This is my writeup for the Honeynet Project - Forensics challenge 14 - Weird Python there were multiple SSL and HTTP connections.
I initially opened the pcapng in Wireshark and saw that there were multiple SSL and HTTP connections. Rather than combing through wireshark looking at each one I went investigating tools that would analyze HTTP traffic from a PCAP.
I stumbled on pcapperf - a pretty nice web based analyzier. It shows results similar to the network tab in chrome's inspect interface. The site does not operate on pcapng format, so I converted it to pcap using wireshark's save feature.
Using this I was able to see the various sites visited, and also the method the attacker used (Questions 1, 2, 3, 5). Using wireshark I extracted the downloaded game from the fake website.
Answers to the various questions follow.
1) BYOD seems to be a very interesting topic. What did your boss do during the conference?
- Visited Google.fr and Google+
- Reddit.com
- Searched reddit for "byod"
- 9gag.com
- thewayoftheninja.org -> to download n
Links followed:
http://www.reddit.com/r/talesfromtechsupport/comments/2i46ss/satans_cpa_did_sign_the_byod_policy_from_hr/http://www.reddit.com/r/sysadmin/comments/1ue8qd/for_all_you_powershell_fans_nice_blog_about_using/
2) What method did the attacker use to infect your boss? Which systems (i.e. IP addresses) are involved?
Spoof'd the DNS response for "www.harveycartel.org" to be 81.166.122.238
ninja-game.org also resolves to this IP
3) Based on the PCAP, which files were exfiltrated? List the filenames.
- C:\Users\admin\Desktop\sensitive+documents.doc
- C:\Users\admin\Desktop\Tools\odbg201\help.pdf
- C:\Users\admin\Documents\private\affair\holiday\EmiratesETicket1.pdf
- C:\Users\admin\Documents\private\affair\holiday\EmiratesETicket2.pdf
Exfiled to http://ninja-game.org/submit_highscore
Using a combination of wireshark and https://pcapperf.appspot.com/view?hash_str=5349ea30533d7fbdc03257d27e301ed8
4) Can you sketch an overview of the general actions performed by the malware?
The initial download pretends to be the game the user downloaded. It's a self extracting rar that does 2 things
- Runs the python dropper main.pyc
- Runs an older version of the game
The dropper retrieves a payload which then exfils all *.pdf, *.doc, *.docx, *.xls, and *.xlsx files in the current user's home directory.
Used:
Python source
IDA Pro
unwind - https://github.com/evanw/unwind
uncompile 2 - https://github.com/wibiti/uncompyle2
Modified unwind to take into account the modifications that were made to the python's marshaling code.
5) Do you think this is a targeted or an automated attack? Why?
- Targeted to visitors who download the game; an older version of the game was included, not the one download.
6) The malware seems to be written in Python. Is this "normal" Python? What's different?
It's fairly normal.. once you get past the bytecode obfuscation.
-- All code objects had a fake 226 byte code object:
import sys
sys.exit('\r\ndebugger detected.\r\nsignature: 233f3f3b7164642c2424652c276431723a7d021e')
added to stop debugging/reversing without using the embedded python interpreter
Also, all string objects (which included the bytecode) were masked with a rolling xor pad.
i = len(s) - 1
cur = 43
while i >= 0
s[i] = s[i] ^ cur
cur++
i--
7) What does main.pyc do? (Bonus: Can you provide a decompiled version?)
It reads the USERNAME environment variable, and makes a request to http://ninja-game.org/highscores?{USERNAME} to retrieve the main payload.
The main payload is masked using some algorithm
{% include_code lang:python weird_python/dropper_main.py %}
8) How is the final payload protected? How is it decrypted by the dropper? (Bonus: Can you provide a decompiled version?)
{% include_code lang:python weird_python/payload.py %}
The final payload in protected with a simple substitution cipher.
9) Why did Pete leave the company?
His wife has a ticket on the same flights as the boss
10) Your boss mentioned he's going to the Honeynet Workshop in Stavanger, but you're not allowed to join him. Why so?
He's actually going to Dubai