PCAP_Lab

Objective

Conduct PCAP analysis via Wireshark and provide a report on attack vectors used and various IOCs associated with malware infection.

Skills Learned

  • PCAP Analysis
  • Detailed understanding of web traffic components as they relate to the OSI model
  • Improved overall analytical skills
  • Better understanding of encryption protocols and PKI framework

Tools Used

  • Wireshark
  • NMAP

Steps

1. Created custom columns and filters to make data more legible.

Screenshot 2024-03-22 112834

2. Tried filtering for DHCP and NetBIOS frames to find the hostname. Only the DHCP Discover frame contained that info.

Screenshot 2024-03-25 094658

  • I subsequently enabled name resolution in the View menu to keep the hostname visible as I continued looking through the PCAP. Filtering for NetBIOS frames also provides the hostname.
  • I was also able to get the device's MAC address from the frames (00:60:52:b7:33:0f).

Screenshot 2024-03-25 095224

3. The first thing to note in the PCAP was that after the user navigated to oceriesfornot.top, a DNS query was made to another domain: antnosience.com at IP 157.245.142.66.

2024-03-25 11_22_27-_2022-03-21-traffic-analysis-exercise pcap
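Steps 2 and 3 pull three host-identity IOCs out of the capture by hand: the client MAC and hostname from the DHCP Discover, and the DNS query names. The following script is an added example, not the lab's own tooling, that does the same extraction from a classic libpcap file with only the Python standard library. The MAC and the antnosience.com query name come from the write-up above; the hostname `LAB-HOST-PLACEHOLDER`, the addresses 10.0.0.5/10.0.0.1 and the whole two-frame capture built by `build_sample_pcap()` are constructed test data.

```python
"""Extract host-identity IOCs (client MAC, DHCP hostname, DNS query names) from a pcap.
Added example for this lab, not the lab's own tooling; standard library only.
The capture built by build_sample_pcap() is constructed test data."""
import socket
import struct
from typing import Iterator, Optional

ETH_IPV4 = 0x0800
PROTO_UDP = 17
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_OPT_HOSTNAME = 12  # RFC 2132 option 12, the "Host Name" field Wireshark shows


def pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield link-layer frames from classic libpcap bytes (not pcapng)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def udp_payload(frame: bytes):
    """(src_mac, sport, dport, payload) for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    if ip[9] != PROTO_UDP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return src_mac, sport, dport, ip[ihl + 8:ihl + ulen]


def dhcp_hostname(payload: bytes) -> Optional[str]:
    """Walk the DHCP option list (after the 236-byte fixed header and magic cookie)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = End option
        code, length = payload[i], payload[i + 1]
        if code == 0:                                    # Pad option has no length byte
            i += 1
            continue
        if code == DHCP_OPT_HOSTNAME:
            return payload[i + 2:i + 2 + length].decode("ascii", "replace")
        i += 2 + length
    return None


def dns_qname(payload: bytes) -> Optional[str]:
    """Decode the first question name; question names are never compressed."""
    labels, i = [], 12
    while i < len(payload) and payload[i] != 0:
        n = payload[i]
        labels.append(payload[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels) or None


def extract_iocs(pcap: bytes) -> dict:
    """Equivalent of the lab's manual filters: DHCP (udp.port == 67) and DNS queries (dns.flags.response == 0)."""
    found = {"mac": set(), "hostnames": set(), "dns_queries": []}
    for frame in pcap_frames(pcap):
        parsed = udp_payload(frame)
        if parsed is None:
            continue
        src_mac, sport, dport, payload = parsed
        if sport == 68 and dport == 67:                  # DHCP client -> server
            found["mac"].add(src_mac)
            name = dhcp_hostname(payload)
            if name:
                found["hostnames"].add(name)
        elif dport == 53 and len(payload) > 12 and not payload[2] & 0x80:  # QR bit clear = query
            name = dns_qname(payload)
            if name:
                found["dns_queries"].append(name)
    return found


def _udp_frame(src_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame; checksums are left zero (parsers here ignore them)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, PROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", ETH_IPV4) + ip + udp


def build_sample_pcap() -> bytes:
    """Constructed two-frame capture: a DHCP Discover carrying option 12, then one DNS A query."""
    mac = "00:60:52:b7:33:0f"               # the client MAC noted in the write-up
    hostname = b"LAB-HOST-PLACEHOLDER"       # constructed; the lab's real hostname is not on the page
    dhcp = (b"\x01\x01\x06\x00" + b"\x00" * 232 + DHCP_MAGIC      # BOOTREQUEST + cookie
            + b"\x35\x01\x01"                                     # option 53: DHCPDISCOVER
            + bytes([DHCP_OPT_HOSTNAME, len(hostname)]) + hostname + b"\xff")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in "antnosience.com".split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"
    frames = [_udp_frame(mac, "0.0.0.0", "255.255.255.255", 68, 67, dhcp),
              _udp_frame(mac, "10.0.0.5", "10.0.0.1", 53123, 53, dns)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", 1_647_900_000 + n, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    print(extract_iocs(data))
```

Run it with a capture path to process a real file, or with no arguments to see the constructed sample. Because the DHCP hostname is read from option 12 rather than from name resolution, the result is the same whether or not Wireshark's View > Name Resolution is switched on.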

4. I needed more information on what exactly happened between the TCP 3-way handshake and the DNS query, so I decided to update my filter to capture all HTTP/1.1 traffic.

2024-03-25 11_35_04-_2022-03-21-traffic-analysis-exercise pcap

The screenshot above shows that the user downloaded a package from 188.166.118.

5. The next step was to export all HTTP objects to take a closer look at them. A total of 2 objects were exported from the object list. In order to learn more about each object, I spun up my Linux VM to check attributes via the CLI.

2024-03-25 11_11_27-Kali Linux on GENIE - Virtual Machine Connection

I checked the SHA256 hash value of the file and uploaded it to VirusTotal.com. It returned the results below:

2024-03-25 11_08_24-Kali Linux on GENIE - Virtual Machine Connection

Checking the various file names for additional info, I noticed the following:

2024-03-25 11_09_37-Kali Linux on GENIE - Virtual Machine Connection

I then conducted a search for the IcedID malware in the MITRE database. It returned the following:

2024-03-25 11_48_07-IcedID, Software S0483 _ MITRE ATT CK®

Among other things, IcedID uses HTTPS to reach out to C2 servers.

6. Another HTTP GET request was made to this potentially malicious domain.

2024-03-26 10_39_55-2022-03-21-traffic-analysis-exercise pcap

The file downloaded was a .der file, indicating it was a certificate. It's possible that this may be some sort of self-signed certificate designed to facilitate a Man-in-the-Middle attack via proxies, which would be consistent with some IcedID attack vectors.
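Steps 5 and 6 triage the exported HTTP objects by hashing them, checking their file type, and noting that one of them is a .der file. The script below is an added example, not the lab's own tooling, that does both in one pass: it prints the same SHA256 that `sha256sum` gives (the value to search on VirusTotal) and identifies the type from leading bytes, with one structural check before calling anything a DER certificate: the outer ASN.1 SEQUENCE must span exactly the captured bytes, and its first element must itself be a SEQUENCE (the tbsCertificate). That check separates a complete certificate from an object that was cut short because the capture ended mid-transfer. All objects returned by `sample_objects()` are constructed placeholders, not the lab's downloads, and the `.der` blob is a valid DER SEQUENCE shell rather than a real X.509 certificate.

```python
"""Triage of HTTP objects exported from Wireshark: hash each one and identify its type
from leading bytes, with a structural check on DER before calling it a certificate.
Added example for this lab, not the lab's own tooling; standard library only.
The objects built by sample_objects() are constructed test data, not the lab's files."""
import hashlib
from typing import Optional

ASN1_SEQUENCE = 0x30


def sha256_hex(data: bytes) -> str:
    """Same digest `sha256sum` prints; this is the value searched on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def der_total_length(data: bytes) -> Optional[int]:
    """Size of the DER element at offset 0 (tag + length bytes + content), or None if unreadable."""
    if len(data) < 2:
        return None
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify(data: bytes) -> str:
    """Coarse type from magic bytes; DER counts as a certificate only if the outer SEQUENCE
    spans the whole object and wraps another SEQUENCE (X.509 tbsCertificate)."""
    if data.startswith(b"MZ"):
        return "pe-executable"
    if data.startswith(b"PK\x03\x04"):
        return "zip-archive"
    if data.startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem-certificate"
    if data[:1] == bytes([ASN1_SEQUENCE]):
        total = der_total_length(data)
        if total is None or total > len(data):
            return "der-truncated"          # declared length exceeds what was captured
        if total < len(data):
            return "der-trailing-data"
        hdr = 2 + ((data[1] & 0x7F) if data[1] >= 0x80 else 0)
        if data[hdr:hdr + 1] == bytes([ASN1_SEQUENCE]):
            return "der-certificate"
        return "der-other"
    return "unknown"


def triage(objects: dict) -> list:
    """One row per exported object: name, size, type, SHA256, ready for the report."""
    return [{"name": name, "size": len(blob), "type": classify(blob), "sha256": sha256_hex(blob)}
            for name, blob in objects.items()]


def sample_objects() -> dict:
    """Constructed objects, not the lab's real downloads."""
    inner = bytes([ASN1_SEQUENCE, 0x82, 0x01, 0x2C]) + b"\x00" * 300   # 304-byte tbsCertificate stand-in
    cert = bytes([ASN1_SEQUENCE, 0x82, 0x01, 0x30]) + inner            # outer SEQUENCE, 308 bytes total
    return {
        "object1.bin": b"MZ\x90\x00" + b"\x00" * 60,   # PE header stub
        "object2.der": cert,
        "object2-cut.der": cert[:200],                # transfer that the capture cut short
        "index.html": b"<html></html>",
    }


if __name__ == "__main__":
    for row in triage(sample_objects()):
        print(f'{row["sha256"]}  {row["size"]:>6}  {row["type"]:<16} {row["name"]}')
```

To use it on real exports, build the dictionary from the files in Wireshark's export directory (`{p.name: p.read_bytes() for p in Path(export_dir).iterdir()}`) and pass it to `triage()`. A `der-truncated` result means the hash you would submit does not describe the file the host actually received, so the object should be re-exported or the transfer re-checked before it is recorded as an IOC.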

7. Upon further investigation, it looks like the host was redirected to various malicious sites, which ultimately led to the downloading of the certificates.

2024-03-26 10_58_37-2022-03-21-traffic-analysis-exercise pcap
