Malware Traffic Analysis Dot Net Series QUIETHUB
09 May 2021
The writeups will be a series to document my learning experience with Wireshark and IR report writing for the malicious traffic from Malware-Traffic-Dot-Net, hope you will enjoy it :)
Note, this series will be video only :)
Malware Traffic Analysis Dot Net Series QUIETHUB Video Walkthrough
VIDEO
Scenario
LAN segment data :
LAN segment range : 192.168 . 200.0 / 24 ( 192.168 . 200.0 through 192.168 . 200.255 )
Domain : quiethub . net
Domain controller : 192.168 . 200.10 - Quiethub - DC
LAN segment gateway : 192.168 . 200.1
LAN segment broadcast address : 192.168 . 200.255
My IR Report
Executaive Summary :
At 2020 - 11 - 13 00 : 26 : 49 , the user craig alda ' s workstation initialized the communication with the malicious IPs.
The user downloaded a spreadsheet that has Macro enabled. The attacker leveraged the phishing to get onto the
user ' s workstation . We observed the attacker attempted move to our Domain Controller via ZeroLogon attack from the
user ' s workstation.
Victim
hostname:DESKTOP-JI1UZAE.quiethub.net
MAC:00:08:02:1c:47:ae (HP)
ip: 192.168.200.8
user: craig.alda
192.168.200.2 - DC
MAC: a4:1f:72:c2:09:6a (DELL)
IOC:
143.110.191.95 - lezasopedrill.cyou
185.141.24.71 - webintercom76delivery.net
198.211.99.168
198.211.99.24 - timerdisclaimer.pw, compactmuslimsdeport.pw
205.185.113.20
http://205.185.113.20//BVd1qKwd - 302 redirect follow up with download 3.dll
http://205.185.113.20/files/3.dll
http://185.141.24.71/download/winnit.exe
http://webintercom76delivery.net/submit.php?id=12342932
http://webintercom76delivery.net/updates.rss
70db47bd97fc2d27b51eada6b24e32462d6144601a852347c0f6276db62430a6 ~2457218.tmp
d25e3a7ed538968e9b78367cd8f8d20f8f55471a1eb27aae2774272fc8c1c1ce ~2559312.dll
ddcf95d87542f2df67aff8941fcd92c71cc704698b00923791e21285f82bb01a 3.dll
670b57b4e4625b726ea8f4eb716bb838252f4afad05aa1dc252ec07223273a74 {5FD47D96-5062-7DE3-08DA-938D00A84B6B}
cc1030c4c7486f5295444acb205fa9c9947ad41427b6b181d74e7e5fe4e6f8a9 baipuyac.png
d9bf5e572d313ddf6f684e93874333e68d493395dc032a1d77c250018a31548f CV.xlsb
a09d8c487a135b973af532247d62f46695a53f37add6c66e561f1c14650290f5 Maaywuku2.dll
fca6b7fe66ad9973f18f407e83b56dacd04197cbd35efc498a342d73d6a113e5 sqlite64.dll
7801b75f545c24cf7fba8e98dc4505d21c1a11fd228d04685f714d2a0bef83f0 tezehu.exe
ddcf95d87542f2df67aff8941fcd92c71cc704698b00923791e21285f82bb01a VSMecyU.dll
7801b75f545c24cf7fba8e98dc4505d21c1a11fd228d04685f714d2a0bef83f0 winnit.exe
Recommendations:
1. Contain the user ' s workstation
2 . Remove the malicious IOC files on the workstations
3 . Block the malicious IPs and URLs
4 . Improve the user security awareness training
Wireshark Cheatsheet
Wireshark Cheatsheet
My Cheatsheet:
( http . request or ssl . handshake . type == 1 ) and ! ( ssdp )
( http . request or http . response or tls . handshake . type eq 1 ) and ! ( ssdp )
( http . request or ssl . handshake . type == 1 or tcp . flags eq 0x0002 ) and ! ( udp . port eq 1900 )
( http . request or tls . handshake . type == 1 or tcp . flags eq 0x0002 or dns ) and ! ( udp . port eq 1900 )
( http . request or tls . handshake . type == 1 ) and ! ( ssdp )
(( http . request or http . response ) and ip . addr eq 194.1 . 236.191 ) or dns . qry . name contains tnzf3380au or dns . qry . name contains xijamaalj
http . request . method eq POST
http . request . method eq POST and ! ( urlencoded - form )
urlencoded - form
tcp . analysis . retransmission and tcp . flags eq 0x0002
smtp
smtp contains " From: "
smtp contains " Message-ID: "
smtp contains " Subject: "
http . request
kerberos . CNameString
kerberos . CNameString and ! ( kerberos . CNameString contains $ )
smtp . data . fragment
ftp . request . command
ftp - data
ftp - data . command contains . html
dhcp
Windows NT 5.1 : Windows XP
Windows NT 6.0 : Windows Vista
Windows NT 6.1 : Windows 7
Windows NT 6.2 : Windows 8
Windows NT 6.3 : Windows 8.1
Windows NT 10.0 : Windows 10
tls . handshake . type eq 1 and ( tcp . port eq 447 or tcp . port eq 449 )
( http . request . uri contains / 81 or http . request . uri contains / 83 or http . request . uri contains / 90 ) and http . request . uri contains mor
http . request . uri contains . png
tls . handshake . type eq 11 and ! ( x509sat . CountryName == US )
tls . handshake . type eq 11 and ! ( x509sat . CountryName == US )
tcp . port eq 65400
tls . handshake . extensions_server_name contains speedof
http . host contains strandsglobal
dns . qry . name contains opendns . com
grep - Eo ' [0-9]{1,3} \ .[0-9]{1,3} \ .[0-9]{1,3} \ .[0-9]{1,3} '