SecurityOnion VS CyberDefenders :EP2
Malware Traffic Analysis 2
This time, we will solve Malware Traffic Analysis 2 using SecurityOnion.
Packet Import
aoshi@aoshi-Standard-PC:~/Downloads$ sudo so-import-pcap mta2.pcap
[sudo] password for aoshi:
Processing Import: /home/aoshi/Downloads/mta2.pcap
- verifying file
- assigning unique identifier to import: 546b26789a5539ec62b3ed449aabd917
- analyzing traffic with Suricata
- analyzing traffic with Zeek
- saving PCAP data spanning dates 2014-11-23 through 2014-11-23
Cleaning up:
Import complete!
You can use the following hyperlink to view data in the time range of your import. You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser:
https://192.168.1.30/#/hunt?q=import.id:546b26789a5539ec62b3ed449aabd917%20%7C%20groupby%20event.module%20event.dataset&t=2014%2F11%2F23%2000%3A00%3A00%20AM%20-%202014%2F11%2F24%2000%3A00%3A00%20AM&z=UTC
or you can manually set your Time Range to be (in UTC):
From: 2014-11-23 To: 2014-11-24
Please note that it may take 30 seconds or more for events to appear in Hunt.
aoshi@aoshi-Standard-PC:~/Downloads$
No.1
Q:What is the IP address of the Windows VM that gets infected?
A:172.16.165.132
explanation
Investigate with NetworkMiner.
The question asks for the IP of the Windows host, so open the host entry that shows the Windows icon and check its IP address. Therefore, the answer is 172.16.165.132.
No.2
Q:What is the MAC address of the infected VM?
A:00:0C:29:C5:B7:A1
explanation
Continue to investigate with NetworkMiner.
No. 2 asks for the MAC address, which is shown in the field labelled MAC for the same host. Therefore, the answer is 00:0C:29:C5:B7:A1.
No.3
Q:What are the IP address and port number that delivered the exploit kit and malware?
A:37.143.15.180:51439
explanation
Investigate with SecurityOnionConsole.
No. 3 asks for the IP address and port of the server that delivered the exploit kit and malware, so filter in the SOC filter bar with “event.dataset: alert | groupby event.module” to find the exploit-kit and malware alerts. Next, examine the alerts whose destination IP is the Windows host’s IP. Therefore, the answer is 37.143.15.180:51439.
No.4
Q:What are the two FQDN's that delivered the exploit kit? comma-separated in alphabetical order.
A:g.trinketking.com,h.trinketking.com
explanation
Investigate with Zeek’s DNS logs.
Since the attacker’s IP was found in No.3, look up the FQDNs that resolved to that IP by setting the attacker’s IP in dns.answers.name.keyword.
Two domains are listed under Query.
Therefore, the answer is g.trinketking.com,h.trinketking.com.
No.5
Q:What is the IP address of the compromised web site?
A:192.30.138.146
explanation
Investigate with Zeek’s HTTP log.
To find the compromised web site, check the HTTP Referer header. Since the IP that delivered the exploit kit is known from No.3, narrow the HTTP log to 37.143.15.180 and examine the Referer header of those requests. Filtering by the identified FQDN gives its IP. So the answer is 192.30.138.146.
No.6
Q:What is the FQDN of the compromised website?
A:hijinksensue.com
explanation
Since the FQDN was already found in the investigation of No. 5, that FQDN is the answer.
No.7
Q:What is the name exploit kit (EK) that delivered the malware? (two words)
A:Sweet Orange
explanation
Investigate with SecurityOnionConsole.
Filter by “event.dataset: alert | groupby event.module” to investigate alerts.
One of the alerts carries the exploit kit’s name. Therefore, the answer is Sweet Orange.
No.8
Q:What is the IP address of the redirect URL that points to the exploit kit landing page?
A:static.charlotteretirementcommunities.com/k?tstmp=3701802802
explanation
Investigate in Zeek HTTP logs.
Since we know the attacker’s IP from the investigation of No.7, we filter by that IP.
This shows the virtual host and URI of the redirect to the landing page. Therefore, the answer is static.charlotteretirementcommunities.com/k?tstmp=3701802802.
No.9
Q:What is the IP address of the redirect URL that points to the exploit kit landing page?
A:50.87.149.90
explanation
Investigate in Zeek HTTP logs.
Since we know the attacker’s IP from the investigation of No.7, that IP will be the answer. Therefore, the answer is 50.87.149.90.
No.10
Q:Extract the malware payload (PE file) from the PCAP. What is the MD5 hash?
A:1408275c2e2c8fe5e83227ba371ac6b3
explanation
We will investigate in Zeek’s File log.
Since we know the attacker’s IP from the investigation of No.3, filter the destination IP by the attacker’s IP. This narrows the results to 3 logs; the answer is the one with exe in file.extracted.filename. Therefore, the answer is 1408275c2e2c8fe5e83227ba371ac6b3.
No.11
Q:What is the CVE of the exploited vulnerability?
A:CVE-2014-6332
explanation
First, identify the CVEs used by this exploit kit.
Search the web for the CVEs used by the Sweet Orange exploit kit.
From each site, the CVEs used by Sweet Orange can be identified.
Therefore, the answer is CVE-2014-6332.
Reference URL
https://www.mcafee.com/enterprise/ja-jp/threat-center/threat-landscape-dashboard/exploit-kits-details.sweet-orange-exploit-kit.html
No.12
Q:What is the mime-type of the file that took the longest time (duration) to be analyzed using Zeek?
A:application/x-dosexec
explanation
From the investigation of No. 10, the type listed in file.mime_type is the answer. Therefore, the answer is application/x-dosexec.
No.13
Q:What was the referrer for the visited URI that returned the file "f.txt"?
A:http://hijinksensue.com/assets/verts/hiveworks/ad1.html
explanation
Investigate in Zeek’s HTTP logs.
Search for f.txt. Examine the referrer of the 6 logs that are hit. The URL listed in the referrer header is the answer.
Therefore, the answer is http://hijinksensue.com/assets/verts/hiveworks/ad1.html.
No.14
Q:When was this PCAP captured?
A:23/11/2014
explanation
Investigate with capinfos.
The date of the first packet time is the answer. Therefore, the answer is 23/11/2014.
aoshi@aoshi-Standard-PC:~/Downloads$ capinfos mta2.pcap
File name: mta2.pcap
File type: Wireshark/tcpdump/... - pcap
File encapsulation: Ethernet
File timestamp precision: microseconds (6)
Packet size limit: file hdr: 65535 bytes
Number of packets: 4,682
File size: 2,908kB
Data size: 2,833kB
Capture duration: 144.707025 seconds
First packet time: 2014-11-23 00:58:40.439603
Last packet time: 2014-11-23 01:01:05.146628
Data byte rate: 19kBps
Data bit rate: 156kbps
Average packet size: 605.15 bytes
Average packet rate: 32 packets/s
SHA256: ecaf7cfa63aaa1897039e5fc1ad1fdecb947970ca5be619861c88c44889ee14c
RIPEMD160: 7688d7606eed8c32856b992a3e863992098fbbdd
SHA1: db1d634096a2766bb05165c554ab470280ffed01
Strict time order: True
Number of interfaces in file: 1
Interface #0 info:
Encapsulation = Ethernet (1 - ether)
Capture length = 65535
Time precision = microseconds (6)
Time ticks per second = 1000000
Number of stat entries = 0
Number of packets = 4682
aoshi@aoshi-Standard-PC:~/Downloads$
No.15
Q:When was the PE file compiled?
A:21/11/2014
explanation
Since the hash value is known from the investigation of No.10, search for that hash on VirusTotal (VT).
The Creation Time shown under Details is the answer. Therefore, the answer is 21/11/2014.
No.16
Q:What is the name of the SSL certificate issuer that appeared only once? (one word)
A:Cybertrust
explanation
Investigate with Zeek’s SSL logs.
The issuer that appears with a count of one is the answer. Therefore, the answer is Cybertrust.
No.17
Q:What were the two protection methods enabled during the compilation of the present PE file? Format: comma-separated in alphabetical order
A:DEP,SEH
explanation
Investigate from the SOC File log.
Since the target exe file is known from the investigation of No.10, filter with “event.dataset:file AND file.mime_type: "application/x-dosexec" | groupby file.mime_type source.ip”.
From the target log, open the packet view with Action > PCAP and download the pcap with the download icon. Then extract the PE file from it with Wireshark.
Then investigate the extracted file with checksec.
NX (DEP: Data Execution Prevention) and SEH (Structured Exception Handling) are reported as Yes, so those are the answer. Therefore, the answers are DEP and SEH.
Reference URL
https://github.com/Wenzel/checksec.py
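The checks behind No.10, No.15 and No.17 (MD5 of the extracted PE, its compile timestamp, and the DEP/SEH flags that checksec reports) can all be read straight from the PE headers. The example below is added here and is not part of the original write-up or of checksec.py; it builds a constructed minimal PE32 header (not the real sample) so it runs offline, and its SEH check is the simplified "NO_SEH flag is clear" test, without checksec's separate SafeSEH load-config check.

```python
import hashlib
import struct
from datetime import datetime, timezone

# DllCharacteristics flags from the PE/COFF specification (real values).
NX_COMPAT = 0x0100     # image is DEP/NX compatible
NO_SEH = 0x0400        # image uses no structured exception handlers
DYNAMIC_BASE = 0x0040  # image can be relocated (ASLR)

# Constructed timestamp for the sample: 2014-11-21 00:00:00 UTC (not the real file's value).
SAMPLE_TIMESTAMP = 1416528000

def build_sample_pe(timestamp, dll_chars):
    """Construct a minimal, non-executable PE32 header for demonstration only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew: PE header at 0x40
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)                   # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def analyze_pe(data):
    """Return MD5, compile date (dd/mm/yyyy, UTC) and DEP/SEH/ASLR status of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    ts, = struct.unpack_from("<I", data, pe_off + 8)             # COFF TimeDateStamp
    opt_off = pe_off + 24                                        # 4-byte signature + 20-byte COFF header
    magic, = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):                              # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dll_chars, = struct.unpack_from("<H", data, opt_off + 70)   # same offset in PE32 and PE32+
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "compiled": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%d/%m/%Y"),
        "DEP": bool(dll_chars & NX_COMPAT),
        "SEH": not (dll_chars & NO_SEH),
        "ASLR": bool(dll_chars & DYNAMIC_BASE),
    }

def sample_report():
    """Analyze the constructed sample (DEP on, SEH on, ASLR off)."""
    return analyze_pe(build_sample_pe(SAMPLE_TIMESTAMP, NX_COMPAT))

if __name__ == "__main__":
    print(sample_report())
```

Point analyze_pe at the bytes of a file carved from the pcap to get the same three facts the write-up obtained from Zeek, VirusTotal and checksec.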