Malware Traffic Analysis Dot Net Series QUIETHUB
This writeup is part of a series documenting my learning experience with Wireshark and IR report writing, using the malicious traffic exercises from Malware-Traffic-Analysis.net. I hope you will enjoy it :)
Note: this series is video only :)
Malware Traffic Analysis Dot Net Series QUIETHUB Video Walkthrough
Scenario
LAN segment data:
LAN segment range: 192.168.200.0/24 (192.168.200.0 through 192.168.200.255)
Domain: quiethub.net
Domain controller: 192.168.200.10 - Quiethub-DC
LAN segment gateway: 192.168.200.1
LAN segment broadcast address: 192.168.200.255
My IR Report
Executive Summary:
At 2020-11-13 00:26:49, the workstation of user craig.alda initiated communication with the malicious IPs.
The user downloaded a macro-enabled spreadsheet; the attacker used this phishing lure to gain a foothold on the
user's workstation. From that workstation we observed the attacker attempt to move laterally to our domain
controller with a ZeroLogon (CVE-2020-1472) attack.
Victim:
hostname: DESKTOP-JI1UZAE.quiethub.net
MAC: 00:08:02:1c:47:ae (HP)
IP: 192.168.200.8
user: craig.alda
Domain controller (target of the ZeroLogon attempt):
IP: 192.168.200.2 - DC (note: the scenario data above lists the domain controller as 192.168.200.10)
MAC: a4:1f:72:c2:09:6a (Dell)
IOCs:
Attacker IPs and the domains that resolved to them:
143.110.191.95 - lezasopedrill.cyou
185.141.24.71 - webintercom76delivery.net
198.211.99.168
198.211.99.24 - timerdisclaimer.pw, compactmuslimsdeport.pw
205.185.113.20
http://205.185.113.20//BVd1qKwd - 302 redirect, followed by the download of 3.dll
http://205.185.113.20/files/3.dll
http://185.141.24.71/download/winnit.exe
http://webintercom76delivery.net/submit.php?id=12342932
http://webintercom76delivery.net/updates.rss
SHA256 hash - filename:
70db47bd97fc2d27b51eada6b24e32462d6144601a852347c0f6276db62430a6 ~2457218.tmp
d25e3a7ed538968e9b78367cd8f8d20f8f55471a1eb27aae2774272fc8c1c1ce ~2559312.dll
ddcf95d87542f2df67aff8941fcd92c71cc704698b00923791e21285f82bb01a 3.dll
670b57b4e4625b726ea8f4eb716bb838252f4afad05aa1dc252ec07223273a74 {5FD47D96-5062-7DE3-08DA-938D00A84B6B}
cc1030c4c7486f5295444acb205fa9c9947ad41427b6b181d74e7e5fe4e6f8a9 baipuyac.png
d9bf5e572d313ddf6f684e93874333e68d493395dc032a1d77c250018a31548f CV.xlsb
a09d8c487a135b973af532247d62f46695a53f37add6c66e561f1c14650290f5 Maaywuku2.dll
fca6b7fe66ad9973f18f407e83b56dacd04197cbd35efc498a342d73d6a113e5 sqlite64.dll
7801b75f545c24cf7fba8e98dc4505d21c1a11fd228d04685f714d2a0bef83f0 tezehu.exe
ddcf95d87542f2df67aff8941fcd92c71cc704698b00923791e21285f82bb01a VSMecyU.dll
7801b75f545c24cf7fba8e98dc4505d21c1a11fd228d04685f714d2a0bef83f0 winnit.exe
(3.dll and VSMecyU.dll share a hash and are the same file; tezehu.exe and winnit.exe likewise.)
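The IOC block above is what the blocklist and cleanup steps in the recommendations have to be built from. As an added example (my own code, not part of the original writeup or the exercise), the Python below parses the IOC list exactly as written, separates IPs, domains, URLs and SHA256 hashes, builds a Wireshark display filter that re-scopes the pcap to the attacker infrastructure, produces a host blocklist, and flags hashes that appear under more than one filename. The IOC text is pasted from this report; the function names and output format are my assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed input: the IOC block from the report above, pasted as written
# (the trailing annotation on the redirect URL is kept to show it is tolerated).
IOC_TEXT = """
143.110.191.95 - lezasopedrill.cyou
185.141.24.71 - webintercom76delivery.net
198.211.99.168
198.211.99.24 - timerdisclaimer.pw, compactmuslimsdeport.pw
205.185.113.20
http://205.185.113.20//BVd1qKwd - 302 redirect, followed by the download of 3.dll
http://205.185.113.20/files/3.dll
http://185.141.24.71/download/winnit.exe
http://webintercom76delivery.net/submit.php?id=12342932
http://webintercom76delivery.net/updates.rss
70db47bd97fc2d27b51eada6b24e32462d6144601a852347c0f6276db62430a6 ~2457218.tmp
d25e3a7ed538968e9b78367cd8f8d20f8f55471a1eb27aae2774272fc8c1c1ce ~2559312.dll
ddcf95d87542f2df67aff8941fcd92c71cc704698b00923791e21285f82bb01a 3.dll
670b57b4e4625b726ea8f4eb716bb838252f4afad05aa1dc252ec07223273a74 {5FD47D96-5062-7DE3-08DA-938D00A84B6B}
cc1030c4c7486f5295444acb205fa9c9947ad41427b6b181d74e7e5fe4e6f8a9 baipuyac.png
d9bf5e572d313ddf6f684e93874333e68d493395dc032a1d77c250018a31548f CV.xlsb
a09d8c487a135b973af532247d62f46695a53f37add6c66e561f1c14650290f5 Maaywuku2.dll
fca6b7fe66ad9973f18f407e83b56dacd04197cbd35efc498a342d73d6a113e5 sqlite64.dll
7801b75f545c24cf7fba8e98dc4505d21c1a11fd228d04685f714d2a0bef83f0 tezehu.exe
ddcf95d87542f2df67aff8941fcd92c71cc704698b00923791e21285f82bb01a VSMecyU.dll
7801b75f545c24cf7fba8e98dc4505d21c1a11fd228d04685f714d2a0bef83f0 winnit.exe
"""

URL_RE = re.compile(r"^https?://", re.I)
SHA256_RE = re.compile(r"^([0-9a-f]{64})\s+(\S+)$", re.I)
IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\s+-\s+(.+))?$")


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def parse_iocs(text):
    """Split the report's IOC lines into ips, domains, urls and hash -> filenames."""
    iocs = {"ips": set(), "domains": set(), "urls": [], "hashes": defaultdict(set)}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if URL_RE.match(line):
            url = line.split()[0]            # drop any trailing analyst annotation
            iocs["urls"].append(url)
            host = urlsplit(url).hostname
            (iocs["ips"] if _is_ip(host) else iocs["domains"]).add(host)
            continue
        m = SHA256_RE.match(line)
        if m:
            iocs["hashes"][m.group(1).lower()].add(m.group(2))
            continue
        m = IP_RE.match(line)
        if m:
            iocs["ips"].add(str(ip_address(m.group(1))))   # raises on a bad octet
            if m.group(2):
                iocs["domains"].update(d.strip() for d in m.group(2).split(","))
            continue
        raise ValueError(f"unrecognised IOC line: {line!r}")
    return iocs


def wireshark_filter(iocs):
    """Display filter matching any packet to/from the attacker infrastructure."""
    parts = [f"ip.addr == {ip}" for ip in sorted(iocs["ips"], key=ip_address)]
    for d in sorted(iocs["domains"]):
        parts.append(f'dns.qry.name == "{d}"')
        parts.append(f'http.host == "{d}"')
        parts.append(f'tls.handshake.extensions_server_name == "{d}"')
    return " or ".join(parts)


def blocklist(iocs):
    """Hosts to block at the firewall/proxy: IPs first, then domains."""
    return sorted(iocs["ips"], key=ip_address) + sorted(iocs["domains"])


def reused_hashes(iocs):
    """Hashes listed under more than one filename: the same payload renamed on disk."""
    return {h: sorted(names) for h, names in iocs["hashes"].items() if len(names) > 1}


if __name__ == "__main__":
    parsed = parse_iocs(IOC_TEXT)
    print(wireshark_filter(parsed))
    print("\n".join(blocklist(parsed)))
    for h, names in reused_hashes(parsed).items():
        print(f"{h}  same file as: {', '.join(names)}")
```

Paste the printed filter into Wireshark's display filter bar to see only traffic involving the listed infrastructure; the hash check is worth running on every IOC list, since a renamed copy of a known payload is a sign the sample was dropped under a second name on the host.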
Recommendations:
1. Contain the user's workstation (isolate it from the network).
2. Remove the malicious files listed above from the workstation, or reimage it.
3. Block the malicious IPs, domains and URLs at the perimeter firewall and web proxy.
4. Improve user security awareness training, with emphasis on macro-enabled attachments.
5. Verify the domain controller is patched against ZeroLogon (CVE-2020-1472) and check whether the attempt succeeded; a successful attack resets the DC's machine account password.
Wireshark Cheatsheet
My Cheatsheet:
Web traffic (HTTP requests plus TLS Client Hellos), with SSDP noise excluded:
(http.request or ssl.handshake.type == 1) and !(ssdp)
(http.request or http.response or tls.handshake.type eq 1) and !(ssdp)
(http.request or tls.handshake.type == 1) and !(ssdp)
Note: ssl.* is the pre-3.0 field name; Wireshark 3.x renamed the dissector to tls.* and keeps ssl.* only as a deprecated alias.

Same, plus bare TCP SYNs (tcp.flags eq 0x0002) to catch connection attempts on non-web ports, and DNS queries; udp.port 1900 is SSDP:
(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)
(http.request or tls.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)

Pivot on known IOCs: HTTP to or from one IP, or DNS queries for known-bad names (values here are from another exercise):
((http.request or http.response) and ip.addr eq 194.1.236.191) or dns.qry.name contains tnzf3380au or dns.qry.name contains xijamaalj

HTTP POSTs (C2 check-ins, exfiltration); the second form hides ordinary form submissions, the third shows only them:
http.request.method eq POST
http.request.method eq POST and !(urlencoded-form)
urlencoded-form

Retransmitted SYNs, i.e. connection attempts that got no answer (dead C2 or blocked ports):
tcp.analysis.retransmission and tcp.flags eq 0x0002

SMTP (malspam): all SMTP, then individual header lines, then the packets carrying message data (bodies and attachments):
smtp
smtp contains "From: "
smtp contains "Message-ID: "
smtp contains "Subject: "
smtp.data.fragment

All HTTP requests:
http.request

Windows account names from Kerberos; the second form drops computer accounts (names ending in $):
kerberos.CNameString
kerberos.CNameString and !(kerberos.CNameString contains $)

FTP commands and the data channel (e.g. files exfiltrated over FTP):
ftp.request.command
ftp-data
ftp-data.command contains .html

Host identification: DHCP requests carry the client hostname:
dhcp

Windows version from the "Windows NT x.y" token in the HTTP User-Agent:
Windows NT 5.1: Windows XP
Windows NT 6.0: Windows Vista
Windows NT 6.1: Windows 7
Windows NT 6.2: Windows 8
Windows NT 6.3: Windows 8.1
Windows NT 10.0: Windows 10

TLS Client Hellos on the non-standard ports 447 and 449 (used by Trickbot C2):
tls.handshake.type eq 1 and (tcp.port eq 447 or tcp.port eq 449)

Campaign-specific URI pattern from an earlier exercise:
(http.request.uri contains /81 or http.request.uri contains /83 or http.request.uri contains /90) and http.request.uri contains mor

HTTP requests for .png files (payloads are sometimes served with an image extension; check the response body, not the name):
http.request.uri contains .png

TLS certificates (handshake type 11) whose subject or issuer country is not US, a cheap way to surface self-signed C2 certificates. Only works for TLS 1.2 and below; TLS 1.3 encrypts the Certificate message:
tls.handshake.type eq 11 and !(x509sat.CountryName == US)

Traffic on one specific port:
tcp.port eq 65400

Substring match on the TLS SNI, the HTTP Host header and the DNS query name:
tls.handshake.extensions_server_name contains speedof
http.host contains strandsglobal
dns.qry.name contains opendns.com

Not a Wireshark filter: a shell one-liner to pull dotted quads out of text (tshark output, a report). It does not check octet ranges, so it also matches strings such as 999.1.1.1 or four-part version numbers:
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
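The grep one-liner and the User-Agent table above are the kind of cheatsheet entries that end up in a triage script. As an added example (my own code, not from the original writeup or the exercise), the Python below does the same IPv4 extraction with octet validation, classifies every address against the LAN segment data from the scenario section (gateway, domain controller, broadcast, other LAN host, external), and maps the "Windows NT x.y" token to a Windows version. The sample text is constructed to look like tshark output; it is not taken from the exercise pcap, and the function names are mine.

```python
import re
from ipaddress import ip_address, ip_network

# LAN segment data from the scenario section of this exercise.
LAN = ip_network("192.168.200.0/24")
GATEWAY = ip_address("192.168.200.1")
DOMAIN_CONTROLLER = ip_address("192.168.200.10")

# "Windows NT x.y" User-Agent token to product name (the table in the cheatsheet).
NT_VERSIONS = {
    "5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
    "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10",
}

# Candidate dotted quads, bounded so a longer number is never cut in half.
# Octet range checking is left to ipaddress, which the bare grep regex skips.
IPV4_CANDIDATE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_ipv4(text):
    """Distinct valid IPv4 addresses in text, in first-seen order."""
    found = []
    for cand in IPV4_CANDIDATE.findall(text):
        try:
            ip = ip_address(cand)
        except ValueError:          # e.g. 999.1.1.1: octet out of range
            continue
        if ip not in found:
            found.append(ip)
    return found


def classify(ip):
    """Place an address relative to the scenario's LAN segment."""
    ip = ip_address(ip)
    if ip == LAN.broadcast_address:
        return "broadcast"
    if ip == GATEWAY:
        return "gateway"
    if ip == DOMAIN_CONTROLLER:
        return "domain-controller"
    if ip in LAN:
        return "lan-host"
    if ip.is_private or ip.is_loopback or ip.is_multicast or ip.is_link_local:
        return "other-internal"
    return "external"


def triage(text):
    """Group every address in text by classify(); the external bucket is the IOC candidate list."""
    buckets = {}
    for ip in extract_ipv4(text):
        buckets.setdefault(classify(ip), []).append(str(ip))
    return buckets


def windows_from_user_agent(ua):
    """Windows product name from a User-Agent string, or None if no NT token is present."""
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    return NT_VERSIONS.get(m.group(1)) if m else None


# Constructed sample in the style of `tshark -r file.pcap` output; not from the exercise pcap.
SAMPLE_TEXT = """\
1 192.168.200.8 -> 192.168.200.10  DNS  Standard query A lezasopedrill.cyou
2 192.168.200.8 -> 143.110.191.95  TCP  49732 -> 443 [SYN] Seq=0
3 192.168.200.8 -> 192.168.200.255 NBNS Name query NB DESKTOP-JI1UZAE
4 192.168.200.8 -> 205.185.113.20  HTTP GET //BVd1qKwd User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
5 999.1.1.1 is not an address and tshark 3.4.10 is a version string
"""

if __name__ == "__main__":
    for bucket, addrs in triage(SAMPLE_TEXT).items():
        print(f"{bucket:18} {', '.join(addrs)}")
    for line in SAMPLE_TEXT.splitlines():
        if "User-Agent:" in line:
            print("client OS:", windows_from_user_agent(line))
```

Feeding it the output of tshark -r file.pcap -T fields -e ip.src -e ip.dst -e http.user_agent gives a first cut of external hosts to check against the IOC list, with the DC, gateway and broadcast traffic already set aside. Note the limitation both approaches share: a four-part version string with in-range octets (say 3.4.0.1) still looks like an address, so eyeball the external bucket before pasting it anywhere.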