Malware Exercise 2016-12-17 Your Holiday Present

Below is my write-up of the latest exercise from Brad. There are two things that I learned from doing this exercise: 1) there is a difference between TCP Stream and HTTP Stream, as there is more information available in TCP Stream, and 2) how to convert an encoded file from base64 to ASCII. For this last one, I came across Matt Bromiley’s blog covering Brad’s exercise and this was included in his write-up. As usual, all artifacts for this write-up can be found over in my repo located here.

Executive Summary
=================
Based on my analysis, it looks as…

2017-01-05 Fareit/Pony Malware from Malspam

Happy New Year to everyone! Hope that everyone had a great holiday break. For the first post of the year, here is an example of a Fareit/Pony (Suricata) or Phoenix/Zeus (Snort) trojan that I was able to find in the email filters. For more information about this malware please check out Fortinet’s post about it here. Like usual, the artifacts from this investigation can be found over in my Github repo here.

Indicator(s) of Compromise
=========================
62.108.34.152 / ssstpc.usa.cc (Port 80)

Artifacts from Investigation
=============================
File name: PURCHASE ORDER.gz
File size: 117KB
MD5 hash: 83e493c4330bf53196d1ebfc1c9631f3
Virustotal: http://www.virustotal.com/en/file/b42a61b173e07385bfe0ae34153b61538ec916484f1653144223d63dee8cfc4e/analysis/
Detection ratio: 14…

2016-12-15 Crypt0L0cker Infection from Phishing Site

Here is an example of a Crypt0L0cker infection that I got from my Twitter feed. Thanks go to @JAMESWT_MHT as he was the one that reposted the finding from @SettiDavide89. Below is my write-up for this one. The artifacts from this investigation can be found in my Github repo.

Indicators of Compromise
========================
5.200.35.167 / t2e.sda-express15.org (HTTP)
192.208.177.163 / inotechsalamat.com (HTTP)
154.35.32.5 (Only a SYN packet – no response)
94.177.12.9 / ukakal.shokogot.com (HTTPS)
94.177.12.9 / ulehyrabydo.shokogot.com (HTTPS)
94.177.12.9 / ohwvilubiki.shokogot.com (HTTPS)
86.59.21.38 / www.mk84h3987i4822ak.com (HTTPS)

Artifacts From Investigation
============================
File Name: sda_express.zip
File size: 5KB
MD5 hash: 1baace2a5e0f9921ca5e497ad80b60b2
Virustotal:…

2016-12-14 Malspam Leads to New Version of Locky

Here is another example of the latest version of Locky that I saw being delivered via some malspam. This time the email poses as a certificate for a parcel being sent. For more information about this new version of Locky, please see the article over on Bleeping Computer or Google it, as there are a lot of resources out there talking about it. For the artifacts found from this infection, please see my Github repo here.

Indicators of Compromise
========================
74.208.1136.182 / mintthaicafe.com
86.110.117.155

Artifacts From Investigation
============================
File Name: q82iGnKI5
File size: 168KB
MD5 hash: 996d8e3da574021232469243cf006eb3
Virustotal: NA…

Malware Exercise 2016-11-19 A luminous future

Brad has a new one out and I figured that I would take a break from studying to crank this one out. Artifacts for this exercise can be found here. Hope that everyone has a great Thanksgiving this week!

Executive Summary
=================
Based on what is in the PCAP, there are two issues going on. The first issue is that the user went to a compromised site called www[.]spoofee[.]com which had a malicious script injected into it which directed the user to another site which used a Flash exploit from the Rig EK (exploit kit) against the client system. This…

Malware Exercise 2016-10-15 Crybaby businessman

So it has been a while since I have updated the blog. The joys of trying to study for the SANS GCIA while also working and trying to squeeze in some time for the family as well. So I thought that I would pick up on the latest exercise that Brad published (granted it was from last month). As usual, the artifacts found in this investigation can be found in my Github repo located here. Once I have taken the test (and hopefully passed it), I can get back to writing more stuff and trying to figure out how the…

2016-09-28 Malspam and Cerber3 Infection

So it has been a while since I have written something for the blog, so I apologize for that. With that being said, here is a quick example of some malspam leading to a Cerber3 infection. Like its previous versions, the delivery method for this one was via email with a malicious attachment. In this case the zip file was password protected, which contained the malicious Word document. All the artifacts that I could gather along with the PCAP can be found at my Github repo here.

Indicators of Compromise
========================
rDNS: 0.234.184.31.in-addr.arpa – 52uo5k3t73ypjije.dk0urs.bid
btc.blockr.io (Port 80)
http://80.82.64.45/~yakar/msvmonr.exe (Port…

2016-08-05 Malspam Leads To Nemucod/Zepto Ransomware

For this blog post I am covering what looks to be a new variant of Locky ransomware called “Zepto” which also uses Nemucod as its downloader. As of right now it looks like the main attack vector for Zepto is emails pretending to be something else (in this case a JPG in a zip archive) attached to an email, as you can see below: For some more information about this new variant of Locky please check out The Register’s article about it here. Also, the artifacts from this investigation along with the PCAP and Process Monitor logs can be found…

2016-07-20 Another Nemucod/Kovter Malspam Example

Here is another example of Nemucod/Kovter that I saw at work. It very much resembles another one that I saw and wrote up a while ago (see http://www.herbiez.com/?p=535). For more information about how Nemucod/Kovter keeps its persistence on the host system, please read this excellent blog post on MalwareBytes’ blog here. Since the MalwareBytes’ blog covers the filesystem aspect incredibly well, I am not going to talk about it here, since this one mimics what is seen in the blog post. Also, if you would like to see the artifacts found in this investigation, please see the Github repo…

2016-06-30 Cerber infection from Malspam

So this past week I went trolling through the email filters at work to see what “goodies” I could find that it had blocked. A lot of the ones that I had tested and played around with either 1) did not work since the callbacks were already fixed, or 2) would not detonate fully on my test VM. Yesterday I was finally lucky to find one that was fully operational and worked. The email was very simple and had a zip file attached to it that held a JavaScript file which led to a Cerber infection. For all the artifacts…
