Introduction
Welcome back! Today, we’re diving into a practical case study to examine and comprehend the sinister operations of malware, utilizing the dynamic capabilities of Wireshark. Our focus will be on analyzing the “Email Roulette” traffic analysis exercise from malware-traffic-analysis.net.
For those who are keen to participate actively with their own setups, you’re encouraged to download the PCAP (Packet CAPture) and email files for the “Email Roulette” exercise. This exercise is one of many that simulate real-world situations available at malware-traffic-analysis.net. Access the necessary files for this exercise at this link.
Cautionary Notice: Analyze Malicious Network Traffic in a Secure Environment
Malicious PCAP files can include payloads that, if executed, could compromise your system. They may contain exploits that target vulnerabilities in network analysis software or the operating system itself. Even a simple act of opening a file, if not done cautiously, could trigger an infection on the host system where the analysis is being performed.
When delving into the world of network analysis, particularly when examining PCAP files that may contain malicious data, it’s crucial to prioritize operational security. Wireshark is a potent tool for such analysis, but it does not inherently protect you from the dangers that may lurk within the data it helps you scrutinize.
The Scenario: Email Roulette
In this session, we will delve into the “Email Roulette” scenario. Our objective is to scrutinize a segment of network traffic, which is believed to harbor signs of a cyber attack after the email spam filter went down. We will also need to review the emails to determine what email was used to infect the computer.
During the course of my analysis, I will address the questions listed on the scenario’s webpage:
- Date and approximate time of the infection.
- The infected computer’s IP address.
- The infected computer’s MAC address.
- The infected computer’s host name.
- Which email the employee opened.
Analysis
The initial step of the analysis is to open the PCAP file in Wireshark and examine the .eml email files.
The First Email:
The Second Email:
The Third Email:
The Fourth Email:
We can extract the attachments within the emails with the munpack package using the munpack [file] command. The extracted files are saved in the same directory as the email files.
We can now examine each of the email attachments to determine if they are malicious and were opened by the user.
The First Email
After extracting the file we end up with a “dawningXwallXup.zip” file, which we can extract further to obtain a “460630672421.exe” file. This executable needs to be examined further to determine whether it is malicious and what its critical attributes are. The first step is to examine the file in VirusTotal, AnyRun, and Hybrid Analysis.
The results from these analysis tools reveal that we’re dealing with a harmful Upatre Trojan, specifically engineered to target Windows machines. Nevertheless, this doesn’t necessarily indicate that the virus has infected the computer or network. To ascertain this, we’ll need to employ Wireshark along with various virus analysis websites for a thorough determination.
The AnyRun analysis tool’s connections tab can be utilized to identify the IP addresses to which the malware tries to establish connections.
We can see that the 172[.]67[.]9[.]138 and 197[.]149[.]90[.]166 IP addresses are considered untrusted and malicious. We will now analyze our PCAP file in Wireshark to determine if there was any traffic to either of those IP addresses.
After the analysis it is determined that this malware was not run on this machine because no connections were made to either of those IP addresses. At this time there is no indication that the user ran the malicious file from the first email.
The Second Email
Upon retrieving the file from the email, we obtain a file named “BillXPayment_000010818.xls” which requires further scrutiny. We can employ the same suite of analysis tool websites that we used previously for this examination.
Once again, the outcomes from these tools indicate that this file is malevolent; it is specifically a macro-enabled Excel file. This Excel file is designed to download additional malicious files through its embedded VBA code. However, it’s important to note that this doesn’t automatically imply that the virus was executed on the system or network.
From Hybrid Analysis we can determine that this Excel file makes a DNS request for advancedgroup[.]net[.]au, and VirusTotal lists the corresponding IP address 182[.]160[.]158[.]62.
When we attempt to locate that IP address in Wireshark, though, there are zero results. That means that this virus was likely not run on the system or network.
The Third Email
After extracting the file for this email, we end up with a html file. In a safe environment we can open this file to determine what it is.
We can identify this webpage as a phishing attempt to gain access to an American Express account by harvesting sensitive account details. Upon entering the details, the information is sent to a server and the user is forwarded to an unrelated website.
This can’t be the malware on the system and network because no malware is used to infect the machine. This is a phishing email attempting to obtain critical information.
The Fourth Email
The final attachment to extract is the “fax000497762.zip” file, which gives us a “fax000497762.doc.js” file when extracted. Similar to the previous files, we will employ the same set of tools to scrutinize this file for any malicious characteristics.
From the analysis conducted on those websites we can see that this is a malicious file. We can also see that there are some important URLs that need to be examined further.
When we look for these URLs within Wireshark we can see that kennedy[.]sitoserver[.]com was accessed on November 6, 2015 at 10:22pm. That means that the user opened the fourth email and ran the malware associated with it. We were unable to confirm this through the IP address, because the domain’s IP address has changed since 2015 and no longer matches the one listed on the analysis website for that time.
Address the Scenario Questions
Now we have all of the information needed to answer the questions provided at the beginning of this scenario.
- Date and approximate time of the infection.
  - November 6, 2015 at 10:22pm
- The infected computer’s IP address.
  - 10.3.66.103
- The infected computer’s MAC address.
  - 00:24:e8:2d:90:81 (Dell_2d:90:81)
- The infected computer’s host name.
  - STROUT-PC
  - I found this answer by sorting through NetBIOS (nbns) traffic in Wireshark.
- Which email the employee opened.
  - The employee opened the fourth email, the email with the subject line of “You have received a new fax, document 000497762”
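The two checks repeated throughout the analysis, “did any frame touch one of the sandbox-reported IP addresses?” (the Wireshark ip.addr filter) and “which MAC address sent the frames from the infected host’s IP?” (ip.src plus the Ethernet source), can be scripted over a PCAP with nothing but the Python standard library. The example below is added here and is not part of the original post; it parses the classic libpcap format with Ethernet framing only, and the capture it scans is a constructed three-packet sample (the host IP, MAC and watchlist IPs are the values named in the post, 192.0.2.10 and 00:00:5e:00:53:01 are documentation addresses used as a benign peer).

```python
import struct

# Constructed sample capture, not the exercise PCAP. MAC/IP values of the host
# and the watchlist come from the post; the peer uses documentation addresses.
HOST_MAC = bytes.fromhex("0024e82d9081")   # 00:24:e8:2d:90:81
PEER_MAC = bytes.fromhex("00005e005301")   # 00:00:5e:00:53:01

def _ipv4_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Build a minimal Ethernet/IPv4/UDP frame (checksums left zero)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, src, dst)
    udp = struct.pack("!HHHH", 49152, 53, 8, 0)
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + udp

def _pcap(frames):
    """Wrap frames in a little-endian libpcap file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = _pcap([
    _ipv4_frame(HOST_MAC, PEER_MAC, "10.3.66.103", "192.0.2.10"),
    _ipv4_frame(PEER_MAC, HOST_MAC, "192.0.2.10", "10.3.66.103"),
    _ipv4_frame(HOST_MAC, PEER_MAC, "10.3.66.103", "197.149.90.166"),
])

def ipv4_packets(pcap):
    """Yield (src_mac, src_ip, dst_ip) for every Ethernet/IPv4 record."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # microsecond pcap only
    pos = 24                                        # skip the global header
    while pos + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                # not IPv4, skip it
        src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
        src_ip = ".".join(str(b) for b in frame[26:30])
        dst_ip = ".".join(str(b) for b in frame[30:34])
        yield src_mac, src_ip, dst_ip

def watchlist_hits(pcap, watchlist):
    """Watchlist IPs seen as source or destination (like 'ip.addr == x')."""
    return {ip for _, s, d in ipv4_packets(pcap) for ip in (s, d) if ip in watchlist}

def mac_for_ip(pcap, ip):
    """MAC addresses that sent frames from this IP (like 'ip.src == x')."""
    return {m for m, s, _ in ipv4_packets(pcap) if s == ip}
```

In the post’s exercise the first two watchlists return nothing, which is the evidence that the Upatre and Excel samples never ran; the sample here deliberately includes one hit so both outcomes are visible.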
Conclusion
As we wrap up our exploration into malware traffic analysis using Wireshark, we take a moment to appreciate the valuable knowledge acquired. Through a detailed analysis of the “Email Roulette” scenario from malware-traffic-analysis.net, we traversed complex network traffic and unraveled the hidden cues of cyber threats. From identifying initial signs of malicious activity to uncovering a dangerous Trojan, each step highlighted the importance of traffic analysis in fortifying cybersecurity defenses.
The realm of network traffic and malware analysis is both intricate and essential. If you have any queries, or if certain parts of this walkthrough need more clarity, feel free to post a comment below. Whether it’s a particular aspect of the Wireshark process, an anomaly in the data you’re unsure about, or a general question on cybersecurity, I’m here to help.
Please leave your questions or feedback in the comments, and I will respond as promptly as possible. By sharing knowledge and insights, we can strengthen our community, better equipped to face the cybersecurity challenges of the present and future.