TRAFFIC ANALYSIS EXERCISE - Ransomer

Contents

1. SCENARIO
2. QUESTIONS
3. Analysis: 10.3.14.134
4. Analysis: 10.3.14.131

1. SCENARIO

The pcap contains traffic from three different hosts. You also have IDS alerts to help you figure out what's going on.

Relevant Link:

http://www.malware-traffic-analysis.net/2017/02/11/index.html

2. QUESTIONS

0x1: BASIC TASKS

Document the date, start time and end time of the pcap in UTC (GMT).
Document the IP address of the three hosts in the pcap.
Document the mac address of the three hosts in the pcap.
Document the type of computer (Windows, Mac, Android, etc) for each of the three hosts in the pcap.
Determine which host(s) were infected.

0x2: MORE ADVANCED TASKS:

Document the family (or families) of malware based on indicators from the pcap.
Document the root cause for any infections noted in the pcap.

0x3: FINAL TASK:

Draft an incident report for the infected host(s).
If more than one host is infected, draft a separate incident report for each host.

Relevant Link:

3. Analysis: 10.3.14.134

0x1: Access to an anomalous domain

1. DNS resolution

unittogreas.top

2. HTTP request to the suspicious domain

http://unittogreas.top/search.php

This domain is tagged in Ransomware Tracker as a Ransomer Domain.

------------------------------------------------------------------------
Count:1 Event#3.23810 2017-02-11 03:02:41 UTC
ET DNS Query to a *.top domain - Likely Hostile
10.3.14.134 -> 10.3.14.2
IPVer=4 hlen=5 tos=0 dlen=61 ID=1417 flags=0 offset=0 ttl=128 chksum=1178
Protocol: 17 sport=51734 -> dport=53

len=41 chksum=6660
------------------------------------------------------------------------
Count:1 Event#3.23811 2017-02-11 03:02:43 UTC
ET INFO HTTP Request to a *.top domain
10.3.14.134 -> 104.155.4.180
IPVer=4 hlen=5 tos=0 dlen=325 ID=0 flags=0 offset=0 ttl=0 chksum=13276
Protocol: 6 sport=49249 -> dport=80

Seq=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=62268 chksum=0

0x2: Download of suspicious files

From a network-flow analysis perspective, several things can be done here:

1. Carve the whole PE/ELF stream and compute its MD5.
2. Compute the file size from the size of each [TCP segment of a reassembled PDU]; a small file is very likely a malicious loader.
3. Extract the file name from the filename field of the HTTP header; a PE file served with no extension is very likely malicious.
4. Determine from the binary network stream what kind of file download is in progress (for example, this pcap shows EXE/DLL and JS/WSF downloads).
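The four checks above, as an added example that is not part of the original post: it classifies a reassembled HTTP response body by content (MZ/PE with the DLL bit, ELF, or script markers), reads the filename from Content-Disposition, hashes it and raises the "small loader" and "PE without extension" flags. The headers and the minimal MZ/PE body are constructed for the demo, not taken from the pcap.

```python
import hashlib
import re
import struct

IMAGE_FILE_DLL = 0x2000  # PE/COFF Characteristics bit that marks a DLL


def classify_body(body: bytes) -> str:
    """Identify the download by its bytes, never by the URL or extension."""
    if body.startswith(b"\x7fELF"):
        return "ELF"
    if body.startswith(b"MZ") and len(body) >= 0x40:
        e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
        if body[e_lfanew:e_lfanew + 4] == b"PE\0\0" and len(body) >= e_lfanew + 24:
            chars = int.from_bytes(body[e_lfanew + 22:e_lfanew + 24], "little")
            return "PE DLL" if chars & IMAGE_FILE_DLL else "PE EXE"
        return "PE (truncated header)"
    if re.search(rb"<job>|WScript|ActiveXObject|eval\(", body, re.I):
        return "script (JS/WSF)"
    return "unknown"


def filename_from_headers(headers: dict) -> str:
    m = re.search(r'filename="?([^";]+)"?', headers.get("Content-Disposition", ""))
    return m.group(1) if m else ""


def triage_download(headers: dict, body: bytes, small_limit: int = 64 * 1024) -> dict:
    """body is the reassembled HTTP payload, i.e. the sum of the TCP segments."""
    kind = classify_body(body)
    name = filename_from_headers(headers)
    flags = []
    if kind.startswith("PE") and "." not in name:
        flags.append("PE served without an extension")
    if kind != "unknown" and len(body) < small_limit:
        flags.append("small binary, possible loader")
    return {"md5": hashlib.md5(body).hexdigest(), "size": len(body),
            "type": kind, "filename": name, "flags": flags}


def make_fake_pe(characteristics: int) -> bytes:
    """Constructed minimal MZ/PE header (not a real binary) for the demo."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + coff + b"\0" * 200


SAMPLE_HEADERS = {"Content-Type": "application/octet-stream",
                  "Content-Disposition": 'attachment; filename="update"'}  # constructed

if __name__ == "__main__":
    print(triage_download(SAMPLE_HEADERS, make_fake_pe(0x0102)))
```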

0x3: C&C communication

1. Ransomware/Cerber Checkin M3 (4)

UDP: 33343032343164386336383030303931633730303030303134
UDP: 3334303234316438633638303465

The Suricata real-time alert rule that detects this ransomware's traffic:

alert udp $HOME_NET any -> $EXTERNAL_NET 6892 (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (4)"; dsize:25; content:"3"; depth:1; pcre:"/^[a-f0-9]{24}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023615; rev:1;)
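The predicate of sid:2023615 and its "threshold: type both, track by_src" suppression, reimplemented as an added example (not the page's or Suricata's code) and run over the two UDP payloads quoted above, decoded from their hex. The destination port, source address and timestamps of the sample datagrams are constructed; the rule itself only fixes the port (6892).

```python
import re

CERBER_PORT = 6892
HEX24 = re.compile(r"^[a-f0-9]{24}$", re.I)  # the rule's pcre, relative to the leading "3"


def matches_cerber_checkin(dst_port: int, payload: bytes) -> bool:
    """Same test as the rule: dsize:25, content "3" at depth 1, then 24 hex chars."""
    if dst_port != CERBER_PORT or len(payload) != 25 or payload[:1] != b"3":
        return False
    return HEX24.match(payload[1:].decode("ascii", "replace")) is not None


class Thresholder:
    """threshold: type both, count N, seconds S -> at most one alert per source per window."""

    def __init__(self, count: int = 1, seconds: int = 60):
        self.count, self.seconds, self.state = count, seconds, {}

    def should_alert(self, src: str, ts: float) -> bool:
        start, n, fired = self.state.get(src, (None, 0, False))
        if start is None or ts - start >= self.seconds:
            start, n, fired = ts, 0, False        # new window
        n += 1
        alert = n >= self.count and not fired
        self.state[src] = (start, n, fired or alert)
        return alert


def scan(datagrams):
    """datagrams: (ts, src, dst_port, payload). Returns the timestamps that alert."""
    th = Thresholder(count=1, seconds=60)
    return [ts for ts, src, port, data in datagrams
            if matches_cerber_checkin(port, data) and th.should_alert(src, ts)]


# The two UDP payloads shown on this page (hex-encoded there, raw bytes here).
PAGE_PAYLOADS = [bytes.fromhex("33343032343164386336383030303931633730303030303134"),
                 bytes.fromhex("3334303234316438633638303465")]

if __name__ == "__main__":
    sample = [(0, "10.3.14.134", 6892, PAGE_PAYLOADS[0]),   # constructed metadata
              (10, "10.3.14.134", 6892, PAGE_PAYLOADS[0]),
              (70, "10.3.14.134", 6892, PAGE_PAYLOADS[1])]
    print(scan(sample))
```

Only the 25-byte payload satisfies the rule; the 14-byte one fails the dsize check even though it starts with the same hex prefix.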

2. ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)

#alert udp $HOME_NET [!1720,!1722,!2222,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)"; dsize:>19; byte_test:1, &, 1, 19; threshold: type both, track by_src, count 95, seconds 50; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009205; classtype:trojan-activity; sid:2009205; rev:5;)

#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)"; dsize:>19; byte_test:1, &, 4, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009206; classtype:trojan-activity; sid:2009206; rev:4;)

#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)"; dsize:>19; byte_test:1, &, 5, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009207; classtype:trojan-activity; sid:2009207; rev:4;)

#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)"; dsize:>19; byte_test:1, &, 16, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009208; classtype:trojan-activity; sid:2009208; rev:4;)

0x4: Bitcoin-related communication

1. Checking whether a given wallet address is available

At run time the ransomware generates a random Bitcoin wallet address to receive the ransom payment. After generating it, it queries the blockchain to check whether the address is available; if the address is already taken, it generates a new one.

http://api.blockcypher.com/v1/btc/main/addrs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1486782174891

{"error": "Address 17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt is unaccessible."}

2. Querying the blockchain to check whether the given wallet address has received the ransom payment

http://api.blockcypher.com/v1/btc/main/txs/0c58687c2057837da6c08a090b75a41defe11c9927d3e0228d71a2bff2b264fa?_=1486782175218

{
  "block_hash": "000000000000000001c2563a05c879d883aa1680d0a49a1e0148afcf5b5034bf",
  "block_height": 452418,
  "block_index": 8,
  "hash": "0c58687c2057837da6c08a090b75a41defe11c9927d3e0228d71a2bff2b264fa",
  "addresses": [
    "17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt",
    "1NmrtQoXN1F4sSCRfCzCimYM4ncuj9tam7"
  ],
  "total": 31115000,
  "fees": 100000,
  "size": 192,
  "preference": "high",
  "relayed_by": "109.236.87.132:8333",
  "confirmed": "2017-02-10T14:43:06Z",
  "received": "2017-02-10T14:36:04.282Z",
  "ver": 1,
  "lock_time": 0,
  "double_spend": false,
  "vin_sz": 1,
  "vout_sz": 1,
  "confirmations": 2189,
  "confidence": 1,
  "inputs": [
    {
      "prev_hash": "f1d398776872297adcddedaca37c9bf00ce3683c11233fa291a0d588375cc6df",
      "output_index": 0,
      "script": "483045022100d9ffd79b0ec63e474b0a7878f397f6f262f4f05a106270e3791f1e76fec3b03802202c2d4eacd271b10fed5fff06066a958b41f10da041a63810573ecfaeb2f55e8a01210276ddc5fb72799194e3bd52a96400304b9d22d61f1944b4ad9f7209d58be36496",
      "output_value": 31215000,
      "sequence": 4294967295,
      "addresses": [
        "17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt"
      ],
      "script_type": "pay-to-pubkey-hash"
    }
  ],
  "outputs": [
    {
      "value": 31115000,
      "script": "76a914eed6963ae01cd87e4d737aa03e6267d346b7de9288ac",
      "spent_by": "2c55aacdad6a8830ebfd56d5d01e143a7e3a3bb94fc9bff49181ce518152f5a0",
      "addresses": [
        "1NmrtQoXN1F4sSCRfCzCimYM4ncuj9tam7"
      ],
      "script_type": "pay-to-pubkey-hash"
    }
  ]
}

3. Cerber Payment Site

0x5: Tor-related communication

1. ET TROJAN Ransomware/Cerber Onion Domain Lookup

Count:1 Event#3.23826 2017-02-11 03:02:54 UTC
ET TROJAN Ransomware/Cerber Onion Domain Lookup
10.3.14.134 -> 10.3.14.2
IPVer=4 hlen=5 tos=0 dlen=73 ID=3686 flags=0 offset=0 ttl=128 chksum=64432
Protocol: 17 sport=50205 -> dport=53

len=53 chksum=52268

Once the ransomware is active, it reports the successful infection and other host information to the operators on the Tor network, either through a Tor proxy such as Tor2web or through a Tor client embedded in the malware itself.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown Brazilian Banker Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?role="; fast_pattern:only; http_uri; content:"&os="; http_uri; content:"&bits="; http_uri; content:"&av="; http_uri; content:"&host="; http_uri; content:"&plugins="; http_uri; content:!"Referer|3a 20|"; http_header; reference:md5,580f82bbd46e8344231cf005; classtype:trojan-activity; sid:2023424; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ffoqr3ug7m726zou"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023425; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lfdachijzuwx4bc4"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023426; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ojmekzw4mujvqeju"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023427; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xrhwryizf5mui7a5"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023428; rev:1;)

Relevant Link:

https://ransomwaretracker.abuse.ch/tracker/

4. Analysis:10.3.14.131

0x1: Suspected shellcode download

1. ET SHELLCODE UTF-8/16 Encoded Shellcode

The TCP response packets carry a UTF/Unicode data stream beginning with '\x5C' (backslash-u escapes).

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE UTF-8/16 Encoded Shellcode"; flow:established,to_client; content:"|5C|u"; nocase; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; pcre:"/\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012510; rev:2;)

2. ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt"; flow:established,to_client; content:"String.FromCharCode("; nocase; pcre:"/String\x2EFromCharCode\x28[0-9]{1,3}/i"; reference:url,www.w3schools.com/jsref/jsref_fromCharCode.asp; reference:url,www.roseindia.net/javascript/method-fromcharcode.shtml; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; classtype:bad-unknown; sid:2011347; rev:2;)

0x2: Suspicious HTTP URL access

1. ET POLICY HTTP Request on Unusual Port Possibly Hostile

Normally web sites are served on ports such as 80 and 8080; if a URL is served on a non-standard port, the access itself is suspicious.

#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET POLICY HTTP Request on Unusual Port Possibly Hostile"; flow:established,to_server; flowbits:isnotset,et.httpproto; flowbits:set,et.httpproto; flowbits:set,ET.knowitsnothttpnow; flowbits:isnotset,ET.knowitsnothttpnow; threshold: type limit, count 1, seconds 30, track by_dst; reference:url,doc.emergingthreats.net/2006408; classtype:policy-violation; sid:2006408; rev:14;)

0x3: Suspicious DNS resolution

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Spora Ransomware DNS Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|spora|03|biz|00|"; nocase; distance:0; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,41de296c5bcfc24fc0f16b1e997d9aa5; classtype:trojan-activity; sid:2023887; rev:1;)
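The DNS matching used by both the Cerber onion-lookup rules (sids 2023425 to 2023428, above) and this Spora rule, as an added example that is not part of the original post or of Suricata: the ten bytes at offset 2 pin a standard query with one question and no answer records, and the needle is the length-prefixed label from the rule. The query packets are constructed with a small wire-format encoder; the names looked up are made-up test inputs, not captured traffic.

```python
import struct

DNS_STD_QUERY_HDR = bytes.fromhex("01000001000000000000")  # flags=0x0100, qd=1, an=ns=ar=0


def encode_qname(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"


def build_query(name: str, txid: int = 0x1234, flags: int = 0x0100) -> bytes:
    """Constructed UDP payload of a type A, class IN query (no real capture)."""
    return (struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
            + encode_qname(name) + struct.pack(">HH", 1, 1))


# Needles taken from the ET rules quoted on this page.
CERBER_ONION_LABELS = ["ffoqr3ug7m726zou", "lfdachijzuwx4bc4",
                       "ojmekzw4mujvqeju", "xrhwryizf5mui7a5"]
RULES = [("ET TROJAN Ransomware/Cerber Onion Domain Lookup", encode_qname(l)[:17])
         for l in CERBER_ONION_LABELS]          # |10| + 16-char label
RULES.append(("ET TROJAN Spora Ransomware DNS Query", encode_qname("spora.biz")))  # |05|spora|03|biz|00|


def match_dns_rules(payload: bytes) -> list:
    """content ... depth:10; offset:2, then the needle with distance:0 and nocase."""
    if payload[2:12] != DNS_STD_QUERY_HDR:
        return []
    rest = payload[12:].lower()
    return [msg for msg, needle in RULES if needle.lower() in rest]


if __name__ == "__main__":
    for qname in ["FFOQR3UG7M726ZOU.onion", "spora.biz", "example.com"]:
        print(qname, match_dns_rules(build_query(qname)))
```

A response for the same name (flags 0x8180, ancount 1) does not match, which is what the offset:2 header check is for.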

Relevant Link:

https://rules.emergingthreats.net/open/suricata/rules/
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules
https://ransomwaretracker.abuse.ch/ip/185.183.98.143/host/p27dokhpz2n7nvgr.1nmrtq.top/
https://www.pcrisk.com/removal-guides/10824-spora-ransomware

Copyright (c) 2017 LittleHann All rights reserved
