Friday, August 19, 2016

EITest-Rig-EK & pseudoDarkleech-Neutrino-EK Traffic Analysis

This blog post walks through the lab exercise from "malware-traffic-analysis.net" posted on Aug 17th 2016. The focus is mainly on using a pre-built Splunk tool to detect and observe the behaviour. Suricata is used as the NIDS engine with ET signatures. Wireshark is used to further observe the payload, along with wget to download the HTML page of the compromised/redirect site to witness and deobfuscate the code.

http://www.malware-traffic-analysis.net/2016/08/17/index.html

ASSOCIATED FILES:

 2016-08-17-pcaps-for-ISC-diary.zip

Set-up

The set-up runs the tools (Suricata as the IDS, Wireshark and Fiddler) inside a separate analysis instance and uses a Splunk universal forwarder to transport the logs to the Splunk core instance. Follow the post below for installing Suricata and configuring it to transport its logs to Splunk.

There were two pcap files in the zip; I used mergecap to merge the two files into one, which makes the analysis in Splunk easier.

 mergecap -v input_file1.pcap inputfile2.pcap -w outputfile.pcap
Navigate to the Suricata folder and run the following command (-c is the config file, -r the pcap to read, -l the directory where eve.json and the other logs are written).

suricata -c suricata.yaml -r input_pcap_file_location -l output_location_to_store_the_logs

Example:-
root@brainfold-blackbox:/opt/suricata-3.1.1# suricata -c suricata.yaml -r /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016-08-17\ -\ PCAPS\ AND\ MALWARE\ FOR\ AN\ ISC\ DIARY/2016-08-17-pcaps-for-ISC-diary/2016-08-17-EITest-Rig-EK-sends-possible-Vawtrak-traffic.pcap -l /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016-08-17\ -\ PCAPS\ AND\ MALWARE\ FOR\ AN\ ISC\ DIARY/2016-08-17-pcaps-for-ISC-diary
19/8/2016 -- 07:04:48 - <Notice> - This is Suricata version 3.1.1 RELEASE
19/8/2016 -- 07:04:54 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
19/8/2016 -- 07:04:54 - <Notice> - Signal Received.  Stopping engine.
19/8/2016 -- 07:04:54 - <Notice> - Pcap-file module read 1985 packets, 1513868 bytes

Suricata's output file eve.json contains various event_types, segregating the activity into alert, dns, fileinfo, flow, http, stats and tls records. This is very useful for identifying the malicious events. Once the traffic is loaded into Splunk and viewed inside the Suricata dashboard, I can straightaway spot some domains and downloaded files that look out of the ordinary.
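The same triage that the Splunk dashboard gives can be reproduced offline with a few lines of Python over eve.json. The script below is an added example and is not code from the original post or from Suricata/Splunk; the eve.json lines it reads are constructed to follow Suricata's schema (event_type, http, fileinfo, alert, tls, flow keys), and every host name, IP address, file name and signature text in them is a placeholder rather than an indicator from the exercise. It counts records per event_type, rebuilds the HTTP request sequence, pulls out downloaded files whose magic says Flash or PE executable, and lists alert signatures and TLS server names.

```python
import json
from collections import Counter

# Constructed eve.json sample (one JSON object per line) in Suricata's
# schema. Hosts, IPs, file names and the alert signature are placeholders,
# not indicators taken from the exercise pcaps.
SAMPLE_EVE = r"""
{"timestamp":"2016-08-17T14:01:02.100000+0000","event_type":"dns","src_ip":"192.168.1.10","dest_ip":"192.168.1.1","dns":{"type":"query","rrname":"compromised-site.example","rrtype":"A"}}
{"timestamp":"2016-08-17T14:01:02.300000+0000","event_type":"http","src_ip":"192.168.1.10","dest_ip":"198.51.100.20","http":{"hostname":"compromised-site.example","url":"/index.html","http_method":"GET","status":200}}
{"timestamp":"2016-08-17T14:01:03.000000+0000","event_type":"fileinfo","src_ip":"198.51.100.20","dest_ip":"192.168.1.10","http":{"hostname":"compromised-site.example","url":"/index.html"},"fileinfo":{"filename":"/index.html","magic":"HTML document, ASCII text","size":24567}}
{"timestamp":"2016-08-17T14:01:05.000000+0000","event_type":"http","src_ip":"192.168.1.10","dest_ip":"203.0.113.7","http":{"hostname":"ek-landing.example","url":"/?q=abc","http_method":"GET","status":200}}
{"timestamp":"2016-08-17T14:01:06.000000+0000","event_type":"alert","src_ip":"192.168.1.10","dest_ip":"203.0.113.7","alert":{"signature":"PLACEHOLDER exploit kit landing page signature","category":"Exploit Kit Activity Detected","severity":1}}
{"timestamp":"2016-08-17T14:01:07.000000+0000","event_type":"fileinfo","src_ip":"203.0.113.7","dest_ip":"192.168.1.10","http":{"hostname":"ek-landing.example","url":"/flash.swf"},"fileinfo":{"filename":"/flash.swf","magic":"Macromedia Flash data (compressed), version 10","size":60211}}
{"timestamp":"2016-08-17T14:01:09.000000+0000","event_type":"fileinfo","src_ip":"203.0.113.7","dest_ip":"192.168.1.10","http":{"hostname":"ek-landing.example","url":"/payload"},"fileinfo":{"filename":"/payload","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","size":305152}}
{"timestamp":"2016-08-17T14:01:20.000000+0000","event_type":"tls","src_ip":"192.168.1.10","dest_ip":"198.51.100.99","tls":{"subject":"CN=example-c2.example","sni":"example-c2.example","version":"TLS 1.2"}}
{"timestamp":"2016-08-17T14:01:21.000000+0000","event_type":"flow","src_ip":"192.168.1.10","dest_ip":"198.51.100.99","flow":{"pkts_toserver":10,"pkts_toclient":12}}
"""

# File types worth a second look in an exploit-kit chain: substring of the
# libmagic description -> label. HTML is left out because it is the normal case.
INTERESTING_MAGIC = {"Flash": "flash", "PE32": "executable"}


def load_eve(text):
    """Parse eve.json text into a list of dicts, skipping blank or broken lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line at the end of a live log is common
    return sorted(events, key=lambda e: e.get("timestamp", ""))


def count_event_types(events):
    """Counter of records per event_type (alert, dns, fileinfo, flow, http, tls...)."""
    return Counter(e.get("event_type") for e in events)


def http_timeline(events):
    """Ordered list of (timestamp, method, host+url, status) for http records."""
    out = []
    for e in events:
        if e.get("event_type") != "http":
            continue
        h = e["http"]
        out.append((e["timestamp"], h.get("http_method"),
                    h.get("hostname", "") + h.get("url", ""), h.get("status")))
    return out


def suspicious_files(events):
    """fileinfo records whose magic matches INTERESTING_MAGIC, with a label."""
    found = []
    for e in events:
        if e.get("event_type") != "fileinfo":
            continue
        magic = e["fileinfo"].get("magic", "")
        for needle, label in INTERESTING_MAGIC.items():
            if needle in magic:
                found.append({"host": e.get("http", {}).get("hostname"),
                              "filename": e["fileinfo"].get("filename"),
                              "size": e["fileinfo"].get("size"),
                              "magic_class": label})
                break
    return found


def alert_signatures(events):
    """Distinct alert signature strings in the order first seen."""
    seen = []
    for e in events:
        if e.get("event_type") == "alert":
            sig = e["alert"].get("signature")
            if sig not in seen:
                seen.append(sig)
    return seen


def tls_server_names(events):
    """Set of TLS SNI values, useful when post-infection traffic is encrypted."""
    return {e["tls"].get("sni") for e in events if e.get("event_type") == "tls"}


if __name__ == "__main__":
    ev = load_eve(SAMPLE_EVE)
    print("event types:", dict(count_event_types(ev)))
    for row in http_timeline(ev):
        print("http:", row)
    for f in suspicious_files(ev):
        print("file:", f)
    print("alerts:", alert_signatures(ev))
    print("tls sni:", tls_server_names(ev))
```

To use it on a real run, replace SAMPLE_EVE with the contents of the eve.json that Suricata wrote to the -l directory. Matching on the libmagic description rather than on the URL is deliberate: exploit kit landing pages serve the Flash exploit and the payload from URLs with no meaningful extension, so the file type reported by Suricata's file extraction is the more reliable signal.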

Http Traffic
The screenshot below shows the HTTP traffic that occurred during the infection.

HTTP Traffic with sequence of events

Files Downloaded
The screenshot below shows the Flash (swf) and HTML files downloaded.
DNS Traffic

TLS Traffic

Virus total submission for the "Vawtrak.exe" file

VirusTotal lookup for the DLL file - 2016-08-17-pseudoDarkleech-Neutrino-EK-payload-CrypMIC

Malicious URLs within the HTML page