
SUMMARY:

On Sunday 2016-02-28 at 22:43 UTC, a Windows host was infected with TeslaCrypt
ransomware delivered by Angler exploit kit (EK) after viewing a compromised
website, www[.]mysecretdeals[.]nl during casual web browsing. The compromised
website had injected script from the pseudo-Darkleech campaign [1] that pointed to
the Angler EK.

RECOMMENDED ACTIONS:

Wipe and re-image the Windows host, then have the user restore any documents or
personal items from a data backup.

HOST INFORMATION:

MAC address: 00:c0:4f:f6:3e:74 (Dell_f6:3e:74)
IP address: 172.16.181.176
Host name: WIN-DJ3W602WC9M

INDICATORS OF COMPROMISE (IOC):

188.121.54.128 - www[.]mysecretdeals[.]nl - Compromised website with pseudo-Darkleech script
85.143.222.170 - netmakevitelaoversttelsestidspunkt[.]timepassion[.]com - Angler EK
192.185.39.66 - biocarbon[.]com[.]ec - TeslaCrypt post-infection traffic

OTHER NOTES:

- Prior to viewing www[.]mysecretdeals[.]nl, the user viewed misspluss[.]hu. The
missplus[.]hu site was compromised and had injected script related to the admedia
campaign [2]. Traffic went as far as the gate at img[.]zolotcevasunya[.]info but
no EK traffic was noted.

REFERENCES:

[1] http://researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/
[2] https://isc.sans.edu/forums/diary/Angler+exploit+kit+generated+by+admedia+gates/20741

IMAGES:

2016-02-28-traffic-analysis-exercise-answers-image-01.jpg
Finding the MAC address and host name for the IP address.

2016-02-28-traffic-analysis-exercise-answers-image-02.jpg
Alerts when running the pcap through Security Onion running the ET Pro ruleset.
This shows Angler EK and TeslaCrypt traffic.

2016-02-28-traffic-analysis-exercise-answers-image-03.jpg
Filter the pcap on the IP address from the Angler EK alerts.

2016-02-28-traffic-analysis-exercise-answers-image-04.jpg
And you can find the referer that caused the Angler EK. This is the compromised
website.

2016-02-28-traffic-analysis-exercise-answers-image-05.jpg
If you export HTTP objects from the pcap...

2016-02-28-traffic-analysis-exercise-answers-image-06.jpg
And select the index page for the compromised website www[.]mysecretdeals[.]nl...

2016-02-28-traffic-analysis-exercise-answers-image-07.jpg
Scroll through the HTML file, and you'll find pseudo-Darkleech script injected just
after the </header> and <body> tags.

2016-02-28-traffic-analysis-exercise-answers-image-08.jpg
Checking on the TeslaCrypt callback traffic from the pcap in Wireshark using the IP
address from the Security Onion alerts.
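The steps shown in the images (filter the pcap on the alerted IP, find the referer that led to the EK, confirm the callback) can be scripted once the HTTP requests have been pulled out of the pcap. The following is an added example, not part of the original exercise answers: it refangs the report's IOCs, builds the equivalent Wireshark display filter, and walks the Referer chain through a handful of constructed request records. The host names are the ones named in this report; the timestamps, URIs, and Referer values in SAMPLE are made up for illustration.

```python
"""Added example: refang the report's defanged IOCs, build a Wireshark display
filter from them, and follow HTTP Referer headers back to the compromised site."""
from collections import namedtuple
from urllib.parse import urlsplit

# IP -> domain pairs exactly as listed in the report's IOC section (defanged).
IOCS = {
    "188.121.54.128": "www[.]mysecretdeals[.]nl",
    "85.143.222.170": "netmakevitelaoversttelsestidspunkt[.]timepassion[.]com",
    "192.185.39.66": "biocarbon[.]com[.]ec",
}


def refang(indicator):
    """Undo the usual report defanging so a value can be matched against logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def wireshark_filter(ips):
    """Display filter equivalent to 'filter the pcap on the IP from the alerts'."""
    return " || ".join(f"ip.addr == {ip}" for ip in ips)


# One HTTP request as exported from Wireshark's request list or a proxy log.
HttpRequest = namedtuple("HttpRequest", "ts src host uri referer")

# Constructed sample records (hypothetical): hosts come from the report,
# everything else (times, URIs, Referer presence) is invented for the demo.
SAMPLE = [
    HttpRequest("22:41:07", "172.16.181.176", "misspluss.hu", "/", ""),
    HttpRequest("22:41:09", "172.16.181.176", "img.zolotcevasunya.info",
                "/gate", "http://misspluss.hu/"),
    HttpRequest("22:42:51", "172.16.181.176", "www.mysecretdeals.nl", "/", ""),
    HttpRequest("22:42:53", "172.16.181.176",
                "netmakevitelaoversttelsestidspunkt.timepassion.com",
                "/landing", "http://www.mysecretdeals.nl/"),
    HttpRequest("22:43:10", "172.16.181.176", "biocarbon.com.ec", "/callback", ""),
]


def referer_chain(requests, host):
    """Return the hosts that led to `host`, earliest first, by following each
    request's Referer header back until a request has none (or loops)."""
    by_host = {r.host: r for r in requests}
    chain = [host]
    seen = {host}
    while True:
        req = by_host.get(chain[0])
        if req is None or not req.referer:
            return chain
        parent = urlsplit(req.referer).hostname
        if parent is None or parent in seen:
            return chain
        seen.add(parent)
        chain.insert(0, parent)


def ioc_hits(requests, iocs):
    """Map each IOC domain seen in the traffic to the IP the report ties it to."""
    domains = {refang(d): ip for ip, d in iocs.items()}
    return {r.host: domains[r.host] for r in requests if r.host in domains}


if __name__ == "__main__":
    print(wireshark_filter(IOCS))
    for host in ioc_hits(SAMPLE, IOCS):
        print(host, "<-", " -> ".join(referer_chain(SAMPLE, host)))
```

Run against the sample, the EK host resolves back to www.mysecretdeals.nl as its referer, the admedia gate resolves back to misspluss.hu with no EK host after it, and the TeslaCrypt callback has no referer at all, which matches the report's three findings.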
