{"id":457,"date":"2016-04-22T17:00:49","date_gmt":"2016-04-22T16:00:49","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=457"},"modified":"2016-04-22T17:00:49","modified_gmt":"2016-04-22T16:00:49","slug":"malware-exercise-2016-04-16-playing-detective","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=457","title":{"rendered":"Malware Exercise 2016-04-16 Playing detective"},"content":{"rendered":"<p>So here are my answers for the latest exercise from Brad. This one threw me off a bit as I thought that I was missing something when reviewing the PCAP since I was not seeing the &#8220;usual&#8221; things that I have come to expect from Brad when doing these exercises. It reminded me of when I was in school and would get through an exam with plenty of time to spare. I would then look around and see that the rest of the class was still chugging through the test. Then self-doubt would kick in. Did I miss something, or did I rush through this? And then I would spend the rest of the time double-checking my answers and second-guessing myself.<\/p>\n<p>So here are my results from this exercise. Hopefully I did not miss something&#8230; <\/p>\n<p>About the Investigation<br \/>\n=======================<br \/>\n\u2013 Date and time range of the traffic you\u2019re reviewing.<br \/>\n&gt; First packet: 2016-04-15 23:50:49 \/ Last packet: 2016-04-16 00:01:19<\/p>\n<p>\u2013 IP address, MAC address, username, and host name.<br \/>\n&gt; 172.16.155.254 \/ 00:0b:46:7f:9e:22 \/ manny.lehman@mailinator.com \/ MANNY-PC<\/p>\n<p>\u2013 Description of the activity (what happened, if the host became infected, any details, etc.).<br \/>\n&gt; Based on what I am seeing in the PCAP, the user used Bing to find the website &#8220;billinggoldspal[.]com.&#8221; The site landed the user on a fake login page for what looks like an Apple page. The user then proceeded to enter their information into this fake site. 
Outside of that, there does not look to be anything malicious in the traffic or anything malicious downloaded to the user&#8217;s system.<\/p>\n<p>\u2013 A conclusion with recommendations for any follow-up actions.<br \/>\n&gt; User education on what to look for when it comes to phishing sites asking for the user&#8217;s information would be a great start. I would also block this IP\/FQDN at the perimeter to make sure that the user cannot visit this site again from the corporate network.<\/p>\n<p>\u2013 Indicators of Compromise (IP, FQDN, etc\u2026)<br \/>\n&gt; 91.194.91.203 \/ billinggoldspal[.]com<\/p>\n<p>Notes from the investigation:<br \/>\n=============================<\/p>\n<p>Performing the usual steps for when I look at these types of PCAPs (Statistics &#8211;&gt; Protocol Hierarchy and Conversations) showed that most of the communication was over TCP and via ports 80 and 443. There was no evidence of any callbacks on strange ports or anything like that. I also noticed that the DNS of the system was set up to use Google&#8217;s DNS servers and not the local ISP&#8217;s DNS or the router that the system was sitting behind. From there I used the filter &#8220;http.request&#8221; to see what sites were found in the PCAP while also looking at the HTTP Objects to see what types of files are in the PCAP. Nothing stood out here.<\/p>\n<p>I then used the alerts found in Suricata, which gave me a clue:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nCount:1 Event#3.13546 2016-04-15 23:34:01\r\nETPRO CURRENT_EVENTS Successful Paypal Phish Dec 8 M2\r\n172.16.155.149 -&gt; 91.194.91.203\r\nIPVer=4 hlen=5 tos=0 dlen=634 ID=0 flags=0 offset=0 ttl=0 chksum=47435\r\nProtocol: 6 sport=49273 -&gt; dport=80\r\n\r\nSeq=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=3 chksum=0<\/pre>\n
<p>Looking at the page via the filter &#8220;http.host == &#8220;billinggoldspal.com&#8221;&#8221;, I then saw what looked to be a fake Apple site, as you can see below:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n\tGET \/cola\/153b7ff4a55eb44e549bcd88c8c11368\/index\/web\/Login\/index.php HTTP\/1.1\r\n\tAccept: text\/html, 
application\/xhtml+xml, *\/*\r\n\tAccept-Language: en-US\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko\r\n\tAccept-Encoding: gzip, deflate\r\n\tHost: billinggoldspal.com\r\n\tDNT: 1\r\n\tConnection: Keep-Alive\r\n\t\r\n\tHTTP\/1.1 200 OK\r\n\tDate: Fri, 15 Apr 2016 22:55:03 GMT\r\n\tServer: Apache\/2.4.18 (Unix) OpenSSL\/1.0.1e-fips mod_bwlimited\/1.4\r\n\tX-Powered-By: PHP\/5.5.33\r\n\tKeep-Alive: timeout=5, max=100\r\n\tConnection: Keep-Alive\r\n\tTransfer-Encoding: chunked\r\n\tContent-Type: text\/html<\/pre>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-22-at-4.39.20-PM.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-22-at-4.39.20-PM.png\" alt=\"\" width=\"1706\" height=\"1094\" class=\"aligncenter size-full wp-image-461\" \/><\/a><\/p>\n<p>I also see some POSTs to this site. Using the &#8220;http.request.method == &#8220;POST&#8221;&#8221; filter, I see that the user believed this was a legitimate site and gave the actor all the information they wanted, as you can see below:<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/04\/IMG1.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/04\/IMG1.png\" alt=\"\" width=\"2150\" height=\"733\" class=\"aligncenter size-full wp-image-448\" \/><\/a><br \/>\n<a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/04\/IMG2.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/04\/IMG2.png\" alt=\"\" width=\"2148\" height=\"808\" class=\"aligncenter size-full wp-image-446\" \/><\/a><br \/>\n<a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/04\/IMG3.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/04\/IMG3.png\" alt=\"\" 
width=\"2145\" height=\"903\" class=\"aligncenter size-full wp-image-447\" \/><\/a><br \/>\n<a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/04\/IMG4.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/04\/IMG4.png\" alt=\"\" width=\"2149\" height=\"819\" class=\"aligncenter size-full wp-image-449\" \/><\/a><\/p>\n<p>From there I am not seeing anything else malicious in the traffic. Checking VirusTotal for this site, I am seeing that this has been labeled as a malicious site:<\/p>\n<p>\tURL: hxxp[:]\/\/billinggoldspal[.]com\/cola\/153b7ff4a55eb44e549bcd88c8c11368\/index\/web\/Login\/index.php<br \/>\n\tFirst Submission: 2016-04-15 23:45:44 UTC<br \/>\n\tDetection ratio: 8 \/ 67<br \/>\n\tVirusTotal link: <a href=\"http:\/\/www.virustotal.com\/en\/url\/2b235f9d2e960accdb6803f75dad149c679815328ce933d0fcc94a083352ea0c\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/url\/2b235f9d2e960accdb6803f75dad149c679815328ce933d0fcc94a083352ea0c\/analysis\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>So here are my answers for the latest exercise from Brad. This one threw me off a bit as I thought that I was missing something when reviewing the PCAP since I was not seeing the &#8220;usual&#8221; things that I have come to expect from Brad when doing these exercises. It reminded me of when I was in school and would get through an exam with plenty of time to spare. I would then look around and see that the rest of the class was still chugging through the test. Then self-doubt would kick in. 
Did I miss something, or&#8230;<\/p>\n<p> <a class=\"continue-reading-link\" href=\"https:\/\/www.herbiez.com\/?p=457\"><span>Continue reading<\/span><i class=\"crycon-right-dir\"><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-457","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/457","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=457"}],"version-history":[{"count":11,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/457\/revisions"}],"predecessor-version":[{"id":476,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/457\/revisions\/476"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=457"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=457"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=457"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}