Malware Traffic Analysis Exercise - DYNACCOUNTIC
This challenge is from MALWARE-TRAFFIC-ANALYSIS.NET. Download the PCAP ZIP yourself here. Check their about page for the password.
Scenario
Someone at Dynaccountic has infected their Windows computer. Your manager has tasked you to write an incident report.
Here’s a brief outline of associated network traffic:
- LAN segment: 10.10.10.0/24 (10.10.10.0 through 10.10.10.255)
- Broadcast address: 10.10.10.255
- Domain controller: 10.10.10.3 (DYNACCOUNTIC-DC)
- Domain: dynaccountic.com
Task
The incident report should include:
- Date/Time of the infection
- Who was infected (IP address, host name, MAC address, and user account name)
- What malware is involved
- The likely source of this infection
- Indicators associated with this infection (IP addresses, domains, URLs, and file hashes, if any)
Incident Report
SUMMARY:
On 2018-04-11 at 20:14:26 UTC, a Windows computer used by winford.batiste was infected with Trickbot malware. This infection probably originated from a malicious spam email. The infected computer was sent to our help desk to be wiped and re-imaged. The user changed all of his associated passwords.
DETAILS:
Infected user's IP address: 10.10.10.209
Infected user's MAC address: 00:30:67:f1:2d:63
Infected user's host name: BATISTE-PC
Infected user's account name: winford.batiste
INDICATORS:
- 95.110.193.132:80 - caveaudelteatro.it - GET /ser0410.bin - Trickbot binary download
- 78.47.139.102:80 - myexternalip.com - GET /raw - check IP
- 82.214.141.134:449 - SSL/TLS traffic
- 86.61.160.50:447 - SSL/TLS traffic
- Malware File
- Name: ser0410.bin
- SHA256 Hash: c2c1e2c22f67dda6553cbcc173694b68677b77319243684925e8dc3f78b3dbf8
- File size: 364,544 bytes
- File description: Trickbot binary, from caveaudelteatro.it
Details
I used Wireshark to examine the PCAP file. There are a lot of TCP connections between 95.110.193.132 and 10.10.10.209. Following the stream, there is a suspicious HTTP GET request for a binary file located at caveaudelteatro.it/ser0410.bin. I also noticed a suspicious call to myexternalip.com. I went to File->Export Objects->HTTP to download the bin.
Packet | Hostname | Content Type | Size | Filename |
---|---|---|---|---|
420 | www.msftncsi.com | text/plain | 14 bytes | ncsi.txt |
1035 | caveaudelteatro.it | application/octet-stream | 364 kB | ser0410.bin |
1053 | myexternalip.com | text/plain | 16 bytes | raw |
I saved the file, checked its type, and grabbed its SHA256 hash to run through VirusTotal.
root@kali:~# file ser0410.bin
ser0410.bin: PE32 executable (GUI) Intel 80386, for MS Windows
root@kali:~# shasum -a 256 ser0410.bin
c2c1e2c22f67dda6553cbcc173694b68677b77319243684925e8dc3f78b3dbf8 ser0410.bin
Comments on VirusTotal for this hash say that this is Trickbot malware, likely delivered by an invoice scam email.
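As an added example (not part of the original write-up or of any tool it uses), the following Python script reproduces the two checks above, the `file` verdict and the SHA256, by parsing the DOS and COFF headers directly and comparing the hash against a value taken from a report or threat feed. The sample bytes it builds are a constructed stand-in for an extracted PE32, not the real ser0410.bin, and the `inspect_pe`, `matches_known_hash` and `build_constructed_pe32` names are my own.

```python
import hashlib
import struct
import sys

# COFF Machine values mapped to the wording `file` uses for them.
MACHINE_NAMES = {0x014C: "Intel 80386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "Aarch64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def inspect_pe(data: bytes) -> dict:
    """Hash the blob and, if it carries a valid MZ/PE header, report its
    architecture and PE32/PE32+ format. Truncated or non-PE input is reported
    as is_pe=False instead of raising."""
    info = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "is_pe": False,
        "machine": None,
        "format": None,
    }
    # DOS header: "MZ" at offset 0, e_lfanew (offset of "PE\0\0") at offset 60.
    if len(data) < 64 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    # Signature (4 bytes) + IMAGE_FILE_HEADER (20 bytes) must fit in the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    opt_header_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    info["is_pe"] = True
    info["machine"] = MACHINE_NAMES.get(machine, hex(machine))
    # The optional header follows the file header; its first WORD is the magic
    # that distinguishes PE32 from PE32+.
    if opt_header_size >= 2 and e_lfanew + 26 <= len(data):
        magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
        info["format"] = OPTIONAL_MAGIC.get(magic, "unknown")
    return info


def matches_known_hash(data: bytes, expected_sha256: str) -> bool:
    """Compare an extracted object against a hash quoted in a report or feed."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def build_constructed_pe32() -> bytes:
    """Constructed sample (not the real ser0410.bin): MZ stub, PE signature at
    0x40, COFF header for i386 with one section, PE32 optional-header magic."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew -> right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222
    return bytes(dos) + b"PE\0\0" + coff + optional


if __name__ == "__main__":
    # Usage: python inspect_pe.py <extracted object>; without an argument it
    # inspects the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_pe32()
    for key, value in inspect_pe(blob).items():
        print(f"{key}: {value}")
```

Running it on an object exported from Wireshark gives the same architecture and format that `file` reports, and a mismatch in `matches_known_hash` is the first sign that the export was truncated or that a different variant was served.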
I filtered by http.request or ssl.handshake.type==1 and confirmed that after the binary is downloaded, the computer's external IP is checked with a GET request to myexternalip.com. After the external IP determination, 10.10.10.209 communicated over TLSv1 to 82.214.141.134 and 86.61.160.50 on ports 449 and 447, respectively.
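The sequence just described (cleartext download of an executable, a call to an external-IP service, then TLS to non-standard ports) is a pattern worth detecting rather than finding by hand. As an added example that is not part of the original write-up, here is a small Python detector that runs over a constructed flow log in a simplified CSV shape. The addresses, hosts, URIs and ports for 10.10.10.209 are the indicators listed in the report; the timestamps, the 192.0.2.x addresses and the second host 10.10.10.57 are made up, and the column layout, stage names and function names are my own.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed log: one row per HTTP request or TLS client hello.
CONSTRUCTED_LOG = """\
ts,src,dst,dport,proto,host,uri,mime
2018-04-11T20:14:20Z,10.10.10.209,192.0.2.10,80,http,www.msftncsi.com,/ncsi.txt,text/plain
2018-04-11T20:14:26Z,10.10.10.209,95.110.193.132,80,http,caveaudelteatro.it,/ser0410.bin,application/octet-stream
2018-04-11T20:14:41Z,10.10.10.209,78.47.139.102,80,http,myexternalip.com,/raw,text/plain
2018-04-11T20:14:47Z,10.10.10.209,82.214.141.134,449,tls,,,
2018-04-11T20:14:52Z,10.10.10.209,86.61.160.50,447,tls,,,
2018-04-11T20:15:03Z,10.10.10.57,192.0.2.10,80,http,www.msftncsi.com,/ncsi.txt,text/plain
2018-04-11T20:15:10Z,10.10.10.57,192.0.2.20,443,tls,,,
"""

BINARY_MIMES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}
BINARY_EXTS = (".bin", ".exe", ".dll")
IP_CHECK_HOSTS = {"myexternalip.com"}  # extend with other "what is my IP" services you see
STANDARD_TLS_PORTS = {443}
STAGES = ("binary_download", "external_ip_check", "tls_nonstandard_port")


def parse_log(text: str) -> list:
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        row["dport"] = int(row["dport"])
        rows.append(row)
    return rows


def classify(row: dict):
    """Tag one row with the stage it could belong to, or None if unremarkable."""
    if row["proto"] == "http":
        if row["mime"] in BINARY_MIMES or row["uri"].lower().endswith(BINARY_EXTS):
            return "binary_download"
        if row["host"].lower() in IP_CHECK_HOSTS:
            return "external_ip_check"
    elif row["proto"] == "tls" and row["dport"] not in STANDARD_TLS_PORTS:
        return "tls_nonstandard_port"
    return None


def find_infection_chains(rows: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Per source host, require the three stages in order within `window`;
    return one finding per host with every tagged flow listed as an indicator."""
    tagged = {}
    for row in sorted(rows, key=lambda r: r["ts"]):
        tag = classify(row)
        if tag:
            tagged.setdefault(row["src"], []).append((tag, row))

    findings = []
    for src, events in tagged.items():
        stage, start = 0, None
        for tag, row in events:
            if tag == STAGES[stage] and (start is None or row["ts"] - start <= window):
                start = start or row["ts"]  # first stage sets the infection time
                stage += 1
                if stage == len(STAGES):
                    break
        if stage < len(STAGES):
            continue  # partial pattern only; not reported as a full chain here
        indicators = [
            f"{r['dst']}:{r['dport']}" + (f" {r['host']}{r['uri']}" if r["host"] else " (TLS)")
            for _, r in events
        ]
        findings.append({
            "src": src,
            "first_seen": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "indicators": indicators,
        })
    return findings


if __name__ == "__main__":
    for finding in find_infection_chains(parse_log(CONSTRUCTED_LOG)):
        print(f"{finding['src']} first seen {finding['first_seen']}")
        for ioc in finding["indicators"]:
            print("  ", ioc)
```

The ordering requirement is what keeps the benign www.msftncsi.com check and the second host out of the result: a lone external-IP lookup or a single odd TLS port is not enough on its own, but the download followed by both within a few minutes is, and the timestamp of the first stage is the "date/time of infection" the report asks for.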
I checked the NetBIOS Name Service (NBNS) protocol by filtering with nbns and found BATISTE-PC to be at 10.10.10.209, with MAC address 00:30:67:f1:2d:63. To find the user account name, I looked at this Wireshark guide, which told me to filter on kerberos.CNameString.
I ended up filtering on ip.addr == 10.10.10.209 and kerberos.CNameString, selecting the CNameString in the body of a packet, and choosing Apply as Column. Along with BATISTE-PC$ and batiste-pc$, I found our user winford.batiste.
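The last step, separating the machine account (BATISTE-PC$, which Kerberos shows in both cases) from the actual user, is easy to get wrong when there are many hosts in a capture. As an added example that is not part of the original write-up, the Python below takes constructed NBNS and Kerberos records of the kind those two filters surface, groups them by IP, splits machine accounts from user principals, and cross-checks that the Kerberos machine account matches the NBNS host name. The 10.10.10.209 values are the ones found above; 10.10.10.57, EXAMPLE-PC, example.user and the 00:00:5e:00:53:01 MAC are made up, and the record layout and function names are my own.

```python
# Constructed records standing in for what the nbns and kerberos.CNameString
# filters show in Wireshark (not parsed from the real PCAP).
CONSTRUCTED_NBNS = [  # (source ip, source mac, registered NetBIOS name)
    ("10.10.10.209", "00:30:67:f1:2d:63", "BATISTE-PC"),
    ("10.10.10.57", "00:00:5e:00:53:01", "EXAMPLE-PC"),
]
CONSTRUCTED_KERBEROS = [  # (source ip, CNameString from AS-REQ / TGS-REQ)
    ("10.10.10.209", "BATISTE-PC$"),
    ("10.10.10.209", "batiste-pc$"),
    ("10.10.10.209", "winford.batiste"),
    ("10.10.10.57", "EXAMPLE-PC$"),
    ("10.10.10.57", "example.user"),
]


def split_principals(cnames):
    """Machine accounts end in '$' and are case-insensitive; anything else is
    treated as a user principal. Returns (machine_accounts, users), deduplicated."""
    machine, users = set(), set()
    for name in cnames:
        if name.endswith("$"):
            machine.add(name.upper())
        else:
            users.add(name.lower())
    return sorted(machine), sorted(users)


def resolve_identity(ip: str, nbns=CONSTRUCTED_NBNS, kerberos=CONSTRUCTED_KERBEROS) -> dict:
    """Answer the 'who was infected' question for one IP from the two sources."""
    host_names = sorted({name for src, _, name in nbns if src == ip})
    macs = sorted({mac for src, mac, _ in nbns if src == ip})
    machine, users = split_principals(cname for src, cname in kerberos if src == ip)
    # Cross-check: the Kerberos machine account should be <NetBIOS host name>$.
    # A mismatch means a stale NBNS record, a renamed host, or an IP reused by
    # another machine during the capture, so the attribution needs a second look.
    consistent = any(m.rstrip("$") == h.upper() for m in machine for h in host_names)
    return {
        "ip": ip,
        "host_names": host_names,
        "macs": macs,
        "machine_accounts": machine,
        "users": users,
        "host_matches_machine_account": consistent,
    }


def wireshark_filter(ip: str) -> str:
    """The display filter used above, for the given address."""
    return f"ip.addr == {ip} and kerberos.CNameString"


if __name__ == "__main__":
    for ip in ("10.10.10.209", "10.10.10.57"):
        print(wireshark_filter(ip))
        print(resolve_identity(ip))
```

For the infected host this yields one NetBIOS name, one MAC, one machine account and one user, with the consistency flag set; an IP that shows several user principals over the capture (a shared workstation, or a helpdesk login after the infection) needs the timestamps of the Kerberos requests to decide which account was active at the time of the download.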