Thanks to Brad Duncan for sharing this pcap!
https://www.malware-traffic-analysis.net/2022/08/10/index.html
We did a quick analysis of this pcap on the latest version of Security Onion via so-import-pcap:
https://docs.securityonion.net/en/2.3/so-import-pcap.html
The screenshots below show some of the interesting Suricata alerts, Zeek logs, and session transcripts.
About Security Onion
Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines. Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs.
To learn more about Security Onion, please see:
https://securityonion.net
https://securityonion.net/docs
More Samples
Find all of our Quick Malware posts at:
https://blog.securityonion.net/search/label/quick%20malware%20analysis
Screenshots
Click the first image to start the screenshot tour:
 |
| Unzip and import both pcap files |
 |
| Review alerts and investigate EXEs |
 |
| Pivot to PCAP for first EXE |
 |
| Review session transcript for first EXE |
 |
| Send first EXE to CyberChef and review strings |
 |
| Review second EXE |
 |
| Session transcript for second EXE |
 |
| Send second EXE to CyberChef and review strings |
 |
| Review third EXE |
 |
| Session transcript for third EXE |
 |
| Send EXE to CyberChef and review strings |
 |
| Protocol metadata |
 |
| HTTP logs |
 |
| Malware Hash Registry Detection and SSL Certificate Validation failures |
 |
| x509 certficates |
 |
| Files transferred via HTTP and SSL |
 |
| DNS lookups |
 |
| Connections (including destination.geo.country_name and destination_geo.organization_name) |
No comments:
Post a Comment