Scenario: An accountant at your organization received an email regarding an invoice with a download link. Suspicious network traffic was observed shortly after opening the email. As a SOC analyst, investigate the network trace and analyze exfiltration attempts.
1.wireshark
3.https://whois.domaintools.com
Q1. How many packets does the capture have?
In Wireshark to view all packets captured in your file Statistics=>Capture file properties and then scroll down to measurement section
Q2. At what time was the first packet captured?
from the same windown scroll up to the time of first packet put add 4 to hours to convert to UTC
Q3. What is the duration of the capture?
from the same section
Q4. What is the most active computer at the link level?
to view the most active device at link level (mac address) Statistics=>Endpoints=>Ethernet
Q5. Manufacturer of the NIC of the most active system at the link level?
to get this information we can search about manufacturer of this mac address on google and we will get it
answer: Hewlett-Packard
Q6. Where is the headquarter of the company that manufactured the NIC of the most active computer at the link level?
also we can search about this information in google answer: Palo Alto
Q7. The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?
Statistics=>Endpoints=>IPV4
here we get four ips put as we know .255 assigned to Broadcast so we have only three private ips in organization
Q8. What is the name of the most active computer at the network level?
host name usually is a DHCP information so by mac or ip of the device we can filter by dhcp and expand packet to get this information
Q9. What is the IP of the organization's DNS server?
we can filter by dns to find the dns's query and ip of dns server
Q10. What domain is the victim asking about in packet 204?
first as usuall, filter on packet 204 by frame.number==204 in search bar and will find this packet is dns packet, then will expand this packet, and expand the dns section to find the domain name
answer: proforma-invoices.com
Q11. What is the IP of the domain in the previous question?
in packet 204, there is information that the response of this packet in packet 206
so we will filter by this packet and expand it to see the response
answer: 217.182.138.150
Q12.Indicate the country to which the IP in the previous section belongs.
we can search on iplocation.net by ip to get the country
Q13.What operating system does the victim's computer run?
HTTP Request usually contain user-agent infromation such as user OS, so we will filter by http and expand GET packet, and expand it, and expand http section, and get our target
answer: Windowns NT 6.1
Q14.What is the name of the malicious file downloaded by the accountant?
if we filter by GET method
we see that this packet contain exe file and this is our target
answer: tkraw_Protected99.exe
Q15. What is the md5 hash of the downloaded file?
so we will download this file and generate hash value to download/export from wireshark File=>Export object=>HTTP and select our file and save
to generate md5 hash "type in terminal" md5 tkraw_Protected99.exe
answer: 71826ba081e303866ce2a2534491a2f7
Q16. What is the name of the malware according to Malwarebytes?
we can use tool named VirusTotal by the hash value of virus and search the name of this malware according to anti-virus
Q17. What software runs the webserver that hosts the malware?
the webserver that host the malware appear in http response so we can get the response to the packet that contain the malware and expand it to get the name
answer: litespeed
Q18. What is the public IP of the victim's computer?
if we search in GET requests made by victim we will find that there is a packet request whatismyipaddress.com so we can know the public ip of victim from the response to this packet
Q19. In which country is the email server to which the stolen information is sent?
so if we filter on SMTP protocol wish responsable to mails we will find that victim recives mails from this ip
so we will take this ip and search on iplocation.net to find country
Q20. What is the domain's creation date to which the information is exfiltrated?
so if we search about SMTP REQ we will find that victim communicate with this mail
so if we extract the domain name from this mail which is macwinlogistics.in and search about it on this website https://whois.domaintools.com/
we will find the creation date
Q21. Analyzing the first extraction of information. What software runs the email server to which the stolen data is sent?
we will follow TCP stream and the first line contain the software and other inforamtion
Q22. To which email account is the stolen information sent?
as we do above we can see the stmp traffic and see from and to email
sales.del@macwinlogistics.in
Q23. What is the password used by the malware to send the email?
as we do above we can see the stmp traffic and see that there is an encoded password in traffic
so if we decode it we will get the password
Sales@23
Q24. Which malware variant exfiltrated the data?
if we track the STMP traffic we will find this packet
if we expand this packet, and scrool down we will find the palin text message
and in this message we will find the malware name ant its variant
Q25.What are the bankofamerica access credentials? (username:password)
in this palin text message also we will find the username and password to access
Q26.Every how many minutes does the collected data get exfiltrated?
if we track the stmp traffic we will notice that every 10 minutes data get exfiltrated
