Threat Hunting – Zyklon Trojan

This is a lab conducted in a test bed. The resources were downloaded from malware-traffic-analysis.net. The sample provided comes from a case study: a specially crafted pcap file from what is possibly an office workstation that was the victim of a malware attack.

We have been provided a pcap that is uniquely crafted for this exercise. It has been remodeled so that more detail is covered by many endpoints rather than just one. Previously, we covered a pcap where only one host was involved as a source. The aim of the investigation remains the same. However, there are a few simple techniques that help reduce the time needed to pinpoint the suspicious host when working with multiple endpoints. We can also make certain assumptions about the other hosts, as they might be virtual machines sharing the same physical host.

Below is the link where you can download the pcap for this exercise:

http://www.malware-traffic-analysis.net/2017/07/22/index.html

SHA-256 – 43f87c33d074b95d4b7b1dec96eea07172e39771790200e76e2a97b5d1e8c45f

Before we begin the investigation, we map out the endpoints we will be working with in order to simplify the process. To do this, go to Statistics → Endpoints.

This lists all the IP addresses we are working with, which narrows down the research into the internal and external hosts. It also helps in first analyzing the data transfers and then singling out possible suspicious traffic based on the packets transmitted or received. You can also switch between endpoint types, e.g., Bluetooth, NCP, IEEE 802.11, USB, etc., with the drop-down menu at the bottom right corner.

We will use it in this case and observe a few clues about the internal IP address scheme. We need to sort the list by the highest number of bytes transferred. There are also many large packet (Read more...)
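To show what the Statistics → Endpoints view computes, here is an added example (not code from the original post) that parses a classic pcap with the Python standard library, tallies per-IP packet and byte counts, flags RFC 1918 addresses as internal, and ranks endpoints by bytes transferred. The pcap is built inline from constructed sample flows, so the addresses and volumes are assumptions for illustration, not values from the exercise capture.

```python
import struct
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed traffic (not the exercise capture): src, dst, payload bytes, frame count.
SAMPLE_FLOWS = [
    ("10.7.22.101", "203.0.113.5", 1400, 120),   # one workstation moves most of the data
    ("203.0.113.5", "10.7.22.101", 1400, 60),
    ("10.7.22.102", "198.51.100.9", 300, 4),
    ("10.7.22.103", "198.51.100.9", 300, 6),
]

def build_ipv4_frame(src, dst, payload_len):
    """Ethernet header + minimal IPv4 header + zero payload (checksum left as 0)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + b"\x00" * payload_len

def build_pcap(flows):
    """Classic libpcap layout: 24-byte global header, then a 16-byte header per record."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for src, dst, plen, count in flows:
        frame = build_ipv4_frame(src, dst, plen)
        out += (struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame) * count
    return out

def endpoint_stats(pcap):
    """Per-IP packet, tx-byte and rx-byte totals, as in Statistics -> Endpoints."""
    stats = defaultdict(lambda: {"packets": 0, "tx_bytes": 0, "rx_bytes": 0})
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # only IPv4-over-Ethernet frames are counted here
        src = str(ipaddress.ip_address(frame[26:30]))
        dst = str(ipaddress.ip_address(frame[30:34]))
        stats[src]["packets"] += 1
        stats[src]["tx_bytes"] += len(frame)
        stats[dst]["packets"] += 1
        stats[dst]["rx_bytes"] += len(frame)
    return dict(stats)

def rank_endpoints(stats):
    """(ip, total bytes, packets, is_internal) sorted by total bytes, highest first."""
    rows = []
    for ip, s in stats.items():
        internal = any(ipaddress.ip_address(ip) in net for net in RFC1918)
        rows.append((ip, s["tx_bytes"] + s["rx_bytes"], s["packets"], internal))
    return sorted(rows, key=lambda r: r[1], reverse=True)
```

Filtering the ranked rows to internal addresses reproduces the "sort by highest bytes" step described above and points at 10.7.22.101 as the host to examine first.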

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Kapil Kulkarni. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/j1QWGXrauKQ/