Name: Mark Hillick

Description:

1. As part of the infection process, Ms. Moneymany's browser downloaded two Java applets. What were the names of the two .jar files that implemented these applets?

I began the analysis by opening the file with Wireshark (www.wireshark.org). Looking for the two .jar files mentioned in the question, I ran the following "Wireshark Capture Filter":

http.request.uri contains jar

which produced two HTTP requests from Ms. Moneymany's browser for .jar files:

1. q.jar
2. sdfg.jar

These two Java applets are later reproduced when the executable file (file.exe) is extracted and unpacked.

2. What was Ms. Moneymany's username on the infected Windows system?

Administrator - I wasn't completely sure how to do this, but I figured that the malware would send information back to the attacker. I therefore searched for 'guid' amongst the outgoing traffic from the client using the query

ip.src==192.168.23.129 && http.request.uri contains guid

which resulted in an HTTP request containing 'guid=ADMINISTRATOR'. This request resulted in a 404 response; however, this is irrelevant as the data has already left and been sent to the attacker. (I am not very confident about this answer.)

3. What was the starting URL of this incident? In other words, on which URL did Ms. Moneymany probably click?

The second URI requested is /xxx.xxx. Within the HTTP headers, you can see the Referer points to http://nrtjo.eu/true.php, indicating that this second request was brought about by the true.php script at http://nrtjo.eu/true.php.

4. As part of the infection, a malicious Windows executable file was downloaded onto Ms. Moneymany's system. What was the file's MD5 hash? Hint: It ends on '91ed'.

Within Wireshark, I then ran the simple filter "http contains exe". This produced two results: frames 216 and 273, i.e. TCP streams 8 and 9.
The attachment 'file.exe' is referenced in the 'Content-Disposition' header (within the HTTP response headers). The malware is suggesting to the client OS what to save the file as (name and extension). In two HTTP responses, it is possible to see the 'Content-Disposition' header containing 'file.exe'. From my experience, it is easier to extract a file like this with Network Miner. As a result, I analyzed the capture in the 'Network Miner' application and selected the option to "open the file.exe files in a folder". I opened 'file.exe.octet-stream' in both "Filealyz.exe" and "MD5 FastSum", which produced an MD5 sum of 5942BA36CF732097479C51986EEE91ED.

5. What is the name of the packer used to protect the malicious Windows executable? Hint: This is one of the most popular freely-available packers seen in 'mainstream' malware.

UPX - When looking at the packet capture (within Wireshark) using 'tcp.stream eq 9', there are several references to UPX below the HTTP response headers (where the binary is dumped as ASCII). I confirmed this through the "Filealyz.exe" tool, which indicated to me that the executable was 'upx' packed.

6. What is the MD5 hash of the unpacked version of the malicious Windows executable file?

I ran 'upx -d file.exe.octet-stream', which changed the file from 67 KB in size to 81 KB (through unpacking it). The resulting MD5 sum is 0F37839F48F7FC77E6D50E14657FB96E, confirmed through both "Filealyz.exe" and "MD5 FastSum".

7. The malicious executable attempts to connect to an Internet host using an IP address which is hard-coded into it (there was no DNS lookup). What is the IP address of that Internet host?

Based on the challenge description (specifically the section referring to analysis of the executable being "outside the scope of this particular puzzle"), I believe that this information can be retrieved solely by analyzing the pcap file (Lenny's comment would appear to confirm this).
This rules out the requests to nrtjo.eu, as the IP address 59.53.91.102 was obtained via a DNS request to 192.168.23.2, and the requests to freeways.in, as the IP address 212.252.32.20 was also obtained via a DNS request to 192.168.23.2. There are two other Internet IP addresses to which connection attempts are made. The first is 65.55.195.250, though this connection attempt was made prior to the executable being downloaded (the executable wasn't downloaded until 43-46 seconds into the packet capture). Therefore, the final remaining Internet IP address is 213.155.29.144, and coincidentally connections were made to this external IP address in the 46-47 second time period. There was no DNS lookup for this IP address. These connections are to destination port 444, and the protocol in use is SNPP (Simple Network Paging Protocol), which is used by pagers so they can receive messages over the Internet, i.e. the executable is dialing home to inform the 'bad guy' that the executable has been successfully launched and a system compromised.

I confirmed this by renaming the unpacked file.exe.octet-stream to file.exe. I then started Wireshark on my external interface before manually launching it (this was on a VM), where I captured the HTTP GET request for a PHP script located on 213.155.29.144. Interestingly, there was a DNS query for current.cvd.clamav.net prior to the HTTP GET (to 213.155.29.144).

I uploaded the file to VirusTotal to see what the coverage was like. This executable was surely a well-known piece of malware at this stage? There was 80% coverage for the 'unpacked' version (http://www.virustotal.com/analisis/f097ad77b99b3744994a646d6a3577cea2faa8b9e656fcccbbd73244e227c850-1272016938), while the 'packed' version had 90% coverage (http://www.virustotal.com/analisis/9459b0d6f7cdec6860c458944386896f78cb60befdd04fbeab0df5b6661a3f81-1272598704). Interestingly, does this mean that it is easier to hide a malicious file by 'not' packing it?
Is a 'flag' (within the AV software) raised once 'UPX' packing is detected, i.e. is it a similar signature detection?

Tools Used

Wireshark - http://www.wireshark.org
Network Miner - http://networkminer.sourceforge.net/
MD5 FastSum - http://www.fastsum.com/
Filealyz.exe - http://www.safer-networking.org/en/download/

Additional Text: Thanks folks for the challenge. I wish I had more time to script it and actually check my answers, but work pressures made it impossible to spend much time on this challenge. Thanks again and keep it up.
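As an added illustration (not part of Mark's submission or the puzzle materials), the steps above scripted in Python: the "uri contains jar" filter, carving an attachment out of an HTTP response by its Content-Disposition name and hashing it, a quick UPX triage check, and the "contacted without a prior DNS answer" test used for question 7. All inputs are constructed stand-ins for the pcap (the request lines, the response, the fake attachment body and the event timeline, which reuses the write-up's addresses with illustrative timestamps), and the function names are my own.

```python
"""Added example, not part of the original write-up: scripted versions of the
pcap checks described above, run over constructed data."""
import hashlib
import ipaddress
import re
from typing import Dict, List, NamedTuple, Tuple

# --- constructed inputs (stand-ins for the capture, not taken from it) ---
REQUEST_LINES = ["GET /true.php HTTP/1.1", "GET /q.jar HTTP/1.1",
                 "GET /index.html HTTP/1.1", "GET /sdfg.jar HTTP/1.1"]
# Fake attachment body: an MZ stub plus the UPX section names and magic, so the
# triage check has something to find. It is not a real executable.
BODY = b"MZ" + b"\x00" * 62 + b"UPX0" + b"\x00" * 8 + b"UPX1" + b"\x00" * 8 + b"UPX!"
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b'Content-Disposition: attachment; filename="file.exe"\r\n'
            b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)

class Event(NamedTuple):
    t: float     # seconds into the capture
    kind: str    # "dns_answer" or "tcp_syn"
    ip: str      # resolved address (dns_answer) or destination (tcp_syn)
    port: int    # destination port for tcp_syn, 0 otherwise

# Timeline modelled on the write-up; timestamps are illustrative only.
EVENTS = [Event(1.0, "dns_answer", "59.53.91.102", 0), Event(1.2, "tcp_syn", "59.53.91.102", 80),
          Event(5.0, "tcp_syn", "65.55.195.250", 80),
          Event(20.0, "dns_answer", "212.252.32.20", 0), Event(20.3, "tcp_syn", "212.252.32.20", 80),
          Event(46.5, "tcp_syn", "213.155.29.144", 444), Event(46.9, "tcp_syn", "213.155.29.144", 444)]

def requested_names(lines: List[str], needle: str) -> List[str]:
    """Script equivalent of `http.request.uri contains <needle>`: the final
    path component of every request URI that contains the needle."""
    names = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and needle in parts[1]:
            names.append(parts[1].rsplit("/", 1)[-1])
    return names

def carve_attachment(raw: bytes) -> Tuple[str, bytes]:
    """Split a raw HTTP response at the blank line, honour Content-Length and
    read the suggested file name from Content-Disposition (the header that
    names the carved file in NetworkMiner)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response has no end-of-headers marker")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:
        k, _, v = line.decode("latin-1").partition(":")
        headers[k.strip().lower()] = v.strip()
    body = body[: int(headers.get("content-length", len(body)))]
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    return (m.group(1) if m else "unnamed"), body

def md5_hex(data: bytes) -> str:
    """Same value FastSum or md5sum would print for the carved file."""
    return hashlib.md5(data).hexdigest()

def looks_upx_packed(data: bytes) -> bool:
    """Quick triage only: looks for the UPX section names and magic string.
    Confirm with `upx -t` or a PE parser before relying on it."""
    return all(marker in data for marker in (b"UPX0", b"UPX1", b"UPX!"))

def unresolved_destinations(events: List[Event], after: float = 0.0) -> Dict[str, List[int]]:
    """Public IPs contacted at or after `after` seconds that no earlier DNS
    answer resolved, i.e. candidates for a hard-coded address. Maps IP -> ports."""
    resolved = set()
    hits: Dict[str, List[int]] = {}
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "dns_answer":
            resolved.add(ev.ip)
        elif ev.kind == "tcp_syn" and not ipaddress.ip_address(ev.ip).is_private:
            if ev.t >= after and ev.ip not in resolved:
                hits.setdefault(ev.ip, []).append(ev.port)
    return hits

if __name__ == "__main__":
    name, data = carve_attachment(RESPONSE)
    print("applets:", requested_names(REQUEST_LINES, "jar"))
    print(f"{name}: {len(data)} bytes, md5={md5_hex(data)}, upx={looks_upx_packed(data)}")
    # after=43.0 mirrors the write-up's reasoning: ignore connections made
    # before the executable was downloaded.
    print("hard-coded candidates:", unresolved_destinations(EVENTS, after=43.0))
```

On the constructed timeline, `unresolved_destinations` without a time cut-off returns both 65.55.195.250 and 213.155.29.144; applying the download-time cut-off leaves only the latter, which is exactly the elimination argued in the answer to question 7. The same functions work on real data once the request lines, responses and DNS/SYN events are pulled from the pcap with a library such as scapy or dpkt.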