Friday, November 3, 2023

Quick Malware Analysis: ICEDID variant with BACKCONNECT, ANUBIS VNC, COBALT STRIKE & SCREENCONNECT pcap from 2023-10-18

Thanks to Brad Duncan for sharing this pcap:
https://www.malware-traffic-analysis.net/2023/10/18/index.html


We did a quick analysis of this pcap on the NEW Security Onion 2.4. If you'd like to follow along, you can do the following:


The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:

https://blog.securityonion.net/search/label/quick%20malware%20analysis


About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see https://securityonion.net.


Screenshots

First, we start with the overview of all alerts and logs:


Next, we focus on just alerts:


Drilling into the first group of alerts, we see that the alerts are firing about every 5 minutes:


Let's exclude those alerts and focus on the remaining alerts:


Here is a group of alerts for the same TCP stream:


Pivoting to PCAP and then to ASCII transcript, we can see the executable file:


Next, let's focus on this alert:


Pivoting to transcript we see the fake browser in the User Agent string:


Next, let's review this group of alerts for the same TCP stream:


Pivoting to transcript, we see the executable:


Sending the transcript to CyberChef makes it easy to see some of the executable's capabilities:


Now let's look at all of the protocol metadata:


Here are the interesting HTTP transactions:


Here are the interesting DNS lookups:


Here are SSL/TLS connections:


Here is some interesting traffic:


Pivoting to transcript, we can see that this is VNC:


Here are all of the connections:



No comments:

Search This Blog

Featured Post

Security Onion 2.4.111 now available!

In October, we released version 2.4.110: https://blog.securityonion.net/2024/10/security-onion-24110-hurricane-helene.html Last week, Surica...

Popular Posts

Blog Archive