Graphing Suspicious URL Relationships
You can now reconstruct previous browsing activity from the HTTP requests captured by a simple sniffer and find out what the computer really downloaded while visiting certain websites. For this you can use one of the previously mentioned utilities, such as Wireshark, tshark or tcpdump.
Next, for a fast and clear result, you can also consider jsunpack-n to graph URL relationships in packet captures and determine the steps that led to a compromise. jsunpack-n emulates browser functionality when visiting a URL. Its purpose is to detect exploits that target browser and browser plug-in vulnerabilities. It accepts many different types of input:
- PDF files – samples/sample-pdf.file
- Packet Captures – samples/sample-http-exploit.pcap
- HTML files
- SWF files
This project contains the source code which runs at the website http://jsunpack.jeek.org/. Users can upload files, or enter script contents and URLs to decode. If you choose to install jsunpack-n on your own system, you can run it with the following command to fetch and decode a URL:
$ ./jsunpackn.py -u URL
Optionally, you can specify the -a option, which fetches further decoded URLs or paths. If you wish to decode a local file instead, you can simply run:
$ ./jsunpackn.py samples/sample-pdf.file
As a result, you get a graph that describes the real URL relationships.
You can use the tool to produce a quick and clear graph report of the domains involved.
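One way to derive such a graph by hand from sniffed HTTP headers, using the Referer of each request and the Location of each redirect (an added example, not jsunpack-n's own code or output). The transactions, the example.test host names and the function names are constructed for illustration.

```python
from urllib.parse import urljoin

SAMPLE = [  # constructed (request head, response head) pairs, not from a real capture
    ("GET /news.html HTTP/1.1\r\nHost: blog.example.test\r\n\r\n", "HTTP/1.1 200 OK\r\n\r\n"),
    ("GET /ads/frame.js HTTP/1.1\r\nHost: ads.example.test\r\n"
     "Referer: http://blog.example.test/news.html\r\n\r\n",
     "HTTP/1.1 302 Found\r\nLocation: http://gate.example.test/in.php?id=7\r\n\r\n"),
    ("GET /in.php?id=7 HTTP/1.1\r\nHost: gate.example.test\r\n"
     "Referer: http://blog.example.test/news.html\r\n\r\n", "HTTP/1.1 200 OK\r\n\r\n"),
    ("GET /files/doc.pdf HTTP/1.1\r\nHost: cdn.example.test\r\n"
     "Referer: http://gate.example.test/in.php?id=7\r\n\r\n", "HTTP/1.1 200 OK\r\n\r\n"),
]

def headers(head):
    """Split one HTTP head into (first line, {lowercased header name: value})."""
    first, *rest = head.strip().split("\r\n")
    fields = (line.split(":", 1) for line in rest if ":" in line)
    return first, {name.strip().lower(): value.strip() for name, value in fields}

def build_parents(transactions):
    """Map each URL to (parent URL, edge kind), where kind is referer or redirect."""
    parents = {}
    for req, resp in transactions:
        req_line, req_h = headers(req)
        status_line, resp_h = headers(resp)
        url = "http://" + req_h.get("host", "unknown") + req_line.split()[1]
        if "referer" in req_h:  # a redirected request keeps the old Referer, so
            parents.setdefault(url, (req_h["referer"], "referer"))  # keep a redirect edge
        if status_line.split()[1].startswith("3") and "location" in resp_h:
            parents[urljoin(url, resp_h["location"])] = (url, "redirect")
    return parents

def chain(parents, url):
    """Walk back from a fetched URL to the first page of the visit (loop-safe)."""
    path = [url]
    while path[-1] in parents and parents[path[-1]][0] not in path:
        path.append(parents[path[-1]][0])
    return path[::-1]

def to_dot(parents):
    """Render the edges as Graphviz DOT text."""
    edges = ['  "%s" -> "%s" [label="%s"];' % (parent, child, kind)
             for child, (parent, kind) in sorted(parents.items())]
    return "digraph urls {\n" + "\n".join(edges) + "\n}"

if __name__ == "__main__":
    graph = build_parents(SAMPLE)
    print(to_dot(graph))
    print(" -> ".join(chain(graph, "http://cdn.example.test/files/doc.pdf")))
```

The DOT text can be rendered with Graphviz; the printed chain lists the pages in the order that led to the final download.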
Malware Analyst’s Cookbook: http://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033