PCAP - Contagio - 8202_tdb

##################
# MetaData Stuff #
##################

File name:
8202_tbd_ 6D2C12085F0018DAEB9C1A53E53FD4D1.pcap

MD5|SHA1|SHA256 Hash:
d3d8807486d5e7421404e28ec33963c6
bbb8ba25e7a2894c2308bbe85603e639b9d5e97d
c0f93e675797bc9043aebd03c43f0143a3d68740f4fed3d8a9b862ebba1434c3

Size:
330251

Packets:
982 Total Packets

############
# Analysis #
############

# Communicators #

524 - 53.3% - 192.200.99[.]194 - sa.foundcloudsearch[.]com (per the DNS answers in the PCAP; as of Feb 25, 2018 this IP resolves back to GORILLASERVERS[.]COM)
320 - 32.5% - 172.16.253[.]130 - Private IP (System 1)
11 - 1.1% - 172.16.253[.]254 - Private IP (System 2)
6 - 0.6% - 8.8.8[.]8 - Google DNS
6 - 0.6% - 4.2.2[.]2 - Level 3 DNS

# Analysis of Events #

172.16.253[.]254 attempts ping to 172.16.253[.]130
- No Response
172.16.253[.]254 attempts ping to 172.16.253[.]129
- No Response

172.16.253[.]130 queries sa.foundcloudsearch[.]com
- Both 4.2.2[.]2 (Level 3) and 8.8.8[.]8 (Google) answer with the IP 192.200.99[.]194

172.16.253[.]130 establishes a TCP connection to 192.200.99[.]194 on port 80.
- 192.200.99[.]194 delivers a Windows .exe to 172.16.253[.]130
- EXE stats:
- The stream is only decoded as TCP... it is not dissected as HTTP, so the .exe cannot be exported as an HTTP object.
- The .exe is probably about 122kB in size. Not able to extract it successfully with either Wireshark or ChaosReader.

The connection is RST by 192.200.99[.]194.
172.16.253[.]130 re-establishes the connection.
- Delivers the system hostname: "DellXTLaura 824_CLS"
- This step is repeated 7 times. Each repeat after the first begins with a fresh DNS query from 172.16.253[.]130 for the domain before the TCP connection is made.

# Deep Dive into the failure to export the EXE #
I tried to give a screenshot of everything I was doing and seeing. Can you see anything I missed?

1. Wireshark's HTTP preferences are properly configured to dissect port 80 as HTTP traffic


2. Wireshark is breaking out the traffic as TCP port 80


3. Wireshark does not give the same contextualization for the port 80 traffic in relation to the packet highlighted below. Typically you will see something like TCP 1109 HTTP -> 1066 [PSH, ACK] Seq=1 Ack=14 etc... if the packet is being decoded as HTTP.


4. When you go to Follow the Stream and select "TCP Stream" or "HTTP Stream"...


5. HTTP Stream gives the following.... Nothing


6. TCP Stream gives you the data you expect. You can also see that the amount of data being pushed from 192.200.99[.]194 is 122kB.


7. So... let's see if we are able to export the HTTP objects...


8. Seriously... WTF?


9. Let's try ChaosReader... It reads well...


10. Looking at the index.html... Looks OK... ish


11. Pulling out the session which should contain the exe... There is the data... But there is no way to save out the exe... :'(


##############
# Conclusion #
##############

On Feb 4, 2013 at 2:50:38 UTC, system 172.16.253[.]130 (System 1) made an outbound connection to the domain 'sa.foundcloudsearch[.]com', which was hosted on the system with the IP address 192.200.99[.]194. System 1 then downloaded an unknown .exe from the foundcloudsearch domain. At this time it is unknown what the function of the .exe pertained to, as I was unable to successfully extract the .exe. Please see the screenshots above for details on that process. Also, see the following screenshot for the followed stream in hex. It is important to note that the hex dump does not contain the MZ header for an executable. But if you look at bytes 58-63 (highlighted below) you can see the value '04 ad 5a', which is very similar to the hex value of MZ (4d 5a). It may be possible to edit this value in a hex editor to recreate the correct executable MZ header.
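
Getting the bytes out does not depend on Wireshark's HTTP dissector: the Follow TCP Stream dialog can show a single direction as Raw and save it, `tshark -q -r file.pcap -z follow,tcp,raw,0` dumps the same thing, and the reassembly is simple enough to script. The Python below is an added example for this write-up (not part of the original analysis or the Contagio material) that covers both the export steps above and the MZ question: it reassembles the server-to-client direction of a TCP stream from a classic pcap, strips an HTTP header block if one is present, and then checks whether the data is a PE, including under a single-byte XOR wrapper, by requiring both the MZ signature and a valid e_lfanew pointer rather than a near-miss byte pattern. The capture it runs on is constructed in memory using the addresses from this analysis; the client port 1066, the XOR key and the fake payload are assumptions.

```python
"""Reassemble one direction of a TCP stream from a pcap and carve a PE out of it.

Added example for this write-up, not part of the original analysis; standard library
only. Classic-libpcap reader (Ethernet/IPv4/TCP) -> reassembly by sequence number ->
optional HTTP-header strip -> search for an 'MZ' header whose e_lfanew points at
'PE\\0\\0', in the clear or under any single-byte XOR key. The capture at the bottom
is constructed in memory (not the Contagio pcap); client port 1066 is an assumption.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap; Wireshark's default pcapng is not handled here
SERVER, CLIENT = ("192.200.99.194", 80), ("172.16.253.130", 1066)
XOR_TABLES = [bytes(i ^ k for i in range(256)) for k in range(256)]  # translate() tables


def iter_frames(data):
    """Yield raw Ethernet frames from classic libpcap bytes (either byte order)."""
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data)[0])
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng? re-save as pcap)")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:  # IP protocol 6 = TCP
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack_from("!H", ip, 2)[0]]
    sport, dport, seq = struct.unpack_from("!HHI", tcp)
    addr = lambda o: ".".join(map(str, ip[o:o + 4]))
    return addr(12), sport, addr(16), dport, seq, tcp[(tcp[12] >> 4) * 4:]


def reassemble(pcap_bytes, src, sport, dst, dport):
    """Concatenate the payload sent from src:sport to dst:dport in sequence order.

    Segments are written at (seq - first_seq): out-of-order ones land in place and
    retransmissions overwrite the same bytes. A hole left by a segment missing from
    the capture is zero-filled rather than silently closed up.
    """
    segs = [(p[4], p[5]) for p in map(parse_tcp, iter_frames(pcap_bytes))
            if p and p[:4] == (src, sport, dst, dport) and p[5]]
    if not segs:
        return b""
    base, buf = min(seq for seq, _ in segs), bytearray()
    for seq, payload in sorted(segs):
        start = (seq - base) & 0xFFFFFFFF
        buf.extend(b"\x00" * max(0, start + len(payload) - len(buf)))
        buf[start:start + len(payload)] = payload
    return bytes(buf)


def strip_http_headers(stream):
    """Drop an HTTP response header block if present; a raw custom protocol passes through."""
    if stream.startswith(b"HTTP/") and b"\r\n\r\n" in stream:
        return stream[stream.index(b"\r\n\r\n") + 4:]
    return stream


def find_pe(data):
    """Return (offset, xor_key) of the first plausible PE image, or None.

    A genuine PE has 'MZ' at its start and a little-endian e_lfanew at +0x3C pointing
    at 'PE\\0\\0'; requiring both avoids false hits on a stray 'MZ'-like byte pair.
    """
    for key, table in enumerate(XOR_TABLES):  # key 0 is the identity (unobfuscated)
        view = data.translate(table)
        pos = view.find(b"MZ")
        while pos >= 0:
            if pos + 0x40 <= len(view):
                pe = pos + struct.unpack_from("<I", view, pos + 0x3C)[0]
                if pos + 0x40 <= pe <= pos + 0x1000 and view[pe:pe + 4] == b"PE\x00\x00":
                    return pos, key
            pos = view.find(b"MZ", pos + 1)
    return None


def _frame(src, dst, seq, payload, flags=0x18):
    """Minimal Ethernet/IPv4/TCP frame for the constructed capture; checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip4 = lambda a: bytes(map(int, a.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip4(src[0]), ip4(dst[0]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_sample_pcap(key=0x5A):
    """Constructed: fake PE, XOR-wrapped, served over HTTP in three out-of-order segments."""
    fake_pe = b"MZ" + b"\x90" * 0x3A + struct.pack("<I", 0x80) + b"\x00" * 0x40
    fake_pe += b"PE\x00\x00\x4c\x01" + b"\x00" * 200  # Machine = i386, remainder zeroed
    resp = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: %d\r\n\r\n" % len(fake_pe)) + fake_pe.translate(XOR_TABLES[key])
    frames = [
        _frame(CLIENT, SERVER, 500, b"GET /x HTTP/1.1\r\nHost: sa.foundcloudsearch.com\r\n\r\n"),
        _frame(SERVER, CLIENT, 1000, resp[:120]),
        _frame(SERVER, CLIENT, 1260, resp[260:]),      # arrives before the middle segment
        _frame(SERVER, CLIENT, 1120, resp[120:260]),
        _frame(SERVER, CLIENT, 1120, resp[120:260]),   # retransmission
        _frame(CLIENT, SERVER, 549, b"", flags=0x10),  # bare ACK, no payload
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):  # 1359946238 = 2013-02-04 02:50:38 UTC, the first connection above
        out += struct.pack("<IIII", 1359946238 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    stream = reassemble(build_sample_pcap(), *SERVER, *CLIENT)
    print(len(stream), "bytes server->client; PE candidate (offset, key):", find_pe(strip_http_headers(stream)))
```

On a real capture, replace `build_sample_pcap()` with the bytes of the pcap file and write the reassembled stream out with `open(..., "wb")`. If `find_pe` returns None for every key, the payload is not a raw or single-byte-XORed PE, and patching two bytes to read MZ will not make it one; that is the point at which to look for a multi-byte key or a custom framing protocol instead.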



Continuing into the PCAP analysis: following the download of the unknown .exe file, at 2:51:32 UTC 192.200.99[.]194 RST the connection. System 1 then immediately re-established a connection with 192.200.99[.]194 and downloaded the same unknown file a second time.

At 2:52:25 UTC 192.200.99[.]194 terminated the connection with System 1 using a RST, ACK. About nine minutes later System 1 began a repeated pattern of outbound connections to 192.200.99[.]194. This repetition took place every 10 minutes, starting at 3:01:30 and continuing through 4:11:30. See the following screenshot illustrating each repetition.
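
The fixed 10-minute cadence described above is exactly what a beacon detector keys on. The Python below is an added example (not part of this write-up): it takes (timestamp, src, dst) connection records, groups them by src/dst pair and reports pairs whose inter-connection gaps cluster around one period. The connection log it runs on is constructed from the times quoted in this analysis plus a few unrelated resolver lookups; it is not exported from the pcap, and the resolver timestamps are invented.

```python
"""Flag beacon-like periodic connections in a connection log.

Added example, not from the original write-up. Records are (timestamp, src, dst);
pairs whose inter-connection gaps cluster around one period are reported. The log
at the bottom is constructed from the times quoted in the write-up plus a few
unrelated resolver lookups; it is not exported from the pcap.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median


def find_beacons(events, min_regular=4, jitter=0.10):
    """Return {(src, dst): (period_s, regular_gaps, total_gaps)} for periodic pairs.

    The period is the median gap; a gap is 'regular' if it lies within jitter*period
    of that. Using the median plus a count threshold, rather than requiring every gap
    to match, tolerates a few setup connections before the timer starts (here the
    download and the immediate re-download) and a dropped beacon or two.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < min_regular:
            continue
        period = median(gaps)
        regular = sum(1 for g in gaps if period > 0 and abs(g - period) <= jitter * period)
        if regular >= min_regular:
            hits[pair] = (period, regular, len(gaps))
    return hits


def _t(hms):
    """Constructed timestamp on the capture date (2013-02-04), UTC."""
    return datetime.strptime("2013-02-04 " + hms, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


INFECTED, C2 = "172.16.253.130", "192.200.99.194"
SAMPLE_LOG = (
    [(_t("02:50:38"), INFECTED, C2), (_t("02:51:32"), INFECTED, C2)]  # download, re-download
    + [(_t("03:01:30") + timedelta(minutes=10 * i), INFECTED, C2) for i in range(8)]  # 03:01:30..04:11:30
    + [(_t(h), INFECTED, "8.8.8.8") for h in ("02:50:37", "03:11:29", "03:51:29")]  # constructed noise
    + [(_t(h), INFECTED, "4.2.2.2") for h in ("02:50:37", "03:31:29")]
)


if __name__ == "__main__":
    for (src, dst), (period, regular, total) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: period {period:.0f}s, {regular}/{total} gaps regular")
```

Fed the constructed log, the only pair reported is 172.16.253.130 -> 192.200.99.194 with a 600 s period. Real implants usually add jitter to the timer, so the 10% tolerance is a starting point rather than a constant; widen it and raise `min_regular` together when the log covers a longer window.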



It is odd that the same information was passed with each repetition. The following screenshot shows the information that was passed.



At this time, I do not have enough hard evidence to make an official determination that this .exe is indeed malicious, but I do consider this .exe to be highly suspicious, especially given that immediately following the download of the unknown .exe, System 1 began a repeated event of sending a system hostname (likely System 1's own hostname) to the external system. This type of pattern is consistent with known malicious behaviour of a system that has been infected with a RAT (Remote Access Trojan) or a backdoor.

Further actions: attempt to manually correct the unknown .exe header to read MZ (4d 5a). A patched signature only helps if the rest of the file is an intact PE, so after patching, check that the 4-byte value at offset 0x3C points at a 'PE\0\0' signature; if it does not, the data is more likely encoded in transit, or not a raw PE at all, and a two-byte patch will not recover it.
