Thanks to everyone who participated in our June 2021 forensic contest originally posted two weeks ago. We received 10 submissions through our contact page, and four people found all three infections in the pcap. Unfortunately, we could only pick one winner. In this case, our winner was chosen through a random process among the four eligible people. Join us in congratulating this month's winner, Dimitri! Dimitri will receive a Raspberry Pi 4 kit.
You can still find the pcap for our June 2021 forensic contest at this Github repository.
Three infected Windows clients show signs of infection within the Active Directory (AD) environment from the packet capture (pcap). The infected Windows hosts are:
To help in your analysis of this activity, please review the Requirements section in our original diary for this month's contest.
Creating Pcaps for Individual Hosts
As stated in our original post, the infected Windows hosts are part of an AD environment, and its characteristics are:
To find IP addresses for Windows clients in this AD environment, use Statsistics --> Endpoints to bring up Wireshark's Endpoints window.
The Endpoints window shows all endpoints in the pcap. Click on the IPv4 tab and sort by address to find IP addresses in the 10.6.15.0/24 range.
This should reveal six internal IP addresses within the 10.6.15.0/24 LAN segment ior saltmobsters.com:
10.6.15.1, 10.6.15.5, and 10.6.15.255 are already accounted for, we should filter on each of the three remaining IP addresses and export traffic for each one into a separate pcap.
First, filter on ip.addr eq 10.6.15.93 then use File --> Export Specified Packets... to save the displayed traffic in a new pcap as shown below.
Do the same thing for 10.6.15.119 and 10.6.15.187. Now you should have three new pcaps that contain traffic from each of the Windows clients.
Infection Traffic for Agent Tesla (AgentTesla)
Let's review traffic from 10.6.15.93. We can quickly determine host information by filtering on Kerberos.CNameString and viewing a customized column for CNameString as described in this tutorial. The host information is:
You can find host information for the other two IP addresses using this method. Note: When setting up this environment, I misspelled DESKTOP in the host name for DEKSTOP-A1CTJVY.
There's nothing unusual in web traffic from 10.6.15.93, except for a dns query to turtleoil1998b[.]com that resolves to 45.142.212[.]61, but no TCP connection is established with that IP. This traffic is related to the TA551 (Shathak) campaign, and it was pushing Ursnif (Gozi/ISFB) during this timeframe. My personal research has confirmed turtleoil1998b[.]com was a domain used by TA551 to host malware DLL files for Ursnif on 2021-06-16.
Despite a lack of interesting web traffic, 10.6.15.93 generated unusual SMTP activity. Filter on smtp, and the display will show unencrypted SMTP traffic over TCP port 587 to an external IP address. This is not normal activity from a Windows client.
Follow the TCP stream for any of the first few frames in the SMTP results. Your TCP stream should reveal an email to firstname.lastname@example.org with usernames and passwords from the Windows host. This is definitely malicious traffic.
This activity matches what I've seen for AgentTesla malware. It triggered an alert for AgentTesla-generated SMTP when I tested it in my lab environment.
The infected Windows host at 10.6.15.93 sent four emails to email@example.com.
The first message has passwords from the infected Windows host, and its subject line starts with PW. The next three messages have keylogging data, and their subject lines start with KL.
Infection Traffic for Hancitor, Cobalt Strike, and Ficker Stealer
Traffic from 10.6.15.119 fits patterns for Hancitor, Cobalt Strike, and Ficker Stealer as described in this Wireshark Tutorial. In recent weeks, Hancitor has used Google Feedproxy links as the initial URL to kick off an infection chain. The initial Google Feedproxy link in this pcap redirected to a URL from, ststephenskisugu[.]church as part of this infection chain.
Indicators for the remaining activity are listed below.
Hancitor-infected host retrieves follow-up malware:
Cobalt Strike traffic:
Ficker Stealer traffic:
EXE retrieved from the traffic:
Infection Traffic for Qakbot (Qbot)
Traffic from 10.6.15.187 fits patterns for Qakbot (Qbot) malware. Indicators are:
The initial URL for solarwindsonline[.]com was reported to URLhaus as returning a zip archive for Qakbot. Unfortunately, due to packet loss in our pcap, we cannot export the zip archive that appears in this traffic.
However, this malware sample is an Excel spreadsheet associated with Qakbot that generates traffic to khangland[.]pro and jaipurbynite[.]com. Tria.ge sandbox analysis of the sample shows it generates the following HTTPS URLs when macros are enabled:
These two URLs fit patterns associated with Qakbot infections in recent weeks. 207.246.77[.]75:2222 is also known for malicious traffic associated with Qakbot.
This month's quiz was significantly more difficult than our previous two forensic contests, so thanks to all who participated.
Congratulations again to Dimitri for winning this month's competition!
You can still find the pcap and malware at this Github repository.
Jun 30th 2021
|Thread locked Subscribe||
Jun 30th 2021
10 months ago