Introduction Thanks to everyone who participated in our forensic quiz originally posted on April 1st, 2021. We received 22 submissions through our contact page, and two people had all the correct answers. Unfortunately, we can only pick one winner for the contest. In this case, our winner was the first to submit the correct information. Join us in congratulating this month's winner, Alex Rodriguez-Vargas! Alex will receive this month's prize: a Raspberry Pi 4 kit. Several people came close and almost had everything. This exercise required reviewing both the pcap and malware recovered from the infected Windows host. You can still find the pcap and malware at this Github repository. The pcap of infection traffic for this quiz was generated from a spreadsheet retrieved when I recorded this Youtube video. The pcap in this month's quiz starts during HTTPS traffic to the "unsubscribe" page seen in the video.
Answers IP address of the infected Windows computer:
Host name of the infected Windows computer:
User account name on the infected Windows computer:
Date and time the infection activity began in UTC (the GMT or Zulu timezone):
The family or families of malware on the infected computer:
To help in your analysis of this activity, please review the Prerequisites section in our original blog for this quiz. BazaLoader (BazarLoader) Activity From the malware archive in the Downloads directory under wilmer.coughlin, there is an Excel spreadsheet named subscription_1617056233.xlsb. This spreadsheet has malicious macros. I submitted it to the Triage Hatching sandbox, and it generated the following traffic:
In the pcap, this URL caused a redirect. First it redirected to:
But that follow-up URL did not return any malware. This happened while I was still recording the Youtube video. At the video's 10 minute mark, I enable macros on the malicious spreadsheet, but nothing apparently happened. So the call center operator had me re-open the spreadsheet and enable macros again. That second time, the campo URL redirected to:
The above URL returned a Windows executable (EXE) file. This EXE from the pcap has the same SHA256 hash as the file located in our malware archive at:
Of note, opening the spreadsheet and enabling macros generated the following artifacts:
Traffic caused by BazaLoader (BazarLoader) in this pcap is:
Of note, the last entry above is an IP address check by the infected Windows host. I don't normally see that with BazaLoader activity, but I could not positively attibute it to any of the other malware activity in this pcap.
Cobalt Strike Activity Cobalt Strike was sent through encrypted HTTPS traffic generated by BazaLoader. A DLL for Cobalt Strike was saved to the infected host at:
The run method for the above Cobalt Strike DLL is:
This generated the following Cobalt Strike traffic:
There were a great deal of HTTP requests generated by the Cobalt Strike, about 40 to 60 HTTP requests every minute. Of note, the domain onedrive.live[.]com does not resolve to 217.12.218[.]46, which means this is a deception intentionally generated by the malware. During the Cobalt Strike traffic, seven HTTP requests to checkip.amazonaws[.]com appear as the infected Windows host periodically checks its IP address.
Anchor Activity Anchor DNS malware uses DNS queries to stealthily communicate to C2 servers. Our pcap contains DNS activity that follows patterns reported for Anchor. The associated domains are:
The domain xyskencevli[.]com did not resolve, but sluaknhbsoe[.]com did. The pcap contains several DNS queries with long strings for sub-domain of sluaknhbsoe[.]com.
This type of DNS tunneling does not rely on direct contact with the the C2 domain. Malware families like Anchor use this method to disguise tunneling from an Windows infected host. However, we can easily spot the unusual DNS queries from the pcap. Of note, the following binaries are included in the malware archive:
The malware archive also contains a scheduled task at:
This shows a task to run the following command:
The task is designed to keep Anchor DNS malware persistent on the infected Windows host.
Indicators of Compromise (IOCs) SHA256 hash: ae6dbc08e0e21b217352175f916cfd5269c4fd8d5de6bff2d0a93a366f78e8d1
SHA256 hash: 291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b
SHA256 hash: cc74f7e82eb33a14ffdea343a8975d8a81be151ffcb753cb3f3be10242c8a252
SHA256 hash: 3ab8a1ee10bd1b720e1c8a8795e78cdc09fec73a6bb91526c0ccd2dc2cfbc28d
SHA256 hash: a8a8c66b155fcf9bfdf34ba0aca98991440c3d34b8a597c3fdebc8da251c9634
SHA256 hash: 9fdbd76141ec43b6867f091a2dca503edb2a85e4b98a4500611f5fe484109513
HTTPS traffic that returned malicious spreadsheet:
BazaLoader traffic:
IP address checks by the infected Windows host:
Cobalt Strike traffic:
Domains used by Anchor malware:
Final words Another case of type of infection, one where BazaLoader leads to Cobalt Strike and Anchor, was reported here last month. It even reports the same domains used by Anchor DNS that we see in this month's quiz. Thanks to all who participated, and congratulations again to Alex Rodriguez-Vargas for winning this month's contest! You can still find the pcap and malware at this Github repository. --- Brad Duncan |
Brad 436 Posts ISC Handler Apr 14th 2021 |
Thread locked Subscribe |
Apr 14th 2021 1 year ago |
Sign Up for Free or Log In to start participating in the conversation!