Brim Packet Analysis Suspected Malware Compromise

Using Suricata and Zeek data within Brim to analyze a suspected malware compromise of a device on the network, with no initial information to go on. Discovering the compromised machine along with the attacker's devices within the data streams, followed by a deep dive into packet analysis.


Legal Notice && Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use information at your own risk. By continuing, you acknowledge the aforementioned user risk/responsibilities.


BRIM

Open-source software to combine and analyze pcap data from both Suricata and Zeek (formerly Bro) captures. Data is structured in clear JSON-like records for ease of use and search.

Download BRIM: https://www.brimdata.io/

Malware-Traffic-Analysis PCAP: https://www.malware-traffic-analysis.net/2015/02/08/index.html

Zeek in Action, Video 1, Suspected Malware Compromise Reference: youtube.com/watch?v=xpPEHtACrek

Investigate Suricata Alerts by Source and Destination

Note: No prior knowledge of the attacker or victim IP address

Notice the IP addresses being used between src_ip and dest_ip.

The 172.16.x.x address space falls within the RFC 1918 private block 172.16.0.0/12, which is not routable on the Internet and is normally reached through NAT; that marks it as an internal host.

Information Surmised:

  • 172.16.137.40 - workstation in question
  • Unknown Traffic Alert
  • A Network Trojan Alert
  • Generic Protocol Command Decode
  • Device Retrieving External IP Address Detected
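The first pivot in the walkthrough is purely statistical: look at which addresses dominate the Suricata alerts and which of them are internal. The script below, an added example rather than anything from the page or from Brim, does that triage over Suricata's EVE JSON output. The alert lines are constructed (the Dridex JA3 signature text is the one quoted on the page; the other signature strings, the external addresses and the ports are made up), and the RFC 1918 test is written out explicitly because Python's `is_private` also treats the documentation ranges used for the sample as private.

```python
import ipaddress
import json
from collections import Counter

# RFC 1918 private ranges. ipaddress.ip_address(x).is_private is deliberately
# not used: in Python it also covers the documentation ranges (198.51.100.0/24,
# 203.0.113.0/24) that the constructed sample below uses as "external" hosts.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed Suricata EVE JSON lines (not from the page's pcap). The
# categories mirror the alert types the walkthrough lists; the Dridex JA3
# signature text is the one quoted on the page, the rest are made up.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"172.16.137.40","src_port":49201,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"signature":"Device Retrieving External IP Address Detected","category":"Potential Corporate Privacy Violation","severity":2}}
{"event_type":"alert","src_ip":"172.16.137.40","src_port":49233,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"signature":"ET JA3 Hash - Possible Malware - Dridex","category":"A Network Trojan was detected","severity":1}}
{"event_type":"alert","src_ip":"198.51.100.7","src_port":443,"dest_ip":"172.16.137.40","dest_port":49233,"proto":"TCP","alert":{"signature":"TLS invalid record","category":"Generic Protocol Command Decode","severity":3}}
{"event_type":"alert","src_ip":"172.16.137.40","src_port":50001,"dest_ip":"198.51.100.9","dest_port":3478,"proto":"UDP","alert":{"signature":"STUN binding request","category":"Unknown Traffic","severity":3}}
{"event_type":"dns","src_ip":"172.16.137.40","dest_ip":"172.16.137.1","proto":"UDP"}
"""


def load_alerts(text):
    """Parse EVE JSON lines and keep only event_type == "alert" records."""
    records = (json.loads(line) for line in text.splitlines() if line.strip())
    return [r for r in records if r.get("event_type") == "alert"]


def is_rfc1918(ip):
    """True when ip lies in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def alerts_by_pair(alerts):
    """Alert counts keyed by (src_ip, dest_ip), the view Brim shows first."""
    return Counter((a["src_ip"], a["dest_ip"]) for a in alerts)


def internal_host_summary(alerts):
    """For every RFC 1918 address appearing as source or destination, the
    number of alerts it is involved in and the distinct alert categories,
    in first-seen order. Sorted by alert count, busiest host first."""
    count, categories = Counter(), {}
    for a in alerts:
        for ip in (a["src_ip"], a["dest_ip"]):
            if not is_rfc1918(ip):
                continue
            count[ip] += 1
            cats = categories.setdefault(ip, [])
            if a["alert"]["category"] not in cats:
                cats.append(a["alert"]["category"])
    return [(ip, n, categories[ip]) for ip, n in count.most_common()]


def suspected_workstation(alerts):
    """The internal host tied to the most alerts, i.e. the first pivot point."""
    summary = internal_host_summary(alerts)
    return summary[0][0] if summary else None


if __name__ == "__main__":
    found = load_alerts(SAMPLE_EVE)
    for pair, n in alerts_by_pair(found).most_common():
        print(f"{pair[0]:>15} -> {pair[1]:<15} {n}")
    print(internal_host_summary(found))
    print("pivot on:", suspected_workstation(found))
```

Run against a real `eve.json` the same functions give the "workstation in question" plus the list of alert categories it is tied to, which is exactly the "Information Surmised" list above; the categories are kept in first-seen order so the earliest alert type for the host is visible at a glance.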

Possible Network Trojan

Pivot to Logs

  • Right-click “Alerts” and choose “Pivot to logs” to view the Suricata alerts

Suricata is reporting “ET JA3 Hash - Possible Malware - Dridex” under alerts

Possible Dridex Trojan

Unique DNS Queries

Using the queries to investigate the unique DNS queries:

These are all derived from the Zeek logs. Nothing stands out as out of the norm.

HTTP Requests

Using the queries to investigate the unique HTTP Requests:

Requests are originating from the “172.16.17.40” device, once again pointing to the workstation in question.

File Activity

Using the queries to investigate the unique File Activities:

No data to be displayed in the form of file activities.

HTTP Post Requests

Using the queries to investigate the unique HTTP Post Request:

No data to be displayed from HTTP Post Requests.

Windows Network Activity

Using the queries to investigate the unique Windows Network Activity:

No data to be displayed from Windows Network Activity.

Unique Network Connections

Using the queries to investigate the Unique Network Connections:

Summary of activity pulled from Zeek logs.

Activity occurring on ports 3478, 12101, 12103 and 20208 is unusual and warrants investigation.

Open a new query by right-clicking and choosing “New Search with this value” to find information on port 3478.

Based on the Zeek records, we could be seeing Session Traversal Utilities for NAT (STUN), the protocol used to work through network address translation (NAT), which normally runs on port 3478.

conn = the Zeek connection record; its community_id field is the cross-reference between a Zeek connection and the matching Suricata alert.

Details of “conn”

Details:

Query Destination IP

Same two alerts as before and a DNS request for stun.interntcalls.com

Investigate port 12101: use the Back buttons to return to the port list and follow port 12101.

Two Zeek connection logs; viewing the “details” presents the opportunity to pivot to the pcap.

Download the PCAP: right-click and choose “Download Packets”.

The only thing within the capture is a single (x1) SYN packet.

The history field under details states “S”, meaning just a SYN packet from the originator with no reply seen.

Port 12103

Again, just a single (x1) SYN packet, which does not contain any information that can help the investigation. The data being used by the attacker must be hidden within standard network traffic such as HTTP, HTTPS or DNS.
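The three checks made on the connection list above (which responder ports look out of place, which Suricata alerts belong to a given Zeek conn record via the community id, and what a history of “S” tells you before downloading any packets) can be scripted over Zeek's JSON conn.log and Suricata's eve.json. The block below is an added example, not the page's or Brim's own code. The conn rows and alert lines are constructed (external addresses from the documentation ranges, uids C1 to C5, an invented "expected ports" set), and the Community ID v1 routine is included so both logs carry a consistent id; it follows the Corelight specification for TCP/UDP flows only.

```python
import base64
import hashlib
import json
import socket
import struct
from collections import Counter, defaultdict

PROTO_NUM = {"tcp": 6, "udp": 17}


def community_id(saddr, daddr, sport, dport, proto, seed=0):
    """Community ID v1 flow hash (Corelight spec) for IPv4 TCP/UDP flows. Both
    directions of a flow yield the same string, which is what lets a Zeek conn
    record and a Suricata alert be matched on it."""
    sa, da = socket.inet_aton(saddr), socket.inet_aton(daddr)
    if (sa, sport) > (da, dport):          # canonical order: lower endpoint first
        sa, da, sport, dport = da, sa, dport, sport
    data = struct.pack("!H", seed) + sa + da + struct.pack("!BBHH", PROTO_NUM[proto], 0, sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode()


def conn_row(uid, orig_h, orig_p, resp_h, resp_p, proto, history, conn_state, service=None):
    """Build a Zeek conn.log JSON record (constructed sample, not from the page's pcap)."""
    return {"uid": uid, "id.orig_h": orig_h, "id.orig_p": orig_p, "id.resp_h": resp_h,
            "id.resp_p": resp_p, "proto": proto, "history": history, "conn_state": conn_state,
            "service": service, "community_id": community_id(orig_h, resp_h, orig_p, resp_p, proto)}


# Constructed sample: one internal workstation talking to constructed external hosts.
SAMPLE_CONN = [
    conn_row("C1", "172.16.137.40", 49201, "203.0.113.10", 80, "tcp", "ShADadFf", "SF", "http"),
    conn_row("C2", "172.16.137.40", 49233, "198.51.100.7", 443, "tcp", "ShADadFf", "SF", "ssl"),
    conn_row("C3", "172.16.137.40", 49240, "198.51.100.7", 12101, "tcp", "S", "S0"),
    conn_row("C4", "172.16.137.40", 49241, "198.51.100.7", 12103, "tcp", "S", "S0"),
    conn_row("C5", "172.16.137.40", 50001, "198.51.100.9", 3478, "udp", "Dd", "SF"),
]

# Constructed Suricata eve.json alert lines. The second one is logged from the
# responder's side, so its community_id must still match conn row C2.
SAMPLE_EVE = "\n".join(json.dumps(a) for a in [
    {"event_type": "alert", "src_ip": "172.16.137.40", "src_port": 49201, "dest_ip": "203.0.113.10",
     "dest_port": 80, "proto": "TCP", "alert": {"signature": "Device Retrieving External IP Address Detected"},
     "community_id": community_id("172.16.137.40", "203.0.113.10", 49201, 80, "tcp")},
    {"event_type": "alert", "src_ip": "198.51.100.7", "src_port": 443, "dest_ip": "172.16.137.40",
     "dest_port": 49233, "proto": "TCP", "alert": {"signature": "ET JA3 Hash - Possible Malware - Dridex"},
     "community_id": community_id("198.51.100.7", "172.16.137.40", 443, 49233, "tcp")},
])

# Invented baseline of responder ports that need no second look on this network.
EXPECTED_PORTS = {53, 80, 443, 123, 25, 587, 993, 995}

# Zeek conn history letters; upper case = originator, lower case = responder.
HISTORY = {"s": "SYN without ACK", "h": "SYN+ACK", "a": "pure ACK", "d": "payload data",
           "f": "FIN", "r": "RST", "c": "bad checksum", "t": "retransmitted payload",
           "i": "inconsistent packet", "q": "multi-flag packet", "g": "content gap", "w": "zero window"}


def load_alerts(text):
    """Parse eve.json lines, keeping only alert events."""
    records = (json.loads(line) for line in text.splitlines() if line.strip())
    return [r for r in records if r.get("event_type") == "alert"]


def unusual_ports(rows, expected=EXPECTED_PORTS):
    """Responder ports outside the expected set, with connection counts, ascending."""
    return sorted(Counter(r["id.resp_p"] for r in rows if r["id.resp_p"] not in expected).items())


def decode_history(history):
    """Expand a history string into one description per packet event."""
    return [f"{'originator' if ch.isupper() else 'responder'} {HISTORY.get(ch.lower(), ch)}"
            for ch in history]


def syn_only(rows):
    """uids whose history is a lone originator SYN: nothing came back, so the
    pcap for them holds no payload worth opening in Wireshark."""
    return [r["uid"] for r in rows if r["history"] == "S"]


def alerts_by_conn(rows, alerts):
    """Join conn records to Suricata signatures on community_id."""
    sigs = defaultdict(list)
    for a in alerts:
        sigs[a["community_id"]].append(a["alert"]["signature"])
    return {r["uid"]: sigs.get(r["community_id"], []) for r in rows}


if __name__ == "__main__":
    print("unusual ports:", unusual_ports(SAMPLE_CONN))
    for uid in syn_only(SAMPLE_CONN):
        print(uid, decode_history("S"))
    print(alerts_by_conn(SAMPLE_CONN, load_alerts(SAMPLE_EVE)))
```

The join only works when both tools emit the field: Zeek needs the community-id policy loaded (or the zeek-community-id package) and Suricata needs `community-id: true` in its eve-log output; otherwise the `community_id` function above can recompute it from the five-tuple on either side.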

HTTP Request

Investigating HTTP Request within the queries:

The HTTP Request query returns incomplete data, so return to the “Activity Overview”, select “HTTP” and choose “Pivot to Logs” from the right-click menu.

Clicking the “Packets” button at the top to retrieve the .PCAP and open in Wireshark.

After following the “TCP Stream” in Wireshark, the cleartext following the request to “checkip.dyndns.org” states “Current IP Address: 212.38.170.7”, which is worth noting.
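A host asking an external service for its own public address is a useful pivot point, and the same check can be run without opening Wireshark. The block below is an added example, not code from the page or from Brim: it scans Zeek http.log rows for requests to known IP lookup services and pulls the echoed address out of a reassembled stream. The http.log rows and the stream text are constructed (checkip.dyndns.org is the service named on the page, the other hostnames are common equivalents, the external addresses come from the documentation ranges, and the first row's timestamp is the activity start time the walkthrough records).

```python
import ipaddress
import re
from datetime import datetime, timezone

# Well-known external IP lookup services. checkip.dyndns.org is the one seen in
# the walkthrough; the rest are common equivalents worth matching on as well.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "checkip.amazonaws.com",
                   "icanhazip.com", "ifconfig.me", "api.ipify.org", "ipinfo.io"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed Zeek http.log rows (JSON export), not from the page's pcap. ts is
# epoch seconds as Zeek writes it; the first row's ts is 2015-02-08T18:32:17.212Z,
# the start time the walkthrough records.
SAMPLE_HTTP = [
    {"ts": 1423420337.212, "uid": "C1", "id.orig_h": "172.16.137.40", "id.resp_h": "203.0.113.10",
     "method": "GET", "host": "checkip.dyndns.org", "uri": "/", "status_code": 200},
    {"ts": 1423420402.5, "uid": "C2", "id.orig_h": "172.16.137.40", "id.resp_h": "203.0.113.20",
     "method": "GET", "host": "www.example.com", "uri": "/index.html", "status_code": 200},
]

# Constructed reassembled TCP stream in the shape of what "Follow TCP Stream"
# shows for such a request; the echoed address is a documentation-range value.
SAMPLE_STREAM = (
    "GET / HTTP/1.1\r\nHost: checkip.dyndns.org\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><title>Current IP Check</title></head>"
    "<body>Current IP Address: 203.0.113.77</body></html>"
)

CURRENT_IP_RE = re.compile(r"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def external_ip_lookups(rows, hosts=IP_LOOKUP_HOSTS):
    """http.log rows whose Host header names an IP lookup service, returned as
    (ISO 8601 UTC time, originator, host, uri) tuples in time order."""
    hits = sorted((r for r in rows if r.get("host", "").lower() in hosts), key=lambda r: r["ts"])
    return [(datetime.fromtimestamp(r["ts"], timezone.utc).isoformat(),
             r["id.orig_h"], r["host"], r["uri"]) for r in hits]


def reported_ip(stream):
    """Pull the address the lookup service echoed back out of the cleartext
    stream, or None when the body does not carry a valid one."""
    m = CURRENT_IP_RE.search(stream)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:            # an octet above 255 still matches the regex
        return None


def is_rfc1918(ip):
    """True when ip lies in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


if __name__ == "__main__":
    for when, orig, host, uri in external_ip_lookups(SAMPLE_HTTP):
        print(f"{when} {orig} asked {host}{uri} for its public address")
    ip = reported_ip(SAMPLE_STREAM)
    note = " (private: a proxy sits between the host and the service)" if ip and is_rfc1918(ip) else ""
    print(f"service answered: {ip}{note}")
```

The echoed address is the NAT egress the workstation sits behind, which is why it is worth recording: it is the address any later command-and-control traffic from this host would be seen from on the Internet side. Legitimate software also performs these lookups, so the hit is a pivot point to correlate with the timeline, not a verdict on its own.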

Investigate Original Zeek Logs

Remove the data in the filter field to return to the original data, then sort A-Z to view the activity from oldest to newest:

Investigate some “conn” logs by “Filter by Value” under right click:

This is a simple way of looking at the activity on the network capture to search across data for anomalies.

The events involving the 12101 ports begin at this point:

Pivot on the “CONN” id: 9n6GGiROkKsvIoT20N6VGbeiIK8=

Associated Suricata alert from the JA3 engine

Under “Details” we are provided with a country code of “RU” (Russia) and a region of KHM. This is a suspicious response, as it is outside the region of the user.

Notice alert on event shows a Self Signed Certificate to be noted:

Take note of the time of the event when the actions began, “2015-02-08T18:32:17.212”, and investigate the original Zeek logs around that time:

Conclusion

Overview

  • Mike-PC - 172.16.137.40
  • Compromised at an earlier time and connected to network. Connections are being made to both Poland and Russia.

Scenario Questions

You review the pcap and take notes. First, you document the following:

  • Date and time of the activity: 2015-02-08T18:32:17.212
  • IP address of Mike desktop computer: 172.16.137.40
  • Host name of Mike’s desktop computer: Mike-PC
  • MAC address of Mike’s desktop computer: 08:00:2b:ef:ab:7c

Investigation Notes

  • Within these logs we can conclude that the device went to check its IP address and then received SYN requests from a Russian address.

  • The initial Dridex compromise is not found within the logs.

  • TCP connections are outbound to Polish and Russian sites.

  • The TLS/SSL data on the stream is completely encrypted aside from the required cleartext from certificates.