This is the setup of the lab for the Zeus malware on Active Countermeasures.

We will first get an overview of the malicious activity on this system by listing HTTP requests [1]. Then, we will analyze the conversations between the infected system and the C2 [2] server.

We download zeus_1hr.pcap from here to our Kali Linux 2020.3 instance and use Wireshark 3.2.5 for the analysis. We launch Wireshark, open zeus_1hr.pcap and list HTTP requests by HTTP host. What to select in the Wireshark GUI is listed under each screenshot.

Statistics > HTTP > Requests

117 HTTP requests (more than 95% of all HTTP requests) with the same string are made to a suspicious domain.

The first thing that stands out is that more than 95% of all HTTP requests are made to a single domain: all 117 of them request the same JPG file. The other hosts in the list are explained as follows:

- OCSP is a protocol that checks whether a TLS/SSL certificate has been revoked.
- This host is used to download updates to the Weather app Live Tile.
- This is the IPv4 site-local multicast address for the Simple Service Discovery Protocol (SSDP).
- This host is suspicious because it modifies a legitimate domain by replacing the "l" with a "1". A quick search on the Internet shows that this is a known Zeus C2 domain.

The next step is to zoom in on the conversation between the infected machine and the C2 server. First, we need the IP addresses of the machines involved: the target machine's IPv4 address is 192.168.99.53 and the C2 server's is 67.207.93.135, as described in the lab setup [3]. Looking at all the conversations (Statistics > Conversations), we notice that 67.207.93.135 and 192.168.99.53 exchanged more than 25,000 packets (28 MB), which makes them the conversation pair with the most traffic.

By following the TCP stream (Follow > TCP Stream), we see that the C2 server sends a PowerShell command to the infected machine. This is the payload that the C2 server (67.207.93.135) sends to the infected machine (192.168.99.53). IEX is the alias for Invoke-Expression, a PowerShell cmdlet [4] that executes whatever string it is handed. In this instance, IEX runs a command that decompresses and reads a gzip stream, so the script that actually executes on the victim is not readable in the capture until that gzip stream is decoded.
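The three Wireshark views used above (Statistics > HTTP > Requests, Statistics > Conversations and Follow > TCP Stream) can be reproduced without the GUI. The following is an added example, not code from the original write-up or from the Active Countermeasures lab: a stdlib-only Python parser for libpcap files. It builds a small constructed capture in memory (the lab addresses 192.168.99.53 and 67.207.93.135 are taken from the text; the typosquat host examp1e.test, the RFC 5737 documentation address 203.0.113.10, the ports and the two-segment fake C2 stage are all assumptions, not data from zeus_1hr.pcap) and then counts requests per Host header, sizes each IPv4 conversation and reassembles one direction of a TCP stream in sequence-number order.

```python
import re
import struct
from collections import Counter, defaultdict

# ---- Constructed sample capture (stand-in for zeus_1hr.pcap; every value here is an assumption) ----
VICTIM, C2 = "192.168.99.53", "67.207.93.135"     # lab addresses from the write-up
OTHER = "203.0.113.10"                            # RFC 5737 documentation address, made up here
STAGE = (b"IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
         b"[IO.MemoryStream][Convert]::FromBase64String('...'),"
         b"[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")   # fake C2 stage text

def http_get(host, path):
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()

def build_packet(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with minimal headers (checksums left zero; the parser ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip4 + tcp + payload

def build_pcap(frames):
    """libpcap format: 24-byte global header (LINKTYPE_ETHERNET = 1), then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

SAMPLE_PCAP = build_pcap(
    [build_packet(VICTIM, C2, 50000 + i, 80, 1, http_get("examp1e.test", "/image.jpg")) for i in range(3)]
    + [build_packet(VICTIM, OTHER, 50100, 80, 1, http_get("ocsp.example.test", "/"))]
    # the C2 stage is split in two segments and written to the capture out of order on purpose
    + [build_packet(C2, VICTIM, 443, 50200, 1001 + 40, STAGE[40:]),
       build_packet(C2, VICTIM, 443, 50200, 1001, STAGE[:40])])

# ---- Parser ----
def iter_tcp(pcap_bytes):
    """Yield (src, sport, dst, dport, seq, payload, frame_len) for every TCP segment in the file."""
    if struct.unpack_from("<I", pcap_bytes)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian libpcap file (not pcapng); re-export from Wireshark")
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from("<IIII", pcap_bytes, off)[2]
        frame = pcap_bytes[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":              # EtherType: not IPv4
            continue
        ip4 = frame[14:]
        if ip4[9] != 6:                               # protocol: not TCP
            continue
        ihl, total_len = (ip4[0] & 0x0F) * 4, struct.unpack_from("!H", ip4, 2)[0]
        src, dst = ".".join(map(str, ip4[12:16])), ".".join(map(str, ip4[16:20]))
        tcp = ip4[ihl:total_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp)
        yield src, sport, dst, dport, seq, tcp[(tcp[12] >> 4) * 4:], len(frame)

# ---- The three Wireshark views ----
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")

def http_requests_by_host(pcap_bytes):
    """Statistics > HTTP > Requests: number of requests per Host header."""
    counts = Counter()
    for rec in iter_tcp(pcap_bytes):
        payload = rec[5]
        if REQUEST_LINE.match(payload):
            m = re.search(rb"\r\nHost: ([^\r\n]+)", payload.split(b"\r\n\r\n", 1)[0])
            if m:
                counts[m.group(1).decode(errors="replace")] += 1
    return counts

def ipv4_conversations(pcap_bytes):
    """Statistics > Conversations > IPv4: (packets, bytes) per unordered address pair."""
    stats = defaultdict(lambda: [0, 0])
    for src, _, dst, _, _, _, frame_len in iter_tcp(pcap_bytes):
        key = tuple(sorted((src, dst)))
        stats[key][0] += 1
        stats[key][1] += frame_len
    return {k: tuple(v) for k, v in stats.items()}

def top_conversation(pcap_bytes):
    """The address pair carrying the most bytes, as ((ip_a, ip_b), (packets, bytes))."""
    return max(ipv4_conversations(pcap_bytes).items(), key=lambda kv: kv[1][1])

def follow_tcp_stream(pcap_bytes, src, sport, dst, dport):
    """One direction of Follow > TCP Stream: payloads concatenated in sequence-number order."""
    segs = [(seq, p) for s, sp, d, dp, seq, p, _ in iter_tcp(pcap_bytes)
            if (s, sp, d, dp) == (src, sport, dst, dport) and p]
    return b"".join(p for _, p in sorted(segs))

if __name__ == "__main__":
    print(http_requests_by_host(SAMPLE_PCAP).most_common())
    print(top_conversation(SAMPLE_PCAP))
    print(follow_tcp_stream(SAMPLE_PCAP, C2, 443, VICTIM, 50200).decode())
```

To run the same queries against the lab capture, pass `open("zeus_1hr.pcap", "rb").read()` instead of SAMPLE_PCAP. The stream follower only orders segments by sequence number: retransmitted or overlapping segments are concatenated twice, and pcapng files (Wireshark's default save format) are rejected, so export as plain pcap first. Wireshark's own Follow handles both cases.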
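The IEX one-liner seen in the stream is only the stager; the script that actually runs is inside the gzip stream, and an analyst should recover it statically rather than pasting the command into PowerShell. The following is an added example (not code from the original post or from the lab) that builds a constructed stager of the same shape (the wrapper text and the NEXT_STAGE script are assumptions, not the bytes from the capture) and unwraps it with Python's base64, gzip and zlib modules. It goes slightly beyond the single case in the text: it also handles nested wrappers, DeflateStream (raw deflate) instead of GzipStream, and UTF-16LE payloads of the kind -EncodedCommand uses.

```python
import base64
import gzip
import re
import zlib

# Constructed stand-in for whatever the real second stage contained (an assumption, not lab data).
NEXT_STAGE = "Write-Host 'second stage would run here'"

def build_stager(script, nul_padded=False):
    """Wrap a script the way such C2 one-liners do: gzip, base64, and a StreamReader-over-GzipStream
    pipeline handed to IEX. Constructed for this example; the lab sample's wrapper may differ in detail."""
    raw = script.encode("utf-16-le" if nul_padded else "utf-8")
    blob = base64.b64encode(gzip.compress(raw)).decode()
    return ("IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
            f"[IO.MemoryStream][Convert]::FromBase64String('{blob}'),"
            "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")

B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")

def _to_text(raw):
    # StreamReader decodes UTF-8 by default; -EncodedCommand style payloads are UTF-16LE,
    # which shows up as a NUL in (almost) every second byte.
    if len(raw) >= 4 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")

def unwrap_stager(text, max_depth=8):
    """Statically unwrap nested base64/gzip/deflate IEX wrappers without running any PowerShell.
    Stops when no FromBase64String(...) argument is left, or after max_depth layers."""
    for _ in range(max_depth):
        m = B64_ARG.search(text)
        if not m:
            break
        raw = base64.b64decode(re.sub(r"\s", "", m.group(1)))
        if raw[:2] == b"\x1f\x8b":                        # gzip magic: GzipStream/Decompress
            raw = gzip.decompress(raw)
        elif "DeflateStream" in text:                     # raw deflate: no gzip/zlib header
            raw = zlib.decompress(raw, -zlib.MAX_WBITS)
        text = _to_text(raw)
    return text

if __name__ == "__main__":
    stager = build_stager(build_stager(NEXT_STAGE))     # two layers, as some stagers nest
    print(stager[:80] + "...")
    print(unwrap_stager(stager))
```

In practice, copy the command out of Follow > TCP Stream (show data as ASCII, or save the stream to a file) and pass it to unwrap_stager; hash and archive the decoded script before sharing it, and never execute it with IEX to "see what it does". If a wrapper decodes base64 without any compression, the same function still works, since only the gzip and deflate branches are conditional.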