{"id":63,"date":"2015-01-26T23:01:57","date_gmt":"2015-01-26T23:01:57","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=63"},"modified":"2015-01-26T23:07:44","modified_gmt":"2015-01-26T23:07:44","slug":"part-2-of-nice-email-subject-employee-documents-internal-use","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=63","title":{"rendered":"Part 2 of 3 : Nice email – Subject: Employee Documents – Internal Use"},"content":{"rendered":"

As the title suggest, this is the continuation of my investigation into a malicious Dyre email that I received a while back. If you did not see my initial post (and mind you, first blog about malware analysis), then you can find that here<\/a>. The other thing that I am going to do is use\u00a0 a new tool created by Omri Herscovici called CapTipper<\/em>. For more information about this tool, check out his page here<\/a>. <\/p>\n

Last time, I had clicked the link and had received the file that was masked as a PDF but was really an executable and ran that. One of the artifacts that was left from that run was a file called informix.exe<\/em> as you can see below:<\/p>\n

\"Informix<\/p>\n

Now let’s see what happens when I run this file on my VM and what Security Onion comes back with.<\/p>\n

So after clicking on the above EXE, I did see that there was outbound traffic from the VM. And very quickly I saw a file being written the to %TEMP% folder and then deleted (along with the Informix.exe file too). I was not able to make a copy of this file as you can see here:<\/p>\n

\"\"<\/a><\/p>\n

So with a saved PCAP file from this run in hand, I fired up CapTipper to start the analysis:<\/p>\n

\n

mine:~ guido$ captipper Downloads\/CapTipper-master\/ex2.pcap
\nCapTipper v0.1 – Malicious HTTP traffic explorer tool
\nCopyright 2015 Omri Herscovici <omriher@gmail.com><\/p>\n

[A] Analyzing PCAP: Downloads\/CapTipper-master\/ex2.pcap<\/p>\n

[+] Traffic Activity Time: Sun, 01\/25\/15 21:01:56
\n[+] Conversations Found:<\/p>\n

<redacted>
\n4: \/2101uk22\/VULN-WINDOWS\/1\/0\/0\/ ->\u00a0 (4.html) [ B]
\n5: \/mandoc\/info22.pdf -> application\/pdf (info22.pdf) [431558 B]
\n6: \/2101uk22\/VULN-WINDOWS\/41\/7\/4\/ ->\u00a0 (6.html) [ B]
\n7: \/2101uk22\/VULN-WINDOWS\/0\/61-SP1\/0\/ ->\u00a0 (7.html) [ B]<\/p>\n

[+] Started Web Server on http:\/\/localhost:80
\n[+] Listening to requests…<\/p>\n

CapTipper Interpreter
\nType ‘open <conversation id>’ to open address in browser
\ntype ‘hosts’ to view traffic flow
\nType ‘help’ for more options<\/p>\n<\/blockquote>\n

The above command takes the PCAP and starts off by looking at what “conversations” have been established (from what it looks like this is synonymous with the tcp.stream in Wireshark). As we can see, there was not many conversations from this malware sample. This is also further substantiated by typing ‘host’ at the command line:<\/p>\n

\nCT> hosts
\nFound Hosts:<\/p>\n

202.153.35.133:44154
\n\u251c– \/2101uk22\/VULN-WINDOWS\/1\/0\/0\/\u00a0\u00a0 [4]
\n\u2514– \/2101uk22\/VULN-WINDOWS\/0\/61-SP1\/0\/\u00a0\u00a0 [7]<\/p>\n

dipford.com
\n\u2514– \/mandoc\/info22.pdf\u00a0\u00a0 [5]<\/p>\n

202.153.35.133:44111
\n\u2514– \/2101uk22\/VULN-WINDOWS\/41\/7\/4\/\u00a0\u00a0 [6]<\/p>\n<\/blockquote>\n

The pages from the IP 202.153.35.133 (conversations 4, 6, and 7) don’t seem to load anything since CapTipper is saying their is no size in bytes associated with them. Doing a simple ‘head 7’ or ‘body 7’ does not yield anything. So opening the PCAP up in Wireshark I see the following associated with conversation 7:<\/p>\n

\nGET \/2101uk22\/VULN-WINDOWS\/0\/61-SP1\/0\/ HTTP\/1.1
\nUser-Agent: Mazilla\/4.0
\nHost: 202.153.35.133:44154
\nCache-Control: no-cache\n<\/p><\/blockquote>\n

Once again, we can see that the name of the VM is being passed to the destination server. Based on some other reading of the Dyre malware that I have done, I am assuming that this is a GET request for a script tailored to the OS the VM is running. Unfortunately nothing was returned. The only connection that seemed to be made was in conversation 5 as you can see below:<\/p>\n

\nCT> info 5
\nInfo of conversation 5: <\/p>\n

SERVER IP : 209.235.144.9:80
\n HOST : dipford.com
\n URI : \/mandoc\/info22.pdf
\n REFERER :
\n RESULT NUM : 200 OK
\n RESULT TYPE : application\/pdf
\n FILE NAME : info22.pdf
\n LENGTH : 431558 B<\/p>\n

CT> head 5
\nDisplaying header of object 5 (info22.pdf):<\/p>\n

HTTP\/1.1 200 OK
\nDate: Sun, 25 Jan 2015 21:02:55 GMT
\nLast-Modified: Wed, 21 Jan 2015 07:29:23 GMT
\nAccept-Ranges: bytes
\nContent-Length: 431558
\nContent-Type: application\/pdf
\nSet-Cookie: TS0194eee0=0187bed8eabec43d67d7d84e5e396e8b0176d0ce65ccdf1666265c0a8569af316a9945f507; Path=\/\n<\/p><\/blockquote>\n

So now let’s pull the PDF out of the PCAP, check VirusTotal for any results the PDF may have, and save that for the final post:<\/p>\n

\nCT> dump 5 Downloads\/pcap_pdf.pdf
\n Object 5 written to Downloads\/pcap_pdf.pdf<\/p>\n

CT> vt 5
\n VirusTotal result for object 5 (info22.pdf):<\/p>\n

Detection: 0\/56
\n Last Analysis Date: 2015-01-23 17:05:06
\n Report Link: http:\/\/www.virustotal.com\/file\/0a7b28753a7d3eafea885551b6495ae55ce75042203f8a1a92631b9b219a8893\/analysis\/1422032706\/\n<\/p><\/blockquote>\n

With that said, next time we will take a look at the last part of this, the PDF, and see what happens. Stay tuned.<\/p>\n","protected":false},"excerpt":{"rendered":"

As the title suggest, this is the continuation of my investigation into a malicious Dyre email that I received a while back. If you did not see my initial post (and mind you, first blog about malware analysis), then you can find that here. The other thing that I am going to do is use\u00a0 a new tool created by Omri Herscovici called CapTipper. For more information about this tool, check out his page here.<\/p>\n

Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-63","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/63","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=63"}],"version-history":[{"count":12,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/63\/revisions"}],"predecessor-version":[{"id":78,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/63\/revisions\/78"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=63"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=63"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=63"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}