Full Packet Fridays: Malware Traffic Analysis

For today’s post, I wanted to get back into some malicious traffic analysis. I created a quick script to randomize traffic analysis examples, and was provided the link to the Malware-Traffic-Analysis.net exercise on April 16, 2016. You can find more information about the challenge here.

The questions

The challenge asks the following questions of us:

  • The host name of the user’s Windows computer
  • The MAC address of the user’s Windows computer
  • A summary of what happened

The Alerts

There’s a whole lot of badness in our traffic alerts, all of which points to only a handful of places to look within the PCAP. Here are a few key alerts:

Snippet of Suricata alerts showing successful PayPal phishes
Snippet of Suricata alerts showing Possible JavaScript Obfuscation
  • 54.231.98.99

Analysis

As with every MTA exercise, we begin by profiling our subject host. Once again, I can find a lot of information from our DHCP packets:

Screenshot of DHCP traffic from Wireshark
Screenshot of DHCP Inform packet from Wireshark
  • System Name: Manny-PC
  • MAC Address: 00:24:e8:83:a5:69
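The host name and MAC address above come straight out of the DHCP traffic: the client hardware address sits in the fixed BOOTP header (chaddr), and Windows clients send their computer name in DHCP option 12. The following parser is an added example, not code from the original post or from the MTA exercise; it builds a constructed DHCP INFORM carrying the values found above (the client IP 10.0.0.5 is made up) and then pulls the message type, MAC and host name back out of it. The same parse_dhcp function works on the UDP payload of any real DHCP packet, which is how you would script this step instead of reading it off a Wireshark screenshot.

```python
"""Extract host name and MAC address from a DHCP message (RFC 2131 / RFC 2132).

Added example for profiling the subject host; the packet below is constructed,
not taken from the exercise PCAP.
"""
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that precedes the options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
BOOTP_HEADER_LEN = 236                     # fixed header before the magic cookie


def build_dhcp_inform(mac: bytes, hostname: str, client_ip: str, xid: int = 0x1234ABCD) -> bytes:
    """Build a minimal DHCP INFORM as a Windows client would send it (constructed sample)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                        # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0,                         # transaction id, secs, flags
        socket.inet_aton(client_ip),       # ciaddr: INFORM carries the client's own address
        b"\0" * 4, b"\0" * 4, b"\0" * 4,   # yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"),              # chaddr (16 bytes, MAC in the first hlen bytes)
        b"\0" * 64, b"\0" * 128,           # sname, file
    )
    options = (
        bytes([53, 1, 8])                              # option 53: message type INFORM
        + bytes([61, 1 + len(mac), 1]) + mac           # option 61: client id (htype + MAC)
        + bytes([12, len(hostname)]) + hostname.encode("ascii")   # option 12: host name
        + bytes([255])                                 # end option
    )
    return header + DHCP_MAGIC + options


def parse_dhcp(data: bytes) -> dict:
    """Return {'type', 'mac', 'hostname'} from a DHCP message's UDP payload."""
    if len(data) < BOOTP_HEADER_LEN + 4 or data[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = data[2]
    chaddr = data[28:28 + hlen]            # chaddr starts at offset 28 of the BOOTP header
    info = {"type": None, "mac": ":".join(f"{b:02x}" for b in chaddr), "hostname": None}

    i = BOOTP_HEADER_LEN + 4               # first option follows the magic cookie
    while i < len(data):
        code = data[i]
        if code == 0:                      # pad option has no length byte
            i += 1
            continue
        if code == 255:                    # end option
            break
        if i + 1 >= len(data):             # truncated option header
            break
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:            # truncated option value
            break
        if code == 53 and length == 1:
            info["type"] = MSG_TYPES.get(value[0], f"type-{value[0]}")
        elif code == 12:
            info["hostname"] = value.decode("ascii", errors="replace")
        i += 2 + length
    return info


def profile_sample_host() -> dict:
    """Round-trip the values seen in the exercise through a constructed INFORM packet."""
    packet = build_dhcp_inform(bytes.fromhex("0024e883a569"), "Manny-PC", "10.0.0.5")
    return parse_dhcp(packet)


if __name__ == "__main__":
    for key, value in profile_sample_host().items():
        print(f"{key:>8}: {value}")
```

In a real capture you would feed parse_dhcp the UDP payload of each packet on port 67/68 and keep the first INFORM or REQUEST that carries option 12; the chaddr field is authoritative for the MAC even when option 61 is absent.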
91.194.91.203

Screenshot of Wireshark filtered on IP address 91.194.91.203
Screenshot of Wireshark filtered on IP address 91.194.91.203 and http.host
Snippet of Suricata alert showing a password passed in cleartext

Wireshark display filter: ip.addr==91.194.91.203 && http.host && tcp.port==49273

Screenshot of Wireshark filtered on IP address 91.194.91.203, http.host, and tcp.port 49273
Screenshot of POST information from tcp.stream 116
  • Password: onecooldude
Screenshot of HTML data for index.php
Boring, I know :)
Screenshot from Wireshark showing redirection to confirm.html
Image-less rendering of confirm.html
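The Suricata alert fired because the phishing page's form POSTs the victim's credentials over plain HTTP, so the password is visible to anyone on the path (and to us, in tcp.stream 116). The following detection is an added example, not code from the original post or from Suricata; it reconstructs one HTTP request from a stream, parses the form-urlencoded body, and reports credential-bearing fields without echoing their values. The request text is constructed (the host paypal-example.invalid and the sample credentials are made up), standing in for the real stream shown in the screenshot.

```python
"""Flag cleartext credential submissions in an HTTP POST rebuilt from a TCP stream.

Added example; the request below is constructed and is not the exercise's tcp.stream 116.
"""
from urllib.parse import parse_qs

# Field names that usually carry a secret. Anything containing "pass" is also matched.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pin", "secret", "login_password"}

SAMPLE_BODY = "login_email=victim%40example.com&login_password=SampleSecret1"
SAMPLE_STREAM = (                                   # constructed client-to-server data
    "POST /index.php HTTP/1.1\r\n"
    "Host: paypal-example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\n"
    "\r\n"
    f"{SAMPLE_BODY}"
)


def parse_http_request(raw: str) -> dict:
    """Split one HTTP/1.x request into method, path, lower-cased headers and body."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, path, version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes of a reassembled stream are not treated as body.
    length = int(headers.get("content-length", len(body)))
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body[:length]}


def is_credential_field(name: str) -> bool:
    lowered = name.lower()
    return lowered in CREDENTIAL_FIELDS or "pass" in lowered


def find_cleartext_credentials(raw: str) -> list:
    """Return one finding per credential-like form field in a cleartext POST.

    Values are never included in the output; only their length is reported,
    so the detection log itself does not become a second copy of the secret.
    """
    request = parse_http_request(raw)
    if request["method"] != "POST":
        return []
    content_type = request["headers"].get("content-type", "")
    if not content_type.startswith("application/x-www-form-urlencoded"):
        return []
    fields = parse_qs(request["body"], keep_blank_values=True)
    findings = []
    for name, values in fields.items():
        if is_credential_field(name):
            findings.append({
                "host": request["headers"].get("host"),
                "path": request["path"],
                "field": name,
                "value_length": len(values[0]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_STREAM):
        print(f"cleartext credential: field {finding['field']!r} "
              f"({finding['value_length']} chars) posted to "
              f"http://{finding['host']}{finding['path']}")
```

Pairing the Host header with the landing page's branding is what turns this from "someone logged in over HTTP" into "a PayPal login went to a host that is not PayPal"; the value length is enough to confirm a real submission while keeping the password out of your notes.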

54.231.98.99

The second IP address was flagged for obfuscated JavaScript, but believe it or not, actually looks to be related to mailchimp[.]com:

Screenshot of Wireshark filtered on IP address 54.231.98.99
Snippet of data from tcp.stream 200

Be selective with your battles.