Monday, December 1, 2014

Detailed analysis of an ADP Invoice Phishing Attempt - Dynamic Analysis

In this 6 part series, we will analyze a recent phishing attempt through an email which was sent to me. In the first post we looked at the email. The second post we did an analysis using Wireshark. In the third post we did some basic static analysis. In this post we will perform some basic dynamic analysis. 



Now that we've done some work on the basic analysis. Let's look to see what we can learn via some basic dynamic analysis

For the dynamic analysis, we will have a number of tools running at the same time.  These tools are



1.            InetSim
First step was to setup InetSim and ensure it is listening on all the relevant ports.




2.            tcpdump was executed to ensure all communication between the hosts were captured.




3.            Sysinternals procmon

A filter was set to see all activity related to "invoice1211_pdf.exe"




















Next step was to execute "invoice1211_pdf.exe"


Once the program was executed we see that it created a few files and then wrote to those files then close the files.



5.            Dumpit

After execution started, a memory dump was done of the system .



6.            SysInternals Process Explorer was then used to verify the creation of the process(es) related to "invoice1211_pdf.exe"



As we can see from above "invoice1211_pdf.exe" was created as a child process of explorer.exe. Once I was satisfied that I had enough information about this process, I can kill it whenever needed.






Further Analysis ... Digging Deeper ... Offline Analysis
Revisiting InetSim
As we take a closer look at the InetSim log we see the following



From this we know the following
1.            The program tries to first do a DNS lookup for "projetglory.awardspace.com"
2.            Once the name is resolved, it then does a HTTP GET for "http://projetglory.awardspace.com/fichiers/miniuk1.pmg"
3.            It then does a DNS Lookup for "shahlart.com"
4.            Once this name is received it then does a similar HTTP GET for " http://shahlart.com/miniuk1.pmg".

My belief is that it tries to download the file from the second domain if the first one fails. As can be seen above, the file is being hosted at two different domains.



Revisiting the packet capture - TShark



1.            Packet 3 and 4 shows the DNS request and response for "projetglory.awardspace.com" respectively. This is similar to what was reported by InetSim.
2.            Packets 5 to 7 shows the TCP connection being setup with the host which hosting "projetglory.awardspace.com".

3.            Once the connection was established the HTTP GET request was made to download "/fichiers/miniuk1.pmg"

4.            In packet 11 we see this request was successful via the "HTTP/1.1 200 OK"





5.            In packet 15 and 16, we see the DNS request and response for shalhart.com.
6.            Once the name was resolved we see in packet 17-19 a connection was setup to shalhart.com.
7.            In packet 20 a HTTP GET request was made for " miniuk1.pmg". This all confirms what was shown in the InetSim log file


So far I think we've gained a lot of information from the analysis which can can use towards developing our Indicators of Compromise (IOC)

In the next post we will perform memory analysis using volatility. 



.pcap and .zip files from my analysis. Please note, in no way am I responsible for any damage caused to your computer and or other devices as a result of using these files.

adp.pcap - 4cfd352a3c890873d20a33d35fffed25  
invoice1211_pdf82.zip - 05fc7646cf11b6e7fb124782daf9fb53 

http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/
https://www.wireshark.org/docs/man-pages/tshark.html

No comments:

Post a Comment