HawkEye — CyberDefenders
An accountant at your organization received an email regarding an invoice with a download link. Suspicious network traffic was observed shortly after opening the email. As a SOC analyst, investigate the network trace and analyze exfiltration attempts.
First we need to load the PCAP file into Wireshark and Brim.
Q1. How many packets does the capture have?
We can get the total number of captured packets from Statistics > Capture File Properties; the count is listed in the Measurement part of the properties.
Q2. At what time was the first packet captured?
From the Capture File Properties we can also get the timestamp of the first captured packet, under the Time part of the properties.
Q3. What is the duration of the capture?
From that same part of the properties, we can get the total duration of the capture.
Q4. What is the most active computer at the link level?
To find the most active computer at the link level, we start from the packet statistics: Statistics > IPv4 Statistics > All Addresses.
We can see that the internal address 10.4.10.132 is the computer with the most network traffic. We can filter on that address with ip.src_host == 10.4.10.132.
Q5: Manufacturer of the NIC of the most active system at the link level?
In the filtered packets, we can see that Wireshark resolved the source MAC address as HewlettP_1c:47:ae. Thus we can deduce that the NIC manufacturer is Hewlett-Packard.
Q6: Where is the headquarter of the company that manufactured the NIC of the most active computer at the link level?
Now that we know the manufacturer of the NIC, a Google search reveals the HQ of the manufacturer.
Q7: The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?
We can see all the IPv4 addresses involved in the capture from Statistics > IPv4 Statistics > All Addresses. There are 4 addresses of the form 10.4.10.x, but one of them is 10.4.10.255, the broadcast address of the /24, which can’t be assigned to any computer. Thus we have 3 computers.
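Q7’s count (addresses inside the private /24, minus the network and broadcast addresses) is easy to do by hand here, but the same check scripted is reusable on larger captures. The following is an added example, not code from the original writeup: the address list is constructed (the 10.4.10.x values named in this writeup plus placeholder entries), and it matches explicit RFC 1918 ranges rather than `is_private`, because Python’s `is_private` also says True for the documentation ranges and 255.255.255.255.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for the Statistics > IPv4 Statistics > All Addresses list.
# 10.4.10.4, 10.4.10.132 and 10.4.10.255 are the addresses the writeup mentions;
# the other entries are placeholders, not values from the capture.
OBSERVED = [
    "10.4.10.4", "10.4.10.132", "10.4.10.7", "10.4.10.255",
    "203.0.113.10", "198.51.100.25", "255.255.255.255", "not-an-ip",
]

# Explicit RFC 1918 ranges: ipaddress's is_private also returns True for the
# documentation ranges (203.0.113.0/24 etc.), which must not be counted here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def internal_hosts(addresses, prefix_len=24):
    """Group private IPv4 addresses by /prefix_len subnet and return
    {subnet: [hosts]}, dropping each subnet's network and broadcast addresses."""
    hosts = defaultdict(set)
    for text in addresses:
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            continue                                  # ignore junk like "not-an-ip"
        if addr.version != 4 or not any(addr in net for net in RFC1918):
            continue                                  # public or non-IPv4: not an org host
        subnet = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        if addr in (subnet.network_address, subnet.broadcast_address):
            continue                                  # unassignable addresses
        hosts[str(subnet)].add(addr)
    return {net: [str(a) for a in sorted(addrs)] for net, addrs in hosts.items()}


def count_internal_hosts(addresses, prefix_len=24):
    """Total number of assignable private hosts seen in the capture."""
    return sum(len(v) for v in internal_hosts(addresses, prefix_len).values())


if __name__ == "__main__":
    print(internal_hosts(OBSERVED), count_internal_hosts(OBSERVED))
```

With the constructed list this yields one subnet, 10.4.10.0/24, with three hosts, which is the same reasoning as the manual count above.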
Q8: What is the name of the most active computer at the network level?
Using Brim, we can see that this capture contains some DHCP traffic. Filtering for DHCP packets in Wireshark, we can find a DHCPINFORM packet. Inspecting it, we can see that the client sent the Host Name option, from which we can get the host name of the computer.
Q9: What is the IP of the organization’s DNS server?
We can find the DNS server by filtering on DNS queries. A filter that can be used is dns.flags == 0x100, which matches standard queries (QR bit clear, recursion desired). Looking at the destination of all of these queries, we can be sure that the DNS server address is 10.4.10.4.
Q10: What domain is the victim asking about in packet 204?
We can jump to packet 204 using Go > Go To Packet and entering “204”. It happens to be a DNS query packet, and we can see the queried domain in the packet details.
Q11: What is the IP of the domain in the previous question?
From the details of that packet, we can see that the response to the query is packet number 206. Opening that packet’s details gives the resolved IP address of the domain: 220.127.116.11.
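The DNS steps in Q9 to Q11 (find the resolver by tallying where standard queries go, read the question name of a given frame, match the response by transaction ID) can be automated over raw DNS payloads. The following is an added example written for this writeup, not code from the original post or the challenge: the frames are constructed with placeholder names and documentation-range addresses (only the 10.4.10.x addresses are the ones mentioned above), and a real run would feed it the UDP payloads pulled out of the PCAP with tshark or scapy.

```python
import struct
from collections import Counter


def encode_name(name):
    """Dotted name -> DNS label format (length-prefixed labels, zero terminator)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid, name):
    # flags 0x0100 = QR 0 (query), RD 1: exactly what dns.flags == 0x100 matches
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, ipv4):
    # flags 0x8180 = QR 1, RD 1, RA 1; one A answer whose name is a pointer to offset 12
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2                        # name occupies 2 bytes here
            jumped, offset = True, struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns(msg):
    """Header fields, question names and any A-record answers of one DNS message."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        offset += 4                                     # skip QTYPE, QCLASS
        questions.append(name)
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:                   # A record
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": txid, "flags": flags, "is_query": not flags & 0x8000,
            "questions": questions, "answers": answers}


# Constructed frames: (frame number, src, dst, UDP payload). The names and public
# addresses are placeholders; the frame numbers mirror the writeup's 204/206.
PACKETS = [
    (201, "10.4.10.132", "10.4.10.4", build_query(0x1111, "update.service.example")),
    (203, "10.4.10.4", "10.4.10.132", build_response(0x1111, "update.service.example", "203.0.113.5")),
    (204, "10.4.10.132", "10.4.10.4", build_query(0x2222, "invoice-host.example")),
    (206, "10.4.10.4", "10.4.10.132", build_response(0x2222, "invoice-host.example", "203.0.113.10")),
]


def dns_server_candidates(packets):
    """Q9: tally the destinations of standard queries (flags == 0x0100)."""
    return Counter(dst for _, _, dst, payload in packets if parse_dns(payload)["flags"] == 0x0100)


def queried_domain(packets, frame):
    """Q10: the name in the question section of the given frame."""
    payload = next(p for n, _, _, p in packets if n == frame)
    return parse_dns(payload)["questions"][0]


def resolved_address(packets, query_frame):
    """Q11: match the response by transaction ID; return (frame, IPv4) or None."""
    txid = parse_dns(next(p for n, _, _, p in packets if n == query_frame))["id"]
    for n, _, _, p in packets:
        d = parse_dns(p)
        if d["id"] == txid and not d["is_query"] and d["answers"]:
            return n, d["answers"][0][1]
    return None
```

Matching on the transaction ID rather than on frame adjacency is the point worth keeping: on a busy host the response is not always the next DNS frame, and Wireshark’s own “Response In” link is built the same way.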
Q12: Indicate the country to which the IP in the previous section belongs.
Searching the IP in VirusTotal gives the country it belongs to.
Q13: What operating system does the victim’s computer run?
We can get the OS running on the computer by inspecting the HTTP User-Agent header sent by that computer. In this capture, we have multiple HTTP requests, but only the one to proforma-invoices.com seems to have been made from a browser, so we take the OS from that request’s header. It turns out our victim runs “Windows NT 6.1”.
Q14: What is the name of the malicious file downloaded by the accountant?
Since we need information about a file, we can use Wireshark to export the HTTP objects. Use File > Export Objects > HTTP to get a list of objects that have been downloaded over HTTP.
Q15: What is the md5 hash of the downloaded file?
From the previous list, we can save the malicious file to disk. After that we can hash it using any of our hashing tools.
Alternatively, we can look at the HTTP logs in Brim and find the request for the malicious file. The request details include the MD5 hash of the file.
Q16: What is the name of the malware according to Malwarebytes?
Now that we have the hash of the file, we can search for it in VirusTotal to see what Malwarebytes calls it.
Q17: What software runs the webserver that hosts the malware?
From the HTTP object list, selecting the malicious file also selects the packet that marks the start of the HTTP stream. We can get the entire stream using Follow > HTTP Stream. From the response headers in the followed stream, we can get the web server software running on the server.
Q18: What is the public IP of the victim’s computer?
From the HTTP object list, we can also see communication with a site called bot[.]whatismyipaddress[.]com, a known service that returns the public IP address of the requesting computer. Selecting that HTTP object record selects the packet that marks the start of the HTTP stream, and we can get the entire stream using Follow > HTTP Stream. From the headers and data in the followed stream, we can get the public IP.
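Q13 to Q18 all come down to reading fields out of a followed HTTP stream: the User-Agent of the request, the requested file name, the bytes of the transferred object (to hash them), the Server header of the response, and the body of the IP-echo response. The following is an added example, not code from the original post: the two exchanges are constructed (placeholder host names, paths, Server banner and file bytes; the User-Agent is a typical Firefox-on-Windows-7 string) and stand in for streams saved from Wireshark, and the file body is the 3-byte RFC 1321 test vector so the MD5 is a known value.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed request/response pairs standing in for two followed HTTP streams.
# Host names, paths, the Server banner and the file bytes are placeholders,
# not values from the capture.
DOWNLOAD_REQUEST = (
    b"GET /docs/invoice-0423.exe HTTP/1.1\r\n"
    b"Host: invoice-host.example\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0\r\n"
    b"Connection: keep-alive\r\n\r\n"
)
FILE_BYTES = b"abc"   # placeholder body; md5("abc") is the RFC 1321 test vector
DOWNLOAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: ExampleHTTPd/1.0\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 3\r\n\r\n" + FILE_BYTES
)
IPCHECK_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: ip-echo.example\r\n"
    b"User-Agent: Mozilla/4.0\r\n\r\n"
)
IPCHECK_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\n203.0.113.77"


def parse_http(raw):
    """Split one HTTP/1.x message into (start line, headers, body).
    Header names are lower-cased; the body is cut to Content-Length when present."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = headers.get("content-length")
    body = rest[: int(length)] if length is not None else rest
    return lines[0], headers, body


# Platform token -> marketing name (NT 10.0 is reported by both Windows 10 and 11).
WINDOWS_NT_NAMES = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
                    "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10/11"}


def client_os(request):
    """Q13: read the Windows NT platform token out of the User-Agent header."""
    _, headers, _ = parse_http(request)
    m = re.search(r"Windows NT (\d+\.\d+)", headers.get("user-agent", ""))
    if not m:
        return None
    return f"Windows NT {m.group(1)}", WINDOWS_NT_NAMES.get(m.group(1), "unknown")


def downloaded_filename(request):
    """Q14: last path segment of the request target."""
    start, _, _ = parse_http(request)
    target = start.split(" ")[1]
    return urlsplit(target).path.rsplit("/", 1)[-1]


def body_md5(response):
    """Q15: hash the transferred object exactly as Export Objects would save it."""
    _, _, body = parse_http(response)
    return hashlib.md5(body).hexdigest()


def server_software(response):
    """Q17: the Server banner from the response headers."""
    _, headers, _ = parse_http(response)
    return headers.get("server")


def public_ip(response):
    """Q18: an IP-echo service returns the client's public address in the body."""
    _, _, body = parse_http(response)
    m = re.search(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b", body)
    return m.group(0).decode() if m else None
```

Hashing only the Content-Length-delimited body matters: hashing the whole response (headers included) or a chunked body without de-chunking gives a digest that will never match VirusTotal.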
Now before we proceed, we need to understand the remaining traffic a bit more. Using Brim, we can see that there’s a lot of other traffic like Samba, SMTP and Kerberos. Kerberos is an authentication protocol that’s not used for data exfiltration. Samba can be used, but looking at the traffic we can see that no meaningful file transfer is happening, and thus we can be sure that SMTP was used for data exfiltration. We can find all the SMTP packets in Wireshark using the smtp filter, select one of the packets and follow it using Follow > TCP Stream.
Q19: In which country is the email server to which the stolen information is sent?
Analyzing the SMTP traffic, we can see that data is being exfiltrated in e-mail messages to sales.del@macwinlogistics[.]in.
Thus, to find where the server is located, we can search for the DNS query and response for that domain.
We can then search for the resolved IP in VirusTotal to find its location.
Q20: What is the domain’s creation date to which the information is exfiltrated?
Searching for the domain macwinlogistics[.]in in VirusTotal gives the domain registration date.
Q21: Analyzing the first extraction of information. What software runs the email server to which the stolen data is sent?
From the SMTP TCP stream, we can see all the headers and data sent between the SMTP server and the malware. When the malware first connects to the SMTP server, the server’s greeting banner contains the software that’s running on the SMTP server.
Q22: To which email account is the stolen information sent?
Using Brim, we can easily see where the exfiltrated data is being sent.
Q26: Every how many minutes does the collected data get exfiltrated?
From the same logs, we can see that a new e-mail is sent every 10 minutes.
For the next 3 questions, we need to inspect and decode any one of the e-mail messages to understand what’s being exfiltrated by the malware. In this traffic the SMTP content (the AUTH LOGIN exchange, the Subject line and the message body) is Base64-encoded, so each part needs to be decoded before analysis.
Q23: What is the password used by the malware to send the email?
In the SMTP network logs, we can decode the AUTH LOGIN exchange to get the password of the user: Sales@23.
Q24: Which malware variant exfiltrated the data?
The malware variant can be found by decoding the Subject line of the selected e-mail, which is a Base64 encoded-word.
Copying the text between the 3rd and 4th “?” and Base64-decoding it gives the malware variant, which is Reborn v9.
Q25: What are the bankofamerica access credentials? (username:password)
For this we need to decode the entire Base64 body of the e-mail message.
Decoding it and analyzing the body gives the required credentials.
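The decoding done by hand for Q21 and Q23 to Q26 (server banner, AUTH LOGIN credentials, the encoded-word Subject, the Base64 body, and the interval between messages) can be scripted over a followed TCP stream. The following is an added example, not code from the original post or the challenge: the session transcript is constructed with placeholder host, account, credential and body values (the real ones are above in the writeup), the session start times are constructed too, and the email module does the RFC 2047 and Content-Transfer-Encoding work so no manual Base64 slicing is needed.

```python
import base64
import email
from collections import Counter
from datetime import datetime
from email.header import decode_header

# Constructed SMTP session in the shape Follow > TCP Stream shows it (S: server, C: client).
# Every host, account, credential and body value is a placeholder, not data from the capture.
SESSION = """\
S: 220 mail.example.test ESMTP ExampleMTA 1.0
C: EHLO victim-host
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: Ym9i
S: 334 UGFzc3dvcmQ6
C: UGFzczEyMw==
S: 235 Authentication succeeded
C: MAIL FROM:<bob@example.test>
S: 250 OK
C: RCPT TO:<drop@example.test>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: bob@example.test
C: To: drop@example.test
C: Subject: =?UTF-8?B?TG9ncyB2MA==?=
C: Content-Type: text/plain; charset=utf-8
C: Content-Transfer-Encoding: base64
C:
C: YWxpY2U6aHVudGVyMg==
C: .
S: 250 OK
"""


def split_turns(session):
    """[(side, text)] per line; a bare 'C:' is an empty client line (the header/body separator)."""
    turns = []
    for line in session.splitlines():
        side, _, text = line.partition(":")
        turns.append((side, text[1:] if text.startswith(" ") else text))
    return turns


def server_banner(turns):
    """Q21: the 220 greeting names the MTA software."""
    return next(text[4:] for side, text in turns if side == "S" and text.startswith("220 "))


def decode_auth_login(turns):
    """Q23: each 334 challenge is base64 'Username:' / 'Password:' and the client's
    reply is base64 too, so one decode per line recovers the credentials."""
    creds = {}
    for i, (side, text) in enumerate(turns):
        if side == "S" and text.startswith("334 "):
            prompt = base64.b64decode(text[4:]).decode().rstrip(":").lower()
            reply_side, reply = turns[i + 1]
            if reply_side == "C":
                creds[prompt] = base64.b64decode(reply).decode()
    return creds


def extract_message(turns):
    """Collect the client lines between DATA and the lone '.' as one RFC 5322 message."""
    lines, in_data = [], False
    for side, text in turns:
        if side != "C":
            continue
        if text == "DATA":
            in_data = True
        elif in_data:
            if text == ".":
                break
            lines.append(text)
    return email.message_from_string("\n".join(lines))


def encoded_word_payload(header):
    """The manual method for Q24: the base64 sits between the 3rd and 4th '?'."""
    return header.split("?")[3]


def decoded_subject(msg):
    """Q24 the RFC 2047 way: let the email module decode the encoded-word."""
    return "".join(chunk.decode(cs or "ascii") if isinstance(chunk, bytes) else chunk
                   for chunk, cs in decode_header(msg["Subject"]))


def decoded_body(msg):
    """Q25: get_payload(decode=True) honours Content-Transfer-Encoding: base64."""
    return msg.get_payload(decode=True).decode("utf-8")


# Constructed start times of successive exfiltration sessions on one day (Q26).
SESSION_STARTS = ["12:00:03", "12:10:04", "12:20:03", "12:30:05"]


def exfil_interval_minutes(times):
    """Most common gap between consecutive sessions, rounded to whole minutes."""
    stamps = [datetime.strptime(t, "%H:%M:%S") for t in times]
    gaps = [round((b - a).total_seconds() / 60) for a, b in zip(stamps, stamps[1:])]
    return Counter(gaps).most_common(1)[0][0]


def analyze(session=SESSION):
    """Everything the Q21/Q23-Q25 steps pull out of one session, in one dict."""
    turns = split_turns(session)
    msg = extract_message(turns)
    return {"server": server_banner(turns), **decode_auth_login(turns),
            "subject": decoded_subject(msg), "body": decoded_body(msg)}
```

Rounding the gaps before taking the mode is deliberate: a malware timer never fires at exactly 600 s, so raw second-level differences would all be distinct and the "every N minutes" answer would not fall out.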