HawkEye — CyberDefenders

Ritam Dey
8 min read · Mar 8, 2022


Image credits: CyberDefenders

Scenario/Challenge Details

An accountant at your organization received an email regarding an invoice with a download link. Suspicious network traffic was observed shortly after opening the email. As a SOC analyst, investigate the network trace and analyze exfiltration attempts.

Tools used

  1. Wireshark
  2. Brim
  3. VirusTotal

First we need to load the PCAP file into Wireshark and Brim.

Q1. How many packets does the capture have?

We can get the total number of captured packets from the capture statistics via Statistics > Capture File Properties; the count is listed under the Measurement part of the properties.

Screenshot showing the total number of captured packets in the PCAP file

Q2. At what time was the first packet captured?

From the Capture File Properties we can get the timestamp of the first captured packet, under the Time part of the properties.

Screenshot showing the first packet timestamp in the PCAP file

Q3. What is the duration of the capture?

From that same part of the properties, we can get the total duration of the capture.

Screenshot showing the total time duration of captured packets in the PCAP file

Q4. What is the most active computer at the link level?

To get the MAC address of the most active computer, we can use the packet statistics of the PCAP from Statistics > IPv4 Statistics > All Addresses.

Showing all the statistics of all the IPv4 addresses

We can see that the internal address 10.4.10.132 is the computer with the most network traffic. We can filter on this address using ip.src_host == 10.4.10.132.

Q5: Manufacturer of the NIC of the most active system at the link level?

From the same statistics, we can see that Wireshark resolved the MAC address as HewlettP_1c:47:ae. Thus we can deduce that the NIC manufacturer is Hewlett-Packard.

Q6: Where are the headquarters of the company that manufactured the NIC of the most active computer at the link level?

Now that we know the manufacturer of the NIC, a Google search can reveal the HQ of the manufacturer.

Q7: The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?

We can see all the IPv4 addresses involved in the network capture from Statistics > IPv4 Statistics > All Addresses. There are 4 addresses of the form 10.4.10.x, but one of them is 10.4.10.255, which is the broadcast address of the /24 and cannot be assigned to any computer. Thus we have 3 addresses.

Showing all the addresses used by the organization
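The statistics read from the Wireshark GUI in Q1 to Q4 and Q7 (packet count, first timestamp, duration, most active MAC, internal hosts minus the broadcast address) can also be reproduced programmatically. The following is an added example, not part of the original write-up or the challenge material: a minimal classic-pcap parser in pure Python (no scapy) run over a small capture constructed in memory. The MAC addresses, IP addresses, timestamps and the 10.4.10.0/24 network it uses are assumed sample values, not data from the challenge PCAP.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address, IPv4Network


def _eth_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Build an Ethernet II frame carrying a bare IPv4 header (constructed sample data)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + b"\x08\x00")                                   # EtherType 0x0800 = IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip_hdr + payload


def _pcap(frames, start_ts=1554121200, step=60):
    """Wrap frames in a classic little-endian pcap (linktype 1 = Ethernet), one frame every `step` seconds."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", start_ts + i * step, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


# Constructed sample capture (assumed addresses): three internal hosts in 10.4.10.0/24,
# one broadcast frame and one exchange with an external host through the gateway MAC.
VICTIM_MAC, DNS_MAC, GW_MAC = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"
BCAST_MAC = "ff:ff:ff:ff:ff:ff"
SAMPLE_PCAP = _pcap([
    _eth_ipv4_frame(VICTIM_MAC, DNS_MAC, "10.4.10.132", "10.4.10.4"),      # DNS query
    _eth_ipv4_frame(DNS_MAC, VICTIM_MAC, "10.4.10.4", "10.4.10.132"),      # DNS answer
    _eth_ipv4_frame(GW_MAC, VICTIM_MAC, "10.4.10.1", "10.4.10.132"),       # gateway to victim
    _eth_ipv4_frame(VICTIM_MAC, GW_MAC, "10.4.10.132", "203.0.113.10"),    # to external host
    _eth_ipv4_frame(GW_MAC, VICTIM_MAC, "203.0.113.10", "10.4.10.132"),    # reply from external host
    _eth_ipv4_frame(VICTIM_MAC, BCAST_MAC, "10.4.10.132", "10.4.10.255"),  # broadcast
])


def parse_pcap(data):
    """Return a list of (timestamp, src_mac, dst_mac, src_ip, dst_ip) per record.
    Non-IPv4 frames keep their MACs and get None for the IP fields."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("example only handles Ethernet (linktype 1)")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        src_mac = dst_mac = src_ip = dst_ip = None
        if len(frame) >= 14:
            dst_mac, src_mac = frame[0:6].hex(":"), frame[6:12].hex(":")
            if frame[12:14] == b"\x08\x00" and len(frame) >= 34:
                src_ip, dst_ip = str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))
        records.append((ts_sec + ts_usec / 1e6, src_mac, dst_mac, src_ip, dst_ip))
    return records


def capture_summary(records):
    """Q1-Q3: packet count, first packet timestamp (epoch seconds) and duration in seconds."""
    stamps = [r[0] for r in records]
    return {"packets": len(records), "first_ts": min(stamps), "duration": max(stamps) - min(stamps)}


def most_active_mac(records):
    """Q4: the MAC seen most often as source or destination, with its frame count."""
    counts = Counter()
    for _, src_mac, dst_mac, _, _ in records:
        for mac in (src_mac, dst_mac):
            if mac:
                counts[mac] += 1
    return counts.most_common(1)[0]


def internal_hosts(records, network="10.4.10.0/24"):
    """Q7: distinct addresses inside `network`, excluding its broadcast address."""
    net = IPv4Network(network)
    seen = set()
    for _, _, _, src_ip, dst_ip in records:
        for ip in (src_ip, dst_ip):
            if ip and IPv4Address(ip) in net and IPv4Address(ip) != net.broadcast_address:
                seen.add(ip)
    return sorted(seen, key=IPv4Address)


if __name__ == "__main__":
    recs = parse_pcap(SAMPLE_PCAP)
    print(capture_summary(recs))   # packet count, first timestamp, duration
    print(most_active_mac(recs))   # busiest link-layer address
    print(internal_hosts(recs))    # hosts in the /24 without the broadcast address
```

To run it against a real trace, replace SAMPLE_PCAP with the file contents (`open("capture.pcap", "rb").read()`); Wireshark's default save format is pcapng, so export as classic pcap first, since this parser only reads the classic header. Counting a MAC once per frame whether it is source or destination matches how "most active at the link level" is judged in Q4.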

Q8: What is the name of the most active computer at the network level?

Using Brim, we can see that this capture contains some DHCP traffic. Searching for DHCP packets in Wireshark, we can find a DHCPINFORM packet. If we inspect the packet, we can see that the client sent the Host Name option, from which we can get the hostname of the computer.

Q9: What is the IP of the organization’s DNS server?

We can get the DNS server by filtering on DNS queries. A filter that can be used is dns.flags == 0x100. This shows all the DNS standard queries, and looking at the destination of every one of them, we can be sure that the DNS server address is 10.4.10.4.

Q10: What domain is the victim asking about in packet 204?

We can find the 204th packet using Go > Go To Packet and entering “204” to jump to that packet. It also happens to be a DNS query packet, so we can see the queried domain in the packet details.

Q11: What is the IP of the domain in the previous question?

From the details of the previous packet, we can see that the query response is packet number 206. Open that packet's details to get the resolved IP address of the domain: 217.182.138.150

Q12: Indicate the country to which the IP in the previous section belongs.

Searching for the IP in VirusTotal gives the country it belongs to.

VirusTotal showing the country to where the IP belongs

Q13: What operating system does the victim’s computer run?

We can get the OS running on the computer by inspecting the HTTP User-Agent header sent by that computer. In this capture there are multiple HTTP requests, but only the one to proforma-invoices.com appears to have been made from a browser, so we take the OS from that request's header. It turns out our victim runs “Windows NT 6.1”.

Getting the running OS on the system from HTTP User Agent

Q14: What is the name of the malicious file downloaded by the accountant?

Since we need information about a file, we can use Wireshark to export the transferred objects. Use File > Export Objects > HTTP to get a list of objects that have been downloaded over HTTP.

Listing of all the data that has been downloaded using HTTP

Q15: What is the md5 hash of the downloaded file?

From the previous list, we can save the malicious file to disk. After that we can hash it using any of our hashing tools.

Using HashTools to hash the malicious file downloaded in the previous step

Alternatively, we can look at the HTTP logs in Brim and find the request for the malicious file. The request details will include the MD5 hash of the file.

Using Brim to get the MD5 hash of the malicious file

Q16: What is the name of the malware according to Malwarebytes?

Now that we have the hash of the file, we can search for it in VirusTotal to see what Malwarebytes calls it.

Q17: What software runs the webserver that hosts the malware?

From the HTTP object list, selecting the malicious file also selects the packet that marks the start of the HTTP stream. We can get the entire stream using Follow > HTTP Stream. From the response headers in the followed stream, we can get the web server software running on the server.

Q18: What is the public IP of the victim’s computer?

From the HTTP object list, we can see that there is communication with another site called bot[.]whatismyipaddress[.]com, which is a known service for looking up the public IP address of a computer. Selecting that HTTP object record also selects the packet that marks the start of the HTTP stream. We can get the entire stream using Follow > HTTP Stream. From the followed stream, we can get the public IP.

Now before we proceed, we need to understand the remaining traffic a bit more. Using Brim, we can see that there is a lot of other traffic such as Samba, SMTP and Kerberos. Kerberos is an authentication protocol and is not used for data exfiltration. Samba could be used, but looking at the traffic we can see that no meaningful file transfer is happening, so we can be confident that SMTP was used for data exfiltration. We can find all the SMTP packets in Wireshark using the smtp filter, select one of the packets and follow it using Follow > TCP Stream.

Q19: In which country is the email server to which the stolen information is sent?

Analyzing the SMTP traffic, we can see that data is being exfiltrated via e-mail messages to sales.del@macwinlogistics[.]in.

Showing all the beacons where data is being exfiltrated using e-mails

Thus, to find where the server is located, we can search for the DNS query and response for that domain.

DNS query for the mail-server domain
DNS response for the mail-server domain

And we can search for that resolved IP in VirusTotal to find its location.

Q20: What is the domain’s creation date to which the information is exfiltrated?

Searching for the domain macwinlogistics[.]in in VirusTotal gives the domain registration date.

Q21: Analyzing the first extraction of information. What software runs the email server to which the stolen data is sent?

From the SMTP TCP stream, we can see all the headers and data exchanged between the SMTP server and the malware. When the malware first connects, the server's greeting banner names the software running on the SMTP server.

Showing the initial headers and communication between SMTP server and malware

Q22: To which email account is the stolen information sent?

Using Brim, we can easily see where the exfiltrated data is being sent.

Highlight showing the email address that is being used for data exfiltration

Q26: Every how many minutes does the collected data get exfiltrated?

From the same logs, we can see that a new e-mail is sent every 10 minutes.

Highlight showing the time difference between each e-mail

For the next 3 questions, we need to inspect and decode any one of the e-mail messages to understand what is being exfiltrated by the malware. In this capture the SMTP authentication exchange, the encoded subject line and the message body are all Base64 encoded, so each of them needs to be decoded for analysis.

Q23: What is the password used by the malware to send the email?

In the SMTP traffic, we can decode the AUTH LOGIN authentication flow to get the user's password: Sales@23

Authentication flow for the exfiltration e-mail
The 3rd Base64 encoded line

Q24: Which malware variant exfiltrated the data?

The malware variant can be found by decoding the Base64-encoded subject line of the selected e-mail.

Highlight showing the Base64 encoded e-mail subject line

Copying the text between the 3rd and 4th “?” (the Base64 payload of the encoded subject) and decoding it gives the malware variant, which is Reborn v9.

Highlight showing the malware variant that infected the computer

Q25: What are the bankofamerica access credentials? (username:password)

For this we need to decode the entire Base64-encoded body of the e-mail message.

Highlight showing the Base64 encoded body of the e-mail

Decoding it and reading the body gives the required credentials.

Decoded text showing stolen credentials
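The decoding steps used for Q21 and Q23 to Q25 (the server banner, the AUTH LOGIN credentials, the RFC 2047 encoded-word subject line and the Base64 message body) can be scripted with Python's standard library instead of pasting each string into a decoder. This is an added example and not part of the original write-up or the challenge data: it runs over an SMTP session transcript constructed inline, so the server name, addresses, password, subject and stolen record are placeholder values, and the "S: "/"C: " line prefixes are an assumed transcript convention (Wireshark's Follow TCP Stream distinguishes the two directions by colour instead).

```python
import base64
from email import message_from_bytes
from email.header import decode_header, make_header


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed SMTP session transcript (not from the challenge capture). "S: " lines are the
# mail server, "C: " lines are the sending malware; every name, address, credential and the
# stolen record below are placeholders.
SAMPLE_SESSION = "\r\n".join([
    "S: 220 mail.example.invalid ESMTP ExampleMTA 1.0",
    "C: EHLO victim-pc",
    "S: 250 AUTH LOGIN PLAIN",
    "C: AUTH LOGIN",
    "S: 334 " + _b64("Username:"),
    "C: " + _b64("exfil@example.invalid"),
    "S: 334 " + _b64("Password:"),
    "C: " + _b64("ExamplePass-123"),
    "S: 235 Authentication succeeded",
    "C: MAIL FROM:<exfil@example.invalid>",
    "S: 250 OK",
    "C: RCPT TO:<drop@example.invalid>",
    "S: 250 OK",
    "C: DATA",
    "S: 354 Start mail input",
    "C: From: exfil@example.invalid",
    "C: To: drop@example.invalid",
    "C: Subject: =?utf-8?B?" + _b64("Example Stealer v1 Records") + "?=",   # RFC 2047 encoded-word
    "C: Content-Type: text/plain; charset=utf-8",
    "C: Content-Transfer-Encoding: base64",
    "C: ",
    "C: " + _b64("URL: https://bank.example.invalid/login\r\nUsername: victim\r\nPassword: ExampleBank!1\r\n"),
    "C: .",
    "S: 250 OK queued",
])


def split_session(session):
    """Split the transcript into (server_lines, client_lines) with the 'S: '/'C: ' prefixes removed."""
    server, client = [], []
    for line in session.split("\r\n"):
        if line.startswith("S: "):
            server.append(line[3:])
        elif line.startswith("C: "):
            client.append(line[3:])
    return server, client


def server_banner(session):
    """Q21: the 220 greeting, which normally names the MTA software."""
    server, _ = split_session(session)
    return next((line for line in server if line.startswith("220 ")), None)


def auth_login_credentials(session):
    """Q23: recover the credentials from an AUTH LOGIN exchange. The server prompts with
    '334 <base64 of "Username:" or "Password:">' and the client answers with a base64 line."""
    creds = {}
    lines = [l for l in session.split("\r\n") if l.startswith(("S: ", "C: "))]
    for i, line in enumerate(lines[:-1]):
        if line.startswith("S: 334 ") and lines[i + 1].startswith("C: "):
            prompt = base64.b64decode(line[7:]).decode(errors="replace").rstrip(": ").lower()
            creds[prompt] = base64.b64decode(lines[i + 1][3:]).decode(errors="replace")
    return creds


def extract_message(session):
    """Parse the client lines between DATA and the terminating '.' as an e-mail message."""
    _, client = split_session(session)
    start = client.index("DATA") + 1
    end = client.index(".", start)
    return message_from_bytes("\r\n".join(client[start:end]).encode())


def decoded_subject(msg):
    """Q24: decode an RFC 2047 encoded-word subject (the base64 sits between the 3rd and 4th '?')."""
    return str(make_header(decode_header(msg["Subject"])))


def decoded_body(msg):
    """Q25: apply the Content-Transfer-Encoding to recover the plaintext body."""
    return msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")


def credentials_from_body(body):
    """Pull the Username/Password fields out of a stealer record as 'username:password'."""
    fields = {}
    for line in body.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return f"{fields.get('username')}:{fields.get('password')}"


if __name__ == "__main__":
    print(server_banner(SAMPLE_SESSION))
    print(auth_login_credentials(SAMPLE_SESSION))
    msg = extract_message(SAMPLE_SESSION)
    print(decoded_subject(msg))
    print(credentials_from_body(decoded_body(msg)))
```

The AUTH LOGIN handling keys on the server's 334 prompts rather than on line positions, so it still works when the transcript contains extra EHLO or STARTTLS negotiation before authentication. If a sample uses AUTH PLAIN instead, the client sends a single Base64 line that decodes to authorization-id, username and password separated by NUL bytes, which needs its own branch. Using the email module for the body avoids hand-decoding when a message is multipart or uses quoted-printable instead of base64.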
