darksymphonie

Wireshark: Malware Traffic Analysis #2

In my last malware traffic post, I discussed the Dridex malware, the many forms it takes, and how it reaches its victims. If you have not read it, I highly recommend it, because you will see common trends and similarities between malware families. Today we are going to walk through Oski Stealer.


This one was new to me. I had never heard of this type of malware before writing this, but it was really fun and challenging to analyze all the traffic and understand it. This post will be a bit longer than the last. As usual, I will go over everything to the best of my ability. Without further ado, let's get right into it.


Make sure your home lab is ready to go!


Just to be advised that you use this website at your own risk! Be smart and use a sandbox environment when examining any sort of malware! It could lead to loss or damage.


2022-01-07 - TRAFFIC ANALYSIS EXERCISE - SPOONWATCH




SCENARIO :


LAN segment data:


  • LAN segment range: 192.168.1.0/24 (192.168.1.0 through 192.168.1.255)

  • Domain: spoonwatch.net

  • Domain controller: 192.168.1.9 - SPOONWATCH-DC

  • LAN segment gateway: 192.168.1.1

  • LAN segment broadcast address: 192.168.1.255



TASK :


  • Write an incident report based on the pcap and the alerts.

  • The incident report should contain 3 sections:

      • Executive Summary: State in simple, direct terms what happened (when, who, what).

      • Details: Details of the victim (hostname, IP address, MAC address, Windows user account name).

      • Indicators of Compromise (IOCs): IP addresses, domains and URLs associated with the infection. SHA256 hashes if any malware binaries can be extracted from the pcap.


From this we can gather the domain name, the domain controller's IP address, and the IP range (192.168.1.0–192.168.1.255). There is not much we can do with this yet, but that's the least of our worries. We have to figure out what malware we are dealing with and who the victim or victims are, which is the task MT has given us.


Wireshark :

Open the pcap file you downloaded earlier. It should look something like this. Your column display might differ, because I have adjusted some settings to my liking; that won't affect anything if yours does not look exactly like mine.



The first thing I like to do, to narrow down the hundreds of IPs in the pcap, is check the IPv4 statistics: Statistics → IPv4 Statistics. There you can see every IPv4 address and the packet count per address, and sort by highest or lowest packet count. Once sorted, it should look something like this.



That gives us the IP with the most traffic on the subnet, 192.168.1.216 with 5849 packets, followed by the next few IPs that also carry a lot of traffic. We can now use that IP in our Wireshark search.


I would start off by filtering on:


ip.addr == 192.168.1.216 && (http.request or http.response or tls.handshake.type == 1)


Your result should look something like this.


Now let's analyze the results.



The first few results, shown in purple, are TrickBot activity, which generally relies on SSL/TLS traffic for command and control communications. We can also identify Emotet activity, which is generally HTTP traffic. I will show another example from MT that helped me distinguish between the two.


Duncan, B. (2022, January 28). Wireshark tutorial: Examining trickbot infections. Unit42. Retrieved February 10, 2022, from https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/




However, something very suspicious is going on. If it isn't obvious enough, IP address 2.56.57.108 receives 7 HTTP POST requests for files ending in .jpg, one for a PHP page, and one for a zip file. These come after the victim was infected with the Oski Stealer malware by opening the infected Microsoft document and enabling macros. So our next task is to identify those jpgs and files.


Click on the first result, "POST /osk//6.jpg HTTP/1.1", and select Follow → TCP Stream.


Perform the same procedure for the other HTTP POST requests. Once completed, you should see the same pattern in each one: "MZ......................@............................................. .!..L.!This program cannot be run in DOS mode." That MZ signature and DOS stub message are the header of a Windows PE executable, so each of these "jpg" files is really an executable.


That's the message no one wants to see, especially at your workplace: you've been #pwned. Once infected, we have to air-gap this computer to make sure it doesn't spread onto the network, because so far we have no clue what we are dealing with. With that done, let's get the hashes for each malicious file.


Let's start in number order. (Before you ask, yes, the h.ttp is not a typo: I accidentally clicked on those links and I'm saving you the trouble.)

  • h.ttp://2.56.57.108/osk//1.jpg - 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

  • h.ttp://2.56.57.108/osk//2.jpg - a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

  • h.ttp://2.56.57.108/osk//3.jpg - 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

  • h.ttp://2.56.57.108/osk//4.jpg - 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

  • h.ttp://2.56.57.108/osk//5.jpg - e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

  • h.ttp://2.56.57.108/osk//6.jpg - 43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

  • h.ttp://2.56.57.108/osk//7.jpg - c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

Now that we have all the hashes, let's research each one. Go to VirusTotal, paste each hash individually, and review the results.



After looking up each hash on VirusTotal, you can see that they all belong to legitimate files, so what is the problem? The problem is that the actual malware isn't included in the pcap. Trust me, I spent a few hours trying to figure out where the malware was in the pcap, and it wasn't until I looked at the answer key provided by MT that I understood: it isn't there. Once the user executed the malware, via the malicious document, executable, or whatever the user fell victim to, that payload is what made all of the HTTP POST requests. MT states this in the answer sheet:



"Files associated with this infection that can be extracted from the pcap. None of these files are malicious (they're all copies of legitimate files), but they are retrieved by the actual malware that's not in the pcap."


as well as:


"In the pcap, you can export the zip archive POST-ed in the last HTTP request to 2.56.57.108. Export the POST-ed data, then use a hex editor to remove the form header and footer from the binary. However, I've edited the pcap to corrupt the zip archive. Why? Because it gives details about the infected host, and I want to hide the exact details of my lab environment (which is how I generated this pcap)."
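The two steps MT describes above, carving the POST-ed data out of the multipart form body (the "remove the form header and footer" step) and then checking the MZ/PE header seen in the TCP streams before hashing it, as an added Python example that is not part of the original post or of MT's material. The boundary, the multipart body and the fake PE bytes are constructed here for illustration; point `extract_posted_file` at a real exported request body and its boundary to get the same hash Wireshark's export would give.

```python
import hashlib

# DOS stub text seen in every followed TCP stream above.
DOS_STUB = b"This program cannot be run in DOS mode"

def extract_posted_file(body: bytes, boundary: str) -> bytes:
    """Return the bytes of the first file part in a multipart/form-data body,
    i.e. the POST-ed data with the form header and footer removed."""
    delimiter = b"--" + boundary.encode()
    for part in body.split(delimiter):
        # Strip exactly one CRLF on each side so a file ending in CRLF survives.
        part = part[2:] if part.startswith(b"\r\n") else part
        part = part[:-2] if part.endswith(b"\r\n") else part
        if part in (b"", b"--"):  # preamble, or the closing "--" marker
            continue
        headers, sep, content = part.partition(b"\r\n\r\n")
        if sep and b"filename=" in headers:
            return content
    raise ValueError("no file part found in body")

def looks_like_pe(data: bytes) -> bool:
    """MZ signature plus an e_lfanew offset that points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: a minimal fake PE header (not a real binary) inside a
# constructed multipart body shaped like the /osk//N.jpg POST requests.
_dos_header = b"MZ" + b"\x00" * 58 + (0x80).to_bytes(4, "little")
_stub = b"\x0e\x1f\xba\x0e\x00\xb4\t\xcd!\xb8\x01L\xcd!" + DOS_STUB + b".\r\n$"
FAKE_PE = (_dos_header + _stub).ljust(0x80, b"\x00") + b"PE\x00\x00" + b"\x00" * 20
BOUNDARY = "----ConstructedBoundary1234"
SAMPLE_BODY = (
    b"--" + BOUNDARY.encode() + b"\r\n"
    + b'Content-Disposition: form-data; name="file"; filename="6.jpg"\r\n'
    + b"Content-Type: application/octet-stream\r\n\r\n"
    + FAKE_PE + b"\r\n"
    + b"--" + BOUNDARY.encode() + b"--\r\n"
)

if __name__ == "__main__":
    carved = extract_posted_file(SAMPLE_BODY, BOUNDARY)
    print("PE header:", looks_like_pe(carved), "SHA256:", sha256_hex(carved))
```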


With that cleared up and with the hard stuff out of the way, let's now find out the details of the victim (hostname, IP address, MAC address, Windows user account name).


Identifying Host and user information :


If you recall, in my last blog we used


ip.addr==x.x.x.x && nbns


We are going to use that filter again for this tutorial:


ip.addr==192.168.1.216 && nbns


The result will be Destop-GXNYN02. Now let's find the MAC address: click on any result whose Info column shows that hostname and expand Ethernet II → Source. That is the MAC address for that desktop: Source: ASUSTekC_32:58:f9 (9c:5c:8e:32:58:f9).



With that done, we have a few things left to find. Let's find the username, using

ip.addr==192.168.1.216 && kerberos.cname.string




The username should be "Steve Smith". We don't need to find the IP address, because it's the one we have been using for all the filters. Now we are done; on to the IOCs.



Indicators of Compromise (IOC) :


We are close to finishing. Now we have to list the IOCs associated with this infection. Recall that an IOC consists of the IP addresses, domains, and URLs associated with the infection. We do not need to do any more research, since we already found them during our investigation. They are listed below.


Domain/URLs/Hashes:

  1. h.ttp://2.56.57.108/osk//1.jpg - 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

  2. h.ttp://2.56.57.108/osk//2.jpg - a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

  3. h.ttp://2.56.57.108/osk//3.jpg - 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

  4. h.ttp://2.56.57.108/osk//4.jpg - 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

  5. h.ttp://2.56.57.108/osk//5.jpg - e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

  6. h.ttp://2.56.57.108/osk//6.jpg - 43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

  7. h.ttp://2.56.57.108/osk//7.jpg - c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

IP Addresses:

  • 192.168.1.216

  • 2.56.57.108

Closing :

We have now completed this exercise. In it, we found the details of the victim and went over the filters we used to find that information. By using Wireshark display filters, we also found the indicators of compromise. MT wants us to write an executive summary. As always, I'm going to leave that up to you. Write it in your own words and format it! I know it's been a while since I last posted, but I'm going to take the time to keep on posting content, and to be more active on my social media. As always, feel free to reach out on any social media that I'm associated with if you have any questions, or if I made a mistake and want to discuss it (I'm always wanting to learn and improve), or if you just want to talk about the recent cyber news or projects, don't hesitate to reach out!

Have a great rest of your week!
