
Malware Analysis Exercise - When Your Users Run Email Attachments


CloudShark developer and packet guru Tom Peterson gives us another example from malware-traffic-analysis.net to learn how to best use CloudShark and our Threat Assessment add-on to get to the root of malicious activity. Let’s join him now for his latest exercise.


The exercise: Two Malicious E-mails, Two PCAPs to Analyze

In this exercise, we need to find out what happened when some users downloaded suspicious e-mail attachments and executed them. In the real world, we’d turn this into an incident report, and the author at malware-traffic-analysis has us do just that by the end of the exercise:

https://www.malware-traffic-analysis.net/2017/12/15/index.html

The exercise contains two .eml files, each holding an e-mail and the attachment that the user ran on their machine. We also have the network packet captures of the malicious activity that happened after the malware was executed.

Getting a look at the attachments

By using the munpack command, we can extract the attachments out of the e-mails. With the attachments extracted, we can submit them to the malware analysis service reverse.it.

Reverse.it will run the uploaded file and generate a report with a number of indicators to try and determine if the file is malicious or not. These indicators include the results of running the file through a number of antivirus engines, a description of what the software does, and an analysis of the network traffic generated when the file runs. There are even screenshots from the VM of what is displayed to the user!
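The extraction step above can also be done without writing anything to disk. The following is an added example, not part of the original article: it uses Python's standard email parser instead of munpack to list each attachment in a raw .eml with its size and SHA-256, so the hash can be looked up before the file is handled further. The sample message, its addresses and the function name `list_attachments` are constructed for illustration.

```python
import base64
import hashlib
from email import policy
from email.parser import BytesParser
from pathlib import PurePosixPath

# Constructed sample: an empty ZIP archive attached under a hostile file name.
PAYLOAD = b"PK\x05\x06" + b"\x00" * 18
SAMPLE_EML = (
    b"From: sender@example.com\r\n"
    b"Subject: Fw: Re: invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="BOUND"\r\n'
    b"\r\n"
    b"--BOUND\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"See the attached invoice.\r\n"
    b"--BOUND\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="../../invoice.zip"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n" + base64.b64encode(PAYLOAD) + b"\r\n"
    b"--BOUND--\r\n"
)


def list_attachments(raw: bytes) -> list[dict]:
    """Return name, size and SHA-256 for every attachment in a raw .eml."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or not filename:
            continue  # containers and body parts carry no file name
        data = part.get_payload(decode=True) or b""
        # Keep only the last path component so the sender-chosen name can
        # never point outside the directory the analyst saves it to.
        safe = PurePosixPath(filename.replace("\\", "/")).name
        if safe in ("", ".", ".."):
            safe = "unnamed.bin"
        found.append({
            "name": safe,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return found
```

Calling `list_attachments(open("message.eml", "rb").read())` on a real message (the file name here is a placeholder) returns one entry per attachment.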

Below we’ll examine each of the emails and the capture associated with whatever activity was triggered by the malware.

E-mail 1

Here is a link to the capture on CloudShark:

https://www.cloudshark.org/captures/f375d30b36e4

What is the infected machine?

If we’re looking for a Windows PC, we can look for NetBIOS traffic that advertises the machine to the rest of the network. From this packet we can learn the following information about the infected host:

  • IP Address: 10.1.1.97
  • MAC Address: 00:22:15:d4:9a:e7
  • Host Name: CHRIS-LYONS-PC

How did the malware get executed?

The e-mail for this PCAP looks to be a phishing attempt involving a fake malicious invoice:

From: "Le Huong-accounts"<LeHuong-accounts@gmail.com>
To: chris.lyons@supercarcenterdetroit.com
Subject: Fw: Re: PI no. SO-P101092262891
Date: Thu, 14 Dec 2017 19:14:14 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_005C_01C2A9A6.5C2BA3BC"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-SF-RX-Return-Path: <LeHuong-accounts@gmail.com>

This is a multi-part message in MIME format.

------=_NextPart_000_005C_01C2A9A6.5C2BA3BC
Content-Type: text/plain;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit

Dear all,

We've made balance payment for attached invoice on 14/12/2017.
Our below forwarder will contact your side for pickup arrangement:

EVO Logistics Pte Ltd
No 7, Airline Road, #05-08, Cargo Agent Building E, Singapore 819834.
PIC: lucy Tiew (Email: lucy@evvtlogistics.com.sg

There's no need to send the original Tax Invoice or Declaration Letter together
with the goods.

Thank you,
Huong Le

What did the malware do?

CloudShark Threat Assessment triggered 115 High Severity threats in this 972 second capture! It looks like all of these threats are FormBook CnC Checkins and I’m seeing what are essentially two types, HTTP GET and HTTP PUT streams from the infected client.

The results from reverse.it confirm that this file infects the host with malware that can send information about the infected machine back to a CnC server. Writeups from Arbor Networks and FireEye describing the FormBook malware show what it is capable of. This includes key logging, clipboard monitoring, sending back screenshots, and receiving commands from the remote CnC server!

Looking at the HTTP Traffic that was flagged by the threat assessment we can find the following domains that the infected client sent data to:


While checking my answers with the ones posted at malware-traffic-analysis.net, though, I found two domains missing from my answers:

  • www.yunshangcms.com (no response from the server)
  • www.heapto.com (no response from the server)

What did I miss?

These are marked as not having a response from the server, so how were these domains discovered in this PCAP? It turns out there is a great display filter for this:

(tcp.connection.syn and tcp.analysis.retransmission) or dns.qry.name

This will find us any retransmitted TCP SYN packets which we can use to find the IP address of servers that the infected client tried to send data to. It will also print out the DNS queries and responses so we can correlate that to a domain name. Here is the filtered PCAP and annotations showing where to find the retransmitted TCP SYN packets.
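The correlation described above can be scripted once the filtered packets are exported as text. This is an added example, not part of the original article: it reads tab-separated rows in the shape tshark produces for the fields `ip.dst`, `dns.qry.name` and `dns.a` under the display filter above, and maps each retransmitted-SYN destination back to the name that resolved to it. All names and addresses in the sample rows are constructed, and `unanswered_servers` is a hypothetical helper name.

```python
from collections import Counter, defaultdict

# Constructed rows (made-up .example names, RFC 5737 addresses) in the shape of
#   tshark -r capture.pcap -T fields -e ip.dst -e dns.qry.name -e dns.a \
#     -Y '(tcp.connection.syn and tcp.analysis.retransmission) or dns.qry.name'
# DNS rows carry a query name (and answers, if any); SYN rows carry only ip.dst.
SAMPLE_ROWS = (
    "10.1.1.1\twww.silent-one.example\t\n"
    "10.1.1.97\twww.silent-one.example\t192.0.2.10\n"
    "192.0.2.10\t\t\n"
    "192.0.2.10\t\t\n"
    "10.1.1.1\twww.answering.example\t\n"
    "10.1.1.97\twww.answering.example\t198.51.100.7,198.51.100.8\n"
    "203.0.113.5\t\t\n"
)


def unanswered_servers(rows: str) -> list[tuple[str, str, int]]:
    """Map each retransmitted-SYN destination to the name that resolved to it."""
    syn_retx = Counter()            # destination IP -> retransmitted SYNs
    ip_to_names = defaultdict(set)  # answer IP -> names queried for it
    for line in rows.splitlines():
        dst, qname, answers = (line.split("\t") + ["", ""])[:3]
        if qname:
            # tshark joins multiple A records with commas
            for ip in filter(None, answers.split(",")):
                ip_to_names[ip].add(qname)
        elif dst:
            syn_retx[dst] += 1
    report = []
    for ip, count in sorted(syn_retx.items()):
        # An address with no matching answer was contacted without a lookup
        # in this capture (hard-coded IP or a name resolved earlier).
        names = sorted(ip_to_names.get(ip, ())) or ["(no DNS answer in capture)"]
        for name in names:
            report.append((name, ip, count))
    return report
```

A retransmitted SYN only shows that an earlier attempt went unanswered for a while; confirm in the capture that no SYN-ACK ever arrived before reporting the server as unresponsive.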

E-mail 2

Here is a link to the capture on CloudShark:

https://www.cloudshark.org/captures/2bd91c4854c1

Infected machine

Once again, we can use NetBIOS packets to gain some information about the infected machine.

  • IP Address: 10.1.1.213
  • MAC Address: 00:08:7c:39:da:12
  • Host Name: DARNELL-PC

What did the malware do?

In the threat assessment for this capture we see a few low severity threats for a TeamViewer keep alive message. TeamViewer can be used for remote desktop access, remote support, and meetings but since we’re looking at a malware-traffic-analysis example I’m gonna guess this user isn’t aware that it is installed and running!

TeamViewer uses TCP port 5938, HTTP, and HTTPS so let’s take a look at that traffic. We can see in an HTTP Stream information such as the OS, username, and that the user looks to be an admin:

info={"os":"Windows 7 x64","pcuser":"DARNELL-PC\\darnell.castillo","cpu":"AMD FX(tm)-6120 Six-Core Processor ","ram":"16384mb","av":"AVG","admin":"YES","comment":"comment02"}

There is also an interesting TCP stream on port 5930 that looks to be TeamViewer complaining that it detected commercial use. Finally we can see one domain that the client goes to over TLS, forum.cryptopia.gdn.

The e-mail with this PCAP looks to be some type of Word Document advertising a Black Friday sale:

From: Black Friday Shopping Voucher <admin367847@airmail.cc>
To: darnell@castillomotorsports.com
Subject: Woosters Almost Sold Out! Black Friday Prices + Free Shipping For A
Few More Hours!
X-Priority: 1 (Highest)
Message-ID: <6ede6c9288b5a0446cd1fb69b5b1c097@airmail.cc>
X-Sender: admin367847@airmail.cc
User-Agent: Roundcube Webmail/1.3.3
X-SF-RX-Return-Path: <admin367847@airmail.cc>

--=_c9bbe4e27710ce37241bc7184c3d8292
Content-Type: multipart/alternative;
 boundary="=_8df98824e724aa6c089df330e8c98df0"

--=_8df98824e724aa6c089df330e8c98df0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII

 Black Friday Sale.
50% Discount on all shops!

Starting now until Wednesday the 31th of Decembr we will be offering all
users a 45% on Discount any in online shop.

This means that if you haven't upgraded yet, here is your chance. USE
THE COUPON FOR ANY PURCHASES IN ONLINE SHOP(AMAZON AND OTHER ONLINE
SHOPS)

Coupon: ATTACHED DARNELL@CASTILLOMOTORSPORTS.COM

Bit odd offering a Black Friday sale coupon on the 31th of Decembr [sic]. Even if we correct some of the typos the 31st of December wasn’t on a Wednesday in 2017 and in 2018 it will be on a Monday! Let’s see if this attachment gets flagged by any antivirus software.

VirusTotal doesn’t seem to think too highly of this file. We don’t see too much in the reverse.it report for this attachment. I do see that it is tagged as “evasive” though. That could mean that the malware is capable of detecting that it is being run in a sandbox and won’t behave the same way it would on a real user’s machine.

What we do see in the network-related informative indicators, though, is a potential URL, https://forum.cryptopia.gdn/sys.exe. There’s a match! That is the domain we saw the infected host contacting over TLS on TCP port 443. Hard to tell exactly what that file is since we can’t decrypt the TLS traffic but we should keep an eye out for this, the host contacted over HTTP, and TeamViewer related traffic for more machines infected with this!

Summary

These exercises were a little different since we had an e-mail with an attachment we could submit to VirusTotal or reverse.it. Having more pieces of data to analyze is nice, but correlating all of these does take quite a bit of work. Luckily, having the packet captures makes it that much easier.

