Wireshark Investigation: Analyzing ‘Turkey and Defense’ Network Traffic

Introduction

Welcome! Today we will dissect a real-world scenario to identify and understand the nefarious actions of malware using the powerful tool Wireshark. This is an analysis of the “Turkey and Defense” traffic analysis exercise from malware-traffic-analysis.net.

If you are eager to follow along on your own system, I invite you to download the PCAP (Packet CAPture) and alert files for the “Turkey and Defense” exercise from the numerous exercises of real-life scenarios at malware-traffic-analysis.net. You can find the files here (https://www.malware-traffic-analysis.net/2018/11/13/index.html).

Cautionary Notice: Analyze Malicious Network Traffic in a Secure Environment

Malicious PCAP files can include payloads that, if executed, could compromise your system. They may contain exploits that target vulnerabilities in network analysis software or the operating system itself. Even a simple act of opening a file, if not done cautiously, could trigger an infection on the host system where the analysis is being performed.

When delving into the world of network analysis, particularly when examining PCAP files that may contain malicious data, it’s crucial to prioritize operational security. Wireshark is a potent tool for such analysis, but it does not inherently protect you from the dangers that may lurk within the data it helps you scrutinize.

Why Traffic Analysis?

Traffic analysis is critical in the realm of cybersecurity: it stands as the sentry, scrutinizing the stream of data packets for signs of malicious intent. By interpreting these signals, we can uncover hidden malware communications, unauthorized data exfiltration, and other cyber threats before they have the chance to wreak havoc.

Getting Started with Wireshark

Wireshark is a significant part of the Swiss Army knife that network security analysts use on a daily basis. It allows us to capture and interactively browse the traffic running on a computer network. Wireshark lets us peer into the anatomy of network packets, revealing the raw data and the structured layers that govern how computers communicate. Discover more about Wireshark and access the download link for your system here (https://www.wireshark.org).

The Scenario: Turkey and Defense

The scenario that we will be analyzing is named “Turkey and Defense,” and in this exercise we’ll analyze a slice of network traffic that’s suspected to contain indicators of a cyber attack.

We have received some information that will prove beneficial during our analysis.

LAN segment data:

  • LAN segment range:  10.22.15.0/24 (10.22.15.0 through 10.22.15.255)
  • Domain:  geeographic.com
  • Domain controller:  10.22.15.2 – Geeographic-DC
  • LAN segment gateway:  10.22.15.1
  • LAN segment broadcast address:  10.22.15.255
  • IP address of the Windows client to investigate:  10.22.15.119

During the course of my analysis, I will address the questions listed on the scenario’s webpage:

  • What was the date and time the malicious traffic started?
  • What is the MAC address of the infected Windows host?
  • What is the host name of the infected Windows host?
  • What is the user account name used on the infected Windows host?
  • What URL in the pcap returned a Windows executable file?
  • What is the size of the Windows executable file from that URL?
  • What is the SHA256 hash of the Windows executable file from that URL?
  • What type of malware is the Windows executable returned from that URL?

The Analysis

The initial step of the analysis is to open the PCAP file in Wireshark and examine the alert files that were provided.

Based on the insights gleaned from the alerts text file and accompanying images, it becomes evident that there are several IP addresses that need to be examined to ascertain their potential maliciousness.

  • 46[.]29[.]160[.]132
  • 192[.]162[.]244[.]171
  • 95[.]181[.]198[.]115
  • 46[.]229[.]214[.]92

Next, we’ll delve into Wireshark and meticulously sift through the traffic associated with each of these IP addresses to compile information and gain a deeper understanding of the context surrounding this scenario.

Here is the output from Wireshark following the search for each destination IP address:

  • 46[.]29[.]160[.]132
  • 192[.]162[.]244[.]171
  • 95[.]181[.]198[.]115
  • 46[.]229[.]214[.]92

The examination of these Wireshark outputs yields essential details that warrant further scrutiny. Each IP address, together with the domain that resolved to it, will be added to our list of indicators of compromise (IoCs).

  • 46[.]29[.]160[.]132
    • shumbildac[.]com
  • 192[.]162[.]244[.]171
    • dhsiwyqdlskwsqo[.]com
  • 95[.]181[.]198[.]115
    • tmencedfu[.]com
  • 46[.]229[.]214[.]92
    • link[.]sandwseafood[.]net

Question 1

Based on the analysis we’ve conducted thus far, we are also able to respond to the initial questions.

  1. What was the date and time the malicious traffic started?
  • Nov 7, 2018 (11-07-2018) @ 15:47:11 EST (20:47:11 UTC)

This answer was determined by inspecting the first packet received from an IP address that triggered an alert.


Question 2

2. What is the MAC address of the infected Windows host?

  • 00:11:2f:d1:6e:52

The same packet examined for the previous answer also contained this answer.


Question 3

3. What is the host name of the infected Windows host?

  • Danger-Win-PC

The same packet scrutinized for the preceding response also revealed the information for this answer.


Question 4

To answer the subsequent question, we’ll need to delve deeper into the PCAP file’s contents.

There are several different ways you can locate the user account name of the infected Windows host within a PCAP file. Usernames can often be found in the traffic associated with network authentication protocols, such as SMB (Server Message Block) or Kerberos. We can use the display filter ‘kerberos.CNameString’, which matches the canonical name (CName) string in Kerberos protocol traffic.

4. What is the user account name used on the infected Windows host?

  • carlos.danger

Question 5

To address the next question, a more thorough investigation of the PCAP file is necessary.

In order to find out which URL in a PCAP file returned a Windows executable file, there are several things you can do. The first thing you will want to do is filter the Wireshark traffic to show only HTTP traffic with the ‘http’ filter. From there you can narrow it further with the filter ‘http contains “[FILE EXTENSION]”’. When searching for Windows file types within a PCAP file, look out for typical extensions such as .exe, .msi, .dll, .bat, .cmd, .vbs, and .ps1. These are commonly associated with executable and script files in the Windows operating system. In this case, we can simply locate the malicious source and destination addresses that we noted earlier and examine their HTTP traffic. An initial finding reveals that the infected host sent an HTTP GET request to the domain shumbildac[.]com to retrieve a .xap file.

5. What URL in the pcap returned a Windows executable file?

  • www[.]shumbildac[.]com/WES/fatog.php?l=ngul5.xap

Question 6

The subsequent query is answered within the HTTP response to the malware’s preceding request.

6. What is the size of the Windows executable file from that URL?

  • 439808 Bytes (0.439808 MB)

Question 7

Ensuring a secure environment is paramount for the upcoming steps in our analysis, as we’ll be handling files with the potential to compromise your system. For this sensitive part of the investigation, I’ll be operating within a securely isolated REMnux virtual machine to prevent any risk of infection. If you’re not fully confident in how to safely manage such files, I recommend you refrain from attempting this on your own system and instead follow along with the walkthrough provided in this blog post.

Wireshark offers the capability to retrieve specific files embedded within a packet capture. For our purposes, we have the option to extract the suspect file from the capture for a more detailed examination.

To do this, in Wireshark go to File -> Export Objects -> HTTP.

From there you can locate the fatog.php?l=ngul5.xap file and click Save in the bottom right corner.

7. What is the SHA256 hash of the Windows executable file from that URL?

  • 97f149f146b0ec63c32abff204ae27638f0310536172b0f718f1a91a5672fe71
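As an added example (not part of the original walkthrough), the following Python script applies the check a practitioner wants after Export Objects: it decides whether a returned body is a Windows executable from its MZ/PE header rather than from the URL’s extension (here a .xap), confirms the body is not truncated against Content-Length, and records the size and SHA256 that answer questions 6 and 7. The HTTP response and the PE stub are constructed inline, and the host name is a placeholder.

```python
"""Classify an exported HTTP object by content, not by URL extension (stdlib only)."""
import hashlib
import struct
from dataclasses import dataclass


@dataclass
class ExportedObject:
    url: str
    content_type: str
    size: int          # body length in bytes
    sha256: str        # hex digest of the body
    is_pe: bool        # True when the body carries a valid MZ/PE header


def is_pe_executable(body: bytes) -> bool:
    """True if body starts with an MZ DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)   # offset of the PE signature
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def split_response(raw: bytes) -> tuple[dict, bytes]:
    """Split a raw HTTP/1.1 response into lower-cased headers and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:              # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def inspect_http_object(url: str, raw_response: bytes) -> ExportedObject:
    headers, body = split_response(raw_response)
    declared = int(headers.get("content-length", len(body)))
    if declared != len(body):                          # partial capture: hash would be wrong
        raise ValueError(f"truncated body: declared {declared}, got {len(body)}")
    return ExportedObject(url, headers.get("content-type", ""), len(body),
                          hashlib.sha256(body).hexdigest(), is_pe_executable(body))


def build_fake_pe() -> bytes:
    """Constructed 128-byte stub with a valid MZ header and PE signature (not real malware)."""
    body = bytearray(0x80)
    body[:2] = b"MZ"
    struct.pack_into("<I", body, 0x3C, 0x40)           # e_lfanew -> 0x40
    body[0x40:0x44] = b"PE\x00\x00"
    return bytes(body)


SAMPLE_URL = "http://www.example.invalid/WES/fatog.php?l=ngul5.xap"   # placeholder host
SAMPLE_BODY = build_fake_pe()
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                   + f"Content-Length: {len(SAMPLE_BODY)}\r\n\r\n".encode() + SAMPLE_BODY)

if __name__ == "__main__":
    print(inspect_http_object(SAMPLE_URL, SAMPLE_RESPONSE))
```

A body that begins with PK (a real Silverlight .xap, which is a zip) fails the MZ check, so the URL extension alone never decides the verdict.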

Question 8

To address the concluding query, we can upload the suspicious file to VirusTotal (https://www.virustotal.com/) for a static analysis. The resulting analysis provides a grim outlook, confirming the file as a malicious trojan.

8. What type of malware is the Windows executable returned from that URL?

  • trojan.ursnif/dijo

Conclusion

As we conclude our journey through the intricacies of malware traffic analysis using Wireshark, we reflect on the invaluable insights gained. Through careful examination of the “Turkey and Defense” scenario from malware-traffic-analysis.net, we navigated the complex network traffic and deciphered the silent whispers of cyber threats hidden within. From pinpointing the initial malicious traffic to extracting and identifying a dangerous trojan, each step has been a testament to the critical role of traffic analysis in cybersecurity defense.

Navigating the complexities of network traffic and malware analysis can be as challenging as it is crucial. If you find yourself with questions, or if certain aspects of this walkthrough require further clarification, please don’t hesitate to leave a comment below. Whether it’s a specific step in the Wireshark process, an anomaly in the data you’re not sure how to interpret, or a general inquiry about cybersecurity practices, I’m here to assist.

Drop your questions or feedback in the comment section, and I’ll do my best to address them promptly. Together, we can build a stronger, more informed community ready to tackle the cybersecurity challenges of today and tomorrow.

One Comment

  1. I have been surfing on-line greater than three hours these days, but
    I by no means discovered any fascinating article like yours.
    It is pretty price enough for me. In my view, if all webmasters and
    bloggers made just right content material as you did, the net shall be much more
    useful than ever before.
