This blog post walks through the lab exercise from "malware-traffic-analysis.net" posted in August 2016, "2016-08-11 - Neutrino EK". The focus is mainly on using Splunk as a SIEM tool for detection; Wireshark and Suricata are also used to further understand the traffic pattern.
ZIP archive of the pcaps: 2016-08-11-EITest-Neutrino-EK-sends-CrypMIC.pcap.zip 203.3 kB (203,324 bytes)
ZIP archive of the malware: 2016-08-11-EITest-Neutrino-EK-sends-CrypMIC-malware-and-artifacts.zip 100.6 kB (100,621 bytes)
The set-up is to run the tools (Suricata as IDS, Wireshark and Fiddler) inside a separate analysis instance and use a Splunk universal forwarder to ship the logs to the Splunk core instance. Follow the post below for installing Suricata and configuring it to forward the logs to Splunk.
Navigate to the Suricata folder and run the following command (the pcap path and output directory are placeholders):
suricata -c suricata.yaml -r input_pcap_file_location -l output_location_to_store_the_logs
root@brainfold-blackbox:/opt/suricata-3.1.1# suricata -c suricata.yaml -r /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016-08-11-EITest-Neutrino-EK-sends-CrypMIC/2016-08-11-EITest-Neutrino-EK-sends-CrypMIC.pcap -l /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016-08-11-EITest-Neutrino-EK-sends-CrypMIC/
<Notice> - This is Suricata version 3.1.1 RELEASE
<Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
<Notice> - Signal Received. Stopping engine.
<Notice> - Pcap-file module read 492 packets, 430481 bytes
Suricata's output file eve.json contains various event_types, segregating the activity into alert, dns, fileinfo, flow, http, stats and tls records. This is very useful for identifying the malicious events.
Once the traffic is loaded in Splunk, first search for rare/uncommon http.hostname values, and then look at the flow of events per unique host. In this instance, I have removed the known-good traffic like Google, Facebook and Twitter. It is better to keep a lookup file of known-good http.hostname values to remove this noise. The highlighted traffic requires further triage.
index="suricata" sourcetype="pcap" source="*2016-08-05-EITest-Neutrino-EK-sends-CrypMIC*" event_type=* NOT (http.hostname="*google.com" OR http.hostname=*facebook.net OR http.hostname="*bing.com" OR http.hostname="*facebook.com" OR http.hostname="*twitter.com") | table timestamp src_ip dest_ip http.status http.hostname http.url | dedup http.hostname | sort timestamp
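The same triage logic applied directly to eve.json, as an added example that is not part of the original post: parse Suricata's http events, drop hostnames on a known-good allowlist (the lookup-file idea above), keep the earliest request per hostname and order the result by timestamp. The eve.json lines, hostnames and IPs are constructed for the example and are not from the exercise pcap.

```python
import json

# Known-good hostname suffixes; in production this would be the Splunk lookup file.
KNOWN_GOOD = ("google.com", "facebook.net", "facebook.com", "bing.com", "twitter.com")

# Constructed eve.json sample (not real traffic). Field names follow Suricata's EVE schema.
SAMPLE_EVE = """\
{"timestamp":"2016-08-11T16:02:01.000000+0000","event_type":"http","src_ip":"192.168.1.10","dest_ip":"203.0.113.5","http":{"hostname":"www.google.com","url":"/","status":200}}
{"timestamp":"2016-08-11T16:02:02.000000+0000","event_type":"http","src_ip":"192.168.1.10","dest_ip":"203.0.113.7","http":{"hostname":"example-compromised.test","url":"/index.php","status":200}}
{"timestamp":"2016-08-11T16:02:03.000000+0000","event_type":"dns","src_ip":"192.168.1.10","dest_ip":"192.168.1.1","dns":{"rrname":"example-ek.test","type":"query"}}
{"timestamp":"2016-08-11T16:02:04.000000+0000","event_type":"http","src_ip":"192.168.1.10","dest_ip":"198.51.100.9","http":{"hostname":"example-ek.test","url":"/flash.swf","status":200}}
{"timestamp":"2016-08-11T16:02:05.000000+0000","event_type":"http","src_ip":"192.168.1.10","dest_ip":"198.51.100.9","http":{"hostname":"example-ek.test","url":"/payload.bin","status":200}}
{"timestamp":"2016-08-11T16:02:06.000000+0000","event_type":"http","src_ip":"192.168.1.10","dest_ip":"203.0.113.8","http":{"hostname":"static.facebook.net","url":"/x.js","status":304}}
"""


def is_known_good(hostname):
    """True if hostname equals or is a subdomain of an allowlisted suffix.
    Stricter than the SPL wildcard "*google.com", which would also match
    "notgoogle.com"; the dot-anchored check avoids that false negative."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in KNOWN_GOOD)


def rare_hosts(eve_text):
    """Equivalent of the Splunk search above: http events only, known-good
    hosts removed, one row per hostname (earliest request), sorted by time."""
    first_seen = {}
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "http":
            continue
        http = ev.get("http", {})
        host = http.get("hostname", "")
        if not host or is_known_good(host):
            continue
        row = {"timestamp": ev["timestamp"], "src_ip": ev["src_ip"],
               "dest_ip": ev["dest_ip"], "status": http.get("status"),
               "hostname": host, "url": http.get("url")}
        # Keep the first request to each host; later hits are noise for this view.
        if host not in first_seen or row["timestamp"] < first_seen[host]["timestamp"]:
            first_seen[host] = row
    return sorted(first_seen.values(), key=lambda r: r["timestamp"])


if __name__ == "__main__":
    for r in rare_hosts(SAMPLE_EVE):
        print(r["timestamp"], r["src_ip"], r["dest_ip"], r["status"], r["hostname"], r["url"])
```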
At this point, I know there is some odd-looking traffic that requires further investigation.
Below are some of the evidence screenshots taken during the triage.
The figure above shows the HTTP traffic in the capture.
Shown above: HTTP traffic and files downloaded, at a high level.
Table showing the files downloaded during the traffic. Note the Shockwave and Flash files.
At this point, I would check the actual pcap file to collect further information.
The image above shows the list of HTTP requests as seen in Wireshark.
Image showing the payload received from the host 188.8.131.52 (uljaaseen.cjgregory.co.uk).
Associated IPs and Domains