CWSandbox Offers Pcaps
Thanks to Thorsten Holz for pointing out that the latest online CWSandbox provides network traffic in Libpcap format for recently submitted malware samples.
I decided to give this feature a try, so I searched the Spam folder for one of my Gmail accounts. I found a suitable "Watch yourserlf in this video man)" email from 10 hours ago and followed the link. I was quickly reminded by Firefox 3 that visiting this site was a Bad Idea.
It took me a little while to navigate past my NoScript and Firefox 3 warnings to get to a point where I could actually hurt myself.
After downloading the "viewer.exe" file, I uploaded it to CWSandbox. That site told me:
The sample you have submitted has already been analysed. Please see the sample detail page for further information.
If you visit that page you'll find a PCAP link.
I took a quick look at the file with Argus and filtered out port 1900 traffic.
Here's a list of HTTP requests as filtered by Tshark.
Kudos to CWSandbox for adding this capability.
I decided to give this feature a try, so I searched the Spam folder for one of my Gmail accounts. I found a suitable "Watch yourserlf in this video man)" email from 10 hours ago and followed the link. I was quickly reminded by Firefox 3 that visiting this site was a Bad Idea.
It took me a little while to navigate past my NoScript and Firefox 3 warnings to get to a point where I could actually hurt myself.
After downloading the "viewer.exe" file, I uploaded it to CWSandbox. That site told me:
The sample you have submitted has already been analysed. Please see the sample detail page for further information.
If you visit that page you'll find a PCAP link.
I took a quick look at the file with Argus and filtered out port 1900 traffic.
$ argus -r analysis_612050.pcap -w analysis_612050.pcap.arg
$ ra -n -r analysis_612050.pcap.arg - not port 1900
23:23:57.745266 e igmp 10.1.7.2 -> 0.0.0.1 2 108 INT
23:23:59.079832 e tcp 74.213.167.192.80 10.1.7.2.1361 2 114 RST
23:23:59.735571 e tcp 10.1.7.2.1037 -> 79.135.167.18.80 78 67219 RST
23:23:59.757777 e tcp 10.1.7.2.1038 -> 79.135.167.18.80 116 101525 RST
23:24:00.103663 e tcp 74.213.167.192.80 10.1.7.2.56963 2 319 RST
23:24:08.147828 e tcp 74.213.167.192.80 10.1.7.2.26155 2 319 RST
23:24:13.463815 e tcp 74.213.167.192.80 10.1.7.2.54775 4 427 RST
23:24:16.556555 e tcp 66.232.105.102.80 10.1.7.2.35029 3 168 RST
23:24:18.791427 e tcp 74.213.167.192.80 10.1.7.2.33765 5 481 RST
23:24:26.456790 e udp 10.1.7.2.61548 <-> 10.1.7.1.53 2 250 CON
23:24:26.458842 e tcp 10.1.7.2.1042 -> 91.203.93.49.80 26 17295 FIN
23:24:26.600712 e tcp 10.1.7.2.1044 -> 91.203.93.49.80 10 1544 FIN
23:24:26.743598 e tcp 10.1.7.2.1045 -> 91.203.93.49.80 10 2099 FIN
23:24:26.854732 e tcp 10.1.7.2.1046 -> 91.203.93.49.80 10 1284 FIN
23:24:26.965697 e tcp 10.1.7.2.1047 -> 91.203.93.49.80 10 1545 FIN
23:24:27.070573 e tcp 10.1.7.2.1048 -> 91.203.93.49.80 14 6828 FIN
23:24:27.180786 e tcp 10.1.7.2.1049 -> 91.203.93.49.80 26 18334 FIN
23:24:27.310872 e tcp 10.1.7.2.1050 -> 91.203.93.49.80 12 4822 FIN
23:24:27.422057 e tcp 10.1.7.2.1051 -> 91.203.93.49.80 14 7415 FIN
23:24:27.527325 e tcp 10.1.7.2.1052 -> 91.203.93.49.80 11 3078 FIN
Here's a list of HTTP requests as filtered by Tshark.
$ tshark -n -r analysis_612050.pcap -R 'http.request == true and tcp.dstport != 1900'
11 2.097490 10.1.7.2 -> 79.135.167.18 HTTP GET /scan.exe HTTP/1.1
12 2.097563 10.1.7.2 -> 79.135.167.18 HTTP GET /cgi-bin/index.cgi?test7 HTTP/1.1
29 2.212609 10.1.7.2 -> 79.135.167.18 HTTP GET /g.exe\330 HTTP/1.1
36 2.266404 10.1.7.2 -> 79.135.167.18 HTTP GET /l.exe HTTP/1.1
119 2.475539 10.1.7.2 -> 79.135.167.18 HTTP GET /g.exe\330 HTTP/1.1
186 3.308669 10.1.7.2 -> 79.135.167.18 HTTP GET /g.exe\330 HTTP/1.1
188 3.390001 10.1.7.2 -> 79.135.167.18 HTTP GET /g.exe\330 HTTP/1.1
230 28.765013 10.1.7.2 -> 91.203.93.49 HTTP GET /bild15_biz.php?NN=a119 HTTP/1.1
256 28.906713 10.1.7.2 -> 91.203.93.49 HTTP GET /adult.txt HTTP/1.1
266 29.049951 10.1.7.2 -> 91.203.93.49 HTTP GET /pharma.txt HTTP/1.1
276 29.160854 10.1.7.2 -> 91.203.93.49 HTTP GET /finance.txt HTTP/1.1
286 29.271530 10.1.7.2 -> 91.203.93.49 HTTP GET /other.txt HTTP/1.1
296 29.376465 10.1.7.2 -> 91.203.93.49 HTTP GET /promo/aol.com-error.html HTTP/1.1
310 29.486416 10.1.7.2 -> 91.203.93.49 HTTP GET /promo/gmail.com-error.html HTTP/1.1
336 29.616847 10.1.7.2 -> 91.203.93.49 HTTP GET /promo/google.com-error.html HTTP/1.1
348 29.727475 10.1.7.2 -> 91.203.93.49 HTTP GET /promo/live.com-error.html HTTP/1.1
362 29.832947 10.1.7.2 -> 91.203.93.49 HTTP GET /promo/search.yahoo.com-error.html HTTP/1.1
Kudos to CWSandbox for adding this capability.
Comments
Anyone know why the Argus output seems to have the source and destination mixed up with the early RST traffic? For example:
23:24:00.103663 e tcp 74.213.167.192.80 10.1.7.2.56963 2 319 RST
Wireshark seems to show 10.1.7.2 as the source, which makes sense.
u have a great work frnd.
keep it up
I'll add this pcap file link to my list of publicly available pcap files.
Thanks for the find Richard!