This video tutorial is a walkthrough of how you can analyze the PCAP file
UISGCON-traffic-analysis-task-pcap-2-of-2.pcap
(created by Brad Duncan).
The capture file contains a malicious Word Document (macro downloader), Emotet (banking trojan),
TrickBot/Trickster (banking trojan) and an EternalChampion (CVE-2017-0146)
exploit used to perform lateral movement.
Wanna improve your network forensics skills? Take a look at our
trainings; the next scheduled class is on March 18-19 at the
TROOPERS conference in Germany.
Posted by Erik Hjelmvik on Wednesday, 23 January 2019 14:00:00 (UTC/GMT)
This short video demonstrates how you can search through PCAP files with regular expressions (regex) using
CapLoader and how this can be leveraged in order to
improve IDS signatures.
The EmergingThreats snort/suricata rule mentioned in the video is SID 2014411 “ET TROJAN Fareit/Pony Downloader Checkin 2”.
The Accept-Encoding header with quality factor 0 used by the Pony malware is: Accept-Encoding: identity, *;q=0
And here is the regular expression used to search for that exact header (the asterisk is escaped, and the leading and trailing CRLF anchor the match to one complete header line rather than to a substring of some other header):
\r\nAccept-Encoding: identity, \*;q=0\r\n
After recording the video I noticed that the leaked source code for Pony 2.0 actually contains this accept-encoding header as a
hard-coded string. Have a look in the
redirect.php file, where they set
curl’s CURLOPT_HTTPHEADER to this specific string.
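The same search can be scripted. The block below is an added example for this post, not CapLoader's code or anything from the Pony source: it reads a classic libpcap file with a minimal Ethernet/IPv4/TCP parser, runs the regex above over every TCP payload, and reports the endpoints of the matching packets. To run offline it constructs its own two-packet capture (one request carrying the Pony header, one ordinary request); the hosts, addresses and ports in that sample are made up.

```python
"""Search TCP payloads in a classic pcap for the Pony Accept-Encoding header.

Added illustration, not CapLoader's code. Minimal Ethernet/IPv4/TCP parser plus a
byte regex, with a constructed sample capture so it runs offline. All addresses,
ports and hostnames below are made up.
"""
import re
import struct

# The exact header seen in the Pony traffic, anchored by CRLF on both sides
# (the expression from the video, compiled for bytes).
PONY_ACCEPT_ENCODING = re.compile(rb"\r\nAccept-Encoding: identity, \*;q=0\r\n")

LINKTYPE_ETHERNET = 1


def iter_pcap_records(data):
    """Yield (linktype, frame_bytes) for each record of a classic libpcap file."""
    magic = data[:4]
    if magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    elif magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    else:
        raise ValueError("not a classic (libpcap) capture file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off = 24  # global header is 24 bytes
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def tcp_payload(linktype, frame):
    """Return (src, sport, dst, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if linktype != LINKTYPE_ETHERNET or len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:  # IPv4 carrying TCP only
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[data_off:]


def find_matches(pcap_bytes, pattern=PONY_ACCEPT_ENCODING):
    """Return (src, sport, dst, dport) for every packet whose TCP payload matches pattern."""
    hits = []
    for linktype, frame in iter_pcap_records(pcap_bytes):
        parsed = tcp_payload(linktype, frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        if pattern.search(payload):
            hits.append((src, sport, dst, dport))
    return hits


# --- constructed sample capture (made-up hosts, not real Pony traffic) --------

def _ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def _frame(src, sport, dst, dport, payload):
    """Build an Ethernet/IPv4/TCP frame; checksums are left zero (not validated here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_sample_pcap():
    """Two HTTP requests: one with the Pony header, one with an ordinary Accept-Encoding."""
    pony = (b"POST /gate.php HTTP/1.0\r\nHost: c2.example.test\r\nAccept: */*\r\n"
            b"Accept-Encoding: identity, *;q=0\r\nContent-Length: 0\r\n\r\n")
    normal = (b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"
              b"Accept-Encoding: gzip, deflate\r\n\r\n")
    frames = [_frame("10.0.0.5", 49152, "203.0.113.10", 80, pony),
              _frame("10.0.0.5", 49153, "203.0.113.20", 80, normal)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1548000000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for src, sport, dst, dport in find_matches(build_sample_pcap()):
        print(f"Pony Accept-Encoding header in {src}:{sport} -> {dst}:{dport}")
```

Point `find_matches` at `open("capture.pcap", "rb").read()` to scan a real capture (pcapng is not handled; convert first). The parser is deliberately per-packet, so a header split across two TCP segments would be missed, which is one reason to do the real work in a tool that reassembles streams. The same bytes, including the trailing CRLF, are what an IDS content match for this check-in would key on; the text of SID 2014411 itself is not reproduced here.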
Wanna learn more about the intended use of quality factors in HTTP accept headers?
Then have a look at section 5.3.4 of RFC 7231 (which obsoletes RFC 2616), which defines how to use qvalues (i.e. quality factors) in the Accept-Encoding header.
This network forensics video tutorial covers analysis of a malware redirect chain, where a PC is infected through the RIG Exploit Kit.
A PCAP file, from Brad Duncan's malware-traffic-analysis.net website,
is opened in NetworkMiner Professional in order to follow a redirect chain via a couple of hacked websites before delivering malware to the PC.
This network forensics video tutorial covers how to analyze SPAM email traffic from the Kelihos botnet.
The analyzed PCAP file comes from the Stratosphere IPS project,
where Sebastian Garcia and his colleagues execute malware samples in sandboxes.
The particular malware sample execution we are looking at this time is from the CTU-Malware-Capture-Botnet-149-2
dataset.
This second video in our series of network forensic video tutorials covers a quick
and crude way to scan a PCAP file for malware. It's all done locally without having to run the PCAP through an IDS. Kudos to Lenny Hanson for showing me this little trick!
We are releasing a
series of network forensics video tutorials
throughout the next few weeks.
First up is this analysis of a PCAP file containing network traffic from the "Zyklon H.T.T.P." malware.
Analyzing a Zyklon Trojan with Suricata and NetworkMiner