Monday, August 15, 2016

NEUTRINO EK - Malware-traffic-analysis - EITEST

This blog post is to walk through the Lab exercise from "malware-traffic-analysis.net" posted on Aug 2016 - "2016-08-11 - Nutino EK".  And the focus is mainly on using Splunk as a SIEM tool to detect . Wireshark and Suricata are also used to further understand the pattern


ASSOCIATED FILES:

    ZIP archive of the pcaps:  2016-08-11-EITest-Neutrino-EK-sends-CrypMIC.pcap.zip   203.3 kB (203,324 bytes)

    ZIP archive of the malware:  2016-08-11-EITest-Neutrino-EK-sends-CrypMIC-malware-and-artifacts.zip   100.6 kB (100,621 bytes)


Set-up

The set-up is to run the like Suricata (IDS), Wireshark and Fiddler inside the separate instance for analysis and use a Splunk universal forwarder to transport the logs to Splunk Core instance. Follow the below post for Suricata install and configure to transport the logs-to splunk


Navigate to the suricata folder  and run the following command.

Suricata -c suricata.yaml - r input_pcap_file_location -l output_location_to_store_the_logs

Example,

root@brainfold-blackbox:/opt/suricata-3.1.1# suricata -c suricata.yaml -r /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016-08-11-EITest-Neutrino-EK-sends-CrypMIC/2016-08-11-EITest-Neutrino-EK-sends-CrypMIC.pcap -l /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016-08-11-EITest-Neutrino-EK-sends-CrypMIC/

<Notice> - This is Suricata version 3.1.1 RELEASE
 <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
<Notice> - Signal Received.  Stopping engine.
<Notice> - Pcap-file module read 492 packets, 430481 bytes

Suricata's output eve.json file contains various event_types, segregating the activities to alert, dns, fileinfo, flow, http, stats, tls. This is very useful in identifying the malicious events.

Once the traffic is loaded in Splunk.


First, search for rare/uncommon http.hostname and then, also to understand the flow of events by unique host. In this instance, I have removed the known good traffic like google, facebook and twitter.  Its better to have a lookup file with known good http.hostname. (removing the noise). The highlighted traffic requires further triage.

index="suricata" sourcetype="pcap" source="*2016-08-05-EITest-Neutrino-EK-sends-CrypMIC*" event_type=* NOT (http.hostname="*google.com" OR http.hostname=*facebook.net OR http.hostname="*bing.com" OR http.hostname="*facebook.com" OR http.hostname="*twitter.com")   | table timestamp src_ip dest_ip http.status http.hostname http.url | dedup http.hostname | sort timestamp


At this point, I know there is some odd looking traffic that requires further investigation.
Below are some of the evidence screenshots taken during the triage

Http Traffic

 The above figure shows the HTTP traffic associated with the traffic

Shown Above - HTTP Traffic and files downloaded in high level

Files Downloaded

Table showing the files downloaded during the traffic. Note the shockwave and flash files.

Alerts Generated by Suricata

At this point, i would check the actual pcap files for further information and collect further information. 

Above image shows the list of http requests made as seen from wireshark


Image showing the payload received from the host : 107.6.177.2 - uljaaseen.cjgregory.co.uk

Associated IPs and Domains