Our latest forensics puzzle has a malware twist to it, and was written by Lenny Zeltser. Lenny teaches the reverse-engineering malware (REM) course at SANS Institute.
The puzzle:
It was a morning ritual. Ms. Moneymany sipped her coffee as she quickly went through the email that arrived during the night. One of the messages caught her eye, because it was clearly spam that somehow got past the email filter. The message extolled the virtues of buying medicine on the web and contained a link to the on-line pharmacy. “Do people really fall for this stuff?” Ms. Moneymany thought. She was curious to know how the website would convince its visitors to make the purchase, so she clicked on the link.
The website was slow to load, and seemed to be broken. There was no content on the page. Disappointed, Ms. Moneymany closed the browser’s window and continued with her day.
She didn’t realize that her Windows XP computer just got infected.
You are the forensic investigator. You possess the network capture (PCAP) file that recorded Ms. Moneymany’s interactions with the website. Your mission is to understand what probably happened to Ms. Moneymany’s system after she clicked the link. Your analysis will start with the PCAP file and will reveal a malicious executable.
Here is the network capture file for this puzzle. The MD5 hash of this PCAP file is c09a3019ada7ab17a44537b069480312. Please use the Official Submission Form to submit your answers.
Answer the following questions:
1. As part of the infection process, Ms. Moneymany’s browser downloaded two Java applets. What were the names of the two .jar files that implemented these applets?
2. What was Ms. Moneymany’s username on the infected Windows system?
3. What was the starting URL of this incident? In other words, on which URL did Ms. Moneymany probably click?
4. As part of the infection, a malicious Windows executable file was downloaded onto Ms. Moneymany’s system. What was the file’s MD5 hash? Hint: It ends on “91ed”.
5. What is the name of the packer used to protect the malicious Windows executable? Hint: This is one of the most popular freely-available packers seen in “mainstream” malware.
6. What is the MD5 hash of the unpacked version of the malicious Windows executable file?
7. The malicious executable attempts to connect to an Internet host using an IP address which is hard-coded into it (there was no DNS lookup). What is the IP address of that Internet host?
Prize: Lenovo Ideapad S10-2 netbook
Deadline is 5/13/10 (11:59:59PM UTC-11) (In other words, if it’s still 5/13/10 anywhere in the world, you can submit your entry.)
Consider using an automated tool for extracting file artifacts (web pages, executable files, etc) embedded in the network capture file. Doing this manually tends to be slow and error-prone.
Also, note that to complete a comprehensive analysis of this incident, we should examine the malicious executable that found its way onto Ms. Moneymany’s system. That task is outside the scope of this particular puzzle, but we may look at it in a later puzzle.
Warning:
When answering this puzzle, remember that you will be working with real-world malicious software. Be careful not to infect yourself! Use an isolated system, which you will be able to reinstall at the end of your investigation.
About Your Solution:
Use the Official Submission form to submit your solution. All responses should be submitted as plain text. Microsoft Word documents, PDFs, etc will not be reviewed.
When grading your solutions, we will not just look for correct answers, but will also look at the explanation of how you derived your answers. The winning solution will stand out due to its elegance, insights, and readability. In the event of a tie, the entry submitted first will receive the prize.
You are welcome to collaborate with other people and discuss ideas back and forth. You can even submit as a team (there will be only one prize). However, please do not publish the answers before the deadline, or you (and your team) will be automatically disqualified.
By submitting your answer to this puzzle, you agree to license your solution’s text according to the Creative Commons v3 “Attribution” License.
Coding is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the analysis process. Graphical and command-line tools are all eligible. You are welcome to build upon the work of others, as long as their work has been released under a license that allows free derivative works.
Exceptional solutions may be incorporated into the SANS Network Forensics Investigative Toolkit (SNIFT kit) and/or Reverse-Engineering Malware course materials. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Reverse-Engineering Malware or Network Forensics course. All authors will receive full credit for their work.
Getting started with malware analysis:
If you’re interested in malware analysis, here are a few resources to help you get started:
• Building a Malware Analysis Toolkit Using Free Tools
• Using VMware for Malware Analysis
• Introduction to Malware Analysis Webcast
Final Note
Lenny Zeltser holds the copyright for this puzzle. He thanks Anand Sastry, Sherri Davidoff and Slava Frid for their feedback when creating this puzzle.
April 2, 2010 at 12:04 pm
Hi guys– please note that we’ve updated question #7 to include more info. cheers!
April 2, 2010 at 8:34 pm
Is questions #7 supposed to be answered with malware analysis? Because the pcap actually contains a DNS lookup for the HTTP Bot’s C&C, so this cannot be it. On the other hand, quick dynamic analysis of the malware in a Lab VM with Wireshark on the host does not exhibit any outbound connectings and strings on the dropped executable did not reveal any IP addresses either. Given the niveau of the other questions, thorough static analysis of the dropped executable also didn’t seem to be what is wanted, so I decided to rather quickly ask how this is intended.
April 3, 2010 at 7:43 pm
oxff: You’re welcome to use whichever approach you feel most comfortable with. However, I think performing static analysis of the dropped executable is not the easiest way to answer question #7.
May 12, 2010 at 10:38 pm
I can extract the executable from the pcap, but get checksum errors when using the appropriate unpacker. Anyone else having this issue?
May 13, 2010 at 9:23 pm
@Dave:
I had no problems unpacking it.
I’d look at how you’re extracting it from the pcap file, if you’re positive that you are extracting it correctly then you are probably using the wrong unpacker or a 3rd party unpacker.
May 14, 2010 at 10:47 am
I have successfully extracted executable from pcap…and there is no checksum error while using appropriate unpacker.
May 19, 2010 at 6:16 am
Winter, G
Thanks for the replies. Now that the contest is over, I can say that I extracted with both foremost and manually. A hexdump shows UPX packing with version 3.0.1. I’ll take a look at the solution once posted and retrace my steps. Thanks again.
May 19, 2010 at 11:23 am
For those that are interested, I was using foremost to extract the exe from a raw chuck exported out of Wireshark. For some reason, this introduced corruption. Using Network Miner, the exe had no issues being unpacked.
This is peculiar to say the least, as the the header and footer of the exe are identical with the corrupted and correct versions. Guess the foremost just fell down in this instance.
May 20, 2010 at 4:38 am
Dave,
If you export chunked data from wireshark to unchunk later with another tool, try to export as ASCII and not as raw content.
May 23, 2010 at 6:01 pm
Thanks Ed,
Gave that a shot and still no go. Could be a cross-platform issue, or god knows what. I’m just glad to be on the lookout for it from now on 🙂
I’ll dig into it some more when I have time, but thank you all for your suggestions.
Dave
June 3, 2010 at 6:07 pm
Dave,
Now contest is over, I can explain. When you check tcp follow stream option in wireshark, you can see there are few bytes before MZ starts and also at the end there are few extra bytes.
I think foremost check header bytes MZ only to extract exe file.
I think there are 2 ways you can use, manually if you want to carve then you can calculate length of PE file based on PE file structure and second can be run some tool which can create fake client/server request/response that way you can actually download exact pe file.
G