Malware Traffic Analysis — Burnincandle Walkthrough

Jacob Stickney
May 30, 2022

This is a walkthrough for the Malware Traffic Analysis packet capture exercise called BURNINCANDLE. The exercise requires the use of Wireshark and OSINT for enrichment purposes. It’s been months since I’ve done a packet capture analysis. I’ve enjoyed diving into packet captures again!

Below, we are provided with the domain network segmentation:

LAN segment range: 10.0.19.0/24 (10.0.19.0 through 10.0.19.255)
Domain: burnincandle.com
Domain controller: 10.0.19.9 — BURNINCANDLE-DC
LAN segment gateway: 10.0.19.1
LAN segment broadcast address: 10.0.19.255

Web traffic, especially TCP port 80 (HTTP), is one of the most commonly abused channels for malware delivery and command and control, so it's a good first place to look.

In Wireshark, I filter on the HTTP protocol, specifically requests from the internal hosts, with the display filter http.request.

The first packet contains traffic from an internal host to a URL with a .top domain extension. According to Wikipedia, .top domains "are often used for malware and phishing, and [the TLD] is included in the list of banned TLDs for some antimalware vendors such as Malwarebytes." This alone makes the domain suspicious, so let's query this URL in VirusTotal to see what turns up.
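The triage step described above, written out as an added example that is not part of the original walkthrough: it takes tshark field output for the http.request filter (a constructed sample is embedded below, with made-up hostnames and external IPs), keeps only requests leaving the exercise's 10.0.19.0/24 segment, and flags hosts whose TLD is on a high-risk list, grouping the requests per client, host and destination IP so each pair is enriched once.

```python
import ipaddress

# Constructed sample of tshark field output (tab separated), as produced by:
#   tshark -r capture.pcap -Y http.request -T fields \
#     -e ip.src -e ip.dst -e http.host -e http.request.method -e http.request.uri
# All hostnames and external IPs below are made up for this example.
SAMPLE_TSHARK_OUTPUT = """\
10.0.19.142\t203.0.113.45\tplaceholder-lure.top\tGET\t/wp-content/index.php
10.0.19.142\t198.51.100.7\tupdates.vendor.example\tGET\t/catalog.xml
10.0.19.9\t10.0.19.142\tburnincandle-dc\tGET\t/
10.0.19.77\t203.0.113.45\tplaceholder-lure.top\tPOST\t/upload
"""

LAN_SEGMENT = ipaddress.ip_network("10.0.19.0/24")          # from the exercise
INFRA_ADDRESSES = {"10.0.19.9", "10.0.19.1", "10.0.19.255"}  # DC, gateway, broadcast
HIGH_RISK_TLDS = {"top"}  # the TLD flagged in this walkthrough; extend from your own intel


def parse_tshark_fields(text):
    """Turn tshark -T fields output into dicts, skipping blank or short lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 5 or not parts[0]:
            continue
        src, dst, host, method, uri = parts[:5]
        records.append({"src": src, "dst": dst, "host": host.lower(),
                        "method": method, "uri": uri})
    return records


def is_external(addr):
    """True when the address lies outside the LAN segment."""
    return ipaddress.ip_address(addr) not in LAN_SEGMENT


def triage_http_requests(records):
    """One finding per (client, host, destination IP) for outbound requests
    that leave the LAN segment and whose host ends in a high-risk TLD."""
    findings = {}
    for r in records:
        if r["src"] in INFRA_ADDRESSES or not is_external(r["dst"]):
            continue  # internal-only traffic or infrastructure chatter
        tld = r["host"].rsplit(".", 1)[-1]
        if tld in HIGH_RISK_TLDS:
            key = (r["src"], r["host"], r["dst"])
            findings.setdefault(key, []).append(f'{r["method"]} {r["uri"]}')
    return [{"client": c, "host": h, "dst_ip": d, "requests": reqs}
            for (c, h, d), reqs in sorted(findings.items())]


if __name__ == "__main__":
    for f in triage_http_requests(parse_tshark_fields(SAMPLE_TSHARK_OUTPUT)):
        print(f"{f['client']} -> {f['host']} ({f['dst_ip']}): {', '.join(f['requests'])}")
```

Each flagged host and destination IP is then the input to the VirusTotal and AbuseIPDB lookups that follow.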

17 scanning engines on VirusTotal detected this domain as malicious, well beyond the threshold of chalking it up to false positive detections. Now that we have a URL, let’s also document the associated IP address.

This IP has only been reported a couple of times on AbuseIPDB, but it’s still an external IP involved in a network compromise.

There were no other suspicious domains or URLs visited over HTTP, so let’s investigate HTTPS traffic, TCP port 443.

The server in the highlighted packet is hosting "Antnoscience", which is a nonsensical name for a website, so it's worth enriching.

13 scanning engines on VirusTotal detected this domain as malicious. It’s good to know it is malicious, but more information is still needed. Let’s Google search this domain (in quotes).

Immediately, we see that this domain is directly associated with IcedID malware, a well-known banking trojan. On the page from The DFIR Report, the domain and the corresponding IP address from Wireshark have been observed in IcedID command and control activity.

Now that we have developed more context and attributed the compromise to a specific threat, rather than only knowing that malware was involved, more targeted defensive countermeasures can be implemented to help prevent this from happening again.

I hope you have enjoyed this walkthrough!
