DEV Community

Cover image for BazarLoader - Traffic Analysis - ANGRYPOUTINE
Mihika
Mihika

Posted on

BazarLoader - Traffic Analysis - ANGRYPOUTINE

let's start:

Downloading the Capture File and Understanding the Assignment

  1. Download the .pcap file from pcap.
  2. Familiarize yourself with the assignment instructions.

LAN segment data:

LAN segment range: 10.9.10[.]0/24 (10.9.10[.]0 through 10.9.10[.]255)
Domain: angrypoutine[.]com
Domain controller: 10.9.10[.]9 - ANGRYPOUTINE-DC
LAN segment gateway: 10.9.10[.]1
LAN segment broadcast address: 10.9.10[.]255

OUR TASK:

Write an incident report based on the pcap and the alerts.
The incident report should contain the following:
Executive Summary
Details (of the infected Windows host)
Indicators of Compromise (IOCs).

Identifying the Infected Host

This is my method for finding the infected host in a PCAP file, though it may not always guarantee accurate results.

  1. In Wireshark, go to Statistics > Endpoint > IPv4.
  2. Identify the IP associated with the most transferred packets within your LAN. This is likely the compromised host.

Investigating the PCAP

Analyzing Network Traffic with Basic Filters:

(http.request || tls.handshake.type eq 1) && !(ssdp)

Applying the Basic filter for analysising network traffic

Upon inspection, a GET request to 194.62.42.206 port 80 was detected, fetching a malicious Dynamic Link Library (DLL) file for BazarLoader from the following URL:
/bmdff/BhoHsCtZ/MLdmpfjaX/5uFG3Dz7yt/date1?BNLv65=pAAS

This URL, containing '/bmdff/', consistently yields a 64-bit DLL for BazarLoader. Notably, this pattern has persisted over the past several weeks, indicating association with the TA551 (Shathak) campaign.
Further analysis reveals BazarLoader's command and control (C2) activity. Initially, BazarLoader retrieves BazarBackdoor via HTTPS traffic from 167.172.37.9 over TCP port 443. Subsequently, BazarBackdoor itself generates C2 activity, utilizing HTTPS traffic to communicate with 94.158.245.52 over TCP port 443.

Identifying BazarLoader C2 traffic

It's important to note that Bazar C2 activity often directs traffic to legitimate domains. While this behavior isn't inherently malicious, it's reminiscent of various malware families conducting connectivity checks or ensuring uninterrupted internet access on infected Windows hosts.

For a comprehensive understanding of BazarLoader's network reconnaissance tactics, I recommend reading Brad Duncan's article on the case study:
Case Study: From BazarLoader to Network Reconnaissance

Final report:

Executive Summary
On 2021-09-10 at approximately 23:17 UTC, a Windows host used by Hobart Gunnarsson was infected with BazarLoader through the TA551 (Shathak) campaign.

Details
MAC address: 00:4f:49:b1:e8:c3
IP address: 10.9.10.102
Host name: DESKTOP-KKITB6Q
Windows user account: hobart.gunnarsson

Indicators of Compromise (IOCs)
BazarLoader DLL:
194.62.42.206 port 80 - simpsonsavingss.com - GET /bmdff/BhoHsCtZ/MLdmpfjaX/5uFG3Dz7y /date1?BNLv65=pAAS

SHA256 hash: eed363fc4af7a9070d69340592dcab7c78db4f90710357de29e3b624aa957cf8
File size: 284,816 bytes
File description: BazarLoader DLL
File name: date6.dll

BazarLoader C2 traffic:

167.172.37.9 port 443 - HTTPS traffic
94.158.245.52 port 443 - HTTPS traffic

Top comments (0)