Now that we've done some work on the basic analysis, let's look at what we can learn via some basic dynamic analysis. For the dynamic analysis, we will have a number of tools running at the same time. These tools are:
1. InetSim
The first step was to set up InetSim and ensure it is listening on all the relevant ports.
2. tcpdump
tcpdump was executed to ensure all communication between the hosts was captured.
3. Sysinternals procmon
A filter was set to see all activity related to "invoice1211_pdf.exe".
4. Execution
The next step was to execute "invoice1211_pdf.exe". Once the program was executed we see that it created a few files, wrote to those files and then closed the files.
5. Dumpit
After execution started, a memory dump of the system was taken.
6. SysInternals Process Explorer
Process Explorer was then used to verify the creation of the process(es) related to "invoice1211_pdf.exe". As we can see from above, "invoice1211_pdf.exe" was created as a child process of explorer.exe. Once I was satisfied that I had enough information about this process, I could kill it whenever needed.
Further Analysis ... Digging Deeper ... Offline Analysis
Revisiting InetSim
As we take a closer look at the InetSim log, we see the following:
From this we know the following:
1. The program first tries to do a DNS lookup for "projetglory.awardspace.com".
2. Once the name is resolved, it then does an HTTP GET for "http://projetglory.awardspace.com/fichiers/miniuk1.pmg".
3. It then does a DNS lookup for "shahlart.com".
4. Once this name is received, it then does a similar HTTP GET for "http://shahlart.com/miniuk1.pmg".
My belief is that it tries to download the file from the second domain if the first one fails. As can be seen above, the file is being hosted at two different domains.
Revisiting the packet capture - TShark
1. Packets 3 and 4 show the DNS request and response for "projetglory.awardspace.com" respectively. This is similar to what was reported by InetSim.
2. Packets 5 to 7 show the TCP connection being set up with the host hosting "projetglory.awardspace.com".
3. Once the connection was established, the HTTP GET request was made to download "/fichiers/miniuk1.pmg".
4. In packet 11 we see this request was successful via the "HTTP/1.1 200 OK".
5. In packets 15 and 16, we see the DNS request and response for shalhart.com.
6. Once the name was resolved, we see in packets 17-19 a connection was set up to shalhart.com.
7. In packet 20 an HTTP GET request was made for "miniuk1.pmg". This all confirms what was shown in the InetSim log file.
So far I think we've gained a lot of information from the analysis which we can use towards developing our Indicators of Compromise (IOCs).
In the next post we will perform memory analysis using Volatility.
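Turning the packet capture into IOCs is the step the TShark walkthrough above does by eye. The script below is an added example written for this post, not code from the post or from the tcpdump/TShark projects: it walks a pcap with nothing but the standard library, pulls out every DNS question name and every HTTP GET (reassembled into a URL from the request line and Host header), and returns them in packet order. The traffic it runs on is constructed in memory to mirror the two lookups and two GETs described above, since the post's adp.pcap is not embedded here; the MAC addresses, IPs, ports and timestamps are made-up values. One caveat worth remembering when reading the original capture: because InetSim answered the DNS queries, the "HTTP/1.1 200 OK" in packet 11 came from InetSim's simulated web server, so it proves the sample's download logic, not that the real host was serving the file at capture time.

```python
import struct

# ---- Constructed sample traffic -------------------------------------------
# These frames are built here to stand in for the post's adp.pcap: the two
# DNS lookups and two HTTP GETs the post describes, and nothing else.

def _dns_name(name):
    # "a.b.c" -> b"\x01a\x01b\x01c\x00" (uncompressed DNS labels)
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def _ethernet_ipv4(proto, payload):
    # Ethernet header (zeroed MACs, EtherType 0x0800) + minimal IPv4 header
    # with no options; the checksum is left zero because the parser ignores it.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def _dns_query(name):
    # UDP to port 53 carrying a single A-record question
    q = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + _dns_name(name) \
        + struct.pack("!HH", 1, 1)
    return _ethernet_ipv4(17, struct.pack("!HHHH", 49152, 53, 8 + len(q), 0) + q)

def _http_get(host, path):
    # TCP to port 80 (PSH/ACK, 20-byte header) carrying one GET request
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    tcp = struct.pack("!HHIIBBHHH", 49153, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return _ethernet_ipv4(6, tcp + req)

def build_pcap(frames):
    # Little-endian pcap, microsecond timestamps, link type 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([
    _dns_query("projetglory.awardspace.com"),
    _http_get("projetglory.awardspace.com", "/fichiers/miniuk1.pmg"),
    _dns_query("shahlart.com"),
    _http_get("shahlart.com", "/miniuk1.pmg"),
])

# ---- Extraction -------------------------------------------------------------

def _qname(data):
    # Decode the first question name; compression pointers are not expected here.
    labels, i = [], 0
    while i < len(data) and data[i] != 0:
        n = data[i]
        if n & 0xC0:
            return None
        labels.append(data[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels)

def extract_iocs(pcap):
    """Return (dns_names, urls) seen in a little-endian pcap, in packet order."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    dns, urls, off = [], [], 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip = frame[14:]
        l4 = ip[(ip[0] & 0x0F) * 4:]                   # skip IHL*4 bytes
        if ip[9] == 17 and len(l4) >= 20 and struct.unpack("!H", l4[2:4])[0] == 53:
            name = _qname(l4[20:])                     # UDP (8) + DNS header (12)
            if name:
                dns.append(name)
        elif ip[9] == 6 and len(l4) >= 20:
            payload = l4[(l4[12] >> 4) * 4:]           # skip TCP data offset
            if payload.startswith(b"GET "):
                line, _, hdrs = payload.partition(b"\r\n")
                path = line.split(b" ")[1].decode("ascii", "replace")
                host = next((h[5:].strip().decode("ascii", "replace")
                             for h in hdrs.split(b"\r\n")
                             if h.lower().startswith(b"host:")), "")
                urls.append(f"http://{host}{path}")
    return dns, urls

if __name__ == "__main__":
    names, reqs = extract_iocs(SAMPLE_PCAP)
    print("DNS lookups:", names)
    print("HTTP GETs:  ", reqs)
```

Pointing extract_iocs at the bytes of a real capture gives roughly what a TShark display filter such as "dns.flags.response == 0 || http.request" lists, but as plain Python lists that can be fed straight into a blocklist or a detection rule. The parser deliberately stops at the first GET line of each segment and ignores IPv6, VLAN tags and TCP reassembly, which is enough for a lab capture like this one; on production traffic use TShark or a full pcap library and treat this as a sketch of the logic.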
The .pcap and .zip files from my analysis are listed below. Please note, in no way am I responsible for any damage caused to your computer and/or other devices as a result of using these files.
adp.pcap - 4cfd352a3c890873d20a33d35fffed25
invoice1211_pdf82.zip - 05fc7646cf11b6e7fb124782daf9fb53
References:
http://www.inetsim.org/
http://www.tcpdump.org/manpages/tcpdump.1.html
http://technet.microsoft.com/en-ca/sysinternals/bb842062
http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/
https://www.wireshark.org/docs/man-pages/tshark.html