What does Flexnet traffic look like? The sample shared below is available on @apklabio along with a nice pcap capture 👉🏿 apklab.io/apk.html?hash=…
From Wireshark's Protocol Hierarchy Statistics we can see that most of the traffic is TCP over IPv4, with only a little UDP, and a decent number of packets.
My next step is always to look at the conversations (Statistics > Conversations). I want to get a feeling for how many things we need to check and verify. In this case there are only 12 IPs to check (1 IP is local). Knowing this is an Android phone makes it easy to discard a few of them right away.
74.125.104.108 > Google
172.217.23.202 > Google
172.217.23.238 > Google
216.58.201.110 > Google
216.58.201.106 > Google
172.217.23.227 > Google
81.177.139.80 > not google. Investigate.
Note: Of course I'm taking the long way here. I knew from the start there was a malware infection in this pcap, so I didn't have to do all this. I could have scrolled down the traffic and spotted the malicious behavior. However, in many cases we don't know, so this helps.
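The same first triage step can be done without opening Wireshark. The script below is an added example, not code from the thread or from the Stratosphere tools: it parses a classic pcap file with only the Python standard library and reports the protocol hierarchy plus every remote IP with its packet count, which is the information the Protocol Hierarchy and Conversations views give you. The capture it runs on by default is constructed inline (documentation-range IPs, zeroed MAC addresses, minimal TCP/UDP headers), not the Flexnet pcap, and the RFC 1918 plus loopback and link-local ranges used to tell the phone apart from remote hosts are an assumption.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic pcap, microsecond timestamps, little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Assumption: the phone sits in one of these ranges; everything else is a remote host.
LOCAL_NETS = [ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def iter_packets(data):
    """Yield (timestamp_seconds, frame_bytes) from a classic pcap file (not pcapng)."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng and nanosecond pcap are not handled)")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def triage(data):
    """Protocol hierarchy counts and per-remote-IP packet counts for an Ethernet pcap."""
    protocols, remote = Counter(), Counter()
    for _ts, frame in iter_packets(data):
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            protocols["non-IPv4"] += 1
            continue
        proto = frame[23]                      # IPv4 protocol field
        src, dst = ip_address(frame[26:30]), ip_address(frame[30:34])
        protocols[PROTO_NAMES.get(proto, f"ip-proto-{proto}")] += 1
        for addr in (src, dst):               # count the non-local endpoint(s) of each packet
            if not is_local(addr):
                remote[str(addr)] += 1
    return protocols, remote


def _frame(src, dst, proto, payload=b""):
    """Minimal Ethernet/IPv4/{TCP,UDP} frame. Constructed test data, not from the real capture."""
    if proto == 6:   # TCP: 20-byte header, PSH|ACK, no options, checksum left zero
        l4 = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:            # UDP
        l4 = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     ip_address(src).packed, ip_address(dst).packed) + l4
    return b"\x00" * 12 + ETHERTYPE_IPV4 + ip   # zeroed MACs are irrelevant to the parser


def build_pcap(frames):
    """frames: iterable of (timestamp_seconds, frame_bytes) -> bytes of a classic pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame)
    return b"".join(out)


def sample_pcap():
    """Constructed capture: one phone, two hosts it talks to a lot, one odd HTTP POST."""
    phone, t = "192.168.1.10", 1590000000.0
    frames = []
    for i in range(5):
        frames.append((t + i, _frame(phone, "203.0.113.5", 6, b"GET / HTTP/1.1\r\n\r\n")))
        frames.append((t + i + 0.05, _frame("203.0.113.5", phone, 6)))
    frames.append((t + 10, _frame(phone, "203.0.113.9", 17, b"\x00" * 12)))
    frames.append((t + 20, _frame(phone, "198.51.100.7", 6, b"POST / HTTP/1.1\r\n\r\nmode=register_bot")))
    return build_pcap(frames)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()
    protocols, remote = triage(data)
    print("protocol hierarchy:", dict(protocols))
    for ip, n in remote.most_common():
        print(f"{ip:>16}  {n:5d} packets  -> attribute or investigate")
```

Run it with a real capture as the first argument; the remote IP list is the one to walk through, attributing the ones you can (Google, the app's own backend) and investigating the rest.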
So we filter in Wireshark all traffic related to the IP we are investigating (81.177.139.80), for example with the display filter ip.addr == 81.177.139.80. We find a nice series of HTTP requests that look like the image below. Any plain HTTP from a phone should draw our attention, to be honest.
There are four different HTTP requests to this IP (81.177.139.80, rakason[.]ru). The connections are not really periodic, as you can see. The Time column here displays seconds since the previous displayed packet.
All the packet lengths in the previous images are the same, which raises the question of how successful these connections were. The lack of periodicity is a little suspicious too (bots usually connect to their C&C periodically). Did this work or not?
The bot sends the parameters in clear text, so we can read the data sent. There is a *mode* for the requests; this one is 'register_bot'. The bot sends the SDK version, IMEI, country, phone number and operator. (This is a sandbox, which is why I'm posting the screenshot.)
Unfortunately, although we get a 200 OK response, the server may not be active or may have detected that this was not a real infection: the *bot_id* we get is -1. We can confirm this by looking at the next requests, since a bot registers once, not multiple times. Let's check.
Looking at the rest of the requests, we see that in every case the message originating from the infected phone is the same. The bot is still trying to register, but never gets a successful response from the C&C, even though the C&C is up and running.
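The two questions above (did the registration ever succeed, and is the beacon periodic) can be answered mechanically once the requests are decoded. The following Python is an added example, not the author's code, and it has to assume a wire format the thread only describes loosely: a form-encoded POST carrying a mode parameter and the device fields, a form-encoded bot_id in the 200 OK reply, the path /gate, the parameter names, the extra "ping" mode and the 0.2 coefficient-of-variation cutoff for "periodic" are all assumptions. The exchanges are constructed inline with obviously fake device values; the example also covers the case the thread does not show, a server that answers with a real bot_id.

```python
import statistics
from urllib.parse import parse_qs, urlencode


def _form(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict (assumed format)."""
    return {k: v[0] for k, v in parse_qs(body.decode("latin-1"), keep_blank_values=True).items()}


def parse_http_request(raw):
    """Return (method, path, headers, form_params) for one HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, _form(body)


def parse_http_response(raw):
    """Return (status_code, form_params); the C2 reply is assumed to be form-encoded too."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])
    return status, _form(body)


def analyse_registration(exchanges, cv_threshold=0.2):
    """exchanges: time-ordered list of (timestamp, request_bytes, response_bytes).
    cv_threshold: coefficient of variation of the inter-request gaps below which
    the beacon counts as periodic (arbitrary cutoff, assumption)."""
    modes, statuses, bot_ids = [], [], []
    for _ts, req, resp in exchanges:
        _method, _path, _headers, params = parse_http_request(req)
        status, reply = parse_http_response(resp)
        modes.append(params.get("mode"))
        statuses.append(status)
        bot_ids.append(reply.get("bot_id"))
    times = [ts for ts, _, _ in exchanges]
    deltas = [b - a for a, b in zip(times, times[1:])]
    cv = None
    if len(deltas) >= 2 and statistics.mean(deltas) > 0:
        cv = statistics.pstdev(deltas) / statistics.mean(deltas)
    registered = any(b is not None and b != "-1" for b in bot_ids)
    return {
        "requests": len(exchanges),
        "all_200": all(s == 200 for s in statuses),   # 200 OK alone proves nothing
        "modes": modes,
        "bot_ids": bot_ids,
        "registered": registered,
        # A bot registers once; every request being register_bot with bot_id=-1 means it never got in.
        "stuck_registering": bool(modes) and all(m == "register_bot" for m in modes) and not registered,
        "inter_request_seconds": deltas,
        "periodic": cv is not None and cv < cv_threshold,
    }


def make_request(params, host="rakason.ru", path="/gate"):
    """Constructed request; the path and parameter names are assumptions."""
    body = urlencode(params)
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode()


def make_response(params, status=200, reason="OK"):
    body = urlencode(params)
    return f"HTTP/1.1 {status} {reason}\r\nContent-Length: {len(body)}\r\n\r\n{body}".encode()


# Fake sandbox-style device values (constructed).
FAKE_DEVICE = {"mode": "register_bot", "sdk": "28", "imei": "000000000000000",
               "country": "us", "number": "15555550100", "operator": "SandboxTel"}


def sample_failed_registration():
    """Four identical register_bot attempts with irregular gaps, bot_id=-1 every time (constructed)."""
    times = [0.0, 37.0, 150.0, 172.0]
    return [(t, make_request(FAKE_DEVICE), make_response({"bot_id": "-1"})) for t in times]


def sample_successful_registration():
    """What a working bot would look like: one registration, then regular beacons (constructed)."""
    reg = (0.0, make_request(FAKE_DEVICE), make_response({"bot_id": "1337"}))
    beacons = [(60.0 * i, make_request({"mode": "ping", "bot_id": "1337"}), make_response({"cmd": ""}))
               for i in range(1, 4)]
    return [reg] + beacons


if __name__ == "__main__":
    for label, sample in (("sandbox", sample_failed_registration()),
                          ("real infection", sample_successful_registration())):
        print(label, analyse_registration(sample))
```

For the sandbox-style exchange the verdict is four 200 OK replies, bot_id -1 every time, stuck_registering true and periodic false, which matches what the screenshots show; the successful variant flips both flags. Treat the periodicity check as a hint only: a phone that sleeps or loses connectivity will break an otherwise regular beacon.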
The Stratosphere Linux IPS can also show us the requests, and that should raise some alarms as well.
At this point the analysis is over: we found the infection, and we can block the IP and hostname. However, let's find out a little more about this IP and hostname.
The @RiskIQ tool is fantastic. From it we gather that this IP has been active for a long time, probably at a hosting provider. Blocking this IP may require some extra analysis depending on where you are located: IPs like this may host legitimate content that users access.
@virustotal at first sight doesn't show maliciousness. But if we look carefully, we can see several malicious files communicating with the IP. We need to check those files to make sure the IP is actually contacted and that the communication is malicious. We see that in the third image.
What about the domain (rakason[.]ru)? From RiskIQ we see that it has been online for quite some time, always hosted on the same IP address. Never reported? Curious. VirusTotal tells us that it is malicious, so any threat intel tool checking for this should have raised an alarm.
If we look at the communicating files in VirusTotal, we can see that the first submitted file associated with this domain was on January 5th, 2020 [1] and the latest one on May 28th, 2020 [2].
[1] virustotal.com/gui/file/8195a…
[2] virustotal.com/gui/file/89941…
Not surprising, but a little sad, is that the first time this malware was submitted the detections were 19/60, and when the latest sample was submitted they were only slightly better at 25/63. I guess we can do better on the detection side.
Well, that's all. If you made it this far, I hope you learned something new or enjoyed the thread. EOM.
Also thanks to @benkow_ for sharing the malware sample in the first place. ❤️
Thread by _Veronica_