Malicious traffic exercise: 2014-12-04-traffic-analysis-exercise

Pcap file location

https://www.malware-traffic-analysis.net/2014/12/04/2014-12-04-traffic-analysis-exercise.pcap.zip

Questions and answers

BASIC QUESTIONS

  1. What is the IP address of the Windows host that gets infected?

  2. What is the MAC address of the infected Windows host?

[screenshot]

From the screenshot above, the IP and MAC addresses of the infected Windows host are 192.168.137.62 and 00:1b:21:ca:fe:d7 respectively.

  3. What is the domain name of the compromised web site?

  4. What is the IP address of the compromised web site?

[screenshot]

From the Info column, the domain name and IP address of the compromised web site are www.earsurgery.org and 216.9.81.189 respectively.

  5. What is the domain name that delivered the exploit kit and malware payload?

  6. What is the IP address that delivered the exploit kit and malware payload?

[screenshot]

Look at the HTTP exported objects and use the content type to find suspicious domains.

[screenshot]

qwe.mvdunalterableairreport.net served a SWF file; dump it out.

[screenshot]

The simplest method is to search for it on VirusTotal (VT), which identifies it as an exploit file for CVE-2015-0311.

This confirms that the domain name and IP address that delivered the malware are qwe.mvdunalterableairreport.net and 192.99.198.158 respectively.
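The triage step above (listing HTTP objects, keying on Content-Type, then hashing the dumped file for a VT lookup) can be scripted over reassembled HTTP responses. The following is an added example, not code from the original post or from malware-traffic-analysis.net: it parses a response, checks the body's magic bytes against the declared Content-Type, and flags objects worth dumping. The sample responses, hostnames and magic-byte table are constructed for the example; the domain qwe.mvdunalterableairreport.net is taken from the writeup, but the response bodies attributed to it here are not from the pcap.

```python
import hashlib

# Magic bytes worth flagging when triaging HTTP objects from exploit-kit traffic.
# Constructed for this example; extend as needed.
MAGIC = {
    b"MZ": "PE executable",
    b"FWS": "Flash (uncompressed)",
    b"CWS": "Flash (zlib-compressed)",
    b"ZWS": "Flash (lzma-compressed)",
    b"PK\x03\x04": "ZIP archive",
}

# Content types an exploit kit typically uses to push a payload.
RISKY_TYPES = ("application/octet-stream", "application/x-shockwave-flash")


def parse_http_response(raw: bytes):
    """Split one reassembled HTTP response into (status line, headers, body).

    Header names are lower-cased; the body is cut to Content-Length when present.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return status, headers, body


def classify_body(body: bytes) -> str:
    """Return the file type implied by the leading magic bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if body.startswith(magic):
            return name
    return "unknown"


def triage_object(host: str, raw: bytes) -> dict:
    """Summarise one HTTP object like the Export Objects list does, plus
    magic-byte detection and an MD5 for a VirusTotal lookup."""
    _, headers, body = parse_http_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    kind = classify_body(body)
    return {
        "host": host,
        "content_type": ctype,
        "magic": kind,
        "size": len(body),
        "md5": hashlib.md5(body).hexdigest(),
        # A PE or SWF served under an innocent Content-Type is just as suspicious
        # as an octet-stream download, so the magic bytes are checked independently.
        "suspicious": kind != "unknown" or ctype in RISKY_TYPES,
    }


# Constructed sample responses (not captured from the exercise pcap).
SAMPLE_SWF = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/x-shockwave-flash\r\n"
    b"Content-Length: 12\r\n\r\n" + b"CWS\x0a" + b"\x00" * 8 + b"trailing junk"
)
SAMPLE_HTML = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"<html><body>hello</body></html>"
)
SAMPLE_DISGUISED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 64\r\n\r\n"
    b"MZ" + b"\x00" * 62
)


def triage_samples():
    """Run triage over the constructed samples and return the rows."""
    return [
        triage_object("qwe.mvdunalterableairreport.net", SAMPLE_SWF),
        triage_object("www.example.test", SAMPLE_HTML),
        triage_object("cdn.example.test", SAMPLE_DISGUISED),
    ]


if __name__ == "__main__":
    for row in triage_samples():
        print(row)
```

Feeding it real data means reassembling each TCP stream first (Follow TCP Stream, or tshark with the `http` filter and `-z follow`); the parser only handles one response per call and ignores chunked transfer encoding.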

MORE ADVANCED QUESTIONS

  1. What snort events (either VRT or EmergingThreats) are generated by this pcap?

ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses [2018316]
ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST [2018442]
ET CURRENT_EVENTS Angler Encoded Shellcode IE [2018954]
ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 [2019224]

  2. What is the exploit kit (EK)?

Angler EK

  3. What is the redirect URL that points to the exploit kit (EK) landing page?

  4. What is the IP address of the redirect URL that points to the exploit kit (EK) landing page?

Filter the streams one at a time and search.

[screenshot]

The page found is lifeinsidedetroit.com/02024870e4644b68814aadfbb58a75bc.php?q=e8bd3799ee8799332593b0b9caa1f426

[screenshot]

Its IP address is 173.201.198.128.

  5. Which tcp stream shows the malware payload being delivered?

[screenshot]

Content-Type: application/octet-stream means the file is delivered as a raw byte stream, which lets a file of any format be downloaded, so the TCP stream carrying the malicious payload is stream 80: tcp.stream eq 80

EXTRA QUESTIONS

  1. Extract the malware payload, deobfuscate it, and remove the shellcode at the beginning. This should give you the actual payload (a DLL file) used for the infection. What is the MD5 hash of the payload?

Dump the data in the malicious stream as raw bytes and delete the useless data at the front.

[screenshot]

Looking at the data, it appears to be XOR-encrypted; use the tool xortool to recover it.

[screenshot]

nhadR2b4 is the XOR key. Opening the output file reveals a PE file inside it; save that out.

Use a tool to check the PE type:

PE: compiler: Microsoft Visual C/C++(2003)[-]
PE: linker: Microsoft Linker(8.0)[DLL32]

MD5: f0d1ef59876e586a34eeb96c1585e910
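The recovery steps above (strip leading junk, XOR-decode with the repeating key xortool found, carve the PE out from behind the shellcode, hash it) can be done in a few lines without re-running xortool. This is an added example, not code from the original post; the key nhadR2b4 is the value the writeup reports, and the assumption that it is a repeating key matches how xortool works. The "DLL" and "shellcode" below are a constructed fixture, not the real payload, so the MD5 it prints is not the f0d1ef59... answer. Unlike a fixed-offset decode, it also tries every key phase, which handles the case where trimming bytes from the front of the dump shifted the key alignment.

```python
import hashlib

# XOR key that xortool recovered for this stream (value from the writeup).
# xortool assumes a repeating key, and so does this decoder.
KEY = b"nhadR2b4"


def xor_repeating(data: bytes, key: bytes, phase: int = 0) -> bytes:
    """XOR data with a repeating key, starting at key offset `phase`.

    `phase` matters when bytes were trimmed from the front of the dump before
    decoding: the key then no longer lines up with offset 0.
    """
    n = len(key)
    return bytes(b ^ key[(i + phase) % n] for i, b in enumerate(data))


def carve_pe(blob: bytes):
    """Return the blob from the first 'MZ' header whose e_lfanew points at a
    valid 'PE\\0\\0' signature, or None. This skips the leading shellcode and
    any stray 'MZ' bytes inside it."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = int.from_bytes(blob[pos + 0x3C:pos + 0x40], "little")
            sig = blob[pos + e_lfanew:pos + e_lfanew + 4]
            if sig == b"PE\x00\x00":
                return blob[pos:]
        pos = blob.find(b"MZ", pos + 1)
    return None


def recover_payload(stream: bytes, key: bytes = KEY):
    """Try every key phase, decode, and carve the PE. Returns (pe, phase),
    or (None, None) when no phase yields a valid PE header."""
    for phase in range(len(key)):
        pe = carve_pe(xor_repeating(stream, key, phase))
        if pe is not None:
            return pe, phase
    return None, None


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# --- constructed fixture (not the real payload from the pcap) ---
# A minimal DOS header with e_lfanew = 0x40 followed by a PE signature.
FAKE_DLL = (
    b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
    + b"PE\x00\x00" + b"\x00" * 60
)
FAKE_SHELLCODE = b"\xeb\x10" + b"\x90" * 30      # stands in for the stage-1 stub
ENCODED_STREAM = xor_repeating(FAKE_SHELLCODE + FAKE_DLL, KEY)


def demo():
    """Decode the constructed stream and return (md5 of carved PE, key phase)."""
    pe, phase = recover_payload(ENCODED_STREAM)
    return md5_hex(pe), phase


if __name__ == "__main__":
    digest, phase = demo()
    print(f"key phase {phase}, payload md5 {digest}")
```

To use it on the real dump, read the raw stream bytes from the file saved in Wireshark and pass them to recover_payload; the returned bytes start at the DOS header, which is what the MD5 in the exercise is taken over.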

  2. A Flash file was used in conjunction with the redirect URL. What URL was used to retrieve this flash file?

adstairs.ro/544b29bcd035b2dfd055f5deda91d648.swf

  3. In the traffic, we see HTTP POST requests to www.earthtools.org and www.ecb.europa.eu. Why are we seeing these HTTP POST requests?

They check whether the connection is still up; they are probably something like heartbeat packets.

  4. What web browser was used by the infected host?

Filter on the host IP 192.168.137.62 and the HTTP protocol, then follow the stream; the User-Agent header shows the browser is IE 9.0.

[screenshot]

  5. What 3 exploits were sent by the exploit kit during this infection?

As noted above there are the Flash CVE-2015-0311 exploit and the malicious DLL; searching further turns up another suspicious stream.

[screenshot]

Dump the archive contained in the stream and unzip it; it contains two files, which analysis shows to be a CVE-2013-0074 exploit.

[screenshot]


Reposted from blog.csdn.net/weixin_44001905/article/details/107823412