Wednesday, August 17, 2016

ZEPTO VARIANT LOCKY MALSPAM

This blog post walks through the lab exercise from "malware-traffic-analysis.net" posted on Aug 15th 2016. The focus is mainly on using the pre-built Splunk tooling to detect and observe the behaviour. Suricata is used as the NIDS engine with ET signatures. Wireshark is used to further observe the payload, along with wget to download the HTML page of the compromised/redirect site in order to witness and deobfuscate the code.

Source - http://www.malware-traffic-analysis.net/2016/08/15/index.html
ASSOCIATED FILES:

  ZIP archive of today's data:  2016-08-15-locky-malspam-data.zip

Set-up

The set-up is to run the tools (Suricata as IDS, Wireshark and Fiddler) inside a separate instance for analysis and to use a Splunk universal forwarder to transport the logs to the Splunk core instance. Follow the post below for installing Suricata and configuring it to forward the logs to Splunk.


Navigate to the suricata folder and run the following command.

suricata -c suricata.yaml -r input_pcap_file_location -l output_location_to_store_the_logs

Example:-
root@brainfold-blackbox:/opt/suricata-3.1.1# suricata -c suricata.yaml -r /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016-08-15\ -\ ZEPTO\ VARIANT\ LOCKY\ MALSPAM/2016-08-15-locky-malspam-data/2016-08-15-traffic-from-Locky-malspam.pcap -l /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016-08-15\ -\ ZEPTO\ VARIANT\ LOCKY\ MALSPAM/2016-08-15-locky-malspam-data/
17/8/2016 -- 18:12:48 - <Notice> - This is Suricata version 3.1.1 RELEASE
17/8/2016 -- 18:12:54 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
17/8/2016 -- 18:12:54 - <Notice> - Signal Received.  Stopping engine.
17/8/2016 -- 18:12:55 - <Notice> - Pcap-file module read 686 packets, 568729 bytes
Suricata's output file eve.json contains one JSON record per line, each tagged with an event_type that segregates the activity into alert, dns, fileinfo, flow, http, stats and tls events. This separation is very useful for identifying the malicious events.
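As an added example (not part of the original post), the following Python script reads eve.json line by line, groups the records by event_type the way the Splunk dashboard does, and pulls out the HTTP requests, the files Suricata extracted and any alerts; the eve.json lines embedded in it are constructed samples with placeholder hosts and a placeholder signature, not records from the exercise pcap.

```python
import json
from collections import Counter

# Constructed eve.json sample (placeholder hosts/IPs, not data from the exercise pcap).
SAMPLE_EVE = """\
{"timestamp":"2016-08-15T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP"}
{"timestamp":"2016-08-15T10:00:02.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","http":{"hostname":"compromised-site.invalid","url":"/index.html","http_method":"GET","status":200}}
{"timestamp":"2016-08-15T10:00:03.000000+0000","event_type":"fileinfo","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","http":{"hostname":"compromised-site.invalid","url":"/index.html"},"fileinfo":{"filename":"/index.html","magic":"HTML document, ASCII text","state":"CLOSED","size":5120}}
{"timestamp":"2016-08-15T10:00:04.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.20","http":{"hostname":"redirect-site.invalid","url":"/ads/flash.swf","http_method":"GET","status":200}}
{"timestamp":"2016-08-15T10:00:05.000000+0000","event_type":"fileinfo","src_ip":"203.0.113.20","dest_ip":"10.0.0.5","http":{"hostname":"redirect-site.invalid","url":"/ads/flash.swf"},"fileinfo":{"filename":"/ads/flash.swf","magic":"Macromedia Flash data (compressed)","state":"CLOSED","size":20480}}
{"timestamp":"2016-08-15T10:00:06.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.20","alert":{"signature":"CONSTRUCTED PLACEHOLDER SIGNATURE - SWF download","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2016-08-15T10:00:07.000000+0000","event_type":"stats","stats":{"uptime":6}}
"""


def parse_eve(text):
    """Parse eve.json (one JSON object per line); skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # e.g. a line truncated when the engine was stopped mid-write
    return events


def summarize(events):
    """Group records by event_type and extract the fields worth eyeballing first."""
    counts = Counter(e.get("event_type", "unknown") for e in events)
    http = [(e["http"].get("hostname"), e["http"].get("url"), e["http"].get("status"))
            for e in events if e.get("event_type") == "http"]
    files = [(e["fileinfo"].get("filename"), e["fileinfo"].get("magic"))
             for e in events if e.get("event_type") == "fileinfo"]
    alerts = [e["alert"]["signature"] for e in events if e.get("event_type") == "alert"]
    return {"counts": dict(counts), "http": http, "files": files, "alerts": alerts}


def flash_downloads(summary):
    """Files whose libmagic type says Flash (SWF), whatever the URL's extension claims."""
    return [name for name, magic in summary["files"] if magic and "Flash" in magic]


if __name__ == "__main__":
    s = summarize(parse_eve(SAMPLE_EVE))
    print("event_type counts:", s["counts"])
    for host, url, status in s["http"]:
        print("HTTP", host, url, status)
    print("Flash downloads:", flash_downloads(s), "| alerts:", s["alerts"])
```

On a real capture, replace SAMPLE_EVE with the contents of the eve.json written to the -l output directory.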


Once the traffic is loaded into Splunk and viewed inside the Suricata dashboard, I can straight away spot some domains and downloaded files that look out of the ordinary.

Http Traffic
The screenshot below shows the HTTP traffic that occurred during the infection.

HTTP Traffic with sequence of events


Files Downloaded
The screenshot below shows the Flash (SWF) and HTML files downloaded.


DNS Traffic
No DNS, TLS or SMTP traffic was observed within the pcap file.

Sample analysis will be updated shortly...