Quick Malware Analysis: PIKABOT INFECTION WITH COBALT STRIKE pcap from 2023-05-23

Thanks to Brad Duncan for sharing this pcap:
https://www.malware-traffic-analysis.net/2023/05/23/index.html

We did a quick analysis of this pcap on the NEW Security Onion 2.4. If you'd like to follow along, you can do the following:

• install Security Onion 2.4 in a VM:
  https://docs.securityonion.net/en/2.4/first-time-users.html
• import the pcap using so-import-pcap:
  https://docs.securityonion.net/en/2.4/so-import-pcap.html#so-import-pcap
• optionally enable the new DNS lookups feature:
  https://docs.securityonion.net/en/2.4/soc-customization.html?#reverse-dns-lookups

The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:
https://blog.securityonion.net/search/label/quick%20malware%20analysis

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see https://securityonion.net.

Our 10th Annual Security Onion Conference is coming up soon, so reserve your seat today! Last day to register is September 29. For more details, please see https://socaugusta2023.eventbrite.com/.

Do you want to deploy the new Security Onion 2.4 to your enterprise but need training? Our first 4-day public training class on Security Onion 2.4 will be in beautiful Augusta GA as part of Augusta Cyber Week! The class is at a very special price AND you get a free ticket to BOTH Security Onion Conference AND BSidesAugusta! For more information, please see https://blog.securityonion.net/2023/07/registration-now-open-for-augusta-cyber.html.

Do you want to deploy Security Onion to your enterprise and want the best enterprise hardware? We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project! For more information, please see https://securityonionsolutions.com/hardware.

Screenshots

First, we start with the overview of all alerts and logs:

Next, we focus on the alerts:

We can switch to ungrouped mode to see more detail:

Notice that the last 4 alerts are for the same TCP stream, so let's pivot to pcap. Notice the user agent string, the bare IP host header, and the executable file that is downloaded:

Back at the alerts, let's take a look at the pcap for the 3 "ET CNC Feodo Tracker Reported CnC Server" alerts:

After reviewing alerts, let's look at all of the protocol metadata:

Next, let's look at the Zeek Notices:

We'll next review HTTP transactions:

Next, here are the SSL/TLS connections:

We'll next review the DNS lookups:

That sankey diagram is a little crowded, so let's maximize it:

Finally, let's look at all connections:

and in maximized format:

Quick Malware Analysis: FORMBOOK from possible MODILOADER pcap from 2023-06-16

Thanks to Brad Duncan for sharing this pcap:
https://www.malware-traffic-analysis.net/2023/06/16/index.html

We did a quick analysis of this pcap on the NEW Security Onion 2.4. If you'd like to follow along, you can do the following:

• install Security Onion 2.4 in a VM:
  https://docs.securityonion.net/en/2.4/first-time-users.html
• import the pcap using so-import-pcap:
  https://docs.securityonion.net/en/2.4/so-import-pcap.html#so-import-pcap
• optionally enable the new DNS lookups feature:
  https://docs.securityonion.net/en/2.4/soc-customization.html?#reverse-dns-lookups

The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:
https://blog.securityonion.net/search/label/quick%20malware%20analysis

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see https://securityonion.net.

Our 10th Annual Security Onion Conference is coming up soon, so reserve your seat today! Last day to register is September 29. For more details, please see https://socaugusta2023.eventbrite.com/.

Do you want to deploy the new Security Onion 2.4 to your enterprise but need training? Here are the top 5 reasons to sign up for our upcoming training class: https://blog.securityonion.net/2023/08/top-5-reasons-to-sign-up-for-our-4-day.html.

Do you want to deploy Security Onion to your enterprise and want the best enterprise hardware? Here are the top 5 reasons to purchase appliances from Security Onion Solutions: https://blog.securityonion.net/2023/08/top-5-reasons-to-purchase-security.html.

Screenshots

First, we start with the overview of all alerts and logs:

Next, let's review the alerts:

Drilling into the "ET POLICY PE EXE or DLL Windows file download HTTP" alert, we see:

If we click on the alert and then choose the Correlate option, then we can see all alerts for this TCP stream:

Clicking on one of those alerts and then clicking PCAP takes us to the full TCP stream:

Switching to ASCII transcript makes it easier to see the HTTP transaction including the EXE file header:

Back at the Alerts screen, we next drill into the "ET INFO HTTP Request to Suspicious *.life Domain" alerts:

Pivoting to PCAP we see:

Back at the Alerts overview, we drill into the "ET MALWARE FormBook CnC Checkin (GET)" alerts:

Now let's take a look at protocol metadata:

Here are the HTTP GET and POST requests:

Here are the DNS lookups:

Here are the connections with GeoIP information:

Finally, here are the SSL/TLS connections:

Quick Malware Analysis: GOZI/ISFB INFECTION WITH COBALT STRIKE pcap from 2023-07-12

Thanks to Brad Duncan for sharing this pcap:
https://www.malware-traffic-analysis.net/2023/07/12/index.html

We did a quick analysis of this pcap on the NEW Security Onion 2.4. If you'd like to follow along, you can do the following:

• install Security Onion 2.4 in a VM:
  https://docs.securityonion.net/en/2.4/first-time-users.html
• import the pcap using so-import-pcap:
  https://docs.securityonion.net/en/2.4/so-import-pcap.html#so-import-pcap
• optionally enable the new DNS lookups feature:
  https://docs.securityonion.net/en/2.4/soc-customization.html?#reverse-dns-lookups

The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:
https://blog.securityonion.net/search/label/quick%20malware%20analysis

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see https://securityonion.net.

Our 10th Annual Security Onion Conference is coming up soon, so reserve your seat today! Last day to register is September 29. For more details, please see https://socaugusta2023.eventbrite.com/.

Do you want to deploy the new Security Onion 2.4 to your enterprise but need training? Our first 4-day public training class on Security Onion 2.4 will be in beautiful Augusta GA as part of Augusta Cyber Week! The class is at a very special price AND you get a free ticket to BOTH Security Onion Conference AND BSidesAugusta! For more information, please see https://blog.securityonion.net/2023/07/registration-now-open-for-augusta-cyber.html.

Do you want to deploy Security Onion to your enterprise and want the best enterprise hardware? We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project! For more information, please see https://securityonionsolutions.com/hardware.

Screenshots

First, we start with the overview of all alerts and logs:

Next, let's review the alerts:

Drilling into "ET MALWARE Ursnif Payload Request (cook64.rar)" alert, we see:

Pivoting to pcap, we see the full TCP stream:

Switching to the ASCII transcript shows the HTTP transaction more clearly:

Next, we drill into the "ET MALWARE Ursnif Payload Request (cook32.rar)" alert:

Pivoting to pcap, we see the ASCII transcript of the HTTP transaction:

Next, we drill into the "ET INFO Dotted Quad Host ZIP Request" alert:

Pivoting to pcap, we see the ASCII transcript of the HTTP transaction:

Next, we drill into the "ET MALWARE Ursnif Variant CnC Beacon 3" alerts:

Pivoting to pcap, we see the ASCII transcript of the HTTP transaction:

Next, let's review the protocol metadata:

Drilling into HTTP logs we see several POST requests going to foreign sites and we see the RAR and ZIP downloads noted earlier:

Drilling into SSL logs, we see lots of traffic going to a site with an interesting name:

Drilling into DNS logs, we see the DNS lookups for the interesting domain names noted earlier:

Finally, the connection logs include GeoIP lookups showing foreign countries noted earlier:

Top 5 Reasons to Sign Up for our 4-day Security Onion Training

Security Onion Solutions has been teaching Security Onion classes since 2014. Since that time, we've taught students around the globe to help them peel back the layers of their enterprise and make their adversaries cry.

Our next class is in October. Why should you sign up? Here are the top 5 reasons!

1. Amazing instructors

Our instructors are not like other instructors that just read from a slide deck. Security Onion Solutions instructors have years of experience in threat hunting, enterprise security monitoring, and log management. They have worked in real-world operational security roles, engineered monitoring strategies and solutions, and handled real-world incidents. They bring their practical experience to the classroom, enabling students in both theory and hands-on application to hunt adversaries in environments large and small.

2. Comprehensive course material and labs

As a student, you will receive over 300 pages of course material filled with tips and tricks to help you peel back the layers of your enterprise and make your adversaries cry. That amazing content is reinforced by the immersive real-world case studies.

3. First public training for 2.4

We recently released Security Onion 2.4 and it has lots of new features and improvements! This class will help you take advantage of all those new features.

4. We teach the only OFFICIAL training for Security Onion

Security Onion Solutions is the only official provider of Security Onion training. If you want the best training, get it from the company that developed the platform!

5. FREE ticket for both Security Onion Conference and BSidesAugusta

As a student, you will receive a FREE non-transferable ticket to both our 10th annual Security Onion Conference and the 10th annual BSidesAugusta!

 

BONUS reason - Support development of the free and open platform!

Security Onion has been a free and open platform since 2008. We've invested many years of development into making Security Onion even better at helping you peel back the layers of your enterprise and making your adversaries cry. If you purchase training from us, you are helping to cover the cost of developing and maintaining the Security Onion platform, now and in the future.

BONUS BONUS reason - Compete in the CTF for a cool prize!

As a student, you get to compete in the class CTF (Capture The Flag) event to show off your new skills. If you win, you get a limited edition t-shirt and bragging rights!

Sign up today

There are a limited number of seats for this amazing class and the registration deadline is 9/22/2023. Don't delay, reserve your seat today!

https://bsidesaugusta.org/training/#so