ANALYSIS TECHNIQUES FOR MALWARES WHICH USE HTTPS
Hello, in this blog post entry I write about malwares which uses https traffic for communication with c2 analysis techniques. We can use Network Miner Wireshark, Fiddler ( very useful tool) for analysing HTTPS traffic for obtaining some IOC. First I have created a meterpreter reverse https payload for compromising the target system in a lab network and opened a http server with python simplehttpserver module for transferring the binary to the analysis machine.
Ok we need to set up a handler for getting back connect via HTTPS protocol so I used exploit multi handler module with HTTPS payload;
In the next step I downloaded the binary with simple powershell code to Win10 analysis machine and execute the binary for traffic analysis;
I filtered the SSL traffic in Wireshark as you see that the traffic is SSL because 4 way handshake proof it. I saved the malware traffic for analysis.
I open the new pcap file with network miner like this way;
I examined and investigated self signed certificate issuer and CN information;
From CN part and finger print of the self sign certificate I have obtained some IOCs. Fiddler is very good tool for analysis malware https traffic. You can use BurpSuite ( is a Great tool ) but you need generate self sign certificate and import it to your system instead of this I prefer Fiddler for this case in Win 10 analysis machine;
As you see that we can display the whole of the URL and we can intercept the HTTPS traffic with Fiddler.
When we inspect the traffic we can see MZ header so thats mean a binary was transferred through traffic or an shellcode was been sended. So it’s an important detail for us.
When we disassembled the malicious file with Ghydra we can see some windows API like connect wsock32 API and more. I go to connect function address for analysis;
It starts with prelog from from 406840 to 406849. In 40684a address 3. parameter is moved to EBX and then ESI and EDI has been pushed the stack higly likely string operations. [EBX+4] kept and function variable on the stack and it is moved to eax. If eax value -0x1 program flow jump to LAB_4069ef otherwise it goes on its normal execution routine. This operation can check the error state. In 406872 WSOCK32.DLL is called. In x64dbg we can put a breakpoint for this API but this blog post normally is not about reverse enginnering so we can talk abaout reversing this binary in the following blogpost. When I jump to another address I see user agent is ApacheBench, it is another IOC for me.
Thank u for reading, See u…
