Wednesday, August 17, 2016

PSEUDO-DARKLEECH - Traffic analysis and Indicators

This blog post is to walk through the Lab exercise from "malware-traffic-analysis.net" posted on Aug 2016 .  And the focus is mainly on using Splunk  tool to detect  and observe the behavior. Suricata is used as the NIDS engine with ET signatures.  Wireshark is used to further observer the payload. Along with wget to download the html page of the compromised/redirect site to witness and de-obfuscate the code.

ASSOCIATED FILES:

   ZIP archive of the pcaps:  2016-08-16-pseudoDarkleech-campaign-traffic.zip

Set-up

The set-up is to run the like Suricata (IDS), Wireshark and Fiddler inside the separate instance for analysis and use a Splunk universal forwarder to transport the logs to Splunk Core instance. Follow the below post for Suricata install and configure to transport the logs-to splunk


There were 3 pcap files in the zip, i use mergecap to merge all 3 files making it easier for analysis in splunk.

 mergecap -v 2016-08-16-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-after-blenheim-lodge.com.pcap 2016-08-16-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-after-convoyproperty.com.pcap 2016-08-16-pseudoDarkleech-Rig-EK-after-blenheim-lodge.com.pcap -w 2016-08-16-pseudoDarklech.pcap

Navigate to the suricata folder and run the following command.

Suricata -c suricata.yaml - r input_pcap_file_location -l output_location_to_store_the_logs

Example:-
root@brainfold-blackbox:/opt/suricata-3.1.1# suricata -c suricata.yaml -r /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016-08-11-EITest-Neutrino-EK-sends-CrypMIC/2016-08-11-EITest-Neutrino-EK-sends-CrypMIC.pcap -l /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016-08-11-EITest-Neutrino-EK-sends-CrypMIC/
17/8/2016 -- 07:12:50 - <Notice> - This is Suricata version 3.1.1 RELEASE
17/8/2016 -- 07:12:56 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
17/8/2016 -- 07:12:56 - <Notice> - Signal Received.  Stopping engine.
17/8/2016 -- 07:12:57 - <Notice> - Pcap-file module read 2071 packets, 1677627 bytes
Suricata's output eve.json file contains various event_types, segregating the activities to alert, dns, fileinfo, flow, http, stats, tls. This is very useful in identifying the malicious events.

Once the traffic is loaded into Splunk and viewed inside  the suricata dashbaord, i can straightaway spot some domains and files downloaded that looks out-of-normal.

Alerts:-
Suricata's ET engine had spotted this traffic as Evil Redirector and Rig EK



Http Traffic
The below screenshot shows the http traffic happened during the campaign

HTTP Traffic with sequence of events


Post infection traffic
Files Downloaded
Below screenshot shows the fkash(swf) and html files downloaded


DNS Traffic
No DNS/TLS/SMTP traffic observed within the pcap file

further, one can wget the compromised site to observe the injection point . swfdump to decompile the swf file.