Tuesday, December 8, 2015

Angler EK - TeslaCrypt - Traffic Analysis and IOC - Splunk and Suricata (IDS)

This blog post walks through the lab exercise from "malware-traffic-analysis.net" posted in Nov 2015, with the focus mainly on using Splunk as a SIEM tool to detect the pattern. It assumes some basic working knowledge of Splunk, Suricata and Wireshark.

Lab-Setup

My set-up runs the tools (Suricata as the IDS, Wireshark and Fiddler) inside a virtual instance for analysis and uses a Splunk universal forwarder to transport the logs to the Splunk core instance. Follow the post below for installing Suricata and configuring it to forward its logs to Splunk.


Navigate to the Suricata folder and run the following command, where -c points at the configuration file, -r at the pcap to replay and -l at the directory where the logs are written.

suricata -c suricata.yaml -r input_pcap_file_location -l output_location_to_store_the_logs

Example:

root@brainfold-blackbox:/opt# suricata -c /opt/suricata-3.1.1/suricata.yaml -r /mnt/hgfs/Shared/network_traffic_analysis/CRIME/Angular-EK_TeslaCrypt/Angler\=EK-traffic.pcap -l /mnt/hgfs/Shared/network_traffic_analysis/CRIME/Angular-EK_TeslaCrypt/

A successful run prints the following notices without any errors.

<Notice> - This is Suricata version 3.1.1 RELEASE
<Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
<Notice> - Signal Received.  Stopping engine.
<Notice> - Pcap-file module read 3103 packets, 2155330 bytes

Suricata's output file eve.json contains one JSON record per line, each tagged with an event_type (alert, dns, fileinfo, flow, http, stats, tls). This separates the activity by protocol and makes the malicious events much easier to identify.

Angler EK - TeslaCrypt

Initial requests were made to ojituksenastevaihtelutyypill[.]my-payroll-site.org, a compromised site. The user is then redirected to the landing site 24u4jf7s4regu6hn.htye943kjc38[.]com, from which a few HTML files with embedded iframes and JavaScript are downloaded. The exploit kit profiles the victim's browser, add-ons and OS before connecting to the C2. The various file downloads, HTTP and DNS connections are outlined in the screenshots below.


Screenshot showing the Emerging Threats Signature


List of Signatures Triggered

The alert.signature!="*suricata*" clause drops Suricata's own protocol-anomaly alerts (their signature names start with SURICATA) so that only the Emerging Threats rule hits are listed.

index="suricata" sourcetype="pcap" source="*Angular-EK_TeslaCrypt*" event_type=alert alert.signature!="*suricata*" | stats count by alert.signature | RENAME alert.signature AS "Signatures_Triggered"
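As an added example (not code from the original post), the following Python script reads Suricata's eve.json directly and reproduces the search above without a SIEM: it breaks the records down by event_type and then counts alerts by signature while dropping Suricata's built-in protocol-anomaly signatures. The embedded eve.json records are constructed for the example; the signature names, sids and addresses in them are placeholders and are not from the lab pcap.

```python
"""Added example (not from the original post): reproduce the Splunk search
above directly against Suricata's eve.json, without a SIEM."""
import json
from collections import Counter

# Constructed sample eve.json records (NOT from the lab pcap). Signature
# names, sids and addresses are illustrative placeholders only.
SAMPLE_EVE = """\
{"timestamp":"2015-11-24T10:00:01.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"203.0.113.5","alert":{"signature_id":1000001,"signature":"ET CURRENT_EVENTS Sample EK Landing Page (constructed)","category":"Exploit Kit Activity","severity":1}}
{"timestamp":"2015-11-24T10:00:02.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"203.0.113.5","alert":{"signature_id":1000001,"signature":"ET CURRENT_EVENTS Sample EK Landing Page (constructed)","category":"Exploit Kit Activity","severity":1}}
{"timestamp":"2015-11-24T10:00:03.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"203.0.113.7","alert":{"signature_id":1000002,"signature":"ET TROJAN Sample Ransomware Check-in (constructed)","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2015-11-24T10:00:04.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.10","alert":{"signature_id":1000003,"signature":"SURICATA HTTP sample protocol-anomaly event (constructed)","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2015-11-24T10:00:05.000000+0000","event_type":"http","src_ip":"192.0.2.10","dest_ip":"203.0.113.5","http":{"hostname":"landing-page.test","url":"/"}}
{"timestamp":"2015-11-24T10:00:06.000000+0000","event_type":"dns","src_ip":"192.0.2.10","dest_ip":"192.0.2.1","dns":{"type":"query","rrname":"landing-page.test"}}
"""


def parse_eve(text):
    """Parse newline-delimited eve.json, skipping blank or truncated lines.

    Suricata appends one JSON object per line; the last line can be
    incomplete if the file is read while the engine is still writing.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def events_by_type(records):
    """Count records per event_type (alert, dns, fileinfo, flow, http, ...)."""
    return Counter(r.get("event_type", "unknown") for r in records)


def signatures_triggered(records, exclude_engine_alerts=True):
    """Equivalent of:
       event_type=alert alert.signature!="*suricata*" | stats count by alert.signature

    Suricata's own decoder/stream/app-layer event rules have signature names
    starting with SURICATA; excluding them leaves only the ruleset (here
    Emerging Threats) hits.
    """
    counts = Counter()
    for r in records:
        if r.get("event_type") != "alert":
            continue
        sig = r.get("alert", {}).get("signature", "")
        if exclude_engine_alerts and "suricata" in sig.lower():
            continue
        counts[sig] += 1
    return counts


if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE)
    print("event types:", dict(events_by_type(recs)))
    for sig, n in signatures_triggered(recs).most_common():
        print(f"{n:4d}  {sig}")
```

To run it against a real file, replace SAMPLE_EVE with the contents of the eve.json written by the -l output directory (for example parse_eve(open("eve.json").read())); the filtering logic is the same as the Splunk search.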




List of Notable HTTP Traffic



index="suricata" sourcetype="pcap" source="*Angular-EK_TeslaCrypt*" fileinfo.filename=* NOT (http.hostname="*google*" OR http.hostname="*facebook*" OR http.hostname="*bing*" OR http.hostname="*youtube*" OR http.hostname="*microsoft*" OR fileinfo.filename="*.css" OR fileinfo.filename="*.eot" OR fileinfo.filename="*.woff" OR fileinfo.filename="/" OR fileinfo.filename="*.jpg" OR fileinfo.filename="*.png" OR fileinfo.filename="*.gif" OR fileinfo.filename="*.woff2") | stats count by http.http_content_type




In this lab instance, the data reaching Splunk is not enough to see packet-level information. Wireshark fills that gap.


HTTP traffic in Wireshark


Files Downloaded

index="suricata"  sourcetype="pcap" source="*Angular-EK_TeslaCrypt*" fileinfo.filename=* NOT (http.hostname="*google*" OR http.hostname="*facebook*" OR http.hostname="*bing*" OR http.hostname="*youtube*" OR http.hostname="*microsoft*" OR fileinfo.filename="*.js" OR fileinfo.filename="*.css" OR fileinfo.filename="*.eot" OR fileinfo.filename="*.woff" OR fileinfo.filename="/" OR fileinfo.filename="*.jpg" OR fileinfo.filename="*.png" OR fileinfo.filename="*.gif" OR fileinfo.filename="*.woff2")  | stats values(fileinfo.filename) AS "Files Downloaded" values(http.http_content_type) AS Content_type by http.hostname src_ip | RENAME http.hostname AS "Malicious Domain"
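As an added example (not code from the original post), the following Python script runs the "Files Downloaded" search above offline over eve.json fileinfo records: it applies the same noise exclusions (well-known hostnames and static asset extensions, matched with Splunk-style wildcards) and then groups the remaining filenames and content types by hostname and src_ip. The embedded fileinfo records are constructed for the example; the hostnames and addresses in them are placeholders and are not from the lab pcap.

```python
"""Added example (not from the original post): the "Files Downloaded" search
above, run offline over Suricata eve.json fileinfo records."""
import json
from collections import defaultdict
from fnmatch import fnmatchcase

# Exclusion lists copied from the search above; Splunk-style wildcards.
NOISE_HOSTS = ["*google*", "*facebook*", "*bing*", "*youtube*", "*microsoft*"]
NOISE_FILES = ["*.js", "*.css", "*.eot", "*.woff", "*.woff2", "/",
               "*.jpg", "*.png", "*.gif"]

# Constructed sample fileinfo records (NOT from the lab pcap); hostnames
# and addresses are placeholders.
SAMPLE_FILEINFO = """\
{"event_type":"fileinfo","src_ip":"203.0.113.10","dest_ip":"192.0.2.10","http":{"hostname":"compromised-site.test","url":"/index.html","http_content_type":"text/html"},"fileinfo":{"filename":"/index.html","size":5120}}
{"event_type":"fileinfo","src_ip":"203.0.113.10","dest_ip":"192.0.2.10","http":{"hostname":"compromised-site.test","url":"/js/jquery.js","http_content_type":"application/javascript"},"fileinfo":{"filename":"/js/jquery.js","size":90000}}
{"event_type":"fileinfo","src_ip":"203.0.113.10","dest_ip":"192.0.2.10","http":{"hostname":"compromised-site.test","url":"/logo.png","http_content_type":"image/png"},"fileinfo":{"filename":"/logo.png","size":2048}}
{"event_type":"fileinfo","src_ip":"203.0.113.20","dest_ip":"192.0.2.10","http":{"hostname":"landing-page.test","url":"/eh4k3j.html","http_content_type":"text/html"},"fileinfo":{"filename":"/eh4k3j.html","size":31000}}
{"event_type":"fileinfo","src_ip":"203.0.113.20","dest_ip":"192.0.2.10","http":{"hostname":"landing-page.test","url":"/flash/load.swf","http_content_type":"application/x-shockwave-flash"},"fileinfo":{"filename":"/flash/load.swf","size":70000}}
{"event_type":"fileinfo","src_ip":"203.0.113.20","dest_ip":"192.0.2.10","http":{"hostname":"landing-page.test","url":"/style.css","http_content_type":"text/css"},"fileinfo":{"filename":"/style.css","size":800}}
{"event_type":"fileinfo","src_ip":"203.0.113.30","dest_ip":"192.0.2.10","http":{"hostname":"www.google.test","url":"/search?q=x","http_content_type":"text/html"},"fileinfo":{"filename":"/search","size":1000}}
{"event_type":"fileinfo","src_ip":"203.0.113.40","dest_ip":"192.0.2.10","http":{"hostname":"cdn.test","url":"/","http_content_type":"text/html"},"fileinfo":{"filename":"/","size":300}}
{"event_type":"http","src_ip":"192.0.2.10","dest_ip":"203.0.113.20","http":{"hostname":"landing-page.test","url":"/eh4k3j.html"}}
"""


def load_records(text):
    """One JSON object per line, as Suricata writes eve.json."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matches_any(value, patterns):
    """Splunk-style wildcard match: '*' matches anything, case-insensitive."""
    v = value.lower()
    return any(fnmatchcase(v, p.lower()) for p in patterns)


def files_downloaded(records, noise_hosts=NOISE_HOSTS, noise_files=NOISE_FILES):
    """Equivalent of:
       fileinfo.filename=* NOT (<noise hosts> OR <noise files>)
       | stats values(fileinfo.filename) values(http.http_content_type)
         by http.hostname src_ip
    Returns {(hostname, src_ip): {"files": [...], "content_types": [...]}}.
    """
    groups = defaultdict(lambda: {"files": set(), "content_types": set()})
    for r in records:
        if r.get("event_type") != "fileinfo":
            continue
        filename = r.get("fileinfo", {}).get("filename")
        if not filename:
            continue  # fileinfo.filename=* requires the field to be present
        http = r.get("http", {})
        host = http.get("hostname")
        if not host:
            continue  # stats ... by http.hostname drops events without it
        if matches_any(host, noise_hosts) or matches_any(filename, noise_files):
            continue
        key = (host, r.get("src_ip", ""))
        groups[key]["files"].add(filename)
        if http.get("http_content_type"):
            groups[key]["content_types"].add(http["http_content_type"])
    return {k: {"files": sorted(v["files"]),
                "content_types": sorted(v["content_types"])}
            for k, v in groups.items()}


if __name__ == "__main__":
    recs = load_records(SAMPLE_FILEINFO)
    for (host, ip), info in sorted(files_downloaded(recs).items()):
        print(f"{host:25s} {ip:15s} {info['content_types']} {info['files']}")
```

The exclusion lists are deliberately the same as in the search so that the two produce identical tables on the same eve.json; extending NOISE_FILES is the offline equivalent of adding another OR clause to the NOT (...) block.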


DNS Traffic: DNS queries made during this scenario

TLS Traffic


Further analysis of the compromised and landing sites, for example with NetworkMiner or Fiddler, helps in understanding the scripts that were downloaded.