Wednesday, August 10, 2016

LOCKY MALSPAM - Traffic Analysis and Indicators

This blog post walks through the lab exercise from malware-traffic-analysis.net posted in August 2016, "2016-08-08 - LOCKY MALSPAM". The focus is mainly on using Splunk as a SIEM tool for detection; Wireshark and Suricata are also used to further understand the traffic pattern.


ASSOCIATED FILES:

ZIP archive of the traffic:  2016-08-08-Locky-malspam-traffic.pcap.zip   705.7 kB (705,748 bytes)

2016-08-08-Locky-malspam-traffic.pcap   (873,563 bytes)

ZIP archive of the email, malware, and artifacts:  2016-08-08-Locky-malspam-malware-and-artifacts.zip   249.9 kB (249,919 bytes)

Set-up

The set-up is to run tools like Suricata (IDS), Wireshark and Fiddler inside a separate analysis instance and use a Splunk universal forwarder to transport the logs to the Splunk core instance. Follow the post below to install Suricata and configure it to forward its logs to Splunk.


Navigate to the Suricata folder and run the following command:

suricata -c suricata.yaml -r <input_pcap_file_location> -l <output_location_to_store_the_logs>

Example,

root@brainfold-blackbox:/opt/suricata-3.1.1# suricata -c suricata.yaml -r /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016_08_Locky_malspam/2016-08-08-Locky-malspam-traffic.pcap -l /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016_08_Locky_malspam/
<Notice> - This is Suricata version 3.1.1 RELEASE
<Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
<Notice> - Signal Received.  Stopping engine.
<Notice> - Pcap-file module read 1008 packets, 857411 bytes

Suricata's output file eve.json contains various event_types, segregating the activity into alert, dns, fileinfo, flow, http, stats and tls records. This is very useful in identifying the malicious events.

Once the traffic is loaded in Splunk, first search for rare or uncommon values of http.hostname, and then look at the flow of events per unique host. In this instance, I have removed known-good traffic such as google, facebook and twitter. It's better to keep a lookup file of known-good http.hostname values to remove the noise. The highlighted traffic requires further triage.

index="suricata" sourcetype="pcap" source="*2016-06-03-traffic-analysis-exercise*" event_type=* NOT (http.hostname="*google.com" OR http.hostname="*facebook.net" OR http.hostname="*bing.com" OR http.hostname="*facebook.com" OR http.hostname="*twitter.com") | table timestamp src_ip dest_ip http.status http.hostname http.url | dedup http.hostname | sort timestamp
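As an added example (not part of the original post), the same triage logic applied directly to Suricata's eve.json output in Python: keep only http events, drop hostnames that match a known-good allowlist, and keep the first sighting of each remaining hostname in timestamp order. The eve.json lines and the allowlist are constructed here; only 185.129.148.19 and keramago.web.fc2.com come from the post.

```python
import json

# Known-good hostnames, standing in for the lookup file the post recommends (assumed list).
# Suffix matching on the domain is stricter than the Splunk "*google.com" wildcard:
# "notgoogle.com" is NOT suppressed.
KNOWN_GOOD_SUFFIXES = ("google.com", "facebook.net", "bing.com",
                       "facebook.com", "twitter.com")

# Constructed eve.json lines in Suricata's one-JSON-object-per-line format.
# Only 185.129.148.19 and keramago.web.fc2.com are from the post; other
# addresses use documentation ranges and the URLs are illustrative.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2016-08-08T14:02:11.000000+0000","event_type":"http","src_ip":"192.168.1.10","dest_ip":"198.51.100.1","http":{"hostname":"www.google.com","url":"/","status":200}}',
    '{"timestamp":"2016-08-08T14:02:15.000000+0000","event_type":"dns","src_ip":"192.168.1.10","dest_ip":"192.168.1.1","dns":{"rrname":"keramago.web.fc2.com"}}',
    '{"timestamp":"2016-08-08T14:02:20.000000+0000","event_type":"http","src_ip":"192.168.1.10","dest_ip":"185.129.148.19","http":{"hostname":"185.129.148.19","url":"/dl1.swf","status":200}}',
    '{"timestamp":"2016-08-08T14:02:17.000000+0000","event_type":"http","src_ip":"192.168.1.10","dest_ip":"203.0.113.5","http":{"hostname":"keramago.web.fc2.com","url":"/x.php","status":200}}',
    '{"timestamp":"2016-08-08T14:02:25.000000+0000","event_type":"http","src_ip":"192.168.1.10","dest_ip":"185.129.148.19","http":{"hostname":"185.129.148.19","url":"/dl2.swf","status":200}}',
]

def is_known_good(hostname):
    """True if hostname is, or is a subdomain of, an allowlisted domain."""
    return any(hostname == s or hostname.endswith("." + s) for s in KNOWN_GOOD_SUFFIXES)

def rare_http_hosts(eve_lines):
    """Mirror the Splunk search: http events only, allowlist removed,
    one row per http.hostname (its earliest sighting), sorted by timestamp."""
    rows = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "http":      # dns/flow/fileinfo etc. are skipped here
            continue
        http = ev.get("http", {})
        host = http.get("hostname", "")
        if is_known_good(host):
            continue
        rows.append({"timestamp": ev["timestamp"], "src_ip": ev["src_ip"],
                     "dest_ip": ev["dest_ip"], "status": http.get("status"),
                     "hostname": host, "url": http.get("url")})
    # Suricata timestamps share one format, so string order is chronological order
    rows.sort(key=lambda r: r["timestamp"])
    seen, table = set(), []
    for r in rows:                              # dedup, keeping the first sighting
        if r["hostname"] not in seen:
            seen.add(r["hostname"])
            table.append(r)
    return table

if __name__ == "__main__":
    for r in rare_http_hosts(SAMPLE_EVE_LINES):
        print(r["timestamp"], r["src_ip"], r["dest_ip"], r["status"], r["hostname"], r["url"])
```

Feed it a real eve.json with `rare_http_hosts(open("eve.json"))` and the output is the same table the Splunk search produces, minus the allowlisted hosts.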

At this point, I know there is some odd-looking traffic that requires further investigation.


The images below are the evidence screenshots taken during the triage.


HTTP Traffic

The figure above shows the HTTP traffic captured in the pcap.
Files Downloaded

Table showing the files downloaded during the capture.
At this point, I would check the actual pcap file for further information and collect additional evidence to understand the impact.

The image above shows the list of HTTP requests made.
Image showing the payload received from the host 185.129.148.19.

Image showing the payload received from keramago.web.fc2.com.


Image showing the list of HTTP objects downloaded. The malicious SWF files were downloaded from the host 185.129.148.19.