Network Analysis - Malware Compromise

It is suggested that you use Wireshark, Tshark or TCPDump to complete this challenge.

Scenario

A SOC Analyst at Umbrella Corporation is going through SIEM alerts and sees an alert for connections to a known malicious domain. The traffic is coming from the computer of Sara, an accountant who receives a large volume of emails from customers daily. Looking at the email gateway logs for Sara’s mailbox there is nothing immediately suspicious, with emails coming from customers. Sara is contacted via her phone and states that a customer sent her an invoice containing a document with a macro; she opened it and the program crashed. The SOC Team retrieved a PCAP for further analysis.

Challenge Submission

What’s the private IP of the infected host?

10.11.27.101

I opened the pcap file in Wireshark. The high volume of packets transferred by one particular endpoint stands out immediately.

Wireshark –> Statistics –> Endpoints (IPv4 tab, sorted by the Packets column)


What’s the malware binary that the macro document is trying to retrieve?

spet10.spr

I followed the TCP stream of the suspicious packet in which the infected host performs a GET request. The TCP Stream window shows that spet10.spr is a binary file: the response body starts with the characters MZ, the initials of Mark Zbikowski, one of the principal architects of MS-DOS, and the magic number of DOS and Windows executables. The .spr extension means nothing; the server handed back a Windows executable.


From what domain HTTP requests with GET /images/ are coming from?

cochrimato.com

To retrieve this information I opened File –> Export Objects –> HTTP…, which lists every HTTP object together with its hostname, and found the domain that the GET /images/ requests were sent to (the Host header of the request). The display filter http.request.uri contains "/images/" shows the same requests directly in the packet list.


The SOC Team found Dridex, a follow-up malware from Ursnif infection, to be the culprit. The customer who sent her the macro file is compromised. What’s the full URL ending in .rar where Ursnif retrieves the follow-up malware from?

http://95.181.198.231/oiioiashdqbwe.rar

I filtered by http.content_type == "application/rar" and found it. Note that the Content-Type field lives in the server's response, so the full URL comes from the matching GET request in the same TCP stream (http.request.full_uri in the request packet).


What is the Dridex post-infection traffic IP addresses beginning with 185.?

185.244.150.230

Among the hosts the infected machine talks to there are two IP addresses beginning with 185. (the display filter ip.addr == 185.0.0.0/8 lists both). The Dridex post-infection address we are looking for is 185.244.150.230.
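The same five checks can be automated so they can be re-run on any capture. The following script is an added illustration, not part of the original writeup and not a tool from the challenge: a dependency-free Python pass over a classic pcap that reconstructs IPv4/TCP frames, pairs each HTTP GET with its response (what Follow TCP Stream does by hand), and then answers the questions above. The capture it reads is constructed inline from the writeup's values; the server name for spet10.spr (example.invalid) and the 203.0.113.x addresses are placeholders, because the writeup does not give them.

```python
import struct
from collections import Counter

# Constructed sample capture (NOT the challenge PCAP). Addresses, hostnames and paths
# mirror the writeup; 203.0.113.x is TEST-NET-3 and HOST_SPR is a placeholder, because
# the writeup never names the server that handed out spet10.spr.
INFECTED = "10.11.27.101"
HOST_SPR = b"example.invalid"

def _ip(s):
    return bytes(int(o) for o in s.split("."))

def _frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame around `payload`; checksums are left zero (not verified here)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0, _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)   # doff=5, PSH|ACK
    return eth + ip + tcp + payload

def _pcap(frames):
    """Classic little-endian pcap: 24-byte global header, then (ts_sec, ts_usec, incl, orig) + frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)    # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = _pcap([
    _frame(INFECTED, "203.0.113.10", 49152, 80, b"GET /spet10.spr HTTP/1.1\r\nHost: " + HOST_SPR + b"\r\n\r\n"),
    _frame("203.0.113.10", INFECTED, 80, 49152, b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00\x03"),
    _frame(INFECTED, "203.0.113.20", 49153, 80, b"GET /images/a.gif HTTP/1.1\r\nHost: cochrimato.com\r\n\r\n"),
    _frame("203.0.113.20", INFECTED, 80, 49153, b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nGIF89a"),
    _frame(INFECTED, "95.181.198.231", 49154, 80, b"GET /oiioiashdqbwe.rar HTTP/1.1\r\nHost: 95.181.198.231\r\n\r\n"),
    _frame("95.181.198.231", INFECTED, 80, 49154, b"HTTP/1.1 200 OK\r\nContent-Type: application/rar\r\n\r\nRar!\x1a\x07\x00"),
    _frame(INFECTED, "185.244.150.230", 49155, 443, b"\x16\x03\x01\x00"),   # start of a TLS ClientHello
    _frame("10.11.27.1", INFECTED, 8080, 49156, b"noise"),                  # unrelated LAN chatter
])

def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, payload) for every IPv4/TCP frame in a pcap byte string."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:       # IPv4 over Ethernet, protocol TCP
            continue
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])),
               sport, dport, tcp[(tcp[12] >> 4) * 4:])

def _header(head, name, default):
    """Value of HTTP header `name` in a raw header block (request/status line excluded), or `default`."""
    for line in head.split(b"\r\n")[1:]:
        if line.lower().startswith(name + b":"):
            return line.split(b":", 1)[1].strip().decode(errors="replace")
    return default

def http_exchanges(pcap):
    """Pair each GET with the response on the same (client, port): Follow TCP Stream, automated."""
    pending, out = {}, []
    for src, dst, sport, dport, payload in iter_tcp(pcap):
        head, _, body = payload.partition(b"\r\n\r\n")
        if payload.startswith(b"GET "):
            uri = head.split(b" ")[1].decode(errors="replace")
            host = _header(head, b"host", dst)
            pending[(src, sport)] = {"client": src, "host": host, "uri": uri, "url": "http://" + host + uri}
        elif payload.startswith(b"HTTP/") and (dst, dport) in pending:
            ex = pending.pop((dst, dport))
            ex.update(content_type=_header(head, b"content-type", ""), body=body)
            out.append(ex)
    return out

def top_talker(pcap):
    """Busiest endpoint by frame count, as Statistics -> Endpoints would rank it."""
    counts = Counter(ip for src, dst, *_ in iter_tcp(pcap) for ip in (src, dst))
    return counts.most_common(1)[0][0]

def peers_with_prefix(pcap, prefix):
    """Every address starting with `prefix`, e.g. the 185. candidates for the last question."""
    return sorted({ip for src, dst, *_ in iter_tcp(pcap) for ip in (src, dst) if ip.startswith(prefix)})

def triage(pcap):
    """The writeup's five questions, answered from the capture (lists, since several may match)."""
    ex = http_exchanges(pcap)
    return {
        "infected_host": top_talker(pcap),
        "mz_downloads": [e["url"] for e in ex if e["body"].startswith(b"MZ")],   # PE/DOS magic, whatever the extension
        "images_hosts": sorted({e["host"] for e in ex if e["uri"].startswith("/images/")}),
        "rar_urls": [e["url"] for e in ex if e["content_type"] == "application/rar"],
        "peers_185": peers_with_prefix(pcap, "185."),
    }

if __name__ == "__main__":
    for k, v in triage(SAMPLE_PCAP).items():
        print(f"{k}: {v}")
```

To run it against a real capture, replace SAMPLE_PCAP with the bytes of the .pcap file (pcapng and VLAN-tagged or non-Ethernet link types are not handled, and the matcher only sees a response body if it sits in the same segment as the status line, so large downloads need reassembly). The MZ check is deliberately applied to the body rather than the filename: that is exactly why spet10.spr was identified as an executable despite its extension.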