Post

Network Analysis – Ransomware

Posted
Preview Image
By Oste
2 min read

What is the operating system of the host from which the network traffic was captured? (Look at Capture File Properties, copy the details exactly) (3 points)

To score this, you need to go the menu bar and select statistics and choose Capture File Properties. From here, you can easily get the OS information as shown in the screenshots below

image

image

32-bit Windows 7 Service Pack 1, build 7601

What is the full URL from which the ransomware executable was downloaded? (3 points)

Headed over to File > Export objects > HTTP objects and you’ll find one packet with an executable file called safecrypt. Manually exploring the packet, you’ll get the full URL in the GET request. Alternatively, you can choose to follow the http stream and get the answer.

image

image

http://10.0.2.15:8000/safecrypt.exe

Name the ransomware executable file? (2 points)

safecrypt.exe

What is the MD5 hash of the ransomware? (2 points)

On the linux terminal, you can use a tool called md5sum to get the hash. If you are solving this on windows, you can try tools like hashtab, hashtool among others. But inorder to get the hash, you need to export the executable we saw from the previous screenshot.

1
2
3

md5sum safecrypt.exe
4a1d88603b1007825a9c6b36d1e5de44  safecrypt.exe
➜

4a1d88603b1007825a9c6b36d1e5de44

What is the name of the ransomware? (2 points)

In order to get the name, we can lookup if this hash has shown up in malware databses. Using Virustotal for example, we can search the hash of the binary or manually upload it. In this, we find various security vendors recognizing it as TeslaCrypt.

image

TeslaCrypt

What is the encryption algorithm used by the ransomware, according to the ransom note? (2 points)

image

RSA-4096

I filtered dns traffic then manually inspected the DNS query’s

image

dunyamuzelerimuzesi.com

Decrypt the Tender document and submit the flag (3 points)

I did some digging and found a command line tool that can decrypt files encrypted by the ransomware. You can download it at Mcafee. Instructions on how to use the tool can be found here. Decrypting was relatively easy and opening the document, we get the flag.

1
2
3
4
5
6
7
8
9
10
11
12

$ ./tesladecrypt.exe -h
usage: tesladecrypt.exe [-h] [--version] [-l] [-r] [-d] target_directory

positional arguments:
  target_directory  Directory to search for encrypted teslacrypt files

optional arguments:
  -h, --help        show this help message and exit
  --version         Get version information
  -l, --list        List all encrypted TeslaCrypt files
  -r, --recursive   Process files in sub-directories
  -d, --del         Delete encrypted files after decryption

1
2
3

$ ./tesladecrypt.exe -d E:\
>
Decrypting [ Tender.pdf.micro ] - OK and DELETED Encrypted File

image

BTLO-T3nd3r-Fl@g

BTLO, Security Operations
dridex wireshark malware ransomware
This post is licensed under CC BY 4.0 by the author.

Comments powered by Disqus.