DEV Community

Emotet, Formbook - TRAFFIC ANALYSIS - SUNNYSTATION
Mihika

Let's start:
Downloading the Capture File and Understanding the Assignment

  1. Download the .pcap file from https://www.malware-traffic-analysis.net/
  2. Familiarize yourself with the assignment instructions.

LAN segment data:
LAN segment range: 172.16.0[.]0/24 (172.16.0[.]0 through 172.16.0[.]255)
Domain: sunnystation[.]com
Domain controller: 172.16.0[.]52 - SUNNYSTATION-DC
File Server: 172.16.0[.]53 - SUNNYFILESERVER
LAN segment gateway: 172.16.0[.]1
LAN segment broadcast address: 172.16.0[.]255

TASK
What hosts/user account names are active on this network?
What type of malware are they infected with?

Identifying Active IP Addresses

We can identify active devices on the network by looking for IP addresses that frequently transmit or receive data. Wireshark provides filters to achieve this.

  1. Apply the filter dhcp to capture DHCP messages exchanged during device initialization.

This will reveal IP addresses assigned to devices on the network.

[Screenshot: DHCP traffic]

The following IP addresses appear to be active across multiple protocols:
172.16.0.170
172.16.0.149
172.16.0.131

Finding Host Information (Username, Hostname)

Now that you have IP addresses, let's gather additional details about the devices.

  1. Use the filter kerberos.CNameString to find Kerberos authentication packets.
  2. Select a packet and expand the kerberos field in the packet details pane. Look for the as-req field, then expand req-body, cname, and finally CNameString. This often contains the username for the device.
  3. Hostnames might also be included within Kerberos traffic.

[Screenshot: Kerberos traffic showing the CNameString username]

IP address      MAC address         Hostname          User account
172.16.0.170    00:12:f0:64:d1:d9   DESKTOP-W5TFTQY   everett.french
172.16.0.131    2c:27:d7:d2:06:f5   DESKTOP-VD151O7   tricia.becker
172.16.0.149    00:1b:fc:7b:d1:c0   DESKTOP-KPQ9FDB   nick.montgomery
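The host table above is usually built by post-processing tshark field output rather than clicking through each Kerberos packet. The following Python is an added example, not code from the original post: it consumes lines in the shape of `tshark -r capture.pcap -Y "kerberos.msg_type == 10" -T fields -e ip.src -e eth.src -e kerberos.CNameString` (msg_type 10 restricts the match to AS-REQ, so ip.src is the client rather than the domain controller) and splits computer accounts, which end in `$`, from user accounts. The input lines are constructed by hand to mirror the table; they are not extracted from the pcap.

```python
from collections import defaultdict

# Constructed tab-separated lines in the shape of the tshark field output
# described in the lead-in (ip.src, eth.src, kerberos.CNameString). The IPs,
# MACs and names mirror the post's table; the lines themselves are made up.
SAMPLE_FIELD_LINES = """\
172.16.0.170\t00:12:f0:64:d1:d9\tDESKTOP-W5TFTQY$
172.16.0.170\t00:12:f0:64:d1:d9\teverett.french
172.16.0.131\t2c:27:d7:d2:06:f5\tDESKTOP-VD151O7$
172.16.0.131\t2c:27:d7:d2:06:f5\ttricia.becker
172.16.0.149\t00:1b:fc:7b:d1:c0\tDESKTOP-KPQ9FDB$
172.16.0.149\t00:1b:fc:7b:d1:c0\tnick.montgomery
172.16.0.149\t00:1b:fc:7b:d1:c0\tnick.montgomery
"""


def build_inventory(field_lines: str) -> dict:
    """Return {ip: {"mac": str, "hosts": set, "users": set}}.

    CNameString carries both computer accounts (hostname followed by '$')
    and user accounts, so the two are separated instead of being listed
    together; repeated AS-REQs from the same user collapse into the set.
    """
    inventory = defaultdict(lambda: {"mac": None, "hosts": set(), "users": set()})
    for raw in field_lines.splitlines():
        if not raw.strip():
            continue
        ip, mac, cname = raw.split("\t")
        entry = inventory[ip]
        entry["mac"] = mac
        if cname.endswith("$"):
            entry["hosts"].add(cname.rstrip("$"))
        else:
            entry["users"].add(cname)
    return dict(inventory)


def render_table(inventory: dict) -> str:
    """Render the inventory as the plain-text table used in the write-up."""
    rows = ["IP address      MAC address         Hostname          User account(s)"]
    for ip in sorted(inventory, key=lambda a: tuple(int(o) for o in a.split("."))):
        e = inventory[ip]
        rows.append(
            f"{ip:<15} {e['mac']:<19} "
            f"{','.join(sorted(e['hosts'])):<17} {','.join(sorted(e['users']))}"
        )
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_table(build_inventory(SAMPLE_FIELD_LINES)))
```

If a host shows more than one user account, or a user account appears from more than one IP, that is worth a second look before deciding which account is the victim: service accounts and admins logging in remotely produce the same CNameString pattern.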


Detecting Malware

172.16.0.149

  1. Apply the filter http.request to capture HTTP requests sent by devices.
  2. Examine each request closely, focusing on suspicious URLs. For instance, 172.16.0.149 sent a request to www.ajaxmatters.com/c7g8t/zbBYgukXYxzAF2hZc/, which is linked to Emotet malware.

[Screenshot: HTTP traffic related to 172.16.0.149]

[Screenshot: URLhaus indicator]

[Screenshot: packet content for www.ajaxmatters.com/c7g8t/zbBYgukXYxzAF2hZc/]

Right-click on this packet and follow the TCP stream associated with the suspicious HTTP request to inspect the packet content. "MZ" is the DOS header of Windows executables (EXE and DLL), so the first two bytes after the HTTP response headers appearing as "MZ" could indicate a malicious file.

To extract and analyze this potential malware:

  1. Go to File > Export Objects > HTTP in Wireshark.
  2. Select the file associated with the suspicious hostname (e.g., www.ajaxmatters.com) and content type (e.g., application/x-msdownload). This content type is commonly used for DLLs and EXEs.
  3. Save the extracted file.
  4. Open a terminal, navigate to the file location, and run shasum -a 256 on the file to calculate its SHA-256 hash, a unique identifier for the file.

SHA256 hash for Emotet DLL: 14b57211308ac8ad2a63c965783d9ba1c2d1930d0cafd884374d143a481f9bf3
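The same three checks, MZ bytes behind the headers, an executable content type, and the SHA-256 of the exported body, can be done programmatically on a reassembled TCP stream. The Python below is an added example and not part of the original post or of Wireshark: it splits an HTTP response into headers and body, flags the executable indicators, checks that the body is as long as Content-Length claims (a short export means the stream was not fully captured and the hash will not match any public report), and hashes the body exactly as shasum -a 256 would. The response bytes are constructed; the body is a 64-byte MZ stub standing in for the real Emotet DLL, so its hash is not the one listed above.

```python
import hashlib

# Content types commonly seen on executable downloads.
EXECUTABLE_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/octet-stream",
}

# Constructed response: a 64-byte 'MZ' stub in place of the real DLL.
CONSTRUCTED_BODY = b"MZ" + b"\x90" * 62
CONSTRUCTED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: application/x-msdownload\r\n"
    b"Content-Length: 64\r\n"
    b"\r\n" + CONSTRUCTED_BODY
)
# Constructed response with no body, to show the negative case.
EMPTY_RESPONSE = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"


def sha256_hex(data: bytes) -> str:
    """Same digest `shasum -a 256 file` prints for the exported object."""
    return hashlib.sha256(data).hexdigest()


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: end of headers not found")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_response(raw: bytes) -> dict:
    """Report the indicators an analyst checks before exporting the object."""
    status, headers, body = split_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    declared = headers.get("content-length")
    truncated = declared is not None and declared.isdigit() and int(declared) != len(body)
    return {
        "status": status,
        "content_type": ctype,
        "mz_header": body[:2] == b"MZ",          # DOS header of EXE/DLL files
        "declared_executable": ctype in EXECUTABLE_CONTENT_TYPES,
        "truncated": truncated,                  # capture did not hold the whole file
        "size": len(body),
        "sha256": sha256_hex(body),
    }


if __name__ == "__main__":
    for name, raw in (("emotet-like", CONSTRUCTED_RESPONSE), ("empty", EMPTY_RESPONSE)):
        print(name, inspect_response(raw))
```

This only handles a plain, uncompressed body; a response using Transfer-Encoding: chunked or Content-Encoding: gzip has to be decoded first, which is what Wireshark's Export Objects does for you before you hash the file.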
Next, we'll identify Command and Control (C2) server communication, which allows the malware to receive instructions from the attacker. I have tried these filters:

  • ip.addr==172.16.0.149 && tls.handshake.type eq 1
  • ip.addr==172.16.0.149 && tcp.analysis.flags
  • dns traffic
  • smtp traffic
  • Common C2 protocols include HTTP, HTTPS, DNS, IRC, and custom protocols
  • C2 traffic often exhibits recognizable patterns such as periodic communications, communications with unusual times of day, or a high volume of traffic to a particular destination. Look for patterns that deviate from normal network behavior or unknown IP addresses.

[Screenshot: Bad TCP traffic from 172.16.0.149]

The capture shows the compromised host (172.16.0.149) using the TCP Window Update with Zero Window technique repeatedly. This technique is often used by attackers to exploit vulnerabilities in TCP implementations and force the remote server to send more data than it normally would.

The destinations use ports commonly associated with email submission (587) and web traffic (443, 80). Emotet malware is known to steal credentials and use these ports to send spam and exfiltrate sensitive information.

[Screenshot: SMTP traffic]

The client attempts to connect to multiple SMTP servers (74.208.5.15, 116.254.112.253, 142.250.138.109, 46.97.120.162, 27.34.147.95, 122.17.147.238, 192.185.4.31) one after another. This behavior is often associated with spammers. Some of the captured traffic includes the AUTH LOGIN command, which authenticates to the SMTP server with a username and password. This suggests the malware may be using stolen credentials to further compromise the system.

[Screenshot: spambot traffic]

The captured traffic shows a login attempt with Base64-encoded credentials, which is concerning because Base64 is an encoding, not encryption: anyone on the path can decode it. In a secure SMTP connection, the credentials would be sent using a more secure method like SASL (RFC 4405), which encrypts the data transmission.
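Spotting these sessions in a large capture is easier with a small script than by following each stream. The Python below is an added example, not code from the original post: it walks SMTP client commands grouped per session, flags an AUTH LOGIN that was sent without a prior STARTTLS, decodes only the Base64 username (the password is deliberately not recorded), and counts how many distinct mail servers one client fanned out to, which is the spambot pattern described above. The session lines are constructed; the server addresses are three of those listed above, but the mailbox name and password are placeholders, not values from the pcap.

```python
import base64

# Constructed session lines: (src_ip, dst_ip, dst_port, direction, payload).
# direction "C" is client -> server, "S" is server -> client. The credential
# below is a placeholder made up for this example.
_B64 = lambda s: base64.b64encode(s.encode()).decode()
CONSTRUCTED_SESSIONS = [
    ("172.16.0.149", "74.208.5.15", 587, "S", "220 mail.example ESMTP"),
    ("172.16.0.149", "74.208.5.15", 587, "C", "EHLO DESKTOP-KPQ9FDB"),
    ("172.16.0.149", "74.208.5.15", 587, "C", "AUTH LOGIN"),
    ("172.16.0.149", "74.208.5.15", 587, "S", "334 VXNlcm5hbWU6"),      # "Username:"
    ("172.16.0.149", "74.208.5.15", 587, "C", _B64("victim@example.test")),
    ("172.16.0.149", "74.208.5.15", 587, "S", "334 UGFzc3dvcmQ6"),      # "Password:"
    ("172.16.0.149", "74.208.5.15", 587, "C", _B64("placeholder-password")),
    ("172.16.0.149", "116.254.112.253", 587, "C", "EHLO DESKTOP-KPQ9FDB"),
    ("172.16.0.149", "116.254.112.253", 587, "C", "STARTTLS"),
    ("172.16.0.149", "142.250.138.109", 587, "C", "EHLO DESKTOP-KPQ9FDB"),
]


def _decode_username(b64user: str) -> str:
    try:
        return base64.b64decode(b64user, validate=True).decode("utf-8", "replace")
    except ValueError:
        return "<undecodable>"


def find_cleartext_auth(sessions) -> list:
    """Return one finding per AUTH LOGIN seen on a session with no STARTTLS.

    Handles both the two-step form (AUTH LOGIN, then the username on the
    next client line) and the inline form (AUTH LOGIN <base64-username>).
    """
    findings = []
    state = {}  # (src, dst, port) -> {"starttls": bool, "await_user": bool}
    for src, dst, port, direction, payload in sessions:
        key = (src, dst, port)
        st = state.setdefault(key, {"starttls": False, "await_user": False})
        if direction != "C":
            continue
        cmd = payload.strip()
        if cmd.upper() == "STARTTLS":
            st["starttls"] = True
        elif cmd.upper().startswith("AUTH LOGIN"):
            parts = cmd.split(maxsplit=2)
            if len(parts) == 3:
                findings.append({"client": src, "server": dst, "port": port,
                                 "username": _decode_username(parts[2])})
            else:
                st["await_user"] = True
        elif st["await_user"]:
            st["await_user"] = False
            findings.append({"client": src, "server": dst, "port": port,
                             "username": _decode_username(cmd)})
    # Anything seen after STARTTLS would be ciphertext, so visible AUTH on a
    # session that did negotiate TLS is not expected; report only cleartext ones.
    return [f for f in findings if not state[(f["client"], f["server"], f["port"])]["starttls"]]


def distinct_servers(sessions, client: str) -> int:
    """How many different SMTP servers one client talked to (spam fan-out)."""
    return len({dst for src, dst, _port, _d, _p in sessions if src == client})


if __name__ == "__main__":
    for f in find_cleartext_auth(CONSTRUCTED_SESSIONS):
        print(f"cleartext AUTH LOGIN to {f['server']}:{f['port']} as {f['username']}")
    print("servers contacted:", distinct_servers(CONSTRUCTED_SESSIONS, "172.16.0.149"))
```

From a detection standpoint the interesting counts are a workstation (not a mail server) opening many outbound 587/25 sessions in a short window, and any AUTH on a session that never issued STARTTLS; the decoded username tells you which mailbox's credential the bot was holding and therefore whose password needs to be rotated.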

[Screenshot: malicious email]

There is an email in the spambot traffic sent over unencrypted SMTP that you can export from the pcap in Wireshark by using File --> Export Objects --> IMF.
I am using Mozilla Thunderbird to view this malicious email.

172.16.0.170

Applying the filter ip.addr==172.16.0.170 && (http.request || tls.handshake.type eq 1) finds a suspicious server; URLhaus indicates dalgahavuzu.com is Emotet from its epoch 5 botnet. The parentheses matter: Wireshark's && binds tighter than ||, so without them the filter also matches every TLS Client Hello from every host in the capture.

[Screenshot: HTTP traffic related to 172.16.0.170]

[Screenshot: URLhaus indicator]

To find C2 traffic, we can do the same as we did with the first Windows host by applying the filter ip.addr==172.16.0.170 && tcp.analysis.flags.

172.16.0.131

[Screenshot: HTTP requests related to 172.16.0.131]

Applying the filter ip.addr==172.16.0.131 && http.request:
An image file, Ocklqc.jpg, returned from 156.96.154.210 is actually a binary: a Windows DLL with its bytes in reverse order. Extracting it and uploading it to VirusTotal indicates it is malicious, but VirusTotal does not specify the malware family.
The host also sent other GET requests, all sharing a pattern: an encoded resource under a "uar3" file path. Researching the domain names links them to XLoader, formerly FormBook (Joe Sandbox).
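A byte-reversed DLL defeats the simple "starts with MZ" check from the Emotet section, because the MZ signature now sits at the end of the file as "ZM". The Python below is an added example, not code from the original post: it checks a blob for a real PE layout (the MZ stub plus the "PE\0\0" signature at the offset stored in e_lfanew), and if that fails, checks the blob reversed, so both plain and reversed images are classified. The sample PE is constructed in memory as a minimal header shape; it is not the Ocklqc.jpg sample, and the JPEG bytes are a constructed magic number.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"


def looks_like_pe(data: bytes) -> bool:
    """True if data has the DOS 'MZ' stub and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_blob(data: bytes) -> str:
    """Classify a downloaded object as jpeg, pe, reversed-pe or unknown."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if looks_like_pe(data):
        return "pe"
    # A reversed executable ends in 'ZM'; reverse the whole blob and re-check.
    if data.endswith(b"ZM") and looks_like_pe(data[::-1]):
        return "reversed-pe"
    return "unknown"


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: MZ stub, e_lfanew=0x80, PE signature."""
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40 bytes
    struct.pack_into("<I", dos_header, 0x3C, 0x80)          # e_lfanew -> 0x80
    padding = b"\x00" * (0x80 - len(dos_header))
    return bytes(dos_header) + padding + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    sample = build_fake_pe()
    print("forward :", classify_blob(sample))
    print("reversed:", classify_blob(sample[::-1]))
    print("jpeg    :", classify_blob(JPEG_MAGIC + b"\xe0" + b"\x00" * 64))
```

A trailing byte appended to the reversed file (a newline from an export, for example) shifts every offset and makes the check fail, which is why the reversal is only attempted when the blob ends exactly in "ZM"; if the extension, Content-Type and magic bytes disagree, as they do for a .jpg that is a reversed DLL, treat the object as suspicious regardless of what the check returns.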

applying the filter : ip.addr==172.16.0.131 && dns

[Screenshot: spambot traffic]