QUIETHUB
Reference
https://www.malware-traffic-analysis.net/2020/11/13/index.html
Executive Summary
On 2020-11-13, at approximately 00:26:54 UTC, a Windows host used by Craig Alda was infected with IcedID malware.
Victim Details
- Username: craig.alda (frame #4939)
- Hostname: DESKTOP-JH1UZAE (frame #7234)
- IP Address: 192.168.200.8 (frame #40)
- MAC Address: 00:08:02:1c:47:ae (frame #40)
- Serial Number: n/a
Indicators of Compromise
Malicious Traffic
- src.ip, src.port, dst.ip, dst.port, http.request.method, http.request uri
File Hashes
- SHA-256 Hash: ddcf95d87542f2df67aff8941fcd92c71cc704698b00923791e21285f82bb01a
- File Size: 132 Kilobytes
- File Location (URL, UNC, etc.):
http://205.185.113.20/files/3.dll
- File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- File Description: Windows DLL
Notes
Elaborate on the alerts that were raised, lessons learned, recommendations, etc.
Analysis
Setup
wget "https://www.malware-traffic-analysis.net/2020/11/13/2020-11-13-traffic-analysis-exercise.pcap.zip"
unzip 2020-11-13-traffic-analysis-exercise.pcap.zip
cp 2020-11-13-traffic-analysis-exercise.pcap traffic.pcap
How many alerts are raised when the PCAP is fed to the Suricata IDS?
suricata -r traffic.pcap
less -S fast.log
wc -l < fast.log
348
How many unique alerts are raised?
awk -F'\\[\\*\\*\\] ' '{print $2}' fast.log | sort | uniq -c
3 [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
132 [1:2011540:7] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
1 [1:2016141:7] ET INFO Executable Download from dotted-quad Host
1 [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
127 [1:2016778:8] ET DNS Query to a *.pw domain - Likely Hostile
2 [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP
1 [1:2021076:2] ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
1 [1:2022050:3] ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
1 [1:2022051:2] ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
1 [1:2022053:2] ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
1 [1:2027250:4] ET INFO Dotted Quad Host DLL Request
77 [1:2033713:4] ET MALWARE Cobalt Strike Beacon Observed
Based on the alerts raised, what do you think happened?
A Command and Control (C2) was established after someone visited a domain hosting malware.
What are the first three unique alerts raised?
awk -F'\\[\\*\\*\\] ' '{print $2}' fast.log | awk '!seen[$0]++' | head -n3
[1:2027250:4] ET INFO Dotted Quad Host DLL Request
[1:2022050:3] ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
[1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP
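Added example, not part of the original write-up: a small Python parser for the fast.log line format that answers both questions above (how many unique alerts, and which three were raised first) from parsed fields rather than awk column splitting, and that also pulls out the src/dst/port tuples the Malicious Traffic table asks for. The sample lines are constructed for the demo: the SIDs, messages and the two IP addresses are the ones on this page, while the ports, classification text and sub-second timestamps are made up.

```python
"""Parse Suricata fast.log lines and summarise them (added example; not from the page)."""
import re
from collections import Counter, OrderedDict

# One alert per line. Layout, as Suricata writes it:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: <text>] [Priority: <n>] {<proto>} <src>:<sport> -> <dst>:<dport>
# IPv4 only: an IPv6 literal contains ':' and would need a different address/port split.
FAST_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[0-9.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample lines. SIDs, messages and the two IP addresses come from the page;
# ports, classification text and sub-second timestamps are made up for the demo.
SAMPLE_FAST_LOG = """\
11/13/2020-00:26:54.101010  [**] [1:2027250:4] ET INFO Dotted Quad Host DLL Request [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.200.8:49700 -> 205.185.113.20:80
11/13/2020-00:26:54.202020  [**] [1:2022050:3] ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.200.8:49700 -> 205.185.113.20:80
11/13/2020-00:26:54.303030  [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 205.185.113.20:80 -> 192.168.200.8:49700
11/13/2020-00:27:10.404040  [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 205.185.113.20:80 -> 192.168.200.8:49701
this line is not an alert and is skipped
"""


def parse_fast_log(text):
    """Return one dict per alert line. Lines that do not fit the format are skipped, not guessed at."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LINE.match(line)
        if not m:
            continue
        alert = m.groupdict()
        for key in ("gid", "rev", "priority", "sport", "dport"):
            alert[key] = int(alert[key])
        alerts.append(alert)
    return alerts


def unique_alerts(alerts):
    """(sid, msg, count) in first-seen order: the `sort | uniq -c` view, but ordered by first occurrence."""
    counts = Counter(a["sid"] for a in alerts)
    first_seen = OrderedDict()
    for a in alerts:
        first_seen.setdefault(a["sid"], a["msg"])
    return [(sid, msg, counts[sid]) for sid, msg in first_seen.items()]


def alert_flows(alerts, sids=None):
    """Distinct (src, sport, dst, dport, proto) tuples, optionally limited to the given SIDs.
    This is the raw material for the Malicious Traffic table."""
    return {
        (a["src"], a["sport"], a["dst"], a["dport"], a["proto"])
        for a in alerts
        if sids is None or a["sid"] in sids
    }


if __name__ == "__main__":
    parsed = parse_fast_log(SAMPLE_FAST_LOG)
    print("%d alerts, %d unique" % (len(parsed), len(unique_alerts(parsed))))
    for sid, msg, count in unique_alerts(parsed)[:3]:
        print("%4d  [%s] %s" % (count, sid, msg))
    for flow in sorted(alert_flows(parsed)):
        print("%s:%d -> %s:%d (%s)" % flow)
```

unique_alerts() keeps the order alerts first appeared, so its first three entries are the "first three unique alerts" without a second awk pass; alert_flows() over the MALWARE/INFO SIDs gives the rows for the IoC table.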
What is the rule criteria for the first alert raised?
grep 'sid:2027250;' /var/lib/suricata/rules/suricata.rules
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host DLL Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.dll; flowbits:unset,http.dottedquadhost; http.request_line; content:".dll HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027250; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Minor, updated_at 2020_04_08;)
Do any packets match the criteria of the alert raised?
tshark -r traffic.pcap -Y 'http.request.full_uri matches "\\.dll"' -T fields -e frame.number -e eth.src -e ip.src -e http.request.method -e http.request.full_uri
40 00:08:02:1c:47:ae 192.168.200.8 GET http://205.185.113.20/files/3.dll
Yes. Frame #40 contains an HTTP GET request for a .dll from a bare IP address rather than a domain name (users normally don't know or remember the IP addresses of the web servers they visit).
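Added example, not from the original analysis: parse the options of the sid 2027250 rule printed above and apply its content:".dll HTTP/1."; nocase; check to a request line, which is the test the tshark filter approximates. The rule text is the page's; the request lines are constructed. The flow: keyword and the flowbits:isset,http.dottedquadhost precondition (set by a companion ET rule when the Host header is a dotted quad) are recorded but not evaluated, since they depend on TCP state and on another rule.

```python
"""Parse one Suricata rule's options and apply its content check (added example; not from the page)."""

# Rule text exactly as printed on the page for sid 2027250.
RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host DLL Request"; '
    'flow:established,from_client; flowbits:isset,http.dottedquadhost; '
    'flowbits:set,http.dottedquadhost.dll; flowbits:unset,http.dottedquadhost; '
    'http.request_line; content:".dll HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; '
    'sid:2027250; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, '
    'deployment Perimeter, former_category INFO, performance_impact Moderate, '
    'signature_severity Minor, updated_at 2020_04_08;)'
)


def split_options(rule):
    """Return the option list inside the parentheses, splitting on ';' only outside double quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, current, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # char after a backslash inside quotes is literal
            current.append(ch)
            escaped = False
            continue
        if ch == "\\" and in_quotes:
            current.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            token = "".join(current).strip()
            if token:
                options.append(token)
            current = []
        else:
            current.append(ch)
    token = "".join(current).strip()
    if token:
        options.append(token)
    return options


def parse_rule(rule):
    """Header fields plus content checks (with their sticky buffer), flowbits, and the other keywords."""
    action, proto, src, sport, direction, dst, dport = rule.split("(", 1)[0].split()
    parsed = {"action": action, "proto": proto, "src": src, "src_port": sport,
              "direction": direction, "dst": dst, "dst_port": dport,
              "contents": [], "flowbits": [], "other": {}}
    buffer = None        # sticky buffer in effect for the content: keywords that follow it
    for opt in split_options(rule):
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        if name == "content":
            parsed["contents"].append({"pattern": value.strip('"'), "nocase": False, "buffer": buffer})
        elif name == "nocase":
            parsed["contents"][-1]["nocase"] = True
        elif name == "flowbits":
            parsed["flowbits"].append(value)
        elif not value and "." in name:
            buffer = name    # heuristic: a valueless dotted keyword such as http.request_line is a sticky buffer
        else:
            parsed["other"][name] = value.strip('"')
    return parsed


def decode_content(pattern):
    """Expand Suricata content escapes: |hex bytes| runs and backslash-escaped characters."""
    out, i = bytearray(), 0
    while i < len(pattern):
        if pattern[i] == "|":
            end = pattern.index("|", i + 1)
            out += bytes.fromhex(pattern[i + 1:end])
            i = end + 1
        elif pattern[i] == "\\" and i + 1 < len(pattern):
            out.append(ord(pattern[i + 1]))
            i += 2
        else:
            out.append(ord(pattern[i]))
            i += 1
    return bytes(out)


def request_line_matches(parsed, request_line):
    """Apply every http.request_line content check of the rule to one request line (bytes)."""
    for check in parsed["contents"]:
        if check["buffer"] != "http.request_line":
            continue
        haystack, needle = request_line, decode_content(check["pattern"])
        if check["nocase"]:
            haystack, needle = haystack.lower(), needle.lower()
        if needle not in haystack:
            return False
    return True


if __name__ == "__main__":
    rule = parse_rule(RULE)
    print(rule["other"]["sid"], rule["contents"], rule["flowbits"])
    for line in (b"GET /files/3.dll HTTP/1.1", b"GET /index.html HTTP/1.1"):   # constructed
        print(line, request_line_matches(rule, line))
```

The pattern ends in " HTTP/1.", so it keys on the request line as a whole and not on ".dll" appearing anywhere in the URI: "GET /files/3.dll.txt HTTP/1.1" does not match, which is why the tshark filter on the URI alone is only an approximation.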
How did the victim know to contact the attacker?
tshark -r traffic.pcap -Y 'frame contains "205.185.113.20"' -T fields -e frame.number -e ip.src -e ip.dst -e ip.proto
4 192.168.200.8 205.185.113.20 6
38 205.185.113.20 192.168.200.8 6
40 192.168.200.8 205.185.113.20 6
The PCAP does not include traffic showing how the victim learned about the attacker.
What is the victim's username and hostname?
tshark -r traffic.pcap -Y "kerberos.msg.type == 10 or kerberos.msg.type == 13" -T fields -e frame.number -e ip.src -e ip.dst -e kerberos.name_string
4939 192.168.200.2 192.168.200.8 craig.alda,cifs,Quiethub-DC.quiethub.net
4948 192.168.200.2 192.168.200.8 craig.alda,krbtgt,QUIETHUB.NET
7234 192.168.200.2 192.168.200.8 DESKTOP-JH1UZAE$,DESKTOP-JH1UZAE$
7271 192.168.200.2 192.168.200.8 DESKTOP-JH1UZAE$,cifs,Quiethub-DC.quiethub.net,quiethub.net
7280 192.168.200.2 192.168.200.8 DESKTOP-JH1UZAE$,krbtgt,QUIETHUB.NET
9014 192.168.200.2 192.168.200.8 DESKTOP-JH1UZAE$,cifs,QUIETHUB-DC
Username: craig.alda
Hostname: DESKTOP-JH1UZAE
What files were downloaded via HTTP?
tshark -r traffic.pcap -q --export-objects http,http && ls -alh http
-rw-r--r-- 1 remnux remnux 132K Feb 27 10:08 3.dll
-rw-r--r-- 1 remnux remnux 471 Feb 27 10:08 MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom
-rw-r--r-- 1 remnux remnux 6.5K Feb 27 10:08 'submit(10).php%3fid=123429392'
-rw-r--r-- 1 remnux remnux 148 Feb 27 10:08 'submit(11).php%3fid=123429392'
-rw-r--r-- 1 remnux remnux 84 Feb 27 10:08 'submit(12).php%3fid=123429392'
-rw-r--r-- 1 remnux remnux 36 Feb 27 10:08 'submit(13).php%3fid=123429392'
-rw-r--r-- 1 remnux remnux 516 Feb 27 10:08 'submit(1).php%3fid=123429392'
-rw-r--r-- 1 remnux remnux 212 Feb 27 10:08 'submit(2).php%3fid=123429392'
-rw-r--r-- 1 remnux remnux 244 Feb 27 10:08 'submit(3).php%3fid=123429392'
-rw-r--r-- 1 remnux remnux 68 Feb 27 10:08 'submit(4).php%3fid=123429392'
-rw-r--r-- 1 remnux remnux 68 Feb 27 10:08 'submit(5).php%3fid=123429392'
-rw-r--r-- 1 remnux remnux 996 Feb 27 10:08 'submit(6).php%3fid=123429392'
-rw-r--r-- 1 remnux remnux 1.5K Feb 27 10:08 'submit(7).php%3fid=123429392'
-rw-r--r-- 1 remnux remnux 4.4K Feb 27 10:08 'submit(8).php%3fid=123429392'
-rw-r--r-- 1 remnux remnux 4.4K Feb 27 10:08 'submit(9).php%3fid=123429392'
-rw-r--r-- 1 remnux remnux 228 Feb 27 10:08 'submit.php%3fid=123429392'
-rw-r--r-- 1 remnux remnux 96 Feb 27 10:08 'updates(1).rss'
-rw-r--r-- 1 remnux remnux 80 Feb 27 10:08 'updates(2).rss'
-rw-r--r-- 1 remnux remnux 74K Feb 27 10:08 'updates(3).rss'
-rw-r--r-- 1 remnux remnux 74K Feb 27 10:08 'updates(4).rss'
-rw-r--r-- 1 remnux remnux 74K Feb 27 10:08 'updates(5).rss'
-rw-r--r-- 1 remnux remnux 80 Feb 27 10:08 'updates(6).rss'
-rw-r--r-- 1 remnux remnux 80 Feb 27 10:08 'updates(7).rss'
-rw-r--r-- 1 remnux remnux 74K Feb 27 10:08 'updates(8).rss'
-rw-r--r-- 1 remnux remnux 48 Feb 27 10:08 'updates(9).rss'
-rw-r--r-- 1 remnux remnux 48 Feb 27 10:08 updates.rss
-rw-r--r-- 1 remnux remnux 718K Feb 27 10:08 winnit.exe
What were the types of files downloaded?
file http/*
2 "PE32 executable (GUI) Intel 80386, for MS Windows", 26 "data".
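Added example, not the author's code: reproduce the `file` classification from the PE headers and hash each exported object in one pass, which is how the SHA-256, size and type fields of the File Hashes entry above can be produced for every object tshark wrote. describe_pe() reads the same headers `file` does (the MZ stub, e_lfanew, the COFF Characteristics flag IMAGE_FILE_DLL, and the optional header Subsystem field). The PE samples are constructed headers built by make_sample_pe(), not real malware and not loadable; inventory() is the function to point at the export directory.

```python
"""Identify PE images among exported HTTP objects and hash them (added example; not from the page)."""
import hashlib
import struct
from pathlib import Path

IMAGE_FILE_DLL = 0x2000                     # COFF Characteristics flag: image is a DLL
MACHINES = {0x014C: "Intel 80386", 0x8664: "x86-64"}
SUBSYSTEMS = {2: "GUI", 3: "console"}       # IMAGE_SUBSYSTEM_WINDOWS_GUI / _CUI
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def describe_pe(data):
    """Return format/kind/subsystem/machine for a PE image, or None if `data` is not one.

    Walks the headers `file` also reads: 'MZ' at 0, e_lfanew at 0x3c, 'PE\\0\\0', the
    20-byte COFF header, then the optional header (Subsystem is at offset 68 for PE32 and PE32+)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 4 + 20
    if opt + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    fmt = OPTIONAL_MAGIC.get(struct.unpack_from("<H", data, opt)[0])
    if fmt is None or opt_size < 70:
        return None
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    is_dll = bool(chars & IMAGE_FILE_DLL)
    description = "%s executable %s(%s) %s, for MS Windows" % (
        fmt, "(DLL) " if is_dll else "", SUBSYSTEMS.get(subsystem, str(subsystem)),
        MACHINES.get(machine, "0x%04x" % machine))
    return {"format": fmt, "is_dll": is_dll, "subsystem": SUBSYSTEMS.get(subsystem, subsystem),
            "machine": machine, "description": description}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def classify_bytes(name, data):
    """One inventory row: the fields the File Hashes block records per object."""
    pe = describe_pe(data)
    return {"name": name, "size": len(data), "sha256": sha256_hex(data),
            "type": pe["description"] if pe else "data", "is_pe": pe is not None}


def inventory(export_dir):
    """Classify every file tshark wrote with --export-objects; PE images are listed first."""
    rows = [classify_bytes(p.name, p.read_bytes())
            for p in sorted(Path(export_dir).iterdir()) if p.is_file()]
    return sorted(rows, key=lambda r: (not r["is_pe"], r["name"]))


def make_sample_pe(is_dll, subsystem=2, magic=0x10B):
    """Constructed minimal PE header (no sections, not loadable) for the demo; not a real sample."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    chars = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)          # IMAGE_FILE_EXECUTABLE_IMAGE [| DLL]
    optional = bytearray(96)                                     # enough to hold Subsystem at +68
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 68, subsystem)
    machine = 0x8664 if magic == 0x20B else 0x014C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(optional), chars)
    return dos + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    for name, blob in (("3.dll", make_sample_pe(True)), ("winnit.exe", make_sample_pe(False)),
                       ("updates.rss", b"<html>not a PE</html>")):      # constructed contents
        print(classify_bytes(name, blob))
```

Run inventory("http") after the --export-objects step to get the same rows for the real files; objects that are neither PE nor recognisable text come back as "data", matching the `file` summary.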
Were the files executed?
TBD.