This is not a post about the capabilities of this particular malware - this is about decoding the network traffic generated from an infected machine. StopMalvertising has a really nice write-up here: Analysis of vawtrak if you want to learn more about the malware.
Like all good malware, once a machine is infected, Vawtrak will send communications to its C2 servers. In this case, the traffic is encoded:
Observing the behavior of the malware on my system, I noticed that the malware only generated traffic when I had a browser open. Looking at CloudStrike... I could see that the malware had injected itself into my browsers.
Looking at the malware in IDA and Olly provided no useful information, and I could not get the malware to execute within the debugger.
My next step was to use memory analysis to see if that provided any clues. I took a memory dump of my infected machine after I had started IE and then started analysis using Volatility.
Using the malfind plugin, I could see several injected processes, but the one I really wanted was in the IE and Firefox processes.
Now that I had a memory address, I reverted to a clean VM and tried again. Using Olly (opened before I infected the machine), I attached to the IE process and put a breakpoint on what I thought was the injected memory section.
... insert lots of trial and error ...
What I was able to discover is that the traffic I saw was encoded by XORing it against the output of a random number generator, with the generator's seed carried in the first 8 bytes of the payload:
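As an added illustration (this is not the author's decode.py, which is linked below), here is a decoder with the same shape as the one described: read an 8-byte seed from the front of the payload, seed a generator, and XOR the rest of the payload against its output. The post does not give Vawtrak's actual generator, so the LCG below is a stand-in assumption, and the sample seed and payload are constructed.

```python
import struct


def keystream(seed: int, length: int) -> bytes:
    """Stand-in keystream generator (a 32-bit LCG).

    Assumption: the real Vawtrak generator is not described in the post,
    so this only demonstrates the seed-then-XOR structure of the decoder.
    """
    state = (seed ^ (seed >> 32)) & 0xFFFFFFFF  # fold the 64-bit seed
    out = bytearray()
    for _ in range(length):
        state = (state * 1103515245 + 12345) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def decode_payload(payload: bytes) -> bytes:
    """Recover the plaintext: first 8 bytes carry the seed, the remainder
    is plaintext XORed with the keystream produced from that seed."""
    if len(payload) < 8:
        raise ValueError("payload shorter than the 8-byte seed header")
    seed = struct.unpack("<Q", payload[:8])[0]
    body = payload[8:]
    ks = keystream(seed, len(body))
    return bytes(b ^ k for b, k in zip(body, ks))


def encode_payload(plaintext: bytes, seed: int) -> bytes:
    """XOR is symmetric, so encoding is the same operation with the seed
    prepended; used here only to build an offline test sample."""
    ks = keystream(seed, len(plaintext))
    return struct.pack("<Q", seed) + bytes(b ^ k for b, k in zip(plaintext, ks))


# Constructed sample: the beacon string from the post, wrapped with a
# constructed seed so the decoder can be exercised without a capture.
SAMPLE_PLAINTEXT = (b"id=68F33EA70000006700000000000F00000000&iv=00000022"
                    b"&av=00000000&info=020000020501010100030A28&proxy=none")
SAMPLE_PAYLOAD = encode_payload(SAMPLE_PLAINTEXT, 0x1122334455667788)

if __name__ == "__main__":
    print(decode_payload(SAMPLE_PAYLOAD).decode())
```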
Using Python I was able to develop this decoder:
Decoding the above traffic yields:
C:\Users\dkilman\Dropbox>decode.py
id=68F33EA70000006700000000000F00000000&iv=00000022&av=00000000&info=020000020501010100030A28&proxy=none
!SCORE!
Link to the code: http://cybersecuritymave-techie.blogspot.com/2014/07/decodepy.html
Link to a pcap parser that will decode the vawtrak data: https://github.com/dominique97/vaw_decode