Traffic Analysis Quiz — What’s the Malware From This Infection?

jon
4 min read · Oct 23, 2023

Scenario

Today’s diary is a traffic analysis quiz where you try to identify the malware based on a pcap of traffic from an infected Windows host. Download the pcap from this page, which also has the alerts. Don’t open or review the alerts yet, because they give away the answer.

Background on the infection

This infection was caused by a malicious Excel spreadsheet. It has macros designed to infect a vulnerable Windows host, so I infected one in my lab. Default settings in recent versions of Microsoft Office would prevent this type of macro from causing an infection; the technique is much more effective against older versions of Windows like Windows 7.

Enabling macros on this spreadsheet caused my vulnerable host to download a malicious Windows executable (EXE) and save it as C:\Users\Public\svchost32.exe where it was initially run.

After a minute or two, the malware was deleted from C:\Users\Public\svchost32.exe and saved under a randomly-named directory under C:\Program Files (x86)\ using a random file name. The directory and new file name are different for each infection. The malware was made persistent through an update to the Windows registry as shown below.

This method is used by different families of malware. The chain of events:

  • Victim receives a malicious Microsoft Office document (usually an Excel spreadsheet or Word document)
  • Victim enables macros on a vulnerable Windows host
  • Vulnerable Windows host retrieves a Windows EXE or DLL through web-based traffic
  • EXE or DLL is saved to disk
  • The EXE or DLL infects the vulnerable Windows host and is made persistent

Fortunately, this chain is rarely effective against an up-to-date version of Windows with default security settings. In this case, Microsoft Office would not run the macro unless I disabled some key security functions.

PCAP Analysis

From the background scenario we know the malware downloads an .exe, so we go straight to the HTTP traffic to find that request.

Breaking down the HTTP request per host, we have several hosts contacted:

We first have a GET request to the host: hxxp://aromaterapiaclinicabrasil[.]com.br/wp-cgi/87411326.jpg

Checking the response in the HTTP stream, we can see from the magic bytes that an .exe is downloaded.

A GET request to www.magentos2[.]info for /rcgc/?FTjl4Xs=JJ1UQfwH5/u8wijNPDMpILe9jWpyTymRAT2uguMS0ZyuBY0ybSztHQpeQh9ZYsJqpdJQ&PDH=0pdd-fqhSb7LGnE0 returns a 404 Not Found.

A POST request to geneprofile carries potentially encoded/encrypted data. The server responds with a 410 Gone status code.

Two similar attempts also return 410.

POST requests for /rcgc then move to ladydriven[.]us.

GET and POST requests for /rcgc continue against the hosts jojobet84[.]com, magentos2[.]info and genesprofile[.]com and receive HTTP status codes 302, 403, 404, 405 or 410. No 200 (success) codes are observed other than the initial download of the .exe from aromaterapiaclinicabrasil[.]com.br.

Based on this activity, it looks like the macro was allowed to run, which in turn downloaded the .exe, after which the malware began to reach out to the various sites. There is a gap of about 50 seconds between the malware download and the start of the malicious traffic. The communication after that first site could be C2 activity or an attempt to exfiltrate data.
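As an added example (not part of the original post), the following Python script applies the same three checks to a constructed set of HTTP transactions: a response whose body starts with the PE "MZ" magic even though the URI claims a .jpg, the per-host status codes and the delay to the first follow-on request, and a URI path reused across several hosts. The hostnames and the /rcgc path come from the post; the timestamps, the order of the status codes and the response bytes are assumptions.

```python
"""Triage of HTTP transactions paired from a pcap (e.g. tshark -T fields output).
Hostnames and the /rcgc path come from the post; timestamps, status-code order
and response bytes below are constructed assumptions."""
from collections import defaultdict
from urllib.parse import urlsplit

PE_MAGIC = b"MZ"  # DOS header of a Windows PE file
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")

# Constructed sample: (epoch seconds, host (defanged), method, uri, status, first response bytes)
SAMPLE = [
    (1000.0, "aromaterapiaclinicabrasil[.]com.br", "GET", "/wp-cgi/87411326.jpg", 200, b"MZ\x90\x00\x03"),
    (1050.0, "www.magentos2[.]info", "GET", "/rcgc/?FTjl4Xs=JJ1UQfwH5&PDH=0pdd-fqhSb7LGnE0", 404, b"<html>"),
    (1052.0, "genesprofile[.]com", "POST", "/rcgc/", 410, b""),
    (1055.0, "genesprofile[.]com", "POST", "/rcgc/", 410, b""),
    (1060.0, "ladydriven[.]us", "POST", "/rcgc/", 405, b""),
    (1065.0, "jojobet84[.]com", "GET", "/rcgc/?abc=def", 302, b""),
    (1070.0, "www.magentos2[.]info", "POST", "/rcgc/", 403, b""),
]

def disguised_executables(records):
    """Responses whose body starts with the PE magic although the URI claims an image."""
    hits = []
    for ts, host, _method, uri, _status, body in records:
        if body.startswith(PE_MAGIC) and urlsplit(uri).path.lower().endswith(IMAGE_EXTS):
            hits.append((ts, host, uri))
    return hits

def post_download_activity(records, download_ts):
    """Status codes per host after the download and the delay (s) to the first follow-on request."""
    later = sorted((r for r in records if r[0] > download_ts), key=lambda r: r[0])
    codes = defaultdict(set)
    for _ts, host, _method, _uri, status, _body in later:
        codes[host].add(status)
    delay = later[0][0] - download_ts if later else None
    return dict(codes), delay

def recurring_paths(records, min_hosts=2):
    """URI paths requested from several distinct hosts (a reused /rcgc is a family fingerprint)."""
    hosts_by_path = defaultdict(set)
    for _ts, host, _method, uri, _status, _body in records:
        hosts_by_path[urlsplit(uri).path.rstrip("/")].add(host)
    return {p: sorted(h) for p, h in hosts_by_path.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    dl = disguised_executables(SAMPLE)
    codes, delay = post_download_activity(SAMPLE, dl[0][0])
    print("PE disguised as image:", dl)
    print(f"first follow-on request {delay:.0f}s after download; codes per host: {codes}")
    print("paths shared across hosts:", recurring_paths(SAMPLE))
```

On the constructed sample the script reports the .jpg that is really a PE, a 50-second gap before the first /rcgc request, and no 200 response from any of the follow-on hosts, mirroring what the pcap showed.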

File Analysis

The file command reports the file as a PE32 executable (GUI) Intel 80386, for MS Windows.

Running strings on the .exe shows readable Windows API function names, which suggests the file is not obfuscated or packed.

Grabbing the SHA256 hash of the file:

399013dde1bc2ce10effb58c3e970c8bf82d597c3b5f606a0e4ad79567515b2c

VirusTotal shows 58/67 detections. The file is categorized as a Trojan used for C2 (Command and Control). Family labels: zusy, formbook and fareit.

Looking into the HTTP requests under the behavior tab, we see some of the hosts that were in our PCAP as well as the /rcgc requests.

Hybrid Analysis report of file confirms our VirusTotal results.

In MalwareBazaar, this hash is identified as matching the signature for the FormBook trojan.

Alert Review

Now looking into the alerts to see if we were right...

Alerts show activity related to FormBook! The first couple of alerts relate to the download, since the IP address of aromaterapiaclinicabrasil[.]com.br is 162.214.51.208.

Answers from ISC Diary

Thanks for reading!
