BLUF: I downloaded a PCAP from this exercise provided by @malware_traffic. I’m a Wireshark and PCAP n00b, but wanted to see how far I could get with an analysis I’m not used to doing. I think I did pretty well (I was pleased I was able to get one of the Level 3 questions), but got hung up on identifying the exact infection chain and series of redirects.
Below are the questions that were included in the exercise. I typed my answers as I proceeded through the questions. As I moved through the analysis and did some additional research, I did revise answers to questions that I initially had trouble with. My summarized findings and associated confidence levels are at the end of this post.
Here are my responses!
LEVEL 1 QUESTIONS:
- What is the IP address of the Windows VM that gets infected?
Okay. Following no particular method here, and just scrolling through the packets, I see a handshake request initiated by 172.16.165.165. This should be the client, me thinks.
- What is the host name of the Windows VM that gets infected?
I’m assuming I should easily be able to find the hostname in this same packet. But alas, I can not. Where the hell is this thing?
- What is the MAC address of the infected VM?
I found the MAC address in the same initial handshake request: f0:19:af:02:9b:f1.
- What is the IP address of the compromised web site?
Still scrolling through, I start to see a lot of transactions with a WordPress site hosted at 220.127.116.11. I’m going with that.
- What is the domain name of the compromised web site?
The domain name at 18.104.22.168 is ciniholland[.]nl.
- What is the IP address and domain name that delivered the exploit kit and malware?
I think this question is asking “where is the exploit kit located?” After filtering my PCAP to only look at HTTP transactions, it looks like a lot of nastiness gets served up from 22.214.171.124 (stand[.]trustandprobaterealty[.]com). So if I understand the question correctly, I think this is the IP/domain that is delivering the EK and malware.
However, prior to the client talking to 126.96.36.199, I also see some traffic to 188.8.131.52. Traffic to this location was referred by ciniholland[.]nl so it looks like this might serve as the initial redirect from the compromised site to the EK landing page. So, 184.108.40.206 (24corp-shop[.]com) could be the answer to this question.
I also see a request from YouTube (GET /embed/hqgSewjl8hk), but I’m not sure what’s going on with this. We’ll see if this plays into the infection chain when I check the answers.
LEVEL 2 QUESTIONS:
One thing I’m noticing as I examine the exported objects is that in addition to visiting ciniholland[.]nl, which I believe to be the compromised site, it appears that the user has also visited adultbiz[.]in, which looks suspicious. Right now, I don’t know how this is playing into the infection chain.
These HTTP objects also help me to put that YouTube request I saw earlier into context. My guess now is that there were icons for YouTube, Twitter, and Facebook on the site. I’m going to put that YouTube request into the “benign” bucket.
- What is the redirect URL that points to the exploit kit (EK) landing page?
So: I’m having trouble with this one. I’m pretty sure that the compromised site is ciniholland[.]nl. This leads me to examine the various requests prior to all of the HTTP GET gibberish from 220.127.116.11 (GET /?PHPSSESID=…). The last request I see prior to the jump to 18.104.22.168 (24corp-shop[.]com), and then finally to 22.214.171.124 (stand[.]trustandprobaterealty[.]com), is for /favicon.ico.
Initially, I’m not very confident that this is in fact the URL that kicks off the series of redirects to the EK landing page. I also see a request for 24corp-shop[.]com/source/notfound.gif before the real badness begins. Maybe this is the URL that answers the question.
- Beside the landing page (which contains the CVE-2013-2551 IE exploit), what other exploit(s) sent by the EK?
Those HTTP objects are coming in handy! It looks like there are exploits for Adobe Flash and Oracle Java being served up.
However, I’m not sure how to determine what CVE’s these are targeting. I’m guessing that one could probably determine what CVE’s are being targeted by looking at the specific content in the packet (I tried looking at one of the Flash payloads). But again, I’m not sure how to make this determination. Some quick Google searching didn’t point me in the right direction.
- How many times was the payload delivered?
Exported HTTP objects helping me again (I hope)! I interpret “payload” to mean each individual exploit. Based on this definition, I count a total of seven times (3 IE, 2 Flash, and 2 Java).
- Submit the pcap to VirusTotal and find out what snort alerts triggered. What are the EK names are shown in the Suricata alerts?
The URI structure is detected as the RIG or Goon exploit kit.
LEVEL 3 QUESTIONS:
- Checking my website, what have I (and others) been calling this exploit kit?
I’m guessing that the HTTP parameter “PHPSSESID=,” might be unique to the exploit kit. I ran the search, site:malware-traffic.net “PHPSSESID=” to see if there were any results… Success! It looks like this EK is identified as RIG.
As I mentioned above, I feel I might be on the right trail to identifying the specific redirect URL and exploit files. But I clearly need to do some more work to confidently answer these questions. At this point, I’m pretty happy with the progress I’ve made. I’m going to check my answers, and then see how to arrive at the answers for the remaining questions.
- What file or page from the compromised website has the malicious script with the URL for the redirect?
- Extract the exploit file(s). What is(are) the md5 file hash(es)?
- VirusTotal doesn’t show all the VRT rules under the “Snort alerts” section for the pcap analysis. If you run your own version of Snort with the VRT ruleset as a registered user (or a subscriber), what VRT rules fire?
Findings in Summary
- [High confidence] The user visited the compromised WordPress site ciniholland[.]nl (126.96.36.199 is). By visiting this compromised site, the user was ultimately redirected to a final exploit kit landing page located at stand[.]trustandprobaterealty[.]com (188.8.131.52).
- [Low confidence] The infection chain was initiated by a malicious favicon that first redirected the user to 24corp-shop[.]com, and then to stand[.]trustandprobaterealty[.]com, the location of EK landing page.
- [Low confidence] The site adultbiz[.]in may also have been involved in the infection chain.
- [High confidence] The EK attempted to deliver IE, Flash, and Java exploits. I do not know what specific CVE’s the exploits were targeting.
- [High confidence] The EK can be identified as RIG.
Checking My Answers
And here they are!
It looks like I did pretty well on the Level 1 questions, although I was unable to determine the hostname of the machine. For the Level 2 questions, the the redirect URL is 24corp-shop[.]com, not the favicon hosted at ciniholland[.]nl. Although I didn’t answer correctly, I’m glad that I identified 24corp-shop[.]com as playing a role in the infection chain. Additionally, I correctly answered the questions about the exploit payloads, and the number of times that they were delivered. Nice.
For the Level 3 questions, I didn’t fare as well; it looks like I could have relied on more through examination of the HTTP exports to arrive at my answers.
Once I fully absorb the techniques described in the answers, I think I’l be ready for the next exercise!
EDIT 5/11/2015: after more thoroughly reviewing the answers, it’s clear that my default Wireshark configuration wasn’t making my analysis easier. In addition to great exercises, Brad Duncan also provides an excellent Wireshark set-up/configuration tutorial. This is already making it significantly easier to conduct analysis.