Blue Team Labs Online — Network Analysis — Malware Compromise Challenge Walkthrough

Analyzing PCAP files with Wireshark and NetworkMiner

Drew Arpino
8 min read · Jun 9, 2024
Image Credit: https://blueteamlabs.online/

Introduction:

Welcome to my weekly walkthrough! Have you ever been curious about analyzing a network packet capture (PCAP) file to investigate malicious traffic from a malware infected computer?

Well, we’re about to explore some PCAP analysis by tackling the Network Analysis — Malware Compromise challenge from Blue Team Labs Online! This is an incident response challenge that has us defenders investigating a PCAP file taken from an endpoint infected with the Dridex malware.

To tackle this investigation, we’re going to leverage Wireshark and NetworkMiner for the analysis. So, whether you’re here to learn more about PCAP analysis, see some practical use of these tools, or are just looking for a reference walkthrough for the Network Analysis — Malware Compromise, you’ve stumbled on the right blog.

Now, let’s put on our detective hats and have some fun with forensics! Thanks for reading along!

Challenge Link: https://blueteamlabs.online/home/challenge/network-analysis-malware-compromise-e882f32908

Challenge Scenario:

A SOC Analyst at Umbrella Corporation is going through SIEM alerts and sees the alert for connections to a known malicious domain. The traffic is coming from Sara’s computer, an Accountant who receives a large volume of emails from customers daily. Looking at the email gateway logs for Sara’s mailbox there is nothing immediately suspicious, with emails coming from customers. Sara is contacted via her phone and she states a customer sent her an invoice that had a document with a macro, she opened the email and the program crashed. The SOC Team retrieved a PCAP for further analysis.

Warning about working with malicious files & Dridex background:

Safety first — It’s always important when working with lab/challenge files from Blue Team Labs Online (or any educational lab/challenge/range) to keep yourself safe by performing these tasks in a dedicated, isolated virtual machine environment. Even for educational purposes, we are working with potentially malicious files, after all.

Now, let’s also set the stage with some background information on the Dridex malware from Malpedia to enrich the scenario:

Malpedia describes Dridex as “an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another…”

According to Malwarebytes, “Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware…”

That isn’t good! Now that we have some context on the malware and our virtual environment created, updated, isolated, and snapshotted, we can download and extract our challenge file and get to work!

Question 1: What’s the private IP of the infected host?

To start this off, let’s open up Wireshark and load the challenge PCAP file. We’re going to focus on the first packet (No. 1) in the list. Check out the source IP (10.11.27.101) performing a DNS query to the DNS server (10.11.27.1) for the domain klychenogg[.]com.

We can’t be sure yet this is the infected host we are looking for until we look at the TCP three-way handshake where the source IP (10.11.27.101) connects to 95[.]181[.]198[.]231 (which resolves to klychenogg[.]com).

After the host establishes a connection with the server, we observe a strange file in the HTTP GET request (packet #6). Let’s jump over and search for this domain on VirusTotal:

Okay! So, we’ve got some hits on this domain which gives us some additional context and confidence that this host is communicating with a malicious domain. It is likely that this is the infected source IP that we are searching for to answer Question 1.

But let’s look at this with another view in Wireshark to double-check what the traffic utilization of this IP address is overall. To do this, we can utilize the Statistics > Endpoints view in Wireshark.

Here we will see all the endpoints from this packet capture. Looking at the suspected host IP, we can confirm that it has the lion’s share of traffic compared to the other hosts. Let’s submit the answer and check our work.

Question 2: What’s the malware binary that the macro document is trying to retrieve?

We may have already stumbled across the answer during our analysis of Question 1. But let’s go ahead and follow the TCP stream starting with the SYN packet of the three-way handshake (packet #3).

To do this, click the row of the packet, right click it, and select Follow > TCP Stream.

Now, in the TCP Stream view, we see that the victim host requested the file “spet10.spr” from this server.

According to the United States Cybersecurity & Infrastructure Security Agency (CISA), this technique is consistent with the Dridex malware:

Many of the files, rather than containing the actual malware, contain hidden or obfuscated macros. Upon activation, the macros reach to a command and control server, FTP server, or cloud storage site to download the actual Dridex malware.

Question 3: From what domain HTTP requests with GET /images/ are coming from?

For Question 3 let’s try something a little different; instead of just using one utility, why don’t we add another one to the toolkit to compare the differences?

  1. Wireshark
  2. NetworkMiner

We’ll start with Wireshark. Let’s do a simple string search with the “Find Packet” function. We can access this function through Edit > Find Packet OR by pressing the magnifying glass above the display filter field. Then, we can search for the string “/images” to locate the requests that contain it.

We’ll see that the first hit lists the request URI with the domain we are looking for down in the packet details pane.

The second option is to leverage the tool, NetworkMiner. NetworkMiner is another powerful network forensic tool that can extract artifacts from PCAP files and display them in an easy-to-understand format with robust sorting and filtering capabilities.

Let’s search NetworkMiner for the same information that we found earlier with Wireshark. To do this, open NetworkMiner, load the PCAP file, and then press Parameters. In the Filter keyword box, input “/images”.

Now that we have filtered our results, we can see three entries from our search. If we focus on the Destination host tab, we will see the request domain. Although we found the same information with both tools, it’s still useful to understand the different capabilities of the two applications and how each presents the data.

Question 4: The SOC Team found Dridex, a follow-up malware from Ursnif infection, to be the culprit. The customer who sent her the macro file is compromised. What’s the full URL ending in .rar where Ursnif retrieves the follow-up malware from?

For Question 4, we’ll again use both Wireshark and NetworkMiner to hunt for the second stage RAR file in the PCAP.

In Wireshark, we’ll do another simple string search like we did in Question 3, but this time we will search for “.rar”.

Take a look at the Full request URI in the packet details pane. This is the URL that we are looking for!

From the NetworkMiner perspective, click on the Files tab and then, in the Filter keyword box, input “.rar”. Now check the Details tab, where we will see the same URI that we found with Wireshark!

Question 5: What is the Dridex post-infection traffic IP addresses beginning with 185.? (4 points)

Okay, last question! We know that the Dridex malware on the victim’s machine is communicating with a command-and-control IP address beginning with 185. We just need to find the full IP.

We’ll start by filtering for destination IP addresses to locate the valid indicator of compromise (IOC). We did this earlier in Question 1, so let’s open Wireshark and use the Statistics > Endpoints view again. This will help us locate two IP addresses beginning with 185.

Let’s see if we can get any more information about these IP addresses with NetworkMiner. In NetworkMiner, we just need to visit the Hosts tab. This will list all the hosts within the PCAP file just like the Endpoints view in Wireshark but with the added benefit of some extra information in one tab.

Unfortunately, while we get some additional information, it isn’t enough to determine which of the two 185 IP addresses is the command-and-control traffic the challenge wants us to find from our tools alone.

Let’s pivot and try to enrich our data by using a straightforward process of elimination by checking VirusTotal for any intelligence about each of the IP addresses…

Hey, we found something! While this isn’t a definitive test, the second IP address has a few hits on VirusTotal for malicious activity. For the purposes of this challenge, this will be enough information. Let’s check that we have found the right IP address!
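The GUI steps used across Questions 1, 3, 4 and 5 (Statistics > Endpoints, the DNS query rows, Find Packet string searches on request URIs, and listing destinations that begin with 185.) can all be reproduced with a few lines of stdlib Python, which is handy when you want to re-run the same triage over many captures. The block below is an added example and is not part of the original walkthrough or of the challenge files: it builds a tiny pcap in memory (constructed sample data), reusing only the IPs, domain and file name the walkthrough gives; the request paths, the /images/ and .rar hosts, and the two 185.* addresses are placeholders, not the challenge answers.

```python
# Added example (not from the original walkthrough): stdlib-only pcap triage that mirrors
# the Wireshark/NetworkMiner steps. The pcap is CONSTRUCTED in memory; values taken from
# the post are 10.11.27.101, 10.11.27.1, 95.181.198.231, klychenogg.com and spet10.spr.
# Everything else (paths, image/rar hosts, the 185.* addresses) is a placeholder.
import struct
from collections import Counter

ETH_IPV4 = b"\x08\x00"

def _ip(addr):
    return bytes(int(o) for o in addr.split("."))

def build_frame(src, dst, proto, sport, dport, payload):
    """Ethernet + IPv4 + (UDP|TCP) frame; MACs/checksums are zero (fine for offline parsing)."""
    if proto == 17:   # UDP header: sport, dport, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:             # TCP header: 20 bytes (data offset 5), flags PSH+ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    return b"\x00" * 12 + ETH_IPV4 + ip + l4

def build_pcap(frames):
    """Classic libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return bytes(out)

def dns_query(name):
    """Minimal DNS A query: 12-byte header, QNAME labels, QTYPE=A, QCLASS=IN."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def iter_packets(pcap):
    """Yield (src, dst, proto, dport, frame_len, l4_payload) for every IPv4 frame in the file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != ETH_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
        proto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        l4 = frame[14 + ihl:]
        if proto == 6:                                    # TCP: skip the variable-length header
            dport, payload = struct.unpack_from("!H", l4, 2)[0], l4[(l4[12] >> 4) * 4:]
        elif proto == 17:                                 # UDP: fixed 8-byte header
            dport, payload = struct.unpack_from("!H", l4, 2)[0], l4[8:]
        else:
            continue
        yield src, dst, proto, dport, len(frame), payload

def endpoint_bytes(pcap):
    """Statistics > Endpoints: bytes seen per IP address in either direction."""
    counts = Counter()
    for src, dst, _, _, size, _ in iter_packets(pcap):
        counts[src] += size
        counts[dst] += size
    return counts

def dns_queries(pcap):
    """(client, qname) for each UDP/53 query, like the DNS rows in the Wireshark packet list."""
    out = []
    for src, _, proto, dport, _, p in iter_packets(pcap):
        if proto != 17 or dport != 53:
            continue
        labels, i = [], 12
        while p[i]:
            labels.append(p[i + 1:i + 1 + p[i]].decode())
            i += 1 + p[i]
        out.append((src, ".".join(labels)))
    return out

def http_requests(pcap):
    """(client, server, full request URI) for every TCP payload that starts with an HTTP request line."""
    out = []
    for src, dst, proto, _, _, p in iter_packets(pcap):
        if proto != 6 or not p.startswith((b"GET ", b"POST ")):
            continue
        head = p.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        path = head[0].split(" ")[1]
        host = next((h.split(":", 1)[1].strip() for h in head[1:] if h.lower().startswith("host:")), dst)
        out.append((src, dst, f"http://{host}{path}"))
    return out

def find_uri(pcap, needle):
    """Edit > Find Packet (string), restricted to request URIs."""
    return [uri for _, _, uri in http_requests(pcap) if needle in uri]

def destinations_with_prefix(pcap, prefix):
    """Destination IPs whose dotted form starts with prefix, e.g. '185.'."""
    return sorted({dst for _, dst, *_ in iter_packets(pcap) if dst.startswith(prefix)})

# --- constructed sample capture -------------------------------------------------------------
VICTIM, DNS_SRV, STAGE1 = "10.11.27.101", "10.11.27.1", "95.181.198.231"   # from the walkthrough
IMG_HOST, RAR_HOST = "images-host.example", "rar-host.example"             # placeholders
C2_PLACEHOLDERS = ["185.0.0.10", "185.0.0.20"]                             # placeholders, not the answer

def http_get(host, path):
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: Mozilla/4.0\r\n\r\n".encode()

SAMPLE_PCAP = build_pcap([
    build_frame(VICTIM, DNS_SRV, 17, 49152, 53, dns_query("klychenogg.com")),
    build_frame(VICTIM, STAGE1, 6, 49153, 80, http_get("klychenogg.com", "/spet10.spr")),  # path constructed
    build_frame(STAGE1, VICTIM, 6, 80, 49153, b"HTTP/1.1 200 OK\r\n\r\n" + b"M" * 400),
    build_frame(VICTIM, "198.51.100.7", 6, 49154, 80, http_get(IMG_HOST, "/images/logo.png")),
    build_frame(VICTIM, "198.51.100.8", 6, 49155, 80, http_get(RAR_HOST, "/stage2/payload.rar")),
    build_frame(VICTIM, C2_PLACEHOLDERS[0], 6, 49156, 443, b"\x16\x03\x01" + b"\x00" * 40),
    build_frame(VICTIM, C2_PLACEHOLDERS[1], 6, 49157, 443, b"\x16\x03\x01" + b"\x00" * 40),
])

if __name__ == "__main__":
    print("Endpoints by bytes:", endpoint_bytes(SAMPLE_PCAP).most_common(3))
    print("DNS queries:", dns_queries(SAMPLE_PCAP))
    print("/images hits:", find_uri(SAMPLE_PCAP, "/images"))
    print(".rar hits:", find_uri(SAMPLE_PCAP, ".rar"))
    print("185.* destinations:", destinations_with_prefix(SAMPLE_PCAP, "185."))
```

To use it on a real capture, replace SAMPLE_PCAP with the bytes of the challenge file (`open(path, "rb").read()`). The parser understands only classic pcap with Ethernet framing, which is what this challenge provides; pcapng, VLAN-tagged or non-Ethernet captures would need extra handling, and as with the GUI steps above, a string hit on a URI or a 185.* destination is a lead to enrich and confirm, not a verdict on its own.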

Conclusion:

Excellent job with the investigation! We successfully analyzed the PCAP file given to us by the SOC team to complete the Network Analysis — Malware Compromise challenge! Now that we understand the scope of the incident, let’s wrap this up.

A big thank you to Blue Team Labs Online for hosting this awesome challenge! This was a fantastic opportunity to practice PCAP analysis, sharpen my skills with Wireshark, and test out the capabilities of NetworkMiner. I always find it valuable to get hands-on practice with these tools to keep my skills sharp for the next time I’ll need to use them in the real world.

Thank you so much for reading along and working through this investigation with me. I hope that you had as much fun as I did and learned something new, too!

Until next week — stay curious!

Tools & References:

Wireshark: https://www.wireshark.org/

Network Miner: https://www.netresec.com/?page=NetworkMiner

Wireshark Wiki (TCP 3-Way Handshake): https://wiki.wireshark.org/TCP_3_way_handshaking/

Malpedia (Dridex): https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex

CISA Dridex Malware: https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-339a

VirusTotal: https://www.virustotal.com/
