Wednesday, September 18, 2024

Quick Malware Analysis: SNAKE KEYLOGGER (VIP RECOVERY) INFECTION, SMTP EXFIL pcap from 2024-09-16

Thanks to Brad Duncan for sharing this pcap from 2024-09-16 on his malware traffic analysis site! Due to issues with Google flagging a warning for the site, we're not including the actual hyperlink but it should be easy to find.


We did a quick analysis of this pcap on the NEW Security Onion 2.4.100:

https://blog.securityonion.net/2024/08/security-onion-24100-now-available.html


If you'd like to follow along, you can do the following:



The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:

https://blog.securityonion.net/search/label/quick%20malware%20analysis


About Security Onion


Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines. Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see:
https://securityonion.net


Screenshots


First, we start with the overview of all alerts and logs:


Next, let's look at just the Alerts:


Let's drill into the Snake alert:


Now let's pivot to PCAP to see that entire TCP stream:


We can switch to ASCII transcript to make it a little more readable:


Now let's review the protocol metadata:


We'll start with X.509 certificates:


Next, we look at the related SSL/TLS connections:


Here are the DNS lookups:


Next, we can look at all of the connections:


Here are the HTTP transactions related to the Snake alert we saw in the beginning:


Finally, let's review SMTP transactions:


Pivoting to PCAP, we can see usernames and passwords being exfiltrated via SMTP:


In the second PCAP, we can see session cookies being exfiltrated via SMTP:
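As an added example (not part of the original post and not Security Onion's own code), here is a small Python check of the kind a defender might run over an SMTP transcript like the ones above: it parses the envelope recipients and the DATA section and flags the harvested-credential and cookie fields that mark the exfiltration. The transcript, the mailbox names and the field-label regexes are constructed assumptions for illustration, not the real sample's format.

```python
import re

# Constructed sample in the style of Security Onion's ASCII transcript view;
# every host, address and credential here is made up for this example.
SAMPLE_TRANSCRIPT = """\
MAIL FROM:<sender@example.invalid>
RCPT TO:<dropbox@example.invalid>
DATA
Subject: PW | DESKTOP-EXAMPLE | user1

URL: https://webmail.example.invalid/
Username: user1@corp.invalid
Password: Winter2024!
.
QUIT
"""

# Field labels stealers commonly place in front of harvested data (assumed
# patterns, not Snake Keylogger's exact format).
CRED_FIELD = re.compile(r"^(user ?name|login|pass(word)?|pwd)\s*[:=]", re.I)
COOKIE_FIELD = re.compile(r"^(cookies?|session ?id)\s*[:=]|; ?(httponly|secure)\b", re.I)
SUBJECT_TAG = re.compile(r"^(pw|passwords?|cookies?|logs?)\b", re.I)

def parse_smtp_transcript(text):
    # Pull the envelope recipients, the Subject header and the DATA body.
    msg = {"rcpt_to": [], "subject": None, "body": []}
    in_data = False
    for line in text.splitlines():
        if in_data:
            if line == ".":                       # end-of-DATA marker
                in_data = False
            elif line.lower().startswith("subject:"):
                msg["subject"] = line.split(":", 1)[1].strip()
            else:
                msg["body"].append(line)
        elif line.upper().startswith("RCPT TO:"):
            msg["rcpt_to"].append(line.split(":", 1)[1].strip().strip("<>"))
        elif line.upper() == "DATA":
            in_data = True
    return msg

def exfil_indicators(msg):
    # Count harvested-data markers; an empty dict means nothing suspicious.
    hits = {}
    if msg["subject"] and SUBJECT_TAG.match(msg["subject"]):
        hits["tagged_subject"] = 1
    for name, rx in (("credential_fields", CRED_FIELD), ("cookie_fields", COOKIE_FIELD)):
        if n := sum(1 for line in msg["body"] if rx.search(line)):
            hits[name] = n
    return hits
```

The recipient mailbox returned by the parser is the value worth blocking or hunting for across the rest of the SMTP logs, since the same drop address tends to recur in every exfil message from the infected host.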



