Packet Capture Analysis - Ursnif or How I Learned to Stop Worrying and Love Snort

How I Learned to Stop Worrying and Love Snort

July 5, 2018 - 4 minute read
Security

Introduction

Here's a short write-up of a pcap analysis I did a few weeks ago. It was done over a couple of hours, so I may certainly have missed some things; let me know if you see anything else. I have linked to the pcap below so you can take a look yourself.

The tools I used are here:

Note: all of these tools are open source or free!

Scenario from Malware Traffic Analysis:

On Tuesday 2017-06-27, you notice several high-priority alerts from two different Intrusion Detection Systems (IDS). One IDS is running Snort using the Snort subscription ruleset, and the other is running Suricata using the EmergingThreats Pro ruleset. The results indicate a Windows computer was infected at your company’s Japan field office. You are tasked to investigate! You have the pcap, a text file containing the Snort alerts, and a text file containing the Suricata alerts.

Traffic starts at June 27th 2017 14:38:32. The machine is infected with a trojan after visiting a malicious website, presumably after clicking a malicious link or opening an attachment in an email.

Following this, a number of malicious domains are visited in the space of less than 10 minutes, files are downloaded and C&C activity can be observed. Data is exchanged with most of these servers via SSL (TLS), but a few connections are plain HTTP, which allows the infection to be confirmed via a POST request from the host, carrying an identifier cookie, to the compromise server.

A number of the domains visited serve executables which are then used to further infect the machine and begin more malicious activity, including:

  • Sending email over SMTP, probably spamming to infect more machines.

  • Downloading more malicious files.

  • Visiting domains that use malicious JavaScript code.

  • SMB scanning activity.

Host Machine

Machine Name: FlashGordon-PC

Machine Make: Dell

Machine IP: 192.168.1.96

Initiating Malicious Domains

matied[.]com

lounge-haarstudio[.]nl

vantagepointtechnologies[.]com

rts21.co[.]jp

Files Downloaded

gerv.gun - unable to extract from the pcap.
MD5 (trow.exe) = fb75d4f81be51074bb4147e781e5b402
MD5 (wp.exe) = 4da48f6423d5f7d75de281a674c2e620
MD5 (t64.bin) = 69e5e0a17f197cae3723adfc5f894d49

Evidence and Analysis

DNS resolution to matied[.]com - Connection to 119.28.70.207. The first observation is a WinHTTP request, probably from a PowerShell script delivered by some sort of malspam or via MITM. There is a TCP handshake followed by a GET request to download a .gun file:

GET - gerv.gun. Octet stream file download, followed by large amounts of 'bad' TCP traffic from packet 71 onwards, with padding and random strings.

The .gun file probably has an executable hidden within it as a way of obfuscating it, in an attempt to avoid signature detection by AV. This is a dropper, which will then trigger the download of the malicious payload.
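To show what the "executable hidden in a .gun file" observation looks like as a repeatable check, here is an added Python example (not code from this write-up) that takes a reassembled HTTP request/response pair, carves the octet-stream body, tests for the PE "MZ" header and DOS stub text, and hashes the body for comparison against the MD5s listed above. The request, response and body bytes are constructed inside the script; the body is a fake stub that only begins like a PE file, not the real gerv.gun.

```python
import hashlib

# Constructed sample standing in for a TCP stream reassembled from the pcap:
# the client's GET followed by the server's octet-stream reply. The body is a
# fake stub that merely begins like a PE file; it is not the real gerv.gun.
SAMPLE_REQUEST = (
    b"GET /gerv.gun HTTP/1.1\r\n"
    + b"Host: matied.com\r\n"
    + b"User-Agent: WinHTTP Example/1.0\r\n"
    + b"\r\n"
)
SAMPLE_BODY = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode" + b"\x00" * 64
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    + b"Content-Type: application/octet-stream\r\n"
    + b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n"
    + b"\r\n" + SAMPLE_BODY
)

BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}
KNOWN_BAD_MD5 = {  # hashes from the write-up's "Files Downloaded" list
    "fb75d4f81be51074bb4147e781e5b402",
    "4da48f6423d5f7d75de281a674c2e620",
    "69e5e0a17f197cae3723adfc5f894d49",
}
DOS_STUB = b"This program cannot be run in DOS mode"


def parse_http(raw):
    """Split an HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii", "replace")
    return lines[0].decode("ascii", "replace"), headers, body


def carve_download(request_raw, response_raw):
    """Carve the response body and describe it the way a triage note would."""
    request_line, req_headers, _ = parse_http(request_raw)
    method, path, _ = request_line.split(" ", 2)
    _, resp_headers, body = parse_http(response_raw)
    body = body[:int(resp_headers.get("content-length", len(body)))]
    ctype = resp_headers.get("content-type", "").split(";")[0].strip().lower()
    md5 = hashlib.md5(body).hexdigest()
    return {
        "method": method,
        "host": req_headers.get("host", ""),
        "filename": path.split("?")[0].rsplit("/", 1)[-1],
        "content_type": ctype,
        "binary_type": ctype in BINARY_TYPES,
        "is_pe": body.startswith(b"MZ"),      # PE/MZ magic regardless of extension
        "dos_stub": DOS_STUB in body,          # the string seen in the strings output
        "size": len(body),
        "md5": md5,
        "sha256": hashlib.sha256(body).hexdigest(),
        "known_bad": md5 in KNOWN_BAD_MD5,
    }


def findings(info):
    """Turn the carved-file description into the reasons an analyst would note."""
    notes = []
    exe_exts = (".exe", ".dll", ".scr")
    if info["is_pe"] and not info["filename"].lower().endswith(exe_exts):
        notes.append("PE header inside a non-executable filename: " + info["filename"])
    if info["binary_type"] and info["is_pe"]:
        notes.append("binary download carries a Windows executable")
    if info["known_bad"]:
        notes.append("MD5 matches a known-bad hash")
    return notes


if __name__ == "__main__":
    info = carve_download(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    print(info["host"], info["filename"], info["content_type"], info["md5"])
    for note in findings(info):
        print(" -", note)
```

On a real stream you would feed the script the bytes from Wireshark's "Follow TCP Stream" (raw) for the request and the response; the Content-Length trim matters because the write-up notes padding and junk TCP traffic after the download.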

POST to 119.28.70.207
auth/ajax/847598782/?min=data
/auth/min/828949448/

DNS resolution to lounge-haarstudio[.]nl - Connection to 145.131.10.21. A GET request is sent to download another malicious file.

GET - lounge-haarstudio[.]nl/oud/trow.exe. Octet stream binary file download; Keep-Alive, PSH and ACK confirm the data was downloaded. VirusTotal detects this file as malicious - Trojan.Cutwail.

Running 'strings' on the file, the following suspicious DLLs are referenced:

kernel32.dll
KERNEL32.dll
USER32.dll
GDI32.dll
ADVAPI32.dll
SHELL32.dll
ole32.dll
WinSCard.dll
COMCTL32.dll
pdh.dll
RPCRT4.dll
gdiplus.dll
WINHTTP.dll
WTSAPI32.dll

There are some interesting strings towards the end of the file also:

'This program cannot be executed in DOS mode'
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

This file is then used to download further files via octet stream from a large number of domains; some of the downloads fail with 403 or 503 errors. A full list will be sent with this file.

DNS resolution to vantagepointtechnologies[.]com - Connection to 143.95.151.192

GET request for 'wp.exe', served as an ms-download.

This is a 32-bit Windows executable. It looks to be related to a series of ransomware variants; however, this file does not appear to behave in that way, as the machine continues to operate. Instead it behaves much more like a dropper.

Virustotal detects this file as malicious - Trojan.Ursnif

Strings and DLLs that could be malicious:

‘This program cannot be executed in DOS mode’
user32.dll
kernel32.dll
shell32.dll
azroles.dll
advapi32.dll
aappgnui.dll
aernel32.dll
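The two 'strings' listings above (trow.exe and wp.exe) are read by eye in the write-up. As an added example that is not part of the original post, the following Python script does the same triage in code: it extracts printable strings from a constructed byte blob, separates well-known DLL names from names that differ from a known one by a single character (aernel32.dll beside kernel32.dll, for instance), and tags the imports that deserve a closer look in a suspected dropper. The blob, the known-DLL table and the annotations are the example's own assumptions, not output from the real samples.

```python
import re

# Well-known Windows DLL names (lower-cased); extend for your environment
KNOWN_DLLS = {
    "kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll", "shell32.dll",
    "ole32.dll", "winscard.dll", "comctl32.dll", "pdh.dll", "rpcrt4.dll",
    "gdiplus.dll", "winhttp.dll", "wtsapi32.dll", "azroles.dll", "ntdll.dll",
    "wininet.dll", "ws2_32.dll",
}
# Imports that deserve a second look in a suspected dropper (example annotations)
NOTEWORTHY = {
    "winhttp.dll": "HTTP client, consistent with the WinHTTP download seen in the pcap",
    "wininet.dll": "HTTP client",
    "ws2_32.dll": "raw sockets (SMTP / SMB activity)",
    "winscard.dll": "smart card access",
    "wtsapi32.dll": "terminal session enumeration",
    "azroles.dll": "authorization manager",
}

# Constructed stand-in for a binary: printable strings separated by NUL bytes,
# including correctly spelled imports and two odd names like those in wp.exe.
SAMPLE_BLOB = (
    b"\x00\x01MZ\x90" + b"This program cannot be run in DOS mode\x00"
    + b"kernel32.dll\x00USER32.dll\x00WINHTTP.dll\x00"
    + b"aernel32.dll\x00aappgnui.dll\x00LC_ALL\x00\x02\x03"
)


def extract_strings(data, min_len=4):
    """Roughly what `strings` prints: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def edit_distance(a, b):
    """Levenshtein distance, used to spot single-character DLL name variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_dll_names(strings):
    """Sort the .dll strings into known, noteworthy, look-alike and unknown."""
    result = {"known": [], "noteworthy": {}, "lookalike": {}, "unknown": []}
    for s in strings:
        name = s.lower()          # kernel32.dll and KERNEL32.dll are the same import
        if not name.endswith(".dll"):
            continue
        if name in KNOWN_DLLS:
            if name not in result["known"]:
                result["known"].append(name)
            if name in NOTEWORTHY:
                result["noteworthy"][name] = NOTEWORTHY[name]
            continue
        # One edit away from a real DLL name: mangled, typo-squatted or decoy
        close = sorted(k for k in KNOWN_DLLS if edit_distance(name, k) <= 1)
        if close:
            result["lookalike"][name] = close
        elif name not in result["unknown"]:
            result["unknown"].append(name)
    return result


if __name__ == "__main__":
    report = classify_dll_names(extract_strings(SAMPLE_BLOB))
    for bucket, items in report.items():
        print(bucket, items)
```

Run against a real sample by replacing SAMPLE_BLOB with `open(path, "rb").read()`; the look-alike bucket is the one that would have surfaced aernel32.dll without reading the whole listing.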

This is most likely the last stage of the dropper and the machine will now phone home to the C&C Server.

POST to www.pohlfood[.]com - Connection to 96.82.200.1

Detected by PacketTotal.com as potentially malicious and potentially Pushdo.S C&C. The POST provides a cookie which presumably lets the C&C know this is a legitimate infection and not a researcher looking at the site.

There are a very large number of Pushdo communication events, a number of them conducted over SSL (TLS); these are presumably commands sent to the malware from the C&C server, instructing it to contact other malicious domains and attempt to spread the infection to other machines. One such domain is www.kid67ap2i5b5d4ekvcg[.]com.

POST to tryns[.]com - Connection to 62.210.140.158
C&C communication, again using cookies to identify as a new infected host.
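The three C&C POSTs above share one shape: a POST carrying a cookie to a host already on the indicator list. As an added example (not from this write-up or from Snort), here is Python detection logic that applies that pattern to a constructed list of HTTP request summaries of the kind you export from a pcap, rating a plain contact with an IoC host as medium and a cookie-bearing POST as a high-severity check-in. The indicator hosts, IPs and the numeric /auth/ path pattern come from this page; the event records are constructed, with TEST-NET addresses for the benign traffic.

```python
import re

# Indicators taken from the write-up above
IOC_HOSTS = {"matied.com", "www.pohlfood.com", "tryns.com"}
IOC_IPS = {"119.28.70.207", "96.82.200.1", "62.210.140.158"}
# Numeric check-in paths of the form seen on matied[.]com:
# /auth/ajax/<digits>/ and /auth/min/<digits>/
CHECKIN_PATH = re.compile(r"^/auth/(?:ajax|min)/\d+/")

# Constructed HTTP request summaries, the shape you get from exporting HTTP
# requests out of a pcap: (time, src, dst, method, host, uri, sent_cookie).
EVENTS = [
    ("14:38:40", "192.168.1.96", "119.28.70.207", "GET", "matied.com", "/gerv.gun", False),
    ("14:39:02", "192.168.1.96", "119.28.70.207", "POST", "matied.com", "/auth/ajax/847598782/?min=data", True),
    ("14:41:15", "192.168.1.96", "96.82.200.1", "POST", "www.pohlfood.com", "/", True),
    ("14:41:30", "192.168.1.96", "198.51.100.10", "GET", "updates.example", "/manifest.xml", False),
    ("14:42:01", "192.168.1.96", "62.210.140.158", "POST", "tryns.com", "/", True),
    ("14:42:10", "192.168.1.50", "198.51.100.20", "POST", "intranet.example", "/login", True),
]


def triage_http(events):
    """Raise an alert for every request to an IoC host/IP, rated by check-in signs."""
    alerts = []
    for ts, src, dst, method, host, uri, cookie in events:
        reasons = []
        if host.lower() in IOC_HOSTS:
            reasons.append("host on IoC list")
        if dst in IOC_IPS:
            reasons.append("destination IP on IoC list")
        if not reasons:
            continue  # a cookie-bearing POST to a non-IoC host is ordinary web traffic
        checkin = method == "POST" and cookie
        if checkin:
            reasons.append("POST carrying a cookie (check-in pattern)")
        if CHECKIN_PATH.match(uri):
            reasons.append("numeric check-in path")
        alerts.append({
            "ts": ts, "src": src, "host": host, "uri": uri,
            "severity": "high" if checkin else "medium",
            "reasons": reasons,
        })
    return alerts


def confirmed_infections(alerts):
    """Map each source host that checked in (high severity) to the C&C hosts it used."""
    by_src = {}
    for a in alerts:
        if a["severity"] == "high":
            by_src.setdefault(a["src"], set()).add(a["host"])
    return {src: sorted(hosts) for src, hosts in by_src.items()}


if __name__ == "__main__":
    found = triage_http(EVENTS)
    for a in found:
        print(a["ts"], a["src"], a["severity"], a["host"] + a["uri"], "; ".join(a["reasons"]))
    print("confirmed:", confirmed_infections(found))
```

The same split (IoC contact versus cookie check-in) is what you would express as two Snort rules with different priorities; here it is kept in one script so it can be run over an exported request list offline.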

DNS resolution to rts21[.]co[.]jp - Connection to 59.106.164.230
Detected by Hybrid Analysis as malicious.
GET t64.bin

Another malicious file requested after the suspected initial infection. This file could be used to gain persistence.

SMB requests sent to the DHCP server.

This could be the malware scanning for SMB shares to exploit for lateral movement.

OpenDNS Queries

These are observed after the initial infection, and as the host uses 192.168.1.1 as its primary DNS we can assume that this behaviour can be attributed to the malware.
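The reasoning in that paragraph (the host's configured resolver is 192.168.1.1, so queries sent elsewhere are the malware's) can be turned into a check. The following Python is an added example, not code from this write-up: over a constructed list of DNS query records it builds a per-host resolver profile, flags every query that bypassed the configured resolver, and separately flags lookups of the domains named on this page. The query records are constructed; the two 208.67.x.x addresses are OpenDNS's public resolvers, and the resolver address and IoC domains come from the page.

```python
from collections import Counter

CONFIGURED_RESOLVER = "192.168.1.1"  # the host's primary DNS, per the write-up
IOC_DOMAINS = {  # domains named in the write-up
    "matied.com", "lounge-haarstudio.nl", "vantagepointtechnologies.com",
    "rts21.co.jp", "www.pohlfood.com", "tryns.com", "www.kid67ap2i5b5d4ekvcg.com",
}

# Constructed DNS query records (time, src, resolver, qname). 208.67.222.222
# and 208.67.220.220 are OpenDNS's public resolvers; the benign names are made up.
DNS_QUERIES = [
    ("14:38:32", "192.168.1.96", "192.168.1.1", "matied.com"),
    ("14:38:50", "192.168.1.96", "192.168.1.1", "lounge-haarstudio.nl"),
    ("14:39:10", "192.168.1.96", "192.168.1.1", "updates.example"),
    ("14:40:05", "192.168.1.96", "208.67.222.222", "www.kid67ap2i5b5d4ekvcg.com"),
    ("14:40:06", "192.168.1.96", "208.67.220.220", "tryns.com."),
    ("14:40:30", "192.168.1.50", "192.168.1.1", "intranet.example"),
]


def resolver_profile(queries):
    """Per source host, how many queries went to each resolver."""
    profile = {}
    for _, src, resolver, _ in queries:
        profile.setdefault(src, Counter())[resolver] += 1
    return profile


def flag_dns(queries, configured=CONFIGURED_RESOLVER):
    """Alert on queries that bypass the configured resolver or ask for an IoC domain."""
    alerts = []
    for ts, src, resolver, qname in queries:
        name = qname.lower().rstrip(".")   # normalise trailing dot and case
        reasons = []
        if resolver != configured:
            reasons.append("bypassed configured resolver, sent to " + resolver)
        if name in IOC_DOMAINS:
            reasons.append("lookup of IoC domain")
        if reasons:
            alerts.append({"ts": ts, "src": src, "resolver": resolver,
                           "qname": name, "reasons": reasons})
    return alerts


def hosts_bypassing_resolver(queries, configured=CONFIGURED_RESOLVER):
    """Hosts that used a resolver other than the configured one, and which ones."""
    return {
        src: sorted(r for r in counts if r != configured)
        for src, counts in resolver_profile(queries).items()
        if any(r != configured for r in counts)
    }


if __name__ == "__main__":
    for a in flag_dns(DNS_QUERIES):
        print(a["ts"], a["src"], "->", a["resolver"], a["qname"], "; ".join(a["reasons"]))
    print("resolver bypass:", hosts_bypassing_resolver(DNS_QUERIES))
```

On a real capture the records come from Wireshark's DNS filter (`dns.flags.response == 0`) with source, destination and query name exported; the resolver profile is also a quick way to spot a host whose queries split between the internal resolver and a public one, which is the pattern the write-up describes.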

SMTP connections

A potential command buffer overflow exploit is attempted a number of times, presumably aiming at admin privilege escalation.

There are also a number of connections to SMTP services, which the malware uses to continue the spam campaign and spread itself further.

Javascript Exploits

Snort can detect a number of JavaScript obfuscation and non-alphanumeric attacks; for example, 104.28.1.196 attempts a WAF bypass.