Windows 10 Malware Analysis Exercise in CloudShark

CloudShark developer and packet guru Tom Peterson has been deep in the trenches doing malware analysis exercises from malware-traffic-analysis.net to learn how to best use CloudShark and our Threat Assessment add-on to get to the root of malicious activity. Let’s join him now for his latest exercise.

What’s up with this Windows 10 PC?

Hi all! Tom here from CloudShark Support. One of the latest exercises from malware-traffic-analysis.net involves seeing some malicious traffic coming from a Windows 10 PC, as set up in the 2017-10-21 malware traffic analysis exercise.

Here’s what I found when digging through it, and how you can solve problems like these using CloudShark.

The exercise - starting with the capture

Here is a link to the capture on CloudShark:

https://www.cloudshark.org/captures/7f2c7ebfb43d

All we know for this exercise is that something happened to a Windows 10 PC sent to the future with Doc Brown and Marty McFly. We need to figure out:

  • Date, start time, and end time of the malicious activity in UTC (GMT).
  • IP address of the Windows host in the pcap.
  • MAC address of the Windows host in the pcap.
  • Host name for the Windows host in the pcap.
  • What type(s) of malicious activity were noted.
  • Indicators of the malicious activity (IP addresses, domain names, file hashes, etc).
  • A summary of what happened.

Our solution

Information about the infected machine

I started by getting some information about the Windows host we captured the network traffic from.

We can look at the DHCP traffic in this capture to get the IP address, MAC address, and host name of the Windows host.

From this DHCP traffic we can determine:

  • IP Address: 10.0.1.95
  • MAC Address: 60:a4:4c:6a:b2:1f
  • Host Name: DELOREAN-PC

If we needed to track this machine down later and remove it from the network this information would help us find it.
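The same three fields can be read straight out of a raw DHCP payload. This is an added example, not CloudShark code or part of the original exercise; the sample message is constructed from the values listed above, and taking the IP address from the Requested IP Address option (50) of a client Request is an assumption about where it appears.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options

def parse_dhcp(payload):
    """Extract client MAC, host name and requested IP from a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    if hlen > 16:
        raise ValueError("bad hardware address length")
    info = {"mac": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
            "hostname": None, "requested_ip": None, "msg_type": None}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == 12:           # Host Name
            info["hostname"] = value.decode("ascii", "replace")
        elif code == 50 and length == 4:   # Requested IP Address
            info["requested_ip"] = socket.inet_ntoa(value)
        elif code == 53 and length == 1:   # DHCP Message Type
            info["msg_type"] = value[0]
        i += 2 + length
    return info

def build_sample_request():
    """Constructed DHCP Request carrying the values found in the capture."""
    zero = b"\x00" * 4
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234,
                         0, 0, zero, zero, zero, zero,
                         bytes.fromhex("60a44c6ab21f"), b"", b"")
    name = b"DELOREAN-PC"
    options = (b"\x35\x01\x03" + b"\x32\x04" + socket.inet_aton("10.0.1.95")
               + bytes([12, len(name)]) + name + b"\xff")
    return header + MAGIC_COOKIE + options

print(parse_dhcp(build_sample_request()))
```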

Malicious activity

This capture in CloudShark already has the HTTP column preset applied for all users. If we filter on HTTP Requests and SSL Client Hello messages we can see what servers the Windows machine accessed over HTTP and HTTPS. I started here to get an idea of what the user might have been doing in this capture and it looks like we see some HTTPS traffic to messaging.office.com which seems like a user checking their e-mail. After that we see the Windows host requesting an EXE file over HTTP. That smells like something malicious right away! I made a quick annotation so that I remember where this is. Later I can get a copy of this file with the HTTP Objects analysis tool and submit it to VirusTotal and reverse.it to see if these services detect it as malicious.

Moving on I found some HTTP POSTs that didn’t look right. Why would this machine be posting data to a server under /a/ and /html/? Even the hostname amellet.bit seems very unusual! A quick search shows that the .bit domain is used for a cryptocurrency called Namecoin as an alternative decentralized domain name system. This is starting to look like the user downloaded and ran something they shouldn’t have and now things are getting interesting!

With those two notes in mind I took a look at the Threat Assessment to see if I might be on the right track. Here I found a threat for the EXE download and those strange HTTP POSTs were flagged as a Chthonic CnC Beacon 8 threat. At this point it looks like we might have an infected host that’s become part of a botnet.

I also saw a threat mentioning a tech support scam surrounded by some strange DNS queries and an EITest Inject threat. This threat looks like JavaScript injected into a page the user’s browser loaded that would automatically open a page that the user never asked for. The JavaScript we find in the payload here looks like the culprit:

window.event;doOpen("http://helpcenterforall.bid/index/?MCPKV8");

This doesn’t seem related to the CnC threats above so for now I opened the traffic for that TCP stream and made an annotation to remind me to look into it further. First I want to investigate this CnC traffic and try and decipher what these packets mean.

Chthonic

To dig deeper into this traffic I went back to the packet where the EXE download happened and found this file in the HTTP Objects analysis tool. From there I found some very interesting results from reverse.it. Under the Suspicious Indicators it states that this software does in fact send HTTP POSTs to amellet.bit. So that does explain that traffic. I also noticed that running this software resulted in some DNS traffic over TCP based on the Contacted Hosts section. Looking at TCP DNS and HTTP POSTs to amellet.bit I saw that a DNS query is performed for amellet.bit before every HTTP POST. I’m guessing that this helps the bot evade detection by using TCP instead of UDP for DNS and that it isn’t caching these results anywhere on the machine where they could be found by anti-virus software.

It was hard to make sense out of any of the data being sent to amellet.bit. Looking at what was sent in the HTTP streams didn’t offer any clues so I started doing some research and came across this detailed writeup on Chthonic.

The Chthonic malware uses encryption to communicate with a CnC server so we won’t be able to determine what commands or information were sent in this PCAP. Hidden deep inside the software even the configuration for the bot is encrypted! This malware has many different modules that can be enabled including starting a keylogger and it can even record sound and video from the infected machine! Even though this is just an exercise that is some pretty disturbing malware to come across. We can use the information about the infected machine above to find this machine, remove it from the network, and enrol the user in a phishing prevention class.

Tech support scam

Hopefully looking into this threat won’t be as disturbing as the last. This threat triggered when the user went to www.singlemoms.org. Here is the TCP stream downloaded when this page was loaded. The threat triggered on the payload containing this JavaScript:

doOpen("http://helpcenterforall.bid/index/?MCPKV8");

When that site is loaded, instead of bringing the user to http://helpcenterforall.bid/index/?MCPKV8, the server responds with an HTTP redirect to http://krep2010123.tk/?number=888-779-0939. This got flagged by Threat Assessment as a Tech Support Scam Landing and it sure looks like one. This page even autoplays an obnoxious-sounding mp3 to get the user’s attention.

<audio autoplay="autoplay" loop="">
<source src="/landinf/err.mp3" type="audio/mpeg">
</audio>

Going through the HTTP objects I also found a Windows Defender icon to make this look more like a real message from Microsoft. Hopefully no one fell for this but at least we know what phone number to look for!

Indicators of compromise

Using the HTTP Objects analysis tool to download and inspect the downloaded EXE we can get indicators of compromise from this particular file:

  • SHA256: a56876fd456d0737eecc4a8bbe3154b35314ab28accb29abf0df7c518c81a490
  • File URL: http://jgbennett.com/3cgconsulting.com30723bio_152.exe
  • File Description: Chthonic banking Trojan

The DNS Resolved Addresses will also help us find the IP addresses and hostnames involved in both of these threats:

  • 107.180.41.148 - jgbennett.com
  • 35.198.166.240 - amellet.bit
  • 104.18.61.210 - www.singlemoms.org
  • 162.244.35.33 - helpcenterforall.bid
  • 162.244.35.36 - krep2010123.tk

We can also look for DNS over TCP traffic trying to resolve amellet.bit.
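One way to hunt for this outside CloudShark is to walk a reassembled client-to-server TCP port 53 stream, where each DNS message is preceded by a two-byte length, and report queries for .bit names. This is an added example, not part of the original exercise; the sample stream is constructed, and the function names and watched-suffix list are assumptions.

```python
import struct

WATCHED_SUFFIXES = (".bit",)  # assumption: flag Namecoin-style names like amellet.bit

def read_qname(msg, offset):
    """Decode the uncompressed question name starting at offset."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels).lower()
        if length & 0xC0:
            raise ValueError("unexpected compression pointer in question")
        label = msg[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        offset += length

def tcp_dns_queries(stream):
    """Return names queried in one reassembled client->server TCP/53 stream."""
    names, pos = [], 0
    while pos + 2 <= len(stream):
        (msg_len,) = struct.unpack_from("!H", stream, pos)   # TCP length prefix
        msg = stream[pos + 2:pos + 2 + msg_len]
        if len(msg) != msg_len or msg_len < 12:
            break                       # incomplete message at end of stream
        flags, qdcount = struct.unpack_from("!HH", msg, 2)
        if not flags & 0x8000 and qdcount >= 1:   # QR bit clear: a query
            names.append(read_qname(msg, 12))
        pos += 2 + msg_len
    return names

def flag_watched(names):
    """Keep only names that fall under a watched suffix."""
    return [n for n in names if ("." + n).endswith(WATCHED_SUFFIXES)]

def build_query(name, txid):
    """Constructed sample: one length-prefixed A/IN query."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    msg = header + qname + b"\x00" + struct.pack("!HH", 1, 1)
    return struct.pack("!H", len(msg)) + msg

SAMPLE_STREAM = build_query("amellet.bit", 1) + build_query("www.example.com", 2)
print(flag_watched(tcp_dns_queries(SAMPLE_STREAM)))
```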

Summary

Quite a lot of nefarious activity going on in that PCAP! I’ll be having nightmares about that Chthonic malware for a while. It was exciting to see that the threat assessment tool flagged some of the traffic I saw that just didn’t seem right. The DNS queries over TCP were also interesting! Traffic like that is very out of the ordinary since hosts usually use UDP instead for DNS. That’s one more thing I’ll be looking for when hunting for malware now.

The next traffic analysis exercise is already posted and this time there are 6 PCAPs to investigate for malware traffic so I’d better get started!
