Mihika

OskiStealer - Traffic Analysis - Spoonwatch

Let's start:

Downloading the Capture File and Understanding the Assignment

  1. Download the .pcap file from pcap.
  2. Familiarize yourself with the assignment instructions.

LAN segment data:

LAN segment range: 192.168.1[.]0/24 (192.168.1[.]0 through 192.168.1[.]255)
Domain: spoonwatch[.]net
Domain controller: 192.168.1[.]9 - SPOONWATCH-DC
LAN segment gateway: 192.168.1[.]1
LAN segment broadcast address: 192.168.1[.]255

OUR TASK:

Write an incident report based on the pcap and the alerts.
The incident report should contain the following:

Executive Summary: State in simple, direct terms what happened (when, who, what).
Details: Details of the victim (hostname, IP address, MAC address, Windows user account name).
Indicators of Compromise (IOCs): IP addresses, domains and URLs associated with the infection. SHA256 hashes if any malware binaries can be extracted from the pcap.

Identifying the Infected Host

This is my method for finding the infected host in a PCAP file, though it may not always guarantee accurate results.

  1. In Wireshark, go to Statistics > Endpoint > IPv4.
  2. Identify the IP associated with the most transferred packets within your LAN. This is likely the compromised host.


Investigating the PCAP

The compromised host communicated with the malicious server. Applying Brad Duncan's popular basic filter:

(http.request || tls.handshake.type eq 1) && !(ssdp)

Identifying OskiStealer malware Activity

Using this filter, we found direct communication between the source IP 192.168.1.216 and the destination IP 2.56.57.108, including several POST requests sent to 2.56.57.108.
The IP address 2.56.57.108 is associated with an EXE sample tagged as OskiStealer on bazaar.abuse.ch. However, the transferred files themselves were found to be non-malicious by the popular platform VirusTotal.

Packet Analysis

Viewing the packet content indicates malicious activity: the responses to the .jpg URLs were actually DLL files. Although these DLLs are not inherently malicious, they are considered Indicators of Compromise (IOCs) because they signify a specific type of infection.

Viewing the POST request: a DLL file disguised as an image file.

There was also a ZIP file transferred. We can extract this ZIP file and edit it in a hex editor, removing the header and footer from the binary to focus on the payload data. This payload may contain valuable information such as sensitive data or communication details. After editing, we save the file and examine the payload. You may find several folders and files with names like "password.txt," "system.txt," "screenshot.jpg," and "cookies," indicating stolen data.
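As an added example (not code from the original post), a small Python check that does what the packet analysis above does by hand: it compares the file type claimed by the URL extension against the body's magic bytes, flags ".jpg" responses that are really PE (DLL/EXE) files, recognises a ZIP upload, and hashes each body with SHA256 for the IOC list. The response bodies are constructed stand-ins, not the real files from the pcap, and the upload path is a placeholder because the post does not name it.

```python
import hashlib

# Magic bytes for the file types that matter in this capture
# (constructed lookup table; extend as needed).
MAGIC = {
    b"\xff\xd8\xff": "jpeg",   # JPEG image
    b"MZ": "pe",               # Windows PE header (EXE/DLL)
    b"PK\x03\x04": "zip",      # ZIP archive (stolen-data bundle)
}


def sniff_type(body: bytes) -> str:
    """Return the file type implied by the leading bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if body.startswith(magic):
            return name
    return "unknown"


def url_extension(url: str) -> str:
    """Extension claimed by the URL path (lowercase), '' if none."""
    name = url.split("?", 1)[0].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify(url: str, body: bytes) -> dict:
    """Flag a response whose URL claims an image but whose bytes are not one."""
    actual = sniff_type(body)
    ext = url_extension(url)
    claims_image = ext in ("jpg", "jpeg")
    return {
        "url": url,
        "ext": ext,
        "type": actual,
        "sha256": hashlib.sha256(body).hexdigest(),
        "suspicious": claims_image and actual != "jpeg",
    }


# Constructed sample traffic: a ".jpg" that is really a PE file (as in the
# capture), a ZIP upload to a placeholder path, and a genuine JPEG for contrast.
SAMPLE_RESPONSES = [
    ("http://2.56.57.108/osk//1.jpg", b"MZ\x90\x00" + b"\x00" * 60),
    ("http://2.56.57.108/PLACEHOLDER-upload-path", b"PK\x03\x04" + b"\x00" * 26),
    ("http://example.invalid/logo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12),
]


def report(responses=SAMPLE_RESPONSES) -> list:
    return [classify(url, body) for url, body in responses]


if __name__ == "__main__":
    for r in report():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['type']:7} {r['sha256'][:16]}...  {r['url']}")
```

The same classify() call can be run over bodies exported from Wireshark (File > Export Objects > HTTP) to produce the URL/SHA256 pairs for the IOC section.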

If you need guidance on extracting files, you can refer to this video: Extracting ZIP files from PCAP with Wireshark & NetworkMiner

You can also view those DLL files in NetworkMiner.

DLL files transferred to the malicious IP 2.56.57.108.

Viewing the details of those files.

Final report:

Executive Summary
On 2022-01-07 at approximately 16:07 UTC, a Windows host used by Steve Smith was infected with OskiStealer malware.

Details
MAC address: 95:5c:8e:32:58:f9
IP address: 192.168.1.216
Host name: DESKTOP-GXMYNO2
Windows user account: steve.smith

Indicators of Compromise (IOCs)
URL                          SHA256
2.56.57.108/osk//1.jpg       16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
2.56.57.108/osk//2.jpg       a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
2.56.57.108/osk//3.jpg       3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
2.56.57.108/osk//4.jpg       334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
2.56.57.108/osk//5.jpg       e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
2.56.57.108/osk//6.jpg       43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
2.56.57.108/osk//7.jpg       c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
