PCAP-Contagio-BIN_Enfal_Lurid




PCAP Analysis

##################
# MetaData Stuff #
##################

File name:
BIN_Enfal_Lurid_0fb1b0833f723682346041d72ed112f9_2013-01.pcap

MD5|SHA1|SHA256 Hash:
eb1add698849b43f0ee4e88741e7a4bf
690670f3894cb7255fa2733a1118ba9a71cc5f4d
bd515fc3e6b36a50d4e9f7bd7a0839c52f3a1c51829a1bf5e788579be8556342

Size:
12110

Packets:
84

#####################
# High Level Review #
#####################

On January 6, 2013, internal system 172.16.253[.]129 performed a DNS request for the domain europd.ddns[.]info. At the time of this recording the domain resolved to the IPv4 address 173.231.54[.]69.

The internal system immediately initiated a TCP connection with the external system and began an encrypted TLS v1.0 session. The private key for the encrypted communication was not available, so a decrypted view of the traffic between the two systems was not possible. What is available is that between the beginning of the communication at 03:33:51 UTC and 03:35:56 UTC a total of 1265 bytes were exchanged between the internal system and the external system: 727 bytes were sent from the external system to the internal system, while 538 bytes were sent from the internal system to the external system.

The certificate was pulled from the pcap and contained the following, relatively unhelpful, Organization details:
- Signature = 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
- Organization Name = SomeOrganization
- State = SomeState
- City = SomeCity
- Email = root@10_01[.]lvqiucai



The email address is a unique indicator which points back to the Enfal Lurid driveback attack, which is the basis for this pcap. Without spoiling the pcap analysis by bringing in 5-year-old analysis of this attack, I will stick to just what is in the PCAP itself.

It is important to note that this PCAP does not specifically call out the context of the events surrounding the connection to europd.ddns[.]info. Given that fact, there is no available context for determining why the internal system made the outbound connection to the external system. Unless the domain or its external IP address was associated with a Threat Intel listing of suspicious IPs or domains, it would have been difficult to ascertain the severity of this connection.

Having the beauty of hindsight for this particular investigation, the Enfal Lurid attack is relatively well known, and there are several examples of the malware downloaded from europd.ddns[.]info within VirusTotal. Had these tools not been available, then the following investigative steps would be recommended:
- Investigate other instances of internal systems communicating with europd.ddns[.]info and 173.231.54[.]69
- Perform an investigation on the internal system to ascertain what processes were running on the system at the time of the connection.
- Determine if any additional processes were initiated after connection to the external site.

############
# Analysis #
############

# Communicators #
Host - Packets - Share of 84 packets
172.16.253[.]129 - 38 - 45.23%
173.231.54[.]69 - 33 - 39.28%
4.2.2[.]2 - 4 - 4.76%
8.8.8[.]8 - 4 - 4.76%
172.16.253[.]254 - 3 - 3.57%
65.55.21[.]13 - 1 - 1.19%

# Analysis of Events #

DNS Requests:
Packet #2
172.16.253[.]129 performs a DNS request for time.windows.com
- 4.2.2[.]2 and 8.8.8[.]8 respond with 65.55.21.13

Packet #11
172.16.253[.]129 performs a DNS request for europd.ddns.info
- 4.2.2[.]2 and 8.8.8[.]8 respond with 173.231.54.69

Packet #26
172.16.253[.]129 performs a DNS request for www.download.windowsupdate.com
- 4.2.2[.]2 and 8.8.8[.]8 respond with seven answers, two of which are IP addresses, 208.47.254.59 & 208.47.254.82

Packet #51
172.16.253[.]129 performs a second DNS request for europd.ddns.info
- 4.2.2[.]2 and 8.8.8[.]8 respond with 173.231.54.69

HTTPS Communication:
Packet #15
172.16.253[.]129 establishes a connection with 173.231.54.69. At packet #20, the communication is successfully encrypted using TLSv1.0. The TLS Certificate has the following metadata:
- Size = 1003 bytes
- Certificate = 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
- Signature = 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
- Organization Name = SomeOrganization
- State = SomeState
- City = SomeCity
- Email = root@10_01[.]lvqiucai
- Public Key = 30818902818100e0b51ab1050d77e061367a06621e230a352576a63dd9e9997034918ffd46187bafccdca76c02c6d7a8522210c3d0f31ae9583aa33e87036d3f95717fea9ecc39653b531d85710e937002f477ef753f0aa243d6e8f0b8ba81554cdc383d9a8c9da3337a622c8e2c853cad0c3cb352f2ca0b347f222e004e2a92e3483b9f6adfe90203010001
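
Even without the private key, the certificate's public key and signature algorithm say something about the server. The Python script below is an added example, not part of the original write-up: it decodes the Public Key hex listed above as a DER-encoded RSAPublicKey (SEQUENCE of two INTEGERs, per PKCS #1) with a minimal hand-written TLV reader, reports the modulus size and exponent, and flags the points an analyst would note. The key bytes and the signature OID are copied from the list above; the thresholds (a 2048-bit minimum and treating the MD5/SHA-1 RSA signature OIDs as weak) are this script's own assumptions.

```python
# Public key bytes transcribed from the certificate metadata above (RSAPublicKey DER).
CERT_PUBLIC_KEY_HEX = (
    "30818902818100e0b51ab1050d77e061367a06621e230a352576a63dd9e9997034918f"
    "fd46187bafccdca76c02c6d7a8522210c3d0f31ae9583aa33e87036d3f95717fea9ecc"
    "39653b531d85710e937002f477ef753f0aa243d6e8f0b8ba81554cdc383d9a8c9da333"
    "7a622c8e2c853cad0c3cb352f2ca0b347f222e004e2a92e3483b9f6adfe90203010001"
)

# Signature algorithm OID transcribed from the certificate metadata above.
CERT_SIGNATURE_OID = "1.2.840.113549.1.1.5"  # sha1WithRSAEncryption

# Assumption for this example: these RSA signature OIDs are treated as weak.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}


def _read_tlv(data: bytes, pos: int):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_rsa_public_key(hex_key: str) -> dict:
    """Decode RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    data = bytes.fromhex(hex_key)
    tag, seq, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected a single top-level SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected exactly two INTEGERs inside the SEQUENCE")
    # A leading 0x00 byte only keeps the INTEGER positive; int.from_bytes drops it.
    modulus = int.from_bytes(n_bytes, "big")
    exponent = int.from_bytes(e_bytes, "big")
    return {"modulus": modulus, "modulus_bits": modulus.bit_length(), "exponent": exponent}


def assess_certificate(key_info: dict, signature_oid: str, min_bits: int = 2048) -> list:
    """Return the analyst-facing findings for this key and signature algorithm."""
    findings = []
    if key_info["modulus_bits"] < min_bits:
        findings.append(f"RSA modulus is {key_info['modulus_bits']} bits (below {min_bits})")
    if key_info["exponent"] not in (3, 17, 65537):
        findings.append(f"unusual public exponent {key_info['exponent']}")
    if key_info["modulus"] % 2 == 0:
        findings.append("modulus is even (malformed key)")
    if signature_oid in WEAK_SIGNATURE_OIDS:
        findings.append(f"certificate signed with {WEAK_SIGNATURE_OIDS[signature_oid]}")
    return findings


if __name__ == "__main__":
    info = parse_rsa_public_key(CERT_PUBLIC_KEY_HEX)
    print(f"modulus: {info['modulus_bits']} bits, exponent: {info['exponent']}")
    for f in assess_certificate(info, CERT_SIGNATURE_OID):
        print("finding:", f)
```

The decoded key is a 1024-bit RSA modulus with exponent 65537 under a SHA-1 signature, which together with the placeholder Organization fields marks this as a self-generated certificate rather than one from a public CA; the key's modulus itself is a usable pivot for finding other servers that present the same certificate.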

Packets #30 and #32 contain the encrypted application data. Additionally, the following packets contain encrypted application data: 45, 48, 63, 65, 78, and 80.

No private key is available, so the TLS v1.0 traffic could not be decrypted.
