Splunk vs. Neris Botnet
Neris Botnet
A botnet is a network of compromised computers that communicate with a central command-and-control (C&C) server, in this case over HTTP. Neris botnets are known to distribute malicious .exe files to infect new hosts. When reviewing the HTTP content type it is important to look for 'application/octet-stream', which indicates the transfer of binary data. You may also see a text file being fetched, probably because it carries configuration or instructions for the malware.
Q1 Unusual patterns of activity were observed in Suricata logs. One external IP initiated access and was found downloading a suspicious executable file. What is the IP address from which this unauthorized access originated?
- Eventtype: this field groups similar events together based on a saved search pattern. It lets you search for a specific type of event with a low chance of altering the raw data, which is a risk when writing complex search queries by hand each time. In this lab, the eventtype suricata_eve_ids_attack seems to be a good option.
- Statistics: this tab is used to perform quantitative analysis on data, summarizing large datasets in values such as averages, sums, counts, and more. There are multiple fields; in your query, pick the ones that are most applicable.
- Src_ip = 195.88.191.59
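The eventtype-plus-statistics approach above, carried out as an added Python example (not part of the original write-up and not Splunk code) over a few constructed Suricata eve.json lines: it keeps only HTTP events, flags binary downloads by content type or file extension, and counts them per serving IP, which is the same aggregation a `| stats count by src_ip` query performs in Splunk. The eve.json field layout, the victim address 10.0.2.15 and the 192.0.2.x background hosts are assumptions; the attacker IP and C&C domain are the values reported in the answers above.

```python
import json
from collections import Counter

# Constructed Suricata eve.json HTTP events for this example (not the lab's
# dataset). 195.88.191.59 and nocomcom.com are the values the write-up
# reports; 10.0.2.15 (the victim) and the 192.0.2.x addresses are made up
# from RFC 5737 documentation ranges to act as benign background traffic.
# Field names follow Suricata's eve.json "http" layout (assumed).
EVE_LINES = [
    '{"event_type":"http","src_ip":"195.88.191.59","dest_ip":"10.0.2.15","http":{"hostname":"nocomcom.com","url":"/temp/a.exe","http_method":"GET","http_content_type":"application/octet-stream","status":200}}',
    '{"event_type":"http","src_ip":"195.88.191.59","dest_ip":"10.0.2.15","http":{"hostname":"nocomcom.com","url":"/temp/b.exe","http_method":"GET","http_content_type":"application/octet-stream","status":200}}',
    '{"event_type":"http","src_ip":"195.88.191.59","dest_ip":"10.0.2.15","http":{"hostname":"nocomcom.com","url":"/temp/c.txt","http_method":"GET","http_content_type":"text/plain","status":200}}',
    '{"event_type":"http","src_ip":"195.88.191.59","dest_ip":"10.0.2.15","http":{"hostname":"nocomcom.com","url":"/temp/d.exe","http_method":"GET","http_content_type":"application/octet-stream","status":200}}',
    '{"event_type":"http","src_ip":"192.0.2.10","dest_ip":"10.0.2.15","http":{"hostname":"www.example.com","url":"/index.html","http_method":"GET","http_content_type":"text/html","status":200}}',
    '{"event_type":"http","src_ip":"192.0.2.11","dest_ip":"10.0.2.15","http":{"hostname":"www.example.com","url":"/logo.png","http_method":"GET","http_content_type":"image/png","status":200}}',
    '{"event_type":"dns","src_ip":"10.0.2.15","dest_ip":"192.0.2.53"}',
    'this line is not JSON and must be skipped',
]

# Content types and extensions that mark a download as binary/executable.
BINARY_TYPES = ("application/octet-stream", "application/x-msdownload", "application/x-dosexec")
EXEC_EXTENSIONS = (".exe", ".dll", ".scr")


def parse_eve(lines):
    """Parse eve.json lines, keeping only well-formed HTTP events."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip rather than abort the search
        if ev.get("event_type") == "http":
            events.append(ev)
    return events


def is_binary_download(ev):
    """Successful GET whose body is binary or whose path names an executable."""
    http = ev.get("http", {})
    ctype = http.get("http_content_type", "").lower()
    url = http.get("url", "").lower()
    return (http.get("http_method") == "GET" and http.get("status") == 200
            and (ctype.startswith(BINARY_TYPES) or url.endswith(EXEC_EXTENSIONS)))


def downloads_by_source(events):
    """Equivalent of '| stats count by src_ip' restricted to binary downloads."""
    return Counter(ev["src_ip"] for ev in events if is_binary_download(ev))


def downloads_by_source_and_host(events):
    """Equivalent of '| stats count by src_ip, http.hostname'."""
    return Counter((ev["src_ip"], ev["http"].get("hostname", ""))
                   for ev in events if is_binary_download(ev))


def top_source(events):
    """The IP that served the most binary downloads (Q1)."""
    counts = downloads_by_source(events)
    return counts.most_common(1)[0][0] if counts else None


def targeted_hosts(events):
    """Internal hosts that received a binary download (Q3)."""
    return sorted({ev["dest_ip"] for ev in events if is_binary_download(ev)})


if __name__ == "__main__":
    evs = parse_eve(EVE_LINES)
    for (ip, host), n in downloads_by_source_and_host(evs).most_common():
        print(f"{ip:16} {host:20} {n}")
    print("top source:", top_source(evs), "targets:", targeted_hosts(evs))
```

The text/plain fetch from the same server is deliberately not counted as a binary download; it shows up only when you widen the filter, which is the point of pivoting on content type first and then on the hostname.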
Q2 What is the domain name of the attacker server?
- Domain: nocomcom.com, found in the previous values under HTTP hostname; this is also known as the Command & Control domain in this scenario.
Note: this domain is identified as the source from which the malware is downloaded, marking the beginning of the initial attack. The victim hosts would essentially be communicating back and forth with this server.
- GET: retrieves data from a server.
- POST: submits data to a server to create or update a resource.
- PUT: updates a resource with the request payload.
- DELETE: removes a specific resource from the server.
- HEAD: retrieves only the metadata (headers) for a resource.
- OPTIONS: describes the communication options for the resource.
- PATCH: applies partial modifications to a resource.
- CONNECT: establishes a tunnel to a server.
- TRACE: used for diagnostic purposes, such as testing the path to a resource.
Q3 What is the IP address of the targeted system in this breach?
Q4 Identify the unique files downloaded to the compromised host. How many of these files could be potentially malicious?
Answer: all 5. Why? .exe files are typically executable programs, which are common payloads for malware distribution, especially when you see them in the /temp directory. The .txt file counts as well: it appears less suspicious, which helps botnets evade detection by automated systems.
Q5 What is the SHA256 hash of the malicious file disguised as a .txt file?
- VirusTotal is a tool used for threat detection and investigation. You can upload suspicious files to VirusTotal to check for malware; it runs the sample past multiple antivirus engines to see whether there are any reports on the sample's behavior and potential issues. It also offers URL and domain scanning and IP address reputation lookups, and it can be integrated into other tools through an API to streamline the investigation process and improve the overall security posture.
SHA256 hash: 6fbc4d506f4d4e0a64ca09fd826408d3103c1a258c370553583a07a4cb9a6530