DEV Community

Cover image for DRIDEX - Traffic Analysis - DUALRUNNING
Mihika
Mihika

Posted on

DRIDEX - Traffic Analysis - DUALRUNNING

let's start:

Downloading the Capture File and Understanding the Assignment

  1. Download the .pcap file from PCAP
  2. Familiarize yourself with the assignment instructions.

LAN segment data:

LAN segment range: 172.16.1[.]0/24 (172.16.1[.]0 through 172.16.1[.]255)
Domain: dualrunning[.]net
Domain controller: 172.16.1[.]2 - Dualrunning-DC
LAN segment gateway: 172.16.1[.]1
LAN segment broadcast address: 172.16.1[.]255

OUR TASK:

Write an incident report based on the pcap and the alerts.
The incident report should contain the following:
Executive Summary
Details (of the infected Windows host)
Indicators of Compromise (IOCs).

Analyzing Network Traffic with Basic Filters:

Basic Filter: (http.request || tls.handshake.type eq 1) && !(ssdp)
Enter fullscreen mode Exit fullscreen mode

Upon inspection, a GET request to 185.21.216.153 on port 8088 was detected, It's an Excel file, and the URL from which this file was requested is linked to the Dridex malware.

185.21.216.153 port 8088 - insiderushings.com:8088 - GET /wp-content/Receipt 9650354.xls?evagk=2MyeEdhGPszYX
Enter fullscreen mode Exit fullscreen mode

and just below we can see URL for initial Dridex DLL

185.21.216.153 port 8088 - buyer-remindment.com:8088 - GET/templates/file6.bin
Enter fullscreen mode Exit fullscreen mode

Dridex infection traffic consists of two parts:
Initial infection activity.
Post-infection C2 traffic.

You can Identify the C2 traffic, by identifying this pattern. This C2 traffic communicates directly with an IP address, so there are no server name or host name associated with it. It also has unusual certificate issuer data.

And we Found the following traffic directly to IP addresses instead of domain names. This is most likely Dridex HTTPS C2 traffic::
• 202.29.60.34 port 443 - HTTPS traffic
• 72.11.131.199 port 443 - HTTPS traffic
• 207.244.250.103 port 443 - HTTPS traffic
• 45.145.55.170 port 453 - HTTPS traffic
• 84.232.252.62 port 443 - HTTPS traffic

Apply this Filter to review certificate issuer for those suspected IP addresses.

Filter: tls.handshake.type eq 11
Enter fullscreen mode Exit fullscreen mode

Select the packet and go to the frame details section and expand the information.

TLS > TLSv1: Certificate > handshake protocol:certificate > certificates(__ bytes) > Certificates[truncated] > SignedCertificate > Issuer > rdnSequence
Enter fullscreen mode Exit fullscreen mode

We also detected suspicious activity from the malicious source IP 81.17.23.125 to our compromised host 172.16.1.239. Despite the Host line in the HTTP request headers indicating 81.17.23.125:2318, there was no corresponding traffic over TCP port 2318 in the pcap.

To investigate further, use the Wireshark filter ip.addr eq 81.17.23.125 && tcp.flags eq 0x0002 to find TCP SYN segments for the start of all TCP streams to 81.17.23.125. Follow TCP streams from each TCP SYN segment to analyze the directory listing for the infected user's Documents directory.

For a deeper understanding of Dridex malware and its infection traffic, consider reading Brad Duncan's insightful article on Unit 42: Wireshark Tutorial: Dridex Infection Traffic.


Final report:

Executive Summary
On 2021-07-14 at approximately 20:31 UTC, a Windows host used by Samantha Reed was infected with Dridex malware.

Details
MAC address: 00:13:d4:10:05:25
IP address: 172.16.1.239
Host name: DEKSTOP-F3P7XLU
Windows user account: samantha.reed

Indicators of Compromise (IOCs)
Dridex C2 traffic:

202.29.60.34 port 443 - HTTPS traffic
72.11.131.199 port 443 - HTTPS traffic
207.244.250.103 port 443 - HTTPS traffic
45.145.55.170 port 453 - HTTPS traffic
84.232.252.62 port 443 - HTTPS traffic
81.17.23.125 port 443 - HTTPS traffic

Top comments (0)