Monday, August 29, 2016

BANDARCHOR RANSOMWARE - Traffic Analysis

This blog post walks through the lab exercise from "malware-traffic-analysis.net" posted on Aug 26th 2016. The focus is mainly on using Splunk to detect and observe the behaviour. Suricata is used as the NIDS engine with ET signatures, Wireshark is used to observe the payload further, and the honey client THUG is used to analyse the URLs and pass its output on to Splunk.

http://www.malware-traffic-analysis.net/2016/08/26/index3.html

ASSOCIATED FILES:

2016-08-26-EITest-Rig-EK-sends-Bandarchor.pcap.zip

Set-up

The set-up is to run tools like Suricata (IDS), Wireshark and the honeypot inside a separate instance for analysis, and to use a Splunk universal forwarder to transport the logs to the Splunk core instance. Follow the post below for installing Suricata and configuring it to forward its logs to Splunk.

http://www.brainfold.net/2015/08/suricata-installation-configuration-to_6.html

suricata -c suricata.yaml -r input_pcap_file_location -l output_location_to_store_the_logs

Suricata's output file eve.json contains various event_types, segregating the activity into alert, dns, fileinfo, flow, http, stats and tls records. This is very useful for identifying the malicious events. Once the traffic is loaded into Splunk and viewed in the Suricata dashboard, I can straightaway spot some domains and downloaded files that look out of the ordinary.

Alerts raised by the NIDS [screenshot]

HTTP Requests to malicious domains [screenshot]

HTTP Traffic with flow of information [screenshot]

HTTP Traffic in Wireshark [screenshot]

Files Downloaded [screenshot]

Post infection traffic [screenshot]

Malicious Executable analysis

Imports [screenshot]

PE info - Sections [screenshot]

Threat Intelligence on the IOCs shows various submissions and hits on the VT and Malshare sites.

IOC - 109.236.87.204 [screenshot]

Threat Intelligence on the IOC - 85.93.0.110 [screenshot]


Wednesday, August 24, 2016

PSEUDO-DARKLEECH NEUTRINO EK - CRYPMIC RANSOMWARE

This blog post walks through the lab exercise from "malware-traffic-analysis.net" posted on Aug 23rd 2016. The focus is mainly on using Splunk to detect and observe the behaviour. Suricata is used as the NIDS engine with ET signatures, Wireshark is used to observe the payload further, and the honey client THUG is used to analyse the URLs and pass its output on to Splunk.


http://www.malware-traffic-analysis.net/2016/08/23/index2.html

ASSOCIATED FILES:

2016-08-23-pseudoDarkleech-Neutrino-EK-sends-CrypMIC.pcap

Set-up

The set-up is to run tools like Suricata (IDS), Wireshark and the honeypot inside a separate instance for analysis, and to use a Splunk universal forwarder to transport the logs to the Splunk core instance. Follow the post below for installing Suricata and configuring it to forward its logs to Splunk.

http://www.brainfold.net/2015/08/suricata-installation-configuration-to_6.html

suricata -c suricata.yaml -r input_pcap_file_location -l output_location_to_store_the_logs

Suricata's output file eve.json contains various event_types, segregating the activity into alert, dns, fileinfo, flow, http, stats and tls records. This is very useful for identifying the malicious events. Once the traffic is loaded into Splunk and viewed in the Suricata dashboard, I can straightaway spot some domains and downloaded files that look out of the ordinary.

Alerts raised by the NIDS [screenshot]

High level Traffic information with types of files [screenshot]

The screenshot below shows the HTTP traffic that happened during the infection.

HTTP Traffic with sequence of events [screenshot]

Files Downloaded [screenshot]
The screenshots show the files downloaded and their types.

Iframe injection [screenshot]

Threat Intelligence for the indicator shows the following hits



____________________     Results found for: 66.8.77.86     ____________________
No results found in the RTex DNS
No results found in the FNet URL
[+] VT ASN: 16637
[+] VT Country: ZA
[+] VT AS Owner: No results found

Monday, August 22, 2016

EITEST RIG EK - GOOTKIT

This blog post walks through the lab exercise from "malware-traffic-analysis.net" posted on Aug 18th 2016. The focus is mainly on using the pre-built Splunk tooling to detect and observe the behaviour. Suricata is used as the NIDS engine with ET signatures, and Wireshark is used to observe the payload further. I have also used thug to analyse the domains and pass its output on to Splunk.

http://www.malware-traffic-analysis.net/2016/08/18/index.html
ASSOCIATED FILES:

2016-08-18-EITest-Rig-EK-sends-Gootkit.pcap

Set-up

The set-up is to run tools like Suricata (IDS), Wireshark and the honeypot inside a separate instance for analysis, and to use a Splunk universal forwarder to transport the logs to the Splunk core instance. Follow the earlier post on Suricata installation for installing it and configuring it to forward its logs to Splunk.

suricata -c suricata.yaml -r input_pcap_file_location -l output_location_to_store_the_logs

Example of successful output:
22/8/2016 -- 06:55:19 - <Notice> - This is Suricata version 3.1.1 RELEASE
22/8/2016 -- 06:55:26 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
22/8/2016 -- 06:55:26 - <Notice> - Signal Received.  Stopping engine.
22/8/2016 -- 06:55:27 - <Notice> - Pcap-file module read 374 packets, 302575 bytes

Suricata's output file eve.json contains various event_types, segregating the activity into alert, dns, fileinfo, flow, http, stats and tls records. This is very useful for identifying the malicious events. Once the traffic is loaded into Splunk and viewed in the Suricata dashboard, I can straightaway spot some domains and downloaded files that look out of the ordinary.

Alerts raised by the NIDS [screenshot]

High level Traffic information with types of files [screenshot]

Http Traffic
The screenshot below shows the HTTP traffic that happened during the infection. [screenshot]

HTTP Traffic with sequence of events [screenshot]

Files Downloaded
The screenshots show the files downloaded and their types. [screenshot]

DNS Traffic [screenshot]

URL/Domain analysis with the honeypot, feeding its JSON events into Splunk.
The screenshot below shows the traffic for RIG EK. [screenshot]

The screenshot below shows the traffic for the gate. [screenshot]


Friday, August 19, 2016

EITest-Rig-EK & pseudoDarkleech-Neutrino-EK Traffic Analysis

This blog post walks through the lab exercise from "malware-traffic-analysis.net" posted on Aug 17th 2016. The focus is mainly on using the pre-built Splunk tooling to detect and observe the behaviour. Suricata is used as the NIDS engine with ET signatures, and Wireshark is used to observe the payload further, along with wget to download the HTML page of the compromised/redirect site in order to inspect and deobfuscate the code.

http://www.malware-traffic-analysis.net/2016/08/17/index.html

ASSOCIATED FILES:

2016-08-17-pcaps-for-ISC-diary.zip

Set-up

The set-up is to run tools like Suricata (IDS), Wireshark and Fiddler inside a separate instance for analysis, and to use a Splunk universal forwarder to transport the logs to the Splunk core instance. Follow the earlier post on Suricata installation for installing it and configuring it to forward its logs to Splunk.

There were 2 pcap files in the zip; I used mergecap to merge the 2 files into one, making the analysis in Splunk easier.

mergecap -v -w outputfile.pcap input_file1.pcap input_file2.pcap

Navigate to the suricata folder and run the following command.

suricata -c suricata.yaml -r input_pcap_file_location -l output_location_to_store_the_logs

Example:-
root@brainfold-blackbox:/opt/suricata-3.1.1# suricata -c suricata.yaml -r /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016-08-17\ -\ PCAPS\ AND\ MALWARE\ FOR\ AN\ ISC\ DIARY/2016-08-17-pcaps-for-ISC-diary/2016-08-17-EITest-Rig-EK-sends-possible-Vawtrak-traffic.pcap -l /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016-08-17\ -\ PCAPS\ AND\ MALWARE\ FOR\ AN\ ISC\ DIARY/2016-08-17-pcaps-for-ISC-diary
19/8/2016 -- 07:04:48 - <Notice> - This is Suricata version 3.1.1 RELEASE
19/8/2016 -- 07:04:54 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
19/8/2016 -- 07:04:54 - <Notice> - Signal Received.  Stopping engine.
19/8/2016 -- 07:04:54 - <Notice> - Pcap-file module read 1985 packets, 1513868 bytes

Suricata's output file eve.json contains various event_types, segregating the activity into alert, dns, fileinfo, flow, http, stats and tls records. This is very useful for identifying the malicious events. Once the traffic is loaded into Splunk and viewed in the Suricata dashboard, I can straightaway spot some domains and downloaded files that look out of the ordinary.

Http Traffic
The screenshot below shows the HTTP traffic that happened during the infection. [screenshot]

HTTP Traffic with sequence of events [screenshot]

Files Downloaded
The screenshot below shows the flash (swf) and html files downloaded. [screenshot]

DNS Traffic [screenshot]

TLS Traffic [screenshot]

Virus total submission for the "Vawtrak.exe" file [screenshot]

Virustotal lookup for the dll file - 2016-08-17-pseudoDarkleech-Neutrino-EK-payload-CrypMIC [screenshot]

Malicious URLs within the HTML page [screenshot]

Wednesday, August 17, 2016

ZEPTO VARIANT LOCKY MALSPAM

This blog post walks through the lab exercise from "malware-traffic-analysis.net" posted on Aug 15th 2016. The focus is mainly on using the pre-built Splunk tooling to detect and observe the behaviour. Suricata is used as the NIDS engine with ET signatures, and Wireshark is used to observe the payload further, along with wget to download the HTML page of the compromised/redirect site in order to inspect and deobfuscate the code.

Source - http://www.malware-traffic-analysis.net/2016/08/15/index.html
ASSOCIATED FILES:

ZIP archive of today's data: 2016-08-15-locky-malspam-data.zip

Set-up

The set-up is to run tools like Suricata (IDS), Wireshark and Fiddler inside a separate instance for analysis, and to use a Splunk universal forwarder to transport the logs to the Splunk core instance. Follow the earlier post on Suricata installation for installing it and configuring it to forward its logs to Splunk.


Navigate to the suricata folder and run the following command.

suricata -c suricata.yaml -r input_pcap_file_location -l output_location_to_store_the_logs

Example:-
root@brainfold-blackbox:/opt/suricata-3.1.1# suricata -c suricata.yaml -r /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016-08-15\ -\ ZEPTO\ VARIANT\ LOCKY\ MALSPAM/2016-08-15-locky-malspam-data/2016-08-15-traffic-from-Locky-malspam.pcap -l /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016-08-15\ -\ ZEPTO\ VARIANT\ LOCKY\ MALSPAM/2016-08-15-locky-malspam-data/
17/8/2016 -- 18:12:48 - <Notice> - This is Suricata version 3.1.1 RELEASE
17/8/2016 -- 18:12:54 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
17/8/2016 -- 18:12:54 - <Notice> - Signal Received.  Stopping engine.
17/8/2016 -- 18:12:55 - <Notice> - Pcap-file module read 686 packets, 568729 bytes
Suricata's output file eve.json contains various event_types, segregating the activity into alert, dns, fileinfo, flow, http, stats and tls records. This is very useful for identifying the malicious events.

Once the traffic is loaded into Splunk and viewed in the Suricata dashboard, I can straightaway spot some domains and downloaded files that look out of the ordinary.
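One way to do the eve.json triage this paragraph describes (the same paragraph appears in each post above) without the dashboard, as an added Python example that is not the post's code: split events by event_type, attach the HTTP hostname and URL from the same flow_id to each alert, and pull PE downloads out of fileinfo. The sample events are constructed (reserved .test hostnames, documentation-range IPs, made-up signature names), and the flow_id correlation assumes Suricata 3.x eve output that carries flow_id on http and alert records.

```python
"""Triage a Suricata eve.json (JSON lines) the way the post's Splunk dashboard is used:
count event types, tie each alert to the HTTP host/URL on its flow, list EXE downloads."""
import json
from collections import Counter, defaultdict

# Constructed sample events, not output from the post's pcap: reserved .test hostnames,
# documentation-range IPs (192.0.2.0/24, 198.51.100.0/24) and made-up ET-style signature names.
SAMPLE_EVE = """
{"timestamp":"2016-08-26T10:00:01.000000+0000","flow_id":101,"event_type":"dns","src_ip":"192.0.2.10","dest_ip":"192.0.2.1","dns":{"type":"query","rrname":"landing.ek-example.test","rrtype":"A"}}
{"timestamp":"2016-08-26T10:00:02.000000+0000","flow_id":102,"event_type":"http","src_ip":"192.0.2.10","src_port":49200,"dest_ip":"198.51.100.7","dest_port":80,"http":{"hostname":"landing.ek-example.test","url":"/?q=gate","http_method":"GET","status":200,"http_content_type":"text/html","length":3421}}
{"timestamp":"2016-08-26T10:00:02.100000+0000","flow_id":102,"event_type":"alert","src_ip":"198.51.100.7","src_port":80,"dest_ip":"192.0.2.10","dest_port":49200,"proto":"TCP","alert":{"signature_id":9000001,"signature":"TEST CURRENT_EVENTS EK landing page","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2016-08-26T10:00:03.000000+0000","flow_id":103,"event_type":"http","src_ip":"192.0.2.10","src_port":49201,"dest_ip":"198.51.100.7","dest_port":80,"http":{"hostname":"landing.ek-example.test","url":"/payload.exe","http_method":"GET","status":200,"http_content_type":"application/x-msdownload","length":180224}}
{"timestamp":"2016-08-26T10:00:03.200000+0000","flow_id":103,"event_type":"fileinfo","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","http":{"hostname":"landing.ek-example.test","url":"/payload.exe"},"fileinfo":{"filename":"/payload.exe","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","state":"CLOSED","size":180224}}
{"timestamp":"2016-08-26T10:00:03.300000+0000","flow_id":103,"event_type":"alert","src_ip":"198.51.100.7","src_port":80,"dest_ip":"192.0.2.10","dest_port":49201,"proto":"TCP","alert":{"signature_id":9000002,"signature":"TEST EXE download from EK host","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2016-08-26T10:00:04.000000+0000","flow_id":104,"event_type":"http","src_ip":"192.0.2.10","src_port":49202,"dest_ip":"198.51.100.9","dest_port":80,"http":{"hostname":"www.example.test","url":"/","http_method":"GET","status":200,"http_content_type":"text/html","length":512}}
"""

def parse_eve(text):
    """Parse JSON-lines eve output, skipping blank or truncated lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            try:
                events.append(json.loads(line))
            except ValueError:
                pass  # e.g. a half-written last line in a live eve.json
    return events

def triage(events):
    """Counts per event_type, flow-enriched alerts, and executables seen in fileinfo."""
    counts = Counter(e.get("event_type") for e in events)
    http_by_flow = defaultdict(list)  # flow_id -> [http objects on that flow]
    for e in events:
        if e.get("event_type") == "http" and "flow_id" in e:
            http_by_flow[e["flow_id"]].append(e["http"])
    alerts = []
    for e in (x for x in events if x.get("event_type") == "alert"):
        ctx = http_by_flow.get(e.get("flow_id"), [])  # same flow_id as the alert
        alerts.append({"signature": e["alert"]["signature"],
                       "severity": e["alert"].get("severity"),
                       "src": e.get("src_ip"), "dest": e.get("dest_ip"),
                       "hosts": sorted({h.get("hostname", "") for h in ctx}),
                       "urls": sorted({h.get("url", "") for h in ctx})})
    executables = []
    for e in (x for x in events if x.get("event_type") == "fileinfo"):
        fi = e["fileinfo"]
        name = fi.get("filename", "").lower()
        if "PE32" in fi.get("magic", "") or name.endswith((".exe", ".dll")):  # magic needs libmagic
            executables.append({"host": e.get("http", {}).get("hostname"),
                                "filename": fi.get("filename"),
                                "magic": fi.get("magic"), "size": fi.get("size")})
    return {"counts": dict(counts), "alerts": alerts, "executables": executables}

if __name__ == "__main__":
    print(json.dumps(triage(parse_eve(SAMPLE_EVE)), indent=2))
```

Point parse_eve at the real eve.json written by the suricata command above to get the same alert-to-host mapping the dashboard screenshots show.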

Http Traffic
The screenshot below shows the HTTP traffic that happened during the infection. [screenshot]

HTTP Traffic with sequence of events [screenshot]

Files Downloaded
The screenshot below shows the flash (swf) and html files downloaded. [screenshot]

DNS Traffic
No DNS/TLS/SMTP traffic observed within the pcap file.

Sample analysis will be updated shortly...