2016-01-07 – TRAFFIC ANALYSIS EXERCISE – ALERTS ON 3 DIFFERENT HOSTS

SCENARIO:

You are working as an analyst reviewing suspicious network events at your organization’s Security Operations Center (SOC). Things have been quiet for a while. However, you notice several alerts occur within minutes of each other on 3 separate hosts.

We are given a Screenshot of the alerts, a snort events file , a suricata events file and the .Pcap file of the traffic.

The Affected Host: (In order found in the Pcap)

Client 1:

  Client IP address: 192.168.122.130 (192.168.122.130)
  Client MAC address: Dell_e2:4b:86 (00:22:19:e2:4b:86)
  Host Name: FULL-METAL-JACK

Client 2:

  Client IP address: 192.168.122.52 (192.168.122.52)
  Client MAC address: HewlettP_32:a9:17 (00:26:55:32:a9:17)
  Client name: Jennifer-PC

Client 3:
 
  Client IP address: 192.168.122.132 (192.168.122.132)
  Client MAC address: AsustekC_c1:f2:48 (48:5b:39:c1:f2:48)
  Host Name: Hokaydoo-PC

2016-01-07-traffic-analysis-exercise-image-01-Boxed

If we take a closer look at the alerts screenshot we see boxed in “Red” the events for the IP of 192.168.122.52 and appears to have been redirected to a Exploit Kit page but we are missing what kind from the screen shot.

Boxed in “Purple” we have the events for the IP of 192.168.122.132 and it appears that that is was infected with Crypto wall or Alpha Crypt by means of the Neutrino Exploit kit.

Boxed In “Blue” we have events for the IP of 192.168.122.130 and appears to have downloaded an Evil File, no further information available in the screenshot.

Since we are working with 3 different infected systems lets extract the traffic for those systems to their own Pcap file. For that we will use Tshark which is the command line version of Wireshark.

The command will look like:

tshark -2 -R ip.addr==192.168.122.130 -r [Full Path \] 2016-01-07-traffic-analysis-exercise.pcap -w [Full Path \] 192-168-122-130.pcap , and remember to use double quotes around the full paths.

Once we get the Individual files we can then search for items not having to filter out the traffic from the other two systems. Note these packets only contain those that are listed “with” the stated IP Address. So those items before it was assigned an IP should not show up.

Side Note: When looking at the timestamps in the TShark generated Pcap files the timestamps were different in the hex editor than the ones in older Wireshark. I stopped long enough on this post to write another post (and a timestamp converter) on the timestamps located Here. I also discovered that they are the same as the Pcapng format saved by the newer version of Wireshark.

Now lets split out the IP’s with the Snort and the Suricata events files also.

If we open each of the events files  using Notepad++ then we can do a search for the IP Address for each of the 3 IP addresses then use the mark tab to mark all of the Instances of the one we are looking for and then copy paste those to a new file and save it, that way we can research each IP separately with the traffic and the events.

Now that we have everything separated we can go thru each systems incident without getting confused by data from the other two.

Lets just start in order found in the original Pcap file.

Client 1:

  Client IP address: 192.168.122.130 (192.168.122.130)
  Client MAC address: Dell_e2:4b:86 (00:22:19:e2:4b:86)
  Host Name: FULL-METAL-JACK

A quick look thru the log files tells us that files were downloaded to the computer and executed.

The last get request we see for this IP before the infection is to Yahoo mail.

YahooMail

After that we see multiple request GET /Counter ……….

The Suricata Events log supports this with,

Count:1 Event#3.8880 2016-01-07 22:11:26
ETPRO TROJAN Nemucod Downloading Payload

Which tell us that the user opened and infected file from a spam email message.

The first one calls out to (ma-wt.com.sa) 216.158.85.7 but the response resulted in a malformed packet.

Next it called out to (dariostoka.com) 174.36.186.235 where it returned a normal ok but no files downloaded when it was looking for a image file.

Next it calls out to (freshanointingministries-sc.org) 184.168.173.1

Lets take a closer look at this.

getcounterrequest-b

If we take a closer look at this we have a total of 9 request, it calls out to each of the three sites once, increments the counter then calls again. so I would assume that the “rnd” number has something to do with deciding on if a file gets downloaded or not. The first three did not return a file but the last 6 did. Also note the the “id” value in each are exactly the same.

Another interesting thing is if we drop the “id” in to a hex editor we see this.

CounterID-bin

It appears as though it is identifying this system as being in the US and also appears to have some sort of encoded format for transmitting information.

The  six files downloaded was supposed to be “Media Type: image/gif “ but in fact are are .exe files.

ExeFile

(Frame Numbers) are from the extracted individual IP Pcap files.
(7382) filename=66b32.gif Size: 260613 bytes
IP: 216.158.85.7
Host: ma-wt.com.sa
SHA-1: 4d1c87e219a417c3aa86a6cd6847a82d352a8b4e

(7662) filename=174125.gif Size: 260613 bytes SHA1 Hash:
IP: 174.36.186.235
Host: dariostoka.com
SHA-1: 4d1c87e219a417c3aa86a6cd6847a82d352a8b4e

(7958) filename=c9a63078fe7d3741.gif Size: 260619 bytes SHA1 Hash:
IP: 184.168.173.1
Host: freshanointingministries-sc.org
SHA-1: 9a843ce345c45e1ec8b96df2785336c7d2a48af5

(8079) filename=250acae.gif Size: 114688 bytes SHA1 Hash:
IP; 216.158.85.7
Host: ma-wt.com.sa
SHA-1: d5cd460e184120f154d0017b929ede46b56d49ff

(8223) filename=d50f729942631.gif Size: 114688 bytes
IP: 174.36.186.235
Host: dariostoka.com
SHA-1: d5cd460e184120f154d0017b929ede46b56d49ff

(8451) filename=2487ff63fb4e79.gif Size: 145922 bytes
IP: 184.168.173.1
Host: freshanointingministries-sc.org
SHA-1: e63932430d4028b51fa25dae13d9e0188e9a02a5

the first 3 files are the same from 3 different sites. The 3rd one has a few extra bytes changing the Hash value. The next 2 files from 2 different sites are the same but the last is the odd one (C++) from the third site.

The first 5 are VB 5/6 files the last one is C++ 6.0

Here is the Diff on the second and third files.

FileDiff

Without running these files I can not be sure what they do, I am not finding enough information online about them.

The first 3 have a string table of Language ‘Lithuanian” but decompiles to English. the fourth and fifth file has a Version info with Language of “Chinese Traditional” but decompiles to what appears to be German.

An interesting import to me for the last one is “ SetCommBreak” MSDN Link 

Suspends character transmission for a specified communications device and places the transmission line in a break state until the ClearCommBreak function is called.

I’m not sure yet what it would be used for in this case, or even if it was used, but the Clear command is not listed in the imports that I have  seen, suggesting that communication with a device may have been blocked.

Without running these this as far as I can go with client one.

In collusion follow up with user machine for more details on the infection , and retrain the user not to open the spam emails.

Client2:

Client IP address: 192.168.122.52 (192.168.122.52)
Client MAC address: HewlettP_32:a9:17 (00:26:55:32:a9:17)
Client name: Jennifer-PC

The initial alerts shown tells us we are dealing with some kind of “Evil” redirector .

The first part of the traffic tells us the user is doing a Yahoo search for “http://planetside.co. uk /” we find this in packet 1343 in my IP only file or packet 9692 in the original Pcap file. This is the start of the incident, not counting clicking on the link in the search engine.

In order to find the the full chain we need to follow the leads and work backwards to find the beginning of the chain of events .

With as many request as there are and nothing stands out lets try the event logs to see what we can find.

Here is an interesting one in the Snort Events .

BadSript1

Using the highlighted portion of the timestamp from the Snort log we can search in Wireshark for that hit. Once we find that point, then we can “Follow stream” for that packet and we do end up getting a “Packed” script. After unpacking the script we see this.

UnpackedScript

Looking at this scrip it appears to be a benign script for page navigation. Why they decided to pack this thing who knows.

Following up on several of the alerts in the logs turned out to be false leads and several hits were for packets of encrypted traffic.

In conclusion this appears to be several false positives making it appear that this system was infected. I have not found any actual infections thru the traffic.

I recommend checking the users system to verify.

 

Client 3:

Client IP address: 192.168.122.132 (192.168.122.132)
Client MAC address: AsustekC_c1:f2:48 (48:5b:39:c1:f2:48)
Host Name: Hokaydoo-PC

This incident begins with a Google search and a link clicked in the search results for “www.koeppl [dot] com”

This turns out to be the landing page for a Angler EK .

LandingPage

The end of this section of the script looks like this.

Normal

After decoding the  “Eval” section of the script we end up with this.

DecodeLayer1

Then yet another layer of encoding , I see in this picture a few of the characters are missing using an earlier version of my decoder. I still have more work to do on this to fully decode/understand this part of the script.

The result of this compromised page though is a redirect to another page to download the malware flash file.

If we set a filter of  “ http.request.full_uri contains top “ we can see most of the remainder of the infection chain.

FinalChain

The Suricata Events Log tells us we are dealing with a Neutrino EK and they say the check-in is crypto wall but the payment page info here says  Alpha Crypt.

checkin1a

The source code of the extracted payment page contains “How to buy CryptoWall decrypter”.

In conclusion this user clicked on a link in Google that that landed them on the Angler EK landing page.

Compromised site: http://www.koeppl.com  92.51.131.150

Landing page for Angler EK :

89.38.144.75  uacltr.securetopc.top GET /1993/10/14/madness/willow/dick-sort-southward-swallow.html

Associated request:

89.38.144.75  uacltr.securetopc.top GET /1987/09/28/behave/cheerful-stumble-broad.html.swf  (Called twice)

89.38.144.75  gbesbsdsb.securetopc.top GET /surprise/1430317/fellow-touch-death-curl-cast-dance-bubble-moonlight-shock (Resulted in malformed packet)

89.38.144.75 gbesbsdsb.securetopc.top  GET /officer/1277929/tidings-humble-communication  (resulted in possible encrypted file download  (421888 bytes)).

95.128.181.144 3wzn5p2yiumh7akj.waytopaytosystem.com  GET /1f96s0p Payment page.

In conclusion follow up with system to verify the extent of the damage.

This puppy got hammered.

Advertisements

About pcsxcetrasupport3

My part time Business, I mainly do system building and system repair. Over the last several years I have been building system utility's in vb script , HTA applications and VB.Net to be able to better find the information I need to better understand the systems problems in order to get the systems repaired and back to my customers quicker.
This entry was posted in Malware, Networking, security and tagged , . Bookmark the permalink.

One Response to 2016-01-07 – TRAFFIC ANALYSIS EXERCISE – ALERTS ON 3 DIFFERENT HOSTS

  1. Pingback: Wireshark and TShark Timestamps | PC's Xcetra Support

Comments are closed.