
02.04.2021

Malware traffic analysis tutorial

By Araktilar

This is an example of my workflow for examining malicious network traffic. For small pcaps I like to use Wireshark, simply because it's easier to use.


This pcap has packets; The Honeynet Project has already carved it out of a much larger pcap for us. The challenge: a network trace with attack data is provided. Note that the IP address of the victim has been changed to hide the true location. Analyze and answer the following questions. To wrap it all up, this was a buffer overflow of a function that was accessible via SMB on port . The service was exploited via buffer overflow, and arbitrary commands were then allowed to be executed on behalf of the attacker.

Overview: Wireshark workflow. Analyze and answer the following questions: Which systems (i.e. IP addresses) are involved? What can you find out about the attacking host (e.g. …)? How many TCP sessions are contained in the dump file? We have 5 TCP sessions that were established between the attacker and victim; keep in mind that Wireshark TCP streams start at 0, so our streams go from 0 to 4 for a total of 5.

How long did it take to perform the attack? Total time 16 seconds. Which operating system was targeted by the attack? And which service? Which vulnerability? The Sasser worm.
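The session count and duration above are read off Wireshark's tcp.stream column and timestamps by hand. The following is an added example written for this page, not the author's code or the Honeynet challenge capture: it answers the same three questions (systems involved, number of TCP sessions, attack duration) from a pcap with only the Python standard library. The capture is constructed in code, with RFC 5737 documentation addresses and locally administered MAC addresses standing in for attacker and victim; port 445 is used because the write-up names SMB, everything else is a placeholder. The IP-to-MAC listing also covers the Host and Ethernet II Src/Dst IOC steps of the Wireshark walkthrough further down the page.

```python
"""Answer the Honeynet questions (systems involved, TCP session count, attack
duration) from a pcap with only the standard library.
Added example: the capture below is constructed in code, not the challenge pcap."""
import struct
from collections import OrderedDict

# Constructed endpoints: RFC 5737 documentation IPs, locally administered MACs.
ATTACKER, ATTACKER_MAC = "192.0.2.10", bytes.fromhex("020000000001")
VICTIM, VICTIM_MAC = "198.51.100.20", bytes.fromhex("020000000002")

def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))

def tcp_frame(src_mac, dst_mac, src, sport, dst, dport, payload=b""):
    """Ethernet II + IPv4 + TCP (no options). Checksums stay zero: these bytes
    are only parsed back, never sent."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, _ip(src), _ip(dst))
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp

def pcap_bytes(frames):
    """Serialise [(timestamp, frame_bytes), ...] as a little-endian classic pcap
    with LINKTYPE_ETHERNET."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def iter_tcp_packets(pcap):
    """Yield (ts, src_mac, dst_mac, src_ip, sport, dst_ip, dport, payload) for
    every IPv4/TCP frame. Handles both byte orders of the classic pcap magic;
    pcapng and nanosecond-magic files are out of scope here."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    pos = 24
    while pos + 16 <= len(pcap):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP, or truncated below the minimum header size
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0]  # IP total length bounds the payload
        ip_hdr, tcp = frame[14:14 + ihl], frame[14 + ihl:14 + total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield (sec + usec / 1e6, frame[6:12].hex(":"), frame[:6].hex(":"),
               ".".join(map(str, ip_hdr[12:16])), sport,
               ".".join(map(str, ip_hdr[16:20])), dport, tcp[doff:])

def tcp_streams(pcap):
    """Number conversations like Wireshark's tcp.stream: first seen is 0, keyed
    by the unordered pair of endpoints so both directions share one index."""
    streams = OrderedDict()
    for _, _, _, src, sport, dst, dport, _ in iter_tcp_packets(pcap):
        streams.setdefault(frozenset({(src, sport), (dst, dport)}), len(streams))
    return streams

def attack_duration(pcap):
    """Seconds between the first and last TCP frame: 'how long did it take'."""
    stamps = [p[0] for p in iter_tcp_packets(pcap)]
    return max(stamps) - min(stamps) if stamps else 0.0

def hosts_involved(pcap):
    """IP -> MAC as read from Ethernet II Src/Dst: 'which systems are involved'."""
    hosts = {}
    for _, smac, dmac, src, _, dst, _, _ in iter_tcp_packets(pcap):
        hosts.setdefault(src, smac)
        hosts.setdefault(dst, dmac)
    return hosts

# Constructed capture: three attacker->victim sessions to SMB, then two
# victim->attacker sessions, spanning 16 seconds. Not real traffic.
SAMPLE_PCAP = pcap_bytes([
    (100.0, tcp_frame(ATTACKER_MAC, VICTIM_MAC, ATTACKER, 40001, VICTIM, 445)),
    (100.2, tcp_frame(VICTIM_MAC, ATTACKER_MAC, VICTIM, 445, ATTACKER, 40001)),
    (103.0, tcp_frame(ATTACKER_MAC, VICTIM_MAC, ATTACKER, 40002, VICTIM, 445, b"\x00" * 8)),
    (107.5, tcp_frame(ATTACKER_MAC, VICTIM_MAC, ATTACKER, 40003, VICTIM, 445)),
    (109.0, tcp_frame(VICTIM_MAC, ATTACKER_MAC, VICTIM, 1030, ATTACKER, 9000)),
    (116.0, tcp_frame(VICTIM_MAC, ATTACKER_MAC, VICTIM, 1031, ATTACKER, 9000)),
])

if __name__ == "__main__":
    streams = tcp_streams(SAMPLE_PCAP)
    print(f"{len(streams)} TCP sessions (tcp.stream 0-{len(streams) - 1})")
    print(f"attack duration: {attack_duration(SAMPLE_PCAP):.1f} s")
    for ip, mac in hosts_involved(SAMPLE_PCAP).items():
        print(f"{ip:>15}  {mac}")
```

To run it against a real capture, replace SAMPLE_PCAP with `open("trace.pcap", "rb").read()`; the stream numbering will match Wireshark's tcp.stream only if the file is a classic pcap, since pcapng is not parsed here.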

A Basic Guide to Malware Traffic Analysis Through Wireshark

Can you sketch an overview of the general actions performed by the attacker? Most likely recon for an open port. Was there malware involved? What's the name of the malware?


We are not looking for a detailed malware analysis for this challenge (2 pts). Yes. By carving the binary out of the pcap and obtaining a SHA-1 hash of the file, VirusTotal reports it as being titled smss. Do you think this is a manual or an automated attack? I highly doubt an attacker would have been able to manually scan, exploit, enter 7 commands, and download and execute a binary in that time. Summary: to wrap it all up, this was a buffer overflow of a function that was accessible via SMB on port .

By Brad Duncan.
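Carving the binary and hashing it is the step that turns a pcap into a VirusTotal lookup. The following is an added example, not the write-up's tooling: it takes a reassembled server-to-client TCP stream (what Wireshark's Follow TCP Stream shows and what File > Export Objects > HTTP walks) and splits it into HTTP responses at their Content-Length boundaries, so a second response in the same connection does not bleed into the carved file. RESPONSE_STREAM is a constructed byte string with an "MZ"-prefixed blob standing in for the dropped executable; it is not the smss sample.

```python
"""Carve the file an HTTP response delivered (the manual File > Export Objects
step) and hash it for a VirusTotal lookup. Added example: RESPONSE_STREAM is a
constructed server->client TCP payload, not bytes from either pcap on this page."""
import hashlib

# Constructed payload: an "MZ"-prefixed blob standing in for a dropped executable.
FAKE_BINARY = b"MZ" + bytes(range(64))
RESPONSE_STREAM = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: " + str(len(FAKE_BINARY)).encode() + b"\r\n"
    b"\r\n" + FAKE_BINARY
    # a second response in the same stream must not leak into the first body
    + b"HTTP/1.1 404 Not Found\r\nContent-Length: 9\r\n\r\nnot found"
)

def carve_http_objects(stream):
    """Split a reassembled server->client stream into (status_line, headers, body).
    Bodies are cut at Content-Length; a response without it takes the rest of the
    stream (chunked transfer coding is not handled here)."""
    objects, pos = [], 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        status, *header_lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        if "content-length" in headers:
            body_end = body_start + int(headers["content-length"])
        else:
            body_end = len(stream)
        objects.append((status, headers, stream[body_start:body_end]))
        pos = body_end
    return objects

def looks_like_pe(body):
    """Cheap triage before hashing: Windows executables start with the 'MZ' stub."""
    return body[:2] == b"MZ"

def hash_for_lookup(body):
    """SHA-1 (as the write-up used) plus SHA-256; VirusTotal accepts either."""
    return hashlib.sha1(body).hexdigest(), hashlib.sha256(body).hexdigest()

def carve_executables(stream):
    """Return [(sha1, sha256, size)] for every response body that looks like a PE."""
    return [(*hash_for_lookup(body), len(body))
            for _, _, body in carve_http_objects(stream) if looks_like_pe(body)]

if __name__ == "__main__":
    for sha1, sha256, size in carve_executables(RESPONSE_STREAM):
        print(f"{size} bytes  sha1={sha1}  sha256={sha256}")
```

Looking the hash up instead of uploading the carved file avoids sharing a possibly sensitive sample with a third party; only upload when the hash is unknown.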

The Ursnif family of malware has been active for years, and current samples generate distinct traffic patterns.

This tutorial reviews packet captures (pcaps) of Ursnif infection traffic using Wireshark. Understanding these traffic patterns can be critical for security professionals when detecting and investigating Ursnif infections. Note: this tutorial assumes you have a basic knowledge of Wireshark, and it uses the customized column display shown in this tutorial.

You should also have experience with Wireshark display filters as described in this additional tutorial. Ursnif can be distributed through web-based infection chains and malicious spam (malspam).

In some cases, Ursnif is a follow-up infection caused by a different malware family such as Hancitor, as reported in this recent example. We frequently find examples of Ursnif from malspam-based distribution campaigns, such as the example in Figure 1. Figure 1. Flowchart from one of the more common Ursnif distribution campaigns.

Malware samples from either of these categories create the same type of artifacts on an infected Windows host. For example, both types of Ursnif remain persistent on a Windows host by updating the Windows registry, such as the example shown in Figure 2. Figure 2. The first pcap for this tutorial is Ursnif-traffic-example. The chain of events behind this traffic was tweeted here.

Example 1 has been stripped of all traffic not directly related to the Ursnif infection. Open the pcap in Wireshark and filter on http. Figure 3. The pcap for example 1 filtered in Wireshark. In this example, the Ursnif-infected host generates post-infection traffic to 8.

This category of Ursnif causes the following traffic. Figure 4 highlights the GET request. Figure 4. We can find the same pattern from Ursnif activity caused by a Hancitor infection on December 10. The pcap is available here.

Mixed with the other malware activity, this December 10th example contains the following indicators for Ursnif. Note how the patterns from Ursnif traffic in the December 10th example are similar to the patterns we find in example 1. The second pcap for this tutorial is Ursnif-traffic-example. Like our first pcap, this one has also been stripped of any traffic not related to the Ursnif infection. If you are using Wireshark 3. Figure 5. The pcap for our second example filtered in Wireshark.
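The comparison between the December 10th traffic and example 1 is done by eye: the analyst notices that the request URLs share a shape even though hosts and encoded path segments differ. The following is an added example, not Unit 42's code: it reduces each request path to a template by replacing long opaque segments with a placeholder, then reports which templates two captures have in common. The (host, path) lists are constructed stand-ins for the HTTP requests of two pcaps; they are not Ursnif indicators, and the 8-character threshold for an "opaque" segment is an assumption to tune per case.

```python
"""Reduce request URLs to their shape so two captures can be compared for the
kind of recurring pattern the tutorial points out by eye. Added example: the
host/path lists are constructed stand-ins, not Ursnif indicators from the pcaps."""
import re
from collections import Counter

# Constructed (host, path) pairs standing in for the HTTP requests of two pcaps.
EXAMPLE_1 = [
    ("files.example", "/update/ab3Ks_2FQdZ/data.bin"),
    ("files.example", "/update/Q1ppL0r7sX/data.bin"),
    ("files.example", "/check/ping"),
]
EXAMPLE_2 = [
    ("cdn.example", "/update/pp93kd0sLq/data.bin"),
    ("cdn.example", "/favicon.ico"),
]

# A path segment of 8+ URL-safe characters is treated as opaque (an encoded ID,
# a per-victim token); shorter fixed words like "update" are kept literally.
TOKEN = re.compile(r"^[A-Za-z0-9_\-=]{8,}$")

def url_shape(path):
    """Replace opaque segments with <tok>, keeping fixed words and the file
    extension: /update/ab3Ks_2FQdZ/data.bin -> /update/<tok>/data.bin."""
    parts = []
    for seg in path.split("/"):
        stem, dot, ext = seg.rpartition(".")
        core = stem if dot else seg       # judge the stem, not the extension
        if TOKEN.match(core):
            seg = "<tok>" + (dot + ext if dot else "")
        parts.append(seg)
    return "/".join(parts)

def shapes(requests):
    """Counter of URL shapes in one capture. The host is deliberately ignored so
    that rotated infrastructure does not hide a shared request pattern."""
    return Counter(url_shape(path) for _, path in requests)

def shared_shapes(capture_a, capture_b):
    """Shapes present in both captures: the candidates worth writing a rule for."""
    return sorted(set(shapes(capture_a)) & set(shapes(capture_b)))

if __name__ == "__main__":
    for shape, n in shapes(EXAMPLE_1).most_common():
        print(f"example 1  {n}x  {shape}")
    for shape, n in shapes(EXAMPLE_2).most_common():
        print(f"example 2  {n}x  {shape}")
    print("shared:", shared_shapes(EXAMPLE_1, EXAMPLE_2))
```

Feeding it real captures means exporting `http.host` and `http.request.uri` from each pcap; a shape that recurs in both while the hosts differ is exactly the kind of pattern the tutorial is drawing attention to, and a better basis for a detection signature than any single hostname.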

We can export the Ursnif binary from the pcap as described in this previous tutorial. Figure 6. The next four HTTP requests to bjanicki[. This URL pattern is somewhat similar to Ursnif traffic from our first pcap. Figure 7 highlights a GET request from our second pcap.

Cuckoo Sandbox is the leading open source automated malware analysis system. You can throw any suspicious file at it and in a matter of minutes Cuckoo will provide a detailed report outlining the behavior of the file when executed inside a realistic but isolated environment.

Malware is the Swiss-army knife of cybercriminals and of any other adversary to your corporation or organization. In these evolving times, detecting and removing malware artifacts is not enough: it's vitally important to understand how they operate in order to understand the context, the motivations, and the goals of a breach. Cuckoo Sandbox is free software that automates the task of analyzing any malicious file under Windows, macOS, Linux, and Android.

Due to Cuckoo's open source nature and extensive modular design, one may customize any aspect of the analysis environment, analysis results processing, and reporting stage. Cuckoo provides you all the requirements to easily integrate the sandbox into your existing framework and backend in the way you want, with the format you want, and all of that without licensing requirements.

What is Cuckoo? What can it do? By default it is able to: analyze many different malicious files (executables, office documents, PDF files, emails, etc.) as well as malicious websites under Windows, Linux, macOS, and Android virtualized environments.


Trace API calls and the general behavior of the file and distill this into high-level information and signatures comprehensible by anyone. Perform advanced memory analysis of the infected virtualized system through Volatility, as well as at process-memory granularity using YARA.

Please, keep posting. I see, thanks for the explanation. And many thanks for the great work; I am spending about two days with your tutorials and reading articles.


We did use xpsp2 as the host machine, if that's your question. VBox runs well on Win7 64-bit and Linux Ubuntu, as we tested. The image itself must be xpsp2. Hi guys. Do you know if it is true that some kinds of malware detect that they are running on a VM platform and just don't do anything? Theoretically it's very easy to do so. Malware could simply do an examination of the running processes in the system and would be able to know.

Can I use all three as a VMware virtual machine? I mean the XP host machine you are describing: can we use it as a virtual machine? Sorry to disturb you again. Last time I tried, it does not work in VBox 4. You can make an experiment though. Hi, OffensiveComputer. Even their Twitter is down. Any suggestions on how to get around this issue? Fu for such an excellent resource!!

I look forward to going through this over the weekend. You got to check the MD5 checksum and see if this is the right version.

Screen 2: Captured packets after selecting interface.

Step 2: Now we will see a whole lot of packets being captured, so let's first sort the output we are getting and customise the results by adding columns such as source port, destination port, etc. To do that, right-click on the column heading and select Column Preferences.

Malicious Network Traffic Analysis with Wireshark

Screen 3: Clicking on the Edit Column option. Step 3: Now add two columns named Source port and Destination port, and select the type as Src port (resolved) and Dest port (resolved) respectively. Drag them so they are aligned with the source IP and destination IP, which makes it more convenient to identify which port was used by which IP address. You can even remove a column if it is not needed by simply unchecking it.

Click on OK. Screen 5: Final column preferences. Step 4: Change the time display format in order to identify the timestamp of the file flowing over the network. Screen 6: Selecting Time Display Format. After doing this you will see a new column named Host. Now we want to see the requests made through HTTP, so for that we need to apply a filter. Click on Close. We can now analyse all the HTTP traffic, but we also need to check for objects or files transmitted.

Step 8: Select the object you want to download; in our example I am going to export the files which were downloaded on the system. Screen: Exporting the object to the Desktop for analysis. Now that we have the file, we can either check it with our anti-malware or navigate ourselves to VirusTotal. Step 9: Upload the file to VirusTotal. Screen: Results found by the calculated hash of that file. For further knowledge of its behaviour you can head to the Behavior tab.

Up to this point we have gone through the most complex part of our tutorial, which seems easy now; let's head towards finding the other IOCs which we discussed earlier. Determining the hostname of the infected website: in the earlier steps, we added a Host column to the column bar, which provides the hostname or domain. Select the packet and you will see the Host which provided the file.


Determining the internal computer which downloaded the file: just below the selected request in the sequence, we see something happening on port 80, which is that application file. The destination in this case will be the infected computer and the source will be the domain from where it was downloaded. Screen 15: Application downloaded on IP . The last thing we need to find out about the infected machine is its MAC address, so have a close look at the Packet Details pane below the summary pane and click on Ethernet II, where you will see Src: and Dst:.


Finally, we have found the major IOC elements with the help of Wireshark. For further learning, I have uploaded the file here so that you can perform these operations on this saved pcap file.

Wireshark is a great tool, but its default column display doesn't work effectively for the type of analysis I normally do. Most people will change their columns from the default configuration. This guide shows how I change the columns in my Wireshark setup. From the Wireshark Preferences menu, select Columns. From there, we're going to remove the first column, "Number", which lists the number of the packet you're currently viewing in the pcap.

The first new column to add is the source port. You'll want to select Src port unresolved so you can see the port number. Otherwise, it'll show whatever server is associated with that port instead of the number. The default name of any new columns is "New Column", so change the name of that new column.


Once you've changed the name, you can left-click and drag that column to the location you choose. We'll put it after the Source address.

After a few additions and column changes, here's the setup that I use. Notice how the Source and Destination addresses are changed to an "unresolved" field type. Now let's fix the time. The default format is "Seconds Since Beginning of Capture". Let's change it to "Date and Time of Day". Some of the columns are aligned to the right, which we can fix by right-clicking on the column and selecting the proper alignment.

Now we have everything, but I also want to see the http. To do that, let's filter on http. Right-click on that, and select "Apply as Column" from the menu. You might have to widen the column to see the whole name.

This setup for Wireshark is extremely useful when looking at HTTP traffic and figuring out an infection chain. I recommend that anyone going through the training exercises use this configuration.