2020-06-12 - TRAFFIC ANALYSIS EXERCISE ANSWERS

Link to exercise: https://www.malware-traffic-analysis.net/2020/06/12/index.html

Links to some tutorials I've written that should help with this exercise:

• Customizing Wireshark - Changing Your Column Display
• Using Wireshark: Identifying Hosts and Users
• Using Wireshark - Display Filter Expressions
• Using Wireshark: Exporting Objects from a Pcap
ENVIRONMENT:
• LAN segment range: 10.6.12.0/24 (10.6.12.0 through 10.6.12.255)
• Domain: frank-n-ted.com
• Domain controller: 10.6.12.12 - Frank-n-Ted-DC
• LAN segment gateway: 10.6.12.1
• LAN segment broadcast address: 10.6.12.255

QUESTIONS:
Figure out what's going on.

ANSWERS:
What's going on? An infected Windows host, that's what!

First of all, there are two user accounts associated with two Windows clients:

IP address: 10.6.12.157
MAC address: 00:11:75:68:42:d3 (IntelCor_68:42:d3)
Host name: DESKTOP-86J4BX
User account name: ted.brokowski

IP address: 10.6.12.203
MAC address: 84:3a:4b:6d:fc:e2 (IntelCor_6d:fc:e2)
Host name: LAPTOP-5WKHX9YG
User account name: frank.brokowski

Page 1 of 4
These computers are used by the infamous Frank and Ted Brokowski of
frank-n-ted.com. These two brothers would rather be watching a Youtube
video than figuring out what happened. But that's why you're here, right?

Which of the two hosts got infected? Maybe both.

At 17:45:45 UTC, 10.6.12.157 retrieves invoice-86495.doc from
cardboardspaceshiptoys.com, but that's redirected to an HTTPS URL.

However, this URL was submitted to Any.Run, and you can find the analysis
here: https://app.any.run/tasks/0f0da931-b346-40b9-8485-1e2b4569a425.

In the analysis, that URL returns a Word document that generated a follow-up
HTTPS URL to https://immortalshield.com/read.php, but return traffic from
immortalshield.com shows a 404 PAGE NOT FOUND. We have HTTPS
activity between 10.6.12.157 and immortalshield.com in our pcap.

However, we see HTTP traffic from 10.6.12.203 to the following URLs:

• 205.185.125.104 - GET /pQBtWj
• 205.185.125.104 - GET /files/june11.dll

Shown above: Using our basic web filter in Wireshark.

Follow the TCP stream for the HTTP GET request ending with june11.dll, and
you'll see a Windows DLL or EXE.

Shown above: TCP stream showing an EXE or DLL returned from
205.185.125.104 for GET /files/june11.dll.

If you export this file from the pcap, you'll find it's detected by at least 19
vendors in VirusTotal as malware.
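The TCP stream only tells you "a Windows DLL or EXE" because both start with the same MZ/PE headers; the Characteristics field in the COFF file header tells you which. The following is an added example (not code from the exercise or its author) that splits an exported HTTP response into headers and body, checks for a PE image, reads that flag, and computes the SHA-256 you would paste into VirusTotal. The HTTP response and the PE bytes are constructed stand-ins; they are not the june11.dll from the pcap.

```python
import hashlib
import struct

IMAGE_FILE_DLL = 0x2000  # Characteristics bit set on DLL images (PE/COFF format)


def build_fake_pe(is_dll: bool) -> bytes:
    """Constructed stand-in for a PE file: DOS header, e_lfanew, PE signature,
    COFF file header. Only the fields this example inspects are meaningful."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # offset of the PE signature
    characteristics = 0x2102 if is_dll else 0x0102  # EXECUTABLE_IMAGE | 32BIT_MACHINE (| DLL)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 64


def build_http_response(body: bytes) -> bytes:
    """Constructed HTTP/1.1 response wrapping the body, as it appears in a TCP stream."""
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: nginx\r\n"
        b"Content-Type: application/octet-stream\r\n"
    )
    headers += b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
    return headers + body


def split_http_response(raw: bytes):
    """Split a raw response into (status line, header dict, body), honouring Content-Length."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response: no end of headers")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    length = int(headers.get("content-length", len(rest)))
    return status, headers, rest[:length]


def classify_pe(body: bytes):
    """Return 'DLL', 'EXE', or None if the body is not a PE image."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    if e_lfanew + 24 > len(body) or body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Characteristics sits 22 bytes past the PE signature (after 6 other COFF fields)
    characteristics = struct.unpack_from("<H", body, e_lfanew + 22)[0]
    return "DLL" if characteristics & IMAGE_FILE_DLL else "EXE"


def analyze_response(raw: bytes) -> dict:
    """Summarise an exported HTTP object: status, declared type, PE type, SHA-256 for a VT lookup."""
    status, headers, body = split_http_response(raw)
    return {
        "status": status,
        "content_type": headers.get("content-type"),
        "size": len(body),
        "pe_type": classify_pe(body),
        "sha256": hashlib.sha256(body).hexdigest(),
    }


if __name__ == "__main__":
    for flag in (True, False):
        print(analyze_response(build_http_response(build_fake_pe(flag))))
    print(analyze_response(build_http_response(b"<html>not a binary</html>")))
```

Hash the body, not the whole stream: the SHA-256 of the exported object is what VirusTotal indexes, and the HTTP headers would change it. A Content-Type of application/octet-stream is a hint, not evidence; the MZ/PE check is what actually tells you a binary came down.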

Less than two minutes after the HTTP requests to 205.185.125.104, several
HTTP POST requests from 10.6.12.203 go to snnmnkxdhflwgthqismb.com.

• 5.101.51.151 port 80 - snnmnkxdhflwgthqismb.com - POST /post.php

This is HTTP post-infection traffic for ZLoader malware.
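The pattern that gives this away is a sequence: a GET for a DLL from a bare IP address, then within a couple of minutes a run of POSTs from the same client to a domain that looks machine-generated. The following is an added example (not code from the exercise or its author) that applies that sequence rule to a list of HTTP request records such as you would export from Wireshark. The hosts and URIs are the ones named in this write-up; the timestamps after the first one are constructed for the example and are not taken from the pcap, and the "looks like DGA" vowel-ratio heuristic is an assumption of this example, not a rule from the exercise.

```python
import re
from datetime import datetime

# Constructed request records (timestamp, client IP, method, host header, URI).
# Hosts/URIs follow the write-up; timestamps after the first are made up.
SAMPLE_REQUESTS = [
    ("2020-06-12 17:45:45", "10.6.12.157", "GET", "cardboardspaceshiptoys.com", "/invoice-86495.doc"),
    ("2020-06-12 17:48:10", "10.6.12.203", "GET", "205.185.125.104", "/pQBtWj"),
    ("2020-06-12 17:48:12", "10.6.12.203", "GET", "205.185.125.104", "/files/june11.dll"),
    ("2020-06-12 17:49:40", "10.6.12.203", "POST", "snnmnkxdhflwgthqismb.com", "/post.php"),
    ("2020-06-12 17:50:05", "10.6.12.203", "POST", "snnmnkxdhflwgthqismb.com", "/post.php"),
    ("2020-06-12 17:50:30", "10.6.12.203", "POST", "snnmnkxdhflwgthqismb.com", "/post.php"),
    ("2020-06-12 17:51:00", "10.6.12.157", "GET", "www.youtube.com", "/watch"),
]

EXECUTABLE_SUFFIXES = (".dll", ".exe")
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def looks_like_dga(host: str, min_len: int = 12, max_vowel_ratio: float = 0.25) -> bool:
    """Crude heuristic (an assumption of this example): a long, nearly vowel-free
    first label. Good enough to rank hosts for a human to look at, not to block on."""
    label = host.split(".")[0].lower()
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return vowels / len(label) <= max_vowel_ratio


def find_infection_chains(requests, window_seconds: int = 120):
    """For each client, pair every GET of a .dll/.exe with the first POST that follows
    within window_seconds, then count all later POSTs to that same host as beacons."""
    by_client = {}
    for ts, src, method, host, uri in requests:
        by_client.setdefault(src, []).append((parse_ts(ts), method, host, uri))

    chains = []
    for client, reqs in by_client.items():
        reqs.sort()
        for i, (t0, method, host, uri) in enumerate(reqs):
            if method != "GET" or not uri.lower().endswith(EXECUTABLE_SUFFIXES):
                continue
            later = reqs[i + 1:]
            first_post = next(
                ((t, h, u) for t, m, h, u in later
                 if m == "POST" and (t - t0).total_seconds() <= window_seconds),
                None,
            )
            if first_post is None:
                continue  # executable download with no follow-up POST: note it, but no chain
            t1, c2_host, c2_uri = first_post
            beacons = sum(1 for t, m, h, u in later if m == "POST" and h == c2_host)
            chains.append({
                "client": client,
                "download": f"http://{host}{uri}",
                "download_from_ip_literal": bool(IP_LITERAL.match(host)),
                "seconds_to_first_post": int((t1 - t0).total_seconds()),
                "c2": f"{c2_host}{c2_uri}",
                "c2_host_looks_dga": looks_like_dga(c2_host),
                "post_count": beacons,
            })
    return chains


if __name__ == "__main__":
    for chain in find_infection_chains(SAMPLE_REQUESTS):
        print(chain)
```

Run against the sample, this reports one chain for 10.6.12.203 (june11.dll, then POSTs to snnmnkxdhflwgthqismb.com) and nothing for 10.6.12.157, which matches the conclusion of this write-up: a suspicious document retrieval on Ted's host, but the executable-plus-beaconing sequence only on Frank's.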


Shown above: Use your basic web filter, then scroll down a bit to find the
ZLoader post-infection traffic.

Most of the time, ZLoader post-infection traffic is HTTPS, and it's much harder
to detect from a pcap. However, this ZLoader campaign currently uses
unencrypted HTTP for the post-infection activity. For more background on this
type of infection, see:

• https://isc.sans.edu/forums/diary/Job+applicationthemed+malspam+pushes+ZLoader/26222/

To summarize, we have a probable malicious Word document retrieved by
Ted Brokowski at 10.6.12.157, but we don't have any solid evidence of
post-infection traffic. But we do have evidence of a malicious DLL file and
post-infection traffic on Frank Brokowski's computer at 10.6.12.203.

It makes me feel like saying, "Heeey yeaah yeaah yeaaaaaaaah!" Who's with
me?
