Scenario:
An accountant at your organization received an email regarding an invoice with a download link. Suspicious network traffic was observed shortly after opening the email. As a SOC analyst, investigate the network trace and analyze exfiltration attempts.
Tools:
Wireshark
Brim Security
A-Packets
Questions:
#1 How many packets does the capture have?
We start off by opening our pcap file. The easy way to answer this question would be to scroll to the bottom and view the last packet. However, we can also open Statistics >> Capture File Properties, where we see the total count is 4003.
#2 At what time was the first packet captured?
As the question asks for UTC time, we have to change our time display format to UTC in order to read the first packet's timestamp: 20:37:07.
#3 What is the duration of the capture?
Looking in Brim Security, we can see our time frame at the top and calculate the length of the packet capture: 1:03:41.
#4 What is the most active computer at the link level?
This information can be found in both Wireshark and A-Packets. In A-Packets, we can view it under the Ethernet tab, where we see that 00:08:02:1c:47:ae has communicated with the most endpoints.
In Wireshark, we can find this information by navigating to Statistics >> Ethernet.
#5 Manufacturer of the NIC of the most active system at the link level?
This was found in A-Packets quite easily under the Ethernet section: Hewlett-Packard Company.
Within Wireshark, I added our MAC address as the eth.addr filter and looked at any packet at the link layer. This is represented as Ethernet II in the Wireshark network stack.
#6 Where is the headquarter of the company that manufactured the NIC of the most active computer at the link level?
For this challenge we can use a MAC address lookup and research the company name, which we already know to be Hewlett-Packard.
#7 The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?
From within Wireshark we can find this information under Statistics --> IPv4. At first I thought the answer was 4, but it dawned on me that perhaps the broadcast address is not counted. Sure enough, 3 was the answer for devices within the private /24 network.
#8 What is the name of the most active computer at the network level?
Given that we have identified not only the IP address but also the MAC address of the host we believe to be the most involved, we can look for a DHCP Inform record. This will have the host information provided within the packet as a part of the IP address assignment process and protocol: BEIJING-5CD1-PC.
#9 What is the IP of the organization's DNS server?
We can see this in A-Packets under the DNS tab, or in Wireshark by filtering for DNS: 10.4.10.4.
#10 What domain is the victim asking about in packet 204?
We can look under the DNS queries section of packet 204 where we see the domain name proforma-invoices.com.
#11 What is the IP of the domain in the previous question?
We can look at the connection information in A-Packets to find 217.182.138.150.
#12 Indicate the country to which the IP in the previous section belongs.
Based on the previous photo we can see the country flag is France. Alternatively we would look this up to determine what country this IP block is assigned to.
#13 What operating system does the victim's computer run?
For this question, I looked at HTTP traffic to our target server and checked the User-Agent header and found Windows NT 6.1.
#14 What is the name of the malicious file downloaded by the accountant?
Looking in A-Packets, I figured we just have to look for HTTP GET requests, and sure enough we see tkraw_protection99.exe.
In Wireshark, we can also find this by simply filtering for all HTTP GET traffic.
#15 What is the md5 hash of the downloaded file?
This can quickly be found by carving the file from Wireshark via File >> Export Objects >> HTTP. By uploading the file to VirusTotal we are provided the hash. Alternatively, we can run md5sum locally on Linux: 71826ba081e303866ce2a2534491a2f7
#16 What is the name of the malware according to Malwarebytes?
We determine the observed name provided by Malwarebytes from the Detections tab in VirusTotal.
#17 What software runs the webserver that hosts the malware?
We can find this within A-Packets by navigating to the network tab and selecting our target web server. Alternatively, in Wireshark we can follow the HTTP stream and view the response, where the server type is identified as LiteSpeed.
#18 What is the public IP of the victim's computer?
By looking for DNS queries to bot.whatismyipaddress.com we find the IP address 66.171.248.178. From here we filter for traffic with this IP address. We find an HTTP request with text data showing us an IP address that proves correct: 173.66.146.112.
#19 In which country is the email server to which the stolen information is sent?
A quick IP lookup reveals our answer is the United States.
#20 What is the domain's creation date to which the information is exfiltrated?
From here I took a step back to look at the big picture and determine exfiltration means. Well, SMTP is a pretty rich protocol for sending information halfway around the world. So I followed the unencrypted TCP stream of the SMTP protocol and found base64 content which we can only assume is the email decoded for TCP/IP data transfer. So taking this base64 payload we add it to CyberChef and confirm the contents are credentials, and thus we assume the domain associated with the SMTP server to be our target: macwinlogistics.in (23.229.162.69), creation date 2014-02-08.
#21 Analyzing the first extraction of information. What software runs the email server to which the stolen data is sent?
Looking at the header for our SMTP packets we can see the identified email server. Exim 4.91.
#22 To which email account is the stolen information sent?
Further down in the SMTP packet we can see the email used.
#23 What is the password used by the malware to send the email?
Looking at the SMTP packet again we can see the initial AUTH attempt, where there is base64 data. Decoding this data in CyberChef provides us with the password.
#24 Which malware variant exfiltrated the data?
Extracting the subject field of the SMTP packet provides us with this information after we utilize base64 to decode this data.
Reborn v9
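The base64 decoding done by hand in CyberChef on the SMTP stream (the AUTH exchange, the subject and the message body) can be scripted. The Python below is an added example, not part of the original write-up; it assumes the stream was saved as text from Wireshark's Follow TCP Stream, and the function names and the constructed sample (placeholder host, account and credentials) are illustrative.

```python
import base64
import re
from email import message_from_string
from email.header import decode_header, make_header

def b64(text):
    return base64.b64encode(text.encode()).decode()
def unb64(text):
    return base64.b64decode(text).decode("utf-8", "replace")

def parse_smtp_stream(stream):
    """Recover AUTH LOGIN credentials, recipients and the decoded message."""
    lines = stream.replace("\r\n", "\n").split("\n")
    out = {"user": None, "password": None, "rcpt": [], "subject": None, "body": None}
    pending, i = None, 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if re.match(r"\d{3}[ -]", line):               # server reply
            if line.startswith("334 "):                # base64 "Username:" / "Password:"
                pending = "user" if "user" in unb64(line[4:]).lower() else "password"
        elif m := re.match(r"AUTH LOGIN (\S+)$", line, re.I):
            out["user"] = unb64(m.group(1))            # initial-response form
        elif pending:                                  # client answer to a 334 prompt
            out[pending], pending = unb64(line), None
        elif m := re.match(r"RCPT TO:\s*<([^>]*)>", line, re.I):
            out["rcpt"].append(m.group(1))
        elif line.upper() == "DATA":
            if i < len(lines) and lines[i].startswith("354"):
                i += 1                                 # skip the server's go-ahead
            end = lines.index(".", i) if "." in lines[i:] else len(lines)
            raw = "\n".join(ln[1:] if ln.startswith("..") else ln for ln in lines[i:end])
            msg, i = message_from_string(raw), end + 1
            out["subject"] = str(make_header(decode_header(msg["Subject"] or "")))
            out["body"] = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    return out

# Constructed stream text; every host, account and credential is a placeholder.
SAMPLE_STREAM = "\r\n".join([
    "220 mail.example.test ESMTP Exim 4.91 ready",
    "AUTH login " + b64("drop@example.test"), "334 " + b64("Password:"),
    b64("placeholder-pass"), "235 Authentication succeeded",
    "RCPT TO:<drop@example.test>", "250 Accepted", "DATA", "354 go ahead",
    "Subject: =?utf-8?B?" + b64("Report: user / WORKSTATION-PC") + "?=",
    "Content-Transfer-Encoding: base64", "",
    b64("URL: https://bank.example.test\nUser: alice\nPass: not-a-real-pass\n"),
    ".", "250 OK id=constructed", "QUIT"])

if __name__ == "__main__":
    print(parse_smtp_stream(SAMPLE_STREAM))
```

The parser handles both the `AUTH LOGIN` form with separate 334 prompts and the form that carries the username on the AUTH line, and it tolerates a capture that ends before the closing dot of the message.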
#25 What are the bankofamerica access credentials? (username:password)
We revisit the email decoded from base64.
#26 Every how many minutes does the collected data get exfiltrated?
For this question we search the SMTP packets and see a 10-minute repeating pattern.
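The repeating pattern can be checked numerically rather than by eye. This added example (not from the original write-up) takes SMTP session start times per destination and reports the median gap in minutes; the input format, function name and timestamps are constructed for illustration, with 23.229.162.69 taken from the answer to #20 and 198.51.100.7 a documentation address.

```python
from collections import defaultdict
from statistics import median

# Constructed export: "<epoch seconds> <destination IP>" per SMTP session start.
SAMPLE_ROWS = """\
1000000000.10 23.229.162.69
1000000601.45 23.229.162.69
1000001199.80 23.229.162.69
1000001802.20 23.229.162.69
1000002400.05 23.229.162.69
1000000030.00 198.51.100.7
1000000095.00 198.51.100.7
1000001900.00 198.51.100.7
1000002000.00 198.51.100.7
"""

def beacon_intervals(rows, min_sessions=4, tolerance=0.1):
    """Return {dst: (median_gap_minutes, periodic)} per destination."""
    by_dst = defaultdict(list)
    for row in rows.splitlines():
        if row.strip():
            ts, dst = row.split()
            by_dst[dst].append(float(ts))
    result = {}
    for dst, stamps in by_dst.items():
        if len(stamps) < min_sessions:
            continue                      # too few sessions to call it a pattern
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        # Periodic when every gap stays within `tolerance` of the median gap.
        periodic = all(abs(g - mid) <= tolerance * mid for g in gaps)
        result[dst] = (round(mid / 60, 1), periodic)
    return result

if __name__ == "__main__":
    for dst, (minutes, periodic) in beacon_intervals(SAMPLE_ROWS).items():
        print(dst, minutes, "periodic" if periodic else "irregular")
```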