Thanks to Brad Duncan for sharing this pcap!
https://www.malware-traffic-analysis.net/2022/10/14/index.html
We did a quick analysis of this pcap on the latest version of Security Onion via so-import-pcap:
https://docs.securityonion.net/en/2.3/so-import-pcap.html
The screenshots below show some of the interesting Suricata alerts, Zeek logs, and session transcripts. We start with the Suricata alerts and then move onto Zeek metadata. Along the way, we find an interesting download over HTTP and use CyberChef to carve it out and determine the password for the file. Finally, we look at all connections including the destination country and organization name.
About Security Onion
Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines. Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs.
To learn more about Security Onion, please see:
https://securityonion.net
https://securityonion.net/docs
More Samples
Find all of our Quick Malware posts at:
https://blog.securityonion.net/search/label/quick%20malware%20analysis
Screenshots
Click the first image to start the screenshot tour:
|
Suricata NIDS alerts |
|
Zeek metadata |
|
DNS lookup
|
|
X509 certificates |
|
HTTP transactions |
|
ASCII transcript for HTTP transaction |
|
First HTTP transaction shows password that we'll use to open the downloaded file |
|
Second HTTP transaction is a password-protected ZIP file |
|
Opening the password-protected ZIP file using the password discovered earlier and extracting the embedded ISO image |
|
Opening the ISO image |
|
Interesting files inside the ISO image |
|
CMD script from ISO image |
|
Log of file transfers |
|
SSL connections |
|
Zeek notices for invalid SSL certs |
|
All connections including destination country and organization name |
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.