Malware Traffic Analysis | Steelcoffee Writeup


Hey everyone. I’m doing something a little different this time. I recently learned of an awesome website (https://www.malware-traffic-analysis.net/) which has a whole bunch of .pcap files for you to analyze and practice your malware traffic analysis skills. It’s like a CTF in the sense that the exercises on the website do give you questions to answer based on your analysis of the .pcap files.

Steelcoffee is linked here: https://www.malware-traffic-analysis.net/2020/04/24/index.html

Scenario

LAN segment data:

  • LAN segment range: 10.0.0.0/24 (10.0.0.0 through 10.0.0.255)
  • Domain: steelcoffee.net
  • Domain controller: 10.0.0.10 – SteelCoffee-DC
  • LAN segment gateway: 10.0.0.1
  • LAN segment broadcast address: 10.0.0.255

Questions

There are three clients in this month’s exercise pcap.

Which two clients are Windows hosts, and what are the associated user account names?
Which one of these two Windows clients was infected?
What type of malware was that Windows client infected with?

Analysis

First we need to download and unzip the files. After we unzip them with the correct password, we’ll open up Wireshark and NetworkMiner. Let’s also open the alerts.jpg file.

As it turns out, we really won’t need the alerts.jpg, but we’ll get to that in time. The first question asks us which hosts are Windows clients, and what their user account names are. Knowing that we are looking for Windows hosts, we can look at the protocol hierarchy in Wireshark and see if there is any Kerberos traffic. We can analyze Kerberos traffic in search of the account names that are logged into the Windows hosts on the network. If you aren’t already familiar, Kerberos is an authentication protocol which issues tickets to authenticated users so that they can access resources over an untrusted network like the internet.

Here is a link to a great article to get somewhat familiarized with Kerberos: https://www.fortinet.com/resources/cyberglossary/kerberos-authentication.

We only have a small number of Kerberos packets, but let’s go ahead and see what we’ve got.

The second Kerberos packet is an AS-REQ (Authentication Service Request) being sent to the KDC (Key Distribution Center) from the IP address 10.0.0.149. Within the packet, the “CNameString” field contains the username “alyssa.fitzgerald”. We have our first Windows host and username. Looking a little bit further down the traffic, we see another IP, 10.0.0.167, also sending an AS-REQ to the KDC.

Again, within the CNameString field, we see a username, this time “elmer.obrien”.
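What Wireshark labels CNameString is the cname PrincipalName inside the AS-REQ’s KDC-REQ-BODY. The following is an added example (not code from the original post): a minimal DER walker that pulls that principal out of a raw Kerberos message body (the UDP payload, or the TCP payload after its 4-byte length prefix), so each requesting IP can be mapped to its user exactly as the writeup does by hand. The sample AS-REQ bytes are constructed here with a tiny encoder; they are not taken from the exercise pcap.

```python
def tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder (lengths below 256), used only to build the sample."""
    n = len(body)
    length = bytes([n]) if n < 128 else b"\x81" + bytes([n])
    return bytes([tag]) + length + body

def der_iter(data: bytes):
    """Yield (tag, value) for the consecutive DER TLVs in data."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                                   # long-form length
            n, i = ln & 0x7F, i + (ln & 0x7F)
            ln = int.from_bytes(data[i - n:i], "big")
        yield tag, data[i:i + ln]
        i += ln

def der_get(data: bytes, tag: int) -> bytes:
    """Value of the first TLV in data with the given tag (raises if absent)."""
    for t, v in der_iter(data):
        if t == tag:
            return v
    raise ValueError(f"tag 0x{tag:02x} not present")

def kerberos_cname(msg: bytes):
    """Client principal (Wireshark's CNameString) from an AS-REQ body, else None."""
    app_tag, kdc_req = next(der_iter(msg))
    if app_tag != 0x6A:                                 # APPLICATION 10 = AS-REQ
        return None
    req_body = der_get(der_get(der_get(kdc_req, 0x30), 0xA4), 0x30)   # [4] KDC-REQ-BODY
    cname = der_get(der_get(req_body, 0xA1), 0x30)                    # [1] cname PrincipalName
    names = der_get(der_get(cname, 0xA1), 0x30)                       # [1] name-string
    return "/".join(v.decode() for t, v in der_iter(names) if t == 0x1B)  # GeneralString

def principal(name_type: int, parts: list) -> bytes:
    """PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF }"""
    names = b"".join(tlv(0x1B, p.encode()) for p in parts)
    return tlv(0x30, tlv(0xA0, tlv(0x02, bytes([name_type]))) + tlv(0xA1, tlv(0x30, names)))

def sample_as_req(user: str, realm: str) -> bytes:
    """Constructed AS-REQ (pvno 5, msg-type 10) carrying the fields a real client sends."""
    body = (tlv(0xA0, tlv(0x03, b"\x00\x40\x81\x00\x10"))        # kdc-options
            + tlv(0xA1, principal(1, [user]))                     # cname, NT-PRINCIPAL
            + tlv(0xA2, tlv(0x1B, realm.encode()))                # realm
            + tlv(0xA3, principal(2, ["krbtgt", realm]))          # sname, NT-SRV-INST
            + tlv(0xA5, tlv(0x18, b"20370913024805Z"))            # till
            + tlv(0xA7, tlv(0x02, b"\x12\x34\x56\x78"))           # nonce
            + tlv(0xA8, tlv(0x30, tlv(0x02, b"\x12"))))           # etype aes256-cts (18)
    head = tlv(0xA1, tlv(0x02, b"\x05")) + tlv(0xA2, tlv(0x02, b"\x0A"))
    return tlv(0x6A, tlv(0x30, head + tlv(0xA4, tlv(0x30, body))))
```

For a whole capture, tshark does the same extraction in one line: `tshark -r file.pcap -Y "kerberos.msg_type == 10" -T fields -e ip.src -e kerberos.CNameString`.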

Now that we have the first question answered, we can move on to the next task, where we need to figure out which of the two Windows hosts was infected by malware. To help answer this question, we can utilize NetworkMiner. NetworkMiner is an awesome network forensic tool that can extract a LOT of information from a raw .pcap file. Since we know that we are talking about Windows hosts, the most likely source of an infection would probably be a malicious .exe file. Let’s see what we can find in the Files tab in NetworkMiner.

There is an executable named “8888.png”, which was downloaded by elmer.obrien on IP 10.0.0.167. We can take the SHA-256 hash of the executable and search for it on VirusTotal to see if it actually is a malicious executable.
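NetworkMiner types extracted files by their content rather than their name, which is why an executable can show up as “8888.png”. The following added example (not code from the original post) applies the same check: it follows the DOS header’s e_lfanew to confirm a real PE signature, hashes the bytes for a VirusTotal lookup, and flags the mismatch between what the name and Content-Type claim and what the bytes are. The sample blobs are constructed here, not taken from the exercise pcap.

```python
import hashlib
import struct

def fake_pe(size: int = 0x100) -> bytes:
    """Constructed stand-in for a PE: 'MZ' header, e_lfanew at 0x3C pointing at 'PE\\0\\0'."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)

def is_pe(data: bytes) -> bool:
    """True when data has a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def triage(url_path: str, content_type: str, data: bytes) -> dict:
    """Describe an HTTP object: name, hash, whether it is a PE, and whether that contradicts
    the extension or Content-Type it was served with (the 8888.png case)."""
    name = url_path.rsplit("/", 1)[-1]
    claims_exe = name.lower().endswith((".exe", ".dll", ".scr")) or "msdownload" in content_type
    pe = is_pe(data)
    return {"name": name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "is_pe": pe,
            "masquerade": pe and not claims_exe}
```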

VirusTotal identifies this file as a known malicious file, typically named “CMSTP.exe”. CMSTP.exe is a legitimate executable in normal circumstances, and it is used to install or remove a Connection Manager service profile, according to Microsoft (https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp). This functionality can be abused by attackers to gain remote access and to load and execute malicious DLLs, and it can also evade common defenses since CMSTP.exe is a trusted binary on Windows systems. You can read more about how attackers abuse this binary on the MITRE ATT&CK page here: (https://attack.mitre.org/techniques/T1218/003/). There is also a great article here: (https://pentestlab.blog/2018/05/10/applocker-bypass-cmstp/), which shows you a step-by-step guide to experiment with this exploitation technique yourself. As always, only experiment with this technique in a controlled environment where you have explicit permission to do so, such as on your own machines in a homelab.

Doing a Google search for “CMSTP.exe 8888.png” returns some results referencing the Qbot or Qakbot trojan. According to Trend Micro, this trojan has been around since at least 2007 and is used for stealing victim data. It made a resurgence in mid-2020, mostly affecting the healthcare sector in the US. The malware was delivered through email spam which enticed users to click a malicious link, downloading a .vbs script which then downloaded the final payload. Digging a little further in NetworkMiner and Wireshark, we do in fact see a .zip file called “judgement_04222020_318389448.zip” which was downloaded by elmer.obrien.

This .zip file contains a .vbs script which, when run, reaches out to one of a handful of specific domains to download the final payload, the “8888.png” executable. Once the payload has been introduced to the target(s), one would expect to see some communication between infected hosts and the attacker’s C2 servers for future actions.

Conclusion

I hope you enjoyed this post and learned something from it. Malware traffic analysis and malware analysis in general are two things which I’m not super well-versed in, but I do want to continue to sharpen my skills in those specialties. I really enjoyed working on this, and I would definitely expect to see more posts of this sort here in the future. Thank you!
