Cuckoo – Network Analysis


Previous Post: Cuckoo Memory Analysis with Volatility

In this section we will deal with a recent malware example and also do some basic network analysis. I will try just a new malware from: Malware Clean MX – realtime.  Below is the screenshot. We will test a suspected trojan downloader. This is the first line below and it is a live threat and most of the antivirus software does not recognize it yet.

malwaremx

 

Clicking the link downloads an executable file. Now we will submit it to Cuckoo.
# cd /root/cuckoo
# utils/submit.py samples/finstall.exe

After the analysis is complete we check the cuckoo report. It has a Virustotal detection ratio of 5/56. This is a low ratio.

When I check the import section in the static analysis I see that it seems pretty suspicious. It calls the dlls: KERNEL32.dll, USER32.dll, SHELL32.dll, etc.

After that I checked the dropped files and see that it has dropped some files:

droppedfiles

Now lets check the DNS requests: As you see below we can see Chinese domains.

dns.msftncsi.com 131.107.255.255
bd.baidudalian.com 222.186.60.70
int.dpool.sina.com.cn 123.125.29.252
show.man1234.com 122.227.42.227
down.cncpa.net 222.186.129.21
d.qq66699.com 121.10.117.139
tj.9158.com 115.231.82.101
wdl1.cache.wps.cn 218.60.107.12
www.bangshijz.com 42.121.255.144

I finally want to check the network dump file and see the details there. To do it I like to use NetworkMiner. If you do not have it the installation is very easy.

NetworkMiner Installation (Debian/Ubuntu):

$ sudo apt-get install libmono-winforms2.0-cil 
$ wget sf.net/projects/networkminer/files/latest -O ./nm.zip
$ sudo unzip ./nm.zip -d /opt/
$ cd /opt/NetworkMiner*
$ sudo chmod +x NetworkMiner.exe
$ sudo chmod -R go+w AssembledFiles/
$ sudo chmod -R go+w Captures/

After installation also define the PATH variable so that you can run it anywhere. In your user folder edit .bashrc add the line below at the end of it (The numbers at the end will change according to the latest version.)
PATH=$PATH:/opt/NetworkMiner_1-6-1

Now you can check dump.pcap  file. Here is the command:
# NetworkMiner.exe pathoffile/dump.pcap

Here is an example screenshot showing the download and URL of MM-liao8398.exe.

networkminer

Above you can also see that you can see many details with NetworkMiner like:
– Hosts, Frames, Files, Images, Messages, Credentials, Sessions, DNS, Parameters, Keywords, Cleartext and Anomalies.

As you can see NetworkMiner is very useful checking the contents of  a pcap file. What is more extracts all the files. You can also analyse the extracted files.

I will just check the downloaded exe file here. First file info:
# file storage/analyses/40/files/5662260763/MM-liao8398.exe
storage/analyses/40/files/5662260763/MM-liao8398.exe: PE32 executable (GUI) Intel 80386, for MS Windows

Now the strings details with http:
# strings storage/analyses/40/files/5662260763/MM-liao8398.exe | grep http
http://tj.9158.com/Opendownloadernewxml.aspx
http://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%253Dhttp%25253A%25252F%25252Fqun.qzone.qq.com%25252Fgroup&css=&mibao_css=&s_url=http%253A%252F%252Fqun.qzone.qq.com%252Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028
http://tj.9158.com/DownloadInsertinfo.aspx?
http\shell\open\command
http://tj.9158.com/logtest.aspx
http
http://

As you see above this file most probably will download more files from tj.9158.com. What is more there are also strings like “open shell command”.

? The end of post ?