2016-02-02 Malicious Jar Attachment

IoC from this investigation:
============================
myson123456[.]ddns[.]net
178.32.72.136:2550

Here is another example of an email that most users get, claiming that they (the user) have something that they need to take action on. In this case it is a malicious Java file. Thankfully most email gateways block these types of files from ever reaching the user base. Let’s dig in. The Java file has the following characteristics:
File Name: payment..jar
Size: 118KB
MD5: f4b463e4df4ef274a198bfb07ed3e6cd
SHA256: f4c93ab532e53274bd97c00fccba3b231de0832e743879380f7af7bf81aef60f
Virustotal Link: http://www.virustotal.com/en/file/f4c93ab532e53274bd97c00fccba3b231de0832e743879380f7af7bf81aef60f/analysis/
Detection Ratio: 25 / 54
First Submitted: 2016-02-07 21:28:02 UTC
Malwr link: http://malwr.com/analysis/Y2FmYjEwNGM0MjM5NDBmYWI3YTdjYjJkOTRjY2M5OWY/
Since this is a Java file, I usually like to…

2016-02-01 Failed Dridex Word doc email

Today, while investigating the normal events of the day, we found that some employees had been sent phishing emails (related to the latest round of Dridex) with a Word document attached. The email is shown below: The attached Word document has the following properties: The interesting thing about this Word doc, and a couple of the others that came in as well, was that I could not extract the contents from the doc via 7-Zip, and OfficeMalScanner did not recognize it as an OLE file either, as you can see below: So I opened it up in Notepad++…

Malware Exercise 2016-01-07 Alerts On Three Different Hosts

Hello and Happy New Year to you all. Now that the holidays are done, it is time to get back into the swing of things and start with the malware exercises. So here is another one from Brad (the first of the year actually). As usual, to find the artifacts from my investigation into this, please see my Github for this exercise here. The following are my results.
– Date and time range of the traffic you’re reviewing.
> 22:05:47 – 22:17:18 Duration: 00:11:31
– IP address, MAC address, and host name for each of the 3 computers in the…

SANS Holiday Hack Challenge – Part I

I figured that I would attempt the annual SANS Holiday Hack Challenge this year while things were slow at work (knock on wood). So after working on this for 2-3 days, I have managed to knock out the first of the questions:
1) Which commands are sent across the Gnome’s command-and-control channel?
2) What image appears in the photo the Gnome sent across the channel from the Dosis home?
The way I got the answers for this first set of problems was not “creative” by any stretch of the imagination. If anything it was just manually…

Damn Malicious Word docs – Part 2

With the push of the Christmas season upon me and my family, it has taken some time to get back to this. That being said, I have come back to it only to find out that the malicious Word doc is not working fully at the present time – most likely since the compromised server is no longer up or has been fixed. But here is the little bit that I got from running the Word doc. After running the malicious Word doc within my test VM, I could see a call being made to an IP address of…

Damn Malicious Word docs – Part 1

The reason for this post is that I could not remember how to extract the script from a malicious Word document. Damn old age and lack of coffee! Like anyone in a SOC role, you most likely get a lot of emails sent to you (or your distro) about odd/weird/humorous emails that people are not sure about. It is up to you and the team in the SOC to figure out whether the email is malicious or not. So yesterday someone sent in an email from someone else saying that they would like to work for the company and…

Malware Exercise 2015-11-24 Goofus and Gallant

So this one has a great comical backstory – how the user (ironically from the SOC) Tom brought his personal laptop in and managed to get his system infected while looking for a shotgun to go hunting with. Outside of making me and one of my co-workers laugh at the scenario (and then another one asking if this could be based on a real event – lol), there is one thing that I learned from this and it was from reading the answers. Brad explains how he went about finding the start of the infection chain from working backwards using…

Malware Exercise 2015-11-06 Email Roulette

So here is my write-up of the latest malware exercise from Brad. Needless to say, his description of the events that led up to the infection is hilarious. Another great exercise to say the least. As usual, if you spot something off or something that I could improve on, drop me a comment below.
Summary of the Investigation
==============================
– Date and time of the activity.
> 2015-11-06 @ 16:22
– The infected computer’s IP address.
> 10.3.66.103
– The infected computer’s MAC address.
> Dell 00:24:e8:2d:90:81
– The infected computer’s host name.
> STROUT-PC
– Domains and IP addresses…

Malware Exercise 2015-10-28 Midge Figgins Infected Her Computer

So here is the latest one from Brad – another good exercise to say the least! One thing to note about this one is that I had some issues extracting objects from the PCAP using Wireshark. In those cases I was able to use CapTipper to extract the HTTP object. Also, I am re-organizing my Github so the individual files from the different labs can be downloaded individually and not as one huge download. Update 06/11/2015 – So after reading Malware Kiwi’s blog post with his results, and talking to some of the guys at work that did the…

Malware Exercise 2015-10-13 – Halloween-Themed Host Names

Just posting my write-up of another one of Brad’s exercises. You can find the answers to this exercise from Brad here. The other interesting bit that I came across while researching different aspects of this exercise was another researcher who had worked on the same one as well. Check out his blog here, or his Twitter feed here. Here are my results from this exercise.
– Date and time of the activity.
> User1 = 10.12.2015 18:55 – 19:10
> User2 = 10.12.2015 23:30 – 23:39
– The infected computer’s IP address.
> User1 = 10.0.15.202
> User2 = 172.16.95.97…