Network Analysis - Malware Compromise
I recently completed another Blue Team Labs Online challenge focused on packet analysis using Wireshark. Wireshark is a packet sniffer and analysis tool that captures network traffic for offline analysis. If you’re new to Wireshark, I recommend this comprehensive guide.
Identifying the Infected Host
The first question asks for the private IP of the infected host. When you open the PCAP file, this information is immediately visible. A private IP address is assigned by your network router and allows devices on the same local network to communicate. The ranges are:
- Class A: 10.0.0.0 to 10.255.255.255
- Class B: 172.16.0.0 to 172.31.255.255
- Class C: 192.168.0.0 to 192.168.255.255
Finding the Malware Binary
This question proved more challenging. I found the answer by referencing Brad Duncan’s excellent Wireshark tutorial on Emotet. The key Wireshark display filter I used was:
(http.request or http.response or tls.handshake.type eq 1) and !(ssdp)
I then followed the TCP stream to identify the malware binary being retrieved by the macro document.
Tracking HTTP Requests
For identifying the domain making GET /images/ requests, I simply filtered through the packet list and scrolled until I found the relevant HTTP traffic.
Following the Infection Chain
The SOC team identified Dridex, a secondary malware deployed after an Ursnif infection. To find the URI ending in .rar where Ursnif retrieves its payload, I used the same Wireshark filter from earlier and analyzed the resulting packets.
Final Question
The last question asked for Dridex post-infection traffic IP addresses beginning with 185. I found the answer by reviewing the packet list carefully; sometimes the most direct approach is the best.
What’s the private IP of the infected host?
This one is pretty self-explanatory. As soon as you open the PCAP BTLO gives you, you’re met with the IP address. A private IP address is the address your network router assigns to your device. Each device within the same network is assigned a unique private IP address (sometimes called a private network address); this is how devices on the same internal network talk to each other. The address ranges are Class A (10.0.0.0 to 10.255.255.255), Class B (172.16.0.0 to 172.31.255.255) and Class C (192.168.0.0 to 192.168.255.255).
What’s the malware binary that the macro document is trying to retrieve?
Now this one had me a little stumped trying to figure out the answer, but this is where Google comes in. I found an article with a filter that helped me in my investigation. Thank you Brad Duncan at Palo Alto Networks for writing this guide: https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/ The filter I used was <(http.request or http.response or tls.handshake.type eq 1) and !(ssdp)>, and I followed the TCP stream on the first matching packet.
From what domain HTTP requests with GET /images/ are coming from?
For this one I didn’t use any special filter to find the answer. I literally just scrolled down the packet list until I saw a GET /images/ request in the Info column.
The SOC Team found Dridex, a follow-up malware from Ursnif infection, to be the culprit. The customer who sent her the macro file is compromised. What’s the full URI ending in .rar where Ursnif retrieves the follow-up malware from?
For our second-to-last question I used the same filter <(http.request or tls.handshake.type eq 1) and !(ssdp)> that I got from the Palo Alto article and opened the matching packet.
What are the Dridex post-infection traffic IP addresses beginning with 185.?
Last but not least, how did I solve the final question? Well, I just scrolled. The answer is in the question and there is no need to overthink this one.
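To make the steps above repeatable outside the Wireshark GUI, here is an added Python example (not code from the challenge, from BTLO, or from the Palo Alto tutorial) that reads a pcap file, applies the same logic as the display filter <(http.request or http.response or tls.handshake.type eq 1) and !(ssdp)>, and then answers the five questions in one pass: which source addresses fall in the Class A/B/C private ranges listed earlier, which host serves the GET /images/ requests, which request URIs end in .rar, and which destinations of the private host's traffic start with a given prefix (the challenge asks for "185."). It goes beyond the single capture in the post by working on any classic-format pcap. The capture it runs on is constructed inline: the client address 10.7.3.101, the TEST-NET-3 server addresses, the host names example.test and files.example.test, and the file names are all made up for the example and are not the challenge's values. The matching is a simplified model of Wireshark's dissectors (IPv4 only, no TCP reassembly, ClientHello detected from the first record of a segment), which is enough for the first request of each stream, the same packets the post follows the TCP stream from.

```python
import struct
import ipaddress

def frame(src, sport, dst, dport, payload=b"", proto=6):
    """Ethernet II + IPv4 + TCP (proto 6) or UDP (17) around payload; checksums left at 0."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)  # doff 5, PSH+ACK
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload   # dst MAC, src MAC, EtherType IPv4

def write_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # classic pcap, link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

# Constructed sample capture (not the challenge PCAP): one 10/8 client talking to TEST-NET-3 servers.
CLIENT = "10.7.3.101"
SAMPLE_PCAP = write_pcap([
    frame(CLIENT, 49152, "239.255.255.250", 1900, proto=17,
          payload=b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n\r\n"),
    frame(CLIENT, 49153, "203.0.113.20", 443, b"\x16\x03\x01\x00\x06\x01\x00\x00\x02\x03\x03"),  # ClientHello
    frame(CLIENT, 49154, "203.0.113.10", 80, b"GET /images/logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    frame("203.0.113.10", 80, CLIENT, 49154, b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG"),
    frame(CLIENT, 49155, "203.0.113.30", 80, b"GET /payload/update.rar HTTP/1.1\r\nHost: files.example.test\r\n\r\n"),
    frame(CLIENT, 49155, "203.0.113.30", 80),   # bare ACK with no payload: must not match
])

def read_pcap(data):
    """Yield raw frames from classic pcap bytes (either byte order)."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        yield data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def decode(f):
    """Addresses, ports and transport payload of an IPv4 TCP/UDP frame, or None for anything else."""
    if f[12:14] != b"\x08\x00" or f[23] not in (6, 17):
        return None
    l4 = f[14 + (f[14] & 0x0F) * 4:]
    payload = l4[(l4[12] >> 4) * 4:] if f[23] == 6 else l4[8:]   # TCP data offset covers options
    return {"src": str(ipaddress.IPv4Address(f[26:30])), "dst": str(ipaddress.IPv4Address(f[30:34])),
            "proto": f[23], "sport": int.from_bytes(l4[0:2], "big"), "dport": int.from_bytes(l4[2:4], "big"),
            "payload": payload}

# Wireshark dissects SSDP as HTTP over UDP, so http.request alone also matches M-SEARCH/NOTIFY
# discovery noise; that is what the trailing "and !(ssdp)" in the page's filter removes.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"M-SEARCH ", b"NOTIFY ")

def is_http_request(p):
    return p["payload"].startswith(HTTP_METHODS)

def is_tls_client_hello(p):   # record type 0x16 (handshake) carrying handshake type 0x01 (ClientHello)
    d = p["payload"]
    return p["proto"] == 6 and len(d) >= 6 and d[0] == 0x16 and d[5] == 0x01

def is_ssdp(p):
    return p["proto"] == 17 and 1900 in (p["sport"], p["dport"])

def matches_filter(p):
    """Python equivalent of: (http.request or http.response or tls.handshake.type eq 1) and !(ssdp)"""
    return (is_http_request(p) or p["payload"].startswith(b"HTTP/") or is_tls_client_hello(p)) and not is_ssdp(p)

RFC1918 = {"A": ipaddress.ip_network("10.0.0.0/8"), "B": ipaddress.ip_network("172.16.0.0/12"),
           "C": ipaddress.ip_network("192.168.0.0/16")}

def rfc1918_class(ip):
    """'A', 'B' or 'C' per the ranges listed on the page, else None. ipaddress's is_private is
    broader (loopback, link-local, ...), which is why the three ranges are spelled out here."""
    addr = ipaddress.ip_address(ip)
    return next((k for k, net in RFC1918.items() if addr in net), None)

def http_request_summary(p):
    request_line, _, headers = p["payload"].partition(b"\r\n")
    method, uri = request_line.split(b" ")[:2]
    host = next((h.split(b":", 1)[1].strip() for h in headers.split(b"\r\n") if h.lower().startswith(b"host:")), b"")
    return {"client": p["src"], "method": method.decode(), "host": host.decode(), "uri": uri.decode()}

def triage(pcap_bytes, post_infection_prefix):
    """Answer the challenge's questions over any capture: private host(s), the host serving
    GET /images/, URIs ending in .rar, and destinations whose address starts with a given prefix."""
    packets = [p for p in map(decode, read_pcap(pcap_bytes)) if p]
    hits = [p for p in packets if matches_filter(p)]
    requests = [http_request_summary(p) for p in hits if is_http_request(p)]
    private_hosts = sorted({p["src"] for p in packets if rfc1918_class(p["src"])})
    return {"matched": len(hits), "private_hosts": private_hosts,
            "images_hosts": sorted({r["host"] for r in requests if r["uri"].startswith("/images/")}),
            "rar_uris": [r["host"] + r["uri"] for r in requests if r["uri"].endswith(".rar")],
            "post_infection_dsts": sorted({p["dst"] for p in packets if p["src"] in private_hosts
                                           and p["dst"].startswith(post_infection_prefix)})}

if __name__ == "__main__":
    print(triage(SAMPLE_PCAP, "203.0.113."))   # the challenge asks for destinations starting with "185."
```

Run against a real file with triage(open("capture.pcap", "rb").read(), "185.") (the file name is a placeholder). Two points worth noticing: the SSDP M-SEARCH datagram does match the http.request half of the filter, and only the !(ssdp) clause drops it, which is why the filter from the tutorial ends the way it does; and rfc1918_class deliberately re-implements the three ranges rather than relying on the standard library's is_private, because that flag also marks loopback and link-local addresses, which would mis-identify the infected host on a capture that contains them.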
Ladies and gentlemen I hope you enjoyed this read and learned something from my post!