2015-06-30 - TRAFFIC ANALYSIS EXERCISE - ANSWERS
- ZIP of the traffic: 2015-06-30-traffic-analysis-exercise.pcap.zip
- ZIP file of the associated malware/artifacts: 2015-06-30-traffic-analysis-exercise-malware.zip
- I've included a zip archive of the EK landing page, flash exploit, deobfuscated malware payload, and follow-up malware from the infected host.
- Post-infection malware found on the infected host was: C:\Users\username\thugbfmm.exe - 50.7 MB (50,675,712 bytes)
- The zip archive is password-protected with the standard password. If you don't know it, email me at firstname.lastname@example.org and ask.
- Analysis of deobfuscated malware payload on hybrid-analysis.com: link
- Analysis of the post-infection malware from the infected host on hybrid-analysis.com: link
- The following tutorial shows how I set up my column display in Wireshark for some of the answers:
ANSWERS AND HINTS
See the image below for answers:
Filtering on http.request will give you a quick rundown. Click on the image below for a full-size view:
Signature hits from the Talos (Sourcefire VRT) ruleset also identify the exploit kit:
Using the Wireshark filter shown in the image below helps identify some of the post-infection traffic from the infected host:
Filter on udp, and you'll find an interesting reverse DNS lookup (PTR), and you'll also see NetBIOS traffic to an external host.
Looking at the EK traffic, you'll find the payload is obfuscated, as we've seen before with this and other EKs:
You can extract the EK landing page, Flash exploit, and obfuscated malware payload as noted in the next two images:
The Python script shown below can be used to deobfuscate the EK malware payload:
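The post's own deobfuscation script is not reproduced here. The following is an added example, not the script from the original post, that shows one way such a payload can be recovered: it assumes the exploit kit obfuscated the executable with a repeating-key XOR (an assumption; the post does not name the scheme) and recovers the key by known plaintext, since every Windows executable carries the DOS-stub string "This program cannot be run in DOS mode." near the start of the file. The sample payload, the key, and the function names are all constructed for this example.

```python
# Added example, not the script from the original post. Assumes a
# repeating-key XOR obfuscation (the post does not state the scheme) and
# recovers the key from the known DOS-stub text every PE file carries.
from typing import Optional, Tuple

DOS_STUB = b"This program cannot be run in DOS mode."


def xor_bytes(blob: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR. XOR is symmetric, so the same function
    both obfuscates and deobfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def key_from_known_plaintext(blob: bytes, known: bytes, offset: int,
                             max_keylen: int = 32) -> Optional[bytes]:
    """Assuming `known` sits at `offset` in the cleartext, XOR it against the
    obfuscated bytes at that position to expose a slice of the key stream,
    find the shortest period in that slice, and return the key realigned
    to offset 0 of the blob. Returns None if no period is found."""
    fragment = blob[offset:offset + len(known)]
    if len(fragment) < len(known):
        return None
    stream = bytes(b ^ k for b, k in zip(fragment, known))
    for klen in range(1, min(max_keylen, len(stream)) + 1):
        if all(stream[i] == stream[i % klen] for i in range(len(stream))):
            # stream[j] == key[(offset + j) % klen]; undo the offset so the
            # returned key lines up with blob[0]
            return bytes(stream[(m - offset) % klen] for m in range(klen))
    return None


def looks_like_pe(data: bytes) -> bool:
    """Structural sanity check on a candidate cleartext: MZ magic at 0 and
    a PE signature at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def deobfuscate_pe(blob: bytes,
                   search_range=range(0x40, 0x100)) -> Optional[Tuple[bytes, bytes]]:
    """Try each plausible DOS-stub offset, recover a key there, and keep the
    first key whose output is a structurally valid PE. The PE check rejects
    keys derived from a wrong offset. Returns (key, cleartext) or None."""
    for offset in search_range:
        key = key_from_known_plaintext(blob, DOS_STUB, offset)
        if key is None:
            continue
        clear = xor_bytes(blob, key)
        if looks_like_pe(clear):
            return key, clear
    return None


def build_sample(key: bytes) -> bytes:
    """Constructed stand-in for an obfuscated PE payload (not a real binary):
    MZ header, e_lfanew pointing at 0x80, the standard DOS stub at 0x4E,
    a PE signature, and filler, all XORed with `key`."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    img[0x3C:0x40] = (0x80).to_bytes(4, "little")
    img[0x40:0x4E] = bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21")
    img[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    img[0x80:0x84] = b"PE\0\0"
    img[0x84:] = bytes(range(0x84, 0x100))  # filler for the rest of the header
    return xor_bytes(bytes(img), key)


if __name__ == "__main__":
    SAMPLE_KEY = b"q7Lz\x13Qe"  # constructed 7-byte key
    blob = build_sample(SAMPLE_KEY)
    result = deobfuscate_pe(blob)
    if result is None:
        raise SystemExit("no repeating-key XOR key recovered")
    key, clear = result
    print("recovered key:", key, "cleartext is PE:", looks_like_pe(clear))
```

On a real capture you would feed `deobfuscate_pe` the bytes extracted from the payload response (for example via Wireshark's File > Export Objects > HTTP) and write the returned cleartext to disk for hashing and sandbox submission. If the kit uses a different scheme, the known-plaintext step will find no period at any offset and the function returns None rather than a mangled file.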