[ Response to the traffic analysis exercise: Finding the root cause ]

In these lines you will find my findings on the exercise published by Brad Duncan (@malware_traffic).

The exercise consists of analyzing a network capture (pcap) from an infected computer and answering the following questions:

  • Date and time of the activity.
  • The infected computer’s IP address.
  • The infected computer’s MAC address.
  • The infected computer’s host name.
  • The infected computer’s operating system.
  • Domains and IP addresses of any infection traffic.
  • The root cause (what is the likely cause of the infection noted in the pcap).

The web page with the full information about this exercise is here: http://malware-traffic-analysis.net/2015/09/23/index.html

So, let me share with you my comments and findings:

Summary covering the incident.

On Tuesday 2015-09-22 at 17:32 UTC the Windows computer named PENDJIEK-PC was powered on. About nine minutes later it contacted a malicious web server on the Internet. That site is reported (see the reputation checks below) as ZeuS infrastructure, used by cybercriminals to steal banking information, to carry out other criminal tasks and to install some versions of the CryptoLocker ransomware.

The infected computer.

Host name: PENDJIEK-PC.
IP address: 10.54.112.205 (assigned by DHCP).
MAC address: 00:50:8b:01:db:2f (Hewlett-Packard OUI; Wireshark resolves it as Hewlett-_01:db:2f).
OS: Windows 7.

Indicators of compromise.

193.23.181.155 port 80 (HTTP) – classicalbitu.com – ZeuS C&C (as reported by the reputation services linked below).

Timeline.

  • 2015-09-22 – 17:32:14 – The computer was powered on and requested an IP address via DHCP.
  • 2015-09-22 – 17:32:17 – The DHCP server assigned the IP address 10.54.112.205.
  • 2015-09-22 – 17:32:34 – The computer ran its automatic Internet-connectivity check. The test succeeded.
  • 2015-09-22 – 17:41:15 – The computer resolved the name of the ZeuS C&C web server (classicalbitu.com). The DNS resolution succeeded.
  • 2015-09-22 – 17:41:16 – The computer downloaded an image file named config.jpg, presumably carrying hidden instructions (the bot's configuration).
  • 2015-09-22 – 17:41:25 – The computer started exchanging encrypted (or obfuscated) data with the malicious web site.
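The following is an added example and is not part of the original write-up or of the exercise material: a small, dependency-free reader for the classic pcap format that pulls the answers to the exercise straight out of the packets, namely the host name and MAC from the DHCP Request, the leased IP from the DHCP ACK, the OS from the HTTP User-Agent, and the DNS and HTTP requests with their timestamps. The capture it reads is constructed inline to mirror the timeline above; the DHCP server/gateway address (10.54.112.1) and its MAC, the client ports, the DHCP transaction ID and the Windows 7 User-Agent string are assumptions, not values taken from the real pcap.

```python
"""Added example (not code from the original post): a dependency-free walker for the classic pcap
format that pulls the exercise's answers straight from the packets -- host name and MAC from the DHCP
Request, leased IP from the DHCP ACK, OS from the HTTP User-Agent, plus DNS lookups and HTTP requests.
The frames are CONSTRUCTED here to mirror the write-up's timeline; they are not from the real capture."""
import re
import struct
from calendar import timegm

def ip4(s): return bytes(map(int, s.split(".")))        # "10.0.0.1" -> 4 bytes
def mac(s): return bytes.fromhex(s.replace(":", ""))     # "aa:bb:cc:dd:ee:ff" -> 6 bytes

def eth_ip(src_mac, dst_mac, src_ip, dst_ip, proto, l4):  # Ethernet II + minimal IPv4 header (checksum zero)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip4(src_ip), ip4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + l4
def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
def tcp(sport, dport, data):  # 20-byte header (data offset 5), flags PSH|ACK, checksum zero
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data
def dhcp(op, chaddr, yiaddr, options):  # BOOTP fixed part (236 bytes) + magic cookie + TLV options + end (255)
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0x8000, b"", ip4(yiaddr), b"", b"", mac(chaddr), b"", b"")
    return fixed + b"\x63\x82\x53\x63" + b"".join(bytes([t, len(v)]) + v for t, v in options) + b"\xff"
def dns_query(name):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    return struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def parse_dhcp_options(data):
    """Options follow the 236-byte header and 4-byte cookie; 0 = pad, 255 = end."""
    opts, i = {}, 240
    while i < len(data) and data[i] != 255:
        if data[i] == 0:
            i += 1
        else:
            t, n = data[i], data[i + 1]
            opts[t], i = data[i + 2:i + 2 + n], i + 2 + n
    return opts
def parse_dns_qname(data, off=12):
    labels = []
    while data[off]:
        labels.append(data[off + 1:off + 1 + data[off]].decode())
        off += 1 + data[off]
    return ".".join(labels)
def parse_http_request(data):
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    method, path, _ = head[0].split(" ", 2)
    return method, path, {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in head[1:] if ":" in h)}
WINDOWS_NT = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7", "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10"}
def os_from_user_agent(ua):  # map the "Windows NT x.y" token of a User-Agent to the marketing name, None if absent
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    return WINDOWS_NT.get(m.group(1), "Windows NT " + m.group(1)) if m else None
def read_pcap(blob):  # yield (timestamp, frame) from a classic little-endian libpcap file (24-byte global header)
    if struct.unpack("<I", blob[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(blob):
        sec, usec, incl, _ = struct.unpack("<IIII", blob[off:off + 16])
        yield sec + usec / 1e6, blob[off + 16:off + 16 + incl]
        off += 16 + incl

def analyze(blob):
    """Walk every frame once and collect the facts the exercise asks for."""
    r = {"host_name": None, "mac": None, "ip": None, "os": None, "dns": [], "http": [], "first": None, "last": None}
    for ts, f in read_pcap(blob):
        if f[12:14] != b"\x08\x00" or f[23] not in (6, 17):
            continue  # IPv4 over TCP/UDP only
        r["first"], r["last"], ip = r["first"] or ts, ts, f[14:]
        proto, src, dst = ip[9], ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        l4 = ip[(ip[0] & 0xF) * 4:]
        dport, data = struct.unpack("!H", l4[2:4])[0], (l4[8:] if proto == 17 else l4[(l4[12] >> 4) * 4:])
        if proto == 17 and dport == 67 and data[:1] == b"\x01":  # DHCP Request: the client names itself
            r["mac"] = ":".join("%02x" % b for b in data[28:34])  # chaddr
            r["host_name"] = parse_dhcp_options(data).get(12, b"").decode() or r["host_name"]
        elif proto == 17 and dport == 68 and data[:1] == b"\x02" and parse_dhcp_options(data).get(53) == b"\x05":
            r["ip"] = ".".join(map(str, data[16:20]))  # DHCP ACK: yiaddr is the granted lease
        elif proto == 17 and dport == 53:
            r["dns"].append((src, parse_dns_qname(data)))
        elif proto == 6 and dport == 80 and data[:4] in (b"GET ", b"POST"):
            method, path, h = parse_http_request(data)
            r["http"].append((src, dst, method, h.get("host", ""), path))
            r["os"] = r["os"] or os_from_user_agent(h.get("user-agent", ""))
    return r

# Constructed sample capture mirroring the write-up's timeline (offsets are seconds after boot).
CLIENT, SERVER, BCAST = "00:50:8b:01:db:2f", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"  # server MAC is assumed
T0 = timegm((2015, 9, 22, 17, 32, 14))
UA = b"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"  # assumed Windows 7 User-Agent
FRAMES = [
    (0, eth_ip(CLIENT, BCAST, "0.0.0.0", "255.255.255.255", 17, udp(68, 67, dhcp(1, CLIENT, "0.0.0.0",
        [(53, b"\x03"), (50, ip4("10.54.112.205")), (12, b"PENDJIEK-PC")])))),
    (3, eth_ip(SERVER, CLIENT, "10.54.112.1", "10.54.112.205", 17, udp(67, 68, dhcp(2, CLIENT, "10.54.112.205", [(53, b"\x05")])))),
    (541, eth_ip(CLIENT, SERVER, "10.54.112.205", "10.54.112.1", 17, udp(49152, 53, dns_query("classicalbitu.com")))),
    (542, eth_ip(CLIENT, SERVER, "10.54.112.205", "193.23.181.155", 6, tcp(49153, 80,
        b"GET /config.jpg HTTP/1.1\r\nHost: classicalbitu.com\r\nUser-Agent: " + UA + b"\r\n\r\n"))),
]

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for dt, f in frames:
        out += struct.pack("<IIII", T0 + dt, 0, len(f), len(f)) + f
    return out
SAMPLE_PCAP = build_pcap(FRAMES)
```

Running `analyze(SAMPLE_PCAP)` returns the host name, MAC, leased IP, "Windows 7", the lookup of classicalbitu.com and the GET for /config.jpg, with the first and last timestamps 542 seconds apart. On the real capture the same fields are one Wireshark display filter away: `bootp.option.hostname` (`dhcp.option.hostname` since Wireshark 3.0) for the host name, `dns.qry.name` for the lookups, and `http.request` together with `http.user_agent` for the requests; the hand-written parser is here to show where in the bytes each answer lives.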

Traffic review and responses.

Date and time of the activity: the activity runs from 17:32:14 to 17:57:28 UTC on Tuesday 2015-09-22.

[Screenshot: Date_Time]

The IP, MAC address and host name of the infected computer.

[Screenshots: IP_MAC_Hostname, IP_Hostname2]

The infected computer’s operating system (Windows 7).

[Screenshots: OS, OS1]

Domains and IP addresses of any infection traffic: 193.23.181.155 port 80 (HTTP), classicalbitu.com.

[Screenshot: Malicious_Findings]

https://www.networktotal.com/search.php?q=262f28f7641ca0a57f890daf1ccfdad9&pmd5=7ed0f7b85e293fce240e8fa5fe72a05d

[Screenshots: Malicious_IP_Domain, Bad_Domain_Rep1]

https://www.virustotal.com/es/url/b997896a2a954d9312ae94d98226f49cd0e091b0de235c1287256aa5fd6882cd/analysis/1443236683/

[Screenshot: Bad_Domain_Rep2]

http://www.urlvoid.com/scan/classicalbitu.com/

[Screenshot: Bad_Domain_Rep3]

Web traffic analysis.

[Screenshot: Traffic_Exchange1]

https://pcapperf.appspot.com/view?hash_str=7ed0f7b85e293fce240e8fa5fe72a05d

IP address location (made with Wireshark's GeoIP map function).

[Screenshot: Map_Malicious_IP]

Bonus:

Image downloaded (potentially with hidden instructions).

[Screenshots: image1, image3]

Original image (includes metadata).

[Original image, captioned "Network servers in a data center. Swallow depth of Field"]

Image metadata analysis (extract).

[Screenshot: Metadata_Image_Sample1]
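An added example for this bonus section, not code from the original post: a small triage routine for a downloaded "image" such as config.jpg. It walks the JPEG marker segments (where JFIF, Exif and comment metadata lives), then looks for bytes appended after the End-Of-Image marker and measures their entropy. Appending a payload after EOI keeps the file viewable as a picture, so "does anything trail the EOI, and does it look random?" is a quick first check before reaching for a full stego toolkit. The sample JPEG is constructed inline; nothing in it comes from the real config.jpg.

```python
"""Added example (not code from the original post): triage a downloaded "image" such as config.jpg.
Walks the JPEG marker segments (where JFIF/Exif/comment metadata lives) and then checks for bytes
appended after the End-Of-Image marker, measuring their entropy. The sample JPEG is CONSTRUCTED;
nothing in it is taken from the real config.jpg."""
import math
import struct

MARKERS = {0xE0: "APP0", 0xE1: "APP1", 0xFE: "COM", 0xDB: "DQT", 0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS"}

def shannon_entropy(data):
    """Bits per byte: ~8.0 for random/compressed/encrypted data, ~4-5 for text, 0 for a constant."""
    if not data:
        return 0.0
    probs = [data.count(b) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in probs)

def triage_jpeg(blob):
    """Return the marker segments up to SOS and whatever trails the first EOI (0xFFD9) after the scan."""
    if blob[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, off = [], 2
    while off + 4 <= len(blob) and blob[off] == 0xFF:
        marker, length = blob[off + 1], struct.unpack(">H", blob[off + 2:off + 4])[0]
        segments.append((MARKERS.get(marker, "0x%02X" % marker), blob[off + 4:off + 2 + length]))
        off += 2 + length
        if marker == 0xDA:
            break  # entropy-coded scan data follows; inside it 0xFF is escaped, so the next FFD9 is the real EOI
    eoi = blob.find(b"\xff\xd9", off)
    trailing = blob[eoi + 2:] if eoi != -1 else b""
    return {"segments": segments, "trailing_bytes": len(trailing),
            "trailing_entropy": round(shannon_entropy(trailing), 2), "trailing_preview": trailing[:16]}

def report(blob):
    """One-line verdict for a triage note."""
    r = triage_jpeg(blob)
    if not r["trailing_bytes"]:
        return "plain JPEG, %d segments before scan data, nothing after EOI" % len(r["segments"])
    return "%d bytes after EOI, entropy %.2f: inspect as a possible embedded payload" % (r["trailing_bytes"], r["trailing_entropy"])

def _seg(marker, body):  # helper used only to build the constructed sample
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body

SAMPLE_JPEG = (b"\xff\xd8" + _seg(0xE0, b"JFIF\0\x01\x01\0\0\x01\0\x01\0\0") + _seg(0xFE, b"constructed sample comment")
               + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56\x78" + b"\xff\xd9")
HIDDEN_BLOB = bytes(range(256))  # stand-in for an appended config: each byte value once, so entropy is exactly 8.0
SAMPLE_WITH_PAYLOAD = SAMPLE_JPEG + HIDDEN_BLOB
```

`report(SAMPLE_JPEG)` describes a clean file, while `report(SAMPLE_WITH_PAYLOAD)` flags 256 trailing bytes at entropy 8.0. High entropy after EOI is consistent with an encrypted or compressed configuration, which matches the "encrypted (or obfuscated)" exchange noted in the timeline, but it is only a lead: a real sample still needs the trailing bytes carved out and examined.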

Final words.

According to Symantec, this kind of malware is primarily distributed through spam campaigns and drive-by downloads, though given its versatility other vectors may also be used.

I think this capture does not include the initial infection process and only reflects the traffic of a computer that was already infected. This is my opinion; what do you think?

Greetings.
Have a great day.
