2022 01 07 Traffic Analysis Exercise - 0xd0s/Pcap-Analysis GitHub Wiki
https://www.malware-traffic-analysis.net/2022/01/07/index.html
SCENARIO
LAN segment data:
LAN segment range: 192.168.1.0/24 (192.168.1.0 through 192.168.1.255)
Domain: spoonwatch.net
Domain controller: 192.168.1.9 - SPOONWATCH-DC
LAN segment gateway: 192.168.1.1
LAN segment broadcast address: 192.168.1.255
TASK
Write an incident report based on the pcap and the alerts.
The incident report should contain 3 sections:
- Executive Summary: State in simple, direct terms what happened (when, who, what).
- Details: Details of the victim (hostname, IP address, MAC address, Windows user account name).
- Indicators of Compromise (IOCs): IP addresses, domains and URLs associated with the infection. SHA256 hashes if any malware binaries can be extracted from the pcap.
EXECUTIVE SUMMARY
192.168.1.216 started communicating with 2.56.57.108 at around 16:07 on 01/07/2022. This IP delivered DLL files disguised as jpg files. Eventually data was exfiltrated from internal IP 192.168.1.216. This appears to be a variant of Arkei malware.
DETAILS
Hostname: DESKTOP-GXNYNO2 (NetBIOS name, <20> service suffix)
IP address: 192.168.1.216
MAC address: 9c:5c:8e:32:58:f9
Windows user account name: steve.smith
INDICATORS OF COMPROMISE (IOCs)
Malicious IP: 2.56.57.108 (Arkei variants)
DLLs disguised as jpg files
- These are legitimate DLL files. However, the fact that they are served as jpg files is suspicious.
Data exfiltrated via zip file
Start by looking at the endpoints and sorting by the largest number of bytes. This tells me who the top talkers are and who is sending/receiving the most data.
We can see that 2.56.57.108 and 192.168.1.216 exchange the most data by a significant margin. We can do two things with this information:
- Throw 2.56.57.108 into VirusTotal (VT) to see if the IP is flagged by any vendors
- Look into the communication between 2.56.57.108 and 192.168.1.216 for anything suspicious.
As you can see below, 2.56.57.108 is blacklisted by VT and associated with Arkei variants.
I used the following link to research Arkei variants: https://www.dshield.org/forums/diary/Arkei+Variants+From+Vidar+to+Mars+Stealer/28468/. According to this link we should expect to see DLL files disguised as other file types and data exfiltration.
Below you can see the DLLs being served as jpg files.
Below you can see a zip file was sent from 192.168.1.216 to 2.56.57.107
If we export the osk file and unzip it, we can see a password.txt among other files.
In summary, 192.168.1.216 was infected with Arkei malware and had data exfiltrated.
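As an added example that is not part of the original write-up, the following Python script reproduces the three manual checks above (top talkers by bytes, declared extension vs. real file type by magic bytes, and an outbound zip POST leaving the LAN) over constructed HTTP transactions rather than the exercise pcap; the C2 address 203.0.113.5, the URIs and the payloads are constructed stand-ins, not values from the exercise.

```python
# Added example, not from the original write-up; all sample values are constructed.
from collections import Counter
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")          # LAN segment given in the scenario
MAGIC = {b"MZ": "pe", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip"}
EXPECTED = {"jpg": "jpeg", "jpeg": "jpeg", "dll": "pe", "zip": "zip"}

def sniff_type(body):
    """Identify the real file type from its leading bytes, ignoring the name."""
    for magic, kind in MAGIC.items():
        if body.startswith(magic):
            return kind
    return "unknown"

def top_talkers(flows):
    """Rank host pairs by total bytes, like the Wireshark Endpoints/Conversations view."""
    bytes_by_pair = Counter()
    for src, dst, _method, _uri, body in flows:
        bytes_by_pair[tuple(sorted((src, dst)))] += len(body)
    return bytes_by_pair.most_common()

def find_suspicious(flows):
    """Flag extension/content mismatches and archive uploads leaving the LAN."""
    findings = []
    for src, dst, method, uri, body in flows:
        name = uri.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        real = sniff_type(body)
        if ext in EXPECTED and EXPECTED[ext] != real:
            findings.append(("disguised_file", src, dst, uri, real))
        if (method == "POST" and real == "zip"
                and ip_address(src) in LAN and ip_address(dst) not in LAN):
            findings.append(("possible_exfil", src, dst, uri, len(body)))
    return findings

# Constructed sample: (src, dst, method, uri, body). Bodies are just file headers
# padded out; 203.0.113.0/24 is a documentation range standing in for the C2.
SAMPLE = [
    ("192.168.1.216", "203.0.113.5", "GET", "/lib1.jpg", b"MZ" + b"\x00" * 4000),
    ("192.168.1.216", "203.0.113.5", "GET", "/lib2.jpg", b"MZ" + b"\x00" * 3000),
    ("192.168.1.216", "203.0.113.9", "GET", "/logo.jpg", b"\xff\xd8\xff" + b"\x00" * 500),
    ("192.168.1.216", "203.0.113.5", "POST", "/", b"PK\x03\x04" + b"\x00" * 2500),
    ("192.168.1.216", "192.168.1.9", "GET", "/share/readme.txt", b"hello"),
]

if __name__ == "__main__":
    for pair, total in top_talkers(SAMPLE):
        print(f"{pair[0]:>15} <-> {pair[1]:<15} {total} bytes")
    for finding in find_suspicious(SAMPLE):
        print(*finding)
```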
In this section I am going to import the pcap into Security Onion to, hopefully, verify my findings. Below you can see the command to import the pcap and the link Security Onion provides to start investigating.
After following the link that so-import-pcap provides, I can see the Hunt page in Security Onion.
If we add rule.name to our search criteria we can see a rule match for "ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern". So this is indeed a variant of Arkei, specifically Oski Stealer. This verifies our findings above.