Friday, October 20, 2023

Quick Malware Analysis: TA577 PIKABOT INFECTION WITH COBALT STRIKE pcap from 2023-10-17

Thanks to Brad Duncan for sharing this pcap:
https://www.malware-traffic-analysis.net/2023/10/17/index.html

We did a quick analysis of this pcap on the NEW Security Onion 2.4. If you'd like to follow along, you can do the following:

The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:
https://blog.securityonion.net/search/label/quick%20malware%20analysis

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see https://securityonion.net.

Screenshots

First, we start with the overview of all alerts and logs:


Next, let's focus on just the alerts:


Notice that there are several alerts for one TCP stream:


Let's pivot to PCAP for that TCP stream:


Now switch to ASCII transcript to see the EXE download:


Next, let's look at an overview of all protocol metadata:


Drilling into HTTP transactions, we see the EXE that we saw in the alerts but we also see another interesting file:


This file is a zip file:


Here's another look at all files transferred via HTTP:


Here are all the DNS lookups:


Here are the SSL/TLS transactions:


Here are the invalid SSL/TLS certs:


Finally, here is an overview of all network connections:



No comments:

Post a Comment

Note: Only a member of this blog may post a comment.