HANCITOR - TRAFFIC ANALYSIS - SOL-LIGHTNET

mihika

Mihika

Posted on June 13, 2024

HANCITOR - TRAFFIC ANALYSIS - SOL-LIGHTNET

let's start:

Downloading the Capture File and Understanding the Assignment

  1. Download the .pcap file from PCAP
  2. Familiarize yourself with the assignment instructions.

LAN segment data:

LAN segment range: 10.20.30[.]0/24 (10.20.30[.]0 through 10.20.30[.]255)
Domain: sol-lightnet[.]com
Domain controller: 10.20.30[.]2 - Sol-Lightnet-DC
LAN segment gateway: 10.20.30[.]1
LAN segment broadcast address: 10.20.30[.]255

OUR TASK:

Write an incident report based on the pcap and the alerts.
The incident report should contain the following:
Executive Summary
Details (of the infected Windows host)
Indicators of Compromise (IOCs).

Analyzing Network Traffic with Basic Filters:

Filter: `(http.request || tls.handshake.type eq 1) && !(ssdp)`
Enter fullscreen mode Exit fullscreen mode

49.51.133.162 port 80 - gengrasjeepram.com - GET /sv.exe
This appears to be a request to download an executable file (sv.exe) from the domain gengrasjeepram.com. Analysing packet content, it's an executable file and the context, it's potentially malicious. Upon Research, associated to Hancitor Malware.

port 80 - api.ipify.org - GET /
This seems to be a request to api.ipify.org, which is a legitimate service to check the public IP address of a device. exposing the the public IP address of the compromised host.

81.177.6.156 port 80 - twereptale.com - POST /4/forum.php
81.177.6.156 port 80 - twereptale.com - POST /mlu/forum.php
81.177.6.156 port 80 - twereptale.com - POST /d2/about.php
These are POST requests to various endpoints on the domain twereptale.com. The repetitive nature suggests potential malicious activity, possibly sending system information or other data to the server.

148.66.137.40 port 80 - xolightfinance.com - GET /bhola/images/1
148.66.137.40 port 80 - xolightfinance.com - GET /bhola/images/2
These are requests to retrieve image files from the domain xolightfinance.com. While the files themselves may not be malicious, the fact that they are requested from a potentially malicious domain raises suspicion.

No other indicators of malicious activity were found.

For a deeper understanding of Hancitor malware and its infection traffic, consider reading Brad Duncan's insightful article on Unit 42: Examining Traffic from Hancitor Infections

Final report:

Executive Summary
On Thursday 2020-01-30 at 00:55 UTC, a Windows 10 client used by Alejandrina Hogue was infected with Hancitor malware.

Details
Host name: DESKTOP-4C02EMG
Host MAC address: 58:94:6b:77:9b:3c (IntelCor_77:9b:3c)
Host IP address: 10.20.30.227
User account name: alejandrina.hogue

Indicators of Compromise (IOCs)
49.51.133.162 port 80 - gengrasjeepram.com - GET /sv.exe
SHA256 hash: 995cbbb422634d497d65e12454cd5832cf1b4422189d9ec06efa88ed56891cda

port 80 - api.ipify.org - GET /
81.177.6.156 port 80 - twereptale.com - POST /4/forum.php
81.177.6.156 port 80 - twereptale.com - POST /mlu/forum.php
81.177.6.156 port 80 - twereptale.com - POST /d2/about.php
148.66.137.40 port 80 - xolightfinance.com - GET /bhola/images/1
148.66.137.40 port 80 - xolightfinance.com - GET /bhola/images/2

💖 💪 🙅 🚩
mihika
Mihika

Posted on June 13, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related