2016-03-30 – TRAFFIC ANALYSIS EXERCISE – MARCH MADNESS

Here is another “Malware Traffic Exercise”.

The Scenario:

The last company we worked for, Cupids Arrow from one of the last exercises, went bankrupt, and needing a job we accepted the offer from the former owners to work for their new company. This time we are working alone and with fewer resources than before.

At least we don’t have  Sven staring at us.

The System:

Filter used: “bootp.fqdn.name”

Client name: Rockword-PC
Client MAC address: Micro-St_a6:fb:ce (00:1d:92:a6:fb:ce)
Your (client) IP address: 10.21.101.121 (10.21.101.121)

In this one we have a large pcap file and a screenshot of the alerts generated.

[Screenshot: 2016-03-30-traffic-analysis-exercise-image-03]

Here we see several alerts coming from several different IPs, so we will just have to go down the list and check them all out.

Alert list and filters used, with some of my initial notes.

ip.addr eq 198.154.248.183 and (http.request or http.response)  Link from Google search.
ip.addr eq 85.93.0.34 and (http.request or http.response)  First redirect using Flash.
ip.addr eq 185.46.11.245 and (http.request or http.response)  This is Angler EK.
ip.addr eq 23.211.235.162 and (http.request or http.response)  Getting currency rates.
ip.addr eq 82.141.230.141 and (http.request or http.response)  2 packets, 1 POST, 1 Response OK.
ip.addr eq 171.35.182.56 and (http.request or http.response)  POST and 404 replies using a hidden Base64-encoded string.
ip.addr eq 103.234.36.148 and (http.request or http.response)  Download of a downloader program.
ip.addr eq 104.193.252.234 and (http.request or http.response)  Not really sure what this one is doing.
ip.addr eq 89.163.241.90 and (http.request or http.response)  Not sure, more ads??
ip.addr eq 162.244.32.122 and (http.request or http.response)  More ads??
ip.addr eq 162.244.32.121 and (http.request or http.response)  More ads / BDEP??
ip.addr eq 85.25.41.95 and (http.request or http.response)  More.
ip.addr eq 143.95.32.93 and (http.request or http.response)  GameBuilder??
ip.addr eq 68.177.32.113 and (http.request or http.response)  Strange. Encoded / XORed escaped string.

As we can see we have quite a few alerts to deal with, but I will start with something that did not make the alert list.

In this screenshot we see some “GIF89a” files with something called XMP data in them. This is the first time I’ve noticed them. A quick search tells us it is supposed to hold metadata for the file.

[Screenshot: Gif-Xmp]

There is an exploit that can use this section to crash the viewing application, and the number of spaces and return characters between the opening and closing tags in this one seems excessive to me. More research on this particular file will need to be done.

The first 3 look similar and are all served up by the Roadrunner email client that was used, most likely from the advertisements shown in it. Packets 3542, 3833 and 3890.

But the last one looks like this, which is more like what the description at http://www.vurdalakov.net/misc/gif/netscape-buffering-application-extension makes it sound like it is supposed to be. The search term used to find that link was “Extension label: Application (0xff)”.

The Wireshark filter used to find just those 4 was “image-gif.extension.label == 0xff”.
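To compare the four GIFs the filter turns up without reading hex by hand, here is an added example (my own code, not from the exercise or its author) that walks a GIF's block structure, pulls out every Application Extension (label 0xFF, the same blocks the filter matches) and measures how much of an XMP packet is whitespace; the GIF bytes are a constructed sample, not one of the files from the pcap.

```python
def _skip_sub_blocks(buf, pos):
    # Advance past GIF data sub-blocks; return the offset just after the 0x00 terminator.
    while True:
        n = buf[pos]
        pos += 1 + n
        if n == 0:
            return pos

def gif_app_extensions(buf):
    """Return [(identifier, raw_bytes)] for every Application Extension (label 0xFF)."""
    if buf[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    found, packed, pos = [], buf[10], 13          # logical screen descriptor occupies bytes 6..12
    if packed & 0x80:                             # global colour table present
        pos += 3 * (2 << (packed & 7))
    while pos < len(buf):
        block = buf[pos]; pos += 1
        if block == 0x3B:                         # GIF trailer
            break
        if block == 0x21:                         # extension introducer, label byte follows
            label = buf[pos]; pos += 1
            if label == 0xFF:                     # what "image-gif.extension.label == 0xff" selects
                ident, start = bytes(buf[pos + 1:pos + 12]), pos + 12
                pos = _skip_sub_blocks(buf, start)
                # XMP is stored unchunked and ends in a 258-byte "magic trailer" that steers any
                # sub-block walk onto a terminator, so the raw span up to that terminator is the packet
                found.append((ident, bytes(buf[start:pos - 1])))
            else:
                pos = _skip_sub_blocks(buf, pos)
        elif block == 0x2C:                       # image descriptor: 9 bytes, optional local colour table
            lpacked = buf[pos + 8]; pos += 9
            if lpacked & 0x80:
                pos += 3 * (2 << (lpacked & 7))
            pos = _skip_sub_blocks(buf, pos + 1)  # +1 skips the LZW minimum code size
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    return found

def xmp_whitespace_ratio(raw):
    """Fraction of whitespace bytes in the XMP packet body, before <?xpacket end>."""
    pkt = raw.split(b"<?xpacket end")[0]
    return sum(c in b" \t\r\n" for c in pkt) / max(len(pkt), 1)

# Constructed sample: 1x1 GIF carrying a NETSCAPE2.0 loop block and an XMP packet padded with 300 " \r\n" runs
_XMP = (b'<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?><x:xmpmeta xmlns:x="adobe:ns:meta/">'
        b'<rdf:RDF/></x:xmpmeta>' + b" \r\n" * 300 + b'<?xpacket end="w"?>')
_MAGIC_TRAILER = b"\x01" + bytes(range(255, -1, -1)) + b"\x00"
SAMPLE_GIF = (b"GIF89a\x01\x00\x01\x00\x00\x00\x00" + b"\x21\xFF\x0BNETSCAPE2.0\x03\x01\x00\x00\x00"
              + b"\x21\xFF\x0BXMP DataXMP" + _XMP + _MAGIC_TRAILER
              + b"\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3B")
```

The XMP specification allows whitespace padding after the packet for in-place editing, so a high ratio is a triage number to compare across the four files, not proof of anything on its own.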

[Screenshot: Normal]

After all of the email stuff we next see a click on a link from a Google search.

The Google link leads us to thingstodo.viator[.]com: type A, class IN, addr 198.154.248.183

Packet 7892 is our GET request and we next land at the response in packet 8009.

Wow, a lot of traffic has gone by already.

Here we have a “compression failed” error in Wireshark, but we can still see the information at the end of the page by following the TCP stream.

[Screenshot: FlashRedirect1]

We see 2 GET request packets. The one at packet 9696 downloads a Flash file; packet 9745 does some form of Base64 decoding and then sends out a link to another site.

The GET request in packet 9809 is exactly like the earlier one, except that “/index.php” is tacked on to the end, and at packet 9913 we get redirected again to http:[//]fireman.carsassurance[.]info/topic/82711-crammer-warder-wept-scenically-wad-difficult-sparingly/

This leads us to packet 9957 and the response is at packet 10198 which is indeed the Angler EK.

[Screenshot: AnglerTraffic]

If we view the traffic here associated with the Angler EK, we see that packets 9957 and 10205 are associated with the first Flash file that directed us to the exploit kit. 9957 is the GET request for the Angler EK landing page and 10205 appears to be an encoded form of Base64 with some data in it. In packet 102011 we have the GET request for the Flash file from the Angler EK, and in packet 111201 we have an encrypted payload, which is most likely decoded by the Flash file.

This in turn leads us to the next alert at packet 11766 and the response at 11844, which is some currency rates. The alert suggests that it may be a connectivity beacon.

The next alert, in packets 11854 and 11863, appears to be the malware sending data as a Base64-encoded string in a POST request.

The next alerts, at packet 14212 and IP 171.35.182.56, are listed as ETPRO TROJAN Win32/Neutrino checkin 4.

[Screenshot: HiddenDataPost]

If we take a closer look at this traffic, it is hidden communication with the command and control server.

[Screenshot: CNCTraffic]

This traffic is using POST requests and 404 Not Found pages to pass information back and forth.

The 404 traffic is hiding Base64 strings in comment fields.
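As an added example (not from the post or the pcap), the following detection splits a raw HTTP response, keeps only 404 replies, and pulls out any HTML comment whose entire content is a Base64 token, decoding it; the 404 page is a constructed sample and the hidden string is made up.

```python
import base64
import re

COMMENT_RE = re.compile(rb"<!--(.*?)-->", re.DOTALL)
B64_TOKEN_RE = re.compile(rb"^[A-Za-z0-9+/]{16,}={0,2}$")   # whole comment is one Base64 token

def split_http_response(raw):
    """Split a raw HTTP/1.x response into (status_line, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return lines[0], headers, body

def hidden_base64_in_comments(body):
    """Return [(token, decoded_bytes)] for HTML comments whose content is nothing but Base64."""
    hits = []
    for m in COMMENT_RE.finditer(body):
        token = m.group(1).strip()
        if not B64_TOKEN_RE.match(token) or len(token) % 4:
            continue
        try:                                   # validate=True rejects stray characters
            hits.append((token, base64.b64decode(token, validate=True)))
        except ValueError:                     # binascii.Error is a ValueError subclass
            continue
    return hits

def flag_404_beacon(raw):
    """Inspect only 404 replies, matching the POST/404 exchange described above."""
    status, _headers, body = split_http_response(raw)
    if not status.startswith(b"HTTP/1.") or b" 404 " not in status:
        return []
    return hidden_base64_in_comments(body)

# Constructed sample: a 404 page with a harmless comment and one carrying a made-up command
SAMPLE_404 = (b"HTTP/1.1 404 Not Found\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
              b"<html><head><title>404 Not Found</title></head><body>\n"
              b"<!-- page generated 2016-03-30 -->\n"
              b"<h1>Not Found</h1><p>The requested URL was not found on this server.</p>\n"
              b"<!-- " + base64.b64encode(b"cmd=sleep;interval=300") + b" -->\n"
              b"</body></html>")

if __name__ == "__main__":
    for token, decoded in flag_404_beacon(SAMPLE_404):
        print(f"hidden comment {token.decode()} -> {decoded!r}")
```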

This leads us to the next alert, where this traffic downloads a binary file named domand756.exe.

Our next alert is for IP 104.193.252.234. I’m still not totally sure what this is doing, but it appears to be sending some host information.

[Screenshot: FirstUnknown]

If we look at these DNS requests, back to back right after the EXE was downloaded, it would suggest that the calls were made by the malware.

If we look at the malware in PeStudio and check the VirusTotal report, it has several different names.

[Screenshot: PeStudioVirustotal]

We see traffic in the alerts for the Bedep server response from

We also see queries for NTP servers in several locations, using 2 different Google DNS servers.

[Screenshot: NPTQuerys]

Here is the traffic associated with what the alerts say is the CnC traffic:

moregoodstafsforus.com: type A, class IN, addr 85.25.41.95
jimmymorisonguitars.com: type A, class IN, addr 89.163.241.90
daytonamagik.com: type A, class IN, addr 162.244.32.122
bookersmartest.xyz: type A, class IN, addr 162.244.32.121
lovelyroomsforday.com: type A, class IN, addr 104.193.252.234
kjnoa9sdi3mrlsdnfi.com: type A, class IN, addr 89.163.240.118

Each one calls out and ends up with “HTTP/1.1 302 Moved Temporarily”.

Looking at these, they all call out to http[:]//popcash[.]net/world/go/103680/204726, which is a popup advertiser.

All of the above appear to be doing the cascading calls. The last one in the list uses the same type of calls but calls out to http[://]c.feed-xml[.]com, which is another ad network.

In packets 14847 and 14925 we see that popcash is directing to an online game:

location: http[:]//track.diginews[.]pw/f8a38426-2a48-4dd4-817e-3b521b9af37d?siteid=204726&country=US\r\n

In packets 15003 and 15028, IP 68.177.32.113, we see another redirect from popcash to the fake pop-up alert (part of the decoded source below).

[Screenshot: FakeAlert]

This script also, at the bottom, directs to histats.com.

[Screenshot: HitStats]

s4.histats.com: type A, class IN, addr 184.173.167.98
s4.histats.com: type A, class IN, addr 208.43.241.178
s4.histats.com: type A, class IN, addr 208.43.241.179
s4.histats.com: type A, class IN, addr 208.43.241.181

The last alert listed is another redirect from popcash to an adult site.

Referer: http://popcash[.]net/world/go/103680/204726/

Full request URI: http://xxxsexcamera[.]club/

There is more traffic from popcash, and the redirects associated with it, that did not make the alert list.

In conclusion, this infection generated a lot of traffic and no doubt dropped several files on the infected system. I’m also sure that a lot of windows popped up at the time.

Recommendations:

Follow up with the user and clean the system or do a clean install.


About pcsxcetrasupport3

My part-time business; I mainly do system building and system repair. Over the last several years I have been building system utilities in VBScript, HTA applications and VB.Net to be able to better find the information I need to better understand the systems’ problems in order to get the systems repaired and back to my customers quicker.