Scenario
Three machines in the Finance department at Pfeffer PLC were compromised. We suspect the initial source of the compromise happened through a phishing attempt and by an infected USB drive. The Incident Response team managed to pull the network traffic logs from the endpoints. Use Brim to investigate the network traffic for any indicators of an attack and determine who stands behind the attacks.
NOTE: DO NOT directly interact with any domains and IP addresses in this challenge.
Infection 1:
Start by loading the Infection1 packet capture in Brim to investigate the compromise event for the first machine. All the PCAPs can be found here: /home/ubuntu/Desktop/PCAPs
Note: For questions that require multiple answers, please separate the answers with a comma.
Checking the number of logs we currently have:
count() by _path | sort -r
Output:
- There are 7 log files (one per _path) generated from the capture.
- Provide the victim's IP address (the client machine on the network). Checking the network IP addresses:
_path=="conn" | put classnet := network_of(id.resp_h) | cut classnet | count() by classnet | sort -r
Output:
Checking the connections on the network:
_path=="conn" | cut id.orig_h, id.resp_p, id.resp_h | sort | uniq
- 192.168.75.249 seems to be the most common IP, so it's probably the victim's IP address.
- It is!
- The victim attempted to make HTTP connections to two suspicious domains with the status '404 Not Found'. Provide the hosts/domains requested.
Command (the bare IP acts as a keyword search across all fields):
_path=="http" | 192.168.75.249 | cut _path,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,host,uri,status_code,status_msg
Output:
- The victim made a successful HTTP connection to one of the domains and received a response_body_len of 1,309 (uncompressed content size of the data transferred from the server). Provide the domain and the destination IP address.
_path=="http" | 192.168.75.249 | cut response_body_len,id.resp_h,id.resp_p,host,uri | sort
Output:
Answer:
- How many unique DNS requests were made to the cab[.]myfkn[.]com domain (including the capitalized domain)?
_path=="dns" | count() by query
- The domain has 6 DNS requests.
- Provide the URI of the domain bhaktivrind[.]com that the victim reached out to over HTTP. Command:
_path=="http" | cut id.orig_h,id.orig_p,id.resp_h,id.resp_p,host,uri | bhaktivrind.com
- /cgi-bin/JBbb8
- Provide the IP address of the malicious server and the executable that the victim downloaded from the server.
Parsing the right columns for the file:
_path=="files" | cut fuid,tx_hosts,rx_hosts,source,md5,sha1
- There are 4 files that the victim downloaded from the attacker's server.
Checking them on VirusTotal:
1. Filetype - MD5: 68fa9a5dc9b89daa69d8418bf8d05869 SHA1: b897e40829c23b20d52ba23dbf7f606e2af8a83c
2. Filetype - MD5: 017089b4144bf2fb9e4af12373c50175 SHA1: b6595572d542d6fcd17037539c0b4ac7e5278e82
3. Filetype - MD5: 7fe07db5541e97de0248e5fbbe18259d SHA1: ddda073882033f6f32fd485dad238c1c880107bf
4. Filetype - MD5: 3c06f8b36b6db15e6eb5996c3d1a0a76 SHA1: 19293815a07107a28d2364afb832cec5cd81d3d4
1. First file: An .mp4 file!
2. A text file?
3. Another text file:
4. Still a text file (html)
5. Found from http.log:
- hdmilg[.]xyz => 185.239.243.112
- File: catzx[.]exe
- Based on the information gathered from the second question, provide the name of the malware using VirusTotal.
Infection 2:
Please, navigate to the Infection2 packet capture in Brim to investigate the compromise event for the second machine.
Note: For questions that require multiple answers, please separate the answers with a comma.
Checking the number of logs we currently have:
count() by _path | sort -r
Output:
- Provide the IP address of the victim machine.
- 192.168.75.146
- Provide the IP address the victim made the POST connections to.
_path=="http" | cut uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,method,host,uri | POST
- 5.181.156.252
- How many POST connections were made to the IP address in the previous question?
- 3
- Provide the domain where the binary was downloaded from.
- Provide the name of the binary including the full URI.
- /jollion/apines.exe
- Provide the IP address of the domain that hosts the binary.
- 45.95.203.28
- There were 2 Suricata "A Network Trojan was detected" alerts. What were the source and destination IP addresses?
- Taking a look at the .top domain in HTTP requests, provide the name of the stealer (a Trojan that gathers information from a system) involved in this packet capture using the URLhaus database.
Infection 3:
Please, load the Infection3 packet capture in Brim to investigate the compromise event for the third machine.
Note: For questions that require multiple answers, please separate the answers with a comma.
Checking the number of logs we currently have:
count() by _path | sort -r
- Provide the IP address of the victim machine.
- Here are the provided IP addresses under "client_addr":
- That's a lot of connections to different IPs and .exe downloads.
- The victim's machine is 192.168.75.232
- Provide three C2 domains from which the binaries were downloaded (starting from the earliest to the latest in the timestamp).
_path=="http" | cut uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,method,host,uri | .exe
Instances of binaries downloaded:
All domain names:
- Provide the IP addresses for all three domains in the previous question. First one:
Second one:
Third one:
Answers:
- 199.21.76.77
- 162.217.98.146
- 63.251.106.25
- How many unique DNS queries were made to the domain associated from the first IP address from the previous answer?
_path=="dns" | cut query | sort | uniq | count()
- Answer is
2
- Answer is
- How many binaries were downloaded from the above domain in total?
- 5
- Provide the user-agent listed to download the binaries.
- Provide the number of DNS connections made in total for this packet capture.
- 986
- With some OSINT skills, provide the name of the worm using the first domain you have managed to collect from Question 2. (Please use quotation marks for Google searches, don't use .ru in your search, and DO NOT interact with the domain directly).
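As an added example (not part of the original write-up), the same triage the Brim queries above perform, done in Python over Zeek logs exported as JSON: most common originator, hosts answering 404, .exe downloads with their server IP, POST counts per destination, and case-insensitive DNS query counts. Field names follow Zeek's JSON logs with Brim's _path key; the records are constructed, not from the challenge PCAPs.

```python
import json
from collections import Counter

# Constructed Zeek records in JSON-streaming form (not taken from the challenge PCAPs).
# Server addresses use the RFC 5737 documentation range; domains use .example.
SAMPLE_LOGS = """\
{"_path":"http","id.orig_h":"192.168.75.249","id.resp_h":"203.0.113.10","method":"GET","host":"first.example","uri":"/","status_code":404,"response_body_len":0}
{"_path":"http","id.orig_h":"192.168.75.249","id.resp_h":"203.0.113.11","method":"GET","host":"second.example","uri":"/cgi-bin/abc","status_code":404,"response_body_len":0}
{"_path":"http","id.orig_h":"192.168.75.249","id.resp_h":"203.0.113.12","method":"GET","host":"third.example","uri":"/files/dropper.exe","status_code":200,"response_body_len":1309}
{"_path":"http","id.orig_h":"192.168.75.249","id.resp_h":"203.0.113.13","method":"POST","host":"c2.example","uri":"/gate.php","status_code":200,"response_body_len":12}
{"_path":"http","id.orig_h":"192.168.75.249","id.resp_h":"203.0.113.13","method":"POST","host":"c2.example","uri":"/gate.php","status_code":200,"response_body_len":12}
{"_path":"dns","id.orig_h":"192.168.75.249","id.resp_h":"192.168.75.1","query":"third.example"}
{"_path":"dns","id.orig_h":"192.168.75.249","id.resp_h":"192.168.75.1","query":"THIRD.example"}
{"_path":"dns","id.orig_h":"192.168.75.249","id.resp_h":"192.168.75.1","query":"time.example"}
"""

def parse(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def by_path(recs, path):
    return [r for r in recs if r["_path"] == path]

def log_counts(recs):
    """Equivalent of `count() by _path`."""
    return Counter(r["_path"] for r in recs)

def likely_victim(recs):
    """Most frequent originator across all records, as in the conn-log triage."""
    return Counter(r["id.orig_h"] for r in recs).most_common(1)[0][0]

def not_found_hosts(recs):
    """Hosts that answered 404 (the 'suspicious domains' question)."""
    return sorted({r["host"] for r in by_path(recs, "http") if r["status_code"] == 404})

def executable_downloads(recs):
    """(host, server IP, filename) for every URI ending in .exe, in log order."""
    return [(r["host"], r["id.resp_h"], r["uri"].rsplit("/", 1)[-1])
            for r in by_path(recs, "http") if r["uri"].lower().endswith(".exe")]

def post_counts(recs):
    """POST requests per destination IP."""
    return Counter(r["id.resp_h"] for r in by_path(recs, "http") if r["method"] == "POST")

def dns_queries_for(recs, domain):
    """Queries for the domain or its subdomains, case-insensitive (capitalized variants count)."""
    d = domain.lower()
    return sum(1 for r in by_path(recs, "dns")
               if r["query"].lower() == d or r["query"].lower().endswith("." + d))
```

Run it against a real export by replacing SAMPLE_LOGS with the contents of a JSON file produced by Brim's export, keeping the same field names.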