Incident Activity Report

My attempt at writing an incident activity report for the malware activity observed in the pcap file at http://www.malware-traffic-analysis.net/2014/12/08/index.html

Uploaded by 0x776b7364

Incident Activity Report

Date: 2017-06-01
Analyst: 0x776b7364

EXECUTIVE SUMMARY
On 8 December 2014 23:18 GMT, a user on the host 38NTRGDFQKRPC (192.168.204.137) accessed www.excelforum.com via a Google search. This previously compromised website contained a malicious script file which caused the user's browser to be redirected to other websites containing malicious active content such as Java and Flash files. Existing browser-based vulnerabilities present on the host computer enabled the website to download and execute programs on the computer. The whole intrusion and infection sequence took about two minutes to complete. Based on the provided network traffic file, private or company information could potentially have been exfiltrated.
The organisation should:
- Consider encouraging or forcing users to use alternative browsers
- Encourage users to install browser add-ons/extensions such as NoScript to prevent potentially malicious scripts from loading automatically
- Ensure that endpoint protection software (such as antivirus) is installed and up to date
- Implement application whitelisting on Windows workstations
- Consider implementing a reverse proxy filtering solution (such as F5 or BlueCoat).
TECHNICAL ANALYSIS
The NetworkMiner tool was first used to get an overall picture of the contents within the included pcap file. From NetworkMiner, I obtained the following information:
- A large majority of the sessions originated from the host 192.168.204.137. This Windows host had the corresponding hostname 38NTRGDFQKRPC and MAC address of 00:0C:29:9D:B8:6D. Later analysis would demonstrate that this host is the host affected by the malicious JavaScript files.
- The Parameters tab indicated that the user agent parameter values for the host 192.168.204.137 are largely Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; . This indicates that the user is using the IE 8.0 browser on Windows 7 to access the sites. A further user agent was observed: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_25. Later analysis would show that this user agent belonged to the malware reaching out to malicious servers to download binary payloads.
Wireshark was then used to open the pcap file for analysis. The following display filter was used to isolate HTTP traffic related to the affected host:
(ip.src_host == 192.168.204.137 || ip.dst_host == 192.168.204.137) && http
From the display filter results, I concluded that the affected user first entered the search term http://www.excelforum.com into Google [frame 8], and then clicked on the result which redirected him to the website http://www.excelforum.com (69.167.155.134:80) [frame 22]. Based on the Date HTTP parameter in the HTTP response [frame 309], the date and time at which this event occurred is 8 December 2014 23:18:42 GMT. The website included a <script> tag on line 127 which has the URL:
http://magggnitia.com/?Q2WP=p4VpeSdhe5ba&nw3=9n6MZfU9I_1Ydl8y&9M5to=_8w6t8o4W_abrev&GgiMa=8Hfr8Tlcgkd0sfV&t6Mry=I6n2
This causes the affected user's browser to perform a HTTP GET request to http://magggnitia.com (94.242.216.69:80) [frame 94]. The HTTP response was a JavaScript file which caused a redirect to the domain digiwebname.in (205.234.186.111:80). This JavaScript file, though obfuscated, had the gNUmtrTcEF parameter value of http://digiwebname.in/6ktpi5xo/PoHWLGZwrjXeGDG3P-I5. The pcap file supported the hypothesis that the user got redirected to that URL [frame 1300]. This event occurred on 8 December 2014 23:20:09 GMT.
The response to the HTTP request to the digiwebname.in domain was a HTML file containing another set of obfuscated JavaScript code [frame 1340]. The obfuscated JavaScript code was isolated and copied to a Remnux installation for further analysis. After patching the JavaScript code, and using the Rhino debugger and Google Chrome v8 for debugging and analysis, I determined that this JavaScript code profiled the browser and its plugins, and then used the results to make HTTP GET requests to download further payloads. The relevant subsequent HTTP GET requests and their corresponding frame numbers are as follows:
- http://digiwebname.in/6ktpi5xo/3830948c194842760701040b0b0f095a010b000b0d560858060c0b060a060a5a;118800;94 [frames 1347 and 1360]
- http://digiwebname.in/6ktpi5xo/7d0d7c94be7afa7a5b0d525f0558080d0557035f0301090f0250085204510b0d;910 [frames 1414 and 1435]
- http://digiwebname.in/6ktpi5xo/39e112e34c7d1c884055130a0309540a010a560a05505508060d5d070200570a;4060531 [frames 1418 and 1444]
- http://digiwebname.in/6ktpi5xo/55fdd7ebca026cab5447075f560c545b0706555f5055555900015e525705575b [frames 1977 and 1986]

These encrypted payloads were extracted to the examining system using Wireshark's Export Objects (HTTP) feature. The following list is a mapping from URL to filename to SHA1 hash of the payloads:
- http://digiwebname.in/6ktpi5xo/3830948c194842760701040b0b0f095a010b000b0d560858060c0b060a060a5a;118800;94 > hyepksam259.swf > 4e8bdc5611f8ef8e6473bd38cc625341832b7d3
- http://digiwebname.in/6ktpi5xo/7d0d7c94be7afa7a5b0d525f0558080d0557035f0301090f0250085204510b0d;910 > buvyoem41.pdf > 15add2fdcd6f4ee6a16ae2c8557aaba8bf2943d3
- http://digiwebname.in/6ktpi5xo/39e112e34c7d1c884055130a0309540a010a560a05505508060d5d070200570a;4060531 > dszohrfb90.xap > 90208b3c149a01de487a64f469042326050da3d0
- http://digiwebname.in/6ktpi5xo/55fdd7ebca026cab5447075f560c545b0706555f5055555900015e525705575b > syvwkahx581.jar > 59c07162d0c10658eec2298f19febfcb8275b25d
The SHA1 hashes were used as search terms within VirusTotal to confirm that all of the payloads are malicious, and that they are recognized by most antivirus vendors. The VirusTotal analysis further identifies that the SWF and JAR payloads exploit CVE-2014-0569 and CVE-2012-0507 respectively. A search of these two exploits reveals that both of them are used in the RIG and Fiesta exploit kits (EKs). A blog post by Context Information Security [1] confirms that the pcap file captured a Fiesta EK incident, due to the unique way in which the malicious URLs were generated and the JavaScript code was obfuscated.
The files referenced above exploited vulnerabilities in browser plugins such as Adobe Flash, Adobe PDF, Microsoft Silverlight, and Java. Some or all of the plugins were exploited to further download malicious encrypted payloads in frames 1596, 1757, 1961, 2139, and 2291 (these are shown as having the MIME type application/octet-stream).
I used a script provided by Context Information Security [2] to decode the second set of obfuscated JavaScript code, and obtained the following URLs which were not present in the pcap file:
- http://digiwebname.in/6ktpi5xo/228759d200ad45b60a060c0c0702550b00010b0c015b540907060001060b560b (incompatible Flash version)
- http://digiwebname.in/6ktpi5xo/69266c7425df8059030f0b0d0458060d040a010d0201070f030d0a000551050d (incompatible Flash version)
- http://digiwebname.in/6ktpi5xo/1b9a9eecb34c4c045b0c555a0b5e545a03510a5a0d075558045601570a57575a (missing or incompatible JavaFX)
Presumably, the JavaScript file determined that certain exploits do not match certain installed browser plugins due to missing or incompatible versions, and hence the downloads for these files were not triggered. In future incidents, such URLs should be accessed by a sacrificial Virtual Machine (VM) over a dedicated connection in order to accurately assess the impact of such malware on the organisation's environment.
Each of the file format exploits (swf/pdf/xap/jar) dropped an encrypted binary onto the local file system. A script by user 0x3a [3] was used to decrypt the encrypted binaries, and all the decrypted binaries resulted in the same SHA1 hash of dc54148d7b01c4ef6fe0bb9f74cce09a4ff83809. The VirusTotal and Malwr analysis of this binary confirmed that this is a PE executable malware. In addition, the Malwr page [4] indicated that an outgoing connection to the host 209.239.112.229:80 was observed. This corresponds to frames 1792 and 1799 in the pcap file, and it is likely that the malware has executed and is phoning home or exfiltrating information. I was unsuccessful in determining the plaintext from the base64-encoded POST request; further analysis of the binary using a debugger such as IDA Pro is recommended.
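The chain above (hex-encoded gate URLs under a short path token, a second request carrying the Java runtime user agent, and finally a POST to a bare IP address) can be turned into a triage rule for proxy or Wireshark-exported HTTP records. The following is an added example, not part of the original report; the record layout and the sample lines are constructed here to mirror the report's sequence and are not real proxy output.

```python
import re
from datetime import datetime, timezone

# Fiesta-style gate URL as seen in this report: /<short token>/<long hex>[;digits]...
FIESTA_URL = re.compile(r"^https?://[^/]+/[A-Za-z0-9]{6,10}/[0-9a-f]{40,}(?:;\d+)*$")
JAVA_UA = re.compile(r"^Mozilla/4\.0 \(Windows [^)]*\) Java/")  # JRE fetching content
IP_HOST = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/")
# Assumed record layout (constructed for this example): time src "user-agent" method url
RECORD = re.compile(r'^(\S+) (\S+) "([^"]*)" (GET|POST) (\S+)$')

def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            rows.append({"time": ts, "src": m.group(2), "ua": m.group(3), "method": m.group(4), "url": m.group(5)})
    return sorted(rows, key=lambda r: r["time"])

def triage(log_text):
    """Return (time, src, reason, url) tuples for records matching the EK pattern."""
    findings, hit_hosts = [], set()
    for r in parse(log_text):
        reasons = []
        if FIESTA_URL.match(r["url"]):
            reasons.append("fiesta-style gate url")
        if JAVA_UA.match(r["ua"]):
            reasons.append("java runtime fetching content")
        if reasons:
            hit_hosts.add(r["src"])
        # A POST to a bare IP from a host that already hit the gate: likely callback
        if r["method"] == "POST" and IP_HOST.match(r["url"]) and r["src"] in hit_hosts:
            reasons.append("post to bare ip after exploit traffic")
        findings.extend((r["time"], r["src"], why, r["url"]) for why in reasons)
    return findings

def activity_window(log_text):
    """Seconds from each flagged source's first request to its last finding."""
    first_seen = {r["src"]: r["time"] for r in reversed(parse(log_text))}
    return {src: int((ts - first_seen[src]).total_seconds()) for ts, src, _, _ in triage(log_text)}

# Constructed sample mirroring the report's chain (not real proxy output).
IE = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
SAMPLE_LOG = f'''\
2014-12-08T23:18:42Z 192.168.204.137 "{IE}" GET http://www.excelforum.com/
2014-12-08T23:20:09Z 192.168.204.137 "{IE}" GET http://digiwebname.in/6ktpi5xo/PoHWLGZwrjXeGDG3P-I5
2014-12-08T23:20:11Z 192.168.204.137 "{IE}" GET http://digiwebname.in/6ktpi5xo/3830948c194842760701040b0b0f095a010b000b0d560858060c0b060a060a5a;118800;94
2014-12-08T23:20:15Z 192.168.204.137 "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_25" GET http://digiwebname.in/6ktpi5xo/55fdd7ebca026cab5447075f560c545b0706555f5055555900015e525705575b
2014-12-08T23:20:30Z 192.168.204.137 "{IE}" POST http://209.239.112.229/
'''
```

On the constructed sample, `triage` flags four records and `activity_window` reports 108 seconds for 192.168.204.137, which is the "about two minutes" the executive summary describes.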
RECOMMENDED CLEANUP AND MITIGATION STRATEGIES
The following steps should be undertaken immediately:
- The affected system should be removed from the network, and a comprehensive forensics and data recovery exercise (if required) should be performed
- The Operating System should be wiped, and if the malware infection is severe, the system should be decommissioned
- The malicious binary files should be blacklisted in the centralized antivirus console, and quick scans using the updated signatures should be performed against sensitive systems
- Network and website filters should be set to restrict access to the affected websites and IP addresses.
The following steps should be considered and undertaken in the short term:
- Deploy alternative browsers such as Mozilla Firefox and Google Chrome to users
- Browser add-ons/extensions which disable automatic loading of scripts and plugins should be used
- The Standard Operating Environment (SOE) should be reviewed and unnecessary software (such as Flash or Java) should be removed unless required for operations.
The following steps should be considered and undertaken in the long term:
- Windows workstations should have application whitelisting enabled (such as via AppLocker)
- A reverse proxy filtering solution should be implemented to check the target website's reputation and presence of malware through analysis or blacklists.
REFERENCES
The following tools were used in the generation of this report:
Wireshark, NetworkMiner, Unix file, Remnux, Google Chrome v8, Rhino debugger
The following links were referenced and/or used in the generation of this report:
[1]: https://www.contextis.com/resources/blog/fiesta-exploit-kit-analysis/
[2]: https://www.contextis.com/documents/34/Fiesta_Decoder.zip
[3]: https://raw.githubusercontent.com/0x3a/tools/master/fiesta-payload-decrypter.py
[4]: https://malwr.com/analysis/MmNiMTdhZTFhMGRmNDAwZjg2ZDhhMDZjODFjMGY3NjI/