In these lines you will find my findings on the exercise published by Brad Duncan (@malware_traffic).
The exercise consists of analyzing a network capture (pcap) from an infected computer and answering the following questions:
- Date and time of the activity.
- The infected computer’s IP address.
- The infected computer’s MAC address.
- The infected computer’s host name.
- The infected computer’s operating system.
- Domains and IP addresses of any infection traffic.
- The root cause (what is the likely cause of the infection noted in the pcap).
The web page with the full information about this exercise is here: http://malware-traffic-analysis.net/2015/09/23/index.html
So, let me share with you my comments and findings:
Summary covering the incident.
On Tuesday 2015-09-22 at 17:32 UTC the Windows computer named PENDJIEK-PC was powered on. Immediately, the computer got in contact with a malicious web server on the Internet. This malicious web site has been identified as being used by cybercriminals to steal banking information, to carry out criminal tasks, and also to install some versions of the CryptoLocker ransomware.
The infected computer.
Host name: PENDJIEK-PC.
MAC address: 00:50:8b:01:db:2f (Hewlett-_01:db:2f).
OS: Windows 7.
Indicators of compromise.
220.127.116.11 port 80 (HTTP) – classicalbitu.com – ZeuS C&C.
- 2015-09-22 – 17:32:14 – The computer was powered on and requested an IP address via DHCP.
- 2015-09-22 – 17:32:17 – The DHCP server assigned the IP address 10.54.112.205.
- 2015-09-22 – 17:32:34 – The computer ran an automatic routine to verify Internet connectivity. The test was successful.
- 2015-09-22 – 17:41:15 – The computer tried to resolve the IP address of the ZeuS C&C web server. The resolution was successful.
- 2015-09-22 – 17:41:16 – The computer downloaded a .jpg image called config.jpg with hidden instructions.
- 2015-09-22 – 17:41:25 – The computer started to exchange encrypted (or obfuscated) information with the malicious web site.
Traffic review and responses.
Date and time of the activity: the activity took place between 17:32:14 and 17:57:28 on Tuesday 2015-09-22.
The IP, MAC address and host name of the infected computer.
The infected computer’s operating system (Windows 7).
Domains and IP addresses of any infection traffic: 18.104.22.168, port 80 (HTTP), classicalbitu.com.
Web traffic analysis.
IP address location (made with Wireshark map function).
Image downloaded (potentially with hidden instructions).
Original image (includes metadata).
Image metadata analysis (extract).
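As an added helper (not part of the original post or the exercise materials), the following script walks the marker structure of a JPEG such as the downloaded config.jpg, lists the APPn/COM metadata segments for review, and reports any bytes that sit after the EOI marker, which is a common place for a decoy image to carry non-image content. The JPEG bytes below are constructed for the demo; the post does not say how this particular file carried its instructions, so treat this as a generic review step rather than a description of the sample.

```python
import struct

# Constructed minimal JPEG (not the real config.jpg): SOI, APP0, COM, SOS with a few
# entropy-coded bytes, EOI, then extra bytes appended after the end of the image.
TRAILER = b"CFG:not-image-data"
SAMPLE_JPEG = (
    b"\xff\xd8"                                                   # SOI
    + b"\xff\xe0" + struct.pack(">H", 16)
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"              # APP0 (JFIF header)
    + b"\xff\xfe" + struct.pack(">H", 9) + b"decoy!!"             # COM segment
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"  # SOS header
    + b"\x12\x34\xff\x00\x56"                                     # scan data; FF00 is a stuffed byte
    + b"\xff\xd9"                                                 # EOI
    + TRAILER
)

def marker_name(marker: int) -> str:
    if 0xE0 <= marker <= 0xEF:
        return f"APP{marker - 0xE0}"
    return {0xFE: "COM", 0xDA: "SOS", 0xDB: "DQT", 0xC4: "DHT", 0xC0: "SOF0"}.get(marker, f"0x{marker:02X}")

def walk_jpeg(data: bytes) -> dict:
    """Walk the marker segments of a JPEG. Returns the segment names in order,
    the APPn/COM metadata payloads, and any bytes found after the EOI marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI: not a JPEG")
    pos, segments, metadata, trailing = 2, [], [], b""
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: anything after it is not image data
            segments.append("EOI")
            trailing = data[pos + 2:]
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # length counts its own 2 bytes
        name = marker_name(marker)
        segments.append(name)
        if name.startswith("APP") or name == "COM":
            metadata.append((name, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == 0xDA:                       # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                        # FF00 is byte stuffing, FFD0-D7 are restart markers
                pos += 1
    return {"segments": segments, "metadata": metadata, "trailing": trailing}

def triage(data: bytes) -> list:
    """Findings worth a second look when reviewing a downloaded image."""
    r = walk_jpeg(data)
    notes = [f"{name}: {len(payload)} bytes" for name, payload in r["metadata"]]
    if r["trailing"]:
        notes.append(f"{len(r['trailing'])} bytes appended after EOI")
    if "EOI" not in r["segments"]:
        notes.append("no EOI marker: truncated or not a complete JPEG")
    return notes
```

Run triage() on the bytes of a file carved from the pcap; the metadata payloads returned by walk_jpeg() are what you would inspect next.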
According to Symantec, this kind of malware is primarily distributed through spam campaigns and drive-by downloads, though given its versatility, other vectors may also be used.
I think this capture does not include the initial infection process and only reflects the traffic of a computer that was already infected. This is my opinion; what do you think?
Have a great day.