
Intro to Malware Traffic Analysis

Hello World! In this blog post I will introduce analyzing malware PCAPs with Wireshark by going through a challenge from CyberDefenders.


In this challenge we are given 14 questions; we will go through each question and see how to solve it in detail.

Intro to Exploit Kits:


Before we deep dive and solve this challenge it is good to know what exploit kits really are and how they work. An exploit kit is a collection of exploits served from a web server that targets vulnerabilities in the visitor's browser and its plugins (Internet Explorer, Flash, Java and so on). The victim usually lands on it by visiting a legitimate but compromised website: that site has been injected with a script or iframe that redirects the browser, often through one or more intermediate domains, to the exploit kit's landing page. The landing page fingerprints the browser, sends the exploit(s) that match it, and on success downloads and runs the malware payload. Questions that should be answered when analyzing an exploit kit PCAP are: what is the compromised website, what is the IP address of the infected machine, which website redirects to the exploit kit server, which exploits were sent, how many times was the payload delivered, and so on. This is my first attempt at analyzing an exploit kit, so correct me if I was wrong about something. For the sake of this challenge I used Wireshark and VirusTotal.

What is the IP address of the Windows VM that gets infected?




Typically in an exploit kit infection the victim machine makes many HTTP requests to several different websites in a short time, so we can filter with (http.request) and look at who is sending them. Here we can see that 172.16.165.165 (a private address, so a host on the local network) is the source of all of this HTTP traffic, so we can assume it is the infected machine.

answer: 172.16.165.165

What is the IP address of the compromised web site?


We can filter with (http.request) and see the packets:




We can see many GET requests to the IP address 82.150.140.30, and most likely this is the compromised
website. We can see the domain name by opening the packet (double-click) and reading the Host header:
the requests are going to http://www.ciniholland.nl/



Or you can upload the PCAP to VirusTotal, go to Details, and under DNS requests you
can see the IP address that the compromised website's name resolved to:




answer: 82.150.140.30

What is the domain name of the compromised web site?

This should be simple; we already answered it above.

answer: www.ciniholland.nl

What is the IP address of the server that delivered the exploit kit and malware?


For this question I chose to use VirusTotal. Go to Details and then, under Interesting
HTTP Requests, we can see two requests to http://stand.trustandprobaterealty.com:




It is delivering two Flash exploits, served from the IP address 37.200.69.143:80. The same thing can be checked in Wireshark with the filter (http.host == "stand.trustandprobaterealty.com") and reading the destination IP of those requests.

answer: 37.200.69.143 

What is the domain name that delivered the exploit kit and malware?

This also should be simple; we can see it from VirusTotal.
answer: stand.trustandprobaterealty.com 

What is the redirect URL that points to the exploit kit (EK) landing page?

I can assume that the redirect to the exploit kit will be inside an HTML page, so
we can look at the packets whose content type is text/html, with a filter like (http.content_type contains "text/html"):



We can't be sure which one it is, so I checked most of them and found it by right-clicking
a packet and choosing Follow > HTTP Stream:




It refers to the website http://stand.trustandprobaterealty.com/ that delivers the
payload. Looking at the Host and Referer fields of that request we can see that the referrer is
http://24corp-shop.com/, so that is the page that redirected the browser to the exploit kit landing page.



answer: http://24corp-shop.com/ (the question wants the full URL, not only the domain)

Other than CVE-2013-2551 IE exploit, what other exploit(s) sent by the EK? 


We already saw in question 6 that http://stand.trustandprobaterealty.com
delivered two Flash exploits. By going to Export Objects (HTTP) we can also see
two more Java exploits (JAR files):



The hint box also points us to this. You can also save these files and check them on VirusTotal.

answer: Flash, Java

What is the hostname of the Windows VM that gets infected?


This question can be solved by filtering with (nbns or bootp), and the same approach
also answers the next question (What is the MAC address of the infected VM?). Note that
in Wireshark 3.0 and later the DHCP dissector was renamed, so the filter is (nbns or dhcp) there. Using nbns:





You can see the name under NetBIOS Name Service ==> Additional records ==> Name:

answer: K34EN6W3N-PC

What is the MAC address of the infected VM?

Filtering with (bootp) (or (dhcp) in newer Wireshark) we can see the MAC address under Dynamic Host Configuration Protocol ==> Client MAC address, and the hostname in the same packet under option 12 (Host Name):





answer: f0:19:af:02:9b:f1
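To see what those two filters are actually reading, here is an added example (not code from the original post or from CyberDefenders) that pulls the same fields out of raw DHCP and NBNS bytes: the client MAC from the fixed DHCP header, the hostname from DHCP option 12, and the NetBIOS name, which is first-level encoded on the wire and which Wireshark decodes for you. The two packets are constructed inside the script; the hostname and MAC are the ones from the challenge, while the transaction IDs and the IP in the NBNS registration are illustrative.

```python
# Added example, not part of the original post: decode the fields that the
# (nbns or dhcp) filter shows in Wireshark from raw packet bytes. The packets
# are constructed below; transaction IDs and the registered IP are illustrative.
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"


def nbns_encode_name(name, suffix=0x00):
    """First-level NetBIOS encoding: pad the name to 15 chars, append the suffix
    byte, then turn every byte into two nibbles each added to 'A' (0x41)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))


def nbns_decode_name(encoded):
    """Reverse of nbns_encode_name: 32 encoded chars -> (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_nbns_registration(name, ip):
    """Minimal NBNS name registration request (opcode 5): header, one question,
    and one additional record that carries the name's flags and IP."""
    header = struct.pack("!HHHHHH", 0x8001, 0x2910, 1, 0, 0, 1)
    qname = b"\x20" + nbns_encode_name(name) + b"\x00"
    question = qname + struct.pack("!HH", 0x20, 1)           # type NB, class IN
    rdata = b"\x00\x00" + bytes(map(int, ip.split(".")))     # NB flags + address
    additional = qname + struct.pack("!HHIH", 0x20, 1, 300000, len(rdata)) + rdata
    return header + question + additional


def parse_nbns(packet):
    """Return (hostname, suffix, arcount). A registration carries the same name in
    the question and in the additional record Wireshark shows under Name."""
    _, _, qdcount, _, _, arcount = struct.unpack("!HHHHHH", packet[:12])
    if qdcount < 1 or packet[12] != 0x20:
        raise ValueError("not an NBNS question with a 32-char encoded name")
    name, suffix = nbns_decode_name(packet[13:45])
    return name, suffix, arcount


def build_dhcp_discover(mac, hostname):
    """DHCPDISCOVER with option 53 (message type) and option 12 (host name)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, chaddr, b"\0" * 64, b"\0" * 128)
    host = hostname.encode("ascii")
    options = b"\x35\x01\x01" + b"\x0c" + bytes([len(host)]) + host + b"\xff"
    return fixed + DHCP_MAGIC_COOKIE + options


def parse_dhcp(packet):
    """Return (client MAC, hostname or None): the 'Client MAC address' field and
    option 12 'Host Name' that Wireshark shows under the DHCP tree."""
    if packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie; not a DHCP message")
    hlen = packet[2]                                  # hardware address length (6 for Ethernet)
    mac = ":".join("%02x" % b for b in packet[28:28 + hlen])
    hostname, off = None, 240
    while off < len(packet) and packet[off] != 0xFF:  # 0xFF = end of options
        if packet[off] == 0x00:                       # pad option has no length byte
            off += 1
            continue
        code, length = packet[off], packet[off + 1]
        if code == 12:
            hostname = packet[off + 2:off + 2 + length].decode("ascii", "replace")
        off += 2 + length
    return mac, hostname


if __name__ == "__main__":
    print(parse_dhcp(build_dhcp_discover("f0:19:af:02:9b:f1", "K34EN6W3N-PC")))
    print(parse_nbns(build_nbns_registration("K34EN6W3N-PC", "172.16.165.165")))
```

The DHCP and NBNS records agree on the hostname, which is a useful cross-check: the DHCP Client MAC address ties the name to the hardware address, while the NBNS suffix byte tells you which service (0x00 workstation, 0x20 file server) registered it.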


How many times was the payload delivered?


The payload here was a file with the MIME type application/x-msdownload (the type servers
usually attach to a Windows executable). We can answer this question using two approaches.
The first: go to Export Objects (HTTP)
and count them; we see there are three:





Or by filtering with (http.content_type == "application/x-msdownload") and counting the matching responses:



answer: 3 


The compromised website has a malicious script with a URL. What is this URL?

Filter with (http.host == "www.ciniholland.nl"). I usually check the first packet,
and by following its HTTP stream we can see that the page contains a URL pointing at the domain that,
as we said, redirects to the payload deliverer:




 
answer: http://24corp-shop.com/
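Most of the answers so far came from the same handful of Wireshark views: (http.request) grouped by source IP, the Host and Referer headers, (http.content_type) counts, Export Objects (HTTP) and the HTML of the compromised page. The following is an added example, not code from the original post or from CyberDefenders, that does the same pass over a pcap in plain Python with no dependencies. It runs on a capture constructed inside the script: the client, compromised-site and exploit-kit IPs are the ones from the challenge, while 203.0.113.5 (a documentation address) stands in for 24corp-shop.com, whose IP the post does not give. It assumes one HTTP message per TCP segment, which holds for the constructed traffic; a real capture needs TCP stream reassembly (which Follow HTTP Stream does for you), so treat it as a model of the procedure rather than a replacement for Wireshark.

```python
# Added example, not code from the original post. The capture is constructed: the
# IPs and hosts are the challenge's, except 203.0.113.5 (a documentation address)
# standing in for 24corp-shop.com; one HTTP message per TCP segment is assumed.
import hashlib
import re
import struct
from collections import Counter, defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic libpcap, little-endian, microsecond timestamps
URL_ATTR = re.compile(rb"""(?:src|href)\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame around one HTTP message (checksums left zero, never checked)."""
    eth = bytes.fromhex("000000000002") + bytes.fromhex("000000000001") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload

def write_pcap(frames):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in enumerate(frames))

def tcp_payloads(pcap):
    """Yield (src_ip, dst_ip, tcp_payload) for each IPv4/TCP frame (libpcap only, not pcapng)."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC_LE:
        raise ValueError("only little-endian libpcap files are handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                    # IPv4 carrying TCP only
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]       # skip IP header (IHL * 4 bytes)
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        yield src, dst, tcp[(tcp[12] >> 4) * 4:]        # skip TCP header (data offset * 4)

def parse_http(payload):
    """Split one HTTP message into (kind, start_line, headers, body), or None."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    headers = dict((k.strip().lower(), v.strip()) for k, _, v in
                   (line.partition(":") for line in lines[1:]))
    first = lines[0].split(" ")
    kind = "request" if first[0] in ("GET", "POST") else "response" if first[0].startswith("HTTP/") else None
    return (kind, first, headers, body) if kind else None

def triage(pcap):
    """Collect in one pass what the post reads off several Wireshark filters."""
    r = {"requests_by_client": Counter(), "hosts_by_server": defaultdict(set),
         "referers": defaultdict(set), "content_types": Counter(),
         "urls_in_html": defaultdict(set), "payload_md5": {}}
    for src, dst, payload in tcp_payloads(pcap):
        msg = parse_http(payload)
        if msg is None:
            continue
        kind, _, headers, body = msg
        if kind == "request":
            host = headers.get("host", "")
            r["requests_by_client"][src] += 1           # http.request, counted by source IP
            r["hosts_by_server"][dst].add(host)         # Host header seen per server IP
            if "referer" in headers:                    # which page sent the browser here
                r["referers"][host].add(headers["referer"])
            continue
        ctype = headers.get("content-type", "").split(";")[0].strip()
        r["content_types"][ctype] += 1                  # http.content_type == ... counts
        if ctype == "text/html":                        # script/iframe URLs, keyed by server IP
            r["urls_in_html"][src].update(u.decode("latin-1") for u in URL_ATTR.findall(body))
        elif ctype in ("application/x-msdownload", "application/x-shockwave-flash",
                       "application/java-archive"):     # what Export Objects would save
            r["payload_md5"][hashlib.md5(body).hexdigest()] = (src, ctype)
    return r

def build_sample_capture():
    """Constructed traffic following the redirect chain described in the post."""
    client, site, hop, ek = "172.16.165.165", "82.150.140.30", "203.0.113.5", "37.200.69.143"
    def exchange(srv, host, path, referer, ctype, body):
        head = "GET %s HTTP/1.1\r\nHost: %s\r\n" % (path, host)
        head += ("Referer: %s\r\n" % referer if referer else "") + "\r\n"
        resp = "HTTP/1.1 200 OK\r\nContent-Type: %s\r\nContent-Length: %d\r\n\r\n" % (ctype, len(body))
        return [build_frame(client, srv, 49152, 80, head.encode()),
                build_frame(srv, client, 80, 49152, resp.encode() + body)]
    frames = (exchange(site, "www.ciniholland.nl", "/", None, "text/html",
                       b'<html><script src="http://24corp-shop.com/"></script></html>')
              + exchange(hop, "24corp-shop.com", "/", "http://www.ciniholland.nl/", "text/html",
                         b'<iframe src="http://stand.trustandprobaterealty.com/"></iframe>')
              + exchange(ek, "stand.trustandprobaterealty.com", "/a.swf", "http://24corp-shop.com/",
                         "application/x-shockwave-flash", b"FWS" + b"\x00" * 8))
    for _ in range(3):   # the same payload is fetched three times, as in the challenge
        frames += exchange(ek, "stand.trustandprobaterealty.com", "/payload", "http://24corp-shop.com/",
                           "application/x-msdownload", b"MZ" + b"\x90" * 6)
    return write_pcap(frames)
```

Running triage(build_sample_capture()) gives the same picture the questions ask for: the one source IP behind every request is the infected VM, hosts_by_server maps 82.150.140.30 to www.ciniholland.nl, referers shows http://24corp-shop.com/ as the page that sent the browser to stand.trustandprobaterealty.com, and urls_in_html shows that URL embedded in the compromised page. Note that content_types counts three application/x-msdownload deliveries while payload_md5 holds only two distinct files (the Flash exploit and the executable), which is why "how many times was the payload delivered" and "what are the hashes" are different questions.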

Extract the exploit file(s). What is (are) the MD5 file hash(es)?


Answering this is simple: save the exploit files from Export Objects (HTTP) and compute their hashes with a
program like HashMyFiles, or just upload them to VirusTotal.

answer: 
7b3baa7d6bb3720f369219789e38d6ab, 1e34fdebbf655cebea78b45e43520ddf 


Questions 11 and 14 I really didn't solve, because they needed knowledge of
Snort and setting it up, and I didn't have time for that. Anyway, I hope this gave
you a good intro to network traffic analysis; it's one of the topics that I am not
that good at, but I am trying to get better by solving CyberDefenders challenges :).





