Category: Packet Analysis

Just posting my write-up of another one of Brad’s exercises. You can find the answers to this exercise from Brad here. The other interesting bit that I came across while researching different aspects from this exercise was another researcher that had worked on the same one as well. Check out his blog here, or his Twitter feed here. Here are my results from this exercise. – Date and time of the activity. > User1 = 10.12.2015 18:55 – 19:10 > User2 = 10.12.2015 23:30 – 23:39 – The infected computer’s IP address. > User1 = 10.0.15.202 > User2 = 172.16.95.97…

Continue reading

So while waiting for Brad to come up with his next exercise, I figured that I would do some lab work “independently” while I waited. So I went over to Threatglass to see what I could find there. This one stood out to me being half-Korean and all so I figured that I would try my hand at it. The one that I used is from the Korea Times website. There you can find the PCAP and the screenshots that Threatglass posts. One thing that I wanted to note here is my lack of knowledge and understanding around how to…

Continue reading

So I am a little late with this one as I just could not find the mental capacity to finish this one on time due to a head cold that turned into a sinus infection (which I am still fighting). Based on what Brad had said about this one, it was one of his more “tricky” exercises and some of the other analysts seem to confirm that as well. With that being said, I seem to get the gist of it pretty quickly. The thing that threw me off was the fact that I did not see the traffic hitting…

Continue reading

TL;DR Basically this is one of Brad’s typical spot the malware within the PCAP from a drive-by infection. Nothing exciting like the previous one, but still good practice. Unfortunately I did get some of this one wrong (stupid me for not updating Snort rules in Security Onion). Also, one thing to note about this one that threw me for a loop. Trying to export objects in Wireshark did not work for me. I ended up using CapTipper’s “dump” command to export all the objects from the PCAP into a directory. My Results IP address of the Windows computer that was…

Continue reading

Prologue about this and future “Malware Excercise” posts I have been wanting to blog about my experiences playing with malware and trying to figure out how they work, techniques that helped me dissect them, tools that I used, etc… but never really had the chance/time to sit down and do it outside of work. Since Security Researcher Brad Duncan (follow him on Twitter or via his site at Malware Traffic Analysis) has started to do lab exercises for other researchers/analysts I figured that it would be a good way of killing two birds with one stone (doing the exercise and…

Continue reading

So while at work the other day I came across an interesting alert that, thankfully, was not successful. The following is what I got once I got home and was able to run this on my test VM. So let the party begin! The start of the infection chain starts here via this site (which I searched from Google): hxxp[:]//emmalinebride[.]com/decor/best-ombre-wedding-ideas/&rct=j&frm=1&q=&esrc=s&sa=U&ei=i7zbVLvYHovdatCRgqgF&ved=0CBQQFjAA&usg=AFQjCNEcGHpoa885u50SmO64kUXJ_gUH-Q Once the page loaded, there was an interesting call on port 8085 as you can see below: GET /adm/lines.php?norway=3 HTTP/1.1 Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */* Referer: http://emmalinebride.com/decor/best-ombre-wedding-ideas/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1;…

Continue reading

This is my last post about this particular malicious email that I got in the mail sometime last week. If you have not read the other posts about this email (looks to be in the Dyre malware family), please see part one here and part two here.

Continue reading

As the title suggest, this is the continuation of my investigation into a malicious Dyre email that I received a while back. If you did not see my initial post (and mind you, first blog about malware analysis), then you can find that here. The other thing that I am going to do is use  a new tool created by Omri Herscovici called CapTipper. For more information about this tool, check out his page here.

Continue reading

So I figured that it is time that I start putting SO (Security Onion) to good use and start trying to find malware to dissect. So I started going through the SPAM/JUNK mail folders in the different email accounts that I have. After checking several emails, I came across the following email: From: “invoice” <no-replay@invoice.com> To: <redacted> Subject: Employee Documents – Internal Use The email headers for this are as follows: Delivered-To: redacted Received: by 10.96.187.137 with SMTP id fs9csp1765471qdc; Wed, 21 Jan 2015 04:48:40 -0800 (PST) X-Received: by 10.229.102.68 with SMTP id f4mr57827176qco.15.1421844520124; Wed, 21 Jan 2015 04:48:40 -0800…

Continue reading