Malware Network Communication
https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/
• Sample 2: Locky
- communicates with the CnC, and full communication is encrypted:
https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/
• Sample 3: BISKVIT
- Downloading files and components
- Communicates with the command and control server through REST APIs using the JSON format.
https://bullguard.atlassian.net/wiki/spaces/BTD/pages/693731505/BISKVIT+trojan?preview=/693731505/706773065/BISKVIT%20trojan.pdf
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/
https://www.malware-traffic-analysis.net/2018/08/17/index.html
https://www.netfort.com/blog/detect-cryptocurrency-mining-activity/
https://phys.org/news/2017-05-network-traffic-early-indication-malware.html
THE MALWARE CHANGES THE FIREWALL
• Sample 1: Rules changes (forensics)
- netsh.exe firewall set opmode mode=disable profile=all / netsh firewall set opmode disable
- netsh firewall add allowedprogram 1.exe 1 ENABLE
- netsh advfirewall firewall add rule name="explore" dir=in action=allow program="%USERPROFILE%\appdata\roaming\ugi\voogfu.exe"
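To detect these rule changes from the defender's side, here is an added example (not from the slides or from any of the linked posts): a Python scanner over constructed process-creation records that flags netsh invocations which disable the firewall or whitelist a program, and raises the severity when the whitelisted binary lives in a user-writable directory or is given as a bare file name. The log format, PIDs and image paths are constructed; the netsh command lines are the ones listed on the slide, plus the `netsh advfirewall set allprofiles state off` form, which is a real variant not shown on the slide.

```python
"""Flag Windows Firewall tampering by netsh in process-creation records.

Added example, not from the original slides: the log format, PIDs and image
paths are constructed; the netsh command lines are the ones listed on the
slide plus the real 'advfirewall set ... state off' variant.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed records: "<pid> <image path> <command line>"
SAMPLE_LOG = """\
4120 C:\\Windows\\System32\\netsh.exe netsh.exe firewall set opmode mode=disable profile=all
4133 C:\\Windows\\System32\\netsh.exe netsh firewall set opmode disable
4140 C:\\Windows\\System32\\netsh.exe netsh firewall add allowedprogram 1.exe 1 ENABLE
4152 C:\\Windows\\System32\\netsh.exe netsh advfirewall firewall add rule name="explore" dir=in action=allow program="%USERPROFILE%\\appdata\\roaming\\ugi\\voogfu.exe"
4160 C:\\Windows\\System32\\netsh.exe netsh advfirewall set allprofiles state off
4166 C:\\Windows\\System32\\netsh.exe netsh interface ip show config
4171 C:\\Windows\\System32\\ipconfig.exe ipconfig /all
"""

# Directories a standard user can write to; a firewall exception for a binary
# there is far more often malware than a legitimate installer.
USER_WRITABLE = ("\\appdata\\", "%appdata%", "%localappdata%", "%temp%", "\\temp\\",
                 "%userprofile%", "\\users\\public\\", "\\programdata\\")

# Legacy "netsh firewall" and current "netsh advfirewall" syntaxes for
# switching the firewall off.
RE_DISABLE = re.compile(
    r"netsh(?:\.exe)?\s+(?:firewall\s+set\s+opmode\s+(?:mode=)?disable"
    r"|advfirewall\s+set\s+\w+\s+state\s+off)", re.I)
RE_ALLOWEDPROGRAM = re.compile(
    r"netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+(\S+)", re.I)
RE_ADD_RULE = re.compile(
    r"netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b(?P<args>.*)", re.I)
# program=... may be quoted (paths with spaces) or bare.
RE_PROGRAM_ARG = re.compile(r'program=(?:"([^"]*)"|(\S+))', re.I)
RE_ACTION_ARG = re.compile(r"action=(\w+)", re.I)


@dataclass
class Finding:
    pid: int
    kind: str                 # "firewall_disabled" or "allow_rule"
    program: Optional[str]
    severity: str             # "high" or "medium"


def suspicious_program(path: str) -> bool:
    """True for a binary in a user-writable directory or given without any directory."""
    p = path.lower().strip('"')
    relative = "\\" not in p and ":" not in p
    return relative or any(marker in p for marker in USER_WRITABLE)


def classify(cmdline: str) -> Optional[Tuple[str, Optional[str], str]]:
    """Return (kind, program, severity) for a tampering command, else None."""
    if RE_DISABLE.search(cmdline):
        return ("firewall_disabled", None, "high")
    m = RE_ALLOWEDPROGRAM.search(cmdline)
    if m:
        prog = m.group(1)
        return ("allow_rule", prog, "high" if suspicious_program(prog) else "medium")
    m = RE_ADD_RULE.search(cmdline)
    if m:
        args = m.group("args")
        action = RE_ACTION_ARG.search(args)
        if action and action.group(1).lower() != "allow":
            return None          # block rules do not open the host up
        pm = RE_PROGRAM_ARG.search(args)
        prog = (pm.group(1) or pm.group(2)) if pm else None
        sev = "high" if prog and suspicious_program(prog) else "medium"
        return ("allow_rule", prog, sev)
    return None


def scan(log_text: str) -> List[Finding]:
    """Scan "<pid> <image> <cmdline>" records and return one Finding per tampering command."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        pid, _image, cmdline = line.split(maxsplit=2)
        hit = classify(cmdline)
        if hit:
            findings.append(Finding(int(pid), *hit))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"pid={f.pid} {f.severity:6} {f.kind} program={f.program}")
```

Matching on the command line rather than on the image name is deliberate: the image is always netsh.exe, so the rule has to distinguish a benign `netsh interface ip show config` from a disable or allow command. The same changes can be made with the PowerShell firewall cmdlets or by editing the firewall registry keys directly, so a production detection would cover those paths too.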
• Sample 1:
- 209.141.59.124 port 80 - 209.141.59.124 - GET /1.exe
- 47.74.40.118 port 80 - securityupdateserver4.com - POST /tasks.php
- 47.74.40.118 port 80 - securityupdateserver4.com - GET /modules/x64payload.core
- 47.74.40.118 port 80 - securityupdateserver4.com - GET /modules/x86payload.core
https://www.malware-traffic-analysis.net/2018/index.html
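To turn the indicator lines above into a detection, here is an added example (not from the slides or from malware-traffic-analysis.net): a Python script that parses the `IP port N - host - METHOD /path` lines as written on the slide into structured indicators and matches them against a constructed proxy log, reporting exact URL hits, hits on the C2 hostname with a path not in the list, and hits on the C2 address where the Host header does not match. The proxy log format, timestamps, client addresses and the extra paths are constructed; the indicator lines are the ones from the slide.

```python
"""Match proxy log lines against C2 indicators written in the
"IP port N - host - METHOD /path" style used on the slides.

Added example, not from the original slides or malware-traffic-analysis.net:
the proxy log format, timestamps, client addresses and extra paths are
constructed; the indicator lines are the ones from the slide.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

INDICATORS = """\
209.141.59.124 port 80 - 209.141.59.124 - GET /1.exe
47.74.40.118 port 80 - securityupdateserver4.com - POST /tasks.php
47.74.40.118 port 80 - securityupdateserver4.com - GET /modules/x64payload.core
47.74.40.118 port 80 - securityupdateserver4.com - GET /modules/x86payload.core
"""

RE_IOC = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) - (?P<host>\S+) - "
    r"(?P<method>[A-Z]+) (?P<path>\S+)$")


@dataclass(frozen=True)
class Ioc:
    ip: str
    port: int
    host: str
    method: str
    path: str


def parse_indicators(text: str) -> List[Ioc]:
    """Parse slide-style indicator lines; lines that do not fit the format are skipped."""
    iocs = []
    for line in text.splitlines():
        m = RE_IOC.match(line.strip())
        if m:
            iocs.append(Ioc(m["ip"], int(m["port"]), m["host"], m["method"], m["path"]))
    return iocs


# Constructed proxy log: "<ts> <client> <server>:<port> <host header> <method> <path> <status>"
SAMPLE_PROXY_LOG = """\
2018-08-17T14:02:11Z 10.8.17.101 209.141.59.124:80 209.141.59.124 GET /1.exe 200
2018-08-17T14:02:19Z 10.8.17.101 47.74.40.118:80 securityupdateserver4.com POST /tasks.php 200
2018-08-17T14:02:20Z 10.8.17.101 47.74.40.118:80 securityupdateserver4.com GET /modules/x64payload.core 200
2018-08-17T14:05:44Z 10.8.17.101 47.74.40.118:80 securityupdateserver4.com GET /modules/config.bin 404
2018-08-17T14:07:30Z 10.8.17.102 47.74.40.118:80 47.74.40.118 POST /tasks.php 200
2018-08-17T14:08:02Z 10.8.17.102 198.51.100.7:80 example.com GET /index.html 200
"""


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    level: str    # "exact": ip+host+method+path; "host": C2 hostname; "ip": C2 address only
    host: str
    path: str
    ioc: Ioc      # the indicator the line was matched against


def match_log(log_text: str, iocs: List[Ioc]) -> List[Hit]:
    """Return one Hit per log line that touches a known C2, strongest match level first."""
    exact = {(i.ip, i.host, i.method, i.path): i for i in iocs}
    by_host: Dict[str, Ioc] = {}
    by_ip: Dict[str, Ioc] = {}
    for i in iocs:                       # keep the first indicator seen per host / address
        by_host.setdefault(i.host, i)
        by_ip.setdefault(i.ip, i)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, server, host, method, path, _status = line.split()
        ip = server.partition(":")[0]
        key = (ip, host, method, path)
        if key in exact:
            hits.append(Hit(ts, src, "exact", host, path, exact[key]))
        elif host in by_host:
            hits.append(Hit(ts, src, "host", host, path, by_host[host]))
        elif ip in by_ip:
            hits.append(Hit(ts, src, "ip", host, path, by_ip[ip]))
    return hits


if __name__ == "__main__":
    for h in match_log(SAMPLE_PROXY_LOG, parse_indicators(INDICATORS)):
        print(f"{h.ts} {h.src} {h.level:5} {h.host}{h.path} (ioc {h.ioc.ip})")
```

The weaker tiers exist because a C2 host usually serves more paths than the ones captured in a single pcap, and a client that sends the raw address as the Host header would slip past a hostname-only match; reporting the tier lets an analyst prioritise exact hits while still seeing every client that talked to the infrastructure.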
• Sample 2:
- The dropper of Ryuk is simple and fairly straightforward. It contains 32 and 64 bit modules of the ransomware, embedded one after the other in the dropper’s binary. At the beginning of its execution, the dropper generates a lettered random file name using the srand function and GetTickCount for seed generation.
https://bullguard.atlassian.net/wiki/spaces/BTD/pages/696615039/Ryuk+ransomware?preview=/696615039/706773060/Ryuk%20ransomware.pdf
• Sample 1:
- The IEXPLORE.EXE process is responsible for establishing the connection with the CnC and downloading submodules (into registry keys)
https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/
• Sample 1:
- While drive-by mining typically happens via the standard HTTP protocol—either via
HTTP or HTTPS connections—we have witnessed more and more examples of miners
communicating via WebSockets instead.
https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/
https://www.malware-traffic-analysis.net/2018/08/06/index.html
TOOLS
• Flare is a network analytic framework: https://github.com/austin-taylor/flare
• https://www.malware-traffic-analysis.net/2018/index.html