Tuesday, March 1, 2016

TeslaCrypt Ransomware - Traffic Analysis and IOC - Splunk and Suricata (IDS)

This blog post walks through the lab exercise from "malware-traffic-analysis.net" posted in Feb 2016. The focus is mainly on using Splunk as a SIEM tool to detect the pattern within the log files. This post assumes some basic working knowledge of Splunk, Suricata and Wireshark.

Files can be downloaded from "malware-traffic-analysis.net":
PCAP of the traffic:  2016-02-28-traffic-analysis-exercise.pcap   16.2 MB
ZIP archive the above PCAP:  2016-02-28-traffic-analysis-exercise.pcap.zip   13.4 MB


I have set up analysis tools like Suricata, Wireshark and Fiddler inside a virtual instance for analysis, and I use a Splunk universal forwarder to transport the logs to the Splunk core instance. Follow the post below for installing Suricata and configuring it to forward the logs to Splunk.

Navigate to the Suricata folder and run the following command (replace the placeholders with your pcap path and an output directory for the logs):

suricata -c suricata.yaml -r <input_pcap_file_location> -l <output_location_to_store_the_logs>


root@brainfold-blackbox:/opt/suricata-3.1.1# suricata -c /opt/suricata-3.1.1/suricata.yaml -r /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2015-02-Nuclear-EK/2015-02-15-traffic-analysis-exercise.pcap -l /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2015-02-Nuclear-EK/

A successful run prints the following information without any error.

<Notice> - This is Suricata version 3.1.1 RELEASE
<Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
<Notice> - Signal Received.  Stopping engine.
<Notice> - Pcap-file module read 3103 packets, 2155330 bytes

Suricata's output file eve.json contains various event_types, segregating the activity into alert, dns, fileinfo, flow, http, stats and tls. This is very useful in identifying the malicious events.

The screenshots are part of a single "view" dashboard purpose-built for analysing malicious pcap files (for lab purposes). To make each campaign easy to pick out, I am using a multi-select token ($crimename$ in the searches below) that lets me search by campaign.
I will share the full XML code with the searches in a separate post.

Screenshot showing the Emerging Threats Signature

Event by Category
index="suricata"  sourcetype="pcap" source="*$crimename$*"   | stats count by event_type

List of Signatures Triggered
index="suricata"  sourcetype="pcap" source="*$crimename$*" event_type=alert alert.signature!="*suricata*"  | stats count by alert.signature | rename alert.signature AS "Signatures_Triggered"  | table "Signatures_Triggered"

List of Notable HTTP Traffic

Two separate requests were made to misspluss[.]hu and www[.]mysecretdeals[.]nl, followed by subsequent file downloads and a connection back to the C2. The former attempt, via misspluss[.]hu, does not seem to have succeeded (img.zolotcevasunya.info), while the latter seems to have successfully communicated back to netmakevitelaoversttelsestidspunkt.timepassion[.]com and then to biocarbon[.]com[.]ec.

index="suricata"  sourcetype="pcap" source="*$crimename$*"  ("http.http_content_type"="text/html"  OR http.http_content_type="*application*") | stats count by http.hostname

index="suricata"  sourcetype="pcap" source="*$crimename$*"   event_type=http | iplocation src_ip | table timestamp pcap_cnt src_ip dest_ip dest_port  http.hostname http.http_content_type http.http_refer http.url

In this lab instance, we have insufficient information coming into Splunk to see the packet-level detail. Wireshark can come to our aid here.

HTTP traffic in wireshark

Files Downloaded
index="suricata"  sourcetype="pcap" source="*$crimename$*" fileinfo.filename=* NOT (http.hostname="*google*" OR http.hostname="*facebook*" OR http.hostname="*bing*" OR http.hostname="*youtube*" OR http.hostname="*microsoft*" OR fileinfo.filename="*.js" OR fileinfo.filename="*.css" OR fileinfo.filename="*.eot" OR fileinfo.filename="*.woff" OR fileinfo.filename="/" OR fileinfo.filename="*.jpg" OR fileinfo.filename="*.png" OR fileinfo.filename="*.gif" OR fileinfo.filename="*.woff2")  | stats values(fileinfo.filename) AS "Files Downloaded" values(http.http_content_type) AS Content_type by http.hostname src_ip | RENAME http.hostname AS "Malicious Domain"
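
For anyone reproducing the "List of Signatures Triggered" and "Files Downloaded" searches without Splunk, here is an added example (my own code, not part of the original dashboard) that applies the same filters directly to eve.json lines. The EVE lines are constructed for the example and are not from the exercise pcap; the field paths follow Suricata's EVE schema as used in the searches above.

```python
import json
import fnmatch
from collections import Counter, defaultdict

# Constructed eve.json lines (not taken from the exercise pcap); field paths
# follow Suricata's EVE schema as referenced by the Splunk searches above.
EVE_LINES = [
    '{"event_type":"dns","src_ip":"192.168.1.10","dns":{"rrname":"lookup.example"}}',
    '{"event_type":"alert","src_ip":"192.168.1.10","alert":{"signature":"SURICATA HTTP unable to match response to request"}}',
    '{"event_type":"alert","src_ip":"192.168.1.10","alert":{"signature":"ET EXAMPLE constructed test signature"}}',
    '{"event_type":"fileinfo","src_ip":"192.168.1.10","http":{"hostname":"www.google.com","http_content_type":"image/png"},"fileinfo":{"filename":"/logo.png"}}',
    '{"event_type":"fileinfo","src_ip":"192.168.1.10","http":{"hostname":"download-host.example","http_content_type":"application/octet-stream"},"fileinfo":{"filename":"/setup.exe"}}',
    '{"event_type":"fileinfo","src_ip":"192.168.1.10","http":{"hostname":"cdn.example","http_content_type":"text/css"},"fileinfo":{"filename":"/site.css"}}',
]

# Same noise filters as the "Files Downloaded" search, written as Splunk-style wildcards.
NOISY_HOSTS = ["*google*", "*facebook*", "*bing*", "*youtube*", "*microsoft*"]
NOISY_FILES = ["*.js", "*.css", "*.eot", "*.woff", "*.woff2", "/", "*.jpg", "*.png", "*.gif"]

def load_events(lines):
    """Parse one JSON object per line, which is how Suricata writes eve.json."""
    return [json.loads(line) for line in lines if line.strip()]

def _matches_any(value, patterns):
    """Case-insensitive wildcard match, mirroring Splunk's * matching."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def signatures_triggered(events):
    """Alert signatures with Suricata's own engine/decoder alerts removed."""
    sigs = Counter()
    for e in events:
        if e.get("event_type") == "alert":
            sig = e.get("alert", {}).get("signature", "")
            if sig and not _matches_any(sig, ["*suricata*"]):
                sigs[sig] += 1
    return sigs

def files_downloaded(events):
    """(hostname, src_ip) -> filenames, after dropping benign hosts and static web assets."""
    out = defaultdict(set)
    for e in events:
        if e.get("event_type") != "fileinfo":
            continue
        host = e.get("http", {}).get("hostname", "")
        fname = e.get("fileinfo", {}).get("filename", "")
        if not fname or _matches_any(host, NOISY_HOSTS) or _matches_any(fname, NOISY_FILES):
            continue
        out[(host, e.get("src_ip"))].add(fname)
    return dict(out)
```

Point `load_events` at the real eve.json produced by the Suricata run above to get the same two tables the dashboard panels show.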

DNS Traffic: DNS queries made during this scenario

Further analysis of the infected and compromised hosts, and of the scripts downloaded, can be done using NetworkMiner or Fiddler, which is beyond the scope of this post.