Walkthrough: Infection at the Japanese office (Courtesy of Malware-Traffic-Analysis)

Jacob Stickney
4 min read · May 6, 2021

This is a walkthrough for the Malware-Traffic-Analysis.net case called Infection at the Japanese office. The link to the page at MTA is here, which includes a prefaced incident description (also shown below), PCAP file, and corresponding Snort and Suricata alerts as text files. I use Wireshark for the packet capture analysis.

These are great exercises in identifying indicators of compromise, and indicators of attack.

SCENARIO

You work as a security analyst for a company with locations world-wide, and it recently opened a field office in Japan.

On Tuesday 2017–06–27, you notice several high-priority alerts from two different Intrusion Detection Systems (IDS). One IDS is running Snort using the Snort subscription ruleset, and the other is running Suricata using the EmergingThreats Pro ruleset.

The results indicate a Windows computer was infected at your company’s Japan field office. You are tasked to investigate! You have the pcap, a text file containing the Snort alerts, and a text file containing the Suricata alerts.

What is the MAC address, IP address, and host name of the infected Windows computer?

The IP address of the infected host, in this case, is easy to detect, if you filter just the web traffic, using either:

(http.request or ssl.handshake.type == 1) and !(udp.port eq 1900)

http.request

From the main screen, the source IP is 192.168.1[.]96. In the lower details pane, you can find the MAC address by expanding Ethernet > Source, which shows 00:15:c5:de:c7:3b as the MAC address field value (in parentheses).

To locate the hostname, we want to filter DHCP (UDP port 67) traffic. In the filter display box, filter as:

udp.port eq 67

This retrieves DHCP traffic. With the infected host IP address selected, expand Dynamic Host Configuration Protocol > Option: (12) Host Name, where it shows FlashGordon-PC as the Host Name.
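The host name Wireshark shows under Option: (12) comes from the DHCP options section of the client's own request, which is why a DHCP filter recovers it. The following is an added example, not code from the walkthrough or from Malware-Traffic-Analysis, that parses a raw BOOTP/DHCP message (the UDP payload) and pulls out the client hardware address and Option 12 exactly as the Wireshark dissector does. The sample packet is constructed in `build_sample_dhcp_request()` using the MAC and host name reported above; it is not a packet taken from the pcap. The transaction ID is an arbitrary placeholder.

```python
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field (RFC 2131)
OPT_PAD = 0
OPT_HOST_NAME = 12
OPT_MESSAGE_TYPE = 53
OPT_END = 255


def parse_dhcp(payload: bytes) -> dict:
    """Parse a BOOTP/DHCP message (the UDP payload on port 67/68) into fixed fields and options."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short payload or missing magic cookie)")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    if hlen > 16:
        raise ValueError("hardware address length exceeds the 16-byte chaddr field")
    chaddr = payload[28:28 + hlen]           # client hardware address, normally the Ethernet MAC

    # Options are TLV-encoded: code, length, value. PAD has no length byte, END terminates.
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        options[code] = value
        i += 2 + length

    msg_type = options[OPT_MESSAGE_TYPE][0] if OPT_MESSAGE_TYPE in options else None
    # Option 12 is supplied by the client itself; treat it as a hint about the host, not proof.
    hostname = options.get(OPT_HOST_NAME, b"").decode("ascii", errors="replace")
    return {
        "op": op,
        "xid": xid,
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        "msg_type": msg_type,
        "hostname": hostname,
        "options": options,
    }


def build_sample_dhcp_request(mac: str, hostname: str, xid: int = 0x3903F326) -> bytes:
    """Build a minimal DHCP Request. Constructed sample for the example, not a pcap packet."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0)  # BOOTREQUEST, Ethernet, hlen 6
    header += b"\x00" * 16                                    # ciaddr, yiaddr, siaddr, giaddr
    header += chaddr + b"\x00" * 64 + b"\x00" * 128           # chaddr, sname, file
    options = bytes([OPT_MESSAGE_TYPE, 1, 3])                 # message type 3 = DHCPREQUEST
    options += bytes([OPT_HOST_NAME, len(hostname)]) + hostname.encode("ascii")
    options += bytes([OPT_END])
    return header + DHCP_MAGIC_COOKIE + options


if __name__ == "__main__":
    sample = build_sample_dhcp_request("00:15:c5:de:c7:3b", "FlashGordon-PC")
    parsed = parse_dhcp(sample)
    print(f"MAC {parsed['mac']}  host name {parsed['hostname']!r}  msg type {parsed['msg_type']}")
```

The parser stops at the END option and rejects truncated TLVs rather than reading past the buffer, which matters when the same logic is pointed at arbitrary captured traffic. Because the host name is client-supplied, a DHCP-derived name should be cross-checked against the MAC and, where available, asset inventory before being used as an identity in an incident report.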

What is the date and time (in UTC) the computer was infected?

Again, it helps to filter just on web traffic. Doing so gives us a better idea of what is going on here.

If you have already followed the TCP stream of the GET request, you know that the packet carrying the gerv.gun file marks the initial infection. The time is shown on the far left-hand side of the main screen, indicating 2017–06–27 13:38 as the date and time, omitting the seconds. This is also the date given in the scenario description, including the day as Tuesday. We could also confirm the weekday on any calendar.

Based on the Snort and Suricata alerts, what was the computer infected with?

The alerts indicate that the computer was infected with a Pushdo malware variant.

Based on indicators from the first HTTP GET request, determine how the computer was infected.

Two indicators to look for here are the Host (matied.com) and the GET request (gerv.gun). Together these form the URL matied.com/gerv.gun. Searching Google for this URL in quotes (so the browser treats it as a search term rather than navigating to the page) points us to malspam as the delivery method for the malware payload.

Based on the previous answer, what is the SHA256 hash for the file that probably infected the computer?

For Linux users, we can find the SHA256 hash value from the command line. First, we want to save the gerv.gun file. To do this, click on File > Export Objects > HTTP…, and filter on gerv. Save it.

Keep in mind that this file is a Windows executable (.exe), despite the .gun extension.

In the terminal, change directory to the file location, then input the command:

sha256sum gerv.gun

It outputs the SHA256 sum, which is c19c2ddc2d0aa5a0f5d646242be9b176ddddc637584dfec19b3c656a5b4015de

The pcap contains 3 Windows executable files sent over HTTP. Export them from the pcap. What are the SHA256 file hashes of those 3 files?

We already have the SHA256 hash for one file (gerv.gun); now we need the 2 others.

Again, click File > Export Objects > HTTP…, and filter on exe.

This returns trow.exe and wp.exe as the two other executables. Save the trow.exe file that is 1,448 bytes.

In the terminal, output the hash value for these two files. I’ve also included the hash value for the first file.

SHA256 of gerv.gun: c19c2ddc2d0aa5a0f5d646242be9b176ddddc637584dfec19b3c656a5b4015de

SHA256 of wp.exe: 79d503165d32176842fe386d96c04fb70f6ce1c8a485837957849297e625ea48

SHA256 of trow.exe: 6b5b32f6df7751991cdeca8b9447658b0a9f18084d7847fc5f187081acabc994
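Running sha256sum by hand works for three files, but the same triage is usually repeated over every object exported from a pcap and compared against hashes already known from the alerts or a previous case. The following is an added example, not code from the walkthrough or from Malware-Traffic-Analysis, that hashes each exported object, checks whether it starts with the MZ header expected of a Windows executable (regardless of its extension, as with gerv.gun), and flags matches against the three hashes listed above, which are copied from this walkthrough. The files written in the `__main__` section are constructed samples, so they are reported as unknown rather than matching those hashes.

```python
import hashlib
import tempfile
from pathlib import Path

# The three SHA256 values reported in this walkthrough (copied from the page, not computed here).
KNOWN_BAD_SHA256 = {
    "c19c2ddc2d0aa5a0f5d646242be9b176ddddc637584dfec19b3c656a5b4015de": "gerv.gun",
    "79d503165d32176842fe386d96c04fb70f6ce1c8a485837957849297e625ea48": "wp.exe",
    "6b5b32f6df7751991cdeca8b9447658b0a9f18084d7847fc5f187081acabc994": "trow.exe",
}


def sha256_bytes(data: bytes) -> str:
    """SHA256 hex digest of an in-memory blob (same value sha256sum prints for that content)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """SHA256 of a file read in chunks, so large exports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_blob(name: str, data: bytes, known_bad=KNOWN_BAD_SHA256) -> dict:
    """Describe one exported object: size, hash, PE magic, and any known-bad match."""
    digest = sha256_bytes(data)
    return {
        "name": name,
        "size": len(data),
        "sha256": digest,
        "pe": data[:2] == b"MZ",          # DOS/PE header magic; extension alone is not trusted
        "known_bad": known_bad.get(digest),  # label from the hash list, or None if unknown
    }


def triage_exports(export_dir, known_bad=KNOWN_BAD_SHA256) -> list:
    """Triage every regular file in a directory of Wireshark-exported HTTP objects."""
    rows = []
    for p in sorted(Path(export_dir).iterdir()):
        if not p.is_file():
            continue
        with open(p, "rb") as f:
            rows.append(triage_blob(p.name, f.read(), known_bad))
    return rows


if __name__ == "__main__":
    # Constructed sample exports; the contents are placeholders, not the real payloads.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "sample.gun").write_bytes(b"MZ" + b"\x90" * 62 + b"PE\x00\x00")
        Path(d, "notes.txt").write_bytes(b"hello")
        for row in triage_exports(d):
            flag = row["known_bad"] or ("PE, unknown hash" if row["pe"] else "not PE")
            print(f"{row['name']:12} {row['size']:>8} B  {row['sha256']}  {flag}")
```

Exporting with File > Export Objects > HTTP… into a dedicated directory and pointing `triage_exports()` at it gives the same three digests as the sha256sum commands above, plus a quick signal for any further objects that carry a PE header under a non-executable name.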
