SecurityOnion VS CyberDefenders: EP1
Notes
I am currently studying English, so there may be mistakes.
Malware Traffic Analysis 1
This time we will solve CyberDefenders' Malware Traffic Analysis 1 using Security Onion only.
First, import the pcap into Security Onion with so-import-pcap.
From then on, the Security Onion Console (SOC) and Kibana are used to answer the questions.
Q1
Q What is the IP address of the Windows VM that gets infected?
A 172.16.165.165
The client's IP address can be read from Zeek's DHCP log (the address assigned to the client).
Q2
Q What is the hostname of the Windows VM that gets infected?
A K34EN6W3N-PC
The client's hostname can be read from the same Zeek DHCP log entry (the host name the client sent in its request).
Q3
Q What is the MAC address of the infected VM?
A f0:19:af:02:9b:f1
The client's MAC address can be read from the same Zeek DHCP log entry.
Q4
Q What is the IP address of the compromised web site?
A 82.150.140.30
The answers from Q4 onward all follow from the investigation below.
1. Zeek's files log shows two suspicious MIME types:
application/java-archive
application/x-shockwave-flash
A Java archive and a Flash file delivered during browsing are typical exploit-kit payloads, so we followed them up.
Looking up each file's MD5 on VirusTotal (VT) confirmed that both are exploit-kit (EK) exploits:
| MIME type | MD5 | VirusTotal |
|---|---|---|
| application/java-archive | 1e34fdebbf655cebea78b45e43520ddf | https://www.virustotal.com/gui/file/178be0ed83a7a9020121dee1c305fd6ca3b74d15836835cfb1684da0b44190d3 |
| application/x-shockwave-flash | 7b3baa7d6bb3720f369219789e38d6ab | https://www.virustotal.com/gui/file/e2e33b802a0d939d07bd8291f23484c2f68ccc33dc0655eb4493e5d3aebc0747 |
2. The sender IP (tx_hosts) in the same files.log entries shows that both files were served from 37.200.69.143.
3. Using that IP, pivot to Zeek's HTTP log.
The requesting User-Agent is the following:
| User-Agent | Interpretation |
|---|---|
| Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) | Internet Explorer 8 (MSIE 8.0) on 64-bit Windows 7 (NT 6.1, WOW64) |
4. Filter the HTTP log by that User-Agent and by file.resp_mime_types (the two exploit MIME types found in the files log).
The http.referrer of those requests shows that the victim came from hxxp[:]//24corp-shop.com.
This URL is presumably the EK landing page.
5. Filter Zeek's HTTP log by virtual host 24corp-shop.com and check http.referrer again.
This time the referrer is hxxp[:]//www.ciniholland.nl/, so the victim was sent to the landing page from that site.
6. To find the IP address behind that host, filter Zeek's HTTP log by virtual host www.ciniholland.nl and read the responding IP.
www.ciniholland.nl resolves to 82.150.140.30, which is the IP address of the compromised web site.
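The pivot in steps 1 to 6 (suspicious MIME types in files.log, the sending IP, then walking http.log referrers back hop by hop) can be scripted against the raw Zeek TSV logs. The following is an added example and not code from the write-up or from Security Onion: the two logs are constructed excerpts that reuse the hosts, IPs and hashes quoted above; the timestamps, uids, URI paths and the address used for 24corp-shop.com (203.0.113.10, a TEST-NET-3 placeholder) are made up, since the write-up does not give them.

```python
"""Pivot from Zeek files.log to http.log and walk the Referer chain back from
the exploit-kit (EK) host to the compromised site.  Added example; the logs are
constructed excerpts (timestamps, uids, paths and 203.0.113.10 are placeholders)."""

SUSPICIOUS_MIME = {"application/java-archive", "application/x-shockwave-flash"}

UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; "
      "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
      "Media Center PC 6.0)")

# Constructed Zeek TSV excerpt of files.log, trimmed to the fields the pivot needs.
FILES_LOG = """#separator \\x09
#path\tfiles
#fields\tts\tfuid\ttx_hosts\trx_hosts\tmime_type\tmd5
#types\ttime\tstring\tset[addr]\tset[addr]\tstring\tstring
1417123200.10\tFa1\t82.150.140.30\t172.16.165.165\ttext/html\t-
1417123201.20\tFb2\t37.200.69.143\t172.16.165.165\ttext/html\t-
1417123202.30\tFc3\t37.200.69.143\t172.16.165.165\tapplication/x-shockwave-flash\t7b3baa7d6bb3720f369219789e38d6ab
1417123203.40\tFd4\t37.200.69.143\t172.16.165.165\tapplication/java-archive\t1e34fdebbf655cebea78b45e43520ddf
#close\t2014-11-27-22-00-00
"""

# Constructed Zeek TSV excerpt of http.log (same conventions as above).
HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#path\thttp",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\thost\turi\treferrer\tuser_agent\tresp_mime_types",
    "#types\ttime\tstring\taddr\taddr\tstring\tstring\tstring\tstring\tvector[string]",
    "\t".join(["1417123200.00", "Ca1", "172.16.165.165", "82.150.140.30", "www.ciniholland.nl", "/", "-", UA, "text/html"]),
    "\t".join(["1417123200.50", "Cb2", "172.16.165.165", "203.0.113.10", "24corp-shop.com", "/", "http://www.ciniholland.nl/", UA, "text/html"]),
    "\t".join(["1417123201.20", "Cc3", "172.16.165.165", "37.200.69.143", "stand.trustandprobaterealty.com", "/landing", "http://24corp-shop.com/", UA, "text/html"]),
    "\t".join(["1417123202.30", "Cc3", "172.16.165.165", "37.200.69.143", "stand.trustandprobaterealty.com", "/ek.swf", "http://stand.trustandprobaterealty.com/landing", UA, "application/x-shockwave-flash"]),
    "\t".join(["1417123203.40", "Cd4", "172.16.165.165", "37.200.69.143", "stand.trustandprobaterealty.com", "/ek.jar", "http://stand.trustandprobaterealty.com/landing", UA, "application/java-archive"]),
    "#close\t2014-11-27-22-00-00",
])


def parse_zeek_tsv(text):
    """Parse Zeek's TSV log format: honour #separator and #fields, skip other
    header lines, map '-' (unset) to None and '(empty)' to ''."""
    sep, fields, rows = "\t", None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#"):
            continue
        else:
            vals = [None if v == "-" else "" if v == "(empty)" else v for v in line.split(sep)]
            rows.append(dict(zip(fields, vals)))
    return rows


def exploit_files(files_rows):
    """files.log entries whose MIME type is one of the known EK exploit types (Q13)."""
    return [r for r in files_rows if r["mime_type"] in SUSPICIOUS_MIME]


def host_of(url):
    """Host part of a URL as Zeek records it in http.referrer."""
    return url.split("://", 1)[-1].split("/", 1)[0].lower()


def redirect_chain(http_rows, files_rows):
    """Return [(fqdn, server_ip), ...] from the compromised site to the EK host."""
    ek_ips = {ip for r in exploit_files(files_rows) for ip in r["tx_hosts"].split(",")}
    host_ip = {r["host"].lower(): r["id.resp_h"] for r in http_rows if r["host"]}
    ek_hosts = [h for h, ip in host_ip.items() if ip in ek_ips]
    chain, cur, seen = [], (ek_hosts[0] if ek_hosts else None), set()
    while cur and cur not in seen:
        seen.add(cur)
        chain.append((cur, host_ip.get(cur)))
        # The request to `cur` whose Referer names a *different* host is the hop
        # that brought the victim here; same-host Referers are just page assets.
        cur = next((host_of(r["referrer"]) for r in http_rows
                    if r["host"] and r["host"].lower() == cur
                    and r["referrer"] and host_of(r["referrer"]) != cur), None)
    chain.reverse()
    return chain


if __name__ == "__main__":
    files_rows, http_rows = parse_zeek_tsv(FILES_LOG), parse_zeek_tsv(HTTP_LOG)
    for r in exploit_files(files_rows):
        print(f"{r['mime_type']:<32} md5={r['md5']} served by {r['tx_hosts']}")
    print(" -> ".join(f"{h} ({ip})" for h, ip in redirect_chain(http_rows, files_rows)))
```

The chain walk stops on a request with no Referer (the victim typed or bookmarked the compromised site) and guards against Referer loops; the same logic applies to Security Onion's ECS-mapped copies of these logs, only the field names differ.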
Q5
Q What is the FQDN of the compromised website?
A ciniholland.nl
The Q4 investigation already identified the compromised web site's host name, www.ciniholland.nl.
Therefore, the answer is ciniholland.nl.
Q6
Q What is the IP address of the server that delivered the exploit kit and malware?
A 37.200.69.143
The Q4 investigation identified the EK distribution server, and the Suricata EK alerts name the same IP as their source. Therefore, the answer is 37.200.69.143.
Q7
Q What is the FQDN that delivered the exploit kit and malware?
A stand.trustandprobaterealty.com
The answer comes from Zeek's HTTP log.
The IP of the server that delivered the EK is known from Q4, so filter the HTTP log on destination.ip = 37.200.69.143
and read the virtual host (the HTTP Host header) of those requests: stand.trustandprobaterealty.com.
Q8
Q What is the redirect URL that points to the exploit kit (EK) landing page?
A http://24corp-shop.com/
The landing-page URL is known from the Q4 investigation, so the answer is http://24corp-shop.com/.
Q9
Q Other than CVE-2013-2551 IE exploit, another application was targeted by the EK and starts with “J”. Provide the full application name.
A Java
The answer is Java, since the Suricata alert confirms the EK alert for Java.
Q10
Q How many times was the payload delivered?
A 3
Suricata's alerts include the rule ET EXPLOIT_KIT GoonEK encrypted binary (3).
Note that the "(3)" is part of the rule name (Emerging Threats numbers rule variants this way), not a hit count. What answers the question is how many times this rule fired, one alert per encrypted binary download from 37.200.69.143: it fired three times, so the answer is 3.
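Counting deliveries from Suricata's eve.json is easy to get wrong in both directions: the variant number in the rule name is not a count, and one flow can produce more than one alert line for the same signature, so the count should be over distinct flows. The following is an added example, not code from the write-up or from Security Onion; the alert records are constructed and abbreviated, with made-up flow_ids and timestamps, and the "Placeholder EK landing page" signature is invented to stand in for the other EK alerts on the page.

```python
"""Count exploit-kit payload deliveries from Suricata eve.json alerts.
Added example with constructed alert records (flow_ids, timestamps and the
placeholder landing-page signature are made up)."""
import json
import re
from collections import Counter

GOON = "ET EXPLOIT_KIT GoonEK encrypted binary (3)"   # rule name quoted in the write-up
LANDING = "ET EXPLOIT_KIT Placeholder EK landing page"   # invented stand-in for the other EK alerts
EK, VICTIM = "37.200.69.143", "172.16.165.165"


def _alert(ts, flow_id, src, dst, signature):
    return {"timestamp": ts, "flow_id": flow_id, "event_type": "alert",
            "src_ip": src, "dest_ip": dst, "proto": "TCP",
            "alert": {"signature": signature, "category": "Exploit Kit Activity Detected"}}


# Constructed eve.json: one landing-page alert, then three distinct download flows
# from the EK server; flow 1002 fires the binary rule twice (two matching packets).
# The encrypted-binary rule matches the server's response, so src_ip is the EK server.
EVE_JSON = "\n".join(json.dumps(r) for r in [
    _alert("2014-11-27T22:00:01", 1001, EK, VICTIM, LANDING),
    _alert("2014-11-27T22:00:05", 1002, EK, VICTIM, GOON),
    _alert("2014-11-27T22:00:05", 1002, EK, VICTIM, GOON),
    _alert("2014-11-27T22:00:09", 1003, EK, VICTIM, GOON),
    _alert("2014-11-27T22:00:14", 1004, EK, VICTIM, GOON),
])

VARIANT_RE = re.compile(r"\((\d+)\)\s*$")


def load_alerts(text):
    """eve.json is newline-delimited JSON mixing event types; keep only alerts."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if rec.get("event_type") == "alert":
                alerts.append(rec)
    return alerts


def signature_variant(signature):
    """The trailing '(N)' on an ET rule name is the rule variant, not a hit count."""
    m = VARIANT_RE.search(signature)
    return int(m.group(1)) if m else None


def count_alerts(alerts, needle):
    """Raw alert lines whose signature contains `needle` (over-counts repeated hits)."""
    return sum(1 for a in alerts if needle in a["alert"]["signature"])


def count_flows(alerts, needle):
    """Distinct flows that triggered `needle`: one per download, the number we want."""
    return len({a["flow_id"] for a in alerts if needle in a["alert"]["signature"]})


def deliveries_by_server(alerts, needle):
    """Distinct matching flows grouped by the server that sent the payload."""
    seen, per_server = set(), Counter()
    for a in alerts:
        if needle in a["alert"]["signature"] and a["flow_id"] not in seen:
            seen.add(a["flow_id"])
            per_server[a["src_ip"]] += 1
    return dict(per_server)


ALERTS = load_alerts(EVE_JSON)

if __name__ == "__main__":
    needle = "GoonEK encrypted binary"
    print("rule variant:", signature_variant(GOON))
    print("alert lines:", count_alerts(ALERTS, needle))
    print("distinct flows (payload deliveries):", count_flows(ALERTS, needle))
    print("by server:", deliveries_by_server(ALERTS, needle))
```

In Security Onion the same grouping is done in Kibana or SOC by counting the rule's hits per community ID / flow rather than per alert row; the script just makes the distinction explicit.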
Q11
Probably a numbering mistake in the challenge.
There is no No. 11.
Q12
Q The compromised website has a malicious script with a URL. What is this URL?
A http://24corp-shop.com/
The EK landing page is known from the Q4 investigation, so the answer is http://24corp-shop.com/.
You can also confirm it by opening the compromised site's HTTP transcript (PCAP view) in SOC: the injected script pointing at that URL is visible in the page's HTML.
Q13
Q Extract the two exploit files. What are the MD5 file hashes? (comma-separated )
A 7b3baa7d6bb3720f369219789e38d6ab,1e34fdebbf655cebea78b45e43520ddf
The answer comes from the Q4 investigation.
The application/java-archive and application/x-shockwave-flash files are the two exploit-kit exploits, so the md5 field of their files.log entries gives the answer.