Moloch

Moloch is an open source packet capture and search system that allows analysts and responders to examine large network packet captures. By default, Moloch organizes the packets into the individual sessions contained within the capture. It can be used as a live network monitoring system by capturing traffic and indexing the session metadata into its Elasticsearch back end, from which responders can examine network activity in near real time. Alternatively, offline packet captures can be loaded into Moloch for indexing.

Installation instructions for Moloch can be found at https://molo.ch/#download. Moloch can be installed on a variety of Linux desktop or server platforms. The server option provides larger teams with the ability to share data concerning packet captures as well as to evaluate running captures. Desktop installations are an option for responders that will be handling offline data and who do not need to share the results.

For the purposes of this chapter, Moloch will be used to examine an offline packet capture obtained from Malware Traffic Analysis at https://www.malware-traffic-analysis.net/2019/07/22/index.html. The packet capture needs to be transferred to the Moloch system first. This can be done via any Secure File Transfer Protocol client directly to the Moloch directory: /data/moloch/raw. From here, execute the following command to have Moloch ingest the packet capture:

dfir@ubuntu:~$ /data/moloch/bin/moloch-capture -r /data/moloch/raw/2019-07-22-Amadey-infection-with-Pony-and-Ursnif-and-Cobalt-Strike.pcap

This will read the offline packet capture and process it. Once completed, open a web browser and navigate to the IP address of the server or workstation on port 8005. This will open the Moloch interface, where the following view will appear:

Moloch is a feature-rich platform. The following steps provide an overview of some of the features available in examining offline packet captures:

  1. An examination of the packet capture from the dashboard identifies several different sessions where the internal system at 10.3.13.101 is communicating with external IP addresses. To narrow down the search results to internet traffic over HTTP, the following search query should be entered into the search bar:

  2. A good way to determine the presence of files within a packet capture is to identify the number of packets per session. In this case, click on the down arrow next to the column header, Packets. This will sort the number of packets from largest to smallest:

  3. The far right of the dashboard contains URLs and associated information concerning the sessions. An analysis of the queries thus far has indicated that several executable files, including an executable named a22, appear to have been accessed by the system under analysis:

  4. Moloch provides additional information for the session. In the same session row as the info URL, ectcnepal[.]org/wp-includes/customize/a22.exe, click the green box at the far left. This opens the following:

  5. Further down, under the heading HTTP, is valuable data concerning the connection:

An analysis of this HTTP information indicates that the a22.exe file was downloaded from the site indicated. From here, a responder can use additional tools to extract the file for further analysis.
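As an added illustration (not code from this chapter or from the Moloch project), the following Python reproduces, in miniature, what Moloch does when it sessionizes a capture and what step 2 relies on: packets are grouped into direction-agnostic TCP sessions, any HTTP GET request line is recorded per session, and the sessions are sorted by packet count so that bulky downloads surface first. The pcap is constructed in memory; the host name and external addresses are placeholders, while the a22.exe path is the one discussed above.

```python
import struct
from collections import defaultdict

def build_frame(src, dst, sport, dport, payload=b""):
    """Build one Ethernet/IPv4/TCP frame (constructed sample data, not real traffic)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (LINKTYPE_ETHERNET = 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1563768000 + i, 0, len(f), len(f)) + f
    return out

def sessionize(pcap):
    """Group TCP packets into bidirectional sessions and note any HTTP GET request paths."""
    sessions = defaultdict(lambda: {"packets": 0, "uris": []})
    off = 24  # skip the 24-byte pcap global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        t = 14 + ihl  # start of the TCP header
        sport, dport = struct.unpack_from("!HH", frame, t)
        payload = frame[t + (frame[t + 12] >> 4) * 4:]
        key = tuple(sorted([(src, sport), (dst, dport)]))  # same key for both directions
        sessions[key]["packets"] += 1
        if payload.startswith(b"GET "):
            sessions[key]["uris"].append(payload.split(b"\r\n")[0].split(b" ")[1].decode())
    # Like clicking the Packets column arrow: largest sessions first
    return sorted(sessions.items(), key=lambda kv: kv[1]["packets"], reverse=True)

# Constructed capture: one 41-packet .exe download and one small two-packet exchange
SAMPLE = build_pcap(
    [build_frame("10.3.13.101", "203.0.113.10", 49200, 80,
                 b"GET /wp-includes/customize/a22.exe HTTP/1.1\r\nHost: example.invalid\r\n\r\n")]
    + [build_frame("203.0.113.10", "10.3.13.101", 80, 49200, b"X" * 1400) for _ in range(40)]
    + [build_frame("10.3.13.101", "203.0.113.20", 49201, 80, b"GET / HTTP/1.1\r\n\r\n")]
    + [build_frame("203.0.113.20", "10.3.13.101", 80, 49201, b"<html/>")]
)
```

Running `sessionize(SAMPLE)` lists the 41-packet session carrying the a22.exe request ahead of the two-packet one, which is exactly the ordering that makes file transfers easy to spot in the Moloch dashboard.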

Another feature that is useful with Moloch is the ability to visualize connections. At the top of the Moloch web application is Connections. Click on Connections and the following appears:

Next, let's have a look at the Wireshark tool.
