MALWARE Analysis with Wireshark // TRICKBOT Infection

Captions
You guys want to check out some malware analysis? I do. Let's have some fun. So go ahead and click the link in the description down below and you can follow right along in this pcap. Now, that link is going to send you over to my buddy's webpage, and that's Brad Duncan. He's got a full repository of pcaps of different types of malware infections, and he gave us permission to go and use these, so thank you, Brad.

Now, when you go ahead and download the pcap, you're going to have to open it up locally on your machine. The password to do so is "infected". Yes, we're dealing with live malware, so be careful. You are able to open it up in Wireshark and this will not infect your machine. However, what you don't want to do (okay, this is the warning) is extract objects from this file and execute them locally. Don't do that. But you can interact with them through the pcap and you'll be safe.

All right, so first, when I'm looking at malware, one of the things I like to do is just take a look at DNS. So let's go ahead and set a filter for that. I'm going to come up here to the display filter, apply dns, and we're going to filter in on all the calls that this station is making. So here you can see, first of all, we're here at 28.229; that's the IP of the machine that allegedly has this infection that we're investigating. If I come over here, I can see that there are lots of "no such name" responses for names that are being looked up, and we're doing some lookups there. But something that's going to catch my eye is when I see a machine doing a "what is my IP" lookup. An end user won't often do that, right? The reason a malware infection will is that the malware wants to know what the external IP address is: when it goes through the NAT and enters the world, what address will it be coming from? So basically, "how can I tell my attacker to phone home; what IP am I actually coming from?" That's something I'll look for. It won't happen in all cases, but that would be something to trigger my little radar: maybe I have some strange traffic going on.

Next, let's go ahead and say, okay, there's DNS. The next thing I want to do is go to HTTP, so just take a look at some low-hanging fruit and analyze a few different HTTP calls. Now, the reason this is going to catch my attention is that a lot of times today, when you and I browse the web and go out to different sites, we do so over secure web: we're doing this over port 443, not port 80 anymore. There might be a few applications that still use 80, but if I start to see a lot of calls over port 80, I'd be interested in where these calls are going, who we're talking to, what the user agents or the server names are that we're talking to, and what direction traffic is going in. So let's go and start with the first one. We set the filter for http; let's go ahead and right-click on the first one and I'm going to say Follow TCP Stream. Now there are a few things that jump out at me here. This is coming from user agent curl, so it's directly using that curl call and it's not using a standard user agent. If this person was using a Chrome browser or Firefox (or Mozilla), you would see a very long user agent string there, but this one's pretty short. And also, when I see it come back, the server's name is Cowboy. Wonderful. And Cowboy is giving us an IP address, 173.166.146.

So what I'm going to do is actually copy that, say Close, and just come up here to the top and set a filter for that IP. I'm just curious: does this station then go talk to that IP address that came back from Cowboy? I'm going to put that IP in there, and in this case I don't see that; I don't see the client went out to talk to that advertised IP. Well, I'm just going to store that away for later. So I'm just going to go ahead and remove this; let's come back into our HTTP and take a look at these calls. Notice that the client does a GET, and then, a little while later, it starts doing POSTs. So let's start investigating these POSTs. I'm going to right-click this POST and say Follow TCP Stream, and let's take a closer look at what I'm looking at. First of all, there's my user agent. Now this is looking like a little bit more normal of a user agent, but check out the host that I'm talking to. That's something that identifies, when I'm talking to a web server, "okay, here's my user agent, but what host am I talking to?" If I talk to YouTube, then I would be going to youtube.com; if I go to XYZ News or whatever news, then I would be identifying that here in the Host field. But here I just go straight to an IP address. All right, so I'm going to note that for later. And notice the kind of stuff that I'm sending. Again, remember, I'm POSTing this; I'm not pulling it, I'm not GETting it, I'm POSTing it. So here I can see form data: bill info, card info. And I'm also talking to Cowboy. Hmm. All right, let's go ahead and close this.

Next step: I'm going to come in and I want to know where this 36.89.106 address is. Where in the world am I talking to? If I expand IP, I can go and take a closer look, and notice I'm going to Indonesia. Okay. Well, this activates the part of Wireshark where I'm using the GeoIP lookup, where I can actually see where in the world an IP is physically located according to the GeoIP databases. Now, if you want to learn how to do that, I'll go ahead and link it in the description down below; I have another video on how to actually enable the GeoIP option within Wireshark. So I'll teach you how to do that in another video. Okay, so I'm hitting Indonesia with this POST. Let's go ahead and keep going.

Now I'm going to go back and reset my http filter again; that was that first call. Let's go ahead and take a look at this next call: right-click, Follow TCP Stream. This time, wow. So I export the POP3: mail.catbomber.net, and here's a username and a password. Interesting. Wow, what am I trying to export? Well, down here, yeah, I even identify the things I'm trying to send out: those Outlook passwords. Nice. Here's my email client, here's a username and password; go check it out, just go ahead and access my email. Let's come down here to the right: you can see stream 9. Let me go up to stream 10, and here I'm trying to export OpenVPN passwords and configs; thankfully I don't see any there. And if I keep going here, also OpenSSH private keys. Nice. Okay, Mr. Attacker, you can just have this stuff. Let's go and close this; thankfully I didn't see any of those things.

Next, okay, HTTP, just kind of crawling through these different calls. If I come down here, I'm going to jump forward in time a few hundred milliseconds, and again this is a POST. So let's go ahead and right-click this guy and see what else we're posting out here. And here we have some nice system information, and we're sending it out to this address on this port number. Here are all of our system processes, so just in case you wanted to know a bit more about how to exploit me, here you go; that's the process list. Also in system information: here's my name, here's my domain, here's my IP, here's the subnet mask I use, my default gateway, my DNS. What else do you want to know about me? This is the software version I'm running; that's kind of old, that's Windows 7 on this system. And then I have net view all. Come down here and take a look at some Active Directory stuff. Here I've got my domain controller, catbomber DC. Oh, usernames and passwords, anybody? So here's the username, here's guest, here's another username, Timothy Philip, and again I'm exporting all of this out to Cowboy. Nice.

Well, it wasn't just this one station, this catbomber W7 PC. If I go up another stream, I'm going to actually kick up a couple of them. In fact, you know what, I'm going to go and close this down, head back to my http filter, come down here, and what I'm looking for... I'm actually going to come down to this bottom POST, right-click it, and if I come down to Follow Stream, this is where I do the same thing, but notice now the catbomber DC, the domain controller, has been infected, so now it's exporting its stuff. Right, so wonderful: 28.8, that was the DNS system that was just identified in the other system. Great, so now my domain controller's been impacted. Okay, so let's go ahead and close.

All right, so clearly I have an attack; I'm exporting this system information out there. But something else I can notice: ooh, Phnom Penh. Okay, anybody? Cambodia. Good. All right, so that's where we're exporting it to. Now, if I clear out that filter, one other thing I can look for, since I see that this malware is at least partially using open web, is I can come up here to File > Export Objects > HTTP. Now this is where I can come down and see that I've got imgpaper.png, so here's an actual file that's being requested from this 162 address. Okay, imgpaper.png. So I'm going to go ahead and close this. Now remember, I warned you before: do not export and run this file locally. Do not say Save and execute it. No, then you'll be infected with this malware; we don't want that. So let's say Close. What I'm going to do is just a frame contains "imgpaper", so that'll show me the one call where that GET happens. I'm going to right-click it, go to Follow TCP Stream, and notice something about this file: allegedly the name of this file is imgpaper.png, so it appears like an image. But if I take a closer look, I can see down here that the beginning of this file is actually the code for a binary file in Windows. In fact, when this system begins to transmit this file over to me, we can see it's 503 K: "This program cannot be run in DOS mode". That tells me that this is a binary executable on Windows. So basically this server is saying, "oh, Windows 7, here's an executable for you to run; go ahead and execute it and then we'll be up to even more bad things", right? So this was hiding under the PNG name. That's not good, right? So let's go ahead and close that.

Okay, so how is that something I could quickly filter for? What if it wasn't that file name next time, but an executable was still hiding under a different file name? Well, that's something I can do up here with a display filter, and one that I've used in the past is frame contains, and this is where I put, in quotation marks, "DOS mode", capital DOS. So: show me all packets that have the "DOS mode" string in there. So the packets, the two that I get: the first one here, if I expand this, says "This program cannot be run in DOS mode", so this is the beginning of an executable file running across the wire, and the second one is the same. So there are two files that I received from a server out there, and if I check my GeoIP, I can see where it's coming from: oh, from NodesDirect, right there in the United States. Fantastic, they're giving me these executable files. Now one thing I could do is extract these, save them, and upload them to VirusTotal, and that would give me more information about the type of infection. But before I do that, there's one last trick I'm going to show you looking at this malware, and that is, if I jump all the way to the top, there's a really interesting thing that Wireshark does that we can utilize when we're looking at malware, and that is this first SYN, SYN-ACK, ACK. Go ahead and jump all the way to the top with me and check out this Client Hello.

Now there are a few things that look weird about this Client Hello; let me go ahead and collapse this. First of all, we're running off to another country: Germany. Wonderful. Okay, so if I take a look at TLS, first of all it's TLS 1.0. So the version: I don't like to see that anymore in modern networks; I want to see 1.2, 1.3 or better, depending on when you're watching this video, but TLS 1.0 at the time of this recording is very archaic. This is old TLS; we shouldn't have any legitimate clients that are using this version. And I see that I also do not have another TLS extension where a higher version could be negotiated. Sometimes you'll see a station initially just use version TLS 1.0 just to get in the door and talk to a server, but then it offers, through a TLS extension, some other versions to use. But in this case that's not being done. Now, JA3: what this is, is basically a string that shows the different options within this Client Hello in this code format. So don't worry too much about what these numbers actually are right now, but just know that each Client Hello has a signature, so we can fingerprint the type of application that is sending this TLS hello based on the different options that are sent. So in this case we look at version, we look at even the ports that are used, we can take a look at the cipher suites that are offered, we can look at the extensions length; all of these go into creating a fingerprint for us. So what we do is we take that full string and then we throw it through an MD5 hash; that hash value is right here, JA3. So let's do this: let's do a right-click, we're going to do Copy > Value, and I want you to come out here, and this is ja3er.com; I'll link that in the description down below. What you could do is just paste this JA3 hash into their search and hit Search, and what this will do is look at the repository for any fingerprints of TLS clients that are initiating a connection using that hash value, and that hash is made from all of the little values that it sees in that Client Hello. And here, right away, we see that this is a TrickBot infection. Okay, so that client was overtaken by TrickBot malware, and that TrickBot initiated a secure connection using that signature that we could identify as being from TrickBot.

So I hope you liked coming through this malware example with me. Let me know in the description down below if you like this kind of video, taking a look at the packet level as far as infections and intrusions and exploits like this, and I can start to make a bit more content like this. Now, you did see me rip through a bunch of different screens, so to help you get some more training on how to use Wireshark and do this type of analysis, go ahead and click here for lesson one of my Wireshark Master Class.
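The `frame contains "DOS mode"` filter in the video is a per-frame string match. The following script is an added example, not code from the video or from Chris Greer: it applies the same idea to a reassembled HTTP response, classifying the body by its magic bytes (an `MZ` header followed by the DOS stub marks a Windows executable) and flagging the two mismatches seen in the walkthrough, an executable fetched under an image-style name such as imgpaper.png and an executable delivered with an image `Content-Type`. All function names are this example's own, the HTTP responses are constructed inline, and the "PE" body is a synthetic DOS header plus stub, not a real binary.

```python
"""Spot a Windows executable served under an image name (added example, not from the video)."""
import re

DOS_STUB = b"This program cannot be run in DOS mode"   # the string the video filters on
IMAGE_MAGICS = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
                b"GIF87a": "gif", b"GIF89a": "gif"}
IMAGE_NAME = re.compile(r"\.(png|jpe?g|gif)$", re.IGNORECASE)


def split_http_response(raw):
    """Split a reassembled HTTP/1.x response into (status line, header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def sniff_body(body):
    """Classify a body by its leading bytes rather than by its name or Content-Type."""
    if body[:2] == b"MZ" and DOS_STUB in body[:1024]:
        return "pe"
    for magic, kind in IMAGE_MAGICS.items():
        if body.startswith(magic):
            return kind
    return "unknown"


def assess_http_object(request_path, raw_response):
    """Return (detected body type, list of findings) for one downloaded object."""
    _, headers, body = split_http_response(raw_response)
    declared = headers.get("content-type", "")
    actual = sniff_body(body)
    findings = []
    if actual == "pe":
        findings.append("body starts with an MZ header and the DOS stub: Windows executable")
        if IMAGE_NAME.search(request_path):
            findings.append("executable served under image-style name " + request_path)
        if declared.startswith("image/"):
            findings.append("Content-Type " + declared + " contradicts the PE body")
    return actual, findings


# Constructed sample data: a synthetic DOS header + stub, not a real executable.
FAKE_PE_BODY = (b"MZ\x90\x00" + b"\x00" * 56 + b"\x80\x00\x00\x00"      # e_lfanew at offset 0x3c
                + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
                + DOS_STUB + b".\r\n$" + b"\x00" * 32)


def http_200(content_type, body):
    """Wrap a body in a minimal constructed HTTP/1.1 200 response."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


SAMPLE_PE_AS_PNG = http_200(b"image/png", FAKE_PE_BODY)
SAMPLE_REAL_PNG = http_200(b"image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 17)

if __name__ == "__main__":
    for path, resp in [("/imgpaper.png", SAMPLE_PE_AS_PNG), ("/logo.png", SAMPLE_REAL_PNG)]:
        kind, findings = assess_http_object(path, resp)
        print(path, kind, findings or "no findings")
```

In Wireshark, `frame contains` is evaluated per frame, so the `"DOS mode"` string is only matched in the segment that actually carries it (normally the first body segment); the script above looks at the whole reassembled body, which is what you get from File > Export Objects > HTTP or Follow TCP Stream. It assumes a plain `Content-Length` body; chunked transfer encoding would need to be decoded first.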
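JA3, as used at the end of the walkthrough, is the MD5 of a comma-separated string built from five Client Hello fields: the version, the cipher suites, the extension types, the supported groups (elliptic curves) and the EC point formats, with GREASE values removed. The script below is an added example, not the video's or Wireshark's code: it serialises a constructed Client Hello, parses it back, builds the JA3 string and hash, and separately reports the two things the video points at (a TLS 1.0 version in the hello and no `supported_versions` extension offering anything newer). All function names, the host name example.test, and both sample hellos are this example's own constructions.

```python
"""JA3 fingerprinting of a raw TLS ClientHello record (added example, not from the video)."""
import hashlib
import struct


def is_grease(value: int) -> bool:
    # GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ..., 0xfafa. Browsers insert them at
    # random positions, so JA3 drops them or the hash would change between connections.
    return (value >> 8) == (value & 0xFF) and (value & 0x0F) == 0x0A


def build_client_hello(version, ciphers, extensions):
    """Serialise a TLS record carrying a ClientHello (constructed test input only)."""
    body = struct.pack("!H", version)                  # client_version
    body += bytes(range(32))                           # 32-byte random, fixed here
    body += b"\x00"                                    # empty session_id
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                # one compression method: null
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (version, cipher list, extension types, supported groups, point formats)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                              # 5-byte record + 4-byte handshake header
    version = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    p += 32                                            # random
    p += 1 + record[p]                                 # session_id
    cs_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + record[p]                                 # compression methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    end = p + ext_len
    ext_types, groups, point_formats = [], [], []
    while p < end:
        etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
        data = record[p:p + elen]; p += elen
        ext_types.append(etype)
        if etype == 10:     # supported_groups: 2-byte list length, then 2-byte ids
            n = struct.unpack("!H", data[:2])[0]
            groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == 11:   # ec_point_formats: 1-byte list length, then 1-byte ids
            point_formats = list(data[1:1 + data[0]])
    return version, ciphers, ext_types, groups, point_formats


def ja3(record):
    """Return (ja3_string, ja3_md5); field order is version,ciphers,extensions,groups,formats."""
    version, ciphers, ext_types, groups, point_formats = parse_client_hello(record)

    def dash(values):
        return "-".join(str(v) for v in values if not is_grease(v))

    ja3_string = ",".join([str(version), dash(ciphers), dash(ext_types), dash(groups),
                           "-".join(str(v) for v in point_formats)])
    return ja3_string, hashlib.md5(ja3_string.encode()).hexdigest()


def legacy_tls_indicators(record):
    """The two observations from the video: a TLS 1.0 hello, and no newer version on offer."""
    version, _, ext_types, _, _ = parse_client_hello(record)
    findings = []
    if version <= 0x0301:
        findings.append("client_version is TLS 1.0 or lower")
    if version < 0x0303 and 43 not in ext_types:
        findings.append("no supported_versions extension offering a newer version")
    return findings


# Constructed sample hellos (example.test is a placeholder host name).
MODERN_HELLO = build_client_hello(
    0x0303,
    [0x0A0A, 0x1301, 0xC02B, 0xC02F, 0x002F],             # GREASE first, then real suites
    [(0x2A2A, b""),                                      # GREASE extension
     (0, b"\x00\x0f\x00\x00\x0cexample.test"),           # server_name
     (10, b"\x00\x08\x1a\x1a\x00\x1d\x00\x17\x00\x18"),  # supported_groups, with GREASE
     (11, b"\x01\x00"),                                  # ec_point_formats: uncompressed
     (13, b"\x00\x04\x04\x03\x08\x04"),                  # signature_algorithms
     (43, b"\x04\x03\x04\x03\x03")])                     # supported_versions: 1.3, 1.2
LEGACY_HELLO = build_client_hello(
    0x0301, [0x002F, 0x0035, 0x000A],
    [(0, b"\x00\x0f\x00\x00\x0cexample.test"), (11, b"\x01\x00")])

if __name__ == "__main__":
    for name, hello in [("modern", MODERN_HELLO), ("legacy", LEGACY_HELLO)]:
        print(name, ja3(hello), legacy_tls_indicators(hello))
```

The JA3 string for the modern sample comes out as `771,4865-49195-49199-47,0-10-11-13-43,29-23-24,0` and the legacy one as `769,47-53-10,0-11,,0`, which is the same text Wireshark shows in the `tls.handshake.ja3_full` field; the hash is what you paste into ja3er.com. A hash only identifies the TLS stack that produced the hello, so a hit for a malware family should be read together with the other evidence in the capture.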
Info
Channel: Chris Greer
Views: 37,358
Keywords: intro to wireshark, wireshark, how to use wireshark, wireshark class, tcp/ip analysis, introduction to wireshark, chris greer, wireshark course, free wireshark training, getting started with wireshark, wireshark for beginners, wireshark tutorial, wireshark tutorial 2021, wireshark training, wireshark tips, pcapng, http wireshark, cybersecurity, malware analysis, packet level analysis, protocol analysis, wireshark malware
Id: Brx4cygfmg8
Length: 14min 53sec (893 seconds)
Published: Thu May 05 2022