Scenario:
An accountant at your organization received an email regarding an invoice with a download link. Suspicious network traffic was observed shortly after opening the email. As a SOC analyst, investigate the network trace and analyze exfiltration attempts.
Tools:
Tags:
[PCAP](https://cyberdefenders.org/blueteam-ctf-challenges/?tags=pcap)
[Wireshark](https://cyberdefenders.org/blueteam-ctf-challenges/?tags=wireshark)
[NetworkMiner](https://cyberdefenders.org/blueteam-ctf-challenges/?tags=networkminer)
[BRIM](https://cyberdefenders.org/blueteam-ctf-challenges/?tags=brim)
[VirusTotal](https://cyberdefenders.org/blueteam-ctf-challenges/?tags=virustotal)
[T1048](https://cyberdefenders.org/blueteam-ctf-challenges/?tags=t1048)
[T1071](https://cyberdefenders.org/blueteam-ctf-challenges/?tags=t1071)
[T1056.001](https://cyberdefenders.org/blueteam-ctf-challenges/?tags=t1056.001)
[T1016](https://cyberdefenders.org/blueteam-ctf-challenges/?tags=t1016)
[T1027](https://cyberdefenders.org/blueteam-ctf-challenges/?tags=t1027)
[T1204](https://cyberdefenders.org/blueteam-ctf-challenges/?tags=t1204)
[T1566.002](https://cyberdefenders.org/blueteam-ctf-challenges/?tags=t1566.002)
Questions:
Q1: How many packets does the capture have?
-> Answer: 4003
Q2: At what time was the first packet captured?
Go to View > Time display format > UTC Date and Time of Day
-> Answer: 2019-04-10 20:37:07 UTC
Q3: What is the duration of the capture?
- Difference between the first and the last packet capture time.
Go to Statistics > Capture File Properties > Time > Elapsed
-> Answer: 01:03:41
Q4: What is the most active computer at the link level?
Go to Statistics > Endpoints > Ethernet column > sort by Packets
-> Answer: 00:08:02:1c:47:ae
Q5: Manufacturer of the NIC of the most active system at the link level?
Wireshark query:

```
eth.addr == 00:08:02:1c:47:ae
```

- Under 'Source', the manufacturer is printed.
-> Answer: Hewlett-Packard
Q6: Where is the headquarters of the company that manufactured the NIC of the most active computer at the link level?
A Google search is enough for this one.
-> Answer: Palo Alto
Q7: The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?
```
10.4.10.2
10.4.10.4
10.4.10.132
10.4.10.255 -> broadcast address of the /24, so it does not count
```
-> Answer: 3
Q8: What is the name of the most active computer at the network level?
Select a packet in which 10.4.10.132 is involved, since this host has the most packets transferred.
The DHCP packets also carry the hostname.
-> Answer: BEIJING-5CD1-PC
Q9: What is the IP of the organization’s DNS server?
Wireshark query:

```
dns
```
-> Answer: 10.4.10.4
Q10: What domain is the victim asking about in packet 204?
- Go to packet 204 (a DNS query) and read the queried name.
- This is a malware site according to VirusTotal.
-> Answer: proforma-invoices.com
Q11: What is the IP of the domain in the previous question?
- The IP of the malware site, from the DNS response.
-> Answer: 217.182.138.150
Q12: Indicate the country to which the IP in the previous section belongs.
- Load the MaxMind GeoIP database into Wireshark.
- Go to Statistics > Endpoints > IPv4 tab; the ‘Country’ column shows it.
-> Answer: France
Q13: What operating system does the victim’s computer run?
First, get all the connections to and from 217.182.138.150:

```
ip.addr == 217.182.138.150
```

- It shows that a first-stage malware is being downloaded onto the victim's system; the HTTP request's User-Agent shows it runs Windows.
-> Answer: Windows NT 6.1
Q14: What is the name of the malicious file downloaded by the accountant?
-> Answer: tkraw_Protected99.exe
Q15: What is the md5 hash of the downloaded file?
PowerShell:

```
Get-FileHash -Path "C:\Users\husky\Desktop\CCD_NetworkForensicsLabs\tkraw_Protected99.exe" -Algorithm MD5
```
-> Answer: 71826BA081E303866CE2A2534491A2F7
Q16: What software runs the webserver that hosts the malware?
- The Server header in the HTTP response names it.
- It's an Apache/Nginx alternative, I guess.
-> Answer: LiteSpeed
Q17: What is the public IP of the victim’s computer?
Let’s check which IP addresses the victim computer talked to (Statistics > Conversations).
- I crossed off the IP addresses that are probably for broadcasting or the subnet.
What we have left:
- 217.182.138.150: not this, since this is the webserver that hosts the malware
- 66.171.248.178: seems to be another malware site / botnet
- 23.229.162.69: seems to be a personal website 'briantharris.org' -> seems to be a mail server
- 216.58.193.131: seems to resolve to "Georgia Institute of Technology" -> most viable answer => Nope, it's not it. It's a Google API update.
- Looking up these IP addresses on VirusTotal.
Another approach: from Statistics > HTTP > Load Distribution you can see that there is a request to whatismyipaddress.com. We can follow the stream on that request and read its response to the victim’s computer.
-> Answer: 173.66.146.112
Q18: In which country is the email server to which the stolen information is sent?
From the previous searches, we determined that 23.229.162.69 is an email server, which I suppose is already compromised or was created by the attacker for this data exfiltration. Let’s dig into this:
- Here is the conversation between the victim's computer and the mail server.
- The attacker seems to already have the credentials for this mail server.
- No clue about the 'secureserver.net' link.
Checking the base64 encoded data:
```
HawkEye Keylogger - Reborn v9
Passwords Logs
roman.mcguire \ BEIJING-5CD1-PC
===========================================
URL : https://login.aol.com/account/challenge/password
Web Browser : Internet Explorer 7.0 - 9.0
User Name : roman.mcguire914@aol.com
Password : P@ssw0rd$
Password Strength : Very Strong
User Name Field :
Password Field :
Created Time :
Modified Time :
Filename :
===========================================
===========================================
URL : https://www.bankofamerica.com/
Web Browser : Chrome
User Name : roman.mcguire
Password : P@ssw0rd$
Password Strength : Very Strong
User Name Field : onlineId1
Password Field : passcode1
Created Time : 4/10/2019 2:35:17 AM
Modified Time :
Filename : C:\Users\roman.mcguire\AppData\Local\Google\Chrome\User Data\Default\Login Data
==========================================================================================
==========================================================================================
Name : Roman Mcguire
Application : MS Outlook 2002/2003/2007/2010
Email : roman.mcguire@pizzajukebox.com
Server : pop.pizzajukebox.com
Server Port : 995
Secured : No
Type : POP3
User : roman.mcguire
Password : P@ssw0rd$
Profile : Outlook
Password Strength : Very Strong
SMTP Server : smtp.pizzajukebox.com
SMTP Server Port : 587
==========================================================================================
```
- This malware, HawkEye Keylogger, is using the mail server as a C2.
- This seems to be the data collected by the keylogger, sent to the mail server with Base64 encoding.
- The name of the compromised user is 'Roman Mcguire'.
-> Answer: United States => Look up secureserver.net on VirusTotal.com
Q19: Analyzing the first extraction of information. What software runs the email server to which the stolen data is sent?
Filter on SMTP traffic with 23.229.162.69; the server greeting names the software.
-> Answer: EXIM 4.91
Q20: To which email account is the stolen information sent?
- I guess the mail server for the domain 'macwinlogistics.in' doesn't have email protections, as any mail server can be used to send emails, allowing attackers to use the compromised email account. Also, this 'secureserver.net' email server is definitely not one of the sending mail servers for 'macwinlogistics.in'.
-> Answer: sales.del@macwinlogistics.in
Q21: What is the password used by the malware to send the email?
- The password seems to be Base64-encoded.
- Decoded password: Sales@23
-> Answer: Sales@23
Q22: Which malware variant exfiltrated the data?
```
HawkEye Keylogger - Reborn v9
Passwords Logs
roman.mcguire \ BEIJING-5CD1-PC
```
-> Answer: Reborn v9
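The SMTP exchange walked through in Q18, Q21 and Q22 (AUTH LOGIN credentials, then a Base64 message body) can be pulled apart with a small parser. This is an added example, not part of the original writeup: the session text is constructed to match the shape of that traffic, the server name mail.example.invalid is a placeholder, and the one-line body stands in for the full keylogger report.

```python
import base64
import re

# Constructed SMTP session (not from the capture) in the shape of the exfiltration
# traffic above: lines starting with a 3-digit code are server replies, the rest is the client.
SAMPLE_SESSION = """220 mail.example.invalid ESMTP
AUTH LOGIN
334 VXNlcm5hbWU6
c2FsZXMuZGVsQG1hY3dpbmxvZ2lzdGljcy5pbg==
334 UGFzc3dvcmQ6
U2FsZXNAMjM=
235 Authentication succeeded
RCPT TO:<sales.del@macwinlogistics.in>
250 OK
DATA
354 Enter message
Content-Transfer-Encoding: base64

SGF3a0V5ZSBLZXlsb2dnZXIgLSBSZWJvcm4gdjk=
.
"""
SERVER_REPLY = re.compile(r"^\d{3}[ -]")

def parse_smtp_exfil(session):
    """Extract AUTH LOGIN credentials, recipients and the decoded body of one session."""
    lines = session.splitlines()
    result = {"user": None, "password": None, "rcpt": [], "body": ""}
    i = 0
    while i < len(lines):
        line = lines[i].upper()
        if line == "AUTH LOGIN":
            # Server: "334 <Base64 'Username:'>", "334 <Base64 'Password:'>"; the client's
            # two non-reply lines in between are the Base64 user name and password.
            creds = [l for l in lines[i + 1:i + 5] if not SERVER_REPLY.match(l)]
            result["user"], result["password"] = [base64.b64decode(c).decode() for c in creds]
            i += 4
        elif line.startswith("RCPT TO:"):
            result["rcpt"].append(lines[i].split(":", 1)[1].strip("<> "))
        elif line == "DATA":
            # Body runs after the 354 reply up to the lone "." terminator; headers end at
            # the first blank line, and a Base64 body is decoded before it is returned.
            end = lines.index(".", i)
            msg = lines[i + 2:end]
            blank = msg.index("")
            is_b64 = any(h.lower() == "content-transfer-encoding: base64" for h in msg[:blank])
            body = "\n".join(msg[blank + 1:])
            result["body"] = base64.b64decode(body).decode() if is_b64 else body
            i = end
        i += 1
    return result
```

On a real capture, feed it the client-plus-server text of one "Follow TCP Stream" view; the first line of the decoded body is the malware's own banner, which is what Q22 asks for.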
Q23: What are the bankofamerica access credentials? (username:password)
```
===========================================
URL : https://www.bankofamerica.com/
Web Browser : Chrome
User Name : roman.mcguire
Password : P@ssw0rd$
Password Strength : Very Strong
User Name Field : onlineId1
Password Field : passcode1
Created Time : 4/10/2019 2:35:17 AM
Modified Time :
Filename : C:\Users\roman.mcguire\AppData\Local\Google\Chrome\User Data\Default\Login Data
==========================================================================================
```
-> Answer: roman.mcguire:P@ssw0rd$
Q24: Every how many minutes does the collected data get exfiltrated?
Check the first and last packet for SMTP:

```
First: 69.160215
Last: 3777.862095
Difference: 3708.70188 == 61.811698 minutes
```

- This is not correct, as it takes the first packet of the first data exfiltration session and the last packet of the last session.
There is a 10-minute interval between data exfiltration sessions.
-> Answer: 10
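The difference between the first attempt and the correct answer is grouping packets by SMTP session before measuring. Added example, not part of the original writeup: it takes (time, tcp.stream) pairs as tshark would export them and computes both numbers; the packet list is constructed, with only the first and last timestamps taken from the values above.

```python
from collections import Counter

# Constructed (frame time in seconds, tcp.stream) pairs for the SMTP packets, the shape
# tshark gives with: tshark -r <capture>.pcap -Y smtp -T fields -e frame.time_relative -e tcp.stream
# Seven sessions of three packets each, starting 600 s apart; only the first and last
# times are the writeup's own values, everything else is made up.
SMTP_PACKETS = []
for k in range(7):
    start, stream = 69.160215 + 600 * k, 10 + k
    SMTP_PACKETS += [(start, stream), (start + 0.3, stream), (start + 2.1, stream)]
SMTP_PACKETS[-1] = (3777.862095, 16)  # last packet of the last session


def session_starts(packets):
    """Time of the first packet of each TCP stream, sorted."""
    first = {}
    for t, stream in packets:
        first.setdefault(stream, t)
    return sorted(first.values())


def naive_span_minutes(packets):
    """The first attempt above: last SMTP packet minus first SMTP packet, across all sessions."""
    times = [t for t, _ in packets]
    return (max(times) - min(times)) / 60


def exfil_interval_minutes(packets):
    """Gap between consecutive session starts; the most common gap is the exfiltration period."""
    starts = session_starts(packets)
    gaps = [round((b - a) / 60) for a, b in zip(starts, starts[1:])]
    return Counter(gaps).most_common(1)[0][0]
```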