Link to PCAP file: https://malware-traffic-analysis.net/2024/08/15/index.html
Background:
A Windows host was infected, apparently by WarmCookie malware.
LAN segment details:
- LAN segment range: 10.8.15[.]0/24 (10.8.15[.]0 through 10.8.15[.]255)
- Domain: lafontainebleu[.]org
- Active Directory (AD) domain controller: 10.8.15[.]4 - WIN-JEGJIX7Q9RS
- AD environment name: LAFONTAINBLEU
- LAN segment gateway: 10.8.15[.]1
- LAN segment broadcast address: 10.8.15[.]255
Task:
Write an incident report based on malicious network activity from the pcap and from the alerts.
https://docs.google.com/document/d/1cehUOrXnY4xODM3f54MB8L6gAmSwqR9FEBYFScHF1QM/edit?tab=t.0
- I began by downloading and unzipping the PCAP file and alerts from Malware Traffic Analysis, then opening them in Wireshark. I then reviewed the alerts and found suspicious POST requests to a dotted quad (a bare IP address) rather than a fully qualified domain name, and an alert for a possible executable/DLL file download.
- Next, I searched for any Kerberos authentication events to identify login details and hostnames. I then applied an LDAP (Lightweight Directory Access Protocol) filter to retrieve the user’s full name, IP, and MAC address.
- Next I investigated the alerted traffic itself. I started by following the TCP stream to destination IP 72[.]5[.]43[.]29 and identified a few suspicious indicators: a suspiciously long cookie string, an outdated User-Agent (Microsoft Internet Explorer 6), and a GET request whose Host header is an IP address rather than a fully qualified domain name.
- There wasn't much information there, so I followed the HTTP stream to the same destination IP and found more suspicious indicators. The HEAD and GET requests point to a specific file, but the User-Agent is Microsoft BITS. This is suspicious because Microsoft BITS is a legitimate service used for Windows Update and never used for a file transfer to an untrusted external IP address. Furthermore, the response data begins with 'MZ', the magic number marking a Windows executable, followed by 'This program cannot be run in DOS mode.', which strengthened my suspicion that this is a malicious payload.
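As an added example (not part of the original write-up), the following Python encodes the indicators from the two streams above as checks run over constructed transaction summaries: Host header that is a bare IP, an obsolete MSIE User-Agent, Microsoft BITS fetching from an address outside the LAN, an oversized cookie, and a response body that starts with the 'MZ' magic. The internal source address and domain controller come from the LAN details above; the external address (a documentation range), paths, User-Agent strings and the cookie-length threshold are assumptions.

```python
import ipaddress
import re

# Address ranges treated as internal; anything else counts as "external" for the BITS rule.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Session cookies longer than this are unusual; the threshold is an assumption.
LONG_COOKIE_THRESHOLD = 512

# Internet Explorer 8 and earlier are end-of-life; a client still claiming them stands out.
MSIE_OLD_RE = re.compile(r"\bMSIE [1-8]\.")

# Constructed summaries of HTTP transactions (not taken from the pcap). tx1 and tx2
# mirror the indicators described in the write-up; tx3 is a benign control.
# 203.0.113.0/24 is a documentation range standing in for the external server.
SAMPLE_TRANSACTIONS = [
    {"id": "tx1", "src": "10.8.15.133", "dst": "203.0.113.10", "method": "GET",
     "host": "203.0.113.10", "path": "/",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
     "cookie": "id=" + "A" * 700, "response_body": b"<html></html>"},
    {"id": "tx2", "src": "10.8.15.133", "dst": "203.0.113.10", "method": "GET",
     "host": "203.0.113.10", "path": "/files/update.dat",
     "user_agent": "Microsoft BITS/7.8", "cookie": "",
     "response_body": b"MZ\x90\x00" + b"\x00" * 60
                      + b"This program cannot be run in DOS mode."},
    {"id": "tx3", "src": "10.8.15.133", "dst": "10.8.15.4", "method": "GET",
     "host": "updates.example.invalid", "path": "/cab/x.cab",
     "user_agent": "Microsoft BITS/7.8", "cookie": "", "response_body": b"MSCF"},
]


def is_external(ip: str) -> bool:
    """True when the address lies outside every range in INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def host_is_dotted_quad(host: str) -> bool:
    """True when the Host header is a bare IPv4 address (optional :port)."""
    try:
        ipaddress.IPv4Address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def triage(tx: dict) -> list:
    """Return the list of indicator names that fire for one transaction."""
    findings = []
    if host_is_dotted_quad(tx["host"]):
        findings.append("host-header-is-ip")
    if MSIE_OLD_RE.search(tx["user_agent"]):
        findings.append("outdated-ua")
    if tx["user_agent"].startswith("Microsoft BITS") and is_external(tx["dst"]):
        findings.append("bits-to-external")
    if len(tx["cookie"]) > LONG_COOKIE_THRESHOLD:
        findings.append("long-cookie")
    if tx["response_body"][:2] == b"MZ":
        findings.append("pe-in-response")
    return findings


def triage_all(transactions: list) -> dict:
    """Map transaction id -> indicators, so flagged streams can be listed in a report."""
    return {tx["id"]: triage(tx) for tx in transactions}


if __name__ == "__main__":
    for tx_id, hits in triage_all(SAMPLE_TRANSACTIONS).items():
        print(tx_id, "FLAGGED" if hits else "clean", hits)
```

Each rule is a weak signal on its own (BITS does download from vendor CDNs, and IP-only hosts exist on internal networks); the point of collecting them per stream is that several firing together on the same connection is what justifies following the stream and carving the file.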
- I checked the suspicious IP Address on VirusTotal, which confirms that this IP is indeed malicious and originates from Romania.
- Continuing down the same rabbit hole, I exported the suspicious file and used the Linux terminal to identify its file type, which confirmed it as a DLL executable. I then obtained its SHA256 hash and checked it on VirusTotal, which confirmed it as malicious (Trojan malware).
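An added example, not from the write-up: a Python routine that performs the same file-type check the terminal tool does by reading the DOS and COFF headers (the 'MZ' magic, the DOS stub string, the 'PE\0\0' signature and the IMAGE_FILE_DLL bit in the Characteristics field) and computes the SHA256 that would be looked up on VirusTotal. The byte buffers it inspects are constructed stand-ins built by build_sample_pe(), not the sample carved from the pcap.

```python
import hashlib
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # COFF Characteristics bits (PE format spec)
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020
IMAGE_FILE_DLL = 0x2000
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def build_sample_pe(is_dll: bool, machine: int = 0x8664) -> bytes:
    """Constructed stand-in: a DOS header, the DOS stub string and a COFF header
    carrying the requested Characteristics. It is not a loadable image, only
    enough structure for identify_pe() to classify it."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x40:0x40 + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> PE signature
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE
    if is_dll:
        characteristics |= IMAGE_FILE_DLL
    # Signature, Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", machine, 1, 0, 0, 0, 0xF0, characteristics)
    return bytes(dos) + coff


def identify_pe(data: bytes) -> dict:
    """Classify a buffer as dll / exe / not-pe from its headers and hash it."""
    result = {"type": "not-pe", "size": len(data),
              "sha256": hashlib.sha256(data).hexdigest()}
    if len(data) < 0x40 or data[:2] != b"MZ":
        result["reason"] = "no MZ magic"
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 'MZ' alone is not proof: old DOS binaries carry it without a PE header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        result["reason"] = "no PE signature"
        return result
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    result.update({
        "type": "dll" if characteristics & IMAGE_FILE_DLL else "exe",
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "has_dos_stub": DOS_STUB_TEXT in data[:e_lfanew],
    })
    return result


if __name__ == "__main__":
    for label, blob in (("dll", build_sample_pe(True)), ("exe", build_sample_pe(False))):
        print(label, identify_pe(blob))
```

The same header walk is what `file` performs before printing "PE32+ executable (DLL)"; doing it by hand shows why the DLL verdict comes from a single Characteristics bit rather than from the file extension, which the downloader is free to choose.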
- With more information on the malicious payload, I went back to the HTTP traffic from source IP 10[.]8[.]15[.]133 to see what happened before the payload was downloaded. I found a potentially suspicious Host domain name, quote[.]checkfedexexp[.]com, followed its HTTP stream, and found several interesting suspicious indicators.
- I found a ZIP file attachment titled 'Invoice 876597035_003.zip' that contains a JavaScript (.js) file. This is unexpected, as invoices are usually PDFs or similar document formats, and email attachments containing JavaScript are highly suspicious because they may carry malicious code.
- To investigate further, I exported the suspicious ZIP file. Before extracting and opening the malicious attachment, I took a snapshot of my virtual machine as a safe restore point, so I could revert it to its original state if needed.
- Once I had my snapshot, I opened the malicious attachment and found that the "Invoice" is really a .js file full of random words and text. I searched it for keywords such as '.exe', 'dll', 'warm', and 'cookie' but got no hits. 'quote' returned a hit, but nothing of relevance. Then I searched for 'checkfedex', from the earlier DLL finding, and got a hit on a URL.
- I went back to my terminal, retrieved the SHA256 hashes of both files, and searched both on VirusTotal; both were flagged as malicious under the identification WarmCookie.
- Finally, I recorded the file sizes of both the malicious attachment and its payload for thorough documentation in my incident report.
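Added example covering the attachment steps above (not the author's code): it builds a stand-in ZIP with a script inside, lists the entries without writing anything to disk, flags script extensions, extracts URLs and keyword hits using word-boundary matching (so 'exe' does not fire on 'example'), refuses to inflate entries whose declared size exceeds a cap, and records the sizes and SHA256 hashes of both the container and the inner file for the report. The attachment name, script contents, URL and size cap are constructed placeholders.

```python
import hashlib
import io
import re
import zipfile

# Extensions Windows will hand to a script host or shell when double-clicked.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                     ".ps1", ".cmd", ".bat", ".lnk"}
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s'\"<>)]*)?")
MAX_ENTRY_BYTES = 20 * 1024 * 1024   # decompression-bomb guard; the cap is an assumption
DEFAULT_KEYWORDS = ("exe", "dll", "warm", "cookie", "quote")


def build_sample_attachment() -> bytes:
    """Constructed ZIP resembling the 'invoice' lure; the script inside is inert
    filler with one embedded placeholder URL."""
    js = (
        "var a = 'harbor velvet lantern meadow';  // filler words, as in the lure\n"
        "var b = 'http://lure.example.invalid/quote/';  // placeholder URL\n"
        "var c = a.length + b.length;\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice 000000000_000.js", js)   # placeholder file name
    return buf.getvalue()


def inspect_attachment(zip_bytes: bytes, keywords=DEFAULT_KEYWORDS,
                       max_entry_bytes: int = MAX_ENTRY_BYTES) -> dict:
    """Inventory a ZIP attachment in memory: hashes, sizes, script flags, URLs, keywords."""
    report = {
        "container_size": len(zip_bytes),
        "container_sha256": hashlib.sha256(zip_bytes).hexdigest(),
        "entries": [],
    }
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            entry = {"name": info.filename, "declared_size": info.file_size}
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            entry["is_script"] = ext in SCRIPT_EXTENSIONS
            if info.file_size > max_entry_bytes:
                # Declared size is attacker-controlled, but a large declared size is
                # still reason enough not to inflate blindly.
                entry["skipped"] = "declared size over limit"
                report["entries"].append(entry)
                continue
            data = zf.read(info.filename)        # inflated in memory only, never extracted
            text = data.decode("utf-8", errors="replace")
            entry.update({
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "urls": URL_RE.findall(text),
                "keyword_hits": [k for k in keywords
                                 if re.search(r"\b" + re.escape(k) + r"\b", text, re.I)],
            })
            report["entries"].append(entry)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(inspect_attachment(build_sample_attachment()), indent=2))
```

Reading entries with `zf.read()` instead of `extractall()` keeps the script off the analysis VM's filesystem entirely, which is the same precaution the snapshot above provides, one layer earlier; the size cap matters because `ZipInfo.file_size` is the only size information available before inflation.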