IR 304: VirusTotal & Wireshark (15 pts + 20 pts extra)

What You Need for This Project

CAUTION

This project uses traffic captured from a real malware attack. It may set off virus scanners and possibly even infect old, unpatched Windows machines.

Don't do this project on a real Windows machine in normal use. Use your Windows virtual machine instead.

Purpose

To practice these skills, which are essential for a security analyst:

Choosing a Machine to Use

When working with malware, use a virtual machine with no antivirus software, and one that isn't used for other tasks such as shopping or emailing.

In this case we are using a fairly old Windows malware sample, so it's OK to use a Mac or Linux machine.

Don't use a regular Windows machine for this project, especially one used for other work, such as a company machine at a workplace. However, using Windows as the host for a virtual machine is fine.

Downloading the Malware Traffic Sample

On your analysis machine, in a Web browser, download this file:

2014-12-15-traffic-analysis-exercise.pcap.zip

Unzipping the Sample

Double-click the 2014-12-15-traffic-analysis-exercise.pcap.zip file. It is a password-protected Zip file. Use this password, which is standard in the malware analysis community:

infected

Using VirusTotal

In a Web browser, go to

https://www.virustotal.com/

On the File tab, click the "Choose file" button, as shown below.

Navigate to the 2014-12-15-traffic-analysis-exercise.pcap file you unzipped and double-click it.

VirusTotal reports that this file triggers Snort and Suricata alerts, as shown below.

In VirusTotal, click the Details tab.

Flag IR 304.1: Suricata Alert (5 pts)

Find the Suricata alerts. The flag is covered by a green box in the image below.

Scroll down to the "Snort Alerts" and "Suricata Alerts" section.

Expand the last three items, as shown below, outlined in red.

We will investigate the two items outlined in blue in more detail below: a suspicious User-Agent and a PHP exploit.

Examining User-Agent Strings with Wireshark

If you don't already have Wireshark on your analysis machine, get it here:

https://www.wireshark.org/

Launch Wireshark.

From the Wireshark menu bar, click File, Open.

Navigate to the 2014-12-15-traffic-analysis-exercise.pcap file you unzipped and double-click it.

In Wireshark, at the top, enter this filter into the filter bar, as outlined in blue in the figure below:

http

Press Enter to filter the traffic.

In the middle pane, expand "Hypertext Transfer Protocol".

Right-click the User-Agent line and click "Apply as Column", as shown below.

A column titled "User-Agent" appears in the packet list. Click the "User-Agent" column header to sort the rows, and scroll through them.

Most of the User-Agent strings are long or empty, which is normal, but three of them have the strange bare value "Mozilla".

Click one of the Mozilla lines and examine the HTTP request in the middle pane, as shown below.

The URL is epzqy.iphaeba.eu:22780

This is a suspicious URL: the domain name and hostname look like random letters, and the port is very unusual.

Look at the "Full request URI" of these packets. The paths and parameters are random words, like "peeve", "delight", and "scholar". This looks like some sort of obfuscated data, possibly malware beacons.

Flag IR 304.2: Word in URI (5 pts)

Find the request shown below. The flag is the word covered by a green rectangle.

Examining PHP Requests with Wireshark

In Wireshark, in the packet list, right-click the User-Agent header and click "Remove This Column", as shown below.

Adjust the filter string to this value:

http && frame contains php

Press Enter to see only HTTP requests for PHP pages.

The only strange PHP request is the Facebook Like click shown below. This looks like a false positive: harmless traffic that triggered Suricata because of its structure.
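As an added example (not part of the original project), here is a small Python triage script that encodes the indicators the two sections above walk through by hand: the bare "Mozilla" User-Agent, the unusual port, the random-letter hostname, and word-only paths, while leaving the Facebook like.php request unflagged. The request summaries are constructed, and the vowel ratio, port list and threshold are my own assumptions.

```python
from urllib.parse import urlsplit

# Constructed HTTP request summaries in the shape of Wireshark's columns
# (method, Host header, request URI, User-Agent). The first line mirrors
# the beacon shape described above; the rest are benign fillers.
SAMPLE_REQUESTS = [
    ("GET", "epzqy.iphaeba.eu:22780", "/peeve/delight?scholar=1", "Mozilla"),
    ("GET", "www.example.com", "/index.html",
     "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"),
    ("GET", "www.facebook.com", "/plugins/like.php?href=http://example.com",
     "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"),
    ("GET", "cdn.example.net", "/static/app.js", ""),
]

NORMAL_PORTS = {80, 443, 8080}  # assumption: anything else is unusual for HTTP

def host_label_looks_random(host):
    """True if a hostname label (TLD excluded) of 5+ letters has under 30% vowels."""
    labels = host.split(":")[0].lower().split(".")[:-1]
    for label in labels:
        if len(label) >= 5 and label.isalpha():
            vowels = sum(ch in "aeiou" for ch in label)
            if vowels / len(label) < 0.3:
                return True
    return False

def indicators(method, host, uri, user_agent):
    """Return the list of heuristic reasons a request looks like a beacon."""
    reasons = []
    # A bare product token with no version or platform, e.g. "Mozilla".
    # Empty User-Agents are common in legitimate traffic, so they are ignored.
    if user_agent and "/" not in user_agent and "(" not in user_agent:
        reasons.append("minimal User-Agent")
    if ":" in host and int(host.rsplit(":", 1)[1]) not in NORMAL_PORTS:
        reasons.append("non-standard port")
    if host_label_looks_random(host):
        reasons.append("random-looking hostname")
    # Assumption: paths built only from bare words (no extension, no digits).
    segments = [s for s in urlsplit(uri).path.split("/") if s]
    if segments and all(s.isalpha() for s in segments):
        reasons.append("word-only path")
    return reasons

def triage(requests, threshold=2):
    """Map each host to its reasons, keeping requests with enough indicators."""
    flagged = {}
    for method, host, uri, ua in requests:
        reasons = indicators(method, host, uri, ua)
        if len(reasons) >= threshold:
            flagged[host] = reasons
    return flagged

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_REQUESTS).items():
        print(host, "->", ", ".join(reasons))
```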

Retrieving Downloaded Files with Wireshark

From the Wireshark menu bar, click File, "Export Objects", HTTP..., as shown below.

Click "Save All", as shown below.

Navigate to the Downloads folder, create a new folder, and save the files inside it.

In your operating system's file explorer, open the folder you just created and examine the files.

None of these files are malware: the actual malware in this capture was transmitted with encryption, so Wireshark can't extract it.

Flag IR 304.3: Words in Image (5 pts)

However, just to record your success, find the charte_02.jpg image and double-click it to see the words on it.

The words are covered by a green rectangle in the image shown below. Those words are the flag.

Flag IR 304.4: EXE File Name (5 pts extra)

WORK ON A DISPOSABLE SYSTEM: THIS IS REAL MALWARE!

Download this file: IR304.4.zip

Unzip it with the password infected.

Analyze it with tools of your choice. It downloads an EXE file. That file's name is the flag.

Hint: The file has a size of 699,392 bytes.

Flag IR 304.5: EXE File Name (5 pts extra)

WORK ON A DISPOSABLE SYSTEM: THIS IS REAL MALWARE!

Extract the EXE file you found in IR 304.4 and analyze it on VirusTotal. What name does McAfee antivirus give to this file? That's the flag.

Flag IR 304.6: Mutex (10 pts extra)

Continue investigating the EXE file you found in IR 304.4. This file opens a mutex with a name containing the word "Mutex". That name is the flag.

Posted 9-17-18
Ported to new flag system 10-4-19
Extra credit portions added 10-5-19
304.4 and 304.5 updated and format updated 8-18-2020
304.1 updated 9-24-20
304.6 explanation clarified 10-1-20
malware file hosted locally 3-19-24