Scenario

An accountant at your organization received an email regarding an invoice with a download link. Suspicious network traffic was observed shortly after opening the email. As a SOC analyst, investigate the network trace and analyze exfiltration attempts.

This is my first challenge on this platform and honestly i loved how the challenges are structured. They are more real life based. In this challenge, we are given a pcap file for investigation. I solved the challenges using the following tools and sites:

• Wireshark
• BrimSecurity
• Apackets
• whatismyip

Questions

Before i start tackling the challenges, i like to look at two things once i load the pcap to wireshark:

1. Capture file properties
2. Protocol hierarchy (Simply put, this is a tree of all the protocols in the capture. Each row contains the statistical values of one protocol.)

If you are using Brim security, you can get a summary of the protocols by selecting Activity Overview or running the following query:

count() by _path | sort -r

With that said, we can get started😁

How many packets does the capture have?

This information can be found be found on Statistics > Capture file properties

or by checking the Statusbar

4003

At what time was the first packet captured?

This information can be found be found on Statistics > Capture file properties

However, the format required was UTC. So we can convert this using wireshark by navigating to View > Time Display Formats > UTC Date and Time of Day or ctrl+alt+7. More information on Time Display formats can be found here

2019-04-10 20:37:07 UTC

What is the duration of the capture?

This information can be found be found on Statistics > Capture file properties

01:03:41

What is the most active computer at the link level?

To find the most active machine on the link level, we can check Statistics > Endpoints > Ethernet. You can click the packets tab to sort the number of packets.

If you use a site like A-packets, you can get this info in the Ethernet tab.

00:08:02:1C:47:AE

Manufacturer of the NIC of the most active system at the link level?

Well, with wireshark, we can’t clearly see the full name of the Manufacturer.

However, we can use a MAC checker from DNSChecker.org to get the full name

A-Packets makes it easier:

Hewlett-Packard

Where is the headquarter of the company that manufactured the NIC of the most active computer at the link level?

Doing a quick google search gives you the answer.

Palo Alto

The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?

From the question given, we know we are looking for IP addresses that fall in the range of:

• Class A: 10.0.0.0 — 10.255.255.255
• Class B: 172.16.0.0 — 172.31.255.255
• Class C: 192.168.0.0 — 192.168.255.255

In this case, we can get a general overview of the IPv4 addresses used by checking Statistics > Endpoints > IPv4

This shows us that the company uses 10.4.10.0/24. Considering 10.4.10.255 is the broadcast address, we are left with 3 computers.

If you use A-packets for analysis, under the Network tab, you can find a summary of the network

3

What is the name of the most active computer at the network level?

By now we know the most active computer with MAC of 00:08:02:1C:47:AE has an IP of 10.4.10.132. In order to get the hostname, we can try filter the dhcp protocol.

In this case, we get two packets with DHCP Inform & DHCP ACK messages. A DHCP Inform message is sent by a DHCP client to obtain other network configuration parameters such as the gateway address and DNS server address after the DHCP client has obtained an IP address. When the server received these messages will respond with DHCP ACK (unicast) with the configuration parameters.

Another way you could get the host name is by filtering NBNS (NetBIOS Name Service) protocol.

This should reveal the NBNS traffic. Select the first frame, and you can quickly correlate the IP address with a MAC address and hostname as shown from the screenshot above. 10.4.10.2 is the DHCP server.

Beijing-5cd1-PC

What is the IP of the organization’s DNS server?

If we apply the dns filter, we can see the victim machine querying 10.4.10.4 alot. For instance if i select the second packet displayed, we see its response to the previous packet.

If you choose to use A-Packets for investigation, we can get the DNS server using two methods:

• Select the Network tab and hover over pizzajukebox-dc.pizzajukebox.com, we can see it is the DNS, LDAP server

• By selecting the server tab, you can easily identify the DNS server

10.4.10.4

What domain is the victim asking about in packet 204?

This was preety easy. you can manually scroll to the 204 packet or you can apply the following filter

frame.number == 204

Inspecting the packet details, we see the victim machine querying proforma-invoices.com

proforma-invoices.com

What is the IP of the domain in the previous question?

From the previous question, we can see the victim queried A record of the mentioned domain. The response can be found in packet 206 with the IP.

The A record indicates the IP address of a given domain.

217.182.138.150

Indicate the country to which the IP in the previous section belongs.

Using A-packets, we can easily identify the IP’s origin on the Connections Tab

Alternatively, you can do a lookup on whatismyip

France

What operating system does the victim’s computer run?

In order to get the Victim’s OS, we can try filtering HTTP requests made by the victim. In this case, if we follow the HTTP stream, we can find the OS information under the user agent.

In this case, its Windows NT 6.1. Windows NT 6.1 represents Windows 7. For User-Agent lines, Windows NT strings represent the following versions of Microsoft Windows as shown below:

• Windows NT 5.1: Windows XP
• Windows NT 6.0: Windows Vista
• Windows NT 6.1: Windows 7
• Windows NT 6.2: Windows 8
• Windows NT 6.3: Windows 8.1
• Windows NT 10.0: Windows 10

Windows NT 6.1

What is the name of the malicious file downloaded by the accountant?

If we filter GET requests, we can see that the accountant downloaded tkraw_Protected99.exe from proforma-invoices.com

tkraw_Protected99.exe

What is the md5 hash of the downloaded file?

We can export this file (File > Export Objects > HTTP) and get the hash value as follows:

1
2
3

analyst@oste:~$ md5sum tkraw_Protected99.exe
71826ba081e303866ce2a2534491a2f7
analyst@oste:~$

71826ba081e303866ce2a2534491a2f7

What is the name of the malware according to Malwarebytes?

You can upload the binary to Virus total or you can just do a search using the hash value. According to Virus total, 52 security vendors and 1 sandbox flagged this file as malicious. Malwarebytes identified the malware as Spyware.HawkEyeKeyLogger

If you’d like to read more about this malware:

• Malwarebytes - Spyware.HawkEyeKeyLogger
• Howtofix - Spyware.HawkEyeKeyLogger

Spyware.HawkEyeKeyLogger

What software runs the webserver that hosts the malware?

Earlier, we saw the accountants computer requesting the file from proforma-invoices.com, the malicious server responded with a 200 OK. Inspecting the headers, we can easily get the webserver information.

Alternatively, if you are analysing the pcap file using A-Packets, you can get this information by hovering over proforma-invoices.com

LiteSpeed

What is the public IP of the victim’s computer?

While looking through the domains logged in the pcap file, i found a suspicious domain called bot.whatismyipaddress.com. The accountants computer was querying the org’s DNS server and we get the domains public IP

With this in mind, we can filter out traffic related to the bot and accountants machine.

We can now see the accountants machine tried to check its public ip 7 times, 10 minutes apart between each request.

173.66.146.112

In which country is the email server to which the stolen information is sent?

Doing a quick lookup on whatismyip, we can get this information.

United States

What is the domain’s creation date to which the information is exfiltrated?

Earlier when i looked at the protocol hierarchy, i came across SMTP. It is common for malware to exfiltrate data using this protocol, for example Agent Tesla Trojan. So i filtered out SMTP traffic

Right of the bat, we can be able to see some readable text and some base64 encoded username and password. looking at the MAIL FROM & RCPT TO mails, they seem to belong to macwinlogistics.in.

Doing a whois lookup, we can easily get the answer.

1
2
3
4
5
6
7
8
9

analyst@oste:~$ whois macwinlogistics.in
Domain Name: macwinlogistics.in
Registry Domain ID: D8113179-IN
Registrar WHOIS Server:
Registrar URL: www.godaddy.com
Updated Date: 2022-02-16T07:01:27Z
Creation Date: 2014-02-08T10:31:26Z
Registry Expiry Date: 2023-02-08T10:31:26Z
Registrar: GoDaddy.com, LLC

2014-02-08

Analyzing the first extraction of information. What software runs the email server to which the stolen data is sent?

When we first filtered SMTP traffic, in the first frame displayed, we can get the mail server info.

Exim 4.91

To which email account is the stolen information sent?

Since we have many SMTP packets, we can refine our filter to get packets containing RCPT TO using the following filter

smtp.req.command eq RCPT

sales.del@macwinlogistics.in

What is the password used by the malware to send the email?

Applying smtp.auth.password as our filter we get only packets containing the password.

The passwords are base64 encoded though. Wireshark has the ability to decode this…You simply need to head over to Edit > Preferences > Protocols > SMTP and check Decode Base64 encoded AUTH parameters. If you click ok, You should now be able to see the clear text credentials

Sales@23

Which malware variant exfiltrated the data?

Decoding the subject line of the email, gives us the name of the Keylogger and version.

1
2
3

ubuntu@oste:~$ echo SGF3a0V5ZSBLZXlsb2dnZXIgLSBSZWJvcm4gdjkgLSBQYXNzd29yZHMgTG9ncyAtIHJvbWFuLm1jZ3VpcmUgXCBCRUlKSU5HLTVDRDEtUEMgLSAxNzMuNjYuMTQ2LjExMg== | base64 -d
HawkEye Keylogger - Reborn v9 - Passwords Logs - roman.mcguire \ BEIJING-5CD1-PC - 173.66.146.112
ubuntu@oste:~$

Reborn v9

What are the bankofamerica access credentials? (username:password)

Thanks to wiresharks IMF disector, we can be able to see clear text of the mail subject and body. From there we can see usernames and passwords being exfiltrated.

roman.mcguire:P@ssw0rd$

Every how many minutes does the collected data get exfiltrated?

To get this information, we can filter out packets using the IMF protocol

The Internet Message Format is format in which text messages are transferred over the Internet. Where SMTP is equivalent to the message envelope, IMF is equivalent to the letter within the envelope. It contains the originator, recipients, subject and dates. Whilst IMF only handles text messages, it can be augmented with MIME_multipart to support multi-media messages.

From the above, we can see the difference between the time stamps is 10 minutes

10

Final Sentiments

• This was a fun challenge and got to learn more about using wireshark. The official documentation was of much help.
• Please, be cautious before uploading a pcap file to a Online pcap file analyzer. You would not want to leak sensitive information such WPA/WPA2 handshakes, plain text passwords in authorization headers or cryptographic hashes, including complex challenge-base auth protocols, etc. For CTF’s you can use the site to make your work easier etc. Before using A-Packets, i would recommend reading their Privacy Policy
• After completing the challenge, i was interested to check out people’s approaches to the challenge. I was intrigued by how the netscylla team solved this using python. Just python! Go ahead and check their blog on the same

Resources

• Wireshark User’s Guide
• Huawei - DHCP Messages
• PaloAlto - Wireshark Tutorial: Identifying Hosts and Users
• Internet Message Format (imf)
• IPONWIRE - DHCP Messages
• Wireshark - Display Filter Reference: Simple Mail Transfer Protocol
• DNSChecker.org - MAC Address Lookup
• Malwarebytes - Spyware.HawkEyeKeyLogger
• Howtofix - Spyware.HawkEyeKeyLogger