Wednesday, August 24, 2016

PSEUDO-DARKLEECH NEUTRINO EK - CRYPMIC RANSOMWARE

This blog post walks through the lab exercise from "malware-traffic-analysis.net" posted on Aug 23rd 2016. The focus is mainly on using Splunk to detect and observe the behaviour. Suricata is used as the NIDS engine with ET signatures, Wireshark is used to further observe the payload, and the Thug honey client is used to analyse the page and pass its output on to Splunk.


http://www.malware-traffic-analysis.net/2016/08/23/index2.html
ASSOCIATED FILES:

2016-08-23-pseudoDarkleech-Neutrino-EK-sends-CrypMIC.pcap

Set-up

The set-up runs the tools (Suricata as the IDS, Wireshark and the honeypot) inside a separate instance for analysis and uses a Splunk universal forwarder to transport the logs to the Splunk core instance. Follow the post below for installing and configuring Suricata to forward its logs to Splunk:

http://www.brainfold.net/2015/08/suricata-installation-configuration-to_6.html

suricata -c suricata.yaml -r input_pcap_file_location -l output_location_to_store_the_logs

Suricata's output file eve.json contains various event_types, segregating the activity into alert, dns, fileinfo, flow, http, stats and tls records. This is very useful in identifying the malicious events. Once the traffic is loaded into Splunk and viewed in the Suricata dashboard, I can straight away spot some domains and downloaded files that look out of the ordinary.
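As an added example (not part of the original post or of Suricata/Splunk), the segregation by event_type that the Splunk dashboard performs can be reproduced directly over eve.json in a few lines of Python; the EVE lines below are constructed for illustration and are not taken from the lab pcap.

```python
import json
from collections import Counter

# Constructed EVE JSON lines (not from the lab pcap); field layout follows Suricata's
# eve.json format. Hosts/IPs are placeholders; the last line is deliberately malformed.
SAMPLE_EVE = r"""
{"timestamp":"2016-08-23T17:10:01.000000+0000","event_type":"dns","src_ip":"192.168.122.42","dest_ip":"192.168.122.1","dns":{"type":"query","rrname":"compromised-site.test","rrtype":"A"}}
{"timestamp":"2016-08-23T17:10:02.000000+0000","event_type":"http","src_ip":"192.168.122.42","dest_ip":"203.0.113.10","http":{"hostname":"compromised-site.test","url":"/index.html","http_method":"GET","status":200,"http_content_type":"text/html"}}
{"timestamp":"2016-08-23T17:10:03.000000+0000","event_type":"http","src_ip":"192.168.122.42","dest_ip":"198.51.100.7","http":{"hostname":"ek-landing.test","url":"/landing","http_method":"GET","status":200,"http_content_type":"text/html"}}
{"timestamp":"2016-08-23T17:10:04.000000+0000","event_type":"fileinfo","src_ip":"198.51.100.7","dest_ip":"192.168.122.42","fileinfo":{"filename":"/payload.swf","magic":"Macromedia Flash data (compressed), version 11","size":46231}}
{"timestamp":"2016-08-23T17:10:04.500000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.168.122.42","alert":{"signature":"CONSTRUCTED example EK landing signature","category":"Exploit Kit Activity Detection","severity":1}}
this line is not JSON
"""

def summarize_eve(text):
    """Segregate EVE records by event_type as the Splunk dashboard does: counts per
    type, HTTP requests in chronological order, downloaded files with their libmagic
    type, and alerts with the flow they fired on. Malformed lines count as 'unparsed'."""
    counts = Counter()
    http_seq, files, alerts = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            counts["unparsed"] += 1  # keep going; one bad line must not hide the rest
            continue
        et = rec.get("event_type", "unknown")
        counts[et] += 1
        if et == "http":
            h = rec.get("http", {})
            http_seq.append((rec.get("timestamp"), h.get("hostname"), h.get("url"), h.get("status")))
        elif et == "fileinfo":
            f = rec.get("fileinfo", {})
            files.append((f.get("filename"), f.get("magic"), f.get("size")))
        elif et == "alert":
            a = rec.get("alert", {})
            alerts.append((a.get("signature"), a.get("severity"), rec.get("src_ip"), rec.get("dest_ip")))
    # EVE timestamps are ISO-8601 with a fixed offset, so lexical order is chronological.
    http_seq.sort(key=lambda r: r[0] or "")
    return {"counts": counts, "http": http_seq, "files": files, "alerts": alerts}

if __name__ == "__main__":
    for key, rows in summarize_eve(SAMPLE_EVE).items(): print(key, rows)
```

Pointing it at a real eve.json (`summarize_eve(open("eve.json").read())`) gives the same HTTP sequence, file list and alert table the screenshots below show, without needing the dashboard.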

Alerts raised by the NIDS


High level Traffic information with types of files


The screenshot below shows the HTTP traffic that happened during the infection.

HTTP Traffic with sequence of events

Files Downloaded
The screenshot shows the files downloaded and their types.

Iframe injection

Threat Intelligence for the indicator shows the following hits



____________________     Results found for: 66.8.77.86     ____________________
No results found in the RTex DNS
No results found in the FNet URL
[+] VT ASN: 16637
[+] VT Country: ZA
[+] VT AS Owner: No results found