PCAP - Contagio - Gh0st-gif

BOO!!!!!!

PCAP Analysis

################
# MetaData Stuff #
################

File name:
BIN_Gh0st-gif_f4d4076dff760eb92e4ae559c2dc4525.pcap

MD5|SHA1|SHA256 Hash:
f99816578553c66ea2f96af4551e6278
fd89caceb0aaccfe0c912434207aa0e742ab008f
b14e30d836c04f46427421646e901cb086bb7796c8a32ad110aa5cbafa5e77ec

Size:
5502 bytes

Packets:
51

#####################
# High Level Review #
#####################

The internal system 172.16.253[.]130 opens three TCP connections to godson355.vicp[.]cc on port 110 and sends the same HTTP-style request over each: 'GET /h.gif?pid =113&v=130586214568'. Port 110 is the POP3 port, which is why Wireshark labels the traffic as POP, but the payload is a plain HTTP GET, not a mail session. Source ports are sequential from 1067-1069. Within the PCAP the first and second sessions are torn down with a RST/ACK after 34ms and 33ms respectively; the third session is never seen to close. Following the TCP stream of each request gives the following:



Each GET asks the server for the file h.gif. The size of the file itself is not stated anywhere in the request. The GET packet is 243 bytes; if that is the frame length as Wireshark reports it, then after removing the 14-byte Ethernet header, the 20-byte IP header and the 20-byte TCP header roughly 189 bytes of HTTP request (the request line plus headers) remain. That figure describes the request, not the image: the size of h.gif would only be visible in the server's HTTP response, and the capture does not appear to contain a completed response to work from. A request of that size is unremarkable on its own; given the malicious history attached to this domain, however, the file being fetched is unlikely to be a funny cat picture or other office-culture gif.
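The header arithmetic above is easy to get wrong by hand, so here is an added example (my own code, not from the original post) that reads a libpcap file using only the standard library, decodes the Ethernet, IPv4 and TCP headers from their actual length fields instead of assuming 20 bytes each, pulls out every session that carries an HTTP request line, and reports request size, session duration and whether it ended with a RST. The capture it runs on is constructed inside the block to mirror the three port-110 sessions described above: the client and server addresses and ports come from the post, while the timestamps, TCP packet sequence and request headers are assumptions. The `http_payload_size` helper shows why the post's 243-byte frame leaves about 189 bytes of HTTP request once the 14-byte Ethernet header is counted, and why that number says nothing about the size of h.gif.

```python
"""Find sessions carrying an HTTP request on a non-HTTP port in a libpcap file.

Added example, not code from the original post. Standard library only; the
capture is constructed below (addresses/ports from the post, the rest assumed)."""
import struct

SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")


def iter_pcap(data):
    """Yield (timestamp_us, frame) for each record in a libpcap capture."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec * 1_000_000 + usec, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Decode Ethernet/IPv4/TCP; return addresses, header sizes and payload, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                   # real IP header length (IHL field)
    if ip[9] != 6:                             # not TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                  # real TCP header length (data offset)
    return dict(src=".".join(map(str, ip[12:16])), dst=".".join(map(str, ip[16:20])),
                sport=sport, dport=dport, ihl=ihl, doff=doff, flags=tcp[13],
                payload=tcp[doff:], frame_len=len(frame))


def http_payload_size(frame_len, eth=14, ihl=20, doff=20):
    """HTTP bytes left in a frame after the link, IP and TCP headers are removed."""
    return frame_len - eth - ihl - doff


def analyze_capture(data):
    """One record per session that carries an HTTP request, sorted by source port."""
    sessions = {}
    for ts, frame in iter_pcap(data):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        key = tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))
        s = sessions.setdefault(key, {"first": ts, "last": ts, "reset": False, "req": None})
        s["last"] = ts
        s["reset"] |= bool(pkt["flags"] & RST)
        if s["req"] is None and pkt["payload"].startswith(HTTP_METHODS):
            s["req"] = dict(client=pkt["src"], sport=pkt["sport"], server=pkt["dst"],
                            dport=pkt["dport"], ihl=pkt["ihl"], doff=pkt["doff"],
                            frame_len=pkt["frame_len"], http_bytes=len(pkt["payload"]),
                            request_line=pkt["payload"].split(b"\r\n", 1)[0].decode("ascii", "replace"))
    out = []
    for s in sessions.values():
        if s["req"]:
            r = dict(s["req"], duration_ms=(s["last"] - s["first"]) / 1000, reset=s["reset"])
            r["http_on_odd_port"] = r["dport"] not in (80, 8080)
            out.append(r)
    return sorted(out, key=lambda r: r["sport"])


# --- constructed capture (request headers are an assumption) ------------------
SAMPLE_REQUEST = (b"GET /h.gif?pid=113&v=130586214568 HTTP/1.1\r\n"
                  b"Host: godson355.vicp.cc\r\nUser-Agent: Mozilla/4.0\r\n\r\n")


def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP without options; checksums left zero (parser ignores them)."""
    ip_bytes = lambda a: bytes(int(x) for x in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def build_sample_pcap():
    """Three client sessions to TCP/110: two reset after 34/33 ms, one left open."""
    client, server, base = "172.16.253.130", "202.85.136.181", 1_359_946_263_000_000
    records = []

    def add(t, frame):
        records.append(struct.pack("<IIII", t // 1_000_000, t % 1_000_000, len(frame), len(frame)) + frame)

    for sport, start_s, reset_after_us in ((1067, 1, 34_000), (1068, 132, 33_000), (1069, 262, None)):
        t0 = base + start_s * 1_000_000
        add(t0, tcp_frame(client, server, sport, 110, SYN))
        add(t0 + 500, tcp_frame(server, client, 110, sport, SYN | ACK))
        add(t0 + 1_000, tcp_frame(client, server, sport, 110, ACK))
        add(t0 + 2_000, tcp_frame(client, server, sport, 110, PSH | ACK, SAMPLE_REQUEST))
        if reset_after_us:
            add(t0 + reset_after_us, tcp_frame(client, server, sport, 110, RST | ACK))
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(records)


if __name__ == "__main__":
    for r in analyze_capture(build_sample_pcap()):
        print(f"{r['client']}:{r['sport']} -> {r['server']}:{r['dport']}  {r['request_line']}")
        print(f"  frame {r['frame_len']}B = 14 eth + {r['ihl']} ip + {r['doff']} tcp + {r['http_bytes']} http;"
              f" open {r['duration_ms']} ms; reset={r['reset']}; odd port={r['http_on_odd_port']}")
    print("the post's 243-byte frame leaves", http_payload_size(243), "bytes of HTTP request")
```

Run it directly for a per-session summary, or feed the real capture's bytes to `analyze_capture` to get the same breakdown for BIN_Gh0st-gif. The parser honours IHL and the TCP data offset, so IP and TCP options are skipped correctly, but it does not handle VLAN-tagged frames or the pcapng format.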

[Screenshot: IP header size (20 bytes)]

[Screenshot: TCP header size (20 bytes)]


The site godson355.vicp[.]cc has a sordid history of resolving to IP addresses that have been tagged as malicious by industry tools such as PassiveTotal. The history of this site is as follows:

Between 2014-07-31 -> 2014-11-04 the site resolved to the Hong Kong IP address 210.209.118[.]87.
  - Address: 17/F Chevalier Commercial Centre, Hong Kong
  - This IP has also hosted at least three domains tagged as malicious:
    - mailindia.imbbs[.]in - 2014-07-31 -> 2018-03-15
    - softinc[.]pw - 2014-08-11 -> 2015-08-21
    - godson355.vicp[.]cc - 2014-07-31 -> 2014-11-04
During the window that contains this PCAP's capture date, 2013-02-04 -> 2014-05-14, the site resolved to 202.85.136[.]181.
  - Address: IADVANTAGE, 399 Chai Wan Road, Hong Kong
  - This IP has also hosted at least two domains tagged as malicious:
    - gen2012.eicp[.]net - 2013-08-28 -> 2018-03-15
    - godson355.vicp[.]cc - 2013-02-04 -> 2014-05-14
Between 2013-03-29 -> 2013-05-03 (a window that overlaps the one above; passive DNS records both resolutions) the site resolved to the tagged-malicious IP address 50.117.115[.]89.
  - Address: EGIHosting, 55 S. Market St. Suite 1616, San Jose, CA, 95113
Finally, between 2012-07-19 -> 2013-03-23 the site resolved to the Chinese IP address 61.178.77[.]111.
  - Address: No.405 Pingliang Road, LANZHOU, CHINA
  - godson355 is the only domain hosted on this IP that has been tagged as malicious; however, two other domains are known to have been hosted there, one of which follows a very similar naming convention:
    - godson555.gicp[.]net - 2012-06-09 -> 2012-06-10
    - liveupdates.3322[.]org - 2011-03-31 -> 2011-11-15

At this time it is unclear what the contents of the file h.gif were, perhaps hence the name Gh0st-gif. The PCAP file did not contain the data in a form from which I was able to extract it. If someone has the means to extract this data, please let me know! I would like to know the file's contents and metadata values, and perhaps do some more digging!

Additionally, the only data I can pull out of this PCAP that could assist others is the list of malicious IP addresses and domains uncovered during the research. Should anyone find internal systems connecting to any of these, it would be highly suspicious.

Let me know if there is anything I missed, or just let me know if there are any comments you have on the analysis.
Thanks


IoCs
~~~~~

IP Addresses:
202.85.136[.]181
210.209.118[.]87
50.117.115[.]89
61.178.77[.]111

Domains:
godson355.vicp[.]cc
mailindia.imbbs[.]in
softinc[.]pw
gen2012.eicp[.]net
godson555.gicp[.]net (maybe not bad, but still suspicious)
liveupdates.3322[.]org (maybe not bad, but still suspicious)
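To turn the list above into something a SOC can actually run, here is an added example (my own code, not from the original post) that refangs the indicators, matches DNS query-log and firewall-log lines against them, and ranks the internal hosts to triage first. The indicators are the post's own; the log lines are constructed, and their formats (a BIND-style query log and an iptables-style firewall log) are assumptions. It also adds a low-confidence tier for any lookup under vicp.cc, eicp.net, gicp.net or 3322.org, which are dynamic-DNS zones; treating those parent zones as a watch list is my addition, not something the post recommends.

```python
"""Sweep DNS and firewall log lines for the indicators listed above.

Added example, not part of the original post. Indicators are the post's own;
log lines and their formats are constructed; the WATCH_ZONES tier is my own
assumption, not a claim the post makes."""
import re

# Indicators from the write-up, kept defanged exactly as published.
IOC_IPS = {
    "202.85.136[.]181": "high", "210.209.118[.]87": "high",
    "50.117.115[.]89": "high", "61.178.77[.]111": "high",
}
IOC_DOMAINS = {
    "godson355.vicp[.]cc": "high", "mailindia.imbbs[.]in": "high",
    "softinc[.]pw": "high", "gen2012.eicp[.]net": "high",
    "godson555.gicp[.]net": "medium", "liveupdates.3322[.]org": "medium",
}
# Assumption: these parent zones are free dynamic-DNS services, so any host
# under them deserves a look even when it is not on the list above.
WATCH_ZONES = {"vicp.cc", "eicp.net", "gicp.net", "3322.org"}

# Constructed log formats: BIND-style query log and iptables-style firewall log.
DNS_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")
FW_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)")


def refang(ioc):
    """Turn the published 'a.b[.]c' form back into a matchable string."""
    return ioc.replace("[.]", ".").lower().rstrip(".")


def classify_domain(name):
    """(severity, indicator) for a queried name, exact or subdomain match; else None."""
    name = name.lower().rstrip(".")
    for ioc, sev in IOC_DOMAINS.items():
        d = refang(ioc)
        if name == d or name.endswith("." + d):
            return sev, ioc
    for zone in sorted(WATCH_ZONES):
        if name.endswith("." + zone):
            return "low", zone
    return None


def classify_ip(addr):
    """(severity, indicator) for a peer address on the IP list, else None."""
    for ioc, sev in IOC_IPS.items():
        if addr == refang(ioc):
            return sev, ioc
    return None


def scan_logs(lines):
    """Return one finding per matching line: who asked, what matched, how bad."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = DNS_RE.search(line)
        if m:
            hit = classify_domain(m["qname"])
            if hit:
                findings.append(dict(line=n, kind="dns", client=m["client"],
                                     severity=hit[0], indicator=hit[1]))
            continue
        m = FW_RE.search(line)
        if m:
            hit = classify_ip(m["dst"])
            if hit:
                findings.append(dict(line=n, kind="flow", client=m["src"], dport=int(m["dpt"]),
                                     severity=hit[0], indicator=hit[1]))
    return findings


def hosts_to_triage(findings, min_severity="high"):
    """Internal hosts with at least one finding at or above min_severity."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return sorted({f["client"] for f in findings if rank[f["severity"]] >= rank[min_severity]})


# Constructed sample lines; only the indicators themselves come from the post.
SAMPLE_LOGS = [
    "04-Feb-2013 02:51:03.412 client 172.16.253.130#1066: query: godson355.vicp.cc IN A + (172.16.253.254)",
    "04-Feb-2013 02:51:09.001 client 172.16.253.131#1122: query: www.example.com IN A + (172.16.253.254)",
    "04-Feb-2013 02:52:41.770 client 172.16.253.140#1203: query: godson555.gicp.net IN A + (172.16.253.254)",
    "04-Feb-2013 02:53:02.115 client 172.16.253.135#1301: query: update.vicp.cc IN A + (172.16.253.254)",
    "Feb  4 02:51:04 fw kernel: IN=eth1 OUT=eth0 SRC=172.16.253.130 DST=202.85.136.181 PROTO=TCP SPT=1067 DPT=110",
    "Feb  4 02:51:05 fw kernel: IN=eth1 OUT=eth0 SRC=172.16.253.131 DST=8.8.8.8 PROTO=UDP SPT=52113 DPT=53",
    "Feb  4 02:55:10 fw kernel: IN=eth1 OUT=eth0 SRC=172.16.253.140 DST=61.178.77.111 PROTO=TCP SPT=1411 DPT=80",
]

if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS)
    for h in hits:
        print(f"line {h['line']:>2} {h['kind']:<4} {h['client']:<16} {h['severity']:<6} {h['indicator']}")
    print("triage first:", ", ".join(hosts_to_triage(hits)))
```

Matching on the suffix rather than the exact name catches hosts like mail.softinc.pw that a plain string comparison would miss; the trailing-dot strip matters because query logs often record the fully qualified name. Lower the `min_severity` passed to `hosts_to_triage` to pull the dynamic-DNS lookups into the queue once the high-confidence hits are worked.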



############
# Analysis #
############

# Communicators #
Host - packets - share of 51 - notes
172.16.253[.]130 - 37 - 72.55%
202.85.136[.]181 - 17 - 33.33% - godson355.vicp[.]cc
224.0.0[.]22 - 12 - 23.53% - IGMPv3 membership reports (local multicast noise)
172.16.253[.]254 - 4 - 7.84%
0.0.0[.]0 - 2 - 3.92% - unconfigured source address, consistent with DHCP
4.2.2[.]2 - 2 - 3.92% - Level 3 DNS
8.8.8[.]8 - 2 - 3.92% - Google DNS
255.255.255[.]255 - 2 - 3.92% - limited broadcast
(Shares add up to more than 100% because every packet is counted against both of its endpoints.)

# Analysis of Events #

Packet #24 - 2013-02-04 @ 02:51:03
172.16.253[.]130 performs a DNS query for the site godson355.vicp[.]cc
  - 4.2.2[.]2 (Level 3 DNS) and 8.8.8[.]8 (Google DNS) both respond with the IP address 202.85.136[.]181
  - At the time of this investigation (Pi Day, 2018), the site resolves to the IP address 174.128.255[.]253
  - However, the site has resolved to a number of suspicious IP addresses in the past:
    - 2014-07-31 -> 2014-11-04 = 210.209.118[.]87
      - 17/F Chevalier Commercial Centre, Hong Kong
      - This IP has also hosted the following tagged-malicious domains:
        - mailindia.imbbs[.]in - 2014-07-31 -> 2018-03-15
        - softinc[.]pw - 2014-08-11 -> 2015-08-21
        - godson355.vicp[.]cc - 2014-07-31 -> 2014-11-04
    - 2013-02-04 -> 2014-05-14 = 202.85.136[.]181 (the time frame of this PCAP capture)
      - IADVANTAGE, 399 Chai Wan Road, Hong Kong
      - This IP has also hosted the following tagged-malicious domains:
        - gen2012.eicp[.]net - 2013-08-28 -> 2018-03-15
        - godson355.vicp[.]cc - 2013-02-04 -> 2014-05-14
    - 2013-03-29 -> 2013-05-03 = 50.117.115[.]89
      - EGIHosting, San Jose, CA, US
    - 2012-07-19 -> 2013-03-23 = 61.178.77[.]111
      - No.405 Pingliang Road, LANZHOU, CHINA
      - godson355 is the only tagged-malicious domain on this IP; however, it has also hosted the following sites, which have not been tagged as suspicious:
        - godson555.gicp[.]net - 2012-06-09 -> 2012-06-10
        - liveupdates.3322[.]org - 2011-03-31 -> 2011-11-15

Packet #31 - 2013-02-04 @ 02:51:04
172.16.253[.]130 sends an HTTP GET to 202.85.136[.]181 on TCP port 110 (dissected by Wireshark as POP) for the following path:
  - /h.gif?pid =113&v=130586214568
  - GET request frame is 243 bytes in length
  - Src port = 1067, dst port = 110
  - Connection is open for 34ms before a RST/ACK is sent

Packet #31 - 2013-02-04 @ 02:53:15
172.16.253[.]130 sends an HTTP GET to 202.85.136[.]181 on TCP port 110 (dissected by Wireshark as POP) for the following path:
  - /h.gif?pid =113&v=130586214568
  - GET request frame is 243 bytes in length
  - Src port = 1068, dst port = 110
  - Connection is open for 33ms before a RST/ACK is sent

Packet #50 - 2013-02-04 @ 02:55:25
172.16.253[.]130 sends an HTTP GET to 202.85.136[.]181 on TCP port 110 (dissected by Wireshark as POP) for the following path:
  - /h.gif?pid =113&v=130586214568
  - GET request frame is 243 bytes in length
  - Src port = 1069, dst port = 110
  - The connection is never seen to close within the capture
