CloudShark developer and packet guru Tom Peterson has been deep in the trenches doing malware analysis exercises from malware-traffic-analysis.net to learn how to best use CloudShark and our Threat Assessment add-on to get to the root of malicious activity. Let’s join him now for his latest exercise.
What’s up with this Windows 10 PC?
Hi all! Tom here from CloudShark Support. One of the latest exercises from malware-traffic-analysis.net involves seeing some malicious traffic coming from a Windows 10 PC, as set up in the 2017-10-21 malware traffic analysis exercise.
Here’s what I found when digging through it, and how you can solve problems like these using CloudShark.
The exercise - starting with the capture
Here is a link to the capture on CloudShark:
All we know for this exercise is that something happened to a Windows 10 PC sent to the future with Doc Brown and Marty McFly. We need to figure out:
- Date, start time, and end time of the malicious activity in UTC (GMT).
- IP address of the Windows host from in the pcap.
- Mac address of the Windows host in the pcap.
- Host name for the Windows host in the pcap.
- What type(s) of malicious activity were noted.
- Indicators of the malicious activity (IP addresses, domain names, file hashes, etc).
- A summary of what happened.
Information about the infected machine
I started by getting some information about the Windows host we captured the network traffic from.
We can look at the DHCP traffic in this capture to get the IP address, Mac address, and host name of the Windows host.
From this DHCP traffic we can determine:
- IP Address: 10.0.1.95
- Mac Address: 60:a4:4c:6a:b2:1f
- Host Name: DELOREAN-PC
If we needed to track this machine down later and remove it from the network this information would help us find it.
This capture in CloudShark already has the HTTP column preset
applied for all users. If we filter on
HTTP Requests and SSL Client Hello messages
we can see what servers the Windows machine accessed over HTTP and HTTPS. I
started here to get an idea of what the user might have been doing in this
capture and it looks like we see some HTTPS traffic to
which seems like a user checking their e-mail. After that we see the
Windows host requesting an EXE file over HTTP. That smells like something
malicious right away! I made a quick annotation so that I remember where this
is. Later I can get a copy of this file with the HTTP Objects
analysis tool and submit it to VirusTotal and reverse.it to see if these
services detect it as malicious.
Moving on I found some HTTP POSTs that didn’t look right.
Why would this machine be posting data to a server under
Even the hostname
amellet.bit seems very unusual! A quick search shows that
the .bit domain is used for a
cryptocurrency called Namecoin as an alternative decentralized domain name
system. This is starting to look like the user downloaded and ran something
they shouldn’t have and now things are getting interesting!
With those two notes in mind I took a look at the Threat Assessment to see if I might be on the right track. Here I found a threat for the EXE download and those strange HTTP POSTs were flagged as a Chthonic CnC Beacon 8 threat. At this point it looks like we might have an infected host thats become part of a botnet.
This doesn’t seem related to the CnC threats above so for now I opened the traffic for that TCP stream and made an annotation to remind me to look into it further. First I want to investigate this CnC traffic and try and decipher what these packets mean.
To dig deeper into this traffic I went back to the
packet where the exe download happened
and found this file in the HTTP objects analysis tool. From there I found some
very interesting results from reverse.it.
Suspicious Indicators it states that this software does in fact
send HTTP POSTS to amellet.bit. So that does explain that traffic. I also
noticed that running this software resulted in some DNS traffic over TCP based
Contacted Hosts section. Looking at TCP DNS and HTTP posts to amellet.bit
I saw that a DNS query is performed for
amellet.bit before every HTTP Post.
I’m guessing that this helps the bot evade detection by using TCP instead of
UDP for DNS and that it isn’t caching these results anywhere on the machine
where they could be found by anti-virus software.
It was hard to make sense out of any of the data being sent to
Looking at what was sent in the HTTP streams
didn’t offer any clues so I started doing some research and came across this
detailed writeup on Chthonic.
The Chthonic malware uses encryption to communicate with a CnC server so we won’t be able to determine what commands or information was sent in this PCAP. Hidden deep inside the software even the configuration for the bot is encrypted! This malware has many different modules that can be enabled including starting a keylogger and it can even record sound and video from the infected machine! Even though this is just an exercise that is some pretty disturbing malware to come across. We can use the information about the infected machine above to find this machine, remove it from the network, and enrol the user in a phishing prevention class.
Tech support scam
Hopefully looking into this threat won’t be as disturbing as the last. This threat
triggered when the user went to
www.singlemoms.org. Here is the TCP stream
downloaded when this page was loaded. The threat triggered on the payload
When that site is loaded instead of bringing the user to
http://helpcenterforall.bid/index/?MCPKV8 that server instead responds with
an HTTP Redirect
http://krep2010123.tk/?number=888-779-0939. This got flagged by threat
assessment as a
Tech Support Scam Landing and it sure looks like one.
This page even autoplays an obnoxious sounding mp3 to get the users attention.
<audio autoplay="autoplay" loop=""> <source src="/landinf/err.mp3" type="audio/mpeg"> </audio>
Going throught the HTTP objects I also found a Windows Defender icon to make this look more like a real message from Microsoft. Hopefully no one fell for this but at least we know what phone number to look for!
Indicators of compromise
Using the HTTP Objects analysis tool to download and inspect the dowloaded EXE we can get indicators of compromise from this particular file:
- SHA256: a56876fd456d0737eecc4a8bbe3154b35314ab28accb29abf0df7c518c81a490
- File URL:
- File Description: ChthonicbankingTrojan
The DNS Resolved Addresses will also help us find the IP addresses and hostnames involved in both of these threats:
- 18.104.22.168 -
- 22.214.171.124 -
- 126.96.36.199 -
- 188.8.131.52 -
- 184.108.40.206 -
We can also look for DNS over TCP traffic trying to resolve
Quite a lot of nefarious activity going on in that PCAP! I’ll be having nightmares about that Chthonic malware for a while. It was exciting to see that the threat assessment tool flagged some of the traffic I saw that just didn’t seem right. The DNS queries over TCP were also interesting! Traffic like that is very out of the ordinary since hosts usually use UDP instead for DNS. Thats one more thing I’ll be looking for when hunting for malware now.
The next traffic analysis exercise is already posted and this time there are 6 PCAPs to investigate for malware traffic so I’d better get started!