TekDefense PCAP Challenge Write-Up

Earlier this week TekDefense posted a cool network challenge. The instructions were basic: investigate an IDS alert by analyzing the provided PCAP, determine what happened, and share the findings.

I’ve done a couple of PCAP exercises from Brad Duncan here and here. Those analyses were related to incidents dealing with exploit kits so I thought this challenge would be a fun opportunity to practice analyzing other kinds of threats.

Overall, I feel confident with the high-level findings. But I struggled to piece together some (probably key) details, even after a lot of research. Also, I didn’t author any Yara or Snort rules. (This was a second part of TekDefense’s challenge; I ended up grabbing a Yara rule from an Akamai report.)

Any feedback or tips are welcome : )

So here's my write-up!


More PCAP Analysis Practice

It’s time to tackle another PCAP analysis exercise from Brad Duncan. I’ve only done a couple of these (I posted one of my write-ups here), and would like to put myself in a more technical DFIR analyst mindset—completing more of these exercises seems like a great way to do that.

I previously attempted some of Duncan’s more complex exercises (such as this one) and found myself stumped. So, my plan is to get some more practice on the basic exercises before attempting the more advanced analyses.

The following write-up is based on the 2014-12-08 Traffic Analysis Exercise. Rather than answer each practice question one by one as I did in my first write-up, I’ve attempted to write something that resembles a real-world report and also addresses as many of the questions as possible.

Lastly, I did not check my answers before making this post – I thought it would be a little more fun that way. After I have a chance to review the answers, I may update this post (especially if my errors were egregious!)

So here we go!


Intelligence Technology and Tradecraft in 2015

With 2015 wrapped up, I wanted to reflect on some of the changes I noticed in the cyber threat intelligence (CTI) field over the course of the year. I originally had (overly) ambitious plans for this post, hoping to offer a sweeping and comprehensive review on threat intelligence. But alas. Time has expired–it’s already 2016! Instead, I decided to focus on two aspects of CTI that I’m passionate about: technology and tradecraft.

A Quick Look at A Likely NewPOSThings Sample

Executive Summary

  • Nick Hoffman identified what is likely a new variant of NewPOSThings (MD5: 761d23e1e2f496f1a6a2385808afc6eb).
  • Based on static analysis, the malware likely conducts the same activity observed in earlier NewPOSThings variants wherein it searches for and dumps passwords associated with VNC applications (e.g., RealVNC, UltraVNC). The malware also contains the hard-coded C2 domain flowerstick[.]net.
  • An actor using the alias You Chung and email address brian45345[at]safe-mail.net registered nine domains–including flowerstick[.]net–between August 1 and September 13, 2015. These sites are almost certainly used as C2 nodes for POS and/or other malware. For example, one additional NewPOSThings sample (MD5 b6c1d46e25a43d9ae24c85c38c52d6a4) communicates to chiproses[.]net, which was registered to Chung on August 17.
  • It is assumed that actors using the malware are targeting small- to medium-sized businesses given the malware’s focus on VNC applications. Small businesses are generally more likely to use remote administration software for their POS terminals so that third parties can manage the terminals.

Below is a Maltego graph showing the identified links between the malware, actor, and infrastructure.

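Added example (not code from the original post, and not its Maltego graph): a small Python script that performs the registrant-e-mail pivot the summary describes, turning sample-to-C2 pairs plus WHOIS records into the same kind of sample → domain → registrant → sibling-domain links. The two hashes, the two C2 domains, the alias and e-mail address, and the August 17 registration of chiproses[.]net are taken from the post; every other WHOIS record, the *.example domains, and the remaining creation dates are constructed here so the script runs offline. The August 1 to September 13, 2015 window is the one the post gives.

```python
"""Registrant-e-mail pivot over a WHOIS snapshot (added example, not the
original post's tooling). Real facts: the two sample hashes, their C2
domains, the registrant alias/e-mail, and chiproses.net's 2015-08-17
creation date. Everything else below is CONSTRUCTED for the example."""

from datetime import date

# Sample MD5 -> hard-coded C2 domain (both pairs are from the post).
SAMPLE_C2 = {
    "761d23e1e2f496f1a6a2385808afc6eb": "flowerstick.net",
    "b6c1d46e25a43d9ae24c85c38c52d6a4": "chiproses.net",
}

# Constructed historical-WHOIS snapshot. Only the e-mail/alias and the
# chiproses.net creation date are from the post; the flowerstick.net date
# is an assumed value inside the post's window, and the *.example rows are
# invented noise so the filters have something to reject.
WHOIS = [
    {"domain": "flowerstick.net", "registrant": "You Chung",
     "email": "brian45345@safe-mail.net", "created": date(2015, 8, 20)},
    {"domain": "chiproses.net", "registrant": "You Chung",
     "email": "brian45345@safe-mail.net", "created": date(2015, 8, 17)},
    # same registrant, never seen in a sample: the pivot should surface it
    {"domain": "pivot-only.example", "registrant": "You Chung",
     "email": "brian45345@safe-mail.net", "created": date(2015, 9, 13)},
    # same registrant but years earlier: the date window should drop it
    {"domain": "old-domain.example", "registrant": "You Chung",
     "email": "brian45345@safe-mail.net", "created": date(2013, 1, 5)},
    # inside the window but a different registrant: unrelated
    {"domain": "unrelated.example", "registrant": "Some Registrant",
     "email": "owner@unrelated.example", "created": date(2015, 8, 5)},
]

WINDOW_START, WINDOW_END = date(2015, 8, 1), date(2015, 9, 13)


def defang(domain):
    """Render a domain so it is not clickable in a report: a.b -> a[.]b."""
    return domain.replace(".", "[.]")


def registrants_for(domains, whois):
    """Map each observed C2 domain to its WHOIS registrant e-mail (None if absent)."""
    by_domain = {r["domain"]: r for r in whois}
    return {d: (by_domain[d]["email"] if d in by_domain else None) for d in domains}


def pivot_on_email(email, whois, start=None, end=None):
    """Every domain registered with this e-mail, optionally limited to a
    creation-date window (both ends inclusive). Sorted for stable output."""
    hits = []
    for r in whois:
        if r["email"].lower() != email.lower():
            continue
        if start is not None and r["created"] < start:
            continue
        if end is not None and r["created"] > end:
            continue
        hits.append(r["domain"])
    return sorted(hits)


def link_graph(sample_c2, whois, start=None, end=None):
    """Build Maltego-style edges (kind, src, relation, dst) from samples to
    C2 domains, domains to registrant e-mails, and e-mails to sibling
    domains. Returns (edges, inferred) where `inferred` lists domains that
    were reached only through the registrant pivot, never from a sample."""
    observed = set(sample_c2.values())
    emails = registrants_for(observed, whois)
    edges, inferred = [], set()
    for sample, domain in sample_c2.items():
        edges.append(("sample", sample, "c2", domain))
        email = emails[domain]
        if email is None:          # no WHOIS record: cannot pivot from here
            continue
        edges.append(("domain", domain, "registrant", email))
        for sibling in pivot_on_email(email, whois, start, end):
            if sibling not in observed:
                inferred.add(sibling)
                edges.append(("registrant", email, "registered", sibling))
    # two samples sharing a registrant produce duplicate pivot edges; dedupe
    seen, unique = set(), []
    for edge in edges:
        if edge not in seen:
            seen.add(edge)
            unique.append(edge)
    return unique, sorted(inferred)


def report(edges, inferred):
    """Plain-text rendering with defanged domains, as it would go in a write-up."""
    lines = [f"{kind} {src} --{rel}--> {defang(dst)}" for kind, src, rel, dst in edges]
    lines.append("Inferred (pivot-only) infrastructure: "
                 + (", ".join(defang(d) for d in inferred) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    e, inf = link_graph(SAMPLE_C2, WHOIS, WINDOW_START, WINDOW_END)
    print(report(e, inf))
```

Two caveats a practitioner should attach to any pivot like this: it needs historical WHOIS (registrant e-mail has been redacted in most live WHOIS output since 2018), and a shared privacy-proxy or registrar-placeholder address will pivot to thousands of unrelated domains, so check how many domains an e-mail returns before treating the siblings as attacker infrastructure.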


Write It, Or It Didn’t Happen

BLUF: As intelligence analysts, our customers demand that we know a lot about a lot. However, research from Chris Sanders shows that humans’ working memories are very limited; we can only juggle small volumes of information at once. Even long-term memory can be stressed by the volume of knowledge that analysts must maintain. These cognitive limitations highlight the fundamental importance of capturing knowledge in written reports. If no one writes it down, does the knowledge really exist? Playing on the expression “PCAP, or it didn’t happen,” I offer the expression “write it, or it didn’t happen.”


Using threat_note To Track Campaigns: Returning to PIVY and PlugX Infrastructure

BLUF: I’m starting to find the sweet spot for threat_note in my at-home research workflow. By taking advantage of threat_note’s VirusTotal integration, I was able to discover some new infrastructure associated with the activity I documented in my August 8 post on Poison Ivy.


What Analysts Can Learn From Shadowserver’s “Italian Connection” Report

BLUF: The “Italian Connection” report from The Shadowserver Foundation is exemplary for its adherence to solid analytic tradecraft. The tradecraft is evident in the authors’ writing style, transparent methodologies, and use of structured analytic techniques. As analysts, we can learn from this report by similarly following the analytic standards that it demonstrates.


Threat Analysis: Poison Ivy and Links to an Extended PlugX Campaign

Key Points & Assessment:

  • Japan CERT identified a new Poison Ivy RAT variant (SHA1 44073031790e5ba419374dc55f6ac1cba688b06c) with updated C2 functionality.
  • The malware was created in September 2014 and uploaded to Virus Total in January 2015. It uses the dynamic DNS-provided C2 getstrings[.]jumpingcrab[.]com. This domain has resolved to at least 3 IP addresses:,, and
  • I identified several decoy documents (see Maltego graph) that deliver the PlugX malware and call out to one of two IP addresses mentioned above. These documents were reportedly used in a campaign identified by SOPHOS that spanned from September 2014 to February 2015. India was one target of the campaign.
  • Given the infrastructure and timing overlaps, the Poison Ivy sample discussed in this post was likely just one payload involved in a broader campaign targeting India, the Tibetan community, and others, that spanned from approximately September 2014 to February 2015.
  • The Poison Ivy sample in this case thus appears to be tied to attacks by one or more adversaries acting on behalf of Chinese interests.
