
TRAFFIC ANALYSIS EXERCISE - Ransomer

1. SCENARIO

The pcap contains traffic from three different hosts.  You also have IDS alerts to help you figure out what's going on.

Relevant Link:

http://www.malware-traffic-analysis.net/2017/02/11/index.html

 

2. QUESTIONS

0x1:BASIC TASKS

  • Document the date, start time and end time of the pcap in UTC (GMT).
  • Document the IP address of the three hosts in the pcap.
  • Document the mac address of the three hosts in the pcap.
  • Document the type of computer (Windows, Mac, Android, etc.) for each of the three hosts in the pcap.
  • Determine which host(s) were infected.

0x2:MORE ADVANCED TASKS 

  • Document the family (or families) of malware based on indicators from the pcap.
  • Document the root cause for any infections noted in the pcap.

0x3:FINAL TASK

  • Draft an incident report for the infected host(s).
  • If more than one host is infected, draft a separate incident report for each host.

 

3. Analysis

0x1: Access to an anomalous domain

1. DNS resolution

unittogreas.top

2. HTTP request to the suspicious domain

http://unittogreas.top/search.php

This domain is labelled in the Tracker as a "Ransomer Domain".

------------------------------------------------------------------------
Count:1 Event#3.23810 2017-02-11 03:02:41 UTC
ET DNS Query to a *.top domain - Likely Hostile
10.3.14.134 -> 10.3.14.2
IPVer=4 hlen=5 tos=0 dlen=61 ID=1417 flags=0 offset=0 ttl=128 chksum=1178
Protocol: 17 sport=51734 -> dport=53

len=41 chksum=6660
------------------------------------------------------------------------
Count:1 Event#3.23811 2017-02-11 03:02:43 UTC
ET INFO HTTP Request to a *.top domain
10.3.14.134 -> 104.155.4.180
IPVer=4 hlen=5 tos=0 dlen=325 ID=0 flags=0 offset=0 ttl=0 chksum=13276
Protocol: 6 sport=49249 -> dport=80

Seq=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=62268 chksum=0

0x2: Download of suspicious files

From the perspective of network-flow analysis, there are several things that can be done here:

  • 1. Carve the whole PE/ELF stream out of the flow and compute its MD5.
  • 2. Compute the file size from the size of each [TCP segment of a reassembled PDU]; if the file is small, it is very likely a malicious loader.
  • 3. Extract the file name from the filename field of the HTTP headers; a PE file served without an extension is very likely malicious.
  • 4. Determine from the binary network stream what kind of file download is taking place (this pcap, for example, shows EXE/DLL downloads as well as JS/WSF downloads).
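The four checks above, applied to a reconstructed HTTP response, as an added example that is not part of the original write-up. The response bytes are constructed inline (a tiny fake PE served as "update" with no extension); the 200 KB "small executable" threshold and the JS/WSF keyword heuristic are assumptions of this example, not values from the exercise.

```python
import hashlib
import re

# Constructed HTTP response: a fake PE downloaded with no file extension.
# Built inline for this example; it is not a record from the exercise pcap.
PE_BODY = b"MZ" + b"\x90\x00" * 30 + b"PE\x00\x00" + b"\x00" * 200
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment; filename=\"update\"\r\n"
    b"Content-Length: " + str(len(PE_BODY)).encode() + b"\r\n"
    b"\r\n" + PE_BODY
)

SMALL_EXECUTABLE = 200 * 1024   # assumed loader-size threshold (bytes)


def classify_body(body: bytes) -> str:
    """Identify the file kind from magic bytes (PE, ELF) or, for scripts
    that have no fixed magic, from keywords in the first 512 bytes."""
    if body[:2] == b"MZ":
        return "PE"
    if body[:4] == b"\x7fELF":
        return "ELF"
    head = body[:512].lower()
    if b"<job" in head or b"<script" in head:
        return "WSF"
    if b"function" in head or b"var " in head or b"eval(" in head:
        return "JS"
    return "unknown"


def split_response(raw: bytes):
    """Split a reassembled HTTP response into (status line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode()] = v.strip().decode(errors="replace")
    return lines[0].decode(), headers, body


def filename_from_headers(headers: dict):
    """Pull the file name out of Content-Disposition, quoted or bare."""
    cd = headers.get("content-disposition", "")
    m = re.search(r'filename\*?=(?:"([^"]*)"|([^;]*))', cd)
    if not m:
        return None
    return (m.group(1) or m.group(2)).strip()


def analyse_download(raw: bytes) -> dict:
    """Run the write-up's four checks and return what an analyst would record."""
    status, headers, body = split_response(raw)
    kind = classify_body(body)
    name = filename_from_headers(headers)
    findings = []
    if kind in ("PE", "ELF") and len(body) < SMALL_EXECUTABLE:
        findings.append("small executable: possible loader")
    if kind == "PE" and name is not None and "." not in name:
        findings.append("PE served without a file extension")
    if kind in ("JS", "WSF"):
        findings.append("script download")
    return {
        "status": status,
        "filename": name,
        "type": kind,
        "size": len(body),
        "md5": hashlib.md5(body).hexdigest(),
        "findings": findings,
    }


if __name__ == "__main__":
    print(analyse_download(SAMPLE_RESPONSE))
```

The body handed to `analyse_download` must be the fully reassembled TCP stream (Wireshark's "Follow TCP Stream" or a tshark export), otherwise the MD5 and size describe only one segment.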

0x3: C&C communication

1. Ransomware/Cerber Checkin M3 (4)

UDP: 33343032343164386336383030303931633730303030303134
UDP: 3334303234316438633638303465

The Suricata real-time alerting rule that detects this ransomware's check-in traffic:

alert udp $HOME_NET any -> $EXTERNAL_NET 6892 (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (4)"; dsize:25; content:"3"; depth:1; pcre:"/^[a-f0-9]{24}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023615; rev:1;)
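The rule above reduces to three payload conditions (exactly 25 bytes, a leading "3", then 24 hex characters) plus a per-source threshold. The block below, an added example rather than code from the write-up or from Suricata, re-implements those conditions in Python so the logic can be run over datagrams pulled from a pcap. The datagrams are constructed here, not taken from the exercise capture.

```python
import re

# Payload conditions of sid:2023615:
#   dsize:25; content:"3"; depth:1; pcre:"/^[a-f0-9]{24}$/Ri"
CHECKIN_RE = re.compile(rb"^[a-f0-9]{24}$", re.IGNORECASE)
CERBER_UDP_PORT = 6892   # destination port in the rule header


def is_cerber_checkin(payload: bytes, dport: int) -> bool:
    """Apply the rule's port and payload checks to one UDP datagram."""
    if dport != CERBER_UDP_PORT or len(payload) != 25:
        return False
    if payload[:1] != b"3":                       # content:"3"; depth:1
        return False
    # The pcre's R flag anchors it right after the previous content match.
    return CHECKIN_RE.match(payload[1:]) is not None


class Threshold:
    """Emulates 'threshold: type both, track by_src, count N, seconds S':
    per source, alert once per window, and only once N hits are reached."""

    def __init__(self, count=1, seconds=60):
        self.count, self.seconds = count, seconds
        self.windows = {}   # src -> (window_start, hits, alerted)

    def hit(self, src: str, ts: float) -> bool:
        start, hits, alerted = self.windows.get(src, (ts, 0, False))
        if ts - start >= self.seconds:            # window expired: start a new one
            start, hits, alerted = ts, 0, False
        hits += 1
        fire = hits >= self.count and not alerted
        if fire:
            alerted = True
        self.windows[src] = (start, hits, alerted)
        return fire


def scan(datagrams, threshold=None):
    """datagrams: iterable of (ts, src, dport, payload). Returns (ts, src) alerts."""
    threshold = threshold or Threshold(count=1, seconds=60)
    alerts = []
    for ts, src, dport, payload in datagrams:
        if is_cerber_checkin(payload, dport) and threshold.hit(src, ts):
            alerts.append((ts, src))
    return alerts


# Constructed datagrams (not from the exercise pcap): four check-ins from one
# host, three inside the first 60 s window and one after it, plus a non-match.
SAMPLE = [
    (0.0,  "10.0.0.5", 6892, b"3" + b"40241d8c6800091c70000140"),
    (5.0,  "10.0.0.5", 6892, b"3" + b"40241d8c6800091c70000141"),
    (30.0, "10.0.0.5", 6892, b"3" + b"40241d8c6800091c70000142"),
    (61.0, "10.0.0.5", 6892, b"3" + b"40241d8c6800091c70000143"),
    (62.0, "10.0.0.5", 6892, b"hello world, not a check-in"),
]

if __name__ == "__main__":
    for ts, src in scan(SAMPLE):
        print(f"{ts:6.1f}  {src}  ET TROJAN Ransomware/Cerber Checkin M3 (4)")
```

Running `scan(SAMPLE)` yields two alerts, at 0.0 s and 61.0 s: the second and third check-ins fall inside the first 60 s window and are suppressed, which is exactly why a single alert in the IDS log may stand for several beacons in the pcap.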

2. ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)

  • #alert udp $HOME_NET [!1720,!1722,!2222,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)"; dsize:>19; byte_test:1, &, 1, 19; threshold: type both, track by_src, count 95, seconds 50; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009205; classtype:trojan-activity; sid:2009205; rev:5;)
  • #alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)"; dsize:>19; byte_test:1, &, 4, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009206; classtype:trojan-activity; sid:2009206; rev:4;)
  • #alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)"; dsize:>19; byte_test:1, &, 5, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009207; classtype:trojan-activity; sid:2009207; rev:4;)
  • #alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)"; dsize:>19; byte_test:1, &, 16, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009208; classtype:trojan-activity; sid:2009208; rev:4;)

0x4: Bitcoin-related communication

1. Checking whether a given wallet address is available

At runtime the ransomware randomly generates a Bitcoin wallet address to receive the ransom payment. After generating it, it queries the blockchain to check whether the address is available; if the address is already in use, it generates a new one.

http://api.blockcypher.com/v1/btc/main/addrs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1486782174891

{"error": "Address 17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt is unaccessible."}

2. Request to the blockchain to check whether the given wallet address has received the ransom payment

http://api.blockcypher.com/v1/btc/main/txs/0c58687c2057837da6c08a090b75a41defe11c9927d3e0228d71a2bff2b264fa?_=1486782175218

{
  "block_hash": "000000000000000001c2563a05c879d883aa1680d0a49a1e0148afcf5b5034bf",
  "block_height": 452418,
  "block_index": 8,
  "hash": "0c58687c2057837da6c08a090b75a41defe11c9927d3e0228d71a2bff2b264fa",
  "addresses": [
    "17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt",
    "1NmrtQoXN1F4sSCRfCzCimYM4ncuj9tam7"
  ],
  "total": 31115000,
  "fees": 100000,
  "size": 192,
  "preference": "high",
  "relayed_by": "109.236.87.132:8333",
  "confirmed": "2017-02-10T14:43:06Z",
  "received": "2017-02-10T14:36:04.282Z",
  "ver": 1,
  "lock_time": 0,
  "double_spend": false,
  "vin_sz": 1,
  "vout_sz": 1,
  "confirmations": 2189,
  "confidence": 1,
  "inputs": [
    {
      "prev_hash": "f1d398776872297adcddedaca37c9bf00ce3683c11233fa291a0d588375cc6df",
      "output_index": 0,
      "script": "483045022100d9ffd79b0ec63e474b0a7878f397f6f262f4f05a106270e3791f1e76fec3b03802202c2d4eacd271b10fed5fff06066a958b41f10da041a63810573ecfaeb2f55e8a01210276ddc5fb72799194e3bd52a96400304b9d22d61f1944b4ad9f7209d58be36496",
      "output_value": 31215000,
      "sequence": 4294967295,
      "addresses": [
        "17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt"
      ],
      "script_type": "pay-to-pubkey-hash"
    }
  ],
  "outputs": [
    {
      "value": 31115000,
      "script": "76a914eed6963ae01cd87e4d737aa03e6267d346b7de9288ac",
      "spent_by": "2c55aacdad6a8830ebfd56d5d01e143a7e3a3bb94fc9bff49181ce518152f5a0",
      "addresses": [
        "1NmrtQoXN1F4sSCRfCzCimYM4ncuj9tam7"
      ],
      "script_type": "pay-to-pubkey-hash"
    }
  ]
}

3. Cerber Payment Site

0x5: Tor network-related communication

1. ET TROJAN Ransomware/Cerber Onion Domain Lookup

Count:1 Event#3.23826 2017-02-11 03:02:54 UTC
ET TROJAN Ransomware/Cerber Onion Domain Lookup
10.3.14.134 -> 10.3.14.2
IPVer=4 hlen=5 tos=0 dlen=73 ID=3686 flags=0 offset=0 ttl=128 chksum=64432
Protocol: 17 sport=50205 -> dport=53

len=53 chksum=52268

Once the ransomware is running, it reports the successful infection and other host information to the operators on the Tor network, either through a Tor proxy such as Tor2web or through a Tor client embedded in the malware itself.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown Brazilian Banker Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?role="; fast_pattern:only; http_uri; content:"&os="; http_uri; content:"&bits="; http_uri; content:"&av="; http_uri; content:"&host="; http_uri; content:"&plugins="; http_uri; content:!"Referer|3a 20|"; http_header; reference:md5,580f82bbd46e8344231cf005; classtype:trojan-activity; sid:2023424; rev:2;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ffoqr3ug7m726zou"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023425; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lfdachijzuwx4bc4"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023426; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ojmekzw4mujvqeju"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023427; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xrhwryizf5mui7a5"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023428; rev:1;)

Relevant Link:

https://ransomwaretracker.abuse.ch/tracker/

 

4. Analysis: 10.3.14.131

0x1: Suspected shellcode download

1. ET SHELLCODE UTF-8/16 Encoded Shellcode

The TCP response packets carry a UTF/Unicode data stream whose escapes begin with '\x5C' (a backslash followed by "u").

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE UTF-8/16 Encoded Shellcode"; flow:established,to_client; content:"|5C|u"; nocase; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; pcre:"/\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012510; rev:2;)

2、ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt"; flow:established,to_client; content:"String.FromCharCode("; nocase; pcre:"/String\x2EFromCharCode\x28[0-9]{1,3}/i"; reference:url,www.w3schools.com/jsref/jsref_fromCharCode.asp; reference:url,www.roseindia.net/javascript/method-fromcharcode.shtml; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; classtype:bad-unknown; sid:2011347; rev:2;)
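Both rules above key on how the obfuscation looks on the wire: sid:2012510 chains five `\u` content matches, each within 6 bytes of the previous one, then confirms with a PCRE; sid:2011347 looks for `String.FromCharCode(` followed by a decimal argument. The block below is an added example, not code from the write-up or from Suricata: it re-implements those two checks over a reassembled HTTP response body and, for the analyst, decodes what the escaped text and the character codes resolve to. The sample body is constructed and harmless.

```python
import re

# pcre of sid:2012510 (the rule's character class literally includes the comma).
UNICODE_ESC_RE = re.compile(r"\\u[a-f,0-9]{2,4}\\u[a-f,0-9]{2,4}\\u[a-f,0-9]{2,4}", re.I)
# sid:2011347: String.FromCharCode( followed by 1-3 digits; the group captures the
# whole numeric argument list so it can be decoded.
FROMCHARCODE_RE = re.compile(
    r"String\.FromCharCode\((\s*\d{1,3}\s*(?:,\s*\d{1,3}\s*)*)\)", re.I)


def has_unicode_escape_run(body: str, needed: int = 5, within: int = 6) -> bool:
    """Emulate content:"|5C|u" repeated with within:6 -- `needed` occurrences of
    "\\u", each starting no more than `within` bytes after the previous one."""
    positions = [m.start() for m in re.finditer(r"\\u", body, re.I)]
    run = 1
    for prev, cur in zip(positions, positions[1:]):
        run = run + 1 if cur - prev <= within else 1
        if run >= needed:
            return True
    return False


def detect(body: str) -> list:
    """Return the names of the rules whose content conditions the body satisfies."""
    hits = []
    if has_unicode_escape_run(body) and UNICODE_ESC_RE.search(body):
        hits.append("ET SHELLCODE UTF-8/16 Encoded Shellcode")
    if FROMCHARCODE_RE.search(body):
        hits.append("ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt")
    return hits


def decode_unicode_escapes(s: str) -> str:
    """Replace each \\uXXXX escape with the character it denotes, for review."""
    return re.sub(r"\\u([0-9a-f]{4})", lambda m: chr(int(m.group(1), 16)), s, flags=re.I)


def decode_fromcharcode(s: str) -> list:
    """Resolve every String.fromCharCode(n, n, ...) call with numeric arguments."""
    return ["".join(chr(int(n)) for n in m.group(1).split(","))
            for m in FROMCHARCODE_RE.finditer(s)]


# Constructed response body (not from the exercise pcap): five \u escapes in a
# row and one fromCharCode call, both resolving to harmless text.
SAMPLE_BODY = ('var s = "\\u0048\\u0065\\u006c\\u006c\\u006f"; '
               'var t = String.fromCharCode(72,105);')

if __name__ == "__main__":
    print(detect(SAMPLE_BODY))
    print(decode_unicode_escapes(SAMPLE_BODY))
    print(decode_fromcharcode(SAMPLE_BODY))
```

Three escapes alone do not trip the first check (the rule insists on five), which is the kind of detail to keep in mind when an exported body looks obfuscated but produced no alert.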

0x2: Suspicious HTTP URL access

1. ET POLICY HTTP Request on Unusual Port Possibly Hostile

Normally websites are served on ports such as 80 and 8080; if a URL is served on a non-standard port, the access itself is suspicious.

#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET POLICY HTTP Request on Unusual Port Possibly Hostile"; flow:established,to_server; flowbits:isnotset,et.httpproto; flowbits:set,et.httpproto; flowbits:set,ET.knowitsnothttpnow; flowbits:isnotset,ET.knowitsnothttpnow; threshold: type limit, count 1, seconds 30, track by_dst; reference:url,doc.emergingthreats.net/2006408; classtype:policy-violation; sid:2006408; rev:14;)

0x3: Suspicious DNS resolution

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Spora Ransomware DNS Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|spora|03|biz|00|"; nocase; distance:0; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,41de296c5bcfc24fc0f16b1e997d9aa5; classtype:trojan-activity; sid:2023887; rev:1;)
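The Spora rule above and the four Cerber onion-lookup rules in section 0x5 share one shape: `offset:2; depth:10` pins the DNS header of a standard query (flags 0x0100, one question, no answers), and the next `content` is a length-prefixed label sequence taken straight from the QNAME encoding. The block below is an added example, not code from the write-up or from Suricata: it builds standard queries as test input, parses the QNAME labels, and applies both rules' content conditions. The query names are constructed; the four onion labels come from the rules on the page.

```python
import struct

# The 16-character labels from the four Cerber onion-lookup rules (sid:2023425-2023428).
CERBER_ONION_LABELS = {
    "ffoqr3ug7m726zou", "lfdachijzuwx4bc4", "ojmekzw4mujvqeju", "xrhwryizf5mui7a5",
}
# content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2
# -> flags 0x0100 (standard query, RD set), QDCOUNT 1, AN/NS/AR 0.
STD_QUERY_HDR = b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard A/IN query for `name` (constructed input, not a pcap record)."""
    qname = b"".join(bytes([len(l)]) + l.encode()
                     for l in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack(">HH", 1, 1)


def parse_labels(payload: bytes):
    """Return the question-name labels of a DNS message, or None if malformed."""
    pos, labels = 12, []
    while pos < len(payload):
        n = payload[pos]
        if n == 0:
            return labels
        if n & 0xC0 or pos + 1 + n > len(payload):   # compression pointer or truncated
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", errors="replace"))
        pos += 1 + n
    return None


def match_rules(payload: bytes) -> list:
    """Emulate the content checks of the Cerber onion-lookup and Spora DNS rules."""
    hits = []
    if payload[2:12] != STD_QUERY_HDR:
        return hits
    labels = parse_labels(payload)
    if labels is None:
        return hits
    lower = [l.lower() for l in labels]                 # nocase
    # "|10|<16 chars>": a label of length 0x10 equal to one of the onion names.
    if any(len(l) == 16 and l in CERBER_ONION_LABELS for l in lower):
        hits.append("ET TROJAN Ransomware/Cerber Onion Domain Lookup")
    # "|05|spora|03|biz|00|": the name ends with the labels spora, biz.
    if len(lower) >= 2 and lower[-2:] == ["spora", "biz"]:
        hits.append("ET TROJAN Spora Ransomware DNS Query")
    return hits


if __name__ == "__main__":
    # A Tor2web-style lookup of an onion name, as the write-up describes.
    for q in ("ffoqr3ug7m726zou.onion.to", "spora.biz", "www.example.com"):
        print(q, "->", match_rules(build_query(q)))
```

Because the header check requires AN/NS/AR counts of zero, the same logic ignores responses; run it on the client-to-resolver direction only, as the rules' `$HOME_NET any -> any 53` header already implies.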

Relevant Link:

https://rules.emergingthreats.net/open/suricata/rules/
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules
https://ransomwaretracker.abuse.ch/ip/185.183.98.143/host/p27dokhpz2n7nvgr.1nmrtq.top/
https://www.pcrisk.com/removal-guides/10824-spora-ransomware

posted @ 2017-02-25 15:49  郑瀚Andrew  Views (1518)  Comments (0)