So I decided to randomly grab a PCAP from https://www.malware-traffic-analysis.net/ and analyze it, specifically the sample https://www.malware-traffic-analysis.net/2022/02/23/index.html
Lets get to it I guess?
I started off looking directly at the HTTP queries to see what sites had been visited as a lot of malware use the HTTP protocol for communications and such, it may be of interest to look into the DNS queries as well, however it should be stated because of caching and other things, you may miss what was visited.
Initially we can see the highlighted packet looks odd, specifically the GET request made. Now, I should state just because a GET request looks weird doesn’t mean it is, it could be a website improperly handling sessions by sending them as part of the GET request (don’t do this unless you want session hijacking), or it simply could be a random encoding scheme or obfuscation scheme implemented by the site. This definitely requires more investigation, as we may have a vulnerability or malicious traffic!
Upon opening this packet up and looking we see a request to ajaxmatters[.]com and upon putting that in https://urlhaus.abuse.ch/ we see it is indeed malicious! This URL is associated with Emotet!
Since we know this is now associated with the Emotet malware, lets look more at the TCP stream to see if there is anything interesting.
Upon looking at the stream in Wireshark, we can see the payload starts with MZ and contains “This program cannot be run in DOS mode.” This definitely sets off red flags for being a malicious binary. And if we extract it and run it through VirusTotal we can see it is indeed malicious.
At this point in time we know whatever victim system was involved with this traffic is infected. Out of curiosity though lets keep digging.
Because the malicious traffic appears to be using HTTP as at least one method of communication, lets take a look at that traffic more to see what else comes up, if anything. We can see below all HTTP files that Wireshark found.
The JPEG file itself to me looks odd for two reasons, first, it has a random name and second its hostname associated with it is an IP address rather than a URL The hostname associated with an IP address instead of a URL is a red flag in my opinion so lets take a look at this image.
Within Wireshark if we follow the stream associated with the JPEG we can see what looks initially like random data, however, after closer inspection we can see what appears to be some DLL names backwards. Is this an executable or DLL as a payload but backwards?
Yep, it is, upon running strings on the payload we can see it has “This program cannot be run in DOS mode.” backwards as a string, and if we look at the bytes making up the payload it starts with ZM (the PE header backwards)
And upon running this payload through VirusTotal.
We know this system is very much infected at this point so I just ended traffic analysis here, although it is recommended to continue to see if it is interacting with other systems on the network so we know how to handle this incident.
Anyways, I thought that was a fun PCAP to dig through so I wanted to share it with you all. As always I hope you learned something or at least had fun, if you have any questions please reach out.