2022 02 23 TRAFFIC ANALYSIS EXERCISE - 0xd0s/Pcap-Analysis GitHub Wiki

https://www.malware-traffic-analysis.net/2022/02/23/index.html

SCENARIO

LAN segment data:

LAN segment range:  172.16.0.0/24 (172.16.0.0 through 172.16.0.255)
Domain:  sunnystation.com
Domain controller:  172.16.0.52 - SUNNYSTATION-DC
File Server:  172.16.0.53 - SUNNYFILESERVER
LAN segment gateway:  172.16.0.1
LAN segment broadcast address:  172.16.0.255

TASK

What hosts/user account names are active on this network?
What type of malware are they infected with?

Hosts/Users

Hosts

| IP | Hostname | User | Malware |
|---|---|---|---|
| 172.16.0.131 | DESKTOP-VD151O7 | tricia.becker | xloader |
| 172.16.0.149 | DESKTOP-KPQ9FDB | nick.montgomery | emotet |
| 172.16.0.170 | DESKTOP-W5TFTQY | everett.french | emotet |

IOCs

172.16.0.131

  • File downloaded: Ocklqc.jpg
    • File type: DLL
    • Hash: 8e231ce16b3613813371d2c76eef79f3658a2f88
    • Flagged as malicious on VirusTotal
  • Several GET requests to malicious domains.
  • xloader malware

172.16.0.170

  • Connections to malicious domain dalgahavuzu[.]com related to Emotet malware.

172.16.0.149

  • Downloaded file from ajaxmatters[.]com
    • Filename: zbBYgukXYxzAF2hZc
    • Hash: 14b57211308ac8ad2a63c965783d9ba1c2d1930d0cafd884374d143a481f9bf3
  • Hash is flagged as malicious on VirusTotal with vendors indicating it is related to Emotet.

Investigation

172.16.0.131

Looking at the protocol hierarchy for 172.16.0.131, you can see that HTTP accounts for the highest percentage of bytes.
[Screenshot: 131_protocol_hierarchy]

Digging into HTTP, we can see right away that files are being downloaded from 156.96.154[.]210. Let's export the files to check the file type and hash.

As you can see in the screenshots below, the file titled Ocklqc.jpg is flagged as malicious by numerous vendors on VirusTotal.
[Screenshots: 131_http, Ocklqc, 131_VT]

The Wireshark capture above also shows numerous GET requests. Below is a list of these GET requests.


Several of these domains are related to the xloader malware family.
[Screenshot: tria_ge]

Between the malicious file that was downloaded and the GET requests to domains related to xloader, I think we can reasonably conclude that this host is infected with the xloader malware.
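The pattern that gives 172.16.0.131 away is not any one domain but one URI path being requested from many unrelated domains. The script below is an added example (not part of the original write-up) that turns that observation into a check: it reads constructed request records in the shape `tshark -T fields -e ip.src -e http.host -e http.request.uri` would print, drops duplicate rows, and reports every client that sent the same path to several distinct hosts. The domains and query values are placeholders; only the /uar3/ path mirrors the capture.

```python
"""Fan-out check for the GET-request pattern seen on 172.16.0.131.

Added example, not part of the original write-up. The log below is
constructed to look like tshark output (src ip, Host header, URI);
domains and query strings are placeholders, only /uar3/ is from the pcap.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: one tab-separated line per GET request.
SAMPLE_LOG = """\
172.16.0.131\twww.shop-one.test\t/uar3/?OXtd9L=a1&WN68=AAAA==
172.16.0.131\twww.shop-two.test\t/uar3/?WN68=BBBB==&OXtd9L=a1
172.16.0.131\twww.shop-three.test\t/uar3/?OXtd9L=a1&WN68=CCCC==
172.16.0.131\twww.shop-two.test\t/uar3/?WN68=BBBB==&OXtd9L=a1
172.16.0.131\twww.shop-four.test\t/uar3/?Rx=b2&WN68=DDDD==
172.16.0.52\twww.update-site.test\t/update/catalog.xml
172.16.0.52\twww.update-site.test\t/update/manifest.json
"""

def parse_requests(text):
    """Parse (src_ip, host, uri) lines; exact duplicates are dropped so
    repeated rows in an exported list are not counted twice."""
    seen, rows = set(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, host, uri = line.split("\t", 2)
        key = (src, host.lower(), uri)
        if key not in seen:
            seen.add(key)
            rows.append(key)
    return rows

def find_fanout(rows, min_domains=3):
    """Return {(src_ip, path): sorted hosts} for each client that sent the
    same URI path to at least min_domains distinct hosts. The per-request
    query blob is stripped because it changes while the path stays fixed."""
    by_path = defaultdict(set)
    for src, host, uri in rows:
        by_path[(src, urlsplit(uri).path)].add(host)
    return {k: sorted(v) for k, v in by_path.items() if len(v) >= min_domains}

if __name__ == "__main__":
    for (src, path), hosts in find_fanout(parse_requests(SAMPLE_LOG)).items():
        print(f"{src} sent GET {path} to {len(hosts)} domains: {', '.join(hosts)}")
```

On real output the threshold is a tuning knob; a CDN-fronted site legitimately fans out across a few hostnames, but dozens of unrelated registrable domains sharing one path is the shape worth a closer look.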

172.16.0.170

Using the protocol hierarchy, we can see which protocol is generating the most traffic. In this case it is TLS, and there are a large number of TLS connections. To narrow this down further, I looked at the conversations matching the filter ip.addr == 172.16.0.170 && tls. This shows which endpoints are exchanging the largest number of bytes with the host.
[Screenshot: 2022-04-02 08-36-08]

While digging into the TLS traffic for 172.16.0.170, I noticed a suspicious domain, dalgahavuzu[.]com (178.211.56.194). Several vendors on VirusTotal have flagged dalgahavuzu[.]com as malicious.
[Screenshot: 170_emotet]

172.16.0.149

A file from ajaxmatters[.]com/c7g8t/ was downloaded to 172.16.0.149. The filename is zbBYgukXYxzAF2hZc and it is a DLL with hash 14b57211308ac8ad2a63c965783d9ba1c2d1930d0cafd884374d143a481f9bf3. This hash is flagged as malicious on VirusTotal, with vendors indicating it is related to Emotet.
[Screenshot: 149_hashes]