Today's diary is a traffic analysis quiz where you try to identify the malware based on a pcap of traffic from an infected Windows host. Download the pcap from this page, which also has the alerts. Don't open or review the alerts yet, because they give away the answer. Meanwhile, I'll provide the requirements for this quiz and some background on the infection.

Shown above: Screenshot of the pcap for this quiz opened in Wireshark.

This type of analysis requires Wireshark. Wireshark is my tool of choice to review packet captures (pcaps) of infection activity. However, Wireshark's default settings are not optimized for web-based malware traffic. That's why I encourage people to customize Wireshark after installing it. To help, I've written a series of tutorials:

- Customizing Wireshark - Changing Your Column Display
- Using Wireshark - Display Filter Expressions
- Using Wireshark - Exporting Objects from a Pcap

Another requirement: use a non-Windows environment like BSD, Linux, or macOS. Why? Because this pcap contains HTTP traffic sending Windows-based malware. If you're using a Windows host to review the pcap, your antivirus (or Windows Defender) may delete the pcap or the malware. Worst case? If you extract the malware from the pcap and accidentally run it, you might infect your Windows computer. So if you're new to this type of analysis, beware.

This infection was caused by a malicious Excel spreadsheet. It has macros designed to infect a vulnerable Windows host, so I infected one in my lab. Default settings in recent versions of Microsoft Office would prevent these types of macros from causing an infection. This method is much more effective against older versions of Windows like Windows 7.

Shown above: Screenshot of the spreadsheet used for this infection.

Enabling macros on this spreadsheet caused my vulnerable host to download a malicious Windows executable (EXE) and save it as C:\Users\Public\svchost32.exe, where it was initially run.

Shown above: The initial location of the malicious EXE on my infected lab host.

After a minute or two, the malware was deleted from C:\Users\Public\svchost32.exe and saved under a randomly-named directory under C:\Program Files (x86)\ using a random file name. The directory and new file name are different for each infection. The malware was made persistent through an update to the Windows registry, as shown below.

Shown above: Windows registry update and location of the persistent malware on my infected host.

This method is used by different families of malware:

- Victim receives a malicious Microsoft Office document (usually an Excel spreadsheet or Word document).
- Victim enables macros on a vulnerable Windows host.
- Vulnerable Windows host retrieves a Windows EXE or DLL through web-based traffic.
- The EXE or DLL infects the vulnerable Windows host and is made persistent.

Fortunately, this chain is rarely effective against an up-to-date version of Windows with default security settings.

Shown above: Warning message I initially saw on my lab host. In this case, Microsoft Office would not run the macro unless I disabled some key security functions.
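As an added example (not part of this diary), the following Python does by hand what Wireshark's Export Objects does for the HTTP traffic that delivers the EXE: it walks a libpcap file, reassembles each TCP direction, and reports the SHA256 and server address of any response body that starts with the 'MZ' executable magic, so the hash can be compared against the alerts without ever running the file. It assumes Ethernet/IPv4 framing with in-order, lossless segments; the capture and its 64-byte 'MZ' stand-in body are constructed here, not taken from the quiz pcap.

```python
import hashlib
import struct
from collections import defaultdict

def tcp_payloads(pcap_bytes):
    """Yield (stream_key, payload) for each TCP segment in a libpcap Ethernet/IPv4 capture."""
    endian = "<" if pcap_bytes[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    off = 24                                             # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                     # not IPv4-over-Ethernet carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + ip_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (frame[26:30], sport, frame[30:34], dport), tcp[(tcp[12] >> 4) * 4:]

def extract_http_executables(pcap_bytes):
    """Reassemble each TCP direction in capture order (assumes no loss or reordering) and
    return {sha256: (server_ip:port, body_length)} for HTTP response bodies starting with 'MZ'."""
    streams = defaultdict(bytes)
    for key, payload in tcp_payloads(pcap_bytes):
        streams[key] += payload
    found = {}
    for (src, sport, _, _), data in streams.items():
        pos = data.find(b"HTTP/1.")
        while pos >= 0 and (hdr_end := data.find(b"\r\n\r\n", pos)) >= 0:
            headers = data[pos:hdr_end].decode("latin-1").lower().split("\r\n")
            length = next((int(h.split(":", 1)[1]) for h in headers if h.startswith("content-length:")), 0)
            body = data[hdr_end + 4:hdr_end + 4 + length]
            if body[:2] == b"MZ":                        # DOS/PE magic: a Windows EXE or DLL
                found[hashlib.sha256(body).hexdigest()] = ("%d.%d.%d.%d:%d" % (*src, sport), len(body))
            pos = data.find(b"HTTP/1.", hdr_end + 4 + length)
    return found

def build_sample_pcap(response):
    """Constructed capture (not real traffic): one HTTP response from 10.0.0.2:80 split over two segments."""
    def frame(payload):
        tcp = struct.pack("!HHIIBBHHH", 80, 49152, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
        pkt = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
        return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # pcap v2.4, LINKTYPE_ETHERNET
    half = len(response) // 2
    return header + frame(response[:half]) + frame(response[half:])

# Constructed sample: a 64-byte stand-in body carrying only the 'MZ' magic, not a real executable.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                   b"Content-Length: 64\r\n\r\n" + b"MZ" + b"\x90" * 62)
```

Running `extract_http_executables(build_sample_pcap(SAMPLE_RESPONSE))` returns one entry keyed by the body's SHA256 with the value ("10.0.0.2:80", 64); on a real capture, pass the pcap's bytes and compare the keys with the hashes in the alerts.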