Monday, August 8, 2016

PSEUDO-DARKLEECH NEUTRINO EK - Traffic Analysis and Indicators

This blog post is to walk through the Lab exercise from "" posted on Aug 2016.  And the focus is mainly on using Splunk as a SIEM tool to detect the pattern. Once detected, Wireshark , fiddler (proxy) and jsdetox can be used to further observe the IOC's


Source -
ZIP archive of the pcaps:   380.4 kB (380,404 bytes)
2016-08-01-pseudoDarkleech-Neutrino-EK-sends-CrypMIC.pcap   (627,510 bytes)
ZIP archive of the malware:   290.9 kB (290,865 bytes)   (41,415 bytes)
2016-08-01-pseudoDarkleech-CrypMIC-decrypt-instructions.BMP   (3,276,854 bytes)
2016-08-01-pseudoDarkleech-CrypMIC-decrypt-instructions.HTML   (238,187 bytes)
2016-08-01-pseudoDarkleech-CrypMIC-decrypt-instructions.TXT   (1,654 bytes)
2016-08-01-pseudoDarkleech-Neutrino-EK-flash-exploit.swf   (76,929 bytes)
2016-08-01-pseudoDarkleech-Neutrino-EK-landing-page.txt   (2,470 bytes)
2016-08-01-pseudoDarkleech-Neutrino-EK-payload-CrypMIC.dll   (306,688 bytes)

The set-up is to run the like Suricata (IDS), Wireshark and Fiddler inside the seperate instance for analysis and use a Splunk universal forwarder to transport the logs to Splunk Core instance. Follow the below post for Suricata install and configure to transport the logs-to splunk

Navigate to the suricata folder  and run the following command.

Suricata -c suricata.yaml - r input_pcap_file_location -l output_location_to_store_the_logs


root@brainfold-blackbox:/opt/suricata-3.1.1# suricata -c suricata.yaml -r /mnt/hgfs/Shared/network_traffic_analysis/CRIME/pseudoDarkleech-Neutrino-EK-sends-CrypMIC/2016-08-01-pseudoDarkleech-Neutrino-EK-sends-CrypMIC.pcap -l /mnt/hgfs/Shared/network_traffic_analysis/CRIME/pseudoDarkleech-Neutrino-EK-sends-CrypMIC/

<Notice> - This is Suricata version 3.1.1 RELEASE
 <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
<Notice> - Signal Received.  Stopping engine.
<Notice> - Pcap-file module read 668 packets, 616798 bytes

Suricata's output eve.json file contains various event_types, segregating the activities to alert, dns, fileinfo, flow, http, stats, tls. This is very useful in identifying the malicious events.

Once the traffic is loaded in Splunk.

First, search-1 for rare/uncommon http.hostname and then, search-2 to understand the flow of events by unique host. In this instance, I have removed the known good traffic like google, facebook and twitter.  Its better to have a lookup file with known good http.hostname. (removing the noise). The highlighted traffic requires further triage.

Search-1 : index="suricata" sourcetype="pcap" source="*pseudoDarkleech-Neutrino-EK-sends-CrypMIC*" event_type=* | rare http.hostname

Image showing the rare http traffic

Search-2 : index="suricata" sourcetype="pcap" source="*pseudoDarkleech-Neutrino-EK-sends-CrypMIC*" event_type=*   | table timestamp src_ip dest_ip http.status http.hostname http.url | dedup http.hostname | sort timestamp

Image showing the http traffic with src, dest and status information

At this point, I know there is some odd looking traffic that requires further investigation.
Below are some of the evidence screenshots taken during the triage

   ET Signatures

Http Traffic

Further Analysis

Further analysis of the PCAP file shows the payload and other interesting information as shown in the screenshot below.