DavidInfosec.com

Technical discoveries, lessons learned, and helpful tips

Analyzing Malicious Traffic: A lab on repackaging executable files and forming a conclusion on malicious network data

DavidInfosec.com, March 15, 2022 (updated March 1, 2024)

Let’s take a look at the “Okay Boomer” .pcap file

Introduction

Today’s blog post is about analyzing malicious traffic with network packet capture files. These files are also known as .pcap files, and they provide a historical snapshot of network data. 

If you choose to follow along with this lab, proceed with the understanding that opening a packet capture is safe the vast majority of the time, but it is entirely possible for a packet capture to be modified to exploit a vulnerability in Wireshark, or for the data in the capture to be executed if it is extracted and compiled or run.

See: https://security.stackexchange.com/questions/121713/is-there-any-chance-of-pc-getting-infected-when-you-analyse-pcap-malware-file


Resources

Gerald Auger’s YouTube video used as a reference for this lab:
https://www.youtube.com/watch?v=M8yoYmiL7rA&t=436s

Download Wireshark:
https://www.wireshark.org/

Link to lab:
https://www.malware-traffic-analysis.net/2019/11/12/index.html

  • Check the ‘about me’ section on the malware traffic site to obtain the zip file password.
  • Extract the zip, and open the .pcap

Scenario

LAN segment data:

  • LAN segment range:  10.11.11.0/24 (10.11.11.0 through 10.11.11.255)
  • Domain:  okay-boomer.info
  • Domain controller:  10.11.11.11 - Okay-Boomer-DC
  • LAN segment gateway:  10.11.11.1
  • LAN segment broadcast address:  10.11.11.255

Your Task

We have several tasks in this lab, such as obtaining:

  • operating systems
  • MAC addresses
  • user account names
  • a SHA256 file hash / detection rate

Question One

1) What operating system and type of device is on 10.11.11.94?

To approach this answer, we turn to the packet capture, go to the Statistics menu in Wireshark, and select ‘Endpoints’.

Endpoints context menu

After selecting Endpoints, we’re looking for the IP 10.11.11.94, so we would head to the IPv4 section, and look for that IP in the list.

Endpoint Local IP 10.11.11.94

Right click the entry -> ‘Apply as filter’ -> ‘Selected’

Apply as filter -> Selected

The query in the search bar translates to ip.addr == 10.11.11.94 and allows for filtering all packets having to do with the specified IP.

Source Query 10.11.11.94

Optionally, you could type the query directly into the filter bar, but Wireshark’s display filter syntax can be confusing for those who are just getting started, so building the filter through these context menus is a nice way to ease into things.

Select ‘Statistics’ at the top once again, and select ‘Protocol Hierarchy’. This will show us the protocol distribution statistics for the selected source IP.

Protocol Hierarchy

In this menu, there are lots of filters we could apply, but we’re specifically trying to locate the operating system and type of device, so we want unencrypted traffic. Select Hypertext Transfer Protocol and then select ‘Apply as filter’ -> ‘…and Selected’

Apply as filter -> …and Selected

Now we have filtered the IP 10.11.11.94 down to HTTP traffic only.

Right click one of the packets, click ‘Follow’, then ‘Follow TCP Stream’. We’re looking to follow the TCP conversation. TCP reassembles the segments on the receiving end, and following the stream lets us see the data from all of those packets together as one big picture.

Follow TCP Stream

As you can see, the TCP stream gives us lots of information. If we were to do this with an encrypted TLS packet, it would look unreadable. Because we selected an insecure protocol, we are able to see the data in plaintext, which will contribute to allowing us to answer the first question.

As a general rule:

  • red text is from the source.
  • blue text is the response from the server.

According to the TCP stream, the user appears to be running ChromeOS. This is evident from the User-Agent header, which reads:
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 12239.92.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.136 Safari/537.36

The CrOS token is our evidence.

Since it’s running on ChromeOS, we are going to assume this is a Chromebook.

ChromeOS

Now that we’ve answered our first question, we’re going to document it somewhere handy, and move on to the next question.


Question Two

2) What operating system and type of device is on 10.11.11.121?

Just as we worked the first question, we are going to approach this one with similar steps.

First, we need to clear our query. Click the X in the bar to clear.

  • Click ‘Statistics’ in the top bar in Wireshark.
  • Select ‘Endpoints’
  • Select ‘IPv4’
  • Select '10.11.11.121'
    • Right click the selection,
      • ‘Apply as filter’ -> ‘Selected’
  • Click ‘Statistics’ in the top bar in Wireshark.
  • Select ‘Protocol Hierarchy’
  • Right click ‘Hypertext Transfer Protocol’
    • ‘Apply as filter’ -> ‘…and Selected’

Now we’re going to repeat the steps to follow the TCP stream.

  • Right click a packet in Wireshark after applying these filters.
  • Follow TCP Stream

After doing all this, we arrive at our next answer: the user appears to be running a 64-bit Linux OS:
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36

Linux

Question 3

Based on the MAC address for 10.11.11.145, who is the manufacturer or vendor?

To find this MAC address, we’re going to take a similar approach to the previous two questions.

  • Statistics menu at the top.
  • Endpoints
  • Right click 10.11.11.145 and apply the filter ‘Selected’

Now, we’re going to click on a source packet with the IP 10.11.11.145.
A new pane should appear in Wireshark with different sections known as packet headers. We are looking for ‘Ethernet II’.

Ethernet II packet header

The reason we are looking at Ethernet II is that the MAC address of a device belongs to Layer 2 networking: this is physical addressing. Since the MAC address is assigned to a physical piece of hardware, we will find the manufacturer or vendor here as well.

Wireshark resolves the MAC to hardware from the vendor Motorola.

Wireshark was able to provide this information because, as a general rule, the first six hex digits (the first three octets) of a MAC address, known as the OUI, identify the vendor or manufacturer, and the lookup table that maps bc:ff:eb… to Motorola is built in to Wireshark.

If Wireshark wasn’t giving us the vendor, we could go to a vendor lookup website, such as https://macaddress.io, which would provide this information for us.

OUI vendor lookup

Additionally, we can see that the server side of this conversation is a Cisco device. This is most likely a router.
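What Wireshark does in the Endpoints window and the Ethernet II header can be reproduced in a few dozen lines of Python, which makes the mechanics clearer. The following is an added example, not code from the lab or from this post: it writes a tiny three-packet capture in the classic libpcap format, dissects Ethernet II and IPv4, reproduces the ip.addr == filter and the IPv4 endpoint counts, reads the source MAC off a frame the way the lab does, and looks the OUI up in a constructed three-entry table that stands in for Wireshark’s bundled IEEE manuf file. The MAC addresses, the public address 198.51.100.7, and every OUI entry other than the bc:ff:eb prefix from the write-up are constructed for the example. It also shows a caveat worth remembering: a frame from an off-segment address arrives carrying the gateway’s MAC, so the Cisco vendor resolves against the public IP even though no Cisco host owns that IP.

```python
import socket
import struct
from collections import Counter

# Constructed stand-in for Wireshark's bundled IEEE OUI ("manuf") table. bc:ff:eb -> Motorola is the
# prefix the lab resolves; 00:00:0c (Cisco) and 00:50:56 (VMware) are well-known registry entries.
OUI_TABLE = {"bc:ff:eb": "Motorola", "00:00:0c": "Cisco", "00:50:56": "VMware"}

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic; this example always writes little-endian
LINKTYPE_ETHERNET = 1


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Constructed Ethernet II + minimal IPv4 header (proto TCP, no options); checksums left zero."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ipv4 + payload


def build_pcap(frames):
    """Wrap frames in a pcap file: 24-byte global header, then a 16-byte record header per frame."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in enumerate(frames))
    return header + records


def iter_frames(pcap):
    """Yield each record's captured bytes, in the order Wireshark's packet list shows them."""
    magic, = struct.unpack_from("<I", pcap, 0)
    linktype, = struct.unpack_from("<I", pcap, 20)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    offset = 24
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, offset)
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len


def parse_frame(frame):
    """Dissect Ethernet II + IPv4 into (src_mac, dst_mac, src_ip, dst_ip); None if not IPv4."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    return (fmt_mac(frame[6:12]), fmt_mac(frame[0:6]),
            socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]))


def apply_filter(pcap, ip):
    """The display filter ip.addr == <ip>: frames whose IPv4 source or destination matches."""
    return [p for p in (parse_frame(f) for f in iter_frames(pcap)) if p and ip in p[2:]]


def ipv4_endpoints(pcap):
    """Statistics -> Endpoints -> IPv4: how many packets each address appears in."""
    counts = Counter()
    for parsed in (parse_frame(f) for f in iter_frames(pcap)):
        if parsed:
            counts.update(parsed[2:])
    return dict(counts)


def oui_vendor(mac):
    """The first three octets (six hex digits) of a MAC are the IEEE-assigned OUI."""
    return OUI_TABLE.get(mac.lower()[:8], "unknown")


def mac_for_ip(pcap, ip):
    """The lab's step: pick a frame *sourced* by the IP and read Ethernet II -> Source.
    Only frames the host itself sent carry its MAC; a frame from an off-segment address
    carries the gateway's MAC instead."""
    for src_mac, _, src_ip, _ in apply_filter(pcap, ip):
        if src_ip == ip:
            return src_mac
    return None


# Constructed capture: the Motorola host 10.11.11.145 talks to a public address through the
# gateway (Cisco MAC), then to the domain controller 10.11.11.11, which never replies here.
MOTOROLA_MAC, GATEWAY_MAC, DC_MAC = "bc:ff:eb:12:34:56", "00:00:0c:aa:bb:cc", "00:50:56:de:ad:01"
SAMPLE_PCAP = build_pcap([
    build_frame(MOTOROLA_MAC, GATEWAY_MAC, "10.11.11.145", "198.51.100.7"),
    build_frame(GATEWAY_MAC, MOTOROLA_MAC, "198.51.100.7", "10.11.11.145"),
    build_frame(MOTOROLA_MAC, DC_MAC, "10.11.11.145", "10.11.11.11"),
])

if __name__ == "__main__":
    for ip, n in sorted(ipv4_endpoints(SAMPLE_PCAP).items()):
        mac = mac_for_ip(SAMPLE_PCAP, ip)
        print(f"{ip:<14} packets={n} src_mac={mac} vendor={oui_vendor(mac) if mac else '-'}")
```

Running it prints three endpoint rows. The 10.11.11.145 row resolves to Motorola from its own frames, the 198.51.100.7 row resolves to Cisco because the only frame it "sent" came through the gateway, and the domain controller has no source frame in this capture, so no MAC can be read for it: the same reason the lab insists on clicking a packet where the address of interest is the source.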


Question 4

Now we’re starting to get the idea of how to do this process! Rinse, repeat for this upcoming question:

What operating system and type of device is on 10.11.11.179?

  • Statistics
  • Endpoints
  • IPv4
  • 10.11.11.179 -> Apply as filter -> Selected
  • Statistics
  • Protocol Hierarchy -> Hypertext Transfer Protocol -> Apply as filter -> …and Selected
  • Right click any of the packets -> Follow TCP Stream

It appears the operating system of 10.11.11.179 is Mac OS X, and we can assume this is some sort of Apple device with an Intel CPU.

Mac OS X

Document your answer and move to question 5.


Question 5

What version of Windows is being used on the host at 10.11.11.195?

We’re going to switch it up for this question to speed things up. In the query bar, let’s use ip.src == 10.11.11.195 && http to filter down to the HTTP requests from the Windows host.

Filter HTTP Requests

Hit enter, and then right click one of the packets -> view the TCP stream -> we can see this is a Windows NT operating system. Wait a minute. THAT’S OLD!

Windows NT is old
Windows NT

Write down your findings!


Question 6

What is the user account name used to log into the Windows host at 10.11.11.200?

Remember, we are in an Active Directory domain. We can assume this by the given domain controller at the start of the lab, Okay-Boomer-DC located at 10.11.11.11.

Kerberos is the authentication protocol used by Active Directory. We are going to use this knowledge to filter for Kerberos packets.

Apply the following filter:
ip.src == 10.11.11.200

If you forget the syntax, you can always fall back on:

  • Statistics
  • Endpoints
  • Select the IPv4 entry for 10.11.11.200, ‘Apply as filter’ -> ‘Selected’

After applying this filter, we are going to go to the Protocol Hierarchy:

  • ‘Statistics’
  • ‘Protocol Hierarchy’
  • Select ‘Kerberos’ -> ‘Apply as filter’ -> ‘…and Selected’

Select Kerberos

From the filtered packets, we are going to double click one to open up the packet headers.

Let’s go to the Kerberos packet header:

  • expand Kerberos
  • expand as-req
  • expand req-body

What do we see? In addresses, we see GILBERT-WIN7-PC.
Awesome! Now we know the account name of host 10.11.11.200.

Document your findings.
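The req-body the lab expands is DER-encoded ASN.1, and two of its fields carry identity: cname (tag [1]) holds the client principal name that is authenticating, and addresses (tag [9]) holds HostAddress entries, where address type 20 is a NetBIOS name padded with spaces to 16 bytes. As an added example, not code from the lab or from Gerald Auger’s video, here is a minimal DER walker using only the standard library that pulls both fields out of an AS-REQ. The AS-REQ bytes are constructed inline: the principal example.user is a placeholder, the realm OKAY-BOOMER.INFO comes from the lab scenario, the host name GILBERT-WIN7-PC is the one seen in the capture, and kdc-options, till, nonce and etype are filler values so the structure is complete.

```python
# Minimal DER encode/decode helpers: just enough for the parts of an AS-REQ the lab inspects.

def tlv(tag, body):
    """One DER tag-length-value with a definite length (short form below 128, long form above)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nbytes)]) + nbytes
    return bytes([tag]) + length + body


def ctx(n, body):            # [n] context-specific, constructed (RFC 4120 uses EXPLICIT tags)
    return tlv(0xA0 | n, body)


def seq(*items):             # SEQUENCE / SEQUENCE OF
    return tlv(0x30, b"".join(items))


def gstr(text):              # KerberosString is a GeneralString, tag 0x1B
    return tlv(0x1B, text.encode())


def integer(value):          # small non-negative INTEGER, single content byte
    return tlv(0x02, bytes([value]))


def build_as_req(principal, realm, netbios_host):
    """Constructed AS-REQ ([APPLICATION 10] KDC-REQ) with only the fields needed here populated."""
    cname = seq(ctx(0, integer(1)), ctx(1, seq(gstr(principal))))             # NT-PRINCIPAL
    sname = seq(ctx(0, integer(2)), ctx(1, seq(gstr("krbtgt"), gstr(realm))))  # NT-SRV-INST
    host_addr = seq(ctx(0, integer(20)),                                       # addr-type 20 = NetBIOS
                    ctx(1, tlv(0x04, netbios_host.ljust(16).encode())))        # space-padded name
    req_body = seq(
        ctx(0, tlv(0x03, b"\x00\x40\x81\x00\x10")),   # kdc-options BIT STRING (filler)
        ctx(1, cname),
        ctx(2, gstr(realm)),
        ctx(3, sname),
        ctx(5, tlv(0x18, b"20370913024805Z")),        # till, GeneralizedTime (filler)
        ctx(7, integer(42)),                          # nonce (filler)
        ctx(8, seq(integer(18), integer(17))),        # etype: aes256-cts, aes128-cts
        ctx(9, seq(host_addr)),                       # addresses
    )
    return tlv(0x6A, seq(ctx(1, integer(5)), ctx(2, integer(10)), ctx(4, req_body)))


def children(data):
    """Decode the consecutive TLVs in data into a list of (tag, value) pairs."""
    out, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        out.append((tag, data[i:i + length]))
        i += length
    return out


def descend(data, *tags):
    """Follow a chain of tags into nested TLVs and return the innermost value bytes."""
    for tag in tags:
        for t, value in children(data):
            if t == tag:
                data = value
                break
        else:
            raise KeyError(f"tag 0x{tag:02x} not found")
    return data


def kerberos_identity(as_req):
    """cname is the account that is authenticating; addresses carries the machine's NetBIOS name."""
    body = descend(as_req, 0x6A, 0x30, 0xA4, 0x30)           # AS-REQ -> KDC-REQ -> req-body [4]
    name_string = descend(body, 0xA1, 0x30, 0xA1, 0x30)      # cname -> PrincipalName -> name-string
    account = "/".join(v.decode() for t, v in children(name_string) if t == 0x1B)
    realm = descend(body, 0xA2, 0x1B).decode()
    hosts = []
    for t, host_addr in children(descend(body, 0xA9, 0x30)):  # addresses -> SEQUENCE OF HostAddress
        if t != 0x30:
            continue
        fields = dict(children(host_addr))
        addr_type = int.from_bytes(children(fields[0xA0])[0][1], "big")
        address = children(fields[0xA1])[0][1]
        if addr_type == 20:                                   # NetBIOS: drop the space padding
            hosts.append(address.decode().rstrip())
    return {"account": account, "realm": realm, "hosts": hosts}


SAMPLE_AS_REQ = build_as_req("example.user", "OKAY-BOOMER.INFO", "GILBERT-WIN7-PC")

if __name__ == "__main__":
    print(kerberos_identity(SAMPLE_AS_REQ))
```

The walker follows tag paths rather than parsing the full KDC-REQ grammar, which is all that is needed to tell the two fields apart: name-string under cname answers "which account", and the NetBIOS HostAddress under addresses answers "which machine". Wireshark shows the same split as CNameString under cname and as NetBIOS address under addresses.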


Question 7

What operating system and type of device is on 10.11.11.217?

Speed run time! Let’s see how fast we can get this one.

  • Filter as per your preference with the Statistics menu, or with the following syntax:
ip.src == 10.11.11.217 && http
  • Right click one of the packets, follow the TCP stream

BOOM! We’re getting the hang of this. 10.11.11.217 appears to be an iPad.

Our answers are iPad and iOS 13.2.2.

iPad HTTP iOS 13.2.2

Document your findings.
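Every operating-system question so far (1, 2, 4, 5 and 7) came down to reading the platform token inside the first set of parentheses of the User-Agent header. As an added example, not code from the lab or from Gerald Auger’s video, here is a small Python classifier that pulls every User-Agent out of Follow TCP Stream text and infers OS and device type from it. The ChromeOS and Linux strings are the two quoted above from the capture; the Mac, Windows and iPad strings and the sample stream are constructed in the same shape and are not taken from the pcap. It also carries the Windows NT kernel version table, since a Windows User-Agent reports a token such as Windows NT 6.1 or Windows NT 10.0 rather than a marketing name.

```python
import re

# Windows puts its kernel version in the User-Agent; the marketing name needs a lookup.
# Windows 11 still reports "Windows NT 10.0", so that token cannot separate 10 from 11.
WINDOWS_NT_VERSIONS = {
    "5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
    "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10 or 11",
}


def platform_token(ua):
    """The first parenthesised group of a User-Agent carries the platform details."""
    m = re.search(r"\(([^)]*)\)", ua)
    return m.group(1) if m else ""


def classify_user_agent(ua):
    """Return (operating system, device type) inferred from the platform token."""
    p = platform_token(ua)
    if "CrOS" in p:
        return "ChromeOS", "Chromebook"
    if "iPad" in p or "iPhone" in p:                       # checked before Mac OS X: iOS UAs say "like Mac OS X"
        ver = re.search(r"CPU (?:iPhone )?OS (\d+(?:_\d+)*)", p)
        ios = "iOS " + ver.group(1).replace("_", ".") if ver else "iOS"
        return ios, ("iPad" if "iPad" in p else "iPhone")
    if "Mac OS X" in p:
        ver = re.search(r"Mac OS X (\d+(?:[_.]\d+)*)", p)
        osx = "Mac OS X " + ver.group(1).replace("_", ".") if ver else "Mac OS X"
        return osx, ("Apple computer, Intel CPU" if "Intel" in p else "Apple computer")
    if "Windows NT" in p:
        nt = re.search(r"Windows NT (\d+\.\d+)", p)
        name = WINDOWS_NT_VERSIONS.get(nt.group(1), f"Windows NT {nt.group(1)}") if nt else "Windows NT"
        bits = "64-bit" if re.search(r"WOW64|Win64|x64", p) else "32-bit"
        return name, f"Windows PC, {bits}"
    if "Android" in p:                                     # checked before Linux: Android UAs say "Linux; Android"
        return "Android", "Android device"
    if "Linux" in p:
        bits = "64-bit" if "x86_64" in p else "unknown width"
        return f"Linux, {bits}", "Linux host"
    return "unknown", "unknown"


def user_agents_in_stream(stream_text):
    """Pull every User-Agent header out of Follow TCP Stream text (one per HTTP request)."""
    return re.findall(r"^User-Agent:\s*(.+?)\s*$", stream_text, flags=re.MULTILINE | re.IGNORECASE)


def profile_host(stream_text):
    """Distinct (os, device) conclusions the stream supports, in the order first seen."""
    seen = []
    for ua in user_agents_in_stream(stream_text):
        verdict = classify_user_agent(ua)
        if verdict not in seen:
            seen.append(verdict)
    return seen


# The two User-Agent values quoted in the lab write-up (10.11.11.94 and 10.11.11.121):
UA_CHROMEOS = ("Mozilla/5.0 (X11; CrOS x86_64 12239.92.1) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/76.0.3809.136 Safari/537.36")
UA_LINUX = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36")
# Constructed strings in the same shape for the Mac, Windows and iPad questions (not from the capture):
UA_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/13.0 Safari/605.1.15")
UA_WIN7 = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36")
UA_IPAD = ("Mozilla/5.0 (iPad; CPU OS 13_2_2 like Mac OS X) AppleWebKit/605.1.15 "
           "(KHTML, like Gecko) Mobile/15E148")

# Constructed Follow TCP Stream text: two requests from one client, as the red side would show them.
SAMPLE_STREAM = (
    "GET /update HTTP/1.1\r\nHost: example.com\r\nUser-Agent: " + UA_CHROMEOS + "\r\n\r\n"
    "GET /icon.png HTTP/1.1\r\nHost: example.com\r\nUser-Agent: " + UA_CHROMEOS + "\r\n\r\n"
)

if __name__ == "__main__":
    for ua in (UA_CHROMEOS, UA_LINUX, UA_MAC, UA_WIN7, UA_IPAD):
        print(f"{platform_token(ua):<40} -> {classify_user_agent(ua)}")
    print("stream verdicts:", profile_host(SAMPLE_STREAM))
```

The order of the checks matters: iOS strings contain "like Mac OS X" and Android strings contain "Linux", so the more specific token has to be tested first, which is the same care needed when eyeballing a stream by hand.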


Question 8 & 9

What IP is the Windows host that downloaded a Windows executable file over HTTP?

What is the URL that returned the Windows executable file?

This one comes across as a bit more tricky, however, not to fret. We’re going to refer to our handy documentation. Here’s a recap of what we know so far:

10.11.11.94 – ChromeOS, Chromebook
10.11.11.121 – Linux OS, 32/64 bit
10.11.11.145 – Motorola device, communicating to a Cisco device
10.11.11.179 – Mac OS X, Apple device with Intel CPU
10.11.11.195 – Windows NT OS
10.11.11.200 – Gilbert’s Windows 7 workstation
10.11.11.217 – iPad

Out of the information available, we can eliminate all the hosts that have nothing to do with Windows. This leaves us to investigate two hosts:

10.11.11.200 – Gilbert’s Windows 7 workstation
10.11.11.195 – Windows NT OS

Let’s dig deeper into Gilbert for starters.

We are looking for an executable over HTTP. To find it, an interesting thing we can do is query for ip contains "This program"

The reason this works is that, according to Gerald Auger, Windows executables are Portable Executables, or PE files, a format exclusive to Windows. At some point, Windows changed its architecture, and because of this, old software running on a newer OS would fail. Because of all this, the error ‘This program cannot be run in DOS mode’ was baked into the newer architecture to produce a clean error message. This is all interesting stuff, and huge credit to Gerald Auger for explaining it in a simple manner.

For more information, here are some other resources:

https://medium.com/ax1al/a-brief-introduction-to-pe-format-6052914cc8dd

http://vb.net-informations.com/framework/portable-executable.htm

So, with that said, we can follow the TCP stream and see that the domain name hosting the malware is acjabogados.com.

acjabogados.com

If you truly wanted to, you could rebuild this malware for further analysis by going to File -> Export Objects -> HTTP, typing the host name in the search box, and saving. (The file appears to have the .tiff extension, but you could rename it to .exe and it would contain executable malicious code, so be wary!!)

acjabogados.com save as

For the rest of this blog, following along is optional. This is for the safety of my readers: proceed with caution, as this involves reassembling the malware from the capture into a state where we can analyze it with VirusTotal and locate the SHA256 file hash.


Question 10, 11

I am using a Virtual Machine for this portion to eliminate any possibility of infection on my Windows host.

Proceed to File -> Export Objects -> HTTP -> and then type the host name in the query, and save to your desired location.

The file is named 40group.tiff.

In the details section, we can see more aliases this malicious file goes by:

Other malware names: 40group.tiff, Santo Maris Oia, Santa Maris Oia.exe, g5dbof388.dll, DepAct.exe, A23R7GCA.exe

  • Query https://www.virustotal.com in your preferred search engine.
  • Click ‘Choose file’ on VirusTotal.
  • Select 40group.tiff in the saved location.
  • The detection rate appears to be 57/67

Detection rate 57/67

VirusTotal gives us a wealth of information on this file.
The file hash is 8d5d36c8ffb0a9c81b145aa40c1ff3475702fb0b5f9e08e0577bdc405087e635.


Question 12, 13

What public IP addresses did that Windows host attempt to connect over TCP after the executable file was downloaded?

What is the host name and Windows user account name used on that IP address?

If we head back to Wireshark, we can wrap up the remaining questions regarding some information about the

We can follow the TCP stream after querying ip contains "This program" and this will give us the bigger picture of where the host attempted to connect to.

The public IP address that the Windows host appears to connect to is 188.95.248.71.

10.11.11.203 is the host that made the request for this malicious file. It is identified as a malicious intruder with the host/account name acjabogados.com.

public IP 188.95.248.71
Host: acjabogados.com

Congratulations!

We finished the lab! This was a lot of fun to go through and I hope you learnt a thing or two by following along or simply reading through. I hope to do more content like this, and I’m open to any suggestions. Again, you can reach me anytime at [email protected] or my other socials.

As a general recap, this was the overall environment that we were able to piece together through the analysis:

This packet capture, ‘Okay-Boomer’ was a historical network capture of an Active Directory environment, consisting of various hosts, from a Chromebook, a Linux host, a Motorola phone, a Mac OS host, an OLD Windows NT host, a user named Gilbert on a Windows 7 host, and an iPad.

It is likely that a malicious intruder penetrated the Active Directory environment. It was either a local intruder or someone who used lateral movement to make their way in. We would have to conduct further endpoint analysis to get a better idea. The user navigated to the malicious domain acjabogados.com, which triggered a download of the malicious file 40group.tiff at public IP 188.95.248.71, resulting in the execution of a malicious payload granting further leverage on the environment.

Thanks again, and I hope to do another one of these soon.

~David D.


Works Cited

Ax1al. “A Brief Introduction to PE Format.” Medium, 1 Jan. 2022, medium.com/ax1al/a-brief-introduction-to-pe-format-6052914cc8dd.

I., Timber, G., and S. Ullrich. “Is There Any Chance of PC Getting Infected When You Analyse PCAP Malware File?” Information Security Stack Exchange, 2022, security.stackexchange.com/questions/121713/is-there-any-chance-of-pc-getting-infected-when-you-analyse-pcap-malware-file. Accessed 15 Mar. 2022.

MAC Address Vendor Lookup: MAC/OUI/IAB/IEEE Vendor Manufacturer Search. macaddress.io.

Malware-Traffic-Analysis.Net – 2019-11-12 – Traffic Analysis Exercise – Okay-Boomer. malware-traffic-analysis.net/2019/11/12/index.html.

“SOC Analyst Skills – Wireshark Malicious Traffic Analysis.” YouTube, 1 June 2020, youtube.com/watch?v=M8yoYmiL7rA&t=436s.

VirusTotal. virustotal.com.

What Is Portable Executable (PE) File Format. vb.net-informations.com/framework/portable-executable.htm.

Wireshark · Go Deep. Wireshark.org.
