Here is another “Malware Traffic Exercise”.
The company we were working for in one of the earlier exercises, Cupids Arrow, went bankrupt, and needing a job we accepted the offer from the former owners to work for their new company. This time we are working alone and with fewer resources than before.
At least we don’t have Sven staring at us.
Filter used: “bootp.fqdn.name”
Client name: Rockword-PC
Client MAC address: Micro-St_a6:fb:ce (00:1d:92:a6:fb:ce)
Your (client) IP address: 10.21.101.121 (10.21.101.121)
In this one we have a large pcap file and a screenshot of the alerts generated.
Here we see several alerts coming from several different IPs, so we will go down the list and check each one.
Alert list and filters used, with some of my initial notes:
ip.addr eq 18.104.22.168 and (http.request or http.response) Link from Google search.
ip.addr eq 22.214.171.124 and (http.request or http.response) First redirect using flash.
ip.addr eq 126.96.36.199 and (http.request or http.response) This is Angler EK
ip.addr eq 188.8.131.52 and (http.request or http.response) Getting currency rates.
ip.addr eq 184.108.40.206 and (http.request or http.response) 2 packets, 1 POST 1 Response ok
ip.addr eq 220.127.116.11 and (http.request or http.response) POST and 404 replies using hidden Base64 encoded string.
ip.addr eq 18.104.22.168 and (http.request or http.response) Download a downloader program.
ip.addr eq 22.214.171.124 and (http.request or http.response) Not really sure what this one is doing.
ip.addr eq 126.96.36.199 and (http.request or http.response) Not sure, more ads??
ip.addr eq 188.8.131.52 and (http.request or http.response) More ads??
ip.addr eq 184.108.40.206 and (http.request or http.response) More ads / Bedep??
ip.addr eq 220.127.116.11 and (http.request or http.response) More.
ip.addr eq 18.104.22.168 and (http.request or http.response) GameBuilder??
ip.addr eq 22.214.171.124 and (http.request or http.response) Strange. Encoded/XORed escaped string.
As we can see we have quite a few alerts to deal with, but I will start with something that did not make the alert list.
In this screenshot we see some “GIF89a” files with something called XMP Data in them. This is the first time I’ve noticed them. A quick search tells us it is supposed to hold metadata for the file.
There is an exploit that can use this section to crash the viewing application, and the amount of spaces and return characters between the opening and closing tags in these files seems excessive to me. More research on this particular file will need to be done.
The first three look similar and are all served up by the Roadrunner email client that was used, most likely from the advertisements shown in it. Packets 3542, 3833 and 3890.
But the last one looks like this, which is more like what the description at http://www.vurdalakov.net/misc/gif/netscape-buffering-application-extension says it is supposed to look like. The search term used to find that link was “Extension label: Application (0xff)”.
The Wireshark filter used to find just those 4 was “image-gif.extension.label == 0xff”
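Rather than eyeballing the padding in a hex view, the Application Extension blocks of a carved GIF can be walked programmatically. This is an added example, not code from the original write-up: it parses the GIF block stream, reports every 0xFF extension with its identifier and whitespace ratio, and flags XMP packets that are mostly whitespace; the sample GIF and the loop/XMP contents are constructed here, and the XMP packet is stored in ordinary data sub-blocks for simplicity.

```python
import struct

def _read_subblocks(data, pos):
    """Concatenate GIF data sub-blocks starting at pos; return (payload, pos after the 0 terminator)."""
    out = bytearray()
    while (n := data[pos]) != 0:
        out += data[pos + 1:pos + 1 + n]
        pos += 1 + n
    return bytes(out), pos + 1

def gif_app_extensions(data):
    """Walk the GIF block stream and describe every Application Extension (label 0xFF)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]                                        # logical screen descriptor flags
    pos = 13 + (3 * (2 << (packed & 7)) if packed & 0x80 else 0)  # skip global colour table
    found = []
    while data[pos] != 0x3B:                                 # 0x3B: trailer
        block = data[pos]; pos += 1
        if block == 0x21:                                    # extension introducer
            label = data[pos]; pos += 1
            payload, pos = _read_subblocks(data, pos)
            if label == 0xFF:
                body = payload[11:]                          # first 11 bytes: identifier + auth code
                ws = sum(body.count(c) for c in b" \t\r\n")
                found.append({"id": payload[:11].decode("latin-1"), "size": len(body),
                              "whitespace_ratio": round(ws / len(body), 3) if body else 0.0})
        elif block == 0x2C:                                  # image descriptor
            lpacked = data[pos + 8]; pos += 9
            if lpacked & 0x80:
                pos += 3 * (2 << (lpacked & 7))              # local colour table
            _, pos = _read_subblocks(data, pos + 1)          # +1 skips the LZW minimum code size
        else:
            raise ValueError(f"unexpected block id 0x{block:02x} at offset {pos - 1}")
    return found

def padded_xmp(exts, threshold=0.5):
    """XMP extensions whose payload is mostly whitespace, the pattern noted in the write-up."""
    return [e for e in exts if e["id"].startswith("XMP Data") and e["whitespace_ratio"] > threshold]

def build_sample_gif(xmp_packet):
    """Constructed 1x1 GIF89a with a NETSCAPE2.0 loop block and an XMP packet stored in plain sub-blocks."""
    def subblocks(b):
        return b"".join(bytes([len(b[i:i + 255])]) + b[i:i + 255] for i in range(0, len(b), 255)) + b"\x00"
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x00\x00\x00\xff\xff\xff"
    netscape = b"\x21\xff\x0bNETSCAPE2.0\x03\x01\x00\x00\x00"
    xmp = b"\x21\xff\x0bXMP DataXMP" + subblocks(xmp_packet)
    image = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"
    return header + netscape + xmp + image + b"\x3b"
```

Files exported from Wireshark (File > Export Objects > HTTP) can be read as bytes and passed straight to gif_app_extensions.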
After all of the email stuff we next see a click on a link from a Google search.
The Google link leads us to thingstodo.viator[.]com: type A, class IN, addr 126.96.36.199
Packet 7892 is our GET request and we next land at the response in packet 8009.
A lot of traffic has gone by already.
Here we have a “compression failed” error in Wireshark, but we can still see the information at the end of the page by following the TCP stream.
We see two GET request packets. The one at packet 9696 downloads a Flash file; packet 9745 does some form of base64 decoding and then sends out a link to another site.
The GET request at packet 9809 is exactly like the earlier one, except that “/index.php” is tacked on to the end, and at packet 9913 we get redirected again to http:[//]fireman.carsassurance[.]info/topic/82711-crammer-warder-wept-scenically-wad-difficult-sparingly/
This leads us to packet 9957 and the response is at packet 10198 which is indeed the Angler EK.
If we view the traffic associated with the Angler EK, packets 9957 and 10205 are associated with the first Flash file that directed us to the exploit kit: 9957 is the GET request for the Angler EK landing page and 10205 appears to be an encoded form of base64 with some data in it. In packet 102011 we have the GET request for the Flash file from the Angler EK, and in packet 111201 we have an encrypted payload which is most likely decoded by the Flash file.
This in turn leads us to the next alert at packet 11766 and the response at 11844, which is some currency rates. The alert suggests that it may be a connectivity beacon.
The next alert, in packets 11854 and 11863, appears to be the malware sending data as a base64 encoded string in a POST request.
The next alerts, at packet 14212 and IP 188.8.131.52, are listed as ETPRO TROJAN Win32/Neutrino checkin 4.
If we take a closer look at this traffic, it is hidden communication with the command and control server.
This traffic uses POST requests and 404 Not Found pages to pass information back and forth.
The 404 responses hide base64 strings in comment fields.
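The 404-with-hidden-base64 pattern is easy to check mechanically once the responses are extracted. The following Python is an added example, not from the original post: it takes a raw HTTP response, keeps only 404s, pulls base64-looking tokens out of HTML comments and decodes them. The sample response and the message inside it are constructed here.

```python
import base64
import binascii
import re

# Constructed sample: a 404 reply from the C2 carrying a base64 string inside an HTML comment.
SAMPLE_404 = (
    b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n"
    b"<html><head><title>404 Not Found</title></head><body>\n"
    b"<h1>Not Found</h1><p>The requested URL was not found on this server.</p>\n"
    b"<!-- " + base64.b64encode(b"cmd=sleep;interval=300;id=constructed-bot-01") + b" -->\n"
    b"</body></html>\n"
)

COMMENT_RE = re.compile(rb"<!--(.*?)-->", re.S)
# A run of base64 alphabet characters, at least 16 long, not embedded in a longer word.
B64_TOKEN_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")

def split_response(raw):
    """Return (status code, body) for a raw HTTP/1.x response; assumes CRLF header termination."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    return int(status_line.split()[1]), body

def hidden_base64_in_404(raw):
    """Find base64 tokens inside HTML comments of a 404 page; return [(token, decoded bytes)]."""
    status, body = split_response(raw)
    if status != 404:
        return []
    hits = []
    for comment in COMMENT_RE.finditer(body):
        for token in B64_TOKEN_RE.findall(comment.group(1)):
            if len(token) % 4:                       # lengths not divisible by 4 cannot be base64
                continue
            try:
                hits.append((token.decode("ascii"), base64.b64decode(token, validate=True)))
            except binascii.Error:                   # looked like base64 but did not decode
                continue
    return hits
```

Run this over every 404 body in the stream (for example those followed from the POST filter above) and compare the decoded bytes against the host information seen leaving in the POSTs.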
This leads us to the next alert, where this traffic downloads a binary file named domand756.exe.
Our next alert is for IP 184.108.40.206. I’m still not totally sure what this is doing, but it appears to be sending some host information.
If we look at these DNS requests, back to back right after the EXE was downloaded, it suggests that the calls were made from the malware.
If we look at the malware in PE Studio and at the VirusTotal report, it has several different names.
We see traffic in the alerts for the Bedep server response from
We also see queries for NTP servers in several locations, using two different Google DNS servers.
Here is the traffic associated with what the alerts say is the CnC traffic:
moregoodstafsforus.com: type A, class IN, addr 220.127.116.11
jimmymorisonguitars.com: type A, class IN, addr 18.104.22.168
daytonamagik.com: type A, class IN, addr 22.214.171.124
bookersmartest.xyz: type A, class IN, addr 126.96.36.199
lovelyroomsforday.com: type A, class IN, addr 188.8.131.52
kjnoa9sdi3mrlsdnfi.com: type A, class IN, addr 184.108.40.206
Each one calls out and ends up with “HTTP/1.1 302 Moved Temporarily”.
Looking at these, they all call out to http[:]//popcash[.]net/world/go/103680/204726, which is a popup advertiser.
All of the above appear to be doing the cascading calls. The last one in the list uses the same type of calls but calls out to http[://]c.feed-xml[.]com, which is another ad network.
In packets 14847 and 14925 we see that popcash is redirecting to an online game.
In packets 15003 and 15028, IP 220.127.116.11, we see another redirect from popcash to the fake pop-up alert. (Part of the decoded source is below.)
At the bottom of the script this also directs to histats.com:
s4.histats.com: type A, class IN, addr 18.104.22.168
s4.histats.com: type A, class IN, addr 22.214.171.124
s4.histats.com: type A, class IN, addr 126.96.36.199
s4.histats.com: type A, class IN, addr 188.8.131.52
The last alert listed is another redirect from popcash to an adult site.
Full request URI: http://xxxsexcamera[.]club/
There is more traffic from popcash, and the redirects associated with it, that did not make the alert list.
In conclusion, this infection generated a lot of traffic and no doubt dropped several files on the infected system. I’m also sure that a lot of windows popped up at the time.
Follow up with the user and clean the system or do a clean install.