As we look at the capture we see the following:
1. A TCP connection was made to 50.87.164.13 on port 80
2. In packet 4 a "GET" request was made for "/services/invoice1211.php"
3. Packet 9 shows the server responding with Status "200 OK"
Analyzing the response from the server
1. The server says Apache. However, I don't see any version information. Maybe this header was crafted.
2. Content-Length states that 2148 bytes were downloaded
3. Looking into the file which was downloaded, we see some Ajax script. The point of interest to me was the image below. This suggests it is looking at my browser before it makes further decisions. When I first looked at this I was thinking this would have been an exploit kit. I was wrong. I said I was wrong because, at least with an exploit kit, I was expecting it to try to exploit my browser, not try to get me to download a file.
1. A few packets later, we see another connection setup
2. This time the HTTP method was "POST"
4. In packet 21 we see what looks like we downloaded a "GIF" image. I find this interesting since no images were seen on the page when the link was clicked.
5. If we remember, in the previous "GET" request the get_params had some variables. If we look below, we can see those variables being filled out
2. The file size was 10870 bytes
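The checks made by hand above (Server header with no version, declared Content-Length versus bytes received, and whether a body that arrives as a "GIF" really is one) can be scripted against a response pulled out of the capture. The following is an added example and not code from the original post; the HTTP response in it is constructed for illustration, not the real traffic from the pcap.

```python
import hashlib
import re

# Constructed sample (NOT the traffic from the post): a 200 OK whose Server
# header carries no version and whose body is a zip file labelled "image/gif".
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: image/gif\r\n"
    b"Content-Length: 22\r\n"
    b"\r\n"
    b"PK\x03\x04" + b"\x00" * 18
)
# Leading bytes that identify a file regardless of what the headers claim.
MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif", b"PK\x03\x04": "zip", b"MZ": "exe"}
# What a body with the given declared Content-Type should look like on the wire.
EXPECTED = {"image/gif": "gif", "application/zip": "zip"}

def sniff_type(body: bytes) -> str:
    # Classify the body by its magic bytes; "unknown" if nothing matches.
    for magic, name in MAGIC.items():
        if body.startswith(magic):
            return name
    return "unknown"

def analyze_response(raw: bytes) -> dict:
    # Split headers from body and pull out the fields the post reads by hand.
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    server = headers.get("server", "")
    declared_len = int(headers.get("content-length", "-1"))
    declared_type = headers.get("content-type", "").split(";")[0].strip()
    actual_type = sniff_type(body)
    expected = EXPECTED.get(declared_type)
    return {
        "status": status,
        "server": server,
        # "Apache" alone, with no "/x.y.z", is the version-less header noted above
        "server_has_version": bool(re.search(r"/\d", server)),
        "declared_length": declared_len,
        "received_length": len(body),
        "length_matches": declared_len == len(body),
        "actual_type": actual_type,
        # headers say one thing, bytes say another: worth a second look
        "type_mismatch": expected is not None and actual_type != expected,
        "md5": hashlib.md5(body).hexdigest(),
    }
```

To run it on real traffic, export the TCP stream from Wireshark as raw bytes and pass the server side to analyze_response.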
In the third post, we will perform some basic static analysis of the file "invoice1211_pdf82.zip" which was downloaded.
.pcap and .zip files from my analysis. Please note, in no way am I responsible for any damage caused to your computer and/or other devices as a result of using these files.
adp.pcap - 4cfd352a3c890873d20a33d35fffed25
invoice1211_pdf82.zip - 05fc7646cf11b6e7fb124782daf9fb53