Friday, August 19, 2016

EITest-Rig-EK & pseudoDarkleech-Neutrino-EK Traffic Analysis

This blog post walks through the lab exercise from "" posted on Aug 17th 2016. The focus is mainly on using the pre-built Splunk tool to detect and observe the behavior. Suricata is used as the NIDS engine with ET signatures, Wireshark is used to further observe the payload, and wget is used to download the HTML page of the compromised/redirect site to witness and deobfuscate the code.



The set-up is to run tools like Suricata (IDS), Wireshark and Fiddler inside a separate instance for analysis and use a Splunk universal forwarder to transport the logs to the Splunk core instance. Follow the below post for installing Suricata and configuring it to transport the logs to Splunk.

There were 2 pcap files in the zip; I used mergecap to merge the 2 files, making it easier for analysis in Splunk.

 mergecap -v input_file1.pcap inputfile2.pcap -w outputfile.pcap
Navigate to the Suricata folder and run the following command.

suricata -c suricata.yaml -r input_pcap_file_location -l output_location_to_store_the_logs

root@brainfold-blackbox:/opt/suricata-3.1.1# suricata -c suricata.yaml -r /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016-08-17\ -\ PCAPS\ AND\ MALWARE\ FOR\ AN\ ISC\ DIARY/2016-08-17-pcaps-for-ISC-diary/2016-08-17-EITest-Rig-EK-sends-possible-Vawtrak-traffic.pcap -l /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016-08-17\ -\ PCAPS\ AND\ MALWARE\ FOR\ AN\ ISC\ DIARY/2016-08-17-pcaps-for-ISC-diary
19/8/2016 -- 07:04:48 - <Notice> - This is Suricata version 3.1.1 RELEASE
19/8/2016 -- 07:04:54 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
19/8/2016 -- 07:04:54 - <Notice> - Signal Received.  Stopping engine.
19/8/2016 -- 07:04:54 - <Notice> - Pcap-file module read 1985 packets, 1513868 bytes

Suricata's output eve.json file contains various event_types, segregating the activities into alert, dns, fileinfo, flow, http, stats and tls. This is very useful in identifying the malicious events. Once the traffic is loaded into Splunk and viewed inside the Suricata dashboard, I can straightaway spot some domains and downloaded files that look out of the ordinary.
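To make the event_type segregation concrete, here is an added Python example (not code from the original post) that reads eve.json lines, counts the event types, and pulls out the HTTP request timeline plus the downloaded files whose libmagic type is Flash, HTML or a PE executable, the same triage done above in the Splunk dashboard. The sample eve lines, hostnames and IPs are constructed for illustration.

```python
import json
from collections import Counter

# Constructed Suricata eve.json sample (NDJSON, one event per line); the
# hostnames, IPs and signature text are illustrative, not from the post's pcaps.
SAMPLE_EVE = """\
{"timestamp":"2016-08-17T15:01:02.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"compromised.example","rrtype":"A"}}
{"timestamp":"2016-08-17T15:01:03.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","http":{"hostname":"compromised.example","url":"/index.html","http_method":"GET","status":200}}
{"timestamp":"2016-08-17T15:01:04.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","http":{"hostname":"gate.example","url":"/?q=abc","http_method":"GET","status":200}}
{"timestamp":"2016-08-17T15:01:05.000000+0000","event_type":"fileinfo","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","http":{"hostname":"gate.example","url":"/flash.swf"},"fileinfo":{"filename":"/flash.swf","magic":"Macromedia Flash data (compressed)","size":41234}}
{"timestamp":"2016-08-17T15:01:06.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","alert":{"signature":"ET CURRENT_EVENTS constructed EK landing signature","severity":1}}
{"timestamp":"2016-08-17T15:01:07.000000+0000","event_type":"fileinfo","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","http":{"hostname":"gate.example","url":"/payload"},"fileinfo":{"filename":"/payload","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","size":212992}}
{"timestamp":"2016-08-17T15:01:08.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"198.51.100.7"}
"""

# libmagic prefixes that match the file types the post singles out (swf, html, exe/dll)
SUSPECT_MAGIC = ("Macromedia Flash", "HTML document", "PE32")


def parse_eve(text):
    """Parse NDJSON eve output into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line at end of a live file is normal
    return events


def count_event_types(events):
    """Counter of event_type values: alert, dns, fileinfo, flow, http, stats, tls."""
    return Counter(e.get("event_type") for e in events)


def http_timeline(events):
    """Time-ordered (timestamp, hostname, url) rows for every HTTP request."""
    rows = [(e["timestamp"], e["http"].get("hostname"), e["http"].get("url"))
            for e in events if e.get("event_type") == "http"]
    return sorted(rows)


def suspicious_files(events):
    """fileinfo events whose libmagic type is Flash, HTML or a PE executable."""
    hits = []
    for e in events:
        if e.get("event_type") != "fileinfo":
            continue
        info = e.get("fileinfo", {})
        magic = info.get("magic", "")
        if any(magic.startswith(m) for m in SUSPECT_MAGIC):
            hits.append((e.get("http", {}).get("hostname"), info.get("filename"), magic))
    return hits
```

On a real run, point parse_eve at the eve.json written to the -l output directory; fileinfo events only carry the magic field when the file-store / magic option is enabled in suricata.yaml.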

Http Traffic
The below screenshot shows the HTTP traffic that happened during the infection.

HTTP Traffic with sequence of events

Files Downloaded
The below screenshot shows the Flash (swf) and HTML files downloaded.
DNS Traffic

TLS Traffic

VirusTotal submission for the "Vawtrak.exe" file

VirusTotal lookup for the DLL file - 2016-08-17-pseudoDarkleech-Neutrino-EK-payload-CrypMIC

Malicious URLs within the HTML page