In this exercise, I investigate an incident wherein a user got compromised through a malicious email. My goal is to figure out how the computer got infected and document my findings.

This malware exercise was obtained from malware-traffic-analysis.net. It contains packet capture of the incident, the incident artefacts, the incident logs and four associated emails.

This blog post is sectioned under the various headings to aid clarity and understanding: Preparation, Initialization, Analysis with Kibana, Analysis with Sguil, Observation of Suspicious Emails, Analysis with Wireshark, Log Inspection, Malware Artefact Inspection and Summary.

Let's Dive in!

Preparation

I begin by downloading the malware exercise. Then, I extract the password-protected pcap file to the Downloads folder of my virtual machine and rename it "malware". Afterwards, I check the status of the security tools in Security Onion from the terminal by entering the command, sudo so-status.The terminal outputs the status of these tools as shown below: To make sure that Kibana and Logstash statuses are ok, I enter the command sudo so-kibana-start and then sudo so-logstash-start.After this, I once again confirm the status of the tool by entering sudo so-status command.

Initialization

To commence the malware analysis, I print my current working directory with the command pwd move to the Downloads folder with the command cd Downloads/ and list its contents with ls command. Afterwards, I import the downloaded malware pcap by entering the command sudo so-import-pcap malware.pcap as shown below:

When the import is complete, the terminal print out a hyperlink to view packets within the time range of my import in Kibana.

I copy this link and paste it into an open tab on the chrome browser. With that, Kibana loads up. I supply my login credentials when prompted and then the data within the set time in the hyperlink I copied from the terminal is displayed.

Analysis with Kibana

The Kibana overview displays some useful information, such as the Total Number of Logs, Total Log Count Over Time, All Sensors Log Types, Services by Destination Country, NIDS log count, NIDS alert Summary and all Logs.

The NIDS Alert summary describes the alert as a Trojan activity, ET Trojan Win23/Bancos.AMM CnC Beacon. In addition, it provides the source and destination Ip address associated with the malicious activity as shown below:

Win32 is a Microsoft Windows APIs used for developing 32-bit applications. So the machine associated with this malicious traffic is a windows system.

Bancos is the name of the malware family that this malicious traffic is categorized.

CnC stands for Command and Control; an intermediary server that attackers use to communicate to the compromised system. The communication between the compromised system and the attacker's CnC server usually resembles normal network traffic activity via HTTP, HTTPS or DNS

Beacon is a recurrent connection established between two IP addresses. In this case, the IP addresses are of the compromised host and the CnC server.

To gain more insight on this suspicious traffic, I research the alert message ET Trojan Win23/Bancos.AMM CnC Beacon by pasting it in my Search Engine. Microsoft Security Intelligence describes it has is a family of password-stealing trojans that target specific online banking Web sites commonly located in Brazil. The page also contains information about its aliases, known objectives and behaviour, targetted industry, payload, etc. You can read more here

The two IP addresses associated with the malicious traffic (Source IP: 192.168.137.113 and Destination IP: 69.49.115.400 are recorded. To further this analysis, I go to the NIDS Alert Data dashboard by clicking NIDS.

The NIDS Alert dashboard reveals the alert count as 6, the source and destination ports as 49311 and 80 respectively, severity as 1 and the time of the first alert as Aug 5, 2015 @ 16:04:36:000. I click the alert _id value and then pivot to CapME to observe the transcript of the first event.

The part marked 1 is the pcap file related to this attack. The area marked 2 shows the timestamp as shown below.

In the part marked 3, the POST/accord/point.php HTTP/1.0 requests that server/ remote host, australiano2015.combr accepts the data enclosed in the application/x-www-form-urlencoded.

The source connection type, keep-alive indicates a persistent connection.

The User-agent gives information about the agent requesting the HTTP POST. This information includes the name of the application/product, application version, operating system, platform details and extensions, respectively.

The source ID/name of the affected host is observed to be PERTRUIDE.

The HTTP 200 OK is a status code that indicates that the request was successful.

Port 80 which is the destination port of the malicious traffic in NIDS alerts is known for HTTP Traffic. Hence, to further the investigation with Kibana, I click the HTTP entry under Zeek Hunting heading. In the HTTP dashboard, I observe the HTTP - MIME Types listed in the Tag Cloud. Also, the HTTP Sites for the websites from the transcript that I read earlier.

Analysis with Sguil

Sguil displays the 6 alerts and we can find similar details about them as we did with Kibana. I select the Show Packets Data and Show Rule checkboxes to see details of the alert. The details describe the alert as Trojan activity, the content as POST, method as HTTP among other things.

I right-click on the alert ID and check the transcript of the first traffic. The transcript displays transactions between the remote server (SRC) and the target host (DST). Again we find the user-agent information, connection type, ID of the compromised host and other information as we did on Kibana earlier.

From Sguil, I pivot to Wireshark to observe more details about the malicious traffic. With the packet selected in the packet details area, I expand the Hypertext Transfer Protocol application layer data. There, I observe the host name austriliano.com.br and request URI, /accord/point.php.

I further investigate the HTTP traffic by using http.request display filter to filter for POST requests using http.request.method=="POST". A second POST request method is observed from the same set of IPs. The host austriliano.com.br, requests the URI /w.php.

Observation of Suspicious Emails

The four emails provided in this exercise are each examined for malicious content. The email screenshot attached below is observed to contain a spoofed sender address.

The first highlight contains the real address of the email sender, shopd.animatursyes.com. The second highlight however provides a spoofed email address, Facebook.com<accounts@passport.com> which is the email address shown upon opening the email by the victim, along with the recipient address. Therefore the recipient is fooled into thinking that this email address came from the trusted source, Facebook.com<accounts@passport.com>. The third highlight contains a malicious/phishing link, http://www.ica.ufmg.br/rha/images.php

Analysis with WireShark

I use Wireshark to open the cap file, malware.pcap to search for the network traffic that contains the malicious link in the spoofed email, http://www.ica.ufmg.br/rha/images.php. To narrow down my search, I filter for tcp streams that contain the keyword images by entering tcp contains images in the Wireshark filter search bar.

I right-click on the packet and select follow, and then tcp streams to see the details of the traffic. Tcp stream reveals an HTTP/1.1 302 Found response code which indicates a URL redirection. The malicious link in the spoofed email, http://www.ica.ufmg.br/rha/images.php. redirects to an HTTPS URL provided in the header field Location: https://downloadpdf.demojoomla.com/Download.rar

The Roshal Archive file /Download.rar in the malicious link above indicates that an archived filed named Download is downloaded when the HTTP redirect takes place.

To identify all the traffic involved with this redirect link, I filter for them with tcp contains downloadpdf.demojoomla.com. In addition to the already identified traffic with the 302 redirect, I find three more. They are shown below:

Log Inspection

I examine the logs for URLs associated with the HTTP redirect traffic. It is the first item marked below:

Malware Artefacts Inspection

In the malware artefacts downloaded from the exercise, I search for the Download.rar file and decompress it. Inside of it, I find a visual basic executable file, Download.vbe.

I search the internet for a VBE to VBS converter and use the one here to convert the Visual Basic executable to a Visual Basic script. The script contains a link to an archive file https://downloadpdf.demojoomla.com/Gravar.zip

In addition, the script contains instructions on a windows executable file name dmw.exe

I search the log files for the URL associated with https://downloadpdf.demojoomla.com/Gravar.zip, it is the second highlight of the log shot above. Then I search the malware artefact for this archived file. Its content is the Microsoft Windows executable file, dmw.exe I upload this file and Virustotal and get the following results.

Summary

Infected computer's hostname: PERTRUIDE-PC Infected computer's IP address: 192.168.137.113 Infected computer's MAC address: 00:1e:4f:6c:ba:05 Infected computer's operating system: Windows 7

The date, time, subject line, and sender of the malicious email that caused the infection are as follows:

Date/Time: Tuesday 2015-08-04 20:16:47 +0000 (UTC) Subject: Voce recebeu comentario de voz em sua foto - 3192132 From: "Facebook.com" <accounts@passport.com> (spoofed sender) To: degrando.rustlyn@world-of-widgets.com

Information on any malware associated with the infection:

The alert message is:

ET TROJAN Win32/Bancos.AMM CnC Beacon ETPRO TROJAN Trojan-Banker.Win32.CdePro Variant CnC Beacon MALWARE-CNC Win.Trojan.Bancos variant outbound connection*

Based on Microsoft Security Intelligence, the malware belongs to a family of password-stealing trojans that target specific online banking Web sites commonly located in Brazil.

Timeline of events leading to the infection.

2015-08-04 20:16 UTC - Degrando receives a malicious email. 2015-08-05 16:01 UTC - Malicious link in the email is clicked 2015-08-05 SOC Sguil alerts SOC 05 Aug 2015 17:04 UTC+1 – The malicious link in the email takes the user to the malicious site http://www.ica.ufmg.br/rha/images/pdf.php 05 Aug 2015 17:01 UTC+1 – Link redirects from the malicious site http://downloadpdf.demojoomla.com/Download.rar 05 Aug 2015 17:03 UTC+1 – Link redirect from the malicious site above tohttp://downloadpdf.demojoomla.com/Gravar.rar 05 Aug 2015 16:04 UTC+1 – Callback traffic to australiano2015.com.br

Infected Traffic:

2015-08-05 16:04 UTC - 69.49.115.40 port 80 - ``australiano2015.com.br - POST /w.php2015-08-05 16:04 UTC - 69.49.115.40 port 80 -australiano2015.com.br - POST /accord/point.php2015-08-05 16:02 UTC - 67.212.169.218 port 443 -downloadpdf.demojoomla.com - GET /Gravar.zip2015-08-05 16:01 UTC - 67.212.169.218 port 443 -downloadpdf.demojoomla.com - GET /Download.rar2015-08-05 16:01 UTC - 150.164.130.253 port 80 -ica.ufmg.br - GET /rha/images/pdf.php```

Associated Malware

1. Download.rar archive downloaded from the link in the email

2. Download.vbe was extracted malware from the zip file, Download.rar

3. Gravar.zip archive was downloaded by the VBE file, Download.vbe

4. dmw.exe malware executable was extracted from the zip file, Gravar.zip