Sunday, March 15, 2020

Malware Traffic Analysis "MondoGreek" Exercise Write-Up

Below is my incident report for the most recent malware traffic analysis exercise ( I won't bore you with a long introduction, let's jump straight into the contents of the report.

Victim machine
IP Address: 10.3.11[.]194
MAC: b8:ca:3a:ec:3b:8f
Host Name: laptop-sqsa42o$
User Account: otis.witherspoon

LAN segment range:  10.3.11[.]0/24 (10.3.11[.]0 through 10.3.11[.]255)
Domain controller:  10.3.11[.]3 - Mondogreek-DC
LAN segment gateway:  10.3.11[.]1
LAN segment broadcast address:  10.3.11[.]255


On 11 March 2020, at 21:24:36 UTC, a Windows client under the user account Otis Witherspoon was compromised by what appears to be Trickbot malware.

The infection kicked off when the user at IP address made a GET request to http://bolton-tech[.]com. This request contained an executable which turned out to be a Windows PE named "YAS20.exe".

Figure 1
- Infection traffic (TCP):
50.87.248[.]17 port 80 - bolton-tech[.]com - GET /YAS20.exe

Associated with the download of this executable, there is an alert for a WinHTTPRequest, which could possibly mean malicious macros are being downloaded via a maldoc.

Figure 2

Follow-on alerts associated with this binary consisted of:

50.87.248[.]17 port 80
• ET POLICY Binary Download Smaller than 1 MB Likely Hostile
• ET POLICY PE EXE or DLL Windows file download HTTP
• ET CURRENT_EVENTS WinHttpRequest Downloading EXE

Following the above traffic, the infected machine connects over TLS to the below hosts over port 443:

185.141.27[.]238 port 443
• ET CNC Feodo Tracker Reported CnC Server group 8

45.148.120[.]153 port 443
• ET CNC Feodo Tracker Reported CnC Server group 18

51.254.164[.]244 port 443
 • ET CNC Feodo Tracker Reported CnC Server group 19

During the above traffic, a GET request is made to to get the public IP address of the infected machine.  Immediately following that check, two more Windows PE's are downloaded from an additional malicious site.

- Infection traffic (TCP):
64.44.133[.]131 port 8082 GET /images/imgpaper.png
64.44.133[.]131 port 8082 GET /images/cursor.png

Upon further inspection, the PNG image files appear to be executables as the tell-tale "MZ" header is present in the 200 reply.

Figure 3

Figure 4 

The network traffic following the request of the two binaries appears to be normal Trickbot traffic. Social media and browser account information including passwords are exfiltrated from the infected machine via POST requests to 203.176.135[.]102 also listening on port 8082. Additionally, system discovery commands are also exfiltrated from the network.

Figure 5 

Figure 6

Indicators/Files From Infection

File: YAS20.exe
SHA256: 02db3c6b9aff73bf8a11c41107c836b6c800c919c5d3d1304f336aee03f79f4c
Information: This file was not able to be successfully run in a sandbox.

File: imgpaper.png.exe
SHA256: 8aa9c596dd3eb7560bc7416ba181e858f1174fcbcb5432050f3f9a663ed1ffa2
Sandbox Description: Trickbot installer
Information: This file uses cmstplua for privilege escalation

File: cursor.png.exe
SHA256: 68798ccf8e2a5f9682a4e011bec288ad9b3f900244f82c6ae5e8ca538725f92e
Sandbox Description: Trickbot installer
Information: This file uses cmstplua for privilege escalation

Saturday, March 14, 2020

Authoring a Sigma Rule for CSI.Exe

I have continued down the rabbit hole with how to detect different .NET framework executable's.  In this blog post, I will cover a quick proof of concept and a soft detection rule via a Sigma rule. Not only does Sigma allow for the quick creation of rules across multiple SIEM environments, but the authors are also nice enough to let anyone submit their own newly created rules.

For those new to information security and looking to get their foot in the door, contributing amongst to projects amongst your peers is a great confidence builder. It took me weeks to get the guts to make my first pull request with a Sigma rule. My first rule breezed right through the pull request and was merged into the Sigma repository.

Continuing on from my last foray into csi.exe, I wanted to find some ways to detect malicious use of this binary without getting overwhelmed by ETW logs. This process also allowed me to see just what I was able to detect in my lab environment. I have moved to researching Reflective DLL injection, that will definitely be another blog post for another time, an eye opening experience indeed.

JPCert's Log Analysis Training

6 Aug 2020 About a week or so ago, JPCert released their Log Analysis training slides and corresponding CSV files for each hands-on exercise...