Thursday, June 27, 2024

Quick Malware Analysis: DARKGATE pcap from 2024-05-14

Thanks to Brad Duncan for sharing this pcap from 2024-05-14 on his malware traffic analysis site! Due to issues with Google flagging a warning for the site, we're not including the actual hyperlink, but it should be easy to find.


We did a quick analysis of this pcap on the NEW Security Onion 2.4.80:

https://blog.securityonion.net/2024/06/security-onion-2480-now-available.html


If you'd like to follow along, you can do the following:



The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:

https://blog.securityonion.net/search/label/quick%20malware%20analysis


About Security Onion


Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines. Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see:
https://securityonion.net


Do you want to deploy Security Onion to your enterprise and want the best enterprise hardware? Here are the top 5 reasons to purchase appliances from Security Onion Solutions: https://blog.securityonion.net/2023/08/top-5-reasons-to-purchase-security.html


Screenshots


First, we start with the overview of all alerts and logs:


Next, let's look at just the alerts:


Drilling into the Darkgate HTTP POST alerts and pivoting to the full TCP stream, we see:


Switching to the ASCII transcript makes it easy to see what was POSTed and how the server responded:


Going back to the alerts, we drill into the first PowerShell alert and then pivot to the ASCII transcript:


We can send the TCP stream to CyberChef to carve out the zip file:
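The CyberChef step above can also be scripted when you have the reconstructed stream saved to disk. The following is an added example, not code from this post or from Security Onion: it carves a ZIP archive out of a TCP stream by locating the ZIP local-file-header magic for the start and the end-of-central-directory record (including its variable-length comment) for the end, so bytes that follow the archive on the same connection are not swept in, and then lists the entries without extracting them. The HTTP response it works on is constructed inline (the entry name and content are placeholders), not traffic from the Darkgate pcap.

```python
"""Carve a ZIP archive out of a reconstructed TCP stream.

Added example, not code from the Security Onion post. The HTTP exchange
built by build_sample_stream() is constructed here for demonstration; it
is not the Darkgate traffic and the archive contents are placeholders.
"""
import io
import struct
import zipfile
from typing import Optional

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of the first local file header
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory signature
EOCD_FIXED_LEN = 22                # EOCD record without its comment


def strip_http_response_headers(stream: bytes) -> bytes:
    """Drop the HTTP status line and headers (everything up to the first
    blank line). If no header block is present, return the stream as-is."""
    sep = stream.find(b"\r\n\r\n")
    return stream[sep + 4:] if sep != -1 else stream


def carve_zip(stream: bytes) -> Optional[bytes]:
    """Return the first ZIP archive embedded in ``stream``, or None.

    The start is the first local-file-header magic; the end is computed
    from the EOCD record so trailing bytes (a later response on the same
    connection, padding, etc.) are excluded instead of being appended."""
    start = stream.find(ZIP_LOCAL_HEADER)
    if start == -1:
        return None
    eocd = stream.find(ZIP_EOCD, start)
    if eocd == -1 or len(stream) < eocd + EOCD_FIXED_LEN:
        return None   # truncated: the archive did not finish in this stream
    # Bytes 20..21 of the EOCD record hold the archive comment length.
    comment_len = struct.unpack_from("<H", stream, eocd + 20)[0]
    end = eocd + EOCD_FIXED_LEN + comment_len
    if end > len(stream):
        return None
    return stream[start:end]


def list_zip_entries(zip_bytes: bytes) -> list:
    """Enumerate archive members without writing anything to disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def build_sample_zip() -> bytes:
    """Constructed placeholder archive with a fixed timestamp so the bytes
    are deterministic. Not the real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("script.ps1", date_time=(2024, 5, 14, 0, 0, 0))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, "# constructed placeholder, not the real script\n")
    return buf.getvalue()


def build_sample_stream() -> bytes:
    """Constructed server-to-client half of an HTTP exchange: headers, the
    archive, then 16 unrelated bytes standing in for data that followed
    the response on the same TCP connection."""
    body = build_sample_zip()
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/octet-stream\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        b"\r\n"
    )
    return headers + body + b"\x00" * 16


if __name__ == "__main__":
    stream = build_sample_stream()
    carved = carve_zip(stream)
    if carved is None:
        print("no complete ZIP archive found in stream")
    else:
        print(f"carved {len(carved)} bytes; entries: {list_zip_entries(carved)}")
        # Inspect members in a sandbox; do not extract untrusted archives here.
```

Checking the EOCD record rather than taking everything after the header matters when the stream contains more than one object; a carve that runs to end-of-stream would still open in most tools but would hash differently from the file the victim actually received.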


Back at the alerts, we drill into the second PowerShell alert and see the actual PowerShell command used to download the zip file shown above, extract it, and execute the script contained inside:


Now let's look at the protocol metadata:


HTTP:


Software:


File transfers:


DNS lookups:


Invalid SSL/TLS certs:


SSL/TLS metadata:


X.509 certificates:


Connections:


