
DRIDEX - Traffic Analysis - DUALRUNNING

Let's start:

Downloading the Capture File and Understanding the Assignment

  1. Download the .pcap file from PCAP
  2. Familiarize yourself with the assignment instructions.

LAN segment data:

LAN segment range: 172.16.1[.]0/24 (172.16.1[.]0 through 172.16.1[.]255)
Domain: dualrunning[.]net
Domain controller: 172.16.1[.]2 - Dualrunning-DC
LAN segment gateway: 172.16.1[.]1
LAN segment broadcast address: 172.16.1[.]255


Write an incident report based on the pcap and the alerts.
The incident report should contain the following:
• Executive Summary
• Details (of the infected Windows host)
• Indicators of Compromise (IOCs)

Analyzing Network Traffic with Basic Filters:

Basic Filter: (http.request || tls.handshake.type eq 1) && !(ssdp)

Upon inspection, a GET request to on port 8088 was detected. The response is an Excel file, and the URL from which this file was requested is linked to the Dridex malware:

port 8088 - - GET /wp-content/Receipt 9650354.xls?evagk=2MyeEdhGPszYX

Just below it we can see the URL for the initial Dridex DLL:

port 8088 - - GET /templates/file6.bin

Dridex infection traffic consists of two parts:
• Initial infection activity.
• Post-infection C2 traffic.

You can identify the C2 traffic by looking for this pattern: the C2 traffic communicates directly with an IP address, so there is no server name (SNI) or host name associated with it, and the server certificate has unusual issuer data.

We found the following traffic going directly to IP addresses instead of domain names. This is most likely Dridex HTTPS C2 traffic:
• port 443 - HTTPS traffic
• port 443 - HTTPS traffic
• port 443 - HTTPS traffic
• port 453 - HTTPS traffic
• port 443 - HTTPS traffic

Apply this filter to review the certificate issuer for those suspected IP addresses.

Filter: tls.handshake.type eq 11

Select the packet, go to the frame details section and expand the following path to reach the issuer information:

TLS > TLSv1: Certificate > handshake protocol:certificate > certificates(__ bytes) > Certificates[truncated] > SignedCertificate > Issuer > rdnSequence
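The two checks described above (no server name because the client talks straight to an IP, and an issuer that does not look like any public CA) can be applied in bulk once the TLS sessions are exported from Wireshark. The script below is an added example written for this post, not code from the original article or from the exercise author. It consumes a tab-separated export of the kind `tshark -T fields` produces; the field names `ip.src`, `ip.dst`, `tcp.dstport` and `tls.handshake.extensions_server_name` are real Wireshark fields, while the flattened `issuer` column, the sample rows, the IP addresses and the small CA allowlist are all constructed for illustration and are not from the pcap.

```python
"""Heuristic triage of TLS sessions for Dridex-style C2 (added example)."""
from dataclasses import dataclass, field

# Constructed sample export, one row per TLS session. Real Wireshark field
# names in the header; the "issuer" column is assumed to hold the certificate
# issuer RDN sequence flattened to "C=..,O=..,CN=.." text. Every address and
# issuer string below is made up for the example.
SAMPLE_TSV = """\
ip.src\tip.dst\ttcp.dstport\ttls.handshake.extensions_server_name\tissuer
172.16.1.100\t203.0.113.10\t443\twww.example.com\tC=US,O=DigiCert Inc,CN=DigiCert TLS RSA SHA256 2020 CA1
172.16.1.100\t198.51.100.23\t443\t\tC=FR,L=Roqyeu,O=Bncuztp Adwyvokb,CN=Qplxdr.lmh
172.16.1.100\t198.51.100.77\t453\t\tC=GB,ST=Wrkhz,O=Tmnqvs Ltd,CN=Vbjknp.oai
172.16.1.100\t203.0.113.44\t443\tupdate.example.org\tC=US,O=Let's Encrypt,CN=R3
172.16.1.100\t192.0.2.9\t443\t\tC=US,O=Let's Encrypt,CN=R3
"""

# Illustrative allowlist of issuer organisation names; an analyst would use a
# fuller list (or the local trust store) in practice.
KNOWN_CA_ORGS = {
    "digicert inc", "let's encrypt", "globalsign nv-sa", "sectigo limited",
    "google trust services llc", "amazon",
}


@dataclass
class Verdict:
    dst: str
    port: int
    level: str                       # "suspect", "review" or "ok"
    reasons: list = field(default_factory=list)


def parse_issuer(text):
    """Split a flattened 'C=US,O=Foo,CN=Bar' issuer into a dict (commas inside
    values are not handled; they are rare in issuer fields)."""
    out = {}
    for part in text.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def looks_random(token):
    """Crude 'gibberish' check: a word of 5+ letters with fewer than 20%
    vowels (y counted as a vowel) is treated as random-looking."""
    letters = [c for c in token if c.isalpha()]
    if len(letters) < 5:
        return False
    vowels = sum(c.lower() in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.2


def triage(tsv_text):
    """Score each TLS session on the two Dridex C2 traits from the post."""
    lines = tsv_text.strip().splitlines()
    header = lines[0].split("\t")
    verdicts = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split("\t")))
        reasons = []
        direct_to_ip = not rec.get("tls.handshake.extensions_server_name")
        if direct_to_ip:
            reasons.append("no SNI: TLS session goes directly to an IP address")
        issuer = parse_issuer(rec.get("issuer", ""))
        org = issuer.get("O", "")
        odd_tokens = [tok for value in issuer.values()
                      for tok in value.split() if looks_random(tok)]
        if org.lower() not in KNOWN_CA_ORGS:
            reasons.append(f"issuer O={org!r} is not a known public CA")
        if odd_tokens:
            reasons.append("random-looking issuer fields: " + ", ".join(odd_tokens))
        unusual_issuer = org.lower() not in KNOWN_CA_ORGS or bool(odd_tokens)
        if direct_to_ip and unusual_issuer:
            level = "suspect"
        elif direct_to_ip or unusual_issuer:
            level = "review"
        else:
            level = "ok"
        verdicts.append(Verdict(rec["ip.dst"], int(rec["tcp.dstport"]), level, reasons))
    return verdicts


def suspect_endpoints(tsv_text):
    """Return (ip, port) pairs rated 'suspect', i.e. candidate C2 IOCs."""
    return [(v.dst, v.port) for v in triage(tsv_text) if v.level == "suspect"]


if __name__ == "__main__":
    for v in triage(SAMPLE_TSV):
        print(f"{v.dst}:{v.port:<4} {v.level:8} {'; '.join(v.reasons)}")
    print("candidate C2 IOCs:", suspect_endpoints(SAMPLE_TSV))
```

A session that is direct-to-IP but carries a certificate from a well-known CA is rated "review" rather than "suspect": plenty of legitimate software pins an IP, so the issuer check is what separates the Dridex pattern from ordinary traffic. On the constructed rows, the two sessions with gibberish issuers (one on 443, one on 453, mirroring the port mix in the post) come out as suspects.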

We also detected suspicious activity from the malicious source IP to our compromised host. Despite the Host line in the HTTP request headers indicating , there was no corresponding traffic over TCP port 2318 in the pcap.

To investigate further, use the Wireshark filter ip.addr eq && tcp.flags eq 0x0002 to find the TCP SYN segments that start each TCP stream, then follow the TCP stream from each SYN segment to analyze the directory listing of the infected user's Documents directory.

For a deeper understanding of Dridex malware and its infection traffic, consider reading Brad Duncan's insightful article on Unit 42: Wireshark Tutorial: Dridex Infection Traffic.

Final report:

Executive Summary
On 2021-07-14 at approximately 20:31 UTC, a Windows host used by Samantha Reed was infected with Dridex malware.

MAC address: 00:13:d4:10:05:25
IP address:
Host name: DEKSTOP-F3P7XLU
Windows user account: samantha.reed

Indicators of Compromise (IOCs)
Dridex C2 traffic:
• port 443 - HTTPS traffic
• port 443 - HTTPS traffic
• port 443 - HTTPS traffic
• port 453 - HTTPS traffic
• port 443 - HTTPS traffic
• port 443 - HTTPS traffic
