CyberDefenders - Series (Malware Traffic Analysis 3 - Packet Analysis)

Introduction

The Digital Forensics & Incident Response (DFIR) field is one where you must keep learning to stay current with the latest developments and to keep your skills sharp. Therefore I've decided to start working on some of the challenges delivered through CyberDefenders. It's a great place to work on challenges and to keep developing yourself.

The Challenge

This blog describes the 'Malware Traffic Analysis 3' challenge, which can be found here

Tools used for this challenge:
Brim

Write-up

My write-ups follow a standard pattern of 'Question' and 'Methodology'. I chose this format because it allows you to follow along and try the challenge for yourself. I have chosen not to disclose the answers here, since it's also a competition and I don't want to spoil the integrity and fun of competing.

Question 1
What is the IP address of the infected Windows host?

Methodology
I am getting the hang of these challenges: the line of questions is often very similar, and if you have been following along you will notice the pattern. We start with some basic information about the infected machine. I loaded the pcap in my new favourite network analysis tool, Brim, and also in NetworkMiner and Wireshark. I like to go through the hosts in NetworkMiner to see if anything stands out, and I also look at the alerts and file activity in Brim, just to get an idea of the case and what type of files are in there. As a result you'll find there is only one Windows host and all file activity relates to that host, which is the answer to the first question.

Question 2
What is the Exploit kit (EK) name? (two words)

Methodology
I think there are quite a few ways to get to this answer. What I did was scan the directory of all the files assembled from the pcap with Microsoft Defender. That way I found some interesting files. I then searched for the hashes of the malicious files, which should tell you the name of the exploit kit. However, beware that one vendor might use name X for the exploit kit and another name Y. For this answer the exploit kit has multiple names starting with the same letter.

Question 3
What is the FQDN that delivered the exploit kit?

Methodology
Using the threat intelligence gathered in Question 2, you'll find that a certain IP address is delivering the EK. If you search for that IP address in Brim you'll see the associated FQDN. In NetworkMiner it's automatically shown in the list of hosts as well.

Question 4
What is the redirect URL that points to the exploit kit landing page?

Methodology
Using either the IP address or the FQDN that delivers the EK, you should be able to find the 'referrer' traffic for that page.

Question 5
What is the FQDN of the compromised website?

Methodology
This one is pretty straightforward, especially if you look at the answer format, which says that the FQDN should start with an 'e'. If you use the built-in query in Brim for 'HTTP Requests', the answer is right there.

Another method is to search for HTTP requests and count them by host, which should give you a hint as to which domain communicated a lot with our infected machine:

_path=http | count() by host | sort -r count
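The Brim query above is a count-by-host over Zeek's http log. The following script (an added example, not part of the original post or of Brim) does the same thing over a handful of constructed Zeek http.log records in JSON-lines form, and adds the lookup used for Question 4: which external page referred the victim to the EK host. The hosts, IPs, URIs and user agents in SAMPLE_HTTP_LOG are made up; the field names (id.orig_h, host, referrer, user_agent) are Zeek's.

```python
import json
from collections import Counter
from urllib.parse import urlparse

# Constructed Zeek http.log records (JSON lines, the same data Brim queries as _path=http).
# 192.168.50.20 plays the infected host, landing.example the EK host; all values are made up.
SAMPLE_HTTP_LOG = """
{"ts":1.0,"id.orig_h":"192.168.50.20","id.resp_h":"198.51.100.5","host":"shop.example","uri":"/","user_agent":"Mozilla/5.0 (Windows NT 6.1) constructed-UA/1.0"}
{"ts":2.0,"id.orig_h":"192.168.50.20","id.resp_h":"198.51.100.5","host":"shop.example","uri":"/style.css","referrer":"http://shop.example/","user_agent":"Mozilla/5.0 (Windows NT 6.1) constructed-UA/1.0"}
{"ts":3.0,"id.orig_h":"192.168.50.20","id.resp_h":"198.51.100.5","host":"shop.example","uri":"/js/app.js","referrer":"http://shop.example/","user_agent":"Mozilla/5.0 (Windows NT 6.1) constructed-UA/1.0"}
{"ts":4.0,"id.orig_h":"192.168.50.20","id.resp_h":"203.0.113.9","host":"landing.example","uri":"/gate.php","referrer":"http://shop.example/","user_agent":"Mozilla/5.0 (Windows NT 6.1) constructed-UA/1.0"}
{"ts":5.0,"id.orig_h":"192.168.50.20","id.resp_h":"203.0.113.9","host":"landing.example","uri":"/payload.bin","referrer":"http://landing.example/gate.php","user_agent":"Mozilla/5.0 (Windows NT 6.1) constructed-UA/1.0"}
{"ts":6.0,"id.orig_h":"192.168.50.30","id.resp_h":"198.51.100.8","host":"cdn.example","uri":"/lib.js","user_agent":"curl/7.68.0"}
"""


def parse_zeek_json(text):
    """One dict per non-empty line. Zeek omits unset fields in JSON output, so use .get() on them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def count_by(records, field):
    """Equivalent of `count() by <field> | sort -r count`: [(value, n), ...], highest first."""
    counts = Counter(r[field] for r in records if field in r)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def requests_from(records, orig_h):
    """Only the requests made by one client, e.g. the infected host."""
    return [r for r in records if r.get("id.orig_h") == orig_h]


def external_referrers(records, host):
    """Referrer URLs of requests to `host` whose referrer lives on a different host.

    Requests for sub-resources carry the page itself as referrer; filtering those out leaves
    the page that redirected the browser to `host` (the Question 4 situation).
    """
    refs = set()
    for r in records:
        ref = r.get("referrer")
        if r.get("host") == host and ref and urlparse(ref).hostname != host:
            refs.add(ref)
    return sorted(refs)


def browser_user_agents(records, orig_h):
    """User-Agent strings sent by one client, most frequent first."""
    return count_by(requests_from(records, orig_h), "user_agent")


if __name__ == "__main__":
    recs = parse_zeek_json(SAMPLE_HTTP_LOG)
    for host, n in count_by(recs, "host"):
        print(f"{n:4d}  {host}")
    print("redirect to landing.example came from:", external_referrers(recs, "landing.example"))
    print("user agents of 192.168.50.20:", browser_user_agents(recs, "192.168.50.20"))
```

To run it against a real capture, export the http log from Brim (or run Zeek with JSON logging) and pass the file contents to parse_zeek_json instead of SAMPLE_HTTP_LOG.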

Question 6
Which TCP stream shows the malware payload being delivered? Provide stream number

Methodology
When you read the question, your first thought should be: a TCP stream number... Wireshark! The next step in figuring this one out is going back to an earlier question, specifically Question 3. Using Wireshark and the information from that question you should be able to get the answer. If you don't know how to get TCP stream numbers in Wireshark, click Analyze > Follow > TCP Stream.

Question 7
What is the IP address of the C&C server?

Methodology
I used a trick to get this answer: I searched for connections established from the infected machine. Then I looked at the answer format, which left me with only 3 IP addresses. This isn't the best way to solve it, but it works.

Question 8
What is the expiration date of the SSL certificate?

Methodology
This was a fun one. I used the IP address from Question 7 to search Brim for SSL-related information and found several certificates. Then I copied the MD5 of the certificate and put it in VirusTotal. Next I downloaded the certificate and saved it as a .cer file, which you can then natively open in Windows to see the expiration date.

Question 9
Question doesn't exist so we go to Question 10 👀

Question 10
The malicious domain served a ZIP archive. What is the name of the DLL file included in this archive?

Methodology
Remember from the earlier challenges: if you need to get information about a specific file type, Brim has got you covered. Use the following search to get zip files in your dataset:

"files" mime_type="application/zip" 

The next step is getting the zip file. You can either go to VirusTotal and use the hash from Brim to get it, or use NetworkMiner and go to the directory of the associated IP address. Open the file in an unzip tool and you'll get the name of the DLL.

Question 11
Extract the malware payload, deobfuscate it, and remove the shellcode at the beginning. This should give you the actual payload (a DLL file) used for the infection. What's the MD5 hash of the payload?

Methodology
This one took me the most time; however, using Google and doing lots of research I was able to figure it out. What you need to do to solve this one is basically in the question. I suggest that you Google for the EK name and 'payload', as there are several write-ups with hints. In short, what you need to do yourself is export the payload in Wireshark based on the domain you found in Question 3. Next you need to know that the payload is partly encrypted with a known key (Google is your friend), and you also need to remove some code at the beginning of the file. Using a tool like binwalk you can extract the DLL from the resulting file.

Question 12
What were the two protection methods enabled during the compilation of the PE file? (comma-separated)

Methodology
The good news is you made it this far; it's going to be easier from here on, at least that's what I thought.
I knew that pestudio will tell you if there are protection mechanisms present in the PE file, because they can be set in the Optional Header of a PE file (official docs).
If you open the DLL file you obtained as a result of Question 11 in something like pestudio, the tool automatically extracts the protection methods that are part of the file header and shows them to you.

It's pretty obvious that SEH is one of the answers, and image isolation is the other one. However, I was unable to solve this, because the platform was looking for a very specific alternative word for image isolation, which wasn't obvious to me and I couldn't find good docs on it either. So that was pretty disappointing; I had to use the hints to get the correct answer.

Question 13
When was the DLL file compiled?

Methodology
Same as for Question 12: any PE analysis tool will tell you the compilation date/time.
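Questions 11 to 13 are one pipeline: decrypt the exported payload, drop the shellcode in front of it, carve the DLL, hash it, and then read the compile timestamp and DllCharacteristics from its headers. The script below is an added example (not the author's method and not pestudio's or binwalk's code) that performs those steps on a constructed sample: a minimal 32-bit DLL image built in build_sample_dll, a NOP stub standing in for the shellcode, and repeating-key XOR with the made-up key 'k3y'. The real payload's encryption and key are not on this page and are not assumed here; the PE structures and the DllCharacteristics bit names come from the PE/COFF specification, and the way pestudio labels the cleared NO_SEH / NO_ISOLATION bits as "SEH" and "isolation" is an assumption.

```python
import hashlib
import struct
from datetime import datetime, timezone

# DllCharacteristics bits of the Optional Header (PE/COFF specification).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def xor_decrypt(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_pe_headers(blob):
    """Offsets of every 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature (a binwalk-style PE scan)."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[sig:sig + 4] == b"PE\0\0":
                found.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return found


def _headers(pe):
    """(e_lfanew, NumberOfSections, TimeDateStamp, SizeOfOptionalHeader) from the COFF header."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    _machine, nsect, stamp, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    return e_lfanew, nsect, stamp, opt_size


def pe_size(pe):
    """On-disk size = end of the last raw section, so data after the image is not carved with it."""
    e_lfanew, nsect, _, opt_size = _headers(pe)
    first_section = e_lfanew + 24 + opt_size          # 4-byte signature + 20-byte COFF header + optional header
    end = 0
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, first_section + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def pe_info(pe):
    """Compile timestamp and DllCharacteristics; the field sits at optional-header offset 70 in PE32 and PE32+."""
    e_lfanew, _, stamp, _ = _headers(pe)
    dll_chars = struct.unpack_from("<H", pe, e_lfanew + 24 + 70)[0]
    flags = [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit]
    # The spec only defines the negative bits; "SEH" and "isolation" are reported when
    # NO_SEH / NO_ISOLATION are clear (assumption about how pestudio labels them).
    implied = [name for bit, name in ((0x0400, "SEH"), (0x0200, "isolation")) if not dll_chars & bit]
    return {"compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
            "flags": flags, "implied": implied}


def recover_payload(blob, key):
    """Decrypt, skip the shellcode stub, carve the DLL to its real size, hash it, read its headers."""
    decrypted = xor_decrypt(blob, key)
    offsets = find_pe_headers(decrypted)
    if not offsets:
        raise ValueError("no PE image found after decryption; wrong key?")
    start = offsets[0]
    dll = decrypted[start:start + pe_size(decrypted[start:])]
    return {"shellcode_len": start, "dll": dll, "md5": hashlib.md5(dll).hexdigest(), **pe_info(dll)}


# --- constructed sample: minimal PE32 DLL image, NOP stub in front, made-up XOR key ---
SAMPLE_KEY = b"k3y"
SAMPLE_STUB = b"\x90" * 20 + b"\xEB\xFE\x00\x00"      # 24 bytes standing in for the shellcode


def build_sample_dll():
    code = b"\xC3" + b"constructed-sample-section".ljust(31, b"\0")     # 32 bytes of ".text"
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 1413374400, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100)                    # DYNAMIC_BASE | NX_COMPAT
    section = struct.pack("<8sIIII", b".text", len(code), 0x1000, len(code), 352) + b"\0" * 16
    return dos + coff + bytes(opt) + section + code


def build_sample_blob(trailing=b""):
    """What the exported HTTP body would look like: XOR(stub + DLL + optional trailing bytes)."""
    return xor_decrypt(SAMPLE_STUB + build_sample_dll() + trailing, SAMPLE_KEY)


if __name__ == "__main__":
    r = recover_payload(build_sample_blob(b"trailing-junk"), SAMPLE_KEY)
    print(f"stub {r['shellcode_len']} bytes, DLL {len(r['dll'])} bytes, md5 {r['md5']}")
    print("compiled:", r["compiled"], "flags:", r["flags"], "implied:", r["implied"])
```

Carving to the end of the last section rather than to the end of the file is what keeps the MD5 stable when the exported object carries padding or trailing data after the image; a hash over the whole decrypted blob would not match what the challenge expects.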

Question 14
A Flash file was used in conjunction with the redirect URL. What URL was used to retrieve this flash file?

Methodology
You can search for SWF files in Brim and the answer will be there.

Question 15
What is the CVE of the exploited vulnerability?

Methodology
If you want an alternative way of solving this question, just read up on the exploit kit that is being used in this attack.

Question 16
What was the web browser version used by the infected host?

Methodology
Fun question, not something I've done or seen before, but if you start to think about it you should be able to answer this in multiple ways. One way is filtering for HTTP traffic from the infected host, because that should contain the User-Agent header, which tells you the browser version. You can do this in Wireshark, for example, with the following filter:

http && ip.src == infected_host_ip_address

Question 17
What is the DNS query that had the highest RTT?

Methodology
Search for DNS requests in Brim, then count by RTT. If you select the highest value and use it in a search, you'll see which DNS request it belongs to.

Question 18
What is the name of the SSL certificate issuer that appeared the most? (one word)

Methodology
I used Brim to filter for SSL-related data and then did a count by the issuer field, and that's the question solved!
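Questions 8 and 18 both come out of the same two Zeek logs that Brim shows as SSL data: ssl.log carries one record per TLS session with the leaf issuer and the file ids (fuids) of the certificates in the chain, and x509.log carries the parsed certificate fields, including not_valid_after. The script below is an added example (not the author's steps and not Brim's code) over constructed records: it lists the certificates served by one IP with their expiry dates, which gives the Question 8 answer straight from the capture when the certificate was fully reconstructed, and counts issuers by their O= component for Question 18. The IPs, names and fuids are made up; the field names are Zeek's. FxC1 deliberately has no x509 record, and FxA1 is served twice, to show how missing and repeated certificates are handled.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed Zeek ssl.log and x509.log records (JSON lines, as Brim ingests them).
# 203.0.113.10 plays the C&C server from Question 7; every value here is made up.
SAMPLE_SSL_LOG = """
{"ts":1.0,"id.orig_h":"192.168.50.20","id.resp_h":"203.0.113.10","server_name":"update.example","issuer":"CN=Example Issuing CA,O=ExampleCorp,C=US","cert_chain_fuids":["FxA1"]}
{"ts":2.0,"id.orig_h":"192.168.50.20","id.resp_h":"203.0.113.10","server_name":"update.example","issuer":"CN=Example Issuing CA,O=ExampleCorp,C=US","cert_chain_fuids":["FxA2"]}
{"ts":3.0,"id.orig_h":"192.168.50.20","id.resp_h":"198.51.100.7","server_name":"mail.example","issuer":"CN=Other Root,O=OtherOrg,C=GB","cert_chain_fuids":["FxB1"]}
{"ts":4.0,"id.orig_h":"192.168.50.20","id.resp_h":"198.51.100.8","server_name":"shop.example","issuer":"CN=Example Issuing CA,O=ExampleCorp,C=US","cert_chain_fuids":["FxC1"]}
{"ts":5.0,"id.orig_h":"192.168.50.20","id.resp_h":"203.0.113.10","server_name":"update.example","issuer":"CN=Example Issuing CA,O=ExampleCorp,C=US","cert_chain_fuids":["FxA1"]}
"""
SAMPLE_X509_LOG = """
{"ts":1.0,"id":"FxA1","certificate.issuer":"CN=Example Issuing CA,O=ExampleCorp,C=US","certificate.not_valid_after":1483228800.0}
{"ts":2.0,"id":"FxA2","certificate.issuer":"CN=Example Issuing CA,O=ExampleCorp,C=US","certificate.not_valid_after":1514764800.0}
{"ts":3.0,"id":"FxB1","certificate.issuer":"CN=Other Root,O=OtherOrg,C=GB","certificate.not_valid_after":1546300800.0}
"""


def parse_zeek_json(text):
    """One dict per non-empty line; Zeek omits unset fields, so use .get() on optional ones."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def epoch_to_iso(ts):
    """Zeek stores times as epoch seconds; render them as UTC ISO 8601."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def dn_component(dn, attr):
    """Value of one attribute (e.g. 'O') from an RFC 4514-style DN. Naive split: escaped commas are not handled."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key == attr:
            return value
    return None


def certs_for_server(ssl_records, x509_records, resp_h):
    """Certificates served by `resp_h`, each once, with issuer and expiry (Question 8)."""
    by_fuid = {r["id"]: r for r in x509_records}
    seen, out = set(), []
    for conn in ssl_records:
        if conn.get("id.resp_h") != resp_h:
            continue
        for fuid in conn.get("cert_chain_fuids", []):
            cert = by_fuid.get(fuid)
            if fuid in seen or cert is None:      # repeated cert, or x509.log has no record for it
                continue
            seen.add(fuid)
            out.append({"fuid": fuid, "issuer": cert["certificate.issuer"],
                        "expires": epoch_to_iso(cert["certificate.not_valid_after"])})
    return out


def issuer_counts(ssl_records, attr="O"):
    """`count() by issuer` reduced to one DN attribute, most frequent first (Question 18)."""
    counts = Counter(dn_component(r["issuer"], attr) for r in ssl_records if "issuer" in r)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    ssl = parse_zeek_json(SAMPLE_SSL_LOG)
    x509 = parse_zeek_json(SAMPLE_X509_LOG)
    for cert in certs_for_server(ssl, x509, "203.0.113.10"):
        print(cert["fuid"], "issued by", cert["issuer"], "expires", cert["expires"])
    print("issuers:", issuer_counts(ssl))
```

If the certificate never appears in x509.log (the FxC1 case) the session was probably resumed or the capture is incomplete, and the MD5 from files.log is what you would look up externally, as the write-up does.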

Conclusion
This challenge was definitely challenging. I learnt some new things, especially on manually deobfuscating malware, which is fun, and how to extract individual DLLs from files. I was a bit disappointed with some of the answer formats, but overall it was a very good learning experience. I hope you liked it as well, and if you have any tips or suggestions, reach out to me on Twitter.
