Multi-Stage Malware Analysis (Pushdo & Gozi)
Case 04
Evidence Provided
- One pcap file
Fourth case for the Cyberops course. This time we tackled a "HaiTek Ltd" scenario, investigating a full packet capture from a compromised workstation. The goal was to reconstruct the incident using Security Onion, Wireshark and Kibana.
After importing the pcap, we filtered through the alerts and immediately spotted high-severity indicators for unencrypted binary downloads. We traced the traffic in Wireshark and saw the host grabbing two suspicious executables: trow.exe and wp.exe. This looked like a classic drive-by download or scripted drop rather than a complex exploit.
Almost immediately after the download, the host checked its external IP via OpenDNS and initiated a check-in with a Pushdo C2 server. We also observed encrypted HTTPS traffic to a secondary IP. Since we couldn't decrypt the packet payload, we used JA3 fingerprinting of the TLS ClientHello to identify the client. This confirmed the presence of the Gozi banking trojan running alongside the botnet client.
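To show what the JA3 step above actually computes, here is an added example (not part of the original report or the course material) that parses a TLS ClientHello and derives the JA3 string and MD5 the way Security Onion's sensors do: the record version, cipher suites, extension types, supported groups and point formats, with GREASE values dropped. The ClientHello bytes are constructed inline for the demo, not taken from the case pcap.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3 so randomised clients still match.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

def _u16s(data):
    """Split a byte string into big-endian 16-bit integers."""
    return [struct.unpack(">H", data[i:i + 2])[0] for i in range(0, len(data), 2)]

def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for a raw TLS record that carries a ClientHello."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    hs = record[9:]                                   # handshake body after its 4-byte header
    version = struct.unpack(">H", hs[0:2])[0]
    pos = 2 + 32                                      # skip client_random
    sid_len = hs[pos]; pos += 1 + sid_len             # skip session_id
    cs_len = struct.unpack(">H", hs[pos:pos + 2])[0]; pos += 2
    ciphers = [c for c in _u16s(hs[pos:pos + cs_len]) if c not in GREASE]; pos += cs_len
    comp_len = hs[pos]; pos += 1 + comp_len           # skip compression methods
    ext_len = struct.unpack(">H", hs[pos:pos + 2])[0]; pos += 2
    exts, groups, formats, end = [], [], [], pos + ext_len
    while pos < end:
        etype, elen = struct.unpack(">HH", hs[pos:pos + 4]); pos += 4
        body = hs[pos:pos + elen]; pos += elen
        if etype in GREASE:
            continue
        exts.append(etype)
        if etype == 10:                               # supported_groups: u16 list length + u16 ids
            groups = [g for g in _u16s(body[2:]) if g not in GREASE]
        elif etype == 11:                             # ec_point_formats: u8 list length + u8 ids
            formats = list(body[1:])
    fields = [str(version)] + ["-".join(map(str, x)) for x in (ciphers, exts, groups, formats)]
    ja3 = ",".join(fields)
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def build_sample_client_hello():
    """Constructed sample ClientHello (hypothetical, not from the case capture) with GREASE."""
    ext = struct.pack(">HH", 0x0a0a, 0)                                          # GREASE extension
    ext += struct.pack(">HHH", 10, 6, 4) + struct.pack(">HH", 0x001d, 0x0017)    # x25519, secp256r1
    ext += struct.pack(">HHB", 11, 2, 1) + b"\x00"                               # uncompressed points
    ciphers = struct.pack(">HHHH", 0x0a0a, 0x1301, 0xc02b, 0xc02f)               # GREASE + 3 suites
    body = struct.pack(">H", 0x0303) + b"\x11" * 32 + b"\x00"                    # version, random, sid
    body += struct.pack(">H", len(ciphers)) + ciphers + b"\x01\x00"              # suites, null compress
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

if __name__ == "__main__":
    print(ja3_from_client_hello(build_sample_client_hello()))
```

The resulting MD5 is what you compare against a threat-intel JA3 list; the same client software produces the same hash regardless of which server it talks to, which is why it worked here without decrypting the traffic.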
A really cool find was the malware attempting to connect to a known sinkhole (AnubisNetworks). The server responded with a specific cookie value ("sinkz"), essentially confirming that the threat actor's infrastructure was already being tracked by security researchers. We validated the findings by checking the file hashes in VirusTotal and flagging the C2 IPs in AbuseIPDB.
Overall, this case was excellent practice in multi-stage malware analysis.
You can view the full incident report below. Thanks JJ for the solid teamwork.
