TCP dump analysis

1. Introduction

In this exercise you'll learn how to extract content of a tcp dump with different tools. A tcp dump sample of a ftp session is provided. You have to identify the malware that was downloaded to find a matching yara rule later

303KB

malware.pcap

malware tcp dump sample

2. tcp flow

The pcap file contains an ftp session where a file has been downloaded. We will now go through different approaches how to extract the file(s) from the pcap.

Please follow instructions below

cd /home/hacker/Downloads
mkdir -p ./ftp/tcpflow
cp malware.pcap ./ftp/tcpflow
cd /home/hacker/Downloads/ftp/tcpflow
apt-get install tcpflow
tcpflow -r malware.pcap -o ./output

This will extract files from the pcap dump to the ./output folder

To get the MD5 filehashases from the output directory I use the following command: find -type f -exec md5sum '{}' +

We can now check this MD5 Filehashes against the virustotal database:

We could successful identify the md5 hash of the malware: 6fdb9a5243232703b13cadc5cccfa253

Let's go ahead and see what other tools we have, there's much more to explore! In the community tab of virus total we get a hint that it is the wannacry malware

3. Network miner

We can install network miner with the following command:

apt-get install hl-networkminer

For some reason I didn't get networkminer to start, so I had to install it manually:

sudo apt install mono-devel 

wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip
sudo unzip /tmp/nm.zip -d /opt/
cd /opt/NetworkMiner*
sudo chmod +x NetworkMiner.exe
sudo chmod -R go+w AssembledFiles/
sudo chmod -R go+w Captures/ 

To run network miner use the following command: mono NetworkMiner.exe --noupdatecheck

That worked and now we can load the pcap file:

4. chaosreader

Another method of extracting the file from the pcap is chaosreader.

Please follow the instructions below.

cd /home/hacker/Downloads/ftp
mkdir chaosreader
cp malware.pcap chaosreader
cd chaosreader
apt-get install chaosreader
/usr/bin/chaosreader -h
/usr/bin/chaosreader -v malware.pcap

Let's compare the MD5 hashes of the extracted files: md5sum *

The malisciousfile with the previously identified md5 hash is not available

5. binwalk

Let's try another nice utility

cd /home/hacker/Downloads
mkdir -p ./tcpdump/binwalk
cp malware.pcap ./tcpdump/binwalk
cd /home/hacker/Downloads/tcpdump/binwalk
binwalk -e malware.pcap

let's visualize the generated files using tree

The malisciousfile with the previously identified md5 hash is not available

6. Foremost

Foremost is a tool that I've allready used in the forensic Exercises. It has also an option to extract files from a pcap file. Let's try that out.

cd /home/hacker/Downloads/tcpdump
mkdir foremost
cd foremost
cp ../tcpdump.pcap .
foremost -i ./tcpdump.pcap -o ./output
tree .

Let's check the MD5 hashes

md5sum *

Foremost was able to extract two exe binaries, but none of them contained the malware hashvalue we have identified previousely.

7. Wireshark

Of course we can also use wireshark to extract the maliscious binary! Let's start wireshark and open the pcap file. After it is opend we need to set the filter to ftp-data

Select protocol --> Follow TCP Stream (RETR Windows-Update.exe)

8. Security Questions

Once the data has been extracted from a pcap or any other format, you can then use yara.

Please respond to the following questions

• is the malware packed?

• what kind of malware is it?

• try out different yara rules

Answers

I've used the following command to check the extracted binary with yara

yara -r /opt/applic/yara-rules/index.yar /home/hacker/Downloads/tcpdump | grep binary.raw

As we can see the binary is packed and it is as previousely mentioned the WannaCry Ransomware!