PCAP - Contagio - BIN_rssfeeder



PCAP Analysis

##################
# MetaData Stuff #
##################

File name:
BIN_RssFeeder_68EE5FDA371E4AC48DAD7FCB2C94BAC7-2012-06.pcap

MD5|SHA1|SHA256 Hash:
b03dc80b9b89df9595dc16291e07c02d
f6ff1843779c4354377abcfa847f36d111d0aac9
4f63bac7e330b3114515d49de134a6f1eb9b84bad1916dff2fad35894287c67d

Size:
37382

Packets:
228

#####################
# High Level Review #
#####################

Within this PCAP there are three heavily active endpoints: one internal private-IP system, 172.16.253[.]240, and two external systems that the internal system first resolves via DNS and then contacts over HTTP:
Event #1 = huming386.livejournal[.]com resolving to 208.93.0[.]128
Event #2 = killme.98.shoptupian[.]com resolving to 216.83.45[.]18

Both communications are HTTP and, on the surface, look like RSS feed traffic; however, there are clear distinctions between them.

Event #1 is a GET request for /data/rss on 'huming386.livejournal[.]com'. The response body (referred to below as the "ZIP file") was 592 bytes in size and carried the value 'yuh3LXs6KS2H9PjPSW1ZUQ' as its MD5. Note that this is the base64 encoding of the 16 raw digest bytes, the form used by the HTTP Content-MD5 header, not a hex digest; decoded, it is cae8772d7b3a292d87f4f8cf496d5951, which is the form hash searches expect. The body is only partially contained within the PCAP, see screenshot.



As the following screenshot shows, the data in the packet begins with the bytes '1f 8b', which are the magic bytes of a gzip stream. Gzip is compression, not encryption: there is no password protecting this data. The most likely explanation is that the server returned the RSS feed with Content-Encoding: gzip and the "ZIP file" is that compressed response body.



However, the gzip stream could not be expanded with a standard tool, because it is not complete within the pcap: gunzip-style tools validate the 8-byte CRC32/length trailer at the end of the stream and refuse a truncated file outright, even though the leading part of the data is still decodable with a streaming inflater. See the following screenshot of an attempt to 'unzip' the data extracted from the pcap.



Further investigation within the pcap did not reveal the missing data: only two packets carry the response body, the HTTP response itself and the one subsequent TCP PSH, ACK segment. The remaining segments of the transfer are simply not present in the given pcap.

Event #2 pertains to the internal system performing an HTTP POST to 'killme.98.shoptupian[.]com'. The POST body contains information about the local system, 172.16.253[.]240. The fields are as follows:
- cstype=server
- authname=servername
- authpass=serverpass
- hostname=DELLXT
- ostype=Microsoft Windows XP Professional3
- macaddr=00:0C:29:71:24:89
- owner=two13
- version=1.2.0
- t=4841



This has been confirmed as the client reporting its own system information: the MAC address in the POST body, 00:0C:29:71:24:89, matches the Ethernet source address of the internal system in the capture. (The 00:0C:29 OUI is assigned to VMware, so the victim host is a VMware virtual machine.) See the following screenshot.



Event #2 posts local system details to an external host: what appear to be hard-coded client credentials (authname/authpass), the hostname, MAC address, OS type, an 'owner' tag and a client version number, and the server answers with an empty command list. This is the behaviour of a beacon checking in with a command-and-control server, and it is highly likely the internal system is compromised. Whether Event #1, the download of the gzip-compressed feed, is itself malicious is unclear at this time; given that the two events occur roughly simultaneously, it is highly likely that they are linked in the same compromise, which results in internal system information being sent to an external host. Recovering the full feed body is required before its role can be determined.

Future plans:
Should these same events take place within a production or enterprise environment, an investigation should be started focusing on the external hosts 216.83.45[.]18 (killme.98.shoptupian[.]com, POST /orange/news.php) and 208.93.0[.]128 (huming386.livejournal[.]com, GET /data/rss). Because huming386.livejournal[.]com is a user blog on the shared LiveJournal platform, the IP alone will also match legitimate traffic; pivot on the hostname and URL rather than the address. Any system found communicating with these hosts should be investigated, ideally by searching proxy and DNS logs for the two hostnames. A file-hash hunt is of limited value here: the MD5 ('yuh3LXs6KS2H9PjPSW1ZUQ', hex cae8772d7b3a292d87f4f8cf496d5951) identifies the compressed response body as served, and a decompressed copy on disk would hash differently. Since the body is gzip-compressed rather than password-protected, no decryption is needed: a complete copy of the response, from a proxy cache or a fresh capture, can simply be decompressed and handed to the forensic team.

############
# Analysis #
############

# Communicators #
Format: IP - packets in which the address is source or destination - share of the 228 packets. Each packet is counted for both of its endpoints, so the percentages sum to about 200%.
4.2.2[.]2 - 4 - 1.7%
8.8.8[.]8 - 4 - 1.7%
172.16.253[.]130 - 1 - 0.4%
172.16.253[.]240 - 216 - 94.7%
208.93.0[.]128 - 81 - 35.5%
216.83.45[.]18 - 122 - 53.5%
224.0.0[.]22 - 5 - 2.2% (IGMPv3 all-routers multicast, local noise)
255.255.255[.]255 - 1 - 0.4% (local broadcast)

# Analysis of Events #
There are two separate events performed by 172.16.253[.]240:

Event #1
--------
172.16.253[.]240 performs a DNS request for huming386.livejournal[.]com
- 4.2.2[.]2 (Level3) and 8.8.8[.]8 (Google DNS) return the IP: 208.93.0[.]128

172.16.253[.]240 performs an HTTP GET request for /data/rss (the feed path); the response body is the compressed "ZIP file" discussed above
- User-Agent = Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1) Gecko/20090624 Firefox/3.5

208.93.0[.]128 responds with the requested feed body
- MD5 = yuh3LXs6KS2H9PjPSW1ZUQ (base64 form, as in the HTTP Content-MD5 header; hex cae8772d7b3a292d87f4f8cf496d5951)
- Size = 592 bytes
- Body is gzip-compressed, not encrypted.
- See screenshot, which shows the leading bytes '1f 8b', the gzip magic number.
- Sadly, the gzip stream is not complete within this pcap file, and I am not able to unzip it with a standard tool, which needs the trailing CRC32/length. Upon attempt, I receive the following error, See Screenshot.
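The two things the Event #1 analysis needed (here and in the High Level Review above) are a hex form of the base64 MD5 and a way to get something out of a gzip body that is cut short. The following is an added example, not part of the original write-up: it converts the Content-MD5 value, checks the gzip magic, and uses a streaming inflater so that a truncated stream still yields its decodable prefix instead of the hard failure gunzip gives. The gzip body it works on is constructed from a fake RSS document, not the bytes from the pcap.

```python
"""Added example: handle the Event #1 response body.

 * convert the base64 Content-MD5 value into the hex digest that hash
   searches and threat-intel lookups expect;
 * check the gzip magic bytes;
 * recover as much of a truncated gzip body as possible. gunzip refuses
   the file because the 8-byte CRC32/ISIZE trailer is missing, but a
   streaming inflater emits output as it consumes input.

The sample gzip body is constructed here from a fake RSS document; it is
not the data from the capture.
"""
import base64
import binascii
import gzip
import zlib
from typing import Tuple

GZIP_MAGIC = b"\x1f\x8b"


def content_md5_to_hex(b64_value: str) -> str:
    """Decode a Content-MD5 value (base64 of the 16 raw digest bytes; the
    trailing '=' padding is often dropped in notes) to a hex digest."""
    padded = b64_value + "=" * (-len(b64_value) % 4)
    raw = base64.b64decode(padded)
    if len(raw) != 16:
        raise ValueError(f"expected a 16-byte MD5 digest, got {len(raw)} bytes")
    return binascii.hexlify(raw).decode()


def is_gzip(body: bytes) -> bool:
    """True if the body starts with the gzip magic number 1f 8b."""
    return body[:2] == GZIP_MAGIC


def inflate_partial(body: bytes) -> Tuple[bytes, bool]:
    """Decompress a possibly truncated gzip stream.

    Returns (decoded_bytes, complete). A cut-off stream still yields the
    prefix that was decodable; `complete` is True only when the trailer
    was seen and the CRC verified.
    """
    if not is_gzip(body):
        raise ValueError("not a gzip stream")
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # +16: expect the gzip wrapper
    try:
        out = d.decompress(body)
    except zlib.error as exc:  # corrupted (not merely short) input
        raise ValueError(f"inflate failed: {exc}") from exc
    return out, d.eof


# --- constructed sample data (not from the pcap) ---------------------------
def _fake_feed() -> bytes:
    items = "".join(
        f"<item><title>post {i}</title><link>http://example.invalid/{i}</link></item>"
        for i in range(40)
    )
    return f'<?xml version="1.0"?><rss><channel>{items}</channel></rss>'.encode()


def demo() -> dict:
    """Run the checks on a complete and on a truncated copy of the sample."""
    feed = _fake_feed()
    full = gzip.compress(feed)
    truncated = full[: len(full) * 6 // 10]  # simulate the segments missing from the pcap

    whole, done = inflate_partial(full)
    prefix, done_trunc = inflate_partial(truncated)
    return {
        "md5_hex": content_md5_to_hex("yuh3LXs6KS2H9PjPSW1ZUQ"),
        "full_ok": done and whole == feed,
        "trunc_complete": done_trunc,
        "trunc_prefix_ok": len(prefix) > 0 and feed.startswith(prefix),
        "trunc_bytes": len(prefix),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To apply it to the capture, export the reassembled response body from the PSH, ACK segment (Wireshark: Follow TCP Stream, save the server side as raw) and pass those bytes to `inflate_partial`; anything it returns is the start of the feed as the server sent it.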



Event #2
--------

172.16.253[.]240 performs a DNS request for killme.98.shoptupian[.]com
- 4.2.2[.]2 (Level3) and 8.8.8[.]8 (Google) return the IP: 216.83.45[.]18

172.16.253[.]240 performs an HTTP POST to /orange/news.php HTTP/1.1
- User-Agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
- Note that this User-Agent (MSIE 7.0) differs from the Firefox 3.5 User-Agent used by the same host in Event #1 moments earlier, which suggests the POST was issued by a separate process with its own hard-coded User-Agent rather than by the user's browser.
- POSTs the following Info:
- cstype=server
- authname=servername
- authpass=serverpass
- hostname=DELLXT
- ostype=Microsoft Windows XP Professional3
- macaddr=00:0C:29:71:24:89
- owner=two13
- version=1.2.0
- t=4841

216.83.45[.]18 (an IIS 6 web server with ASP.NET and PHP/5.2.17, per its response headers) returns the following body:
- <div id="0a552b5a4352">{'command':[]}</div>
- This reads as a check-in reply carrying an empty command list, i.e. the server had no tasks for this client at the time of capture. The payload uses single quotes, so it is not valid JSON.
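The Event #2 check-in described here and in the High Level Review is simple enough to turn directly into a detection. The following is an added example, not part of the original analysis: it parses the urlencoded POST body into the beacon fields, repeats the analyst's MAC-address confirmation against the Ethernet source seen on the wire, and parses the server's single-quoted command list. The request body and reply are constructed from the values quoted in the write-up; the benign login form used as a negative case and the exact wire layout are assumptions.

```python
"""Added example: parse the Event #2 check-in and turn it into a detection.

SAMPLE_BODY / SAMPLE_REPLY are constructed from the fields the write-up
lists; BENIGN_BODY is an invented negative case. In practice the same
functions would be fed request bodies from a proxy log or a tshark/Zeek
export.
"""
import ast
import re
from typing import Optional
from urllib.parse import parse_qs

# The field set that identifies this client's check-in. Requiring all of
# them keeps the rule from firing on ordinary login forms that happen to
# use 'hostname' or 'version'.
BEACON_KEYS = {"cstype", "authname", "authpass", "hostname", "macaddr", "owner", "version"}

# Check-in reply shape: <div id="<hex>">{'command':[...]}</div>
REPLY_RE = re.compile(r'<div id="([0-9a-f]+)">(\{.*?\})</div>', re.S)


def parse_checkin(body: str) -> Optional[dict]:
    """Return the beacon fields if `body` carries the full key set, else None."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if not BEACON_KEYS.issubset(fields):
        return None
    return fields


def mac_matches_wire(fields: dict, wire_src_mac: str) -> bool:
    """The analyst's confirmation step: the MAC the client reports must equal
    the Ethernet source address seen in the capture."""
    return fields["macaddr"].lower() == wire_src_mac.lower()


def parse_reply(html: str) -> Optional[dict]:
    """Extract the command list. The server sends single-quoted pseudo-JSON,
    which json.loads rejects; ast.literal_eval parses it without executing it."""
    m = REPLY_RE.search(html)
    if not m:
        return None
    try:
        payload = ast.literal_eval(m.group(2))
    except (ValueError, SyntaxError):
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("command"), list):
        return None
    return {"id": m.group(1), "commands": payload["command"]}


def assess(body: str, reply_html: str, wire_src_mac: str) -> dict:
    """Combine the checks into one verdict for a request/response pair."""
    fields = parse_checkin(body)
    reply = parse_reply(reply_html)
    return {
        "is_beacon": fields is not None,
        "mac_confirmed": bool(fields) and mac_matches_wire(fields, wire_src_mac),
        "tasks_pending": bool(reply and reply["commands"]),
        "owner": fields["owner"] if fields else None,
    }


# --- constructed sample traffic (values from the write-up, layout assumed) ---
SAMPLE_BODY = (
    "cstype=server&authname=servername&authpass=serverpass&hostname=DELLXT"
    "&ostype=Microsoft+Windows+XP+Professional3&macaddr=00:0C:29:71:24:89"
    "&owner=two13&version=1.2.0&t=4841"
)
SAMPLE_REPLY = '<div id="0a552b5a4352">{\'command\':[]}</div>'
WIRE_SRC_MAC = "00:0c:29:71:24:89"  # Ethernet source of 172.16.253.240 in the pcap
# An invented benign login form sharing a couple of field names must not match.
BENIGN_BODY = "username=alice&password=hunter2&hostname=laptop&version=3"

if __name__ == "__main__":
    print(assess(SAMPLE_BODY, SAMPLE_REPLY, WIRE_SRC_MAC))
    print(assess(BENIGN_BODY, "<html></html>", WIRE_SRC_MAC))
```

`tasks_pending` is the field to alert on with priority: a non-empty command list means the operator has started tasking the host, not merely registering it.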


