Phishing Emails and Malware Traffic Analysis

In this article, I use NetworkMiner, Wireshark and Hybrid-Analysis to analyze several malicious emails and a PCAP file that captured network traffic from a malware infection. The PCAP and email files belong to a blue-team-focused challenge on the CyberDefenders website, titled “Malware Traffic Analysis 5”, which was created by Brad Duncan.
Disclaimer
I like to add a brief disclaimer before a writeup to encourage people to attempt the challenge before reading this article, since there will obviously be spoilers in this writeup. I believe you will enjoy the challenge more if you attempt it yourself first and then come back to this writeup if you get stuck or need a hint. So without any further delay, let's get started!
Challenge Scenario
You’re working as an analyst at a Security Operations Center (SOC) for a Thanksgiving-themed company. One quiet evening, you hear someone knocking at the SOC entrance. As you answer the door, an exhausted mail server technician stumbles in and quickly falls to the floor. He whispers in a shaky voice, “Mail filters are down… Spam everywhere…”
As you help him up, he looks to the sky and yells, “The gates of hell have opened!”. The technician immediately collapses again and softly whispers, “The horror… The horror…”.
The mail filter outage lasted throughout the next day. Fortunately, very few incidents were reported. But one example caught your eye. During the mail filter outage, one of the company employees decided to play “email roulette.” The employee opened one of the malicious emails from his inbox and treated it as a legitimate message.
You acquired four malicious emails the employee received. You also received a pcap of traffic from his infected computer. Your task? Figure out which email was used to compromise the system.
Challenge Questions
1. c41-MTA5-email-01: What is the name of the malicious file?
I started by uploading the email to VirusTotal, where forty-one security vendors marked the email as malicious. Looking at the output for the email under the Behavior tab, I can see the name of the malicious file.

2. c41-MTA5-email-01: What is the name of the trojan family the malware belongs to? (As identified by emerging threats ruleset).
If we upload the mail to Hybrid-Analysis, we can see additional information about the mail and its related files.

If I select the malware filename, I can get additional information, such as falcon sandbox reports.

Reviewing this report, I can see Suricata alerts for the Upatre trojan malware family.

3. c41-MTA5-email-01: The malware dropped two malicious files with the same hash but with different names. Provide the SHA256 hash of those files? (Check the report submitted in 2015).
In Hybrid-Analysis, we can use the SHA256 hash of the malware identified earlier to search for any reports that were submitted in 2015. There are six reports returned, one of which was submitted in 2015.

If we scroll down the report to the extracted files section, we can see two files marked as malicious with the same SHA256 hash but different file names.

4. c41-MTA5-email-01: How many DNS requests were initiated by the malware? (Check the report submitted in 2015).
In the Hybrid-Analysis 2015 report, we can see that three DNS requests were made.

5. c41-MTA5-email-02: Multiple streams contain macros in this document. Provide the number of the highest one.
I extracted the attachment from the email and used OLETOOLS to analyze the file. If you want to learn more about OLETOOLS, I published an article where I used OLETOOLS to analyze malicious Microsoft word documents.
I started by using OLEID to analyze the file, and I can see that the file contains suspicious VBA macros.
oleid 'Bill Payment_000010818.xls'

Next, I can use OLEDUMP to analyze the streams and identify the highest stream that contains a MACRO:
python oledump.py 'Bill Payment_000010818.xls'

6. c41-MTA5-email-02: The Excel macro tried to download a file. Provide the full URL of this file?
There are two approaches to solving this. The first approach is to upload the Excel file to VirusTotal. Forty-four security vendors and one sandbox flagged this file as malicious. Under the Behavior tab, we can see the URL used by the macro to make an HTTP GET request to download the executable file.

The second approach is to extract and reverse engineer the VBA code from the Excel file. To extract the VBA code, we can use OLEVBA.
olevba -c "Bill Payment_000010818.xls"
This returns all the VBA source code of the macros without any further analysis. If we review the source code, we can see an array called “valdis” which contains a large number of values.

This is likely the URL in encoded form, so we need to identify how the macro recovers the original value. A little further down, I can see that the array is passed to a function called “Pochemu”.

I can see the word “GET” is present, which indicates that the value generated by the “Pochemu” function may be the URL used in the HTTP GET request seen earlier in VirusTotal. I searched for the function “Pochemu” and found its source code.

Based on the code for the “Pochemu” function, it performs the following:
1. The function takes two parameters:
   - A VBA Variant: a VBA variable that has not been declared with a specific data type, so it can hold any type of data a VBA variable is able to hold, whether text, numbers, dates, times or objects.
   - An Integer value called “oldLen”.
2. The “n” variable uses the LBound and UBound functions to determine the size of the array.
3. Arithmetic operations are performed on each Integer value in the array before it is converted into an ANSI character by the “Chr()” function.
Since we now have the source code for decoding the URL and the values used to encode it, we can use a simple Python script to replicate the arithmetic operations performed by the “Pochemu” function and retrieve the decoded URL.
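The decoder below is an added example and not the script from the original writeup. It mirrors the structure the “Pochemu” function is described with (array size from the bounds, one arithmetic step per element, then Chr()) but does not reproduce the real “valdis” array or the real arithmetic; instead it tries the simple per-element operations such macros commonly use and keeps the one that yields a URL, which is a useful fallback when the exact operation is unclear from the VBA. The sample array and the offset used to build it are constructed for this example.

```python
import string

# Constructed sample: a URL turned into an integer array by adding a fixed offset.
# The real macro's array and arithmetic are NOT reproduced here (assumption for demo).
SAMPLE_OLDLEN = 17
SAMPLE_VALDIS = [ord(c) + SAMPLE_OLDLEN for c in "http://example.invalid/file.exe"]


def candidate_transforms(old_len):
    """Yield (label, fn) pairs for the simple per-element operations macros tend to use."""
    for k in range(1, 256):
        yield f"sub {k}", lambda v, k=k: v - k
        yield f"add {k}", lambda v, k=k: v + k
        yield f"xor {k}", lambda v, k=k: v ^ k
    # The second macro parameter is often the key; try it explicitly as well.
    yield "sub oldLen", lambda v: v - old_len


def looks_like_url(text):
    """Accept only printable text that starts with a URL scheme."""
    return text.startswith(("http://", "https://", "ftp://")) and all(
        c in string.printable and c not in "\r\n\t\x0b\x0c" for c in text)


def decode_array(values, old_len):
    """Replicates the Pochemu shape: n from the array bounds, arithmetic, then Chr().
    Returns (transform_label, decoded_url) for the first transform that yields a URL,
    or (None, None) if none of the candidates do."""
    n = len(values)  # VBA: UBound(arr) - LBound(arr) + 1
    for label, fn in candidate_transforms(old_len):
        try:
            decoded = "".join(chr(fn(values[i])) for i in range(n))
        except ValueError:  # chr() of a negative result, transform cannot be right
            continue
        if looks_like_url(decoded):
            return label, decoded
    return None, None


if __name__ == "__main__":
    print(decode_array(SAMPLE_VALDIS, SAMPLE_OLDLEN))
```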

7. c41-MTA5-email-02: What is the name of the object used to get data from the download URL?
Looking at the first image of the “Pochemu” function from earlier, we can see an object called “read_same_ch_from3”. If we look at where the value for this object is set, we can see a partial string being concatenated with the “zilibobe” object value.

To reconstruct the full string, we need to identify the “zilibobe” object value. Looking further above in the VBA code, I can see the value is set to “t”.

We can now reconstruct the full string: Microsoft.XMLHTTP.
8. c41-MTA5-email-02: The Excel macro writes a file to the temp folder. Provide the filename?
Again, we can use VirusTotal to identify the filename written to the temp folder.

In the VBA code, we can see a function called “is_sqr_in_string”.

Based on the code for the “is_sqr_in_string” function above, I can write a simple Python script to reconstruct the filename written to TEMP.

9. c41-MTA5-email-03: Provide the FQDN used by the attacker to store the login credentials?
If we upload the email to VirusTotal, we can see a list of the FQDNs that were identified.

Next, we can extract the AmericanExpress.html attachment from the email and upload the file to Hybrid-Analysis. Reviewing the report generated, I can see eight HTTP GET requests using the “jpmmotos” FQDN.

10. c41-MTA5-email-04: How many FQDNs are present in the malicious js?
11. c41-MTA5-email-04: What is the name of the object used to handle and read files?
I started by extracting the malicious JS from the email attachment titled “fax000497762.zip”. The code sits on a single line and is difficult to read, so I ran it through a JavaScript beautifier to make it more legible.

Looking at the JavaScript, it appears to be reconstructing some JS code and then passing the “var” string value to it. I can pass the JavaScript to an online compiler and get the output.

At the top of the JavaScript output, we can see three domains listed. Further down, we can also see the name of the object used to handle and read files is “ADODB.Stream”.
12. c41-MTA5.pcap: The victim received multiple emails; however, the user opened a single attachment. Provide the attachment filename.
13. c41-MTA5.pcap: What is the IP address of the victim machine?
14. c41-MTA5.pcap: What is the hostname of the victim machine?
15. c41-MTA5.pcap: What is the FQDN that hosted the malware?
The following list of attachments were retrieved from the emails provided.
AmericanExpress.html
'Bill Payment_000010818.xls'
'dawning wall up.zip'
fax000497762.zip
Based on our previous analysis of the malicious attachment files, we can use Wireshark and NetworkMiner to look for any indicators that are related to one of these files. In NetworkMiner under the hosts tab, I started by identifying the infected endpoint. I can see a single Windows machine in the internal private network for the organization.

Next, under the Sessions tab I can see a session between the infected Windows host and one of the FQDNs identified earlier in the malicious JavaScript for question ten.

In NetworkMiner under the Files tab, I can also see that three executables disguised as GIF files were downloaded from the FQDN found in the malicious JavaScript.

In Wireshark, I can filter for the IP address of the FQDN and follow the TCP stream. In the TCP stream, I can see that the first response delivers a Windows/DOS executable file (note the MZ header) disguised as a GIF file.
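The mismatch spotted in the TCP stream (a “.gif” URL and an image Content-Type, but a body beginning with MZ) is the kind of check a detection rule can make automatically. The script below is an added example, not code from the writeup: it parses a raw HTTP response, sniffs the body's file signature and flags executables served as images. The response bytes, host and path are constructed for the example.

```python
# Constructed HTTP response shaped like the stream on this page: a ".gif" URL,
# an image/gif Content-Type, and a body starting with the MZ header of a DOS/PE
# executable. Host, path and body bytes are made up for the example.
SAMPLE_URL = "http://example.invalid/images/1.gif"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/gif\r\n"
    b"Content-Length: 64\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
)

# File signatures worth checking when an "image" download may really be a dropper.
MAGIC = [
    (b"MZ", "dos/pe executable"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),
]
DECLARED = {"image/gif": "gif", "image/png": "png", "image/jpeg": "jpeg",
            "application/zip": "zip", "application/x-msdownload": "dos/pe executable"}
IMAGE_EXTS = ("gif", "png", "jpg", "jpeg")


def parse_response(raw):
    """Split a raw HTTP response into a lower-cased header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def sniff_type(body):
    """Identify the body by its leading magic bytes rather than by what the server says."""
    for magic, kind in MAGIC:
        if body.startswith(magic):
            return kind
    return "unknown"


def check_download(url, raw):
    """Compare what the URL and Content-Type claim with what the body actually is."""
    headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    declared = DECLARED.get(ctype, ctype or "none")
    ext = url.rsplit("/", 1)[-1].rsplit(".", 1)[-1].lower()
    actual = sniff_type(body)
    disguised = actual == "dos/pe executable" and (declared != actual or ext in IMAGE_EXTS)
    return {"declared": declared, "ext": ext, "actual": actual, "disguised": disguised}
```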

Looking at the malicious JavaScript from earlier, we can also see that the URL structure matches the one seen in Wireshark.


This indicates that the victim opened the “fax000497762.zip” email attachment, which contained the malicious JavaScript.
16. c41-MTA5.pcap: The opened attachment wrote multiple files to the TEMP folder. Provide the name of the first file written to the disk?
Analyzing the malicious JavaScript, I can see that once the HTTP GET request is successful, the “saveToFile()” method is called with the parameters seen below.

The filename is composed of the value stored in the “fn” variable, the current value of the “n” variable and the string “.exe”. I can see that the “n” variable is the counter of the first for loop and the “fn” variable contains a static string value.


Since this is the first file, the “n” variable will be set to 1. The “fn” variable will then be concatenated with “n” and “.exe” to provide the following filename:
%TEMP%\7997551.exe
17. c41-MTA5.pcap: One of the written files to the disk has the following md5 hash “35a09d67bee10c6aff48826717680c1c”; Which registry key does this malware check for its existence?
To analyze the malicious Portable Executable (PE) file, I used pestudio, but if you are working on a Linux machine you can use the pev tools instead. Unlike some other tools, pestudio attempts to determine whether a file is malicious based on certain “indicators” it may have.

If I look at some of the top indicators found by pestudio, I can see that the malicious file references some suspicious strings. I can look at the strings found by pestudio and sort them by size.

I can see an unusual string that matches the answer format for this challenge and is the registry key used by the malware to check for its existence. You could also find this same string using “pestr” from pev tools.
pestr pe-file
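Pulling printable strings out of a binary, sorting them by length and filtering for anything shaped like a registry path is simple enough to script when pestudio or pestr is not at hand. The script below is an added example, not part of the writeup or of either tool; the byte blob it scans and the registry paths inside it are constructed stand-ins, and the real key from the challenge is not reproduced.

```python
import re

# Constructed stand-in for a PE file's bytes: a few ASCII strings separated by
# binary filler. Both registry paths are made up for this example.
SAMPLE_BINARY = (
    b"\x00" * 8 + b"MZ" + b"\x90\x00" * 6
    + b"kernel32.dll\x00" + b"\x01\x02\x03" * 5
    + b"GetProcAddress\x00" + b"\xff" * 9
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00" + b"\x00\x07" * 4
    + b"RegOpenKeyExA\x00" + b"\x10\x11\x12"
    + b"Software\\ExampleVendor\\ExampleMutexKey\x00" + b"\x00" * 10
)

# Strings that start like a registry hive or a path under SOFTWARE.
REG_KEY = re.compile(r"^(HKEY_[A-Z_]+\\|HKLM\\|HKCU\\|SOFTWARE\\|Software\\)[\w\\ .-]+$")


def extract_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like strings/pestr."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def strings_by_size(data, min_len=4):
    """The 'sort by size' step from the page: longest strings first."""
    return sorted(extract_strings(data, min_len), key=len, reverse=True)


def registry_candidates(data):
    """Strings that look like registry keys, longest first."""
    return [s for s in strings_by_size(data) if REG_KEY.match(s)]


if __name__ == "__main__":
    for s in strings_by_size(SAMPLE_BINARY):
        flag = "  <-- registry key?" if REG_KEY.match(s) else ""
        print(f"{len(s):3d}  {s}{flag}")
```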

18. c41-MTA5.pcap: One of the written files to the disk has the following md5 hash “e2fc96114e61288fc413118327c76d93” sent an HTTP post request to “upload.php” page. Provide the webserver IP. (IP is not in PCAP)
I can take the MD5 hash provided and submit it to Hybrid-Analysis. Looking at the last report for 2015, I can see that the PE executable for this hash made two HTTP POST requests to the “upload.php” page hosted on the webserver IP seen below.

19. c41-MTA5.pcap: The malware initiated callback traffic after the infection. Provide the IP of the destination server.
In Wireshark, I can navigate to “Statistics > Conversations > TCP” and sort the conversations by highest number of packets.

I can see that a large number of packets were exchanged between the infected host and the IP address highlighted above over port 80. In Wireshark, I filtered for the IP address and http traffic.
ip.addr == 109.68.191.31 && http
I can see an HTTP GET request is made from the infected machine to download a suspicious file.

If we look at the HTTP objects in Wireshark, we can see there is a large volume of suspicious traffic associated with this IP address, which is likely post-infection traffic.

Closing Remarks
I found this challenge was great for practicing with NetworkMiner, Wireshark and Hybrid-Analysis. I also really enjoyed working through the emails and PCAP challenge to understand how the Windows VM became infected. Thank you for reading till the end and keep hacking 😄!