Malware Traffic Analysis 6

c42-MTA6-1022-UTC: What is the attachment file name?

Homicide-case#9347728.zip

c42-MTA6-1022-UTC: The attachment contains malware. When was the malware first submitted to virustotal?

Checking the hash on VirusTotal:

https://www.virustotal.com/gui/file/240a0e11f0ce82aa368e51457dcf37e2f6260465bce4db946dd5f6e39c874916/detection

2015-09-11

c42-MTA6-1022-UTC: The malware was communicating with multiple external servers. Provide the number of unique URLs contacted by the malware? (VirusTotal graph is your friend).

48

c42-MTA6-1022-UTC: Provide the FQDN contacted by the malware?

icanhazip.com

c42-MTA6-1422-UTC: What was the malicious document’s creation time? (one space between date and time).

Since Windows has no built-in file tool, we can check the file signature (magic bytes) online:

Seems to be a Word document.

2015-06-24 11:31:00

c42-MTA6-1422-UTC: Which stream contains the macro? (provide stream number).

How oledump works: https://blog.didierstevens.com/programs/oledump-py/

3

c42-MTA6-1422-UTC: What is the technique used to hide the actual VBA code? (two words with one space in between).

https://attack.mitre.org/techniques/T1564/007/

VBA Stomping

c42-MTA6-1422-UTC: What is the sha256 hash of the executable malware?

To dump and decompress the stream containing the macro:

python.exe "oledump.py" -s 3 -v c42-MTA6-1422-UTC.extract.file.doc
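The -v switch of oledump decompresses the module stream using the MS-OVBA container format, and the VBA stomping answer above rests on what comes out: a stomped module decompresses to little more than Attribute lines because the source text was wiped while the p-code (which Office actually runs) was left in place. The following added example, which is not oledump's code nor part of the original write-up, re-implements that decompression (MS-OVBA section 2.4.1), locates the compressed container at the tail of a module stream, and applies a simple stomping heuristic to the result. The module stream bytes are constructed for the example; the byte comments describe how each token was hand-encoded.

```python
"""MS-OVBA decompression of a VBA module stream, plus a VBA stomping heuristic.

Added example (not oledump's own code): re-implements what 'oledump.py -s 3 -v'
does to a module stream, following the token layout of MS-OVBA 2.4.1.
"""
import re
from typing import Optional


def decompress_vba(data: bytes) -> bytes:
    """Decompress a CompressedContainer: signature byte 0x01 followed by chunks."""
    if not data or data[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        chunk_size = (header & 0x0FFF) + 3            # size field counts the 2-byte header
        if (header >> 12) & 0x7 != 0b011:              # ChunkSignature must be 0b011
            raise ValueError("bad chunk signature at offset %d" % pos)
        compressed = bool(header & 0x8000)
        chunk_end = pos + chunk_size
        pos += 2
        chunk_start_out = len(out)
        if not compressed:                             # raw chunk: 4096 literal bytes
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = data[pos]                          # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:             # literal token: copy one byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                # The offset/length split of a copy token depends on how much of
                # this chunk has already been decoded (minimum 4 offset bits).
                decoded = len(out) - chunk_start_out
                bit_count = max(4, (decoded - 1).bit_length())
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):                # byte-wise copy, overlap allowed
                    out.append(out[src + i])
    return bytes(out)


def find_vba_container(module_stream: bytes) -> Optional[int]:
    """Offset of the CompressedSourceCode that ends a module stream (after the p-code)."""
    for i in range(len(module_stream) - 2):
        if module_stream[i] != 0x01:
            continue
        header = int.from_bytes(module_stream[i + 1:i + 3], "little")
        if (header >> 12) & 0x7 != 0b011:
            continue
        try:
            decompress_vba(module_stream[i:])
        except (ValueError, IndexError):
            continue
        return i
    return None


ATTRIBUTE_LINE = re.compile(r"^\s*Attribute\s+VB_\w+\s*=.*$", re.IGNORECASE)


def looks_stomped(source: str) -> bool:
    """True when nothing but Attribute lines survive: the VBA text was removed
    while the p-code that Office executes stayed behind (VBA stomping)."""
    lines = [ln for ln in source.splitlines() if ln.strip()]
    return all(ATTRIBUTE_LINE.match(ln) for ln in lines)


# Constructed sample module stream: a fake PerformanceCache (containing a decoy
# 0x01 byte) followed by a container that decodes to "Sub Go()\r\nEnd Sub\r\n".
SAMPLE_MODULE_STREAM = (
    b"\x00\xCA\xFE\x00\x01\x02\x03"                # fake p-code; 0x01 0x02 0x03 is not a valid header
    + b"\x01"                                      # container signature
    + b"\x14\xB0"                                  # header 0xB014: compressed, sig 0b011, size 23
    + b"\x00" + b"Sub Go()"                        # flags 0x00: eight literal tokens
    + b"\x40" + b"\r\nEnd " + b"\x00\xD0" + b"\r"  # six literals, copy token (offset 14, len 3) = "Sub", literal
    + b"\x00" + b"\n"                              # final literal token
)


def extract_vba_source(module_stream: bytes) -> str:
    start = find_vba_container(module_stream)
    if start is None:
        raise ValueError("no compressed VBA container found")
    return decompress_vba(module_stream[start:]).decode("latin-1")


if __name__ == "__main__":
    src = extract_vba_source(SAMPLE_MODULE_STREAM)
    print(src)
    print("stomped?", looks_stomped(src))
```

On a real document the module stream would come from the OLE stream oledump reports (stream 3 here); the scanner only needs the raw stream bytes. A stomped module typically also shows a large PerformanceCache in front of the container, so a sizeable module stream that decompresses to a few Attribute lines is the signal to analyse the p-code instead of the source.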

https://isvbscriptdead.com/vbs-obfuscator/
https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office

Gonna go the easy way here and execute it in a sandbox (vmonkey did not produce any good results).

09cce2a039bf72e9c9896e475556563c00c467dc59d2535b0a0343d6741f9921

c42-MTA6-1557-UTC: What is the full URL of the fake login page?

hp://www.smkind.co[.]za/Images/Buttons/13v.php

c42-MTA6-1839-UTC: How many domains are present in the JS file?

Obfuscated js:

Deobfuscation:

Tool used to deobfuscate JavaScript: https://lelinhtinh.github.io/de4js/

c42-MTA6-1839-UTC: The JS code is checking for a specific HTTP response code. What is the response code being checked?

200
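Once the JavaScript is de-obfuscated, the two questions above (how many domains, which status code is gated on) are answered by triage over the source text. The following added example, which is not from the write-up nor from de4js, does that in Python: it first joins the string concatenations that obfuscators leave behind, then lists unique hostnames and the status codes compared against a .status property. The JS sample is constructed and uses the reserved .test TLD.

```python
"""Triage helpers for a de-obfuscated JavaScript downloader.

Added example (not part of the original write-up). The sample script below is
constructed; real downloaders differ, but the two patterns it shows (split
strings and an XMLHttpRequest status gate) are what the questions hinge on.
"""
import re

JS_SAMPLE = r'''
var hosts = ["http://" + "alpha-example" + ".test/gate.php",
             "http://beta-example.test/gate.php",
             "http://ALPHA-example.test/other.php", 'http://gamma-example.test/'];
function fetch(u) {
  var x = new XMLHttpRequest();
  x.open("GET", u, false);
  x.send();
  if (x.status == 200) { return x.responseText; }
  return null;
}
'''

# "..." + "..." or '...' + '...' with the same quote type on both sides
CONCAT = re.compile(r'(["\'])\s*\+\s*\1')
# scheme://host, tolerating the hxxp defanging convention
HOST = re.compile(r'(?:https?|hxxps?|ftp)://([A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,})',
                  re.IGNORECASE)
# comparisons of the form  .status <op> NNN  (the reversed form is not matched)
STATUS = re.compile(r'\.status\s*(?:===|==|!==|!=|<=|>=|<|>)\s*(\d{3})\b')


def join_string_concats(js: str) -> str:
    """Merge adjacent string literals so split hostnames become one token."""
    return CONCAT.sub('', js)


def extract_domains(js: str) -> list:
    """Unique hostnames referenced by URLs in the script, lower-cased and sorted."""
    joined = join_string_concats(js)
    return sorted({m.group(1).lower() for m in HOST.finditer(joined)})


def status_codes_checked(js: str) -> list:
    """HTTP status codes the script compares a .status property against."""
    return sorted({int(m.group(1)) for m in STATUS.finditer(js)})


if __name__ == "__main__":
    print("domains:", extract_domains(JS_SAMPLE))
    print("status codes checked:", status_codes_checked(JS_SAMPLE))
```

The domain count is taken after case-folding and after joining concatenated fragments; without the join, the first host in the sample would be missed entirely, which is exactly what the obfuscation is for.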

The victim received multiple emails and opened only one of them. Which one did he open? (provide the full eml file name).

What is the victim machine hostname?

FRANKLION-PC

What is the name of the exploit kit used to deliver the malware? (one word).

Angler

https://www.theregister.com/2016/08/16/angler_8734564567/
https://blog.malwarebytes.com/threat-analysis/2016/03/large-angler-malvertising-campaign-hits-top-publishers/

Which IP address served the exploit?

216.245.212.78 [randt.smittysautomart.org]

What is the FQDN of the compromised website that redirected the victim to the attacker’s server hosting the Exploit Kit?

prideorganizer.com