Wednesday, August 10, 2016

LOCKY MALSPAM - Traffic Analysis and Indicators

This blog post walks through the lab exercise from "" posted in Aug 2016, "2016-08-08 - LOCKY MALSPAM". The focus is mainly on using Splunk as a SIEM tool to detect . Wireshark and Suricata are also used to further understand the pattern.


ZIP archive of the traffic:   705.7 kB (705,748 bytes)

2016-08-08-Locky-malspam-traffic.pcap   (873,563 bytes)

ZIP archive of the email, malware, and artifacts:   249.9 kB (249,919 bytes)


The set-up is to run tools like Suricata (IDS), Wireshark and Fiddler inside a separate instance for analysis, and to use a Splunk universal forwarder to transport the logs to the Splunk Core instance. Follow the post below to install Suricata and configure it to transport the logs to Splunk.

Navigate to the Suricata folder and run the following command (reading the pcap offline with -r and writing the logs, including eve.json, to the directory given by -l):

suricata -c suricata.yaml -r input_pcap_file_location -l output_location_to_store_the_logs


root@brainfold-blackbox:/opt/suricata-3.1.1# suricata -c suricata.yaml -r /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016_08_Locky_malspam/2016-08-08-Locky-malspam-traffic.pcap -l /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016_08_Locky_malspam/
<Notice> - This is Suricata version 3.1.1 RELEASE
<Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
<Notice> - Signal Received.  Stopping engine.
<Notice> - Pcap-file module read 1008 packets, 857411 bytes

Suricata's output file eve.json contains one JSON record per line, each tagged with an event_type that segregates the activity into alert, dns, fileinfo, flow, http, stats and tls events. This is very useful in identifying the malicious events, because each event type can be searched and pivoted on separately.

Once the traffic is loaded in Splunk, first search for rare/uncommon http.hostname values, and then follow the flow of events by unique host. In this instance, I have removed the known good traffic like google, facebook and twitter. It is better to have a lookup file with known good http.hostname values, which removes the noise. The highlighted traffic requires further triage.

index="suricata" sourcetype="pcap" source="*2016-06-03-traffic-analysis-exercise*" event_type=* NOT (http.hostname="*" OR http.hostname=* OR http.hostname="*" OR http.hostname="*" OR http.hostname="*")   | table timestamp src_ip dest_ip http.status http.hostname http.url | dedup http.hostname | sort timestamp
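The same triage can be reproduced directly on eve.json without Splunk, which is handy for checking what the SPL search above actually returns. The script below is an added example and is not code from the original post: it parses constructed eve.json lines (placeholder hostnames and IPs, not the exercise's own indicators), counts records per event_type as described earlier, applies a known-good hostname lookup, and emits the first-seen row per rare hostname in the same columns as the Splunk table. It goes one step beyond the search by also listing fileinfo events, which is the "files downloaded" view used later in the post. The KNOWN_GOOD set and the sample lines are assumptions for illustration.

```python
import json

# Constructed sample of Suricata eve.json lines (NOT from the exercise pcap).
# Hostnames and IPs are placeholders chosen for illustration only.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2016-08-08T14:01:02.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"known-good.example"}}',
    '{"timestamp":"2016-08-08T14:01:03.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","http":{"hostname":"known-good.example","url":"/","status":200}}',
    '{"timestamp":"2016-08-08T14:01:09.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","http":{"hostname":"rare-host.example","url":"/payload.bin","status":200}}',
    '{"timestamp":"2016-08-08T14:01:09.500000+0000","event_type":"fileinfo","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","http":{"hostname":"rare-host.example","url":"/payload.bin"},"fileinfo":{"filename":"/payload.bin","magic":"PE32 executable","size":184320}}',
    '{"timestamp":"2016-08-08T14:01:15.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","http":{"hostname":"rare-host.example","url":"/second.bin","status":200}}',
    '{"timestamp":"2016-08-08T14:01:20.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","alert":{"signature":"ET TROJAN example signature","severity":1}}',
    '{"timestamp":"2016-08-08T14:01:05.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.11","http":{"hostname":"another-good.example","url":"/img.png","status":304}}',
    'this line is not valid json and should be skipped',
]

# The known-good "lookup file" the post recommends (constructed, assumed values).
KNOWN_GOOD = {"known-good.example", "another-good.example"}


def parse_eve(lines):
    """Parse eve.json lines; skip blank or malformed records instead of aborting."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def count_by_event_type(events):
    """Per-event_type counts (alert, dns, fileinfo, flow, http, stats, tls, ...)."""
    counts = {}
    for ev in events:
        et = ev.get("event_type", "unknown")
        counts[et] = counts.get(et, 0) + 1
    return counts


def rare_http_hosts(events, known_good):
    """Equivalent of: event_type=http NOT (hostname in lookup)
    | table timestamp src_ip dest_ip http.status http.hostname http.url
    | sort timestamp | dedup http.hostname   (earliest row per hostname)."""
    rows = []
    for ev in events:
        if ev.get("event_type") != "http":
            continue
        http = ev.get("http", {})
        host = http.get("hostname")
        if not host or host in known_good:
            continue
        rows.append({
            "timestamp": ev["timestamp"], "src_ip": ev["src_ip"], "dest_ip": ev["dest_ip"],
            "status": http.get("status"), "hostname": host, "url": http.get("url"),
        })
    rows.sort(key=lambda r: r["timestamp"])  # ISO timestamps sort correctly as strings
    seen, first_seen = set(), []
    for r in rows:
        if r["hostname"] not in seen:
            seen.add(r["hostname"])
            first_seen.append(r)
    return first_seen


def downloaded_files(events):
    """Files Suricata extracted metadata for (event_type=fileinfo), oldest first."""
    out = []
    for ev in events:
        if ev.get("event_type") != "fileinfo":
            continue
        fi = ev.get("fileinfo", {})
        out.append({
            "timestamp": ev["timestamp"],
            "hostname": ev.get("http", {}).get("hostname"),
            "filename": fi.get("filename"),
            "magic": fi.get("magic"),
            "size": fi.get("size"),
        })
    out.sort(key=lambda r: r["timestamp"])
    return out


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE_LINES)
    print(count_by_event_type(evs))
    for row in rare_http_hosts(evs, KNOWN_GOOD):
        print(row)
    for f in downloaded_files(evs):
        print(f)
```

One caveat when comparing with the SPL search: that query runs dedup before sort, so with Splunk's default reverse-chronological ordering it keeps the most recent event per hostname; the function above sorts first and keeps the earliest, which gives a first-contact timeline. To run it against real output, replace SAMPLE_EVE_LINES with open("eve.json") and load the allowlist from the lookup file.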

At this point, I know there is some odd looking traffic that requires further investigation. 

The images below are the evidence screenshots taken during the triage.

HTTP Traffic

The above figure shows the HTTP traffic observed in the capture.
Files Downloaded

Table showing the files downloaded during the capture.
At this point, I would check the actual pcap file for further information and collect more evidence to understand the impact.

The above image shows the list of HTTP requests made.
Image showing the payload received from the host :

Image showing the payload received from

Image showing the list of HTTP objects downloaded. The malicious SWF files were downloaded from the host