catalogue
1. SCENARIO
2. QUESTIONS
3. Analysis: 10.3.14.134
4. Analysis: 10.3.14.131
1. SCENARIO
The pcap contains traffic from three different hosts. You also have IDS alerts to help you figure out what's going on.
Relevant Link:
http://www.malware-traffic-analysis.net/2017/02/11/index.html
2. QUESTIONS
0x1: BASIC TASKS
Document the date, start time and end time of the pcap in UTC (GMT).
Document the IP address of the three hosts in the pcap.
Document the MAC address of the three hosts in the pcap.
Document the type of computer (Windows, Mac, Android, etc.) for each of the three hosts in the pcap.
Determine which host(s) were infected.
0x2: MORE ADVANCED TASKS
Document the family (or families) of malware based on indicators from the pcap.
Document the root cause for any infections noted in the pcap.
0x3: FINAL TASK
Draft an incident report for the infected host(s). If more than one host is infected, draft a separate incident report for each host.
Relevant Link:
3. Analysis: 10.3.14.134
0x1: Access to an anomalous domain
1. DNS resolution
unittogreas.top
2. HTTP request to the suspicious domain
http://unittogreas.top/search.php
This domain is flagged as a ransomware domain in the Ransomware Tracker.
------------------------------------------------------------------------
Count:1 Event#3.23810 2017-02-11 03:02:41 UTC
ET DNS Query to a *.top domain - Likely Hostile
10.3.14.134 -> 10.3.14.2
IPVer=4 hlen=5 tos=0 dlen=61 ID=1417 flags=0 offset=0 ttl=128 chksum=1178
Protocol: 17 sport=51734 -> dport=53 len=41 chksum=6660
------------------------------------------------------------------------
Count:1 Event#3.23811 2017-02-11 03:02:43 UTC
ET INFO HTTP Request to a *.top domain
10.3.14.134 -> 104.155.4.180
IPVer=4 hlen=5 tos=0 dlen=325 ID=0 flags=0 offset=0 ttl=0 chksum=13276
Protocol: 6 sport=49249 -> dport=80 Seq=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=62268 chksum=0
0x2: Suspicious file download
From a network-flow-analysis perspective, there are several things that can be done here:
1. Carve the entire PE/ELF stream and compute its MD5.
2. Compute the file size from the size of each [TCP segment of a reassembled PDU]; if the file is small, it is very likely a malicious loader.
3. Extract the file name from the filename field of the HTTP header; if it is a PE file with no extension, it is very likely a malicious file.
4. From the binary network stream, determine what kind of file download is in progress on the network (for example, this pcap shows EXE/DLL downloads as well as JS/WSF downloads).
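The four checks above can be scripted against a reassembled HTTP response. The following is an added example written for this post, not code from the original, and it works on a constructed response (a minimal "MZ"-headed body with a Content-Disposition header); the 64 KiB "small loader" threshold and the extension list are assumptions to tune for your own environment.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: one HTTP response delivering a small PE-shaped body
# ("MZ" header, a fake "PE\0\0" signature, zero padding). This is test data
# built for the example, not a download carved from the pcap.
SAMPLE_PE_BODY = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 444
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="dropper"\r\n'
    b"Content-Length: " + str(len(SAMPLE_PE_BODY)).encode() + b"\r\n"
    b"\r\n"
    + SAMPLE_PE_BODY
)

# Magic bytes for the executable formats the post mentions (PE and ELF).
MAGIC = {b"MZ": "PE", b"\x7fELF": "ELF"}
# Size below which an executable is treated as a "small loader" candidate.
# The threshold is an assumption for this example; tune it to your environment.
SMALL_LOADER_BYTES = 64 * 1024
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".elf", ".so"}


@dataclass
class DownloadVerdict:
    filename: Optional[str]
    file_type: str
    size: int
    md5: str
    reasons: List[str] = field(default_factory=list)


def split_http_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Separate a reassembled HTTP response into a header map and the body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of HTTP headers found")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def filename_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Pull the filename parameter out of Content-Disposition, if present."""
    match = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""), re.I)
    return match.group(1).strip() if match else None


def detect_type(body: bytes) -> str:
    """Identify PE/ELF bodies by their magic bytes."""
    for magic, name in MAGIC.items():
        if body.startswith(magic):
            return name
    return "unknown"


def triage_download(raw: bytes) -> DownloadVerdict:
    """Apply the checks from the post to one carved HTTP response."""
    headers, body = split_http_response(raw)
    filename = filename_from_headers(headers)
    file_type = detect_type(body)
    verdict = DownloadVerdict(filename, file_type, len(body), hashlib.md5(body).hexdigest())

    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        verdict.reasons.append("body length differs from Content-Length (truncated capture?)")
    if file_type != "unknown":
        ext = ("." + filename.rsplit(".", 1)[1].lower()) if filename and "." in filename else ""
        if ext not in EXECUTABLE_EXTENSIONS:
            verdict.reasons.append(f"{file_type} body served with non-executable or missing extension")
        if len(body) < SMALL_LOADER_BYTES:
            verdict.reasons.append(f"small {file_type} ({len(body)} bytes): possible loader")
    return verdict


if __name__ == "__main__":
    v = triage_download(SAMPLE_RESPONSE)
    print(v.filename, v.file_type, v.size, v.md5, v.reasons)
```

In practice the raw bytes come from a Wireshark "Follow TCP Stream" export or from a tool such as tcpflow; the Content-Length comparison catches the case where the capture was truncated and the MD5 would not match the file that actually landed on the host.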
0x3: C&C communication
1. Ransomware/Cerber Checkin M3 (4)
UDP: 33343032343164386336383030303931633730303030303134
UDP: 3334303234316438633638303465
The Suricata real-time alert rule that detects this ransomware's traffic:
alert udp $HOME_NET any -> $EXTERNAL_NET 6892 (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (4)"; dsize:25; content:"3"; depth:1; pcre:"/^[a-f0-9]{24}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023615; rev:1;)
2. ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)
#alert udp $HOME_NET [!1720,!1722,!2222,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)"; dsize:>19; byte_test:1, &, 1, 19; threshold: type both, track by_src, count 95, seconds 50; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009205; classtype:trojan-activity; sid:2009205; rev:5;)
#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)"; dsize:>19; byte_test:1, &, 4, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009206; classtype:trojan-activity; sid:2009206; rev:4;)
#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)"; dsize:>19; byte_test:1, &, 5, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009207; classtype:trojan-activity; sid:2009207; rev:4;)
#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)"; dsize:>19; byte_test:1, &, 16, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009208; classtype:trojan-activity; sid:2009208; rev:4;)
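To see what the Cerber check-in rule (sid:2023615) and the Conficker byte_test rules above actually test, here is an added Python re-implementation of their payload logic; it is not part of the original post or of Suricata. It decodes the two hex-dumped UDP payloads quoted above, reproduces the dsize/content/pcre and byte_test checks, and approximates the "threshold: type both, track by_src" suppression. The event list is constructed for the example (only the two payloads come from the page), and the Conficker port filter is simplified to "destination port >= 1024".

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# The two UDP payloads quoted above are hex-encoded on the page; decode them.
CERBER_PAYLOADS = [
    bytes.fromhex("33343032343164386336383030303931633730303030303134"),  # 25 bytes
    bytes.fromhex("3334303234316438633638303465"),                        # 14 bytes
]
CERBER_DPORT = 6892
HEX24 = re.compile(rb"^[a-f0-9]{24}$", re.I)


def matches_cerber_checkin_m3(payload: bytes) -> bool:
    """Payload checks of sid:2023615: dsize:25; content:"3"; depth:1;
    pcre:"/^[a-f0-9]{24}$/Ri". The R modifier anchors ^ at the end of the
    previous content match, so the regex is applied to payload[1:]."""
    return len(payload) == 25 and payload[:1] == b"3" and HEX24.match(payload[1:]) is not None


def conficker_ping_bit_set(payload: bytes, bit: int) -> bool:
    """dsize:>19; byte_test:1, &, <bit>, 19 from sids 2009205-2009208:
    read one byte at offset 19 and AND it with the mask."""
    return len(payload) > 19 and (payload[19] & bit) != 0


class Threshold:
    """Approximation of 'threshold: type both, track by_src, count N, seconds S':
    fire once when a source reaches N matches inside S seconds, then stay quiet
    for that source until the interval expires."""

    def __init__(self, count: int, seconds: float) -> None:
        self.count, self.seconds = count, seconds
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)
        self.quiet_until: Dict[str, float] = {}

    def hit(self, src: str, ts: float) -> bool:
        window = self.hits[src]
        window.append(ts)
        while window and ts - window[0] > self.seconds:
            window.popleft()
        if ts < self.quiet_until.get(src, float("-inf")):
            return False
        if len(window) >= self.count:
            self.quiet_until[src] = ts + self.seconds
            window.clear()
            return True
        return False


# Constructed UDP events: (timestamp, src, dport, payload). The payloads of the
# first three reuse the page's two dumps; the fourth is made up for the example.
SAMPLE_EVENTS: List[Tuple[float, str, int, bytes]] = [
    (0.0, "10.3.14.134", CERBER_DPORT, CERBER_PAYLOADS[0]),
    (0.5, "10.3.14.134", CERBER_DPORT, CERBER_PAYLOADS[1]),
    (1.0, "10.3.14.134", CERBER_DPORT, CERBER_PAYLOADS[0]),
    (2.0, "10.3.14.131", 40000, b"\x00" * 19 + b"\x10" + b"\x00" * 4),
]

CERBER_MSG = "ET TROJAN Ransomware/Cerber Checkin M3 (4)"
CONFICKER_MSG = "ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)"


def scan_udp_events(events) -> List[Tuple[float, str, str]]:
    """Run both detections over a list of events; return (ts, src, alert message)."""
    cerber_threshold = Threshold(count=1, seconds=60.0)     # as in sid:2023615
    conficker_threshold = Threshold(count=95, seconds=40.0)  # as in sid:2009208
    alerts: List[Tuple[float, str, str]] = []
    for ts, src, dport, payload in events:
        if dport == CERBER_DPORT and matches_cerber_checkin_m3(payload):
            if cerber_threshold.hit(src, ts):
                alerts.append((ts, src, CERBER_MSG))
        # Simplified port filter (assumption): the real rule also excludes a few
        # VoIP ports; only the ">= 1024" part is kept here.
        if dport >= 1024 and conficker_ping_bit_set(payload, 16):
            if conficker_threshold.hit(src, ts):
                alerts.append((ts, src, CONFICKER_MSG))
    return alerts


if __name__ == "__main__":
    for alert in scan_udp_events(SAMPLE_EVENTS):
        print(alert)
```

Note how the first payload (25 ASCII bytes: a leading "3" and 24 hex digits) satisfies every check while the second, shorter one does not, and how the threshold means the second valid check-in one second later produces no additional alert.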
0x4: Bitcoin-related communication
1. Checking whether a given wallet address is available
At runtime the ransomware randomly generates a Bitcoin wallet address to receive the ransom payment. After generating it, it queries the blockchain to check whether the address is available; if the address is already taken, it generates a new one.
http://api.blockcypher.com/v1/btc/main/addrs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1486782174891
{"error": "Address 17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt is unaccessible."}
2. Querying the blockchain to check whether the given wallet address has received the ransom payment
http://api.blockcypher.com/v1/btc/main/txs/0c58687c2057837da6c08a090b75a41defe11c9927d3e0228d71a2bff2b264fa?_=1486782175218
{
  "block_hash": "000000000000000001c2563a05c879d883aa1680d0a49a1e0148afcf5b5034bf",
  "block_height": 452418,
  "block_index": 8,
  "hash": "0c58687c2057837da6c08a090b75a41defe11c9927d3e0228d71a2bff2b264fa",
  "addresses": [
    "17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt",
    "1NmrtQoXN1F4sSCRfCzCimYM4ncuj9tam7"
  ],
  "total": 31115000,
  "fees": 100000,
  "size": 192,
  "preference": "high",
  "relayed_by": "109.236.87.132:8333",
  "confirmed": "2017-02-10T14:43:06Z",
  "received": "2017-02-10T14:36:04.282Z",
  "ver": 1,
  "lock_time": 0,
  "double_spend": false,
  "vin_sz": 1,
  "vout_sz": 1,
  "confirmations": 2189,
  "confidence": 1,
  "inputs": [
    {
      "prev_hash": "f1d398776872297adcddedaca37c9bf00ce3683c11233fa291a0d588375cc6df",
      "output_index": 0,
      "script": "483045022100d9ffd79b0ec63e474b0a7878f397f6f262f4f05a106270e3791f1e76fec3b03802202c2d4eacd271b10fed5fff06066a958b41f10da041a63810573ecfaeb2f55e8a01210276ddc5fb72799194e3bd52a96400304b9d22d61f1944b4ad9f7209d58be36496",
      "output_value": 31215000,
      "sequence": 4294967295,
      "addresses": [
        "17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt"
      ],
      "script_type": "pay-to-pubkey-hash"
    }
  ],
  "outputs": [
    {
      "value": 31115000,
      "script": "76a914eed6963ae01cd87e4d737aa03e6267d346b7de9288ac",
      "spent_by": "2c55aacdad6a8830ebfd56d5d01e143a7e3a3bb94fc9bff49181ce518152f5a0",
      "addresses": [
        "1NmrtQoXN1F4sSCRfCzCimYM4ncuj9tam7"
      ],
      "script_type": "pay-to-pubkey-hash"
    }
  ]
}
3. Cerber Payment Site
0x5: Tor network-related communication
1. ET TROJAN Ransomware/Cerber Onion Domain Lookup
Count:1 Event#3.23826 2017-02-11 03:02:54 UTC
ET TROJAN Ransomware/Cerber Onion Domain Lookup
10.3.14.134 -> 10.3.14.2
IPVer=4 hlen=5 tos=0 dlen=73 ID=3686 flags=0 offset=0 ttl=128 chksum=64432
Protocol: 17 sport=50205 -> dport=53 len=53 chksum=52268
Once the ransomware is running, it reports the successful infection and other host information to the operators on the Tor network, either through a Tor proxy such as Tor2web or through a Tor client integrated directly into the malware.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown Brazilian Banker Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?role="; fast_pattern:only; http_uri; content:"&os="; http_uri; content:"&bits="; http_uri; content:"&av="; http_uri; content:"&host="; http_uri; content:"&plugins="; http_uri; content:!"Referer|3a 20|"; http_header; reference:md5,580f82bbd46e8344231cf005; classtype:trojan-activity; sid:2023424; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ffoqr3ug7m726zou"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023425; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lfdachijzuwx4bc4"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023426; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ojmekzw4mujvqeju"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023427; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xrhwryizf5mui7a5"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023428; rev:1;)
Relevant Link:
https://ransomwaretracker.abuse.ch/tracker/
4. Analysis: 10.3.14.131
0x1: Suspected shellcode download
1. ET SHELLCODE UTF-8/16 Encoded Shellcode
The TCP response packets carry a UTF Unicode data stream that begins with '\x5C' (a backslash, i.e. \u escape sequences).
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE UTF-8/16 Encoded Shellcode"; flow:established,to_client; content:"|5C|u"; nocase; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; pcre:"/\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012510; rev:2;)
2. ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt"; flow:established,to_client; content:"String.FromCharCode("; nocase; pcre:"/String\x2EFromCharCode\x28[0-9]{1,3}/i"; reference:url,www.w3schools.com/jsref/jsref_fromCharCode.asp; reference:url,www.roseindia.net/javascript/method-fromcharcode.shtml; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; classtype:bad-unknown; sid:2011347; rev:2;)
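As an added example (not code from the original post or from the Emerging Threats rule set), the following Python reproduces the payload logic of the two rules above, sid:2012510 (three consecutive \u escapes) and sid:2011347 (String.fromCharCode followed directly by a numeric literal), and goes one step further than the rules by decoding what each hit hides, which is what an analyst does next when triaging the alert. The HTTP body it scans is constructed for the example.

```python
import re
from typing import Dict, List

# Patterns taken from the two Suricata rules above. sid:2012510's pcre needs
# three consecutive \u escapes; its class [a-f,0-9] also admits a comma, which
# is dropped here. sid:2011347 needs a digit right after "String.fromCharCode(".
ESCAPE_RUN = re.compile(rb"(?:\\u[0-9a-f]{2,4}){3,}", re.I)
ESCAPE = re.compile(rb"\\u([0-9a-f]{4})", re.I)
FROMCHARCODE = re.compile(rb"String\.fromCharCode\(([0-9]{1,3}(?:\s*,\s*[0-9]{1,3})*)\)", re.I)

# Constructed HTTP response body carrying both patterns (test data, not page content).
SAMPLE_BODY = (
    b"<html><script>\n"
    b'var a = "\\u0065\\u0076\\u0061\\u006c";\n'
    b"var b = String.fromCharCode(104, 105);\n"
    b"</script></html>"
)


def decode_escape_run(run: bytes) -> str:
    """Turn a run of \\uXXXX escapes into the text it hides."""
    return "".join(chr(int(h, 16)) for h in ESCAPE.findall(run))


def decode_charcodes(arg_list: bytes) -> str:
    """Turn the numeric argument list of String.fromCharCode(...) into text."""
    return "".join(chr(int(n.strip())) for n in arg_list.split(b","))


def detect_js_obfuscation(body: bytes) -> Dict[str, List[str]]:
    """Return the decoded content behind each hit of the two signatures."""
    return {
        "unicode_escape_runs": [decode_escape_run(r) for r in ESCAPE_RUN.findall(body)],
        "fromcharcode_literals": [decode_charcodes(a) for a in FROMCHARCODE.findall(body)],
    }


def is_suspicious(body: bytes) -> bool:
    """True when either signature fires, mirroring the two alerts."""
    return any(detect_js_obfuscation(body).values())


if __name__ == "__main__":
    print(detect_js_obfuscation(SAMPLE_BODY))
```

Both signatures are classtype bad-unknown for a reason: legitimate minified JavaScript also uses \u escapes and fromCharCode, so the decoded strings (here an escaped "eval" and a character-code literal) are what let you decide whether the hit is worth escalating.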
0x2: Suspicious HTTP URL access
1. ET POLICY HTTP Request on Unusual Port Possibly Hostile
Normally websites are served on ports such as 80 and 8080; if a URL is served on an unusual port, the access itself is suspicious.
#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET POLICY HTTP Request on Unusual Port Possibly Hostile"; flow:established,to_server; flowbits:isnotset,et.httpproto; flowbits:set,et.httpproto; flowbits:set,ET.knowitsnothttpnow; flowbits:isnotset,ET.knowitsnothttpnow; threshold: type limit, count 1, seconds 30, track by_dst; reference:url,doc.emergingthreats.net/2006408; classtype:policy-violation; sid:2006408; rev:14;)
0x3: Suspicious DNS resolution
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Spora Ransomware DNS Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|spora|03|biz|00|"; nocase; distance:0; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,41de296c5bcfc24fc0f16b1e997d9aa5; classtype:trojan-activity; sid:2023887; rev:1;)
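The DNS rules in this post (the four Cerber onion-domain lookups in section 3 and the Spora rule above) all share the same shape: pin the header bytes after the transaction ID to a standard query with one question, then look for a length-prefixed label. Here is an added Python example, not code from the original post or from Suricata, that parses the question name from a raw DNS payload and applies those checks; the *.top alert from the first IDS event is included as a plain TLD comparison, which is an assumption since that rule's body is not on the page. The queries are constructed for the example (the first reuses the domain seen in the pcap).

```python
import struct
from typing import List, Tuple

# Labels from the four Cerber onion-lookup rules (the |10| prefix in the rules is
# the label length, 16 bytes).
CERBER_ONION_LABELS = {"ffoqr3ug7m726zou", "lfdachijzuwx4bc4", "ojmekzw4mujvqeju", "xrhwryizf5mui7a5"}
# Bytes pinned by content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10:
# flags 0x0100 (standard recursive query), QDCOUNT=1, AN/NS/ARCOUNT=0.
STANDARD_QUERY_HEADER_TAIL = b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"

CERBER_MSG = "ET TROJAN Ransomware/Cerber Onion Domain Lookup"
SPORA_MSG = "ET TROJAN Spora Ransomware DNS Query"
TOP_MSG = "ET DNS Query to a *.top domain - Likely Hostile"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a standard A query for `name` (test input, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_question_name(payload: bytes) -> List[str]:
    """Walk the QNAME labels of the first question; rejects truncated or compressed names."""
    if len(payload) < 12:
        raise ValueError("DNS payload shorter than the 12-byte header")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        n = payload[pos]
        pos += 1
        if n == 0:
            return labels
        if n & 0xC0:
            raise ValueError("compression pointer is not valid in a question name")
        if pos + n > len(payload):
            raise ValueError("label runs past end of payload")
        labels.append(payload[pos:pos + n].decode("ascii", "replace").lower())
        pos += n


def classify_dns_query(payload: bytes) -> List[str]:
    """Return the alert messages from this post that the query would trigger."""
    if payload[2:12] != STANDARD_QUERY_HEADER_TAIL:
        return []  # responses and multi-question packets never match these rules
    labels = parse_question_name(payload)
    hits: List[str] = []
    if any(label in CERBER_ONION_LABELS for label in labels):
        hits.append(CERBER_MSG)
    if labels[-2:] == ["spora", "biz"]:  # content:"|05|spora|03|biz|00|"
        hits.append(SPORA_MSG)
    if labels and labels[-1] == "top":  # assumed TLD check, rule body not on the page
        hits.append(TOP_MSG)
    return hits


# Constructed queries: the first reuses the domain seen in the pcap, the others are
# sample names built to exercise the remaining rules.
SAMPLE_QUERIES = [build_dns_query(n) for n in
                  ("unittogreas.top", "ffoqr3ug7m726zou.onion.to", "spora.biz", "example.com")]


def scan_queries(queries) -> List[Tuple[str, List[str]]]:
    """Pair each query's name with the alerts it triggers."""
    return [(".".join(parse_question_name(q)), classify_dns_query(q)) for q in queries]


if __name__ == "__main__":
    for name, alerts in scan_queries(SAMPLE_QUERIES):
        print(name, alerts)
```

The header check is why the onion rules match the query from the infected host and not the resolver's answer: a response has the QR bit set, so its flags no longer equal 0x0100 and the content match at offset 2 fails before the label is ever compared.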
Relevant Link:
https://rules.emergingthreats.net/open/suricata/rules/
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules
https://ransomwaretracker.abuse.ch/ip/185.183.98.143/host/p27dokhpz2n7nvgr.1nmrtq.top/
https://www.pcrisk.com/removal-guides/10824-spora-ransomware
Copyright (c) 2017 LittleHann All rights reserved