2015/09/01

Network Forensics – Round 5: Ms. Moneymany’s Mysterious Malware


The puzzle:

It was a morning ritual. Ms. Moneymany sipped her coffee as she quickly went through the email that arrived during the night. One of the messages caught her eye, because it was clearly spam that somehow got past the email filter. The message extolled the virtues of buying medicine on the web and contained a link to the on-line pharmacy. “Do people really fall for this stuff?” Ms. Moneymany thought. She was curious to know how the website would convince its visitors to make the purchase, so she clicked on the link.

The website was slow to load, and seemed to be broken. There was no content on the page. Disappointed, Ms. Moneymany closed the browser’s window and continued with her day.

She didn’t realize that her Windows XP computer just got infected.

You are the forensic investigator. You possess the network capture (PCAP) file that recorded Ms. Moneymany’s interactions with the website. Your mission is to understand what probably happened to Ms. Moneymany’s system after she clicked the link. Your analysis will start with the PCAP file and will reveal a malicious executable.

Here is the network capture file for this puzzle. The MD5 hash of this PCAP file is c09a3019ada7ab17a44537b069480312.

Answer the following questions:

  • As part of the infection process, Ms. Moneymany’s browser downloaded two Java applets. What were the names of the two .jar files that implemented these applets?
  • What was Ms. Moneymany’s username on the infected Windows system?
  • What was the starting URL of this incident? In other words, on which URL did Ms. Moneymany probably click?
  • As part of the infection, a malicious Windows executable file was downloaded onto Ms. Moneymany’s system. What was the file’s MD5 hash? Hint: It ends on “91ed”.
  • What is the name of the packer used to protect the malicious Windows executable? Hint: This is one of the most popular freely-available packers seen in “mainstream” malware.
  • What is the MD5 hash of the unpacked version of the malicious Windows executable file?
  • The malicious executable attempts to connect to an Internet host using an IP address which is hard-coded into it (there was no DNS lookup). What is the IP address of that Internet host?

For this challenge I used a couple of new tools compared with previous rounds. Below is the list of tools I used:

  • Wireshark
  • NetworkMiner
  • Notepad++
  • UPX
  • 010 Editor
  • HashCalc
  • Buster Sandbox Analyzer
  • Sysinternals Strings

After verifying that the packet capture (infected.pcap) has the correct hash (c09a3019ada7ab17a44537b069480312), we are ready to start the round. Question one wants us to track down the names of the two .jar files that implemented the applets. There are a couple of different ways to attack this question. First, you could go to File > Export Objects > HTTP in Wireshark. In the window that pops up, you’ll see two .jar files named q.jar and sdfg.jar. You could also just do a Ctrl-F search for the string “.jar”.

Figure 1: File > Export Objects > HTTP
Figure 1.1: Both .jar files

Question 2 asks for Ms. Moneymany’s username on the infected Windows system. One way to track down the username is to open the pcap in NetworkMiner and go to the “Parameters” tab. There you’ll find the “guid” parameter, which contains the username/hostname of the infected Windows system. The username is ADMINISTRATOR (Figure 2).

Figure 2: ADMINISTRATOR

Moving on to question 3: what was the starting URL of this incident? In other words, on which URL did Ms. Moneymany probably click? We can answer this with a simple filter in Wireshark. Using the filter “http.request.method == GET” narrows the results down to the pages that Ms. Moneymany’s browser requested. The first result is “http://nrtjo[.]eu/true[.]php”, which is the starting URL of this incident (Figure 3).

Figure 3: GET requests filtered in Wireshark

Question 4 wants to know: as part of the infection, a malicious Windows executable file was downloaded onto Ms. Moneymany’s system. What was the file’s MD5 hash? Hint: It ends on “91ed”. There are a few ways to get the answer. You can open the pcap in NetworkMiner; under the “Files” tab you will find an executable named “file.exe”. Hashing that file gives “5942ba36cf732097479c51986eee91ed”. You can also carve the file out of the pcap using Wireshark and your favorite hex editor. The hash of the malicious executable can also be found by running Sysinternals Strings against the pcap. Below is a screenshot of the malicious file found using NetworkMiner:

Figure 4: file.exe under NetworkMiner’s “Files” tab

Question 5 asks for the name of the packer used to protect the malicious Windows executable. Hint: This is one of the most popular freely-available packers seen in “mainstream” malware. The hint they give us, plus a little Google searching if you need it, leads to the answer: UPX is the packer used to protect the malicious Windows executable.

Only a couple of questions to go. For question 6, we need the MD5 hash of the unpacked version of the malicious Windows executable. Run the packed file through UPX to unpack it, then run the resulting file through HashCalc to determine its MD5 hash. You should get a hash value of “0f37839f48f7fc77e6d50e14657fb96e”.

The final question asks us to figure out the following: The malicious executable attempts to connect to an Internet host using an IP address which is hard-coded into it (there was no DNS lookup). What is the IP address of that Internet host? To answer this, I ran the unpacked malicious file through Buster Sandbox Analyzer. After the run, the sandbox produces a nice report showing the external connections the malware makes. In this case, the IP address, and the answer to the final question, is “213.155.29.144”.
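As an added example (not part of the original write-up or of any of the tools listed above), here is a Python check for two of the steps covered in questions 5 and 7: whether a PE file carries UPX’s tell-tale UPX0/UPX1 section names, and which dotted-quad IPv4 strings are embedded in the unpacked file. The PE blobs are constructed inline as stand-ins for file.exe before and after unpacking; the 213.155.29.144 string is placed in the sample deliberately, since a real binary may store its address as a raw 32-bit value that a string scan would miss.

```python
import re
import struct

# ASCII dotted quads; the lookarounds stop "1.2.3.4" being pulled out of "1.2.3.4000".
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")

def pe_section_names(data: bytes) -> list[str]:
    """Walk DOS header -> PE signature -> COFF header -> section table; [] if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size          # section headers follow the optional header, 40 bytes each
    return [data[table + 40 * i:table + 40 * i + 8].split(b"\0", 1)[0].decode("ascii", "replace")
            for i in range(num_sections)]

def looks_upx_packed(data: bytes) -> bool:
    """Stock UPX renames the sections UPX0/UPX1 (plus UPX2 or .rsrc): the quick practitioner check."""
    return any(n.startswith("UPX") for n in pe_section_names(data))

def hardcoded_ipv4(data: bytes) -> list[str]:
    """Dotted-quad strings in the file with each octet validated; binary-encoded addresses are not seen."""
    found = []
    for m in IPV4_RE.finditer(data):
        s = m.group().decode()
        if all(int(o) <= 255 for o in s.split(".")) and s not in found:
            found.append(s)
    return found

def build_sample_pe(section_names: list[str], payload: bytes) -> bytes:
    """Constructed PE-shaped test blob (headers plus payload, not a runnable program)."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew: PE header right after DOS header
    coff = bytearray(20)                                  # Machine and SizeOfOptionalHeader left at 0
    struct.pack_into("<H", coff, 2, len(section_names))   # NumberOfSections
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + bytes(coff) + table + payload

# Constructed samples standing in for file.exe before and after `upx -d`.
PACKED = build_sample_pe(["UPX0", "UPX1", ".rsrc"], b"\x00" * 16)
UNPACKED = build_sample_pe([".text", ".rdata", ".data"],
                           b"connect 213.155.29.144\0ver 1.2.3.4000\0bad 999.1.1.1\0")
```

On a real unpacked sample the same scan runs as `hardcoded_ipv4(open("file.exe", "rb").read())`; if it returns nothing, the address is probably stored in binary form and the sandbox report remains the reliable source.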

