TRICKBOT - Traffic Analysis - FUNKYLIZARDS

Posted on DEV Community by Mihika

Let's start:

Downloading the Capture File and Understanding the Assignment

  1. Download the .pcap file from the pcap link.
  2. Familiarize yourself with the assignment instructions.

LAN segment data:

LAN segment range: 10.8.19.0/24 (10.8.19.0 through 10.8.19.255)
Domain: funkylizards.com
Domain Controller: 10.8.19.8 Funkylizard-DC
LAN segment gateway: 10.8.19.1
LAN segment broadcast address: 10.8.19.255

OUR TASK:

Write an incident report based on the pcap and the alerts. The incident report should contain the following:

  1. Executive Summary
  2. Details (of the infected Windows host)
  3. Indicators of Compromise (IOCs)

Investigating the PCAP

Analyzing Network Traffic with Basic Filters:

(http.request || tls.handshake.type eq 1) && !(ssdp)

Upon inspection, a GET request to 185.244.41.29 on port 80 was detected, fetching a malicious Dynamic Link Library (DLL) file associated with Trickbot malware.

185.244.41.29 port 80 - 185.244.41.29 - GET /ooiwy.pdf

Post-infection traffic initially consists of HTTPS/SSL/TLS traffic over TCP ports 443, 447, or 449, plus an IP address check by the infected Windows host. We can see that IP address check in this pcap: port 443 - api.ipify.org - GET /

(http.request || tls.handshake.type eq 1 || tcp.flags eq 0x0002) && !ssdp

tcp.flags eq 0x0002 matches packets with only the SYN flag set, i.e. connection attempts, so a failed attempt shows up as a SYN that never gets a SYN/ACK back.

Shortly after the HTTP request for the Trickbot DLL, several attempted TCP connections over port 443 to different IP addresses are observed before successful TCP connections to 46.99.175.149 and 182.253.210.130.

The HTTPS/SSL/TLS traffic to various IP addresses over TCP ports 447 and 449 has unusual certificate data. We can review the certificate issuer associated with these two hosts by filtering on:

tls.handshake.type == 11 && (ip.addr == 46.99.175.149 || ip.addr == 182.253.210.130)

(handshake type 11 is the Certificate message; the two addresses are combined with || because no single packet carries both of them.)

Select the packet, go to the frame details pane and expand:
TLS > TLSv1: Certificate > Handshake Protocol: Certificate > Certificates (__ bytes) > Certificate [truncated] > signedCertificate > issuer > rdnSequence

The state or province name (Some-State) and the organization name (Internet Widgits Pty Ltd) are the placeholder values that OpenSSL's certificate request prompts offer by default; they are not used for legitimate HTTPS/SSL/TLS traffic. This is an indicator of malicious traffic, and it's not limited to Trickbot.

The Trickbot-infected Windows host will check its IP address using one of a number of IP address checking sites. It does this to ascertain its geographical location or to determine whether it is running in a virtual environment or a sandbox. Because these are legitimate services, the check blends in with normal network traffic, making the infection harder to detect and mitigate. Legitimate IP address checking services used by Trickbot include:

api.ip[.]sb
checkip.amazonaws[.]com
icanhazip[.]com
ident[.]me
ip.anysrc[.]net
ipecho[.]net
ipinfo[.]io
myexternalip[.]com
wtfismyip[.]com

Again, an IP address check by itself is not malicious. However, this type of activity combined with other network traffic can provide indicators of an infection. You may see the hosts listed above in the packet capture.

A Trickbot infection can generate HTTP traffic that sends information from the infected host, such as system information and passwords from the browser cache and email clients, to the C2 server used by Trickbot. Apply the basic filter:

(http.request || tls.handshake.type eq 1) && !(ssdp)

You will see a POST request to host 103.148.41.195. View the packet contents and you will see information such as the processes running on the infected host and its system information.
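The certificate, IP-check and POST observations above are only meaningful together, so here is an added example of that correlation in code. It is not part of the original post and not from any tool the post references. It applies the write-up's own indicators (download from a bare IP, IP-check service, OpenSSL default issuer fields, TLS to 447/449, POST to a bare IP) to constructed records shaped like `tshark -T fields` output. The timestamps, ephemeral ports, the 203.0.113.10 address, the CLIENTID-PLACEHOLDER path segment and the verdict thresholds are assumptions made for the example, not values from the pcap.

```python
# Added example: correlate the Trickbot indicators from the write-up over
# constructed tshark-style records (not code from the original post).
import ipaddress
from collections import namedtuple

LAN = ipaddress.ip_network("10.8.19.0/24")  # LAN segment given in the assignment
IP_CHECK_SERVICES = {  # IP-check services named in the write-up
    "api.ipify.org", "api.ip.sb", "checkip.amazonaws.com", "icanhazip.com",
    "ident.me", "ip.anysrc.net", "ipecho.net", "ipinfo.io",
    "myexternalip.com", "wtfismyip.com",
}
# Placeholder issuer fields OpenSSL offers by default; the write-up flags them.
OPENSSL_DEFAULT_RDNS = ("ST=Some-State", "O=Internet Widgits Pty Ltd")
UNUSUAL_TLS_PORTS = {447, 449}

# Constructed records, tab-separated in the order of the -e fields in
#   tshark -r file.pcap -T fields -E separator=/t -e frame.time_epoch -e ip.src
#     -e ip.dst -e tcp.dstport -e http.request.method -e http.host
#     -e http.request.uri -e x509if.rdnSequence
# with the issuer column simplified to one "C=..,ST=..,O=.." string. Timestamps,
# ephemeral ports, 203.0.113.10 and CLIENTID-PLACEHOLDER are invented values.
SAMPLE_RECORDS = [
    "1629402000.0\t10.8.19.101\t185.244.41.29\t80\tGET\t185.244.41.29\t/ooiwy.pdf\t",
    "1629402010.0\t10.8.19.101\t203.0.113.10\t443\tGET\tapi.ipify.org\t/\t",
    "1629402012.0\t10.8.19.101\t46.99.175.149\t447\t\t\t\t",
    "1629402013.0\t46.99.175.149\t10.8.19.101\t49812\t\t\t\t"
    "C=AU,ST=Some-State,O=Internet Widgits Pty Ltd",
    "1629402020.0\t10.8.19.101\t182.253.210.130\t449\t\t\t\t",
    "1629402021.0\t182.253.210.130\t10.8.19.101\t49813\t\t\t\t"
    "C=AU,ST=Some-State,O=Internet Widgits Pty Ltd",
    "1629402030.0\t10.8.19.101\t103.148.41.195\t443\tPOST\t103.148.41.195\t"
    "/rob124/DESKTOP-M1TFHB6_W10019043.CLIENTID-PLACEHOLDER/90/\t",
    # A second LAN host that only checks its IP: must come out benign.
    "1629402100.0\t10.8.19.55\t203.0.113.10\t443\tGET\tapi.ipify.org\t/\t",
]

Record = namedtuple("Record", "ts src dst dport method host uri issuer")

def parse_records(lines):
    """Turn tab-separated field lines into Record tuples."""
    out = []
    for line in lines:
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"expected 8 fields, got {len(f)}: {line!r}")
        out.append(Record(float(f[0]), f[1], f[2], int(f[3]), *f[4:]))
    return out

def is_ip_literal(host):
    """True when an HTTP Host header is a bare IP address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def lan_side(rec):
    """The LAN host involved in the record, whichever direction it flows."""
    for addr in (rec.src, rec.dst):
        if ipaddress.ip_address(addr) in LAN:
            return addr
    return None

def classify(rec):
    """Name the indicator one record carries, or None for ordinary traffic."""
    if rec.issuer and all(rdn in rec.issuer for rdn in OPENSSL_DEFAULT_RDNS):
        return "openssl_default_cert"   # Some-State / Internet Widgits Pty Ltd
    if rec.method == "GET" and rec.host in IP_CHECK_SERVICES:
        return "ip_check"               # legitimate service, benign on its own
    if rec.method == "GET" and is_ip_literal(rec.host):
        return "direct_ip_download"     # e.g. GET /ooiwy.pdf from a bare IP
    if rec.method == "POST" and is_ip_literal(rec.host):
        return "post_to_ip_literal"     # host data POSTed straight to an IP
    if rec.dport in UNUSUAL_TLS_PORTS and ipaddress.ip_address(rec.src) in LAN:
        return "tls_on_447_449"         # client hello to the unusual ports
    return None

def correlate(records, window_s=600.0):
    """Per LAN host, record the first sighting of each indicator and decide.
    Rule (chosen for this example): 'infected' when at least three distinct
    indicators, at least two besides the IP check, appear within window_s."""
    seen = {}
    for rec in sorted(records, key=lambda r: r.ts):
        host, ind = lan_side(rec), classify(rec)
        if host is not None and ind is not None:
            seen.setdefault(host, {}).setdefault(ind, rec.ts)  # first sighting
    report = {}
    for host, inds in seen.items():
        times = sorted(inds.values())
        strong = [i for i in inds if i != "ip_check"]
        infected = (len(inds) >= 3 and len(strong) >= 2
                    and times[-1] - times[0] <= window_s)
        report[host] = {"verdict": "infected" if infected else "benign",
                        "indicators": dict(sorted(inds.items(), key=lambda kv: kv[1]))}
    return report

if __name__ == "__main__":
    for host, summary in correlate(parse_records(SAMPLE_RECORDS)).items():
        print(host, summary["verdict"], ", ".join(summary["indicators"]))
```

Run as a script it prints one verdict per LAN host: 10.8.19.101 is flagged because the download, IP check, unusual-port TLS, default-issuer certificate and POST all land within seconds of each other, while 10.8.19.55, which only performed an IP check, stays benign. The indicator dictionary for the flagged host is ordered by first sighting, which is the timeline an incident report's "Details" section needs; replace SAMPLE_RECORDS with real field output and tune the window and counts in correlate() to your own environment.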

For a comprehensive understanding of Trickbot Malware, I recommend reading Brad Duncan's article on it: Trickbot Malware

Final report:

Executive Summary
On 2021-08-19 at approximately 19:40 UTC, a Windows host used by Monica Steele was infected with Trickbot malware.

Details
MAC address: 00:08:02:1c:47:ae
IP address: 10.8.19.101
Host name: DESKTOP-M1TFHB6
Windows user account: monica.steele

Indicators of Compromise (IOCs)
Trickbot DLL:
185.244.41.29 port 80 - 185.244.41.29 - GET /ooiwy.pdf

SHA256 hash: f25a780095730701efac67e9d5b84bc289afea56d96d8aff8a44af69ae606404
File size: 323,584 bytes
File description: Trickbot DLL
File name: ooiwy.pdf

Trickbot C2 traffic:

port 443 - api.ipify.org - GET / [IP address check by infected host]
46.99.175.149 on port 443 - HTTPS traffic
182.253.210.130 on port 443 - HTTPS traffic
103.148.41.195 port 443 - POST /rob124/DESKTOP-M1TFHB6_W10019043.0CB9C3AE3FA9B1267DFC20141CDE9D8 4/90/
