Wednesday, June 12, 2024

Quick Malware Analysis: WORD MACRO --> SSLOAD --> COBALT STRIKE pcap from 2024-04-18

Thanks to Brad Duncan for sharing this pcap from 2024-04-18 on his malware traffic analysis site! Due to issues with Google flagging a warning for the site, we're not including the actual hyperlink but it should be easy to find.


We did a quick analysis of this pcap on the NEW Security Onion 2.4.70. If you'd like to follow along, you can do the following:



The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:

https://blog.securityonion.net/search/label/quick%20malware%20analysis


About Security Onion


Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines. Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see:
https://securityonion.net


Do you want to deploy Security Onion to your enterprise and want the best enterprise hardware? Here are the top 5 reasons to purchase appliances from Security Onion Solutions: https://blog.securityonion.net/2023/08/top-5-reasons-to-purchase-security.html


Screenshots


First, we start with the overview of all alerts and logs:


Next, let's focus on just the alerts:


Drilling into the first alert, we see that it fires at a regular interval:


We can correlate those alerts to the corresponding HTTP logs to get a little more information:
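The two steps above (spotting that an alert recurs on a fixed interval, then pivoting from the alert to the HTTP log for the same flow) can be scripted against exported records. The block below is an added example, not code from the original post or from Security Onion: the alert and HTTP records are constructed to resemble what the Hunt and Dashboards views show (ECS-style field names and a Zeek/Suricata community_id for the join are an assumption about the export format), the rule names are hypothetical, the IPs are RFC 5737 documentation addresses, and the community_id values are placeholders rather than real hashes. The beacon check treats a group of alerts as periodic when the inter-arrival times have a small coefficient of variation; the cutoff is a tunable, not a Security Onion setting.

```python
"""Beacon check over alert timestamps, then a join to the matching HTTP logs.

Added example, not code from the original post or from Security Onion. The
records are constructed (hypothetical rule names, RFC 5737 addresses,
placeholder community_id values); field names approximate the ECS-style
fields Security Onion displays and are an assumption.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

BEACON_RULE = "ET MALWARE Example Checkin (hypothetical rule name)"
DLL_RULE = "ET INFO Example DLL Request (hypothetical rule name)"


def _alert(ts, rule, cid):
    # Constructed Suricata-style alert record, one per flow.
    return {"@timestamp": ts, "rule.name": rule, "source.ip": "192.0.2.20",
            "destination.ip": "198.51.100.7", "community_id": cid}


def _http(cid, uri):
    # Constructed Zeek http record for the same flow (joined via community_id).
    return {"community_id": cid, "http.method": "GET",
            "http.virtual_host": "198.51.100.7", "http.uri": uri}


# Five check-ins roughly 60 s apart (with a second of jitter), then four
# requests with no regular spacing.
ALERTS = [
    _alert("2024-04-18T15:00:00Z", BEACON_RULE, "1:cid-a1"),
    _alert("2024-04-18T15:01:00Z", BEACON_RULE, "1:cid-a2"),
    _alert("2024-04-18T15:02:01Z", BEACON_RULE, "1:cid-a3"),
    _alert("2024-04-18T15:03:00Z", BEACON_RULE, "1:cid-a4"),
    _alert("2024-04-18T15:04:00Z", BEACON_RULE, "1:cid-a5"),
    _alert("2024-04-18T15:10:00Z", DLL_RULE, "1:cid-b1"),
    _alert("2024-04-18T15:10:30Z", DLL_RULE, "1:cid-b2"),
    _alert("2024-04-18T15:18:20Z", DLL_RULE, "1:cid-b3"),
    _alert("2024-04-18T15:18:50Z", DLL_RULE, "1:cid-b4"),
]
HTTP_LOGS = [_http("1:cid-a%d" % i, "/checkin.php") for i in range(1, 6)] + [
    _http("1:cid-b2", "/stage2.dll"),   # only one of the DLL alerts has an http log
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def intervals(records):
    """Seconds between consecutive records, sorted by timestamp."""
    ts = sorted(parse_ts(r["@timestamp"]) for r in records)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def find_beacons(alerts, min_count=4, max_cv=0.10):
    """Group alerts by (rule, src, dst) and flag groups with near-constant spacing."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["rule.name"], a["source.ip"], a["destination.ip"])].append(a)
    result = {}
    for key, recs in groups.items():
        if len(recs) < min_count:
            continue                      # too few samples to call it periodic
        gaps = intervals(recs)
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        result[key] = {"count": len(recs), "mean_interval": avg,
                       "cv": cv, "beacon": cv <= max_cv}
    return result


def correlate(alerts, http_logs):
    """Attach the HTTP request details to each alert that shares its community_id."""
    by_cid = defaultdict(list)
    for h in http_logs:
        by_cid[h["community_id"]].append(h)
    matches = []
    for a in alerts:
        for h in by_cid.get(a["community_id"], []):
            matches.append({"rule": a["rule.name"], "ts": a["@timestamp"],
                            "method": h["http.method"],
                            "host": h["http.virtual_host"], "uri": h["http.uri"]})
    return matches


if __name__ == "__main__":
    for key, stats in find_beacons(ALERTS).items():
        print(key[0], "beacon=%s mean=%.1fs cv=%.3f" % (stats["beacon"], stats["mean_interval"], stats["cv"]))
    for m in correlate(ALERTS, HTTP_LOGS):
        print(m["ts"], m["rule"], m["method"], m["host"] + m["uri"])
```

The join is deliberately left-outer: alerts without a matching HTTP record are simply absent from the output, which is what you see in Security Onion when an alert fires on traffic Zeek did not log as HTTP.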


Back at the alerts, let's drill into the "ET MALWARE Win32/SSLoad Payload Request (GET)" alerts:


We can then pivot to full packet capture to see the entire TCP stream:


We could then send the stream to CyberChef which would allow us to do more analysis or even carve the downloaded file out of the stream:


Back at the alerts, let's drill into the "ET INFO Dotted Quad Host DLL Request" alert:


Pivoting to PCAP, we can see the DLL file:


We can send the stream to CyberChef where we might look for interesting strings:
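The CyberChef steps above (carving the downloaded file out of the HTTP stream, confirming it is a DLL, and pulling strings from it) are easy to reproduce in a few lines of Python when you want to repeat them across many streams. The block below is an added example and is not code from the original post, from Security Onion, or from CyberChef. Everything in it is constructed: the HTTP response is built inside the block (once with Content-Length and once chunked, since a carve that only handles one of the two will silently truncate the other), and the "DLL" is a header-only PE stub with one embedded string, so the URL it contains and the compile timestamp are hypothetical values rather than anything from the real pcap.

```python
"""Carve an HTTP-delivered PE out of a server->client stream, read its header, pull strings.

Added example, not code from the original post, Security Onion, or CyberChef.
The HTTP response and the PE stub are constructed here; the embedded URL is
hypothetical and 198.51.100.7 is an RFC 5737 documentation address.
"""
import hashlib
import re
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000
MACHINES = {0x014C: "i386", 0x8664: "AMD64", 0x01C4: "ARMv7", 0xAA64: "ARM64"}


def build_sample_pe() -> bytes:
    """Constructed PE32+ stub: DOS header, PE signature, COFF header, one string."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH",
                       0x8664,      # Machine: AMD64
                       2,           # NumberOfSections
                       0x66215A00,  # TimeDateStamp (constructed value)
                       0, 0,        # symbol table pointer / count (unused here)
                       0xF0,        # SizeOfOptionalHeader for PE32+
                       0x2022)      # Characteristics: EXECUTABLE | LARGE_ADDRESS_AWARE | DLL
    payload = b"\0" * 16 + b"http://198.51.100.7/stage2.dll\0" + b"\0" * 16  # constructed string
    return bytes(dos) + b"PE\0\0" + coff + payload


def http_response(body: bytes, chunked: bool = False) -> bytes:
    """Wrap a body in a constructed HTTP/1.1 response, framed by length or by chunks."""
    if not chunked:
        return (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                b"Content-Length: %d\r\n\r\n" % len(body)) + body
    chunks = b"".join(b"%x\r\n%s\r\n" % (len(body[i:i + 40]), body[i:i + 40])
                      for i in range(0, len(body), 40))
    return b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n" + chunks + b"0\r\n\r\n"


def split_response(stream: bytes):
    """Return (status line, lower-cased header dict, raw body) from the stream."""
    sep = stream.find(b"\r\n\r\n")
    if sep < 0:
        raise ValueError("no end-of-headers marker in stream")
    lines = stream[:sep].split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, stream[sep + 4:]


def decode_chunked(raw: bytes) -> bytes:
    """Reassemble a chunked body; chunk extensions after ';' are ignored."""
    out, pos = bytearray(), 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunked body")
        size = int(raw[pos:eol].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        out += raw[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2


def carve_body(stream: bytes) -> bytes:
    """The downloaded file exactly as the client received it, whatever the framing."""
    _status, headers, raw = split_response(stream)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        return decode_chunked(raw)
    if "content-length" in headers:
        n = int(headers["content-length"])
        if len(raw) < n:
            raise ValueError("stream shorter than Content-Length; capture is truncated")
        return raw[:n]
    return raw   # no framing: body runs to end of stream


def parse_pe(data: bytes) -> dict:
    """Read the DOS and COFF headers: architecture, DLL flag, timestamp, hash."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsect, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {"machine": MACHINES.get(machine, hex(machine)), "sections": nsect,
            "compile_time": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
            "is_dll": bool(chars & IMAGE_FILE_DLL),
            "sha256": hashlib.sha256(data).hexdigest()}


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable-ASCII runs of at least min_len bytes, like CyberChef's Strings."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


if __name__ == "__main__":
    pe = build_sample_pe()
    for stream in (http_response(pe), http_response(pe, chunked=True)):
        body = carve_body(stream)
        info = parse_pe(body)
        print(info["machine"], "DLL" if info["is_dll"] else "EXE",
              info["compile_time"], info["sha256"][:16], extract_strings(body))
```

In practice you would feed `carve_body` the server-to-client half of the stream as exported from Security Onion's PCAP view, and the SHA-256 it produces is what to compare against the hash shown in the Zeek files log for the same transfer; a mismatch usually means the capture was truncated, which the Content-Length check above reports explicitly instead of yielding a quietly wrong hash.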


Back at Dashboards, let's look at the Zeek protocol metadata logs:


We'll start with the HTTP logs:


Then the DNS logs:


Next, we'll look at the SSL/TLS logs:


Zeek notices for invalid SSL certificates:


File metadata:


Files transferred over SMB:


x509 certificates seen in SSL/TLS traffic:


Browser User Agent strings seen in network traffic:


PE logs for Windows executables:


Zeek Weird logs showing protocol anomalies:


SMB mapping logs:


Connection logs including GeoIP information:





