NETRESEC Network Security Blog

Erik Hjelmvik

,

Wednesday, 23 January 2019 14:00:00 (UTC/GMT)

Video: TrickBot and ETERNALCHAMPION

This video tutorial is a walkthrough of how you can analyze the PCAP file UISGCON-traffic-analysis-task-pcap-2-of-2.pcap (created by Brad Duncan). The capture file contains a malicious Word Document (macro downloader), Emotet (banking trojan), TrickBot/Trickster (banking trojan) and an EternalChampion (CVE-2017-0146) exploit used to perform lateral movement.

Network Diagram

Timeline of Events

Frame	Time (UTC)	Event
825	18:55:32	Malicious Word doc [cosmoservicios.cl]
1099	18:56:04	Emotet download [bsrcellular.com]
5024	19:00:41	Trickbot "radiance.png" download
9604	19:01:34	Client credentials exfiltrated [200.29.24.36:8082]
9915	19:01:36	ETERNALCHAMPION exploit from client to DC
10424	19:01:51	Client sends .EXE files to \\10.1.75.4\C$\WINDOWS\
11078	19:01:51	Client infects DC with Trickbot via rogue service
14314	19:07:03	DC credentials exfiltrated [200.29.24.36:8082]

OSINT Links Opened

HybridAnalysis: FILE-88654515940798.doc
VirusTotal: FILE-88654515940798.doc
VirusTotal: LXHPYOi5j.exe (Emotet)
HybridAnalysis: LXHPYOi5j.exe (Emotet)
IBM X-Force Exchange: 87.66.13.80
VirusTotal: 9b4ui3u2fj1o666n.exe (TrickBot/Trickster)
VirusTotal: radiance.png (TrickBot/Trickster)

Tools Used

Network Forensics Training

Wanna improve your network forensics skills? Take a look at our trainings, the next scheduled class is on March 18-19 at the TROOPERS conference in Germany.

Posted by Erik Hjelmvik on Wednesday, 23 January 2019 14:00:00 (UTC/GMT)

Tags: #Wireshark #CapLoader #NetworkMiner #videotutorial #video #pcap #Network Forensics

Share | Short URL: https://netresec.com/?b=1916dfe

Erik Hjelmvik

,

Wednesday, 04 July 2018 07:39:00 (UTC/GMT)

Detecting the Pony Trojan with RegEx using CapLoader

This short video demonstrates how you can search through PCAP files with regular expressions (regex) using CapLoader and how this can be leveraged in order to improve IDS signatures.

The EmergingThreats snort/suricata rule mentioned in the video is SID 2014411 “ET TROJAN Fareit/Pony Downloader Checkin 2”.

The header accept-encoding header with quality factor 0 used by the Pony malware is:
Accept-Encoding: identity, *;q=0

And here is the regular expression used to search for that exact header: \r\nAccept-Encoding: identity, \*;q=0\r\n

After recording the video I noticed that the leaked source code for Pony 2.0 actually contains this accept-encoding header as a hard-coded string. Have a look in the redirect.php file, where they set curl’s CURLOPT_HTTPHEADER to this specific string.

Pony using curl to set: Accept-Encoding: identity, *;q=0

Wanna learn more about the intended use of quality factors in HTTP accept headers? Then have a look at ~~section 14.1 of RFC 2616~~section 5.3.4 of RFC 7231, which defines how to use qvalues (i.e. quality factors) in the Accept-Encoding header.

Finally, I'd like to thank Brad Duncan for running the malware-traffic-analysis.net website, your PCAP files often come in handy!

Update 2018-07-05

I submitted a snort/suricata signature to the Emerging-Sigs mailinglist after publishing this blog post, which resulted in the Emerging Threats signature 2014411 being updated on that same day to include:

content:"|0d 0a|Accept-Encoding|3a 20|identity,|20 2a 3b|q=0|0d 0a|"; http_header;

Thank you @EmergingThreats for the fast turnaround!

Posted by Erik Hjelmvik on Wednesday, 04 July 2018 07:39:00 (UTC/GMT)

Tags: #video #regex #malware #IDS #videotutorial

Share | Short URL: https://netresec.com/?b=187e291

Erik Hjelmvik

,

Monday, 26 February 2018 11:19:00 (UTC/GMT)

Examining Malware Redirects with NetworkMiner Professional

This network forensics video tutorial covers analysis of a malware redirect chain, where a PC is infected through the RIG Exploit Kit. A PCAP file, from Brad Duncan's malware-traffic-analysis.net website, is opened in NetworkMiner Professional in order to follow a redirect chain via a couple of hacked websites before delivering malware to the PC.

Resources
https://www.malware-traffic-analysis.net/2014/11/16/index.html
Meadgive on VirusTotal
CVE-2014-0569 Flash Exploit on VirusTotal
CVE-2012-0507 Java Exploit on VirusTotal
NetworkMiner Professional

IOCs
www.ciniholland.nl
24corp-shop.com
stand.trustandprobaterealty.com
793b698a82d999f1eb75525d050ebe16
f8482f5c4632fe237d062451b42393498a8d628ed9dee27147251f484e837a42
7b3baa7d6bb3720f369219789e38d6ab
e2e33b802a0d939d07bd8291f23484c2f68ccc33dc0655eb4493e5d3aebc0747
1e34fdebbf655cebea78b45e43520ddf
178be0ed83a7a9020121dee1c305fd6ca3b74d15836835cfb1684da0b44190d3

Check out our series of network forensic video tutorials for more tips and tricks on how to analyze captured network traffic.

Posted by Erik Hjelmvik on Monday, 26 February 2018 11:19:00 (UTC/GMT)

Tags: #Netresec #Professional #NetworkMiner #malware_traffic #malware #NSM #PCAP #videotutorial #video #tutorial

Share | Short URL: https://netresec.com/?b=1829909

Erik Hjelmvik

,

Monday, 19 February 2018 06:37:00 (UTC/GMT)

Analyzing Kelihos SPAM in CapLoader and NetworkMiner

This network forensics video tutorial covers how to analyze SPAM email traffic from the Kelihos botnet. The analyzed PCAP file comes from the Stratosphere IPS project, where Sebastian Garcia and his colleagues execute malware samples in sandboxes. The particular malware sample execution we are looking at this time is from the CTU-Malware-Capture-Botnet-149-2 dataset.

Resources

Stratosphere IPS dataset: CTU-Malware-Capture-Botnet-149-2
CapLoader
nfdump
SiLK
Argus
Alexa's Top 1 Milion Domain List
Cisco Ubrella Popularity List
MaxMind
Emerging Threats' TROJAN Win32/Kelihos.F Checkin Signature
NetworkMiner

IOCs
990e5daa285f5c9c6398811edc68a659
e4f7fa6a0846e4649cc41d116c40f97835d3bb7d3d0391d3540482f077aa4493
6c55 5545 0310 4840

Check out our series of network forensic video tutorials for more tips and tricks on how to analyze captured network traffic.

Posted by Erik Hjelmvik on Monday, 19 February 2018 06:37:00 (UTC/GMT)

Tags: #Netresec #PCAP #CapLoader #NetworkMiner #videotutorial #video #tutorial #NetFlow #extract #Stratosphere

Share | Short URL: https://netresec.com/?b=182053b

Erik Hjelmvik

,

Monday, 12 February 2018 08:00:00 (UTC/GMT)

Antivirus Scanning of a PCAP File

This second video in our series of network forensic video tutorials covers a quick and crude way to scan a PCAP file for malware. It's all done locally without having to run the PCAP through an IDS. Kudos to Lenny Hanson for showing me this little trick!

Antivirus Scanning of a PCAP File

Resources

IOCs
178.62.142.240
soquumaihi.co.vu
9fd51fb05cb0ea89185fc1355ebf047cC
8cf7b281a0db4029456e416dbe05d21d17af0cad86f67e054268f5e2c46c43ed
119.238.10.9
96b430041aed13413ec2b5ae91954f39
e79ef634265b9686f90241be0e05940354dc2c2b43d087e09bb846eec34dad35

Posted by Erik Hjelmvik on Monday, 12 February 2018 08:00:00 (UTC/GMT)

Tags: #Netresec #PCAP #video #tutorial #videotutorial #NetworkMiner #malware #malware_traffic

Share | Short URL: https://netresec.com/?b=1820d24

Erik Hjelmvik

,

Monday, 05 February 2018 07:30:00 (UTC/GMT)

Zyklon Malware Network Forensics Video Tutorial

We are releasing a series of network forensics video tutorials throughout the next few weeks. First up is this analysis of a PCAP file containing network traffic from the "Zyklon H.T.T.P." malware.

Analyzing a Zyklon Trojan with Suricata and NetworkMiner

Resources
https://www.malware-traffic-analysis.net/2017/07/22/index.html
https://github.com/Security-Onion-Solutions/security-onion
https://www.arbornetworks.com/blog/asert/wp-content/uploads/2017/05/zyklon_season.pdf
http://doc.emergingthreats.net/2017930

IOCs
service.tellepizza.com
104.18.40.172
104.18.41.172
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3pre) Gecko/20070302 BonEcho/2.0.0.3pre
gate.php
.onion
98:1F:D2:FF:DC:16:B2:30:1F:11:70:82:3D:2E:A5:DC
65:8A:5C:76:98:A9:1D:66:B4:CB:9D:43:5C:DE:AD:22:38:37:F3:9C
E2:50:35:81:9F:D5:30:E1:CE:09:5D:9F:64:75:15:0F:91:16:12:02:2F:AF:DE:08:4A:A3:5F:E6:5B:88:37:D6

Posted by Erik Hjelmvik on Monday, 05 February 2018 07:30:00 (UTC/GMT)

Tags: #Netresec #PCAP #Trojan #video #tutorial #videotutorial #NetworkMiner #SecurityOnion #Suricata #malware #network #forensics #NSM #malware_traffic

Share | Short URL: https://netresec.com/?b=182b4ac

Erik Hjelmvik

,

Monday, 30 April 2012 14:35:00 (UTC/GMT)

CapLoader Video Tutorial

Below is a short video tutorial showing some of the cool features in CapLoader 1.0.

The functionality showed in the video includes:

Loading multiple pcap files into a single flow view
Port Independent Protocol Identification (PIPI)
Fast extraction of packets related to one or several flows
Exporting packets to Wireshark and NetworkMiner
Drag-and-dropping packets to Wireshark
Selecting a flow based on an IDS alert from Snort
Extracting packets from a selected flow to a new pcap file

CapLoader Video Tutorial

The video can also be seen on YouTube at the following URI:
http://youtu.be/n1Ir9Hedca4?hd=1

The three pcap files loaded in the video tutorial are from the DFRWS 2009 Challenge.

Enjoy!

Posted by Erik Hjelmvik on Monday, 30 April 2012 14:35:00 (UTC/GMT)

Tags: #CapLoader #Video #Pcap #Wireshark #NetworkMiner #Flow #TCP #Extract #Fast

Share | Short URL: https://netresec.com/?b=124DA49

Erik Hjelmvik

,

Thursday, 03 March 2011 20:45:00 (UTC/GMT)

Hak5 Crack the Code Challenge

Last week I did a blog post about NetworkMiner videos on the Internet. Just a couple of days later the Hak5 crew published a Crack the Code Challenge where NetworkMiner was included as part of the challenge zip file. The solution and winners of this challenge were announced on the Hak5 Episode 902.

The Crack the Code Challenge is covered 10 minutes into the video.

Posted by Erik Hjelmvik on Thursday, 03 March 2011 20:45:00 (UTC/GMT)

Tags: #NetworkMiner #Video

Share | Short URL: https://netresec.com/?b=113BC27