Quick Malware Analysis: FORMBOOK from possible MODILOADER pcap from 2023-06-16

Thanks to Brad Duncan for sharing this pcap:
https://www.malware-traffic-analysis.net/2023/06/16/index.html

We did a quick analysis of this pcap on the NEW Security Onion 2.4. If you'd like to follow along, you can do the following:

• install Security Onion 2.4 in a VM:
  https://docs.securityonion.net/en/2.4/first-time-users.html
• import the pcap using so-import-pcap:
  https://docs.securityonion.net/en/2.4/so-import-pcap.html#so-import-pcap
• optionally enable the new DNS lookups feature:
  https://docs.securityonion.net/en/2.4/soc-customization.html?#reverse-dns-lookups

The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:
https://blog.securityonion.net/search/label/quick%20malware%20analysis

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see https://securityonion.net.

Our 10th Annual Security Onion Conference is coming up soon, so reserve your seat today! Last day to register is September 29. For more details, please see https://socaugusta2023.eventbrite.com/.

Do you want to deploy the new Security Onion 2.4 to your enterprise but need training? Here are the top 5 reasons to sign up for our upcoming training class: https://blog.securityonion.net/2023/08/top-5-reasons-to-sign-up-for-our-4-day.html.

Do you want to deploy Security Onion to your enterprise and want the best enterprise hardware? Here are the top 5 reasons to purchase appliances from Security Onion Solutions: https://blog.securityonion.net/2023/08/top-5-reasons-to-purchase-security.html.

Screenshots

First, we start with the overview of all alerts and logs:

Next, let's review the alerts:

Drilling into the "ET POLICY PE EXE or DLL Windows file download HTTP" alert, we see:

If we click on the alert and then choose the Correlate option, then we can see all alerts for this TCP stream:

Clicking on one of those alerts and then clicking PCAP takes us to the full TCP stream:

Switching to ASCII transcript makes it easier to see the HTTP transaction including the EXE file header:

Back at the Alerts screen, we next drill into the "ET INFO HTTP Request to Suspicious *.life Domain" alerts:

Pivoting to PCAP we see:

Back at the Alerts overview, we drill into the "ET MALWARE FormBook CnC Checkin (GET)" alerts:

Now let's take a look at protocol metadata:

Here are the HTTP GET and POST requests:

Here are the DNS lookups:

Here are the connections with GeoIP information:

Finally, here are the SSL/TLS connections: