This article discusses an analysis of network traffic captured during a Koi Loader/Koi Stealer malware incident. Utilizing tools such as TShark and Wireshark, the author examines the captured PCAP file to identify indicators of compromise (IoCs) and malicious traffic patterns. The findings reveal suspicious HTTP requests and notable file activities, suggesting the presence of advanced threats and potential data exfiltration. Affected: Koi Loader, Koi Stealer, network environments.
Key points:
- The analysis focuses on a recent PCAP file related to Koi Loader and Koi Stealer.
- Tools used include TShark, Wireshark, and Malwoverview for examination of the traffic.
- The triage process provides insights into the protocols, packet details, and local IPs.
- Significant HTTP traffic directed to an IP address indicates potential malicious activity.
- Repeated patterns in the HTTP requests could signify automated scripts or data exfiltration.
- Various files analyzed demonstrate sophisticated techniques to bypass security controls.
- Obtained IoCs include IP addresses and malicious file hashes for tracking and mitigation.
MITRE Techniques:
- Execution (T1203) – The malware executes via access to web content (e.g., PHP scripts).
- Exploitation for Client Execution (T1203.001) – Specific web content is accessed to execute malicious scripts.
- Command and Control (T1071) – HTTP requests are sent directly to the IP address to manage the malware.
- Data Exfiltration over Command and Control Protocol (T1041) – Suspicious POST requests indicate potential data being sent to an external server.
Indicators of Compromise:
- [IP Address] 78.142.29.118
- [URL] hxxp://78.142.29.118/wp-content/includes/rhetoriclc.php
- [URL] hxxp://78.142.29.118/wp-content/includes/vilifiescq.php
- [URL] hxxp://78.142.29.118/wp-content/includes/chromiolej6xPS.php
- [SHA256] 2e69bb883e300b3141415c26fbc5d64ce27f0b0c1d9f0536036acb33dd5d64be
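The triage steps summarized above (enumerating local hosts, matching requests against the published IP and URL IoCs, and spotting repeated or regularly spaced POSTs to one endpoint) can be scripted over a TShark field export. The following is an added example written for this summary, not code from the article or its author; the IoC IP and PHP paths are the ones listed above, while the sample export lines, the internal host 10.0.0.25 and the unrelated www.example.com request are constructed for the example, as is the 10% jitter threshold used to call an interval "regular".

```python
"""Triage a tshark HTTP-request field export for Koi Loader style C2 patterns.

Added example, not from the article. Expected input is what
  tshark -r capture.pcap -Y http.request -T fields -E separator=/t \
    -e frame.time_relative -e ip.src -e ip.dst -e http.request.method \
    -e http.host -e http.request.uri
writes to stdout (one tab-separated request per line).
"""
import ipaddress
from collections import Counter, defaultdict
from statistics import mean, pstdev

# IoCs as published in the summary above ("hxxp" defanging dropped because we match
# on the host and path fields, never on a full URL).
IOC_IP = "78.142.29.118"
IOC_PATHS = {
    "/wp-content/includes/rhetoriclc.php",
    "/wp-content/includes/vilifiescq.php",
    "/wp-content/includes/chromiolej6xPS.php",
}

# Constructed sample export. The internal host, timings and the example.com request
# are invented for illustration; only the IoC IP and paths come from the article.
SAMPLE_TSHARK_LINES = """\
1.204\t10.0.0.25\t78.142.29.118\tGET\t78.142.29.118\t/wp-content/includes/rhetoriclc.php
2.831\t10.0.0.25\t78.142.29.118\tGET\t78.142.29.118\t/wp-content/includes/vilifiescq.php
3.5\t10.0.0.25\t78.142.29.118\tPOST\t78.142.29.118\t/wp-content/includes/chromiolej6xPS.php
8.5\t10.0.0.25\t78.142.29.118\tPOST\t78.142.29.118\t/wp-content/includes/chromiolej6xPS.php
13.5\t10.0.0.25\t78.142.29.118\tPOST\t78.142.29.118\t/wp-content/includes/chromiolej6xPS.php
14.002\t10.0.0.25\t93.184.216.34\tGET\twww.example.com\t/index.html
"""


def parse_tshark_fields(text):
    """Parse tab-separated tshark -T fields output into a list of dict records."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6:
            continue  # blank or truncated line: skip instead of aborting the triage
        t, src, dst, method, host, uri = parts
        records.append({"time": float(t), "src": src, "dst": dst,
                        "method": method, "host": host, "uri": uri})
    return records


def local_hosts(records):
    """Private (RFC 1918 etc.) source addresses seen issuing HTTP requests."""
    return {r["src"] for r in records if ipaddress.ip_address(r["src"]).is_private}


def ioc_hits(records):
    """Requests whose destination, Host header or path matches a published IoC."""
    return [r for r in records
            if r["dst"] == IOC_IP or r["host"] == IOC_IP or r["uri"] in IOC_PATHS]


def repeated_requests(records, min_count=2):
    """Count identical (method, dst, uri) tuples; repeated POSTs to one endpoint are
    the exfiltration candidates the article points at."""
    counts = Counter((r["method"], r["dst"], r["uri"]) for r in records)
    return {key: n for key, n in counts.items() if n >= min_count}


def beacon_candidates(records, max_jitter_ratio=0.1):
    """Endpoints contacted at near-constant intervals (pstdev/mean of the gaps
    between requests at or below max_jitter_ratio), a hint of scripted check-ins."""
    times = defaultdict(list)
    for r in records:
        times[(r["dst"], r["uri"])].append(r["time"])
    found = {}
    for key, ts in times.items():
        if len(ts) < 3:
            continue  # need at least two gaps to say anything about regularity
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            found[key] = round(avg, 3)
    return found


def triage(text):
    """Run all checks over one export and return a summary dict."""
    records = parse_tshark_fields(text)
    return {
        "local_hosts": local_hosts(records),
        "ioc_hits": len(ioc_hits(records)),
        "repeated": repeated_requests(records),
        "beacons": beacon_candidates(records),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_TSHARK_LINES).items():
        print(f"{name}: {value}")
```

On the constructed sample the script reports one internal host, five IoC matches, a single repeated (method, destination, path) tuple, and one endpoint hit at a steady 5-second cadence. Matching on both `ip.dst` and `http.host` matters because the article's traffic goes straight to the IP with no domain, so a host-only filter would miss it; the jitter check is a first-pass heuristic, and real samples should be judged alongside the request bodies and sizes before calling anything exfiltration.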