BohanSec

Malware Traffic Analysis Dot Net Series QUIETHUB

These writeups are a series documenting my learning experience with Wireshark and IR report writing, using the malicious traffic exercises from Malware-Traffic-Dot-Net. I hope you will enjoy them :)

Note: this series will be video only :)

Malware Traffic Analysis Dot Net Series QUIETHUB Video Walkthrough

Scenario

    LAN segment data:

        LAN segment range:  192.168.200.0/24 (192.168.200.0 through 192.168.200.255)
        Domain:  quiethub.net
        Domain controller:  192.168.200.10 - Quiethub-DC
        LAN segment gateway:  192.168.200.1
        LAN segment broadcast address:  192.168.200.255

My IR Report

Executive Summary:

At 2020-11-13 00:26:49, the workstation of the user craig.alda initiated communication with the malicious IPs.
The user had downloaded a macro-enabled spreadsheet; the attacker used this phishing lure to gain a foothold on the
user's workstation. We then observed the attacker attempting to move laterally from the user's workstation to our
Domain Controller via a ZeroLogon attack.

Victim
hostname: DESKTOP-JI1UZAE.quiethub.net
MAC: 00:08:02:1c:47:ae (HP)
IP: 192.168.200.8
user: craig.alda

192.168.200.2 - DC
MAC: a4:1f:72:c2:09:6a (DELL)

IOC:
143.110.191.95 - lezasopedrill.cyou
185.141.24.71 - webintercom76delivery.net
198.211.99.168
198.211.99.24 - timerdisclaimer.pw, compactmuslimsdeport.pw
205.185.113.20

http://205.185.113.20//BVd1qKwd - 302 redirect, followed by the download of 3.dll
http://205.185.113.20/files/3.dll
http://185.141.24.71/download/winnit.exe
http://webintercom76delivery.net/submit.php?id=12342932
http://webintercom76delivery.net/updates.rss
                               
70db47bd97fc2d27b51eada6b24e32462d6144601a852347c0f6276db62430a6  ~2457218.tmp
d25e3a7ed538968e9b78367cd8f8d20f8f55471a1eb27aae2774272fc8c1c1ce  ~2559312.dll
ddcf95d87542f2df67aff8941fcd92c71cc704698b00923791e21285f82bb01a  3.dll
670b57b4e4625b726ea8f4eb716bb838252f4afad05aa1dc252ec07223273a74  {5FD47D96-5062-7DE3-08DA-938D00A84B6B}
cc1030c4c7486f5295444acb205fa9c9947ad41427b6b181d74e7e5fe4e6f8a9  baipuyac.png
d9bf5e572d313ddf6f684e93874333e68d493395dc032a1d77c250018a31548f  CV.xlsb
a09d8c487a135b973af532247d62f46695a53f37add6c66e561f1c14650290f5  Maaywuku2.dll
fca6b7fe66ad9973f18f407e83b56dacd04197cbd35efc498a342d73d6a113e5  sqlite64.dll
7801b75f545c24cf7fba8e98dc4505d21c1a11fd228d04685f714d2a0bef83f0  tezehu.exe
ddcf95d87542f2df67aff8941fcd92c71cc704698b00923791e21285f82bb01a  VSMecyU.dll
7801b75f545c24cf7fba8e98dc4505d21c1a11fd228d04685f714d2a0bef83f0  winnit.exe

Recommendations:
1. Contain the user's workstation
2. Remove the malicious IOC files on the workstations
3. Block the malicious IPs and URLs
4. Improve user security awareness training

Wireshark Cheatsheet

My Cheatsheet:

(http.request or ssl.handshake.type == 1) and !(ssdp)

(http.request or http.response or tls.handshake.type eq 1) and !(ssdp)

(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)

(http.request or tls.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)

(http.request or tls.handshake.type == 1) and !(ssdp)

((http.request or http.response) and ip.addr eq 194.1.236.191) or dns.qry.name contains tnzf3380au or dns.qry.name contains xijamaalj

http.request.method eq POST

http.request.method eq POST and !(urlencoded-form)

urlencoded-form

tcp.analysis.retransmission and tcp.flags eq 0x0002

smtp

smtp contains "From: "

smtp contains "Message-ID: "

smtp contains "Subject: "

http.request

kerberos.CNameString

kerberos.CNameString and !(kerberos.CNameString contains $)

smtp.data.fragment

ftp.request.command

ftp-data

ftp-data.command contains .html

dhcp

Windows NT 5.1: Windows XP
Windows NT 6.0: Windows Vista
Windows NT 6.1: Windows 7
Windows NT 6.2: Windows 8
Windows NT 6.3: Windows 8.1
Windows NT 10.0: Windows 10

tls.handshake.type eq 1 and (tcp.port eq 447 or tcp.port eq 449)
(http.request.uri contains /81 or http.request.uri contains /83 or http.request.uri contains /90) and http.request.uri contains mor
http.request.uri contains .png

tls.handshake.type eq 11 and !(x509sat.CountryName == US)
tcp.port eq 65400
tls.handshake.extensions_server_name contains speedof
http.host contains strandsglobal

dns.qry.name contains opendns.com

grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'