IcedID BackConnect Protocol

This is a follow-up to my Hunting for C2 Traffic video. But I didn't have time to record a short video this time, so I wrote a long blog post instead.

UPDATE 2022-11-02

Brad Duncan has released a new pcap file on malware-traffic-analysis.net, which contains an additional C2 command (0x12). Our analysis indicates that this command launches a file manager. This blog post has now been updated with details about this finding.

UPDATE 2022-11-09

Lenny Hansson has released IDS signatures that detect BackConnect traffic. More details further down in this blog post.

UPDATE 2022-12-05

Lenny has updated his IDS signatures to alert on BackConnect C2 traffic from port 443 in addition to 8080. The signatures in this blog post have now been updated to Lenny's new rev:2 signatures.

UPDATE 2023-04-14

Brad Duncan made the following suggestion in a toot yesterday:

If the protocol for this VNC traffic from Qakbot looks the same as the BackConnect traffic from IcedID infections, perhaps we can just call it BackConnect Protocol without specifying "IcedID"

This is an excellent idea, since IcedID, QakBot as well as Bazar have all been seen using the same BackConnect protocol. We will therefore refer to the protocol described in this blog post as just the “BackConnect Protocol” from now on. This blog post has also been updated accordingly.

IcedID BackConnect C2 Packet Structure

The BackConnect (BC) module uses a proprietary command-and-control (C2) protocol that is pretty straight forward. Both client (bot) and the C2 server typically send commands and responses as 13 byte packets using the following structure:

• Auth: 4 bytes
• Command: 1 byte
• Params: 4 bytes
• ID: 4 bytes

Auth Field

The "Auth" field is presumably used by the bot and C2 server to verify that the other party is communicating using the same protocol and version.

As mentioned by Group-IB and xors the Auth field is typically 0x974F014A (little endian), but we prefer to use the network byte order representation "4a 01 4f 97".

In their IcedID blog post from 2020 Group-IB say:

the auth field that has not changed since at least version 5 of the IcedID core is the constant 0x974F014A

Nevertheless, we recently noticed another BackConnect Auth field being used in the wild. But more on that later.

Commands

The following list of BackConnect C2 commands has been compiled by combining those mentioned by Group-IB with our own analysis of the BackConnect protocol:

• 0x00 = Bot queries for a task
• 0x01 = Set sleep timer
• 0x02 = Bot error
• 0x03 = Reconnect
• 0x04 = Start SOCKS
• 0x05 = Start VNC

We've also discovered these additional commands in BackConnect C2 traffic that uses the Auth value "1f 8b 08 08":

• 0x11 = Start VNC
• 0x12 = Start file manager
• 0x13 = Start reverse shell

Commands 0x04, 0x05, 0x11, 0x12 and 0x13 all cause the bot to connect back to the C2 server using a new BackConnect session, which will be used to wrap either SOCKS, VNC, file manager or reverse shell traffic.

Command 0x01: Set Sleep Timer

The set sleep timer command is issued by the C2 server to instruct the bot to sleep for a certain amount of time before requesting a new task from the C2 server again. The sleep time is defined in the four bytes following directly after the 0x01 command. This value is a 32-bit little endian value indicating the number of seconds the bot should sleep, i.e. "3c 00 00 00" = 0x0000003c = 60 seconds. The most common sleep value seems to be 60 seconds, which is why you'll often see byte sequences like this in IcedID C2 sessions:

zz zz zz zz 01 3c 00 00 00 xx xx xx xx

The following Wireshark display filter will show BackConnect C2 packets, where the bot is configured to sleep for 60 seconds before querying the C2 server for a new command:

tcp.len == 13 and tcp.payload[4:5] == 01:3c:00:00:00

Command 0x04: Start SOCKS

The SOCKS command (0x04) instructs the bot to start the SOCKS module. As an example, the following byte sequence was sent by the IcedID C2 server 91.238.50.80:8080 in Brad Duncan's 2022-06-28 TA578 IcedID pcap on malware-traffic-analysis.net (see frame #10231):

4a 01 4f 97 04 09 00 00 00 8c a2 b1 09

The first four bytes are the auth value, followed by the Start SOCKS command (04).

After receiving this command the bot established a new TCP connection back to the C2 server, where it echoed back the server's "Start SOCKS" command and then started acting like a SOCKS server.

Except for initially echoing the BackConnect Start SOCKS command the SOCKS module actually seems to be compliant with RFC1928, which defines the SOCKS5 protocol. This means that the C2 server can supply an IP address and port number to the bot's SOCKS proxy in order to relay a connection to that host through the bot.

Image: C2 server instructs bot to relay a connection to 188.40.30.100:80

After receiving a Start SOCKS command an IcedID bot immediately establishes a new TCP connection to the specified IP and port, and relays the application layer data back to the C2 server through the SOCKS connection.

Image: Update check of Advanced Port Scanner relayed through the infected machine

In the 2022-06-28 TA578 IcedID pcap the attacker used multiple SOCKS connections to scan the 10.6.21.0/24 network for services running on TCP ports 21, 80, 445 and 4899. That last port (TCP 4899) is typically used by Radmin VPN, which just so happens to be created by the outfit "Famatech" who also develop the "Advanced Port Scanner". The attacker also used the SOCKS module to make several HTTPS connections to servers like 18.204.62.252 (tlx.3lift[.]com), 23.94.138.115 (cmd5[.]org) and 74.119.118.137 (cat.da.us.criteo[.]com). The attacker also proxied connections to 40.97.120.242 and 52.96.182.162 (outlook.live.com) through the infected bot.

NetworkMiner showing hosts that the bot proxied TLS traffic to

JA3 Fingerprints from Proxied Traffic

Since the SOCKS proxy doesn't touch the application layer data we know that the client TLS handshake packets are coming from the C2 server rather than from the bot that's running the SOCKS proxy. This means that we can fingerprint the actual TLS client using JA3.

As you can see in the CapLoader screenshot above, most proxied TLS sessions use the cd08e31494f9531f560d64c695473da9 JA3 hash, but two of them use the rare JA3 hash 598872011444709307b861ae817a4b60. That rare JA3 hash was used only when connecting to outlook.live.com.

Command 0x05 or 0x11: VNC

Brad Duncan's 2022-06-28 TA578 IcedID pcap also contains the "Start VNC" command 0x05.

Image: Flow transcript of Start VNC command

As can be seen in the CapLoader screenshot above, Start VNC commands were sent at 16:33:33 and 16:34:06 UTC. And just like the SOCKS command, this caused the bot to establish a new connection back to the C2 server, echo the "Start VNC" command and then proceed with the VNC traffic.

Image: Flow transcript of IcedID VNC traffic in ASCII encoding

Command 0x13: Reverse Shell

Brad posted a new capture file with network traffic from another IcedID infection last week (2022-10-04). He also noted that the traffic to 51.89.201.236:8080 was different from normal IcedID post-infection traffic.

After looking at this C2 traffic I discovered that it was in fact using the IcedID BackConnect protocol outlined in this blog post, but the Auth field "4a 01 4f 97" had been replaced with "1f 8b 08 08".

That exact byte sequence is a common file header for gzip compressed files (RFC1952), where

• 1f 8b = GZIP magic
• 08 = DEFLATE compression
• 08 = Original file name header present

IcedID has previously been seen using fake gzip file headers in payloads, but this time even the C2 packets include the gzip header!

Image: Transcript of TCP session to 51.89.201.236:8080

The C2 traffic also contained the command 0x13, which I hadn't seen before. Just like the SOCKS and VNC commands, this one triggered the bot to establish a new connection back to the C2 server. But the bot sent a task query command (00) this time, instead of echoing the C2 server's command (0x13). The new TCP session then transitioned into what looks like a reverse shell session.

Image: Transcript of reverse shell traffic from IcedID BackConnect session

The reverse shell traffic reveals that the attackers retrieved a list of domain admin users and then executed a PowerShell script from aicsoftware[.]com. This PowerShell script was used to install CobaltStrike beacon on the victim's PC.

Command 0x12: File Manager

We discovered the file manager command after this blog post was published. This section has therefore been added after the original publication of this blog post.

The following Wireshark display filter can be used to find file manager commands (0x12) in BackConnect C2 traffic that uses the "1f 8b 08 08" auth value:

tcp.len == 13 and tcp.payload[0:5] == 1f:8b:08:08:12

Image: File manager commands in BackConnect C2

The screenshot above shows that the file manager command was issued three times in 2022-10-31-IcedID-with-DarkVNC-and-Cobalt-Strike-full-pcap-raw.pcap.

Image: BackConnect TCP sessions in CapLoader's Flows view

As you can see in the two screenshots above, each time a file manager command was issued in the C2 session (Wireshark screenshot) the bot established a new TCP connection back to the C2 server (CapLoader screenshot).

The file manager sessions use a proprietary protocol to perform tasks such as listing disks, changing directory and uploading files.

We've identified the following file manager commands:

• DISK = List drives
• CDDIR <path> = Change directory
• PWD = Show current directory
• DIR = List current directory
• PUT <path> = Upload file

IDS Signatures

Lenny Hansson has released IDS signatures that can detect IcedID (and QakBot) BackConnect traffic. I'd like to highlight four of Lenny's signatures here.

Alert on "sleep 60 seconds" C2 command, regardless of Auth value:

alert tcp $EXTERNAL_NET [443,8080] -> $HOME_NET 1024: (msg:"NF - Malware IcedID BackConnect - Wait Command"; flow:established; flags:AP; dsize:13; content:"|01 3c 00 00 00|"; offset:4; depth:5; reference:url,networkforensic.dk; metadata:02112022; classtype:trojan-activity; sid:5006006; rev:3;)

Alert on "start VNC" C2 command with "4a 01 4f 97" Auth:

alert tcp $EXTERNAL_NET [443,8080] -> $HOME_NET 1024: (msg:"NF - Malware IcedID BackConnect - Start VNC command"; flow:established; flags:AP; dsize:13; content:"|4a 01 4f 97 05|"; offset:0; depth:5; reference:url,networkforensic.dk; metadata:03112022; classtype:trojan-activity; sid:5006007; rev:2;)

Alert on "start VNC" C2 command with "1f 8b 08 08" Auth:

alert tcp $EXTERNAL_NET [443,8080] -> $HOME_NET 1024: (msg:"NF - Malware IcedID BackConnect - Start VNC command - 11"; flow:established; flags:AP; dsize:13; content:"|1f 8b 08 08 11|"; offset:0; depth:5; reference:url,networkforensic.dk; metadata:03112022; classtype:trojan-activity; sid:5006011; rev:2;)

Alert on "start file manager" C2 command with "1f 8b 08 08" Auth:

alert tcp $EXTERNAL_NET [443,8080] -> $HOME_NET 1024: (msg:"NF - Malware IcedID BackConnect - Start file manager command"; flow:established; flags:AP; dsize:13; content:"|1f 8b 08 08 12|"; offset:0; depth:5; reference:url,networkforensic.dk; metadata:03112022; classtype:trojan-activity; sid:5006008; rev:2;)

A zip file containing Lenny's Snort rules can be downloaded from networkforensic.dk.

Questions and Answers

Allright, that's all I had to say about the IcedID BackConnect C2 protocol. I'm now ready to take your questions.

Q: Is IcedID's BackConnect VNC traffic the same thing as DarkVNC?

No, DarkVNC traffic doesn't use the BackConnect C2 Packet Structure described in this blog post. Also, one characteristic behavior DarkVNC is that the first C2 packet contains a string that looks like one of these:

• (COMPUTERNAME)_ADDITIONAL_ID-DARKVNC
• BOT-COMPUTERNAME(USERNAME)_ID-REFnnn
• USR-COMPUTERNAME(USERNAME)_ID-REFnnn

Q: Is IcedID's BackConnect VNC traffic the same thing as hVNC?

Almost. hVNC means "hidden VNC" and includes any type of malicious VNC server running on a victim's PC, including IcedID's VNC module as well as DarkVNC.

Q: How did you get Wireshark to decode the SOCKS traffic from IcedID BackConnect?

1. Open the pcap file from 2022-06-28 TA578 IcedID
2. Apply display filter: tcp.port eq 8080
3. Right-click, Decode As, TCP port 8080 = SOCKS
4. Display filter: tcp.dstport eq 8080 and tcp.len eq 13 and tcp.payload[0:5] eq 4a:01:4f:97:04
5. Select all packets (Ctrl+A)
6. Edit, Ignore Packets (Ctrl+D)
7. Display filter: socks.dst

Q: Can CapLoader's Protocol Identification feature detect the BackConnect protocol?

The version used in this blog post (1.9.4) doesn't have a protocol model for the BackConnect protocol, but later versions can identify IcedID's BackConnect protocol regardless of port. CapLoader version 1.9.5 (and later) also alerts on BackConnect traffic.

Posted by Erik Hjelmvik on Wednesday, 12 October 2022 18:24:00 (UTC/GMT)

Tags: #IcedID​ #QakBot​ #QBot​ #TA578​ #SOCKS​ #SOCKS5​ #JA3​ #gzip​ #PowerShell​

CapLoader 1.9.4 Released

A new version of our advanced PCAP filtering tool CapLoader was released today. The new CapLoader 1.9.4 release includes features like JA3 hash extraction from TLS traffic and a fantastic thing called Select Similar Flows, which is a unique feature that you will only find in CapLoader! We have also included a VXLAN parser, so that flows tunneled inside of overlay networks can be presented directly in the CapLoader GUI.

Select Similar Flows or Services

If you right-click a flow or service in CapLoader you’ll now be presented with an option to “select similar flows” (or services). This feature causes CapLoader to read through the loaded PCAP files again in order to find other flows that are similar to the one that was right-clicked. CapLoader doesn’t care about IP addresses or port numbers when assessing this similarity. Instead it looks at behavioral patterns in the traffic itself, such as packet sizes and byte patterns. In practice, this feature will select flows that are communicating using the same protocol as the one you clicked, regardless of which port it runs on. CapLoader already comes with an advanced feature for doing port-independent protocol identification, which currently detects over 170 protocols. But the “select similar” feature can even be used to find odd or proprietary protocols that aren’t in CapLoaders protocol database.

There is also a feature called “select VERY similar flows” which, instead of searching for flows with the same protocol, looks for flows with the same implementation or dialect of that particular protocol. This feature can be used to single out the network traffic of a particular software or tool from a haystack of network traffic from multiple applications, which all run the same application layer protocol. Another use case is to find additional malicious C2 sessions that run on top of a standard protocol like HTTP, TLS or DNS – provided that you’ve located at least one such malicious flow or service.

JA3 and JA3S Hashes for TLS Flows

We added JA3 extraction to NetworkMiner back in 2019, with the release of NetworkMiner 2.5. It’s now time to bring this useful little TLS fingerprinting feature into CapLoader as well. As of version 1.9.4 CapLoader attempts to extract JA3 and JA3S hashes from all TCP flows. The JA3 and JA3S hashes are presented in the Flows and Services tabs as separate columns. This allows users to filter flows based on a JA3 hash directly in CapLoader instead of having to export a filtered PCAP to an external tool to calculate JA3 hashes.

Image: Column criteria filter “JA3 = a72f351cf3c3cd1edb345f7dc071d813” on PCAP from CERT-SE’s 2021 CTF.

Extraction of Flows Inside of VXLAN Tunnels

VXLAN is a network virtualization technology that can be used to create overlay networks, where Ethernet frames are encapsulated inside of UDP packets (see RFC 7348). The UDP port used for VXLAN is 4789 or 8472. We added support for VXLAN to NetworkMiner in 2017, but CapLoader has until now only presented the VXLAN tunnels in the GUI when VXLAN traffic is loaded. We’re happy to announce that CapLoader now extracts flows for the VXLAN tunnels and the traffic inside of those tunnels.

Image: ICMP flow extracted from VXLAN tunnel. PCAP file is Virtual_Extensible_LAN-VXLAN.pcap from Xena Networks

Additional GUI Improvements

We’ve also made several minor improvements to CapLoader’s user interface, such as a “Save Visible Flows” option on the File menu, which can be used to save the filtered traffic in the current view to a PCAP file. Another nice addition is the “Copy from Selected Rows” menu option, which can be used to copy text from a particular column.

CapLoader’s OSINT lookup context menus have also been updated to include some very useful services like Feodo Tracker, Hatching Triage and IPVoid.

Free Trial versus Full Version

Many of the new additions to CapLoader are only available in the full version, but the VXLAN extraction and some of the GUI additions are also available in the free trial version of CapLoader. No registration is required to download the trial — just download, extract and run for 30 days. If you like it, then please consider purchasing the full version!

Updating to the Latest Release

Users who have already purchased a license for CapLoader can download a free update to version 1.9.4 from our customer portal.

Posted by Erik Hjelmvik on Thursday, 16 June 2022 11:44:00 (UTC/GMT)

Tags: #CapLoader​ #JA3​ #JA3S​ #Protocol Identification​ #Protocol Detection​ #PCAP​ #TLS​ #VXLAN​

Emotet C2 and Spam Traffic Video

This video covers a life cycle of an Emotet infection, including initial infection, command-and-control traffic, and spambot activity sending emails with malicious spreadsheet attachments to infect new victims.

The video was recorded in a Windows Sandbox in order to avoid accidentally infecting my Windows PC with malware.

Initial Infection

Palo Alto's Unit 42 sent out a tweet with screenshots and IOCs from an Emotet infection in early March. A follow-up tweet by Brad Duncan linked to a PCAP file containing network traffic from the infection on Malware-Traffic-Analysis.net.

Image: Screenshot of original infection email from Unit 42

• Attachment MD5: 825e8ea8a9936eb9459344b941df741a

Emotet Download

The PCAP from Malware-Traffic-Analysis.net shows that the Excel spreadsheet attachment caused the download of a DLL file classified as Emotet.

Image: CapLoader transcript of Emotet download

• DNS: diacrestgroup.com
• MD5: 99f59e6f3fa993ba594a3d7077cc884d

Emotet Command-and-Control

Just seconds after the Emotet DLL download completes the victim machine starts communicating with an IP address classified as a botnet command-and-control server.

Image: Emotet C2 sessions in CapLoader

• C2 IP: 209.15.236.39
• C2 IP: 147.139.134.226
• C2 IP: 134.209.156.68
• JA3: 51c64c77e60f3980eea90869b68c58a8
• JA3S: ec74a5c51106f0419184d0dd08fb05bc
• JA3S: fd4bc6cea4877646ccd62f0792ec0b62

Emotet Spambot

The victim PC eventually started sending out spam emails. The spam bot used TLS encryption when possible, either through SMTPS (implicit TLS) or with help of STARTTLS (explicit TLS).

Image: Emotet spambot JA3 hash in NetworkMiner Professional

• SMTPS JA3: 37cdab6ff1bd1c195bacb776c5213bf2
• STARTTLS JA3: 37cdab6ff1bd1c195bacb776c5213bf2

Transmitted Spam

Below is a spam email sent from the victim PC without TLS encryption. The attached zip file contains a malicious Excel spreadsheet, which is designed to infect new victims with Emotet.

Image: Spam email extracted from Emotet PCAP with NetworkMiner

• .zip Attachment MD5: 5df1c719f5458035f6be2a071ea831db
• .xlsm Attachment MD5: 79cb3df6c0b7ed6431db76f990c68b5b

Network Forensics Training

If you want to learn additional techniques for analyzing network traffic, then take a look at our upcoming network forensic trainings.

Posted by Erik Hjelmvik on Monday, 09 May 2022 06:50:00 (UTC/GMT)

Tags: #Emotet​ #C2​ #video​ #pcap​ #JA3​ #JA3S​ #51c64c77e60f3980eea90869b68c58a8​ #ec74a5c51106f0419184d0dd08fb05bc​ #fd4bc6cea4877646ccd62f0792ec0b62​ #SMTP​ #SMTPS​ #Windows Sandbox​

NetworkMiner 2.7.3 Released

NetworkMiner now extracts meterpreter payloads from reverse shells and performs offline lookups of JA3 hashes and TLS certificates. Our commercial tool, NetworkMiner Professional, additionally comes with a packet carver that extracts network packets from memory dumps.

Extraction of Meterpreter Payloads

NetworkMiner 2.7.3 supports extraction of meterpreter DLL payloads from reverse shell TCP sessions deployed with Metasploit. The free version of NetworkMiner will try to extract the meterpreter DLL from TCP sessions going to "poker-hand ports" commonly used for meterpreter sessions, such as 3333, 4444, 5555, etc. The port-independent protocol detection feature available in NetworkMiner Professional additionally enables extraction of meterpreter DLLs regardless which LPORT the attacker specifies when deploying the reverse shell.

Image: Meterpreter DLL extracted from DFIR Madness' case001.pcap

Packet Carving in NetworkMiner Professional

If you try to open anything other than a PCAP, PcapNG or ETL file in NetworkMiner Professional, then you'll be presented with an option to carve packets from the opened file as of this release.

The packet carver can extract packets from any structured or unstructured data, such as memory dumps and proprietary packet capture formats. NetworkMiner Pro's carver is a simplified version of the packet carving feature in CapLoader.

Loading the 1GB "memdump.mem" from Ali Hadi's Challenge #1 - Web Server Case into NetworkMiner Professional takes roughly five seconds, during which 612 packets get extracted.

Image: Information about network hosts carved from memory dump

In this scenario the memory was dumped on the 192.168.56.101 host, which NetworkMiner identifies as "WIN-L0ZZQ76PMUF". The carved packets also indicate that this computer had an outgoing TCP connection to 192.168.56.102, which appears to be a Linux machine called "kali". As you can see in the screenshot, the packets carved from the memory dump also reveal a great deal about other hosts on the network, such as the 192.168.56.1 host, which seems to be a Windows 7 machine called "IT104-00".

Offline Matching of JA3 and X.509 hashes

NetworkMiner 2.7.3 comes with a local copy of the SSL Certificate and JA3 Fingerprint Blacklists from the awesome abuse.ch project. JA3 hashes and extracted X.509 certificates are matched against these lists in order to see if they are associated with any piece of malware or botnet.

Here's one example showing the default Cobalt Strike certificate being identified as "AKBuilder C&C", since that's how it is listed in abuse.ch's SSL certificate database.

Image: Cobalt Strike's default certificate identified as "AKBuilder C&C"
PCAP: Cobalt Strike PCAP from malware-traffic-analysis.net

The port-independent protocol detection feature in NetworkMiner Professional additionally enables X.509 certificates to be extracted even from non-standard TLS ports, such as this certificate, which is identified as "BitRAT" with help of the abuse.ch certificate block-list.

Image: Both X.509 certificate and JA3 hash identified as BitRAT
PCAP: BitRAT PCAP from Joe Sandbox

The client's JA3 hash 8515076cbbca9dce33151b798f782456 is also associated with BitRAT according to abuse.ch.

DBSBL Lookup Detection

DNSBL services are used by servers handling incoming email to verify that the sender's IP address isn't a known SPAM sender and that it isn't from a network that shouldn't be sending emails.

But DNSBL services can also be used by malware and botnets, such as TrickBot and Emotet, to verify that the public IP of a victim is allowed to send emails and that it hasn't already been blacklisted for sending SPAM. We have therefore decided to add DNSBL lookups to the Host Details section in NetworkMiner 2.7.3.

Image: TrickBot victim checks if its public IP is blocked by DNSBL services
PCAP: TrickBot PCAP from malware-traffic-analysis.net

DNSBL lookups are also logged to the "Parameters" tab of NetworkMiner.

Image: NetworkMiner's Parameters tab with "DNSBL" filter
PCAP: TrickBot PCAP from malware-traffic-analysis.net

Additional Features and Updates

We'd also like to mention some additional new features, bug fixes and improvements that have been included in this new release.

• Support for HTTP CONNECT request method to extract artifacts like X.509 certificates and JA3 hashes from HTTPS traffic passing through a web proxy.
• Traffic to TCP ports 3000 and 8000 are now configured to be parsed as HTTP by default in order to handle WEBrick traffic.
• Improved extraction of SMTP credentials.
• JA3 hashes were previously incorrect for clients that supported more than one EC point format (RFC 8422). This has now been fixed.
• Support for SLL2 (Linux cooked capture v2) frames.
• Improved handling of concurrent GUI events, for example when poking around in the "Hosts" tab while loading a PCAP file or doing live sniffing.
• NetworkMiner's GUI no longer reloads between each PCAP file when multiple files are loaded at once.

New Features in NetworkMiner Professional

We have also added a few new features exclusively to NetworkMiner Professional, which is the commercial version of NetworkMiner. Apart from the packet carver feature, mentioned earlier in this blog post, we've also updated the collection of OSINT lookup services available in the GUI. One of the newly added services is Ryan Benson's unfurl, which picks apart URLs to reveal data that might have been encoded into a complex URL. The unfurl lookup can be found by right-clicking an URL in NetworkMiner Professional's "Browsers" tab and selecting the "Lookup URL" sub menu.

Other OSINT services that we've added are FileScan.IO and JoeSandbox lookups of extracted files. These lookups can be performed by right clicking a file in the "Files" tab and opening the sub-menu called "Lookup Hash".

Image: OSINT lookup of an EXE file extracted from network traffic

The command-line version of NetworkMiner Professional, NetworkMinerCLI, has also been updated to allow extracted information to be printed directly on standard output instead of logging everything to files. Here is an example showing this feature while running NetworkMinerCLI in Linux (with help of Mono):

The command above extracts files from a PCAP file, which contains traffic from a Windows PC infected with Qbot. The "-w" switch specifies the output directory for the files extracted from network traffic, and the "-X FileInfos" specifies that metadata for these files should be sent to STDOUT instead of being written to log files. The cut utility was used to show only the filename (column 5) and MD5 hash (column 9) of the file info output.

The MD5 hashes of the extracted files confirm that this is indeed a Qbot infection:

• 124207bc9c64e20e114bcaeabde12a4e (VT)
• ca7ef367c935182a40a95b9ad8b95f42 (VT)
• a9a8366fa6be54b45ca04192ca217b75 (VT)

NetworkMinerCLI previously printed some information about the parsing process to STDOUT. That output has now been moved to STDERR in order to provide the "-X [type]" output with exclusive access to STDOUT.

Credits

We'd like to thank Michael Taggart for noticing that NetworkMiner previously failed to parse HTTP traffic to ports 3000 and 8000.

Upgrading to Version 2.7.3

Users who have purchased NetworkMiner Professional can download a free update to version 2.7.3 from our customer portal, or use the “Help > Check for Updates” feature. Those who instead prefer to use the free and open source version can grab the latest version of NetworkMiner from the official NetworkMiner page.

Posted by Erik Hjelmvik on Monday, 04 April 2022 06:52:00 (UTC/GMT)

Tags: #NetworkMiner​ #carve​ #JA3​ #X.509​ #CobaltStrike​ #Cobalt Strike​ #TrickBot​ #Emotet​ #PIPI​ #Protocol Detection​ #OSINT​ #NetworkMinerCLI​

NetworkMiner 2.7 Released

We are happy to announce the release of NetworkMiner 2.7 today! The new version extracts documents from print traffic and pulls out even more files and parameters from HTTP as well as SMB2 traffic. We have also updated our JA3 implementation to fingerprint the server side in TLS sessions using JA3S hashes and added a few tweaks to the user interface to better identify the extension of extracted files.

Extraction of Printed Data

NetworkMiner 2.7 can extract documents from LPR/LPD print traffic on TCP 515 (RFC1179). The extracted print data is saved to disk as .prn files, which can be analyzed with tools like PCL Paraphernalia. The professional version of NetworkMiner also comes with a carver that attempts to extract PostScript and PDF files from print traffic.

Improved File Extraction from PCAP

One of the premier features of NetworkMiner is its ability to extract transferred files from network traffic. We have fine tuned NetworkMiner’s file extraction code for SMB2 as well as HTTP POST in this release, in order to retrieve as much information as possible from these protocols. We’ve also added more granular logging of SMB2 requests and responses to the Parameters tab.

More DNS Types Supported

NetworkMiner 2.7 now parses DNS TXT and SRV resource records, which are displayed in NetworkMiner’s DNS tab. The TXT records can be used for almost anything, but the SRV records are used to map service types to the hostnames that provide that service. SRV lookups are often used in order to locate the domain controller on a network by querying for “_ldap._tcp.dc._msdcs.<DOMAIN>”.

DNS SRV of lookups are performed by malware and attackers as well as for legitimate reasons, even though attackers sometimes make mistakes that can be used for detection or threat hunting.

TLS Server Fingerprinting with JA3S

We introduced TLS client fingerprinting using JA3 hashes in NetworkMiner 2.5. We have now also added support for JA3S hashes, which is a method for fingerprinting the server side of a TLS connection. The JA3S hashes are extracted from the “Server Hello” TLS packets and shown on NetworkMiner’s Parameters tab as well as in the Host Details of the server. We have also improved how NetworkMiner displays the JA3 hashes in the Host Details view.

Additional User Interface Improvements

Double clicking on an extracted file in NetworkMiner's Files tab now brings up the File Details window. We’ve extended this window to also include a simple hex viewer and a feature that attempts to identify the file type based on the reassembled file’s header.

The file type identification feature is also used in order to provide more accurate file extensions to extracted files, such as “.exe” or “.zip”, instead of the “.octet-stream” that you’d often see in previous versions of NetworkMiner. We have added a warning dialogue to NetworkMiner 2.7 that shows up if a user tries to run an executable file directly from the NetworkMiner GUI.

NetworkMiner Professional

Our commercial tool NetworkMiner Professional has received a few additional updates. It can, for example, carve PDF and PostScript files from extracted LPR print data. We have also added several OSINT services, such as ANY.RUN, MalwareBazaar, URLHaus and ThreatFox, for performing lookups of file hashes. The OSINT context menu is opened by right-clicking an extracted file in NetworkMiner Professional.

GPS data stored in pcap-ng option fields, typically by Kismet, is now extracted as capture file metadata. Right-click a capture file and select "Show Metadata" to show the coordinates from Kismet. We have also re-implemented the support for a PCAP-over-IP listener in NetworkMinerCLI, which is the command line version of NetworkMiner Pro. This feature allows the command line tool to receive PCAP data over a TCP socket instead of reading from a capture file. The PCAP-over-IP listener feature was previously broken in NetworkMinerCLI.

Credits

We’d like to thank Hayo Brouwer (of Ricoh) for requesting the LPR extraction feature and providing capture files for testing, Jeff Rivett for reporting a 64 bit issue with WinPcap/Npcap and Ali Mohd for reporting the broken PCAP-over-IP listener feature.

Upgrading to Version 2.7

Users who have purchased NetworkMiner Professional can download a free update to version 2.7 from our customer portal, or use the “Help > Check for Updates” feature. Those who instead prefer to use the free and open source version can grab the latest version of NetworkMiner from the official NetworkMiner page.

Posted by Erik Hjelmvik on Tuesday, 15 June 2021 11:55:00 (UTC/GMT)

Tags: #NetworkMiner​ #PCAP​ #SMB2​ #JA3​ #JA3S​ #ANY.RUN​ #ThreatFox​ #OSINT​

Analysing a malware PCAP with IcedID and Cobalt Strike traffic

This network forensics walkthrough is based on two pcap files released by Brad Duncan on malware-traffic-analysis.net. The traffic was generated by executing a malicious JS file called StolenImages_Evidence.js in a sandbox environment.

The capture file starts with a DNS lookup for banusdona.top, which resolved to 172.67.188.12, followed by an HTTP GET request for "/222g100/index.php" on that domain. The following PowerShell oneliner is returned in the HTTP response from banusdona.top:

This oneliner instructs the initial dropper to download a Win32 DLL payload from http://banusdona[.]top/222g100/main.php and save it as "JwWdx.dat" in the user's temp directory and then run the DLL with:

As you can see in the screenshot below, the HTTP response for this second request to banusdona.top has Content-Type "application/octet-stream", but also a conflicting Content-disposition header of "attachment;filename=data.jpg", which indicates that the file should be saved to disk as "data.jpg". Nevertheless, the "MZ" header in the transferred data reveals that the downloaded data wasn't an image, but a Windows binary (dll or exe).

The downloaded file gets extracted from the pcap file by NetworkMiner as "data.jpg.octet-stream".

Right-clicking "data.jpg.octet-stream" in NetworkMiner and selecting "Calculate MD5..." brings up a new window with additional file details, such as MD5 and SHA hashes of the reassembled file.

This file is available on VirusTotal, where we can see that it's a DLL that several AV vendors identify as "Cerbu" or "IcedID". VirusTotal's C2AE sandbox analysis of the DLL also reveals the domain name "momenturede.fun" in the process' memory. As you might expect, a connection is made to that domain just a few seconds later. A nice overview of these connections can be seen in CapLoader's Flow tab.

The momenturede.fun server returns a 500kB file, which NetworkMiner extracts from the pcap file as "index.gzip".

This turns out to be an encrypted IcedID DLL file, which has been analyzed by Ali Aqeel here:
https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/

Right after the IcedID download we see a series of HTTPS connections towards odd domains like vaccnavalcod.website, mazzappa.fun, ameripermanentno.website and odichaly.space, all of which resolved to IP 83.97.20.176. That host is most likely a command-and-control (C2) server used by the IcedID malware.

CapLoader's "Services" tab also reveals that the TLS connections to port 443 on 83.97.20.176 are very periodic, with a new connection every 5 minutes. Periodic connection patterns like this is a typical indicator of C2 traffic, where the malware agent connects back to the C2 server on regular intervals to check for new tasks.

The traffic to 83.97.20.176 is encrypted, so we can't inspect the payload to verify whether or not it is IcedID C2 communications. What we can do, however, is to extract the HTTPS server's X.509 certificate and the JA3 hash of the client's TLS implementation from the encrypted traffic.

NetworkMiner has extracted the X.509 certificates for vaccnavalcod.website, mazzappa.fun, ameripermanentno.website and odichaly.space to disk as "localhost.cer".

It turns out that all these sites used the same self-signed certificate, which had SHA1 fingerprint 452e969c51882628dac65e38aff0f8e5ebee6e6b. The X.509 certificate was created using OpenSSL's default values, such as "Internet Widgits Pty Ltd" etc. Further details about this certificate can be found on censys.io.

The JA3 hashes used by the IcedID malware agent can be found in NetworkMiner's Hosts tab as well as in the Parameters tab.

The JA3 hashes for the client that connects to the C2 server are a0e9f5d64349fb13191bc781f81f42e1 and 3b5074b1b5d032e5620f69f9f700ff0e. Several legitimate Windows applications unfortunately have the same JA3 hashes, so we can't use them to uniquely identify the IcedID agents.

The IcedID C2 traffic continues for over 19 hours, at which point we suddenly see a connection to a new suspicious domain called "lesti.net" on 185.141.26.140. The first HTTP request to that domain is used to download a 261703 byte file, as can be seen in this Flow Transcript from CapLoader:

NetworkMiner extracts this file as "9r8z.octet-stream". This turns out to be a Cobalt Strike beacon download, which we can decode with Didier Stevens' fantastic 1768.py script.

The output from 1768.py reveals that this Cobalt Strike beacon is using the following URIs for C2 communication:

• GET URI: http://lesti[.]net/userid=
• POST URI: http://lesti[.]net/update.php

We can also see that the Cobalt Strike license-id (a.k.a. watermark) is 1580103814. This ID can be used to link this Cobalt Strike beacon to other campaigns. Below is a list of Cobalt Strike C2 servers using license-id 1580103814 discovered by Tek in December 2020:

• 45.147.229[.]157
• selfspin[.]com
• savann[.]org
• palside[.]com
• server3.msadwindows[.]com
• mapizzamates[.]com
• fixval[.]com
• rackspare-technology[.]download
• 108.177.235[.]148
• matesmapizza[.]com

Update 4 May 2021

Sergiu Sechel published a blog post yesterday, which included a list of Cobalt Strike C2 servers. We fed this list to Tek's scan_list.py script in order to see if license-id 1580103814 is still active. It turned out it was. We found the following 27 domains and IP's running Cobalt Strike C2 servers on TCP 443 using that license-id.

• 151.236.14[.]53
• 151.236.14[.]53
• 172.241.27[.]70
• 193.29.13[.]201
• 193.29.13[.]201
• 193.29.13[.]209
• 194.165.16[.]60
• 193.29.13[.]209
• 193.29.13[.]201
• 194.165.16[.]60
• 194.165.16[.]60
• dain22[.]net
• drellio[.]com
• feusa[.]net
• fut1[.]net
• helle1[.]net
• hars2t[.]com
• kasaa[.]net
• idxup[.]com
• maren2[.]com
• mgfee[.]com
• massflip[.]com
• oaelf[.]com
• repdot[.]com
• scalewa[.]com
• tulls[.]net
• wellser[.]org

The full output from our re-scan of Sergiu's C2 list can be found on pastebin.

Update 8 May 2021

Security researcher Michael Koczwara is tracking Cobalt Strike license 1580103814 as APT actor LuckyMouse (a.k.a. Emissary Panda or APT 27). Michael's Cobalt Stike C2 dataset, which currently contains 25 unique C2 IPs and domains for license-id 1580103814, is available as a Google Docs spreadsheet (see the "LuckyMouse Actor" tab).

Indicators of Compromise - IOCs

• MD5: 8da75e1f974d1011c91ed3110a4ded38
• SHA1: e9b5e549363fa9fcb362b606b75d131dec6c020e
• SHA256: 0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6
• DNS: banusdona.top
• IP: 172.67.188.12
• MD5: f98711dfeeab9c8b4975b2f9a88d8fea
• SHA1: c2bdc885083696b877ab6f0e05a9d968fd7cc2bb
• SHA256: 213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c
• DNS: momenturede.fun
• IP: 104.236.115.181
• MD5: 96a535122aba4240e2c6370d0c9a09d3
• SHA1: 485ba347cf898e34a7455e0fd36b0bcf8b03ffd8
• MD5: 11965662e146d97d3fa3288e119aefb2
• SHA1: b63d7ad26df026f6cca07eae14bb10a0ddb77f41
• SHA256: d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5
• DNS: vaccnavalcod.website
• DNS: mazzappa.fun
• DNS: ameripermanentno.website
• DNS: odichaly.space
• IP: 83.97.20.176
• SHA1: 452e969c51882628dac65e38aff0f8e5ebee6e6b
• DNS: lesti.net
• IP: 185.141.26.140
• MD5: 449c1967d1708d7056053bedb9e45781
• SHA1: 1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3
• SHA256: c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3
• Cobalt Strike Watermark: 1580103814

Network Forensics Training

Are you interested in learning more about how to analyze captured network traffic from malware and hackers? Have a look at our network forensic trainings. Our next class is a live online event called PCAP in the Morning.

Posted by Erik Hjelmvik on Monday, 19 April 2021 09:45:00 (UTC/GMT)

Tags: #Cobalt Strike​ #CobaltStrike​ #IcedID​ #NetworkMiner​ #CapLoader​ #Network Forensics​ #JA3​ #X.509​ #1768.py​ #a0e9f5d64349fb13191bc781f81f42e1​

NetworkMiner 2.5 Released

I am happy to announce the release of NetworkMiner 2.5 today! This new version includes new features like JA3 and parsers for the HTTP/2 and DoH protocols. We have also added support for a few older protocols that are still widely used, such as Kerberos and the CIFS browser protocol. Additionally, NetworkMiner can now parse PCAP files up to twice as fast as before!

Improving Passive TLS Analysis with JA3

Almost all web traffic is TLS encrypted nowadays, which prevents incident responders, analysts and investigators from inspecting otherwise unencrypted HTTP traffic for clues about malicious behavior or criminal intent. This requires analysts to use alternative approaches, such as looking at hostnames and X.509 certificates. This type of analysis is supported by NetworkMiner, since it parses Server Name Indication fields in client TLS handshakes and extracts X.509 certificates automatically when PCAP files are loaded.

In this release we’ve also added support for another passive TLS analysis technique called JA3, which is a method for fingerprinting TLS client implementations.

NetworkMiner leverages the JA3 fingerprint database from Trisul Network Analytics in order to match observed JA3 hashes to hashes of known malware and “normal” applications. This is what it looks like when the capture file “snort.log.1428364808”, from the FIRST 2015 “Hands-on Network Forensics” training (available here), has been loaded into NetworkMiner 2.5:

Image: JA3 fingerprint of a Skype client in NetworkMiner 2.5

The JA3 hash is also available in the “Parameters” tab, which is useful in order to find out what hosts that particular TLS implementation was reaching out to.

Image: Filtering on JA3 hash 06207a1730b5deeb207b0556e102ded2

HTTP/2 and DoH Support

Passive analysis of TLS traffic, such as HTTPS, often doesn’t give sufficient visibility. Many organizations therefore use TLS proxies in order to decrypt the traffic going in and out from their networks. However, more than half of all HTTPS traffic is actually http2 (RFC 7540) nowadays. This has previously been an issue for users who wanted to analyze decrypted http2 traffic from their TLS intercepting proxies with NetworkMiner. We’re happy to announce that NetworkMiner now can parse http2 traffic, that has been decrypted by a TLS proxy, and extract files from the http2 transfers.

NetworkMiner 2.5 also supports the DNS over HTTPS (DoH) protocol (RFC 8484), which is a technique for sending DNS queries as http2 POST requests and parsing the returned data as DNS responses. We’ve incorporated the DoH data into NetworkMiner’s DNS tab, so that you can analyze it just like normal DNS traffic.

Image: DoH traffic to mozilla.cloudflare-dns.com in NetworkMiner’s DNS tab

Please note that NetworkMiner 2.5 does not perform TLS decryption. This means that NetworkMiner can only parse the contents of a TLS stream if it has been decrypted by a TLS proxy, such as PolarProxy.

Extracting Kerberos Hashes from PCAP

NetworkMiner’s support for the Kerberos protocol allows you to passively track which user accounts that are authenticating to what services, simply by monitoring network traffic. This is a feature is essential in order to track credential theft and lateral movement by adversaries inside your networks. After implementing kerberos username and hash extraction we realized that this feature could also be valuable for penetration testers. We therefore decided to present extracted Kerberos credentials in a format that is compatible with tools like hashcat and John the Ripper.

Image: Kerberos krb5pa, krb5asrep and krb5tgs credentials extracted from the Wireshark sample capture file Krb-contrained-delegation.cap

For more information about Kerberos hashes, please see our Extracting Kerberos Credentials from PCAP blog post.

Even more NetBIOS and CIFS Artifacts!

NetworkMiner is a popular tool for extracting files transferred over SMB and SMB2 from capture files. It can also extract a great deal of information about the communicating hosts from protocols like NetBIOS and SMB/CIFS, but earlier this year Chris Raiter notified us about an important piece of information that was missing in NetworkMiner: NetBIOS Name Service (NBNS) lookups and responses!

A couple of months later Dan Gunter sent us another great feature request for another protocol that runs on top of NetBIOS: the CIFS Browser Protocol (aka MS-BRWS).

We’re happy to announce that NBNS queries and responses are now shown in NetworkMiner’s Parameters tab, and details like hostnames, domain names, Windows versions and uptime us extracted from the MS-BRWS protocol. See the screenshots below, which were created by loading the capture file “case09.pcap” from Richard Bejtlich’s TCP/IP Weapons School 2.0 Sample Lab into NetworkMiner 2.5. Thanks for sharing Richard!

Image: Hostname, domain and Windows version extracted from MS-BRWS traffic

Image: NBNS queries and responses in NetworkMiner’s Parameters tab

Mono 5 Required for Linux and MacOS

Linux and MacOS users, who run NetworkMiner with help of Mono, will need to ensure they have Mono 5 (or later) installed in order to run NetworkMiner 2.5. We recommend using at least Mono 5.18.

Instructions for installing NetworkMiner on Linux can be found in our blog post ”HowTo install NetworkMiner in Ubuntu Fedora and Arch Linux”.

MacOS users can refer to our “Running NetworkMiner on Mac OS X” blog post.

Users who are unable to install Mono 5 are recommended to use the old NetworkMiner 2.4 release, which can be downloaded here:
https://www.netresec.com/?download=NetworkMiner_2-4

NetworkMiner Professional

Apart from the features mentioned so far, our commercial tool NetworkMiner Professional now comes with a few additional new features. One of these features is port independent identification of RDP traffic, so that mstshash credentials can be extracted from RDP sessions even if the service doesn’t run on port 3389. The OSINT lookup context menus in NetworkMiner Professional have also been enriched with the following online services:

• ja3er.com JA3 lookup
• abuse.ch JA3 lookup
• urlscan.io URL, DNS and IP lookup
• IPAddress.com IP lookup
• OpenDNS DNS lookup
• circl.lu IP/BGP lookup (thank you Raphaël)
• GreyNoise Visualizer IP lookup
• RIPEstat IP lookup

Several new features have also been included in the command line tool NetworkMinerCLI, including:

• Recursive loading of PCAP files with the "-R” switch.
• Configurable export types (hosts, files, DNS etc) with the “-x” switch.
• Relative paths in CSV, XML and JSON/CASE exports unless the “-- absolutePaths” switch is used.

Credits

I’d like to thank Dan Gunter, Chris Raiter, Chris Sistrunk and a few more (who I cannot mention here) for contributing with feature requests and bug reports that have helped improve NetworkMiner.

Upgrading to Version 2.5

Users who have purchased a license for NetworkMiner Professional 2.x can download a free update to version 2.5 from our customer portal, or use the “Help > Check for Updates” feature. Those who instead prefer to use the free and open source version can grab the latest version of NetworkMiner from the official NetworkMiner page.

Posted by Erik Hjelmvik on Thursday, 07 November 2019 11:45:00 (UTC/GMT)

Tags: #NetworkMiner​ #JA3​ #HTTP/2​ #http2​ #DoH​ #Kerberos​ #NetBIOS​ #PCAP​ #hashcat​ #John​ #NetworkMinerCLI​ #OSINT​