Monday, December 1, 2014

Detailed analysis of an ADP Invoice Phishing Attempt - Wireshark Analysis

In this 6 part series, we will analyze a recent phishing attempt through an email which was sent to me. In post 1, we looked at the email. In this the second post we look at the packet capture and try to analyze it to see what we can learn



Analyzing the Wireshark capture
As we look at the capture we see the following:
1.            A TCP connection was made to 50.87.164.13 on port 80
2.            In packet 4 a "GET" request was made for "/services/invoice1211.php"
3.            Packet 9 shows the server responding with Status "200 OK"

Analyzing the response from the server
1.            The server says Apache. However, I don't see any version information. Maybe this header was crafted.
2.            Content-length states that 2148 bytes were downloaded
3.            Looking into the file which was downloaded we see some Ajax script. The point of interest to me was the image below. This suggest it is looking at my browser before it makes further decision. When I first looked at this I was thinking this would have been an exploit kit. I was wrong. I said I was wrong because at least with an exploit kit, I was expecting it to try to exploit my browser not try to get me to download a file.


Analyzing the "POST" method
1.            A few packets later, we see another connection setup
2.            This time the HTTP method was "POST"
4.            In packet 21 we see what looks like we downloaded a "GIF" image. I find this interesting since no images were seen on the page when the link was clicked.
5.            If we remember in the previous "GET" request the get_params had some variables. If we look below, we can see those variables filling out




Additional Analysis of the PCAP


1.            As we move through the capture we see a file named "invoice1211_pdf82.zip" which was downloaded.

2.            The file size was 10870 bytes


In the third post, we will perform some basic static analysis of the file "invoice1211_pdf82.zip" which was downloaded.


.pcap and .zip files from my analysis. Please note, in no way am I responsible for any damage caused to your computer and or other devices as a result of using these files.
adp.pcap - 4cfd352a3c890873d20a33d35fffed25  
invoice1211_pdf82.zip - 05fc7646cf11b6e7fb124782daf9fb53 

References:
Wireshark

No comments:

Post a Comment