Introduction
Welcome back! Today, we dive into a detailed examination of malware intricacies using Wireshark’s insightful capabilities. Our focus will be on analyzing the “Cold as Ice: IcedID” traffic analysis scenario presented by malware-traffic-analysis.net.
For those keen on a hands-on experience using their own setup, you’re encouraged to download the PCAP file designated for the “Cold as Ice: IcedID” case. This exercise is just one of the many authentic simulations available at malware-traffic-analysis.net (https://malware-traffic-analysis.net/). Access and download the necessary files for this specific investigation through the link provided (https://unit42.paloaltonetworks.com/wireshark-quiz-icedid/).
Critical Alert: Safely Analyze Malicious Network Traffic in a Secure Environment
Understanding the risks associated with PCAP files filled with malicious content is crucial, as these files may contain payloads that pose a threat to your system’s security. Simply opening a file without the appropriate safeguards could inadvertently trigger an infection on the device being used for analysis.
When it comes to network analysis, particularly the examination of PCAP files that may contain dangerous data, maintaining a high level of operational security is paramount. Although Wireshark is a powerful instrument for conducting such analysis, it’s important to bear in mind that it does not offer automatic protection against the hidden threats within the data you’re investigating.
The Scenario: Cold as Ice (IcedID)
In this section, we focus on the IcedID scenario, a compelling and intricate case. IcedID is a type of malware recognized for its proficiency in stealing information, encompassing the acquisition of sensitive data such as passwords, browser history, and cryptocurrency details from compromised systems. It frequently disseminates through deceptive tactics like phishing emails or tainted software downloads. Our goal in this analysis is to examine network traffic related to this malware to discern its actions and pinpoint possible routes of infection.
In our investigation of the IcedID scenario using Wireshark, we are equipped with crucial details that will greatly enhance our analysis.
Local Area Network (LAN) Details:
- LAN segment range: 10.4.19[.]0/24 (10.4.19[.]1 through 10.4.19[.]255)
- Domain: boogienights[.]live
- Domain controller IP address: 10.4.19[.]19
- Domain controller hostname: WIN-GP4JHCK2JMV
- LAN segment gateway: 10.4.19[.]1
- LAN segment broadcast address: 10.4.19[.]255
During the course of my analysis, I will address the questions listed on the scenario’s webpage:
- What is the date and time in UTC the infection started?
- What is the IP address of the infected Windows client?
- What is the MAC address of the infected Windows client?
- What is the hostname of the infected Windows client?
- What is the user account name from the infected Windows host?
- Is there any follow-up activity from other malware?
Additional Information About IcedID
Introduction to IcedID Malware
IcedID, a significant player in the realm of cyber threats, has emerged as a formidable challenge to cybersecurity. It’s engineered to stealthily penetrate systems and harvest sensitive information. The core functionality of IcedID revolves around its capacity to pilfer personal and financial details, representing a profound threat to individuals and organizations alike. Its influence is amplified by its ongoing development, positioning it as a continual obstacle for cybersecurity defenses.
How IcedID Operates and its Impact
IcedID utilizes a variety of entry tactics, including phishing campaigns and the exploitation of software vulnerabilities. Once it breaches a system, it methodically siphons an extensive array of data, from login information and financial records to system settings and web browser details such as cookies and history. The particularly covert nature of IcedID allows it to evade traditional detection techniques. This obscurity not only facilitates widespread data theft but also hinders efforts to identify and disarm the malware.
Preventive Measures and Future Outlook
In addressing IcedID, adopting a range of preventative strategies is essential. This encompasses educating individuals about phishing strategies, maintaining software updates to close security loopholes, and deploying effective antivirus and anti-malware tools. As we look to the future, malware like IcedID is anticipated to advance, introducing new cybersecurity challenges. Foreseeing these developments and adjusting protective measures accordingly will be critical in reducing the hazards presented by such advanced malware.
The Analysis
To kick off the analysis, I'll start by assigning resolved host names to the IP addresses we already know, using Wireshark's name resolution. This makes the packet list easier to read as the investigation progresses. The first and only change I'll implement at this stage is to the domain controller: I'll label 10.4.19.19 with the resolved host name "Domain Controller," as depicted in the image below. This initial step makes traffic to and from the domain controller easy to recognise throughout the analysis.
After setting up the initial parameters, the subsequent phase of the investigation involves meticulously examining the traffic for indications of any anomalous or suspicious activities. Within Wireshark, one highly efficient filter to aid in this endeavor is “tcp.flags.syn == 1.” This specific filter is instrumental in identifying the initiation of TCP connections, a common indicator of network communication attempts that could signify suspicious behavior.
Description of the “tcp.flags.syn == 1” Filter:
- TCP Flags: TCP, or Transmission Control Protocol, uses various flags to manage the state of network communications. These flags are integral parts of the TCP header in each packet.
- SYN Flag: The SYN flag, short for “Synchronize,” is used to initiate a TCP connection. It’s the first step in the three-way handshake process, which is essential for establishing a TCP/IP connection.
- Filter Function: When you apply the filter “tcp.flags.syn == 1” in Wireshark, it filters out all TCP packets except those with the SYN flag set. Essentially, this displays only the packets that are attempting to initiate a new TCP connection.
- Investigation Relevance: This filter is particularly useful in malware traffic analysis, as it helps to identify attempts to establish new connections, which could indicate communication with command and control servers, data exfiltration attempts, or unauthorized access attempts.
By applying this filter, we direct our attention to the initiation phases of TCP connections, potentially revealing the early actions of malicious communications or attempts at unauthorized network access. Such activities are frequently observed in malware operations, including those related to IcedID. This focus on the beginning stages of communication helps in identifying and analyzing the tactics used by malware to establish a foothold or communicate with command and control servers, crucial for understanding the scope and method of an attack.
With the refined filter in place, concentrating solely on packets that initiate TCP connections simplifies the process of spotting suspicious domains within these packets. This targeted approach allows for a more efficient identification of potentially malicious traffic, laying the groundwork for further investigation into the domains involved in these initial connection attempts. Such scrutiny is essential for uncovering the infrastructure used by threats like IcedID and for taking the first steps towards mitigating their impact.
Investigating the suspicious domains and IP addresses pinpointed in our Wireshark analysis stands as a pivotal next action. To accomplish this, we can leverage a variety of trusted online resources that offer comprehensive details about potentially harmful web entities. Here’s our plan of action:
- VirusTotal: VirusTotal provides an extensive examination of files and URLs to identify different forms of malware. By submitting the questionable domains or IP addresses to VirusTotal, we can obtain detailed reports on any recognized malicious activities linked to them. This includes information on whether they have been involved in hosting malware, conducting phishing attempts, or engaging in other security threats. This tool aggregates data from multiple antivirus engines, domain and IP reputation databases, and user-contributed content, offering a wide-angle view on the security status of the analyzed entities, making it an invaluable resource for our investigation into suspicious online activities.
- Cisco Talos: Cisco Talos, renowned for its cybersecurity intelligence, provides valuable insights into the reputation and associated risks of IP addresses and domains. By comparing our suspicious entities against Cisco Talos’ extensive database, we can gauge their credibility and uncover any documented security concerns. This process allows us to assess the potential threat level of these entities based on Talos’ in-depth analysis of internet traffic, vulnerabilities, and threats. Their comprehensive security assessments and threat intelligence reports make Cisco Talos an essential resource for understanding the security implications of the domains and IP addresses identified in our investigation.
- Open-Source Intelligence (GitHub): This repository is a rich source of information on Indicators of Compromise (IoCs) specific to the IcedID malware. It encompasses a wide range of data that can be crucial for identifying and understanding the characteristics, mechanisms, and network behaviors associated with IcedID. Such repositories are invaluable for cybersecurity professionals and researchers, providing detailed insights that aid in the detection, analysis, and mitigation of threats posed by this sophisticated malware. Access to this data enables the development of more effective defense strategies and enhances the ability to respond promptly and efficiently to potential IcedID infections.
The first Indicator of Compromise (IoC) we’ll examine is the domain skigimmtroc[.]com, which corresponds to the IP address 192[.]153[.]57[.]233.
The second Indicator of Compromise (IoC) in our investigation is the domain spakernakurs[.]com, associated with the IP address 104[.]168[.]53[.]18.
The third Indicator of Compromise (IoC) in our investigation is the domain skansnekssky[.]com, associated with the IP address 217[.]199[.]121[.]56.
The final Indicator of Compromise (IoC) in our investigation is the IP address 80[.]77[.]25[.]175.
Utilizing these tools empowers us to expand our investigation, confirm our concerns, and possibly reveal the full scope and severity of the threat these domains and IP addresses represent. Such a detailed and methodical strategy is essential for gaining a complete grasp of the cybersecurity challenges at hand.
A considerable number of Indicators of Compromise (IoCs) connected to this IcedID malware infection were identified. Below is the list of all the IoCs that were pinpointed:
- skigimmtroc[.]com
- 192[.]153[.]57[.]233
- spakernakurs[.]com
- 104[.]168[.]53[.]18
- skansnekssky[.]com
- 217[.]199[.]121[.]56
- 80[.]77[.]25[.]175
Now that the malicious nature of the identified IoCs has been confirmed, we are positioned to tackle the initial queries that prompted our investigation.
Question 1
Determining the precise date and time in UTC of when the infection commenced is pivotal in comprehending the extent and ramifications of the malware incident. To unearth this data, an in-depth analysis of the network traffic captured during our Wireshark investigation is essential, with a special emphasis on the interactions involving the identified malicious Indicators of Compromise (IoCs):
- skigimmtroc[.]com
- 192[.]153[.]57[.]233
- spakernakurs[.]com
- 104[.]168[.]53[.]18
- skansnekssky[.]com
- 217[.]199[.]121[.]56
- 80[.]77[.]25[.]175
By scrutinizing the first occurrences of traffic to or from these domains and IP addresses, we can pinpoint the initial moments of the malware's network activity. This involves filtering the captured data for communications with these specific IoCs and analyzing the timestamps of these interactions. The filter that we will use for this purpose is "ip.addr == 192.153.57.233 || ip.addr == 104.168.53.18 || ip.addr == 217.199.121.56 || ip.addr == 80.77.25.175".
The first TCP SYN packet that matches this filter marks the moment the malware opens a connection to a Command and Control (C2) server, which gives us the infection's start time in UTC.
From the analysis, the onset of the infection has been accurately determined to occur on April 19, 2023, at 15:31:07.87 UTC.
Question 2
The second question in our investigation has led us to identify the IP address of the infected Windows client. Within the analysis of the previously mentioned packet, the IP address of the Windows client showing signs of infection has been pinpointed as 10.4.19.136. This discovery is crucial as it allows us to further isolate and scrutinize the activities of the infected machine within the network traffic.
Question 3
The third query in our investigative process involves pinpointing the MAC address of the compromised Windows client. By examining the original packet capture image, we have been able to extract this information, identifying the MAC address as 14:58:d0:2e:c5:ae. The MAC address, which is unique to every network interface, provides a vital piece of information for identifying the physical device on the network that was compromised.
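The three steps used for Questions 1 to 3 (the "tcp.flags.syn == 1" filter, the "ip.addr == ..." chain over the IoC addresses, and reading the client's IP and MAC from the first matching SYN) can be reproduced outside Wireshark. The Python below is an added example, not code from the original post or from the exercise: it builds a small pcap in memory from constructed frames that mirror the scenario's values (client 10.4.19.136 with MAC 14:58:d0:2e:c5:ae, a SYN to 192.153.57.233 at 15:31:07.87 UTC, the server's SYN-ACK, an earlier benign SYN to the domain controller and a later SYN to 104.168.53.18), parses it with the standard library and applies the same filter logic. The peer MAC, ports and frame spacing are assumptions. It also shows a caveat worth knowing: "tcp.flags.syn == 1" matches the server's SYN-ACK as well as the client's SYN, so adding "tcp.flags.ack == 0" keeps only client-initiated connection attempts.

```python
"""Reproduce the display filters used for Q1-Q3 over a small constructed pcap.
Added example; not the exercise's capture. Frames mirror the scenario's values."""
import struct
from datetime import datetime, timedelta, timezone

SYN, ACK = 0x02, 0x10

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def tcp_frame(ts, src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    """Ethernet/IPv4/TCP frame with no payload; checksums left at zero (constructed)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    return ts, eth + ip + tcp

def build_pcap(frames):
    """Classic libpcap file: 24-byte global header, then a 16-byte header per record."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for ts, data in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out

def parse_pcap(blob):
    """Yield one dict per Ethernet/IPv4/TCP packet, keyed like the Wireshark fields used here."""
    pos = 24
    while pos < len(blob):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", blob, pos)
        pos += 16
        data = blob[pos:pos + caplen]
        pos += caplen
        if data[12:14] != b"\x08\x00" or data[23] != 6:   # IPv4 carrying TCP only
            continue
        ihl = (data[14] & 0x0F) * 4
        ip_hdr, tcp_hdr = data[14:14 + ihl], data[14 + ihl:14 + ihl + 20]
        sport, dport = struct.unpack_from("!HH", tcp_hdr)
        yield {
            "frame.time": datetime.fromtimestamp(sec, tz=timezone.utc) + timedelta(microseconds=usec),
            "eth.src": data[6:12].hex(":"), "eth.dst": data[0:6].hex(":"),
            "ip.src": ".".join(map(str, ip_hdr[12:16])), "ip.dst": ".".join(map(str, ip_hdr[16:20])),
            "tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags": tcp_hdr[13],
        }

def tcp_flags_syn(pkts, client_initiated_only=False):
    """`tcp.flags.syn == 1`; note that it also matches the server's SYN-ACK.
    client_initiated_only adds `&& tcp.flags.ack == 0`, keeping only the opening SYN."""
    for p in pkts:
        if p["tcp.flags"] & SYN and not (client_initiated_only and p["tcp.flags"] & ACK):
            yield p

def ip_addr_any(pkts, addrs):
    """`ip.addr == a || ip.addr == b ...`: ip.addr matches source or destination."""
    return (p for p in pkts if p["ip.src"] in addrs or p["ip.dst"] in addrs)

def first_contact(blob, iocs):
    """Q1-Q3: the first client-initiated SYN toward any IoC gives the start time (UTC),
    the infected client's IP (ip.src) and its MAC (eth.src)."""
    for p in tcp_flags_syn(ip_addr_any(parse_pcap(blob), iocs), client_initiated_only=True):
        return {"started_utc": p["frame.time"].strftime("%Y-%m-%d %H:%M:%S.%f")[:-4],
                "client_ip": p["ip.src"], "client_mac": p["eth.src"],
                "c2": f'{p["ip.dst"]}:{p["tcp.dstport"]}'}
    return None

# Constructed sample mirroring the scenario: client, IoC addresses and start time come from
# the post; the peer MAC, ports and frame spacing are assumptions.
IOCS = {"192.153.57.233", "104.168.53.18", "217.199.121.56", "80.77.25.175"}
CLIENT_MAC, CLIENT_IP, PEER_MAC = "14:58:d0:2e:c5:ae", "10.4.19.136", "00:11:22:33:44:55"
T0 = datetime(2023, 4, 19, 15, 31, 7, 870000, tzinfo=timezone.utc).timestamp()
SAMPLE_PCAP = build_pcap([
    tcp_frame(T0 - 90, CLIENT_MAC, PEER_MAC, CLIENT_IP, "10.4.19.19", 50001, 445, SYN),   # domain controller, benign
    tcp_frame(T0, CLIENT_MAC, PEER_MAC, CLIENT_IP, "192.153.57.233", 50002, 443, SYN),    # first C2 contact
    tcp_frame(T0 + 0.12, PEER_MAC, CLIENT_MAC, "192.153.57.233", CLIENT_IP, 443, 50002, SYN | ACK),
    tcp_frame(T0 + 3600, CLIENT_MAC, PEER_MAC, CLIENT_IP, "104.168.53.18", 50003, 443, SYN),
])

if __name__ == "__main__":
    print("tcp.flags.syn == 1 hits:", len(list(tcp_flags_syn(parse_pcap(SAMPLE_PCAP)))))
    print(first_contact(SAMPLE_PCAP, IOCS))
```

Running the script on the sample shows four hits for the bare SYN filter (the SYN-ACK is one of them) and three when the ACK clause is added; the first IoC contact is the SYN to 192.153.57.233:443, from which the start time, client IP and client MAC are read directly.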
Question 4
The subsequent stage of our investigation requires the identification of the hostname of the compromised Windows client. To facilitate this task in Wireshark, an effective filter is "dhcp || nbns || http.accept_language || kerberos.CNameString || ip contains 'DESKTOP-'". This filter combines several protocols that carry the hostname on the wire.
Description of the "dhcp || nbns || http.accept_language || kerberos.CNameString || ip contains 'DESKTOP-'" Filter:
- DHCP and NBNS: DHCP (Dynamic Host Configuration Protocol) and NBNS (NetBIOS Name Service) are crucial for network configuration and name resolution. Filtering for these protocols can reveal dynamic IP assignments and machine names within the network.
- HTTP Accept-Language: This part of the HTTP header specifies the client’s preferred languages. Monitoring this can provide insights into the locale settings of the network clients, which could be relevant in an investigation.
- Kerberos CNameString: Kerberos, a network authentication protocol, plays a significant role in secure communication within Windows environments. The CNameString in Kerberos tickets represents the client principal name. Filtering for this can help identify user accounts involved in network authentication processes.
- IP Contains 'DESKTOP-': This filter component matches any packet whose IP payload or header contains the given byte string anywhere. It is particularly useful for pinpointing hostnames that follow a certain naming convention, such as those beginning with 'DESKTOP-'. Note that "contains" is a case-sensitive byte comparison, so the string must match the case in which the name appears on the wire.
The hostname for the compromised Windows client has been successfully identified as DESKTOP-SFF9LJF.
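To see why the hostname filter needs protocol clauses next to the "ip contains" clause, here is an added Python example (not from the original post) that builds a DHCP Request carrying Option 12 (Host Name) and an NBNS name-registration request for DESKTOP-SFF9LJF, both constructed, then checks each payload the way "ip contains 'DESKTOP-'" does, as a byte-string search over the packet. DHCP carries the name in plain ASCII and matches; NBNS carries it in first-level encoding (RFC 1001, section 14.1), so the same search misses it even though the name is present, which is why the nbns clause is needed. The transaction IDs are assumptions; the MAC is the client MAC from the post.

```python
"""Where a Windows hostname shows up on the wire (DHCP Option 12 vs. NBNS) and what a
byte-string search such as `ip contains "DESKTOP-"` sees. Added example; payloads are constructed."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"

def nbns_encode(name, suffix=0x00):
    """NetBIOS first-level encoding (RFC 1001, section 14.1): pad the name with spaces to 15
    bytes, append the 1-byte suffix, then write each nibble as 'A' + nibble (32 chars total)."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def nbns_decode(encoded):
    """Inverse of nbns_encode; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def build_nbns_registration(name, txid=0x8001):
    """NBNS name-registration request: 12-byte header + one question with the encoded name.
    Flags 0x2910 = opcode 5 (registration), recursion desired, broadcast."""
    header = struct.pack("!HHHHHH", txid, 0x2910, 1, 0, 0, 1)
    question = b"\x20" + nbns_encode(name) + b"\x00" + struct.pack("!HH", 0x0020, 0x0001)
    return header + question

def build_dhcp_request(hostname, mac, txid=0x1234ABCD):
    """BOOTP fixed part (236 bytes) + magic cookie + options 53 (Request), 12 (Host Name), 255 (End)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, txid, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4), chaddr, bytes(64), bytes(128))
    opts = b"\x35\x01\x03" + b"\x0c" + bytes([len(hostname)]) + hostname.encode("ascii") + b"\xff"
    return fixed + DHCP_MAGIC + opts

def dhcp_options(payload):
    """Parse the DHCP option area into {code: value}."""
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def nbns_question_name(payload):
    """Decoded name from the first question of an NBNS packet (label length 0x20 = 32)."""
    if payload[12] != 0x20:
        raise ValueError("unexpected NBNS label length")
    return nbns_decode(payload[13:45])[0]

def ip_contains(payload, needle):
    """Wireshark's `contains` is a case-sensitive byte search over the whole packet."""
    return needle.encode("ascii") in payload

if __name__ == "__main__":
    dhcp = build_dhcp_request("DESKTOP-SFF9LJF", "14:58:d0:2e:c5:ae")
    nbns = build_nbns_registration("DESKTOP-SFF9LJF")
    print("DHCP option 12:", dhcp_options(dhcp)[12], "contains DESKTOP-:", ip_contains(dhcp, "DESKTOP-"))
    print("NBNS name:", nbns_question_name(nbns), "contains DESKTOP-:", ip_contains(nbns, "DESKTOP-"))
```

The DHCP payload matches the string search while the NBNS payload does not, even though both carry the same hostname; a lower-case search string ("Desktop-") matches neither.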
Question 5
The fifth query in our investigation aims to uncover the user account name associated with the infected Windows host. Utilizing the same filter as mentioned before can assist in extracting this piece of information. This filter is adept at revealing details related to network sessions and authentications, where user account names are often transmitted.
The user account name identified on the infected Windows host is csilva. This discovery is significant as it provides insight into who might have been using the compromised machine at the time of infection or whose credentials may have been exploited.
Question 6
To address the final question regarding potential follow-up activity from other malware, a comprehensive investigation into the packet traffic details is necessary. Starting from the beginning of the captured traffic allows us to construct a complete overview of the network’s interactions over time.
To closely examine the traffic associated with the malicious domains and IP addresses, applying the filter “(http.request or tls.handshake.type eq 1) and !(ssdp)” in Wireshark is a strategic approach. This filter is designed to isolate HTTP requests and TLS (Transport Layer Security) handshake initiations, which are crucial for spotting the communications between the infected host and potentially malicious servers, while excluding SSDP (Simple Service Discovery Protocol) traffic that is commonly used for network discovery and not relevant to our investigation of malicious activities.
- http.request: Captures all HTTP request packets, useful for seeing if the infected host is attempting to access or has accessed HTTP-based resources that could be malicious.
- tls.handshake.type eq 1: Handshake type 1 is the ClientHello, the first message of a TLS connection. It is sent in the clear and usually carries the requested server name (SNI), which is how the domains contacted over encrypted channels become visible. This can reveal attempts to reach C2 servers or download additional payloads over TLS.
- !(ssdp): Excludes all SSDP traffic, ensuring that the results are not cluttered with data irrelevant to the investigation of the malware’s network activities.
Utilizing this filter helps in pinpointing the exact moments and mechanisms through which the malware communicates or attempts to communicate with external servers, facilitating a deeper understanding of its operation and potential secondary payloads. By analyzing these communications, we can gain insights into the malware’s objectives, such as data exfiltration, additional malware downloads, or command and control (C2) activities, thus providing a more comprehensive view of the infection’s scope and impact.
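The filter's three clauses map onto simple checks on packet payloads. The Python below is an added example, not code from the post or from Wireshark: it constructs a minimal TLS ClientHello with an SNI extension, a ServerHello record, an HTTP GET, and an SSDP M-SEARCH (SSDP is HTTP syntax over UDP port 1900, which is why the filter excludes it), then classifies each the way the filter would and pulls out the hostname an analyst reads off the Info column. The hostnames are the post's IoCs; the request path, ports and random bytes are constructed.

```python
"""Classify packets the way `(http.request or tls.handshake.type eq 1) and !(ssdp)` does and
extract the server name from each hit. Added example; every message below is constructed."""
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"M-SEARCH ", b"NOTIFY ")

def build_client_hello(server_name):
    """Minimal TLS 1.2-style ClientHello record carrying only an SNI extension (constructed)."""
    host = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0x0000, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)          # client_version, random (zeros, constructed)
            + b"\x00"                         # session_id length
            + b"\x00\x02\xc0\x2f"             # one cipher suite
            + b"\x01\x00"                     # compression: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def build_server_hello():
    """Minimal ServerHello record (handshake type 2), constructed; only the type byte matters here."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def client_hello_sni(record):
    """Return the SNI host_name if the record is a ClientHello, else None.
    Mirrors what `tls.handshake.type eq 1` selects and what Wireshark shows as server_name."""
    if len(record) < 6 or record[0] != 0x16:      # content_type 22 = handshake
        return None
    hs = record[5:]
    if hs[0] != 0x01:                             # handshake type 1 = ClientHello
        return None
    p = 4 + 2 + 32                                # header, version, random
    p += 1 + hs[p]                                # session_id
    p += 2 + struct.unpack_from("!H", hs, p)[0]   # cipher_suites
    p += 1 + hs[p]                                # compression_methods
    if p >= len(hs):
        return None                               # no extensions at all
    end = p + 2 + struct.unpack_from("!H", hs, p)[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", hs, p)
        p += 4
        if etype == 0:
            q = p + 2                             # skip server_name_list length
            name_type, name_len = hs[q], struct.unpack_from("!H", hs, q + 1)[0]
            if name_type == 0:
                return hs[q + 3:q + 3 + name_len].decode("ascii")
        p += elen
    return None

def http_request_host(payload):
    """'METHOD path @ Host' for an HTTP-syntax request (`http.request`), else None."""
    if not payload.startswith(HTTP_METHODS):
        return None
    lines = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
    method, path = lines[0].split(b" ")[:2]
    host = next((l.split(b":", 1)[1].strip() for l in lines[1:] if l.lower().startswith(b"host:")), b"?")
    return f"{method.decode()} {path.decode()} @ {host.decode()}"

def triage(packets):
    """packets: (transport, dst_port, payload). Returns Info-column style strings for filter hits."""
    hits = []
    for transport, dport, payload in packets:
        if transport == "udp" and dport == 1900:    # !(ssdp): SSDP would otherwise match http.request
            continue
        req = http_request_host(payload)
        if req:
            hits.append("http.request  " + req)
            continue
        sni = client_hello_sni(payload)
        if sni:
            hits.append("tls ClientHello  SNI=" + sni)
    return hits

# Constructed sample: IoC hostnames from the post; path, ports and SSDP text are assumptions.
SAMPLE = [
    ("udp", 1900, b"M-SEARCH * HTTP/1.1\r\nHost: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n\r\n"),
    ("tcp", 80, b"GET / HTTP/1.1\r\nHost: 80.77.25.175\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("tcp", 443, build_client_hello("skigimmtroc.com")),
    ("tcp", 443, build_server_hello()),
    ("tcp", 443, build_client_hello("spakernakurs.com")),
]

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

The ServerHello is dropped because its handshake type is 2, and the SSDP M-SEARCH is dropped by the port check even though it is syntactically an HTTP request; what remains is exactly the short list of outbound requests and ClientHellos an analyst walks through for this question.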
This analysis brings us back to the Indicator of Compromise (IoC) 80.77.25.175. Following the TCP stream associated with this IP address reveals a significant event: a 302 redirect to a website involved in the distribution of a suspicious file named "Scan_Inv.zip". This introduces another IoC, a URL leading to a file hosted on Firebase Storage: hxxps[:]//firebasestorage[.]googleapis[.]com/v0/b/serene-cathode-377701[.]appspot[.]com/o/XSjwp6O0pq%2FScan_Inv.zip?alt=media&token=a716bdce-1373-44ed-ae89-fdabafa31c61.
This finding is particularly noteworthy for several reasons:
- Use of Legitimate Services: The malware uses Firebase Storage, a legitimate cloud service provided by Google, to host malicious files. This tactic can help the malware evade detection by blending in with normal internet traffic and leveraging the reputation of a trusted service.
- Malicious File Distribution: The “Scan_Inv.zip” file, suggested by its name and distribution method, likely contains malicious content intended for the target to download and open, furthering the infection within the network.
- Advanced Tactics: The use of a 302 redirect indicates a level of sophistication in the malware’s distribution strategy, as it attempts to obfuscate the true source of the download and potentially bypass security measures that might block known malicious sites.
These findings underscore the importance of comprehensive network traffic analysis in identifying and understanding the multifaceted approaches used by cyber threats. The information gathered from this IoC can be crucial for further investigation, enabling cybersecurity professionals to block access to the identified malicious domain, analyze the downloaded file for malware, and enhance defenses against similar tactics in the future.
The observation of traffic to the googleapis.com website following the initial communication with 80[.]77[.]25[.]175 is significant in the context of our malware investigation. This sequence suggests that after interacting with the initially identified malicious IP, the compromised system then communicates with a service hosted on googleapis.com, in this case to retrieve the "Scan_Inv.zip" file from Firebase Storage, as indicated by the subsequent Indicator of Compromise (IoC).
On URLhaus (https://urlhaus.abuse.ch/url/2614322/), a platform dedicated to collecting and sharing data about malware URLs, you can find detailed information about malicious URLs, including their associated files. For the specific case of the “Scan_Inv.zip” file mentioned earlier, URLhaus provides valuable data such as the SHA256 hash of the zip file. This hash acts as a unique identifier for the file, enabling a precise way to track and analyze it across security platforms.
By taking the SHA256 hash provided on URLhaus and searching for it on VirusTotal (https://www.virustotal.com/gui/file/fc96c893a462660e2342febab2ad125ce1ec9a90fdf7473040b3aeb814ba7901/detection/f-fc96c89), you can access a comprehensive analysis of the file.
The analysis of the “Scan_Inv.zip” file on VirusTotal, using its SHA256 hash obtained from URLhaus, reveals that several antivirus vendors have identified the file as malicious. This consensus among multiple security vendors underscores the file’s dangerous nature, affirming its role in the malware distribution chain associated with the investigation.
The identification of connections to 104[.]168[.]53[.]28 or spakernakurs[.]com hours after the initial infection highlights ongoing malicious activity within the network. This finding is particularly concerning as it suggests that the malware is not only still active but possibly engaging in further malicious actions such as data exfiltration, downloading additional payloads, or receiving updated commands from the attackers.
The discovery of a new connection to 193[.]149[.]176[.]100, not previously identified in the early stages of the investigation, warrants further analysis to assess its role and significance in the context of the malware incident. Investigating this IP address using platforms like VirusTotal and Cisco Talos will provide valuable insights into its reputation, associated domains, and any known malicious activities.
The analysis results from VirusTotal and Cisco Talos regarding the IP address 193[.]149[.]176[.]100 reveal a nuanced view of its potential threat. With VirusTotal reporting that 12 security vendors have flagged the IP address as malicious, there is significant evidence to suggest that it has been involved in harmful activities. This level of detection underscores the importance of treating traffic to and from this IP with caution, as it likely represents a security risk.
On the other hand, Cisco Talos categorizing the sender's reputation as neutral presents a more complex picture. This can reflect several factors, such as Talos weighting more recent observations than those behind the older detections. An address that was previously used for benign purposes can be compromised or repurposed for malicious activities, and vice versa.
Based on the evidence gathered from the analysis, including the connections to known suspicious IP addresses like 104.168.53.28 or spakernakurs[.]com and the newly identified connection to 193.149.176.100, which has been flagged as malicious by multiple vendors on VirusTotal, it is reasonable to conclude that there was follow-up activity from other malware.
This follow-up activity indicates that the initial infection was likely not an isolated event but part of a broader campaign or attack that involved additional malicious payloads or actions. The presence of further malware activity could signify attempts at deeper infiltration, data exfiltration, establishing persistence within the network, or laying the groundwork for future attacks.
Conclusion
In conclusion, our journey through the intricate landscape of malware analysis with Wireshark, focusing on the “Cold as Ice: IcedID” case, has been a revealing venture into the depths of cyber threats and their operational mechanisms. This investigation has not only highlighted the critical need for robust cybersecurity measures but also showcased the power of Wireshark as an indispensable tool in the identification and analysis of malicious network activities. Our findings, including the identification of several Indicators of Compromise (IoCs) and subsequent follow-up malware activities, underscore the sophisticated nature of modern cyber threats such as IcedID and the importance of continuous vigilance and advanced security practices. By leveraging detailed network traffic analysis and utilizing resources like VirusTotal and Cisco Talos, we have been able to uncover and understand the multifaceted strategies employed by attackers, thus providing invaluable insights for cybersecurity professionals aiming to fortify their defenses against such pervasive and evolving threats.
Check out this informative infographic that illustrates the workings of this malware:
Full credit for the infographic goes to Qomplx.
Here are all the IoCs that we identified in this blog post for this specific situation of IcedID:
- Domains:
  - skigimmtroc[.]com
  - spakernakurs[.]com
  - skansnekssky[.]com
- IP Addresses:
  - 192[.]153[.]57[.]233
  - 104[.]168[.]53[.]18
  - 217[.]199[.]121[.]56
  - 193[.]149[.]176[.]100
- URL:
  - hxxps[:]//firebasestorage[.]googleapis[.]com/v0/b/serene-cathode-377701[.]appspot[.]com/o/XSjwp6O0pq%2FScan_Inv.zip?alt=media&token=a716bdce-1373-44ed-ae89-fdabafa31c61
- File Hash:
  - fc96c893a462660e2342febab2ad125ce1ec9a90fdf7473040b3aeb814ba7901
Thank you for taking the time to read through our detailed exploration of the “Cold as Ice: IcedID” malware analysis using Wireshark. I hope that this investigation has provided you with valuable insights into the complex world of cybersecurity and the importance of vigilant network monitoring.