Wireshark Investigation: Tracing the Digital Footprint of ‘SteelCoffee’

Introduction

Welcome back! In today’s session, we’re embarking on an insightful case study to understand the malicious workings of malware through the lens of Wireshark’s advanced features. Our focus will be on the “SteelCoffee” traffic analysis exercise from malware-traffic-analysis.net.

If you’re eager to engage hands-on, feel free to download the PCAP and alert files related to the “SteelCoffee” exercise. This is one of the numerous simulated real-world scenarios you can find at malware-traffic-analysis.net. To get the files needed for this exercise, please visit the following link.

Cautionary Notice: Analyze Malicious Network Traffic in a Secure Environment

Malicious PCAP files can include payloads that, if executed, could compromise your system. They may contain exploits that target vulnerabilities in network analysis software or the operating system itself. Even a simple act of opening a file, if not done cautiously, could trigger an infection on the host system where the analysis is being performed.

When delving into the world of network analysis, particularly when examining PCAP files that may contain malicious data, it’s crucial to prioritize operational security. Wireshark is a potent tool for such analysis, but it does not inherently protect you from the dangers that may lurk within the data it helps you scrutinize.

The Scenario: SteelCoffee

The case study we’re delving into today is titled “SteelCoffee,” where our objective is to scrutinize network traffic believed to exhibit signs of a cyber attack.

For this analysis, we have gathered some valuable information that will aid us in our investigation.

LAN segment data:

  • LAN segment range:  10.0.0.0/24 (10.0.0.0 through 10.0.0.255)
  • Domain:  steelcoffee.net
  • Domain controller:  10.0.0.10 – SteelCoffee-DC
  • LAN segment gateway:  10.0.0.1
  • LAN segment broadcast address:  10.0.0.255

During the course of my analysis, I will address the questions listed on the scenario’s webpage:

  • Which two clients are Windows hosts, and what are the associated user account names?
  • Which one of these two Windows clients was infected?
  • What type of malware was that Windows client infected with?

The Analysis


The first phase of our analysis involves launching the PCAP file in Wireshark and closely reviewing the alert files that have been supplied.

From the information extracted from the alerts image, it’s clear that multiple IP addresses, ports, and alerts require investigation to determine if they have any malicious associations.

  • 119[.]31[.]234[.]40
    • Port 51132
  • 34[.]98[.]72[.]95
    • Port 57135
  • 34[.]197[.]192[.]192
    • Port 51535
  • Windows Executable Sent When Remote Host Claims to Send an Image
  • Microsoft Internet Explorer JPEG Rendering Buffer Overflow
  • Lets Encrypt Free SSL Cert Observed
  • Remote Service Control Manager Access

Question 1

We can address the fundamental queries prior to delving into the in-depth analysis.

Which two clients are Windows hosts, and what are the associated user account names?


To address this query, I’ll employ a specialized filter I’ve saved, which is tailored to identify host information within the packet capture file. The filter I will use is…

dhcp || nbns || http.accept_language || kerberos.CNameString || ip contains "DESKTOP-"

Note that the `contains` operator is a byte-exact, case-sensitive match, so the prefix has to be written in the same case as the NetBIOS names in the capture (DESKTOP-). In this particular case, here is the output that we receive:


Upon analyzing this data, we identify three distinct hosts on the network. The host with the IP address 10.0.0.202 is identified as a Linux machine, as indicated by its User-Agent String in the HTTP traffic.

The remaining two hosts on the network are identified as Windows-based systems, evidenced by their User-Agent Strings and the use of the “DESKTOP-” prefix in their identification.

The username of the two Windows machines can be found by filtering through the Kerberos CNameString information.

The Answer

  • DESKTOP-GRIONXA (10.0.0.167) – Elmer.Obrien
  • DESKTOP-C10SKPY (10.0.0.149) – Alyssa.Fitzgerald
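The same inventory can be built outside the Wireshark GUI by exporting the fields the filter surfaces and aggregating them per source IP. The script below is an added example, not code from the original write-up: it assumes the rows were produced with `tshark -T fields` (command shown in the comment, not run here) and the sample rows are constructed (IPs, hostnames and user names come from the post; the User-Agent strings are assumed). Two practical details it handles: NBNS names carry a `<xx>` suffix that must be stripped, and Kerberos CNameString values ending in `$` are machine accounts, not users.

```python
"""Build a per-IP host inventory from tshark field output (added example).

Assumed extraction command (not run here):
  tshark -r steelcoffee.pcap \
    -Y 'dhcp || nbns || http.user_agent || kerberos.CNameString' \
    -T fields -e ip.src -e dhcp.option.hostname -e nbns.name \
    -e http.user_agent -e kerberos.CNameString -E separator=/t
"""
import re
from collections import defaultdict

# Constructed sample output, one packet per line, tab-separated in the field
# order above. Empty fields are left blank exactly as tshark prints them.
FIELD_LINES = (
    "10.0.0.167\tDESKTOP-GRIONXA\t\t\t\n"
    "10.0.0.167\t\tDESKTOP-GRIONXA<00>\t\t\n"
    "10.0.0.167\t\t\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\t\n"
    "10.0.0.167\t\t\t\tDESKTOP-GRIONXA$\n"
    "10.0.0.167\t\t\t\tElmer.Obrien\n"
    "10.0.0.149\t\tDESKTOP-C10SKPY<20>\t\t\n"
    "10.0.0.149\t\t\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\t\n"
    "10.0.0.149\t\t\t\tAlyssa.Fitzgerald\n"
    "10.0.0.202\t\t\tMozilla/5.0 (X11; Linux x86_64)\t\n"
)

NBNS_SUFFIX = re.compile(r"<[0-9A-Fa-f]{2}>$")  # e.g. "<00>" workstation, "<20>" server


def parse_field_lines(text: str) -> dict:
    """Collect hostnames, user agents and account names per source IP."""
    hosts = defaultdict(lambda: {"hostnames": set(), "user_agents": set(), "users": set()})
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (5 - len(fields))  # pad short rows
        ip, dhcp_name, nbns_name, user_agent, cname = fields[:5]
        rec = hosts[ip]
        if dhcp_name:
            rec["hostnames"].add(dhcp_name.upper())
        if nbns_name:
            rec["hostnames"].add(NBNS_SUFFIX.sub("", nbns_name).upper())
        if user_agent:
            rec["user_agents"].add(user_agent)
        if cname and not cname.endswith("$"):  # "$" marks a machine account
            rec["users"].add(cname)
    return hosts


def classify_os(user_agents: set) -> str:
    """Coarse OS guess from User-Agent strings (Windows NT vs. Linux/X11)."""
    joined = " ".join(user_agents)
    if "Windows NT" in joined:
        return "Windows"
    if "Linux" in joined or "X11" in joined:
        return "Linux"
    return "unknown"


def build_inventory(text: str) -> dict:
    """Return {ip: {"hostname", "os", "users"}} ready to answer Question 1."""
    inventory = {}
    for ip, rec in parse_field_lines(text).items():
        inventory[ip] = {
            "hostname": sorted(rec["hostnames"])[0] if rec["hostnames"] else None,
            "os": classify_os(rec["user_agents"]),
            "users": sorted(rec["users"]),
        }
    return inventory


if __name__ == "__main__":
    for ip, info in sorted(build_inventory(FIELD_LINES).items()):
        print(f"{ip:12} {info['os']:8} {info['hostname'] or '-':18} {', '.join(info['users']) or '-'}")
```

The OS guess from User-Agent alone is coarse; in a real capture, cross-check it against DHCP option 60 (vendor class) and the NBNS suffixes before relying on it.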

Question 2


To determine which Windows host was compromised, we should revisit the Security Onion alert image for further clues.

The two alerts that catch my attention are…

  • Windows Executable Sent When Remote Host Claims to Send an Image
  • Remote Service Control Manager Access

Each of these alerts is serious, and both involve the same IP address, 10.0.0.167. That leads me to believe that the DESKTOP-GRIONXA host machine is the one infected with malware. We will need to investigate further to confirm this suspicion.

We will first look at the alert involving the Windows executable within an image file. To do that, we can filter based on the source IP, port number, and HTTP Get requests in Wireshark. The filter I will use is…

ip.addr == 119.31.234.40 && tcp.port == 51132 && ip contains "GET"

This gives us a single packet that we need to examine. We can see that a file named “8888.png” was downloaded to the computer from alphapioneer[.]com.

By following the TCP Stream in Wireshark for that particular packet, we uncover what triggered the alert: Windows Executable Sent When Remote Host Claims to Send an Image. The telltale sign is the phrase “This program cannot be run in DOS mode,” which is commonly found in the headers of Windows executables.

We can export that potentially malicious file by going to

File -> Export Objects -> HTTP

Make sure you only export this file in a secure environment.

Once the file is exported, we can acquire its MD5 hash by utilizing the md5sum command in Linux.

Executing this will yield the MD5 hash value of 2cf20a1dd3693b996de4a559f1067850. With this hash in hand, we can now utilize various cybersecurity tools and databases to investigate whether it is associated with any known malicious activities.
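The two steps above (spotting the DOS-stub string inside a response that claims to be an image, then hashing the exported body) can be reproduced as a small checker. The script below is an added example, not code from the post or from the exercise: it parses a raw HTTP response, compares the declared Content-Type against the body’s magic bytes, and hashes the body the same way md5sum would. The sample responses are constructed; the PE body is a minimal stand-in and is not the real 8888.png payload.

```python
"""Detect a Windows executable served under an image Content-Type (added example)."""
import hashlib

# Magic bytes for the image types we expect to see versus a PE file.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"  # the telltale string from the TCP stream


def split_http_response(raw: bytes):
    """Return (status line, header dict, body) for a raw HTTP/1.x response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    # Honour Content-Length so trailing bytes are not treated as part of the file.
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return status, headers, body


def sniff_body_type(body: bytes) -> str:
    """Classify the payload by its magic bytes, not by what the server claims."""
    for magic, name in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return name
    if body.startswith(PE_MAGIC) and DOS_STUB in body[:512]:
        return "pe"
    return "unknown"


def analyze_response(raw: bytes) -> dict:
    """Compare claimed vs. actual type and hash the body (same digest md5sum prints)."""
    status, headers, body = split_http_response(raw)
    claimed = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff_body_type(body)
    return {
        "status": status,
        "claimed_type": claimed,
        "actual_type": actual,
        "exe_disguised_as_image": claimed.startswith("image/") and actual == "pe",
        "size": len(body),
        "md5": hashlib.md5(body).hexdigest(),
        "sha256": hashlib.sha256(body).hexdigest(),
    }


def build_response(content_type: bytes, body: bytes) -> bytes:
    """Assemble a constructed HTTP response around a body (test fixture helper)."""
    return (
        b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type + b"\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body
    )


# Constructed stand-in for a PE file: MZ header, DOS stub message, PE signature.
FAKE_PE_BODY = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"\x80\x00\x00\x00"
    + b"\x0e\x1f\xba\x0e\x00\xb4\t\xcd!\xb8\x01L\xcd!"
    + DOS_STUB + b".\r\r\n$" + b"\x00" * 16 + b"PE\x00\x00"
)
# Constructed minimal PNG header for the benign case.
FAKE_PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 13

SAMPLE_EXE_AS_IMAGE = build_response(b"image/png", FAKE_PE_BODY)
SAMPLE_REAL_IMAGE = build_response(b"image/png", FAKE_PNG_BODY)

if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_EXE_AS_IMAGE), ("benign", SAMPLE_REAL_IMAGE)):
        result = analyze_response(raw)
        print(label, result["claimed_type"], "->", result["actual_type"],
              "flag:", result["exe_disguised_as_image"], "md5:", result["md5"])
```

Hashing the body bytes rather than the whole response matters: the digest must match what md5sum reports on the file saved via File -> Export Objects -> HTTP, which is the body only.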

The services consulted have flagged this file as malicious, identifying it specifically as the QBot malware. QBot is a type of trojan known for its capabilities in stealing financial data. You can learn more about this type of malicious software at these different links.

QBot Malware: What Is It and How Does It Work

Office of Public Affairs | Qakbot Malware Disrupted in International Cyber Takedown | United States Department of Justice

Qbot/QakBot Malware | CISA

The Answer

We can now confidently conclude that the host named DESKTOP-GRIONXA (10.0.0.167) – Elmer.Obrien was the one that was compromised.

Question 3

The Answer

From our earlier investigations, we determined that the malware infecting the Windows client was a particular type of banking trojan.

QBot, also known as Qakbot, QuackBot, or Pinkslipbot, is a sophisticated Banking Trojan first identified in 2007 and has since evolved into a major global threat. This malware primarily aims to steal sensitive banking information, including credentials and session data.

Conclusion

In conclusion, the detailed investigation into the “SteelCoffee” case study from malware-traffic-analysis.net has not only reinforced the importance of vigilant network analysis but also highlighted the sophisticated nature of malware threats in the digital age. Our journey through this simulated real-world scenario using Wireshark’s advanced features led us to identify the DESKTOP-GRIONXA (10.0.0.167) – Elmer.Obrien as the compromised Windows client, infected with the QBot malware.

This exercise serves as a stark reminder of the evolving landscape of cyber threats and the necessity for robust security measures. For professionals and enthusiasts in the field of cybersecurity, the knowledge and skills gained through such exercises are invaluable. They not only equip us to better understand the mechanics of malware but also prepare us to respond effectively to real-world cyber threats.

I encourage readers to safely explore more simulated scenarios at malware-traffic-analysis.net to enhance their understanding and proficiency in network traffic analysis. Remember, staying ahead in the fight against cybercrime requires continuous learning and adaptation to new challenges. Stay safe, stay informed, and keep exploring the fascinating world of network security analysis!
