More PCAP Analysis Practice

It’s time to tackle another PCAP analysis exercise from Brad Duncan. I’ve only done a couple of these (I posted one of my write ups here), and would like to put myself in a more technical DFIR analyst mindset—completing more of these exercises seems like a great way to do that.

I previously attempted some of Duncan’s more complex exercises (such as this one) and found myself stumped. So, my plan is to get some more practice on the basic exercises before attempting the more advanced analyses.

The following write-up is based on the 2014-12-08 Traffic Analysis Exercise. Rather than answer each practice question one by one as I did in my first write-up, I’ve attempted to write something that resembles a real-world report and also addresses as many of the questions as possible.

Lastly, I did not check my answers before making this post – I thought it would be a little more fun that way. After I have a chance to review the answers, I may update this post (especially if my errors were egregious!)

So here we go!

Incident Summary

On December 8, 2014 at 18:18 UTC, a user browsed to the legitimate, but compromised website excelforum.com (69.167.155.134:80). Upon visiting the site, the user was silently redirected to maggnitia.com (94.242.216.69:80) and then to digiwebname.in (205.234.186.111:80) which served as a landing page for an unknown exploit kit (EK). The EK served malicious code targeting vulnerabilities in Adobe Flash, Oracle Java, and Microsoft Silverlight, and delivered an unknown malware payload to the user. The malware made HTTP GET requests using what is possibly a unique User Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_25. 

Incident & Infection Chain Details

A user browsed to the website excelforum.com (69.167.155.134:80) using an Internet Explorer 8.0 web browser on December 8, 2014 at 18:18 UTC. Additional user details are as follows:

  • User source IP address: 192.168.204.137
  • User MAC address: 00:0c:29:9d:b8:6d
  • User hostname: Vmware_9d:b8:6d

The legitimate website contained malicious embedded javascript that redirected the user to the following URL at maggnitia.com (94.242.216.69:80):

http://magggnitia.com/?Q2WP=p4VpeSdhe5ba&nw3=9n6MZfU9I_1Ydl8y&9M5to=_8w6t8o4W_abrev&GgiMa=8Hfr8Tlcgkd0sfV&t6Mry=I6n2

Below is a screen shot of the the code that was embedded on excelforum.com. Screen Shot 2016-02-14 at 10.22.14 AMThe embedded code also triggered a second silent redirect from maggnitia.com (94.242.216.69:80) to a URL at digiwebname.in (205.234.186.111:80), which served as the landing page for an unknown exploit kit.

http://digiwebname.in/6ktpi5xo/PoHWLGZwrjXeGDG3P-I5

Below is a screenshot of the HTML code found on the EK landing page. Some of the unobfuscated plain text on the page comes from Dante’s Inferno although we have made no determination as to whether or not this detail is significant.

Screen Shot 2016-02-28 at 7.14.58 PM

The EK delivered exploits for vulnerabilities in Adobe Flash, Oracle Java, and Microsoft Silverlight. The exploits used the following filenames:

  • hyepksam259.swf (Adobe Flash)
  • syvwkahx581.jar (Oracle Java)
  • dszohrfb90.xap (Microsoft Silverlight)

An unknown malware payload was then sent to the user’s machine. The malware generated numerous HTTP GET requests to digiwebname.in (205.234.186.111:80) with the User Agent Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_25. It is possible that this User Agent is unique and specific to the malware.

Screen Shot 2016-02-28 at 8.47.15 PM