Network forensics is something we should practise as often as possible in order to get faster at spotting suspicious activity in our networks. The website http://malware-traffic-analysis.net/ shares network traffic captures containing different kinds of infections and malicious activity. I find these exercises very good for improving our skills at finding evil behaviour, and they also let us witness new attack vectors and new evasion techniques...

Today we are going to do the latest exercise: 

Malware infection

In the post mentioned above, it was said that malware had been found on a corporate computer. We can get more information about that sample from different malware analysis reports.

SHA256
d16ad130daed5d4f3a7368ce73b87a8f84404873cbfc90cc77e967a83c947cd2

Network traffic analysis

To figure out what happened, we have to work with the traffic capture published in that blog post: 2015-11-24-traffic-analysis-exercise.pcap. The first thing I'm going to do is use tcpreplay to replay the captured traffic onto an interface where my Suricata is listening with the latest ETPRO ruleset loaded.


Once all the traffic has been replayed and analysed, we can see on our alerts dashboard that a computer may have been hit by an Exploit Kit. There are also some CnC alerts...


The first Angler EK alerts came from the website neuhaus-hourakus.avelinoortiz[.]com.


The visits to that domain, in order, were:

  1. neuhaus-hourakus.avelinoortiz[.]com/forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29
  2. neuhaus-hourakus.avelinoortiz[.]com/who.olp?save=&effect=VFv9cHM&you=LmzXy&picture=J0sYyqN&why=Dv0ZsHPosOWnZsEC9KJ9myAYKZSGT
  3. neuhaus-hourakus.avelinoortiz[.]com/literature.disco?audience=5Hr&trip=&election=txK1BgKFW&piece=aRLmxzX&normal=QGOT&understand=IWOBe&theory=so8bghs&discover=y47E5&tell=gSIQ&opportunity=ZWe&available=z
  4. neuhaus-hourakus.avelinoortiz[.]com/yes.wbxml?unite=tXu9a5tJI&writer=J7y8dCR8F&describe=LzQOS9&for=&note=C26Z8129ea&number=gcsXv8v&next=2unI-c8
This domain has been rated as malicious by several web-filtering vendors. 


I've also uploaded the PCAP to VirusTotal (look at the Details section). VirusTotal is very useful here because the traffic is inspected with both the Snort VRT and the Suricata ETPRO rulesets; it also analyses every request and warns us if any of them is detected by an antivirus engine. The VirusTotal report shows that one of the first Suricata alerts related to the EK corresponds to a Flash file which is associated with an exploit.


It seems we've found where the user could have been infected, but why did the user end up at that website? If we look at the first Suricata event and pay close attention to its Referer header, we can see that the page visited right before the landing page had loaded a JavaScript file.


Digging into that JavaScript, we find an iframe which loads the EK landing page (1), and the website which loaded the JavaScript (2).


Walking further back with Wireshark, we can locate the URI which called the JavaScript. It looks like an advertisement (1) which loaded the JavaScript (2).


And why did this user visit www.shotgunworld[.]com? If we look at the Referer header in Follow TCP Stream, we can see that the user reached that website through Google. The user could have been doing Google searches...


Digging a little deeper into the connections made before the Google redirect, we can see that the user was interested in guns. He clicked two Google search results:

1. http://www.google[.]com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&sqi=2&ved=0ahUKEwimz-OWuqnJAhWJrD4KHZcYBLsQFggcMAA&url=http%3A%2F%2Fwww.cabelas.com%2Fcategory%2FShotguns%2F105537780.uts&usg=AFQjCNHKLe8zX3xPg6B1t17pycMEn7CRFw&bvm=bv.108194040,d.dmo

which redirects to http://www.cabelas.com/category/Shotguns/105537780.uts, which does not seem to be infected.

2. http://www.google[.]com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&sqi=2&ved=0ahUKEwiKnu-0uqnJAhUIWD4KHal9DUcQFggcMAA&url=http%3A%2F%2Fwww.shotgunworld.com%2F&usg=AFQjCNEURWbI-lwIgSRkGqiR9ALrodRMUw&bvm=bv.108194040,d.dmo

which, via the advertisement and its JavaScript, leads to the EK landing page: neuhaus-hourakus.avelinoortiz[.]com/forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29
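The walk back through Referer headers described above (landing page, page with the JavaScript, advertisement, www.shotgunworld[.]com, Google result click), as an added example that is not part of the original post. It expects a list of (request URI, Referer) pairs in capture order, which is the shape that `tshark -r file.pcap -Y http.request -T fields -e http.request.full_uri -e http.referer` prints. The records embedded below are constructed for the example: the ad server ads.example.net and its paths are made up, and the EK domain is kept defanged exactly as written in this post; none of it is extracted from the exercise PCAP.

```python
"""
Walk an HTTP Referer chain backwards from an Exploit Kit landing page.

Input: (request URI, Referer) pairs in capture order, e.g. from
  tshark -r file.pcap -Y http.request -T fields -e http.request.full_uri -e http.referer
The sample records are CONSTRUCTED for this example; ads.example.net is a
made-up ad server and the EK host is left defanged ("[.]") as in the post.
"""
from urllib.parse import parse_qs, urlparse

GOOGLE_CLICK = "http://www.google.com/url?"
GOOGLE_TO_CABELAS = GOOGLE_CLICK + "sa=t&url=http%3A%2F%2Fwww.cabelas.com%2Fcategory%2FShotguns%2F105537780.uts"
GOOGLE_TO_SGW = GOOGLE_CLICK + "sa=t&url=http%3A%2F%2Fwww.shotgunworld.com%2F"
SHOTGUNWORLD = "http://www.shotgunworld.com/"
AD_PAGE = "http://ads.example.net/serve?slot=top"    # constructed
AD_SCRIPT = "http://ads.example.net/tag.js"          # constructed
LANDING = ("http://neuhaus-hourakus.avelinoortiz[.]com/forums/viewforum.php"
           "?f=15&sid=0l.h8f0o304g67j7zl29")
FLASH = "http://neuhaus-hourakus.avelinoortiz[.]com/who.olp?save=&effect=VFv9cHM"

# Constructed request log: (URI, Referer); "" means no Referer header.
SAMPLE_REQUESTS = [
    (GOOGLE_TO_CABELAS, ""),
    ("http://www.cabelas.com/category/Shotguns/105537780.uts", GOOGLE_TO_CABELAS),
    (GOOGLE_TO_SGW, ""),
    (SHOTGUNWORLD, GOOGLE_TO_SGW),
    (AD_PAGE, SHOTGUNWORLD),    # the advertisement embedded in the forum page
    (AD_SCRIPT, AD_PAGE),       # the JavaScript loaded by the ad
    (LANDING, AD_PAGE),         # iframe injected by that JavaScript
    (FLASH, LANDING),           # exploit payload fetched by the landing page
]


def referer_chain(requests, start_uri):
    """Return [start_uri, its Referer, that page's Referer, ...] up to the origin.

    Each hop resolves to the most recent *earlier* request for the referring
    URI, so repeated visits to a page do not confuse the walk, and a visited
    set stops self-referencing loops.  The chain ends when a request carries
    no Referer or its Referer was never requested inside the capture.
    """
    hits = [i for i, (uri, _) in enumerate(requests) if uri == start_uri]
    if not hits:
        raise ValueError(f"start URI not present in capture: {start_uri}")
    idx = hits[-1]
    chain, seen = [start_uri], {start_uri}
    while True:
        ref = requests[idx][1]
        if not ref or ref in seen:
            break
        chain.append(ref)
        seen.add(ref)
        earlier = [i for i in range(idx) if requests[i][0] == ref]
        if not earlier:
            break   # referring page was never requested here: origin is outside the capture
        idx = earlier[-1]
    return chain


def loaded_by(requests, page_uri):
    """Every URI requested with page_uri as Referer: scripts, ads, iframes, exploits."""
    return [uri for uri, ref in requests if ref == page_uri]


def google_click_target(uri):
    """Decode the destination of a Google result-click redirect (the url= parameter)."""
    if not uri.startswith(GOOGLE_CLICK):
        return None
    return parse_qs(urlparse(uri).query).get("url", [None])[0]


if __name__ == "__main__":
    for hop in referer_chain(SAMPLE_REQUESTS, LANDING):
        target = google_click_target(hop)
        print(hop + (f"   <- Google result click for {target}" if target else ""))
        for child in loaded_by(SAMPLE_REQUESTS, hop):
            print("    loads:", child)
```

Two caveats when running this against a real capture: a page served over HTTPS, or one that sets a referrer policy, will produce requests without a Referer header, so the chain stops early and the last hop has to be found by timing or by inspecting the HTML that referenced it; and because the walk relies on string equality of URIs, normalise trailing slashes and fragment identifiers first if the tool you export from does not.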

And what about the landing page itself? Continuing the analysis, I found that it carried heavily obfuscated code inside its HTML.


I've extracted it from the PCAP with Wireshark and the results can be seen on VirusTotal. I've also uploaded it to Pastebin. As said, this JavaScript is heavily obfuscated and deobfuscating it would be time-consuming, but if you want to try it yourself, you are very welcome. Here are some good blog posts with more information about Angler EK obfuscation: Websense, Fuzzysecurity.

Since we haven't deobfuscated the Angler landing page code, we cannot be 100% sure that it is related to the malware found on the computer, but I think we can assume so... After the host visited that URL, the computer started requesting suspicious URLs related to a botnet.


The computer also started requesting domain names that did not resolve...


Those domains may have been generated by a domain generation algorithm (DGA). That is another indicator that this computer had become part of a botnet.
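One way to turn the "domain names that did not resolve" observation into a repeatable check, as an added example that is not part of the original post: group NXDOMAIN answers per client and look at how many distinct registrable names failed and how random those names look. The DNS records below are constructed for the example (client addresses and the random-looking names are made up, not taken from the exercise PCAP), and the thresholds are assumptions to tune against your own baseline.

```python
"""
Triage DNS responses for DGA-like behaviour: a client that collects many
NXDOMAIN answers for unrelated, high-entropy second-level names.

Records are (client IP, queried name, response code); rcode 3 is NXDOMAIN.
The sample records are CONSTRUCTED for this example.
"""
import math
from collections import defaultdict

NXDOMAIN = 3

SAMPLE_DNS = [
    ("10.0.0.5", "www.google.com", 0),
    ("10.0.0.5", "www.shotgunworld.com", 0),
    ("10.0.0.5", "neuhaus-hourakus.avelinoortiz.com", 0),
    ("10.0.0.5", "qxmvdkrwopzla.net", NXDOMAIN),       # made-up DGA-style names
    ("10.0.0.5", "hjvbqzplrkwxtun.com", NXDOMAIN),
    ("10.0.0.5", "zpwkrqvbhdyxmo.info", NXDOMAIN),
    ("10.0.0.5", "trlkxzqmvwnpbg.org", NXDOMAIN),
    ("10.0.0.5", "gkpmzvqwxlrnhb.net", NXDOMAIN),
    ("10.0.0.9", "mail.example.com", 0),
    ("10.0.0.9", "intranet.example.com", 0),
    ("10.0.0.9", "typo-exmaple.com", NXDOMAIN),          # a single user typo, not a DGA
]


def shannon_entropy(text):
    """Bits per character of `text`; 0.0 for empty input."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """'x.y.example.com.' -> 'example': the label a DGA actually generates."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_suspects(records, min_nxdomain=5, min_entropy=3.0):
    """Return {client: stats} for clients whose NXDOMAIN pattern looks generated.

    Thresholds are assumptions for this example, not values from the post:
    at least `min_nxdomain` distinct failed registrable names, with a mean
    per-label entropy of at least `min_entropy` bits per character.
    """
    failed = defaultdict(set)
    total = defaultdict(int)
    for client, qname, rcode in records:
        total[client] += 1
        if rcode == NXDOMAIN:
            failed[client].add(second_level_label(qname))
    suspects = {}
    for client, labels in failed.items():
        mean_entropy = sum(shannon_entropy(lbl) for lbl in labels) / len(labels)
        if len(labels) >= min_nxdomain and mean_entropy >= min_entropy:
            suspects[client] = {
                "nxdomain": len(labels),
                "queries": total[client],
                "mean_entropy": round(mean_entropy, 2),
                "labels": sorted(labels),
            }
    return suspects


if __name__ == "__main__":
    for client, stats in dga_suspects(SAMPLE_DNS).items():
        print(client, stats)
```

Entropy on its own is a weak signal (a short typo such as "typo-exmaple" already scores above 3 bits per character), which is why the check also requires a burst of distinct failed names from one client; conversely, DGAs built from word lists produce low-entropy names and will only be caught by the NXDOMAIN count, so keep both conditions and tune the thresholds on a window of known-clean traffic.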

Conclusion 

After being notified that a piece of malware had been detected on a corporate computer, we analysed the traffic capture provided and found the following:

  1. The user was doing Google searches related to guns.
  2. After visiting some gun shops, he ended up on this website: www.shotgunworld[.]com
  3. That site had an advertisement which loaded a JavaScript file.
  4. That JavaScript had an iframe which loaded the Angler EK landing page.
  5. It seems the EK was successful and the computer became part of a botnet.