The initial HTTP request accesses the URL http://www.msftncsi.com/ncsi.txt, which introduces the keyword “URL threat intelligence”.
Because the URL's safety cannot be determined from the request alone, a threat intelligence database can be queried to check whether it is a malicious URL. According to cloud sandbox analysis, it is safe, so it can essentially be regarded as a secure website.
You can also inspect the response packet and judge by its content. The response contains only the phrase Microsoft NCSI, which does not look like a malicious website.
Visiting the site directly also shows that the page contains only that one sentence. It is recommended to do this in a sandbox environment to avoid connecting to a possibly malicious website.
One person's knowledge is limited, so we need to leverage the internet, for example by searching on Baidu; an online search reveals that this site is used by Microsoft to test network connectivity, proving the visit is safe.
Since we are analyzing a virus attack, we should start with packets that carry file transfers. You can therefore look directly at packets coming from the external network into the internal network and find those containing file transfers.
The investigation located the first file-transfer packet, which contained a file named 2018_11Details_zur_Transaktion.doc.
Reviewing the corresponding request packet shows that the file download URL is: http://ifcingenieria.cl/QpX8It/BIZ/Firmenkunden/
From the address alone it is not yet possible to tell whether this is a malicious website, so a URL threat intelligence database can be used to decide. According to cloud sandbox analysis, this URL is suspicious.
You can use the file-export feature directly on the file-transfer packets (Export Objects in Wireshark) to extract the files carried in the capture.
Upload the exported file to a cloud sandbox for inspection. It was identified as the malicious file Firmenkunden.
Read the detection results to analyze the behavior of the malicious file.
In the low-risk activities section of the detection report, network-related behavior shows that this malicious file accesses timlinger.com (IP: 216.37.42.32). Whether a connection to this address appears in the traffic capture therefore tells us whether the malicious file was executed.
Continuing the analysis of the traffic capture, communication with 216.37.42.32 is found, which confirms that the malicious file has already run.
Reviewing the communication content shows that the malicious file Firmenkunden accessed timlinger.com, which matches the network behavior in the cloud sandbox's analysis report.
The response packets from timlinger.com show that another file, 6169583.exe, was downloaded.
Export the file, then upload it to the cloud sandbox for inspection. This file was also identified as malicious.
Threat intelligence indicates that this malicious file also contacts several IP addresses.
Network communication was detected with 24.206.17.102.
Network communication was detected with 67.43.253.189.
Based on its network behavior, it is confirmed that the file has been executed.
Use stream tracing (Follow TCP Stream) to analyze the HTTP packets.
This return packet is all garbled text, and due to limited technical skills, I will not analyze it further.
Review the network communications to determine the scope of the compromise: computers exhibiting the virus's network behavior are listed as attacked computers.
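To make this scoping step repeatable, here is an added Python example (not from the original article) that runs the indicators gathered in the analysis above over a constructed, simplified connection log and separates hosts that only downloaded a payload from hosts whose C2 traffic confirms execution. The log format and the internal/placeholder addresses are assumptions.

```python
from collections import defaultdict

# Indicators taken from the analysis above (the page's own values): delivery
# and C2 hosts, C2 IPs reported by the sandbox, and the downloaded payloads.
MALICIOUS_HOSTS = {"ifcingenieria.cl", "timlinger.com"}
C2_IPS = {"216.37.42.32", "24.206.17.102", "67.43.253.189"}
MALICIOUS_FILES = {"2018_11Details_zur_Transaktion.doc", "6169583.exe"}

# Constructed sample log (not the page's capture) in a simplified
# "src_ip dst_ip http_host uri" format; "-" means no HTTP layer.
# 192.0.2.x are TEST-NET placeholder addresses, 10.0.0.x assumed internal hosts.
SAMPLE_LOG = """\
10.0.0.5 192.0.2.10 www.msftncsi.com /ncsi.txt
10.0.0.5 192.0.2.20 ifcingenieria.cl /QpX8It/BIZ/Firmenkunden/
10.0.0.5 216.37.42.32 timlinger.com /6169583.exe
10.0.0.5 24.206.17.102 - -
10.0.0.7 192.0.2.10 www.msftncsi.com /ncsi.txt
10.0.0.9 192.0.2.20 ifcingenieria.cl /2018_11Details_zur_Transaktion.doc
10.0.0.6 67.43.253.189 - -
"""


def scope_infection(log_text):
    """Map each internal source IP to the sorted indicators it touched.
    Hosts with no hits (e.g. 10.0.0.7, which only reached NCSI) are omitted."""
    hits = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        src, dst, host, uri = raw.split(maxsplit=3)
        if dst in C2_IPS:
            hits[src].add("ip:" + dst)
        if host in MALICIOUS_HOSTS:
            hits[src].add("host:" + host)
        fname = uri.rsplit("/", 1)[-1]
        if fname in MALICIOUS_FILES:
            hits[src].add("file:" + fname)
    return {src: sorted(v) for src, v in hits.items()}


def classify(hits):
    """A download alone does not prove execution; contact with a sandbox-reported C2 IP does."""
    return {src: "executed" if any(i.startswith("ip:") for i in inds) else "downloaded"
            for src, inds in hits.items()}


if __name__ == "__main__":
    hits = scope_infection(SAMPLE_LOG)
    for src, stage in sorted(classify(hits).items()):
        print(f"{src}: {stage} ({', '.join(hits[src])})")
```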
Disconnect attacked computers from the network to prevent further virus spread.
Use antivirus software to scan the entire disk of each victim host. Make sure to remove the downloaded malicious files (2018_11Details_zur_Transaktion.doc, 6169583.exe) as well as the files dropped after download (473.exe, nirmalacolorer.exe, etc.), and delete the nirmalacolorer service.
(1) Install antivirus software and keep it updated.
(2) Use an antivirus security gateway to stop viruses from entering the internal network.
(3) Set firewall policies that block communication with virus-related IPs.
(4) Conduct security education to raise employees' network security awareness and discourage clicking on content from unknown sources.
This article has mainly covered traffic-capture analysis and some basic Wireshark skills: filtering, file export, stream tracing, and the interpretation of threat intelligence.