PCAP - Contagio - BIN_9002



PCAP Analysis

################
# MetaData Stuff #
################

File name:
BIN_9002_D4ED654BCDA42576FDDFE03361608CAA_2013-01-30.pcap

MD5|SHA1|SHA256 Hash:
8a75d07e0430d8333a36fba94bffacd4
188a6e6548a0c4144745e8e8804c647ae3b140cb
f61998395930c06ce13acb94f149e8b55a3433f0678951c32509798addb5accd

Size (bytes):
4183072

Packets:
6661

###################
# High Level Review #
###################

The Contagio PCAP "BIN_9002_D4ED654BCDA42576FDDFE03361608CAA_2013-01-30.pcap" contains a single TCP conversation between two IP addresses: 192.36.76[.]113 and 172.16.253[.]129. No DNS resolution for the external IP 192.36.76[.]113 was identified; whatever it resolved to at the time of capture is no longer relevant to this analysis.

The private address 172.16.253[.]129 is taken to be the victim, and 192.36.76[.]113 the attacker's system. The two systems communicate over TCP on port 53. That port is the one normally used for DNS, but the payload is not DNS; using it is suspected to be an attempt to blend in with DNS traffic or to pass firewall rules written for it.

The PCAP begins with 172.16.253[.]129 downloading an EXE file, believed to be called update.exe. This file is then executed from the directory "C:\Recycler", which is believed to open a backdoor on 172.16.253[.]129, giving an actor on 192.36.76[.]113 control of the system. Once the actor has control, they perform the following actions:
 - Identifying the current user's permissions
 - SID 'S-1-5-2175567827500-839114' is identified and appears to have access to the Administrator's profile folder (C:\Documents and Settings\Administrator\)
 - The actor queries the following directories:
 - C:\Documents and Settings\Administrator\
 - C:\Documents and Settings\Laura\
 - The actor then begins a directory walk, requesting a series of documents which are believed to be exfiltrated to 192.36.76[.]113. The actor first opens the following directories; no files of interest are believed to have been found, and the actor moves on to the next directory:
 - C:\Documents and Settings\Administrator\Recent Items
 - C:\Documents and Settings\Administrator\Cache
 - C:\Documents and Settings\Administrator\Desktop
 - Within 'C:\Documents and Settings\Administrator\Desktop', the actor executes the following file:
 - bablefish.exe - Babel Fish is the name of a well-known translation service. The file name alone does not establish that this executable is the legitimate software; it should be treated as an indicator to hash and check if the host is available.
 - The actor then navigates to the user Laura's profile and begins to exfiltrate the following documents:
 - C:\Documents and Settings\Laura\Desktop\
 - China's National Defense 2012.doc
 - uygh.jpg
 - C:\Documents and Settings\Laura\My 1\
 - 071.doc
 - 12238603_T*upp.? = "California and Sumatra: Journal of Geophysical Research"
 - 146129944.doc = "HIGHLY PATHOGENIC AVIAN INFLUENZA IN THE PEOPLE'S REPUBLIC OF CHINA"
 - 201*4*2216*97.doc = "The 11th China Xinjiang (Karamay) International Petroleum"
 - 201*2*8132735180.doc = "The 2nd China Xinjiang International Mining Expo & Forum"
 - 2011324*8255367862.doc = "Overview of the Investment Environment in Urumqi"
 - 2338_UN_Diplomats_Resume_Difficult_Human_Rights_Talks.doc
 - 448798-1920x1*0-*myWallpapers*.jpg
 - 7.doc = "Bringing China to Arkansas Lesson Plans"
 - APP*CALENDAR 201*(4A)AM.ED.xls
 - Archives_of_the_CPA.xls = "Cable on formally re-establishlB..U.S.-Iraqi diplomatic*"
 - *(August 1998) Profile of Asylum Claims and Country Conditions Report*.doc

##########
# Analysis #
##########

# Communicators #
172.16.253[.]129 (Victim) <> 199.36.76[.]113 (Attacker)


# Analysis of Events #
Traffic is tunneled over the DNS port
 - All traffic is sent over TCP port 53 (172 -> 199). The port is the DNS port, but the payload is not DNS; in Wireshark the display filter tcp.port == 53 && !dns isolates it.

Each transmission begins with the identifier 9002, the marker that gives this malware family (and this capture) its name.
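The two observations above (TCP on port 53 that is not DNS, and a 9002 marker at the start of each message) can be checked mechanically rather than by scrolling through packets. The following Python script is an added example, not part of the original post or of any 9002 tooling: it walks a classic pcap with nothing but the standard library, keeps TCP payloads on port 53, concatenates them per direction, splits each direction at the 9002 marker and lists the Windows paths that appear in cleartext. The traffic it runs on is constructed inline (the C2 address 198.51.100.7 is a TEST-NET placeholder, the 12 zero bytes after the marker are a stand-in for a header, and the file names are invented); the real 9002 header layout is not parsed because the post does not describe it.

```python
import re
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
MARKER = b"9002"                 # leading bytes of every message in the capture
PATH_RE = re.compile(rb"[A-Za-z]:\\[^\x00-\x1f<>|\"]+")   # Windows paths in cleartext


def iter_pcap_records(data):
    """Yield raw link-layer frames from a little-endian classic pcap (no pcapng support)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off = 24                                       # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp_frame(frame):
    """Return (src, dst, sport, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    if frame[23] != IPPROTO_TCP:                   # IP protocol field at IP offset 9
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    return src, dst, sport, dport, frame[tcp + data_off:14 + total_len]


def reassemble_port53(pcap_bytes):
    """Concatenate TCP payloads per (src, dst) for flows touching port 53.
    Assumes in-order delivery and no retransmissions; a real capture should be
    reassembled by sequence number (or with Wireshark's Follow TCP Stream)."""
    streams = defaultdict(bytes)
    for frame in iter_pcap_records(pcap_bytes):
        parsed = parse_tcp_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if 53 in (sport, dport) and payload:
            streams[(src, dst)] += payload
    return streams


def split_messages(stream):
    """Split one direction's byte stream at each 9002 marker, keeping the marker on each message."""
    return [MARKER + p for p in stream.split(MARKER)[1:]]


def find_paths(stream):
    """Windows paths visible in cleartext (update.exe launch, directory walks, file pulls)."""
    return [m.decode("latin-1") for m in PATH_RE.findall(stream)]


def analyze(pcap_bytes):
    """Per direction: number of 9002-framed messages and the cleartext paths they carry."""
    return {f"{s} -> {d}": {"messages": len(split_messages(b)), "paths": find_paths(b)}
            for (s, d), b in reassemble_port53(pcap_bytes).items()}


# --- constructed demo traffic (not from the Contagio capture) --------------------
def make_frame(src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums stay zero since nothing hits a NIC."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


C2, VICTIM = "198.51.100.7", "172.16.253.129"   # C2 is a TEST-NET-2 placeholder
HDR = MARKER + b"\x00" * 12                     # marker plus a stand-in header
DEMO_PCAP = build_pcap([
    make_frame(C2, VICTIM, 53, 1030, HDR + b"C:\\Recycler\\update.exe\x00"),
    make_frame(VICTIM, C2, 1030, 53, HDR + b"C:\\Documents and Settings\\Laura\\Desktop\\report.doc\x00"),
    make_frame(C2, VICTIM, 53, 1030, HDR + b"C:\\Documents and Settings\\Laura\\Desktop\\report.doc\x00"),
    make_frame(VICTIM, C2, 1030, 53, HDR + b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # OLE2 magic, segment 1
    make_frame(VICTIM, C2, 1030, 53, b"...rest of the document body..."),         # segment 2, no marker
    make_frame(VICTIM, "198.51.100.9", 1031, 80, b"GET / HTTP/1.0\r\n\r\n"),     # unrelated, ignored
])

if __name__ == "__main__":
    for direction, summary in analyze(DEMO_PCAP).items():
        print(direction, summary)
```

Against a real capture, read the file with open(path, "rb") and pass the bytes to analyze(). Two caveats: the reassembly is a plain concatenation that trusts capture order, so retransmissions or reordering will corrupt the streams; and splitting on the literal bytes 9002 will also cut a message wherever a transferred document happens to contain that string, so a carved file has to be delimited by the protocol's own length fields, not by the marker alone.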

There is an EXE file that is transferred; I am currently unable to open the EXE.
 - The EXE file was downloaded from 199.36.76[.]113

The EXE file is only 107kB in length (roughly packets 1-52).

Packets 58 to 464 contain a large section of encrypted data which I am unable to decode at this time.

Beginning with packet 474, cleartext directory listings and user-permission data become apparent.

Packet 474 = 199.36.76[.]113 appears to request execution of update.exe from the C:\Recycler directory.

Packet 481 = 172.16.253[.]129 sends a user SID string: S-1-5-2175567827500-839114

Packets 491 - 517 = Contain the following references:
 - Bablefish.exe (Babel Fish is a commonly used translation service; the name alone does not prove this is the legitimate program)
 - Located within Documents and Settings\Administrator\Desktop
 - Searches of the Recent Items and Cache folders (packet 510)

Packet 518 = 199.36.76[.]113 requests the file "C:\Documents and Settings\Laura\Desktop\China's National Defense 2012.doc".
 - The document appears to contain a whitepaper style briefing on Chinese political, military, and social policies and standards. The document transmits until packet 617.

NOTE - I am currently unable to extract this doc from the pcap, as I am unable to isolate exactly the bytes needed to re-create the file; they appear to be mangled :(. This will continue throughout all of the files mentioned in this post.

Packet 619 = 199.36.76[.]113 requests the file "C:\Documents and Settings\Laura\Desktop\uygh.jpg". The image is transmitted until packet 688.

 - I am currently unable to extract this jpg from the pcap, as I am unable to isolate exactly the bytes needed to re-create the image.

Packet 691 = 199.36.76[.]113 requests the file "C:\Documents and Settings\Laura\My 1\071.doc".

Packets 710 - 1794 = Contain encrypted data which I am not able to decrypt at this time.

Packet 1796 = 192.36.76[.]113 requests the same file as at packet 691, but this time cleartext data follows:
 - "C:\Documents and Settings\Laura\My 1\071.doc"
 - Contains "Programs of Joint Funds The j..f|.. set up by NSFC and other relevant government departments"
 - Topics like "Infared Radio", "cosmology", "galaxies", and "solar systems". "national research platforms (observ..., bases) in astronomical fields that are already established by." "Chinese Academyd...Sciences." "1. Studies on the control of south...3inental tectonic evolution and sediment basin material filling procesH..ver marine oil...gas enrichd" "3. Studies on two-phase stainless steel heat processing behavior and the mechanism of surface oxidation (E041601)"

- An address is found:
"Contn.in.;.ion:
Depo..X..MathemaT.H.pW.Physical Sx{.ces,.:..
Address: 83, Shuangqw RoaX_.Haidian D`..ict, Beij\:.
Post code: 100085'X.dj ons: Liu Xiz.+..nd Pu Men
Tel: 010-62326910"

- A PO Box is found:
PO Box 919, Mianyang
Sict.".!.vince*d..6219004d..Qiang...Cao Yl...
816-2484487

Packet 2388 = 192.36.76[.]113 requests the file "C:\Documents and Settings\Laura\My 1\12238603_T*upp.?"
 - Contains information from "California and Sumatra: Journal of Geophysical Research"

Packet 2453 = 192.36.76[.]113 requests the file "C:\Documents and Settings\Laura\My 1\146129944.doc"

 - Contains a report with the title "HIGHLY PATHOGENIC AVIAN INFLUENZA IN THE PEOPLE'S REPUBLIC OF CHINA"

Packet 2569 = 192.36.76[.]113 requests the file "C:\Documents and Settings\Laura\My 1\201*4*2216*97.doc"
 - Contains a report with the title "The 11th China Xinjiang (Karamay) International Petroleum"

Packet 2781 = 192.36.76[.]113 requests the file "C:\Documents and Settings\Laura\My 1\201*2*8132735180.doc"
 - Contains a report with the title "The 2nd China Xinjiang International Mining Expo & Forum"

Packet 3304 = 192.36.76[.]113 requests the file "C:\Documents and Settings\Laura\My 1\2011324*8255367862.doc"
 - Contains a report with the title "Overview of the Investment Environ....in Urumqi"

Packet 3400 = 192.36.76[.]113 requests the file "C:\Documents and Settings\Laura\My 1\2338_UN_Diplomats_Resume_Difficult_Human_Rights_Talks.doc"

Packet 3423 = 192.36.76[.]113 requests the file "C:\Documents and Settings\Laura\My 1\448798-1920x1*0-*myWallpapers*.jpg"

Packet 5411 = 192.36.76[.]113 requests the file "C:\Documents and Settings\Laura\My 1\7.doc"
 - Contains a report with the title "Bringing China to Arkansas Lesson Plans"

Packet 5435 = 192.36.76[.]113 requests the file "C:\Documents and Settings\Laura\My 1\APP*CALENDAR 201*(4A)AM.ED.xls"

Packet 5474 = 192.36.76[.]113 requests the file "C:\Documents and Settings\Laura\My 1\Archives_of_the_CPA.xls"
 - Contains information on "Cable on formally re-establishlB..U.S.-Iraqi diplomatic*"

Packet 6431 = 192.36.76[.]113 requests the file "C:\Documents and Settings\Laura\My 1\*(August 1998) Profile of Asylum Claims and Country Conditions Report*.doc"
