2017-01-28 TRAFFIC ANALYSIS EXERCISE - ANSWERS

BASIC QUESTIONS:
• What was the date and time of the infection?
• What is the MAC address of the infected Windows computer?
• What is the IP address of the infected Windows computer?
• What is the host name of the infected Windows computer?
• What type of malware was the computer infected with?

BASIC ANSWERS:
Q: What was the date and time of the infection?
A: The computer was infected on 2017-01-27 around 22:54 UTC.
Q: What is the MAC address of the infected Windows computer?
A: 5c:26:0a:02:a8:e4 (Dell_02:a8:e4)
Q: What is the IP address of the infected Windows computer?
A: 172.16.4.193
Q: What is the host name of the infected Windows computer?
A: Stewie-PC
Q: What type of malware was the computer infected with?
A: Ransomware

BASIC ANSWERS EXPLAINED:

Wireshark is my tool of choice to examine this type of traffic. As always, I recommend
you set up Wireshark in accordance with the following guide I've posted:
• http://www.malware-traffic-analysis.net/tutorials/wireshark/index.html

The first thing I do when I look at a pcap is filter on http.request. For these exercises,
that will show you a) the IP address of the infected host and b) the general time for the
activity.

Shown above: Filtering on http.request in Wireshark.

Page 1 of 12
2017-01-28 TRAFFIC ANALYSIS EXERCISE - ANSWERS

The pcap starts at 2017-01-27 at 22:53 UTC, and the infection traffic starts shortly
thereafter. You can see all the source IP addresses are 172.16.4.193 when filtering on
http.request.

To get the host name, and MAC address, you can examine the NetBIOS name service
(NBNS) traffic, or you can look at the DHCP traffic as shown in the images below.

Shown above: Examining the NBNS traffic in Wireshark.

Shown above: Examining the DHCP traffic in Wireshark.

As for knowing what type of malware the computer was infected with? I'd say the
majority of malware that I've seen in recent months is ransomware. Of course, that
would be a guess if you didn't look at the pcap first.

Page 2 of 12
2017-01-28 TRAFFIC ANALYSIS EXERCISE - ANSWERS

You can filter on the pcap with http.request again, and scroll through the traffic. Near
the end, you'll see several domains that are questionable, and you'd hopefully notice
they are ransomware, especially if you search on the domain prefix. Based on my
experience, anything that ends with .top is suspect.

Shown above: Several HTTP requests to a domain ending in .top.

The domain is: p27dokhpz2n7nvgr.1jw2lx.top. A Google search on that domain

quickly shows it's associated with ransomware.

Shown above: Results of a Google search for that .top domain.

ADVANCED QUESTIONS:
• What is the name of the malware that infected the user's computer?
• What exploit kit was used to infect the user's computer?
• What compromised website kicked off the infection chain of events?

Page 3 of 12
2017-01-28 TRAFFIC ANALYSIS EXERCISE - ANSWERS

ADVANCED ANSWERS:
Q: What is the name of the malware that infected the user's computer?
A: Cerber ransomware
Q: What exploit kit was used to infect the user's computer?
A: Rig exploit kit
Q: What compromised website kicked off the infection chain of events?
A: www.homeimprovement.com

ADANCED ANSWERS EXPLAINED:

To find the name of the ransomware, here's a trick you can use. Do a Google search
on the prefix for that .top domain. Search only for p27dokhpz2n7nvgr. You'll quickly
find it's related to Cerber ransomware, if you hadn't found out earlier.

Shown above: Hundreds of results from a Google search for p27dokhpz2n7nvgr.

As far as the exploit kit (EK)? Rig EK is currently the most prominent EK by far. If you
look at the Snort or EmergingThreats alerts on the traffic, you'll see several signature
hits for Rig EK.

I've submitted the pcap to VirusTotal, where you can see some of the alerts on the
pcap. As I write this, the alerts haven't shown up, because sometimes it takes a while
for them to show up after you submit a pcap. In the meanwhile I ran the pcap through
Snort and Suricata in my home lab.

Page 4 of 12
2017-01-28 TRAFFIC ANALYSIS EXERCISE - ANSWERS

Shown above: Some of the Rig EK alerts in Snort using the Snort subscriber ruleset.

Shown above: Rig EK alerts in Security Onion using Suricata and the ETPRO ruleset.

In the above alerts, you can find the IP address associated with Rig EK. Filter on that in
Wireshark as shown in the image below.

Shown above: Filtering on HTTP requests to the Rig EK IP address in Wireshark.

Page 5 of 12
2017-01-28 TRAFFIC ANALYSIS EXERCISE - ANSWERS

Follow the TCP stream for the first HTTP request to the Rig EK domain. The referrer
line in the HTTP request should reveal the compromised website that kicked off this
infection chain of events.

Shown above: Following the TCP stream and finding the referer.

As you can see in the image above, the referrer is a web page from
www.homeimprovement.com. That's the compromised website that had injected
code in the web pages that led to Rig EK.

MORE ADVANCED QUESTIONS:

• Before the Windows computer was infected, what did the user search for on Bing?
• Which campaign(s) used the exploit kit noted in the pcap?
• What are the indicators of compromise (IOCs) from the pcap?

MORE ADVANCED ANSWERS:

Q: Before the Windows computer was infected, what did the user search for on Bing?
A: home improvement remodeling your kitchen.
Which campaign(s) used the exploit kit noted in the pcap?
A: Both the Afraidgate and pseudoDarkleech campaigns.
What are the indicators of compromise (IOCs) from the pcap?
A: See the end of this section.

MORE ADANCED ANSWERS EXPLAINED:

Page 6 of 12
2017-01-28 TRAFFIC ANALYSIS EXERCISE - ANSWERS

If you'll notice in the pcap, Bing does not use encrypted HTTPS by default (unlike
Google, which does). Because the Bing traffic is HTTP instead of HTTPS, you can see
what terms were typed in the search bar.

The best way to find this is to look at the first HTTP request to that
homeimprovement.com page. In the referrer line of the HTTP header, you'll see the
Bing search URL with the terms. See the image below for details.

Shown above: The Bing search can be found in the HTTP headers here.

Campaigns are a different issue, and they're not easy to figure out for many people.
You can tell campaigns by the injected script they use in pages from the compromised
websites that kick off the infection chains. And you can also figure it out from the
payloads that are sent.

In this case, homeimprovement.com was compromised by two different campaigns

using Rig EK: Afraidgate and PseudoDarkleech. You can find more information about
those campaigns on my most recent blog posts about those campaigns.

Afraidgate usually sends a Godzilla Loader to download and infect computers with
Locky ransomware. PsuedoDarkleech usually sends Cerber ransomware.

First, let's look at the page from the compromised website. You'll have to extract that
from the pcap in order to examine it.

Step 1: Go to File  Export Objects  HTTP from the Wireshark menu.

Page 7 of 12
2017-01-28 TRAFFIC ANALYSIS EXERCISE - ANSWERS

Shown above: The menu path to get where you're going.

Step 2: In Wireshark's HTTP object list, scroll down to the first listing for
www.homeimprovement.com.

Select the first entry from homeimprovement.com, which should show text/html as the
content type. Then save it as something you can read in a text editor.

Page 8 of 12
2017-01-28 TRAFFIC ANALYSIS EXERCISE - ANSWERS

Shown above: Saving that page from the compromised website.

At line 123 in text file, you'll find injected script for the pseudoDarkleech campaign. The
script matches patterns I've constantly posted about in my blog.

Shown above: The injected pseudoDarkleech script.

So we'ver got the pseudoDarkleech-injected script in a page from the compromised

website, and we've got a Cerber payload sent by Rig EK, which is also associated with
the psuedoDarkleech campaign.

But there is something else. Scrolling through the all the EmergingThreats alerts in
Security Onion, I found alerts for Godzilla Loader, which is typically a payload from the
Afraidgate campaign that also uses Rig EK.

Page 9 of 12
2017-01-28 TRAFFIC ANALYSIS EXERCISE - ANSWERS

Shown above: ETPRO alerts for Godzilla Loader using Suricata in Securiy Onion.

Also, if you look at the HTTP requests for Rig EK, there are an awful lot of them. It's
about twice as many HTTP requests for Rig EK than I normally see. Looks like Rig EK
was hit twice in an infection chain from that same web page.

Shown above: 15 HTTP requests to the Rig EK domain shown in Wireshark.

When I looked through that page from the compromised website, I saw another line of
injected script that seemed unusual. I recognized the URL as an Afraidgate redirect.

Shown above: Injected script leading to an Afraidgate URL.

Page 10 of 12
2017-01-28 TRAFFIC ANALYSIS EXERCISE - ANSWERS

Shown above: The HTTP request to a gate domain that uses Afraid.org name servers.

The HTTP request to retrotip.visionurbana.com.ve returns 399 bytes of gzip-

compressed script. If you extract it from Wireshark, you'll find script that points to
another Rig EK landing page URL.

Shown above: Finding the returned script in Wireshark's HTTP object list.

Page 11 of 12
2017-01-28 TRAFFIC ANALYSIS EXERCISE - ANSWERS

Shown above: The extracted script returned by the Afraidgate URL. The Rig EK
landing page is highlighted in yellow.

INDICATORS OF COMPROMISE

The following are some indicators of compromise I found after reviewing the pcap:

• 104.28.18.74 port 80 - www.homeimprovement.com - compromised website

• 139.59.160.143 port 80 - retrotip.visionurbana.com.ve - Afraidgate redirect
• 194.87.234.129 port 80 - tyu.benme.com - Rig EK
• 5.188.223.104 port 80 - spotsbill.com - Godzilla Loader callback
• 198.105.121.50 port 80 - p27dokhpz2n7nvgr.1jw2lx.top - Cerber ransomware
decryptor page
• 90.2.1.0 to 90.2.1.31 (90.2.1.0/27) port 6892 - Cerber post-infection UDP traffic
• 90.3.1.0 to 90.3.1.31 (90.3.1.0/27) port 6892 - Cerber post-infection UDP traffic
• 91.239.24.0 to 91.239.25.255 (91.239.24.0/23) port 6892 - Cerber post-infection
UDP traffic

FINAL WORDS

If you're a beginner or novice to analyzing traffic, a lot of this might seem difficult. For
example, last year someone emailed me a very basic question like, "How can you tell
what IP address is used by the infected host?" If you're inexperienced, you might have
a lot of questions about how to figure out some (or all) of this.

My advice? It takes practice. Many of us never had any technical mentors when we
started out. Although I've had plenty of career mentors, I never had anyone to answer
most of my technical questions back when I first started doing traffic analysis.

Repeated exposure is how people eventually understand this traffic. It may not make
sense at first, but a determined person can hopefully figure things out.

Information like this is available for people to understand how exploit kits work (at least
my understanding of how they work). Hopefully, these traffic analysis exercises will
help people on their journey to better understand infection traffic.

Page 12 of 12