you to complete. This was really fun and challenging for me. This was my first technical blog post, and I tried my best to explain it in the easiest way for the reader to understand and follow along. If you have any questions, concerns, or inquiries, feel free to reach out! My next blog will be about Dridex malware.
