Sunday, March 15, 2020

Malware Traffic Analysis "MondoGreek" Exercise Write-Up


Below is my incident report for the most recent malware traffic analysis exercise ( https://www.malware-traffic-analysis.net/2020/03/14/index.html). I won't bore you with a long introduction, let's jump straight into the contents of the report.

Victim machine
IP Address: 10.3.11[.]194
MAC: b8:ca:3a:ec:3b:8f
Host Name: laptop-sqsa42o$
User Account: otis.witherspoon

Environment
LAN segment range:  10.3.11[.]0/24 (10.3.11[.]0 through 10.3.11[.]255)
Domain:  mondogreek.com
Domain controller:  10.3.11[.]3 - Mondogreek-DC
LAN segment gateway:  10.3.11[.]1
LAN segment broadcast address:  10.3.11[.]255

Analysis

On 11 March 2020, at 21:24:36 UTC, a Windows client under the user account Otis Witherspoon was compromised by what appears to be Trickbot malware.

The infection kicked off when the user at IP address 10.3.11.194 made a GET request to http://bolton-tech[.]com. This request contained an executable which turned out to be a Windows PE named "YAS20.exe".

Figure 1
- Infection traffic (TCP):
50.87.248[.]17 port 80 - bolton-tech[.]com - GET /YAS20.exe

Associated with the download of this executable, there is an alert for a WinHTTPRequest, which could possibly mean malicious macros are being downloaded via a maldoc.

Figure 2

Follow-on alerts associated with this binary consisted of:

50.87.248[.]17 port 80
• ET POLICY Binary Download Smaller than 1 MB Likely Hostile
• ET POLICY PE EXE or DLL Windows file download HTTP
• ET CURRENT_EVENTS WinHttpRequest Downloading EXE

Following the above traffic, the infected machine connects over TLS to the below hosts over port 443:
185.141.27[.]238
 45.148.120[.]143
51.245.164[.]244

185.141.27[.]238 port 443
• ET CNC Feodo Tracker Reported CnC Server group 8

45.148.120[.]153 port 443
• ET CNC Feodo Tracker Reported CnC Server group 18

51.254.164[.]244 port 443
 • ET CNC Feodo Tracker Reported CnC Server group 19

During the above traffic, a GET request is made to checkip.amazonaws.com to get the public IP address of the infected machine.  Immediately following that check, two more Windows PE's are downloaded from an additional malicious site.

- Infection traffic (TCP):
64.44.133[.]131 port 8082 GET /images/imgpaper.png
64.44.133[.]131 port 8082 GET /images/cursor.png

Upon further inspection, the PNG image files appear to be executables as the tell-tale "MZ" header is present in the 200 reply.

Figure 3

Figure 4 


The network traffic following the request of the two binaries appears to be normal Trickbot traffic. Social media and browser account information including passwords are exfiltrated from the infected machine via POST requests to 203.176.135[.]102 also listening on port 8082. Additionally, system discovery commands are also exfiltrated from the network.

Figure 5 

Figure 6

Indicators/Files From Infection

File: YAS20.exe
SHA256: 02db3c6b9aff73bf8a11c41107c836b6c800c919c5d3d1304f336aee03f79f4c
Information: This file was not able to be successfully run in a sandbox.

File: imgpaper.png.exe
SHA256: 8aa9c596dd3eb7560bc7416ba181e858f1174fcbcb5432050f3f9a663ed1ffa2
Sandbox Description: Trickbot installer
Information: This file uses cmstplua for privilege escalation
Ref: https://app.any.run/tasks/e5044b8b-8e1d-4442-8447-5c73f9628bb5/

File: cursor.png.exe
SHA256: 68798ccf8e2a5f9682a4e011bec288ad9b3f900244f82c6ae5e8ca538725f92e
Sandbox Description: Trickbot installer
Information: This file uses cmstplua for privilege escalation
Ref:  https://app.any.run/tasks/2bb8d90a-7217-45bf-b889-3d63f2633247

JPCert's Log Analysis Training

6 Aug 2020 About a week or so ago, JPCert released their Log Analysis training slides and corresponding CSV files for each hands-on exercise...