TSHARK CHALLENGE II: DIRECTORY

SCENARIO: An alert has been triggered: "A user came across a poor file index, and their curiosity led to problems". The case was assigned to you. Inspect the provided directory-curiosity.pcap located in ~/Desktop/exercise-files and retrieve the artefacts to confirm that this alert is a true positive. The available tools are: TShark, VirusTotal.

Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. What is the name of the malicious/suspicious domain? Enter your answer in a defanged format.
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
 directory-curiosity.pcap

root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
 search: dns
  https://www.wireshark.org/docs/dfref/d/dns.html
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref/d/dns.html > CTRL+F
 search: qry
  dns.qry.name	Name	Character string	1.0.0 to 4.4.5

root@thm:~$ tshark -r directory-curiosity.pcap -T fields -e dns.qry.name | awk NF | sort -r | uniq -c | sort -r
 8 isatap
 4 www.bing.com
 2 r20swj13mr.microsoft.com
 2 ocsp.digicert.com
 2 jx2-bavuong.com
 2 iecvlist.microsoft.com
 2 api.bing.com

 * the "awk NF" in the pipeline removes the empty lines that tshark emits for every packet that carries no dns.qry.name field.
 
root@thm:~$ BROWSER > https://www.virustotal.com/gui/home/url
 search: jx2-bavuong.com
  4/97 security vendors flagged this URL as malicious

root@thm:~$ BROWSER > cyberchef.io
 input: jx2-bavuong.com
 recipe: Defang URL
 output: jx2-bavuong[.]com
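The two manual steps above (tallying the query names, then defanging the hit in CyberChef) can be done in the same shell. The helper below is an added example and not part of the original walkthrough; its input is a constructed sample modelled on the listing above, and it also covers a caveat the plain "awk NF" pipeline misses: when one packet carries several query names, tshark joins the field values with commas, so the values have to be split before counting. The defang function produces the same output as the CyberChef "Defang URL" and "Defang IP Addresses" recipes used here and in the later steps for 141.164.41.174, 123.php and vlauto.exe.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): count DNS query names from
# `tshark -T fields -e dns.qry.name` output and defang indicators for reporting.

# Constructed sample of the field output: blank lines are packets that carry no
# dns.qry.name, the comma-joined line is one packet carrying two query names
# (tshark joins repeated occurrences of a field with commas by default).
sample_dns_fields() {
    printf '%s\n' 'isatap' '' 'www.bing.com' 'jx2-bavuong.com' '' \
        'www.bing.com,api.bing.com' 'jx2-bavuong.com' 'isatap'
}

# Split comma-joined values, drop empty lines (awk NF), count unique names.
count_dns_names() {
    tr ',' '\n' | awk 'NF' | sort | uniq -c | sort -rn
}

# Count for a single name out of count_dns_names output; prints 0 if absent.
count_of() {
    awk -v n="$1" '$2 == n { print $1; found = 1 } END { if (!found) print 0 }'
}

# Defang domains, IPv4 addresses and URLs: arguments if given, else stdin.
# Dots become [.] and an http(s):// scheme becomes hxxp(s)://, matching the
# output of CyberChef's "Defang URL" / "Defang IP Addresses" recipes.
defang() {
    if [ "$#" -gt 0 ]; then printf '%s\n' "$@"; else cat; fi |
        sed -E -e 's#^http://#hxxp://#' -e 's#^https://#hxxps://#' -e 's/\./[.]/g'
}

# Stand-alone run: tally the sample, then defang every name in it.
sample_dns_fields | count_dns_names
sample_dns_fields | count_dns_names | awk '{ print $2 }' | defang
```

Against the real capture, `tshark -r directory-curiosity.pcap -T fields -e dns.qry.name | count_dns_names` replaces the sort/uniq chain above, and the names can be piped straight into `defang` for the report.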
Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. What is the total number of HTTP requests sent to the malicious domain?
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
 directory-curiosity.pcap

root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
 search: http
  https://www.wireshark.org/docs/dfref/h/http.html
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref/h/http.html > CTRL+F
 search: request
  http.request.full_uri	Full request URI	Character string	1.6.0 to 4.4.5

root@thm:~$ tshark -r directory-curiosity.pcap -T fields -e http.request.full_uri | awk NF | sort -r | uniq -c | sort -r
 8 http://239.255.255.250:1900*
 3 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
 2 http://jx2-bavuong.com/vlauto.exe
 1 http://www.bing.com/favicon.ico
 1 http://jx2-bavuong.com/newbot/target.port
 1 http://jx2-bavuong.com/newbot/target.method
 1 http://jx2-bavuong.com/newbot/target.ip
 1 http://jx2-bavuong.com/newbot/target
 1 http://jx2-bavuong.com/newbot/proxy
 1 http://jx2-bavuong.com/newbot/botlogger.php
 1 http://jx2-bavuong.com/newbot/blog
 1 http://jx2-bavuong.com/icons/text.gif
 1 http://jx2-bavuong.com/icons/blank.gif
 1 http://jx2-bavuong.com/icons/binary.gif
 1 http://jx2-bavuong.com/favicon.ico
 1 http://jx2-bavuong.com/
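The listing above counts each distinct URI, so the per-domain total still has to be added up by hand. The script below is an added example, not part of the original walkthrough: it reduces every URI to its host and counts per host, from a constructed sample that reproduces the URIs and counts shown above (including the SSDP M-SEARCH lines, whose "URI" is `*` with no path). The tshark display filter in the comment is the in-capture equivalent.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): count HTTP requests per
# host from `tshark -T fields -e http.request.full_uri` output.

# Constructed sample reproducing the request URIs and counts listed above
# (8 SSDP M-SEARCH requests to 239.255.255.250:1900, 3 OCSP requests, 1 to
# www.bing.com and 14 to jx2-bavuong.com); blank lines are non-HTTP packets.
sample_http_uris() {
    i=0
    while [ "$i" -lt 8 ]; do
        printf '%s\n' 'http://239.255.255.250:1900*' ''
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 3 ]; do
        printf '%s\n' 'http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D'
        i=$((i + 1))
    done
    printf '%s\n' 'http://www.bing.com/favicon.ico' \
        'http://jx2-bavuong.com/' 'http://jx2-bavuong.com/favicon.ico' \
        'http://jx2-bavuong.com/icons/blank.gif' 'http://jx2-bavuong.com/icons/binary.gif' \
        'http://jx2-bavuong.com/icons/text.gif' 'http://jx2-bavuong.com/vlauto.exe' \
        'http://jx2-bavuong.com/vlauto.exe' 'http://jx2-bavuong.com/newbot/blog' \
        'http://jx2-bavuong.com/newbot/botlogger.php' 'http://jx2-bavuong.com/newbot/proxy' \
        'http://jx2-bavuong.com/newbot/target' 'http://jx2-bavuong.com/newbot/target.ip' \
        'http://jx2-bavuong.com/newbot/target.method' 'http://jx2-bavuong.com/newbot/target.port'
}

# Reduce each URI to its host: drop empty lines, strip the scheme, cut at the
# first '/', then drop a trailing :port (the SSDP lines end in ":1900*").
uri_host() {
    awk 'NF' | sed -E -e 's#^[A-Za-z]+://##' -e 's#/.*$##' -e 's#:[0-9]+\*?$##'
}

# "<count> <host>" per host, busiest first.
requests_per_host() {
    uri_host | sort | uniq -c | sort -rn
}

# Request count for one host; prints 0 if the host never appears.
requests_to_host() {
    requests_per_host | awk -v h="$1" '$2 == h { print $1; found = 1 } END { if (!found) print 0 }'
}

# Stand-alone run.  With the capture at hand the same number comes from
#   tshark -r directory-curiosity.pcap -Y 'http.request && http.host == "jx2-bavuong.com"' | wc -l
sample_http_uris | requests_per_host
```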
Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. What is the IP address associated with the malicious domain? Enter your answer in a defanged format.
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
 directory-curiosity.pcap

root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
 search: dns
  https://www.wireshark.org/docs/dfref/d/dns.html
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref/d/dns.html > CTRL+F
 search: qry
  dns.qry.type	Type	Unsigned integer (16 bits)	1.0.0 to 4.4.5

root@thm:~$ tshark -r directory-curiosity.pcap -Y 'dns.qry.type == 1' --color
  11   1.764583 192.168.100.116 → 192.168.100.2 DNS 75 Standard query 0x82a6 A jx2-bavuong.com
  12   2.098611 192.168.100.2 → 192.168.100.116 DNS 91 Standard query response 0x82a6 A jx2-bavuong.com A 141.164.41.174
  14   2.251297 fe80::b9a3:aa8f:3e8e:fe86 → ff02::1:3    LLMNR 86 Standard query 0x4c80 A isatap
  15   2.251566 192.168.100.116 → 224.0.0.252  LLMNR 66 Standard query 0x4c80 A isatap
  16   2.359169 fe80::b9a3:aa8f:3e8e:fe86 → ff02::1:3    LLMNR 86 Standard query 0x4c80 A isatap
  17   2.359248 192.168.100.116 → 224.0.0.252  LLMNR 66 Standard query 0x4c80 A isatap
  35   4.813007 fe80::b9a3:aa8f:3e8e:fe86 → ff02::1:3    LLMNR 86 Standard query 0x0813 A isatap
  36   4.813254 192.168.100.116 → 224.0.0.252  LLMNR 66 Standard query 0x0813 A isatap
  37   4.921634 fe80::b9a3:aa8f:3e8e:fe86 → ff02::1:3    LLMNR 86 Standard query 0x0813 A isatap
  38   4.921723 192.168.100.116 → 224.0.0.252  LLMNR 66 Standard query 0x0813 A isatap
  57   6.000463 192.168.100.116 → 192.168.100.2 DNS 72 Standard query 0x7e1f A api.bing.com
  58   6.001397 192.168.100.116 → 192.168.100.2 DNS 72 Standard query 0xd62e A www.bing.com
  59   6.001505 192.168.100.116 → 192.168.100.2 DNS 72 Standard query 0x1877 A www.bing.com
  60   6.005877 192.168.100.2 → 192.168.100.116 DNS 148 Standard query response 0x7e1f A api.bing.com CNAME api-bing-com.e-0001.e-msedge.net CNAME e-0001.e-msedge.net A 13.107.5.80
  61   6.006865 192.168.100.2 → 192.168.100.116 DNS 220 Standard query response 0xd62e A www.bing.com CNAME a-0001.a-afdentry.net.trafficmanager.net CNAME www-bing-com.dual-a-0001.a-msedge.net CNAME dual-a-0001.a-msedge.net A 204.79.197.200 A 13.107.21.200
  62   6.007180 192.168.100.2 → 192.168.100.116 DNS 220 Standard query response 0x1877 A www.bing.com CNAME a-0001.a-afdentry.net.trafficmanager.net CNAME www-bing-com.dual-a-0001.a-msedge.net CNAME dual-a-0001.a-msedge.net A 204.79.197.200 A 13.107.21.200
 256  38.713894 192.168.100.116 → 192.168.100.2 DNS 82 Standard query 0x81dd A iecvlist.microsoft.com
 257  38.716022 192.168.100.116 → 192.168.100.2 DNS 84 Standard query 0xb539 A r20swj13mr.microsoft.com
 258  38.719989 192.168.100.2 → 192.168.100.116 DNS 164 Standard query response 0x81dd A iecvlist.microsoft.com CNAME ie9comview.vo.msecnd.net CNAME cs9.wpc.v0cdn.net A 152.199.19.161
 259  38.722033 192.168.100.2 → 192.168.100.116 DNS 166 Standard query response 0xb539 A r20swj13mr.microsoft.com CNAME ie9comview.vo.msecnd.net CNAME cs9.wpc.v0cdn.net A 152.199.19.161
 323  40.299409 192.168.100.116 → 192.168.100.2 DNS 77 Standard query 0x02e5 A ocsp.digicert.com
 324  40.299849 192.168.100.2 → 192.168.100.116 DNS 125 Standard query response 0x02e5 A ocsp.digicert.com CNAME cs9.wac.phicdn.net A 93.184.220.29

 * the LLMNR queries show up as well because Wireshark's LLMNR dissector reuses the dns.* fields; adding "&& dns.flags.response == 1" narrows the output to the resolver's answers, which is where the A record 141.164.41.174 for jx2-bavuong.com is.

root@thm:~$ BROWSER > cyberchef.io
 input: 141.164.41.174
 recipe: Defang IP Addresses
 output: 141[.]164[.]41[.]174
Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. What is the server info of the suspicious domain?
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
 directory-curiosity.pcap

root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
 search: http
  https://www.wireshark.org/docs/dfref/h/http.html
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref/h/http.html > CTRL+F
 search: server
  http.server	Server	Character string	1.0.0 to 4.4.5

root@thm:~$ tshark -r directory-curiosity.pcap -T fields -e 'http.server' --color | awk NF | uniq -c
  3 Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
  1 Kestrel
 10 Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
  1 ECS (pab/6F8D)
  3 ECS (pab/6FA8)
  1 ECS (pab/6F8D)
  1 Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9

 * "uniq -c" only merges adjacent identical lines, so without a "sort" in front of it the same Server value is counted in several runs (3 + 10 + 1 = 14 responses carrying the Apache banner, one per request to jx2-bavuong.com). Using "| sort | uniq -c" as in the earlier pipelines gives one line per server string.
Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. Follow the "first TCP stream" in "ASCII". Investigate the output carefully. What is the number of listed files?
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
 directory-curiosity.pcap

root@thm:~$ tshark -r directory-curiosity.pcap -z follow,tcp,ascii,0 -q
 ===================================================================
 Follow: tcp,ascii
 Filter: tcp.stream eq 0
 Node 0: 192.168.100.116:49170
 Node 1: 141.164.41.174:80
 251
 GET / HTTP/1.1
 Accept: text/html, application/xhtml+xml, */*
 Accept-Language: en-US
 User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
 Accept-Encoding: gzip, deflate
 Host: jx2-bavuong.com
 DNT: 1
 Connection: Keep-Alive

	1078
 HTTP/1.1 200 OK
 Date: Sun, 13 Dec 2020 00:51:46 GMT
 Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
 Content-Length: 829
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html;charset=UTF-8

 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
 <html>
  <head>
   <title>Index of /</title>
  </head>
  <body>
 <h1>Index of /</h1>
 <pre><img src="/icons/blank.gif" alt="Icon "> <a href="?C=N;O=D">Name</a>                    <a href="?C=M;O=A">Last modified</a>      <a href="?C=S;O=A">Size</a>  <a href="?C=D;O=A">Description</a><hr><img src="/icons/text.gif" alt="[TXT]"> <a href="123.php">123.php</a>                 12-Jul-2020 08:43    1   
 <img src="/icons/binary.gif" alt="[   ]"> <a href="vlauto.exe">vlauto.exe</a>              06-May-2020 23:32   40K  
 <img src="/icons/text.gif" alt="[TXT]"> <a href="vlauto.php">vlauto.php</a>              10-Jul-2020 23:25   93   
 <hr></pre>
 <address>Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9 Server at jx2-bavuong.com Port 80</address>
 </body></html>

 313
 GET /icons/blank.gif HTTP/1.1
 Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
 Referer: http://jx2-bavuong.com/
 Accept-Language: en-US
 User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
 Accept-Encoding: gzip, deflate
 Host: jx2-bavuong.com
 DNT: 1
 Connection: Keep-Alive
 
	490
 HTTP/1.1 200 OK
 Date: Sun, 13 Dec 2020 00:51:46 GMT
 Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
 Last-Modified: Sat, 20 Nov 2004 13:16:24 GMT
 ETag: "20000000053c6-94-3e9506e1a3a00"
 Accept-Ranges: bytes
 Content-Length: 148
 Keep-Alive: timeout=5, max=99
 Connection: Keep-Alive
 Content-Type: image/gif
 
 GIF89a...................!.NThis art is in the public domain. Kevin Hughes, [email protected], September 1995.!.......,............................I..;
 ===================================================================

 * vlauto.exe
   vlauto.php
   123.php
Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. What is the filename of the first file? Enter your answer in a defanged format.
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
 directory-curiosity.pcap

root@thm:~$ tshark -r directory-curiosity.pcap -z follow,tcp,ascii,0 -q
 (output identical to the "Follow: tcp,ascii" listing in the previous question; the directory index lists 123.php, vlauto.exe and vlauto.php, in that order)
   
root@thm:~$ BROWSER > cyberchef.io
 input: 123.php
 recipe: Defang URL
 output: 123[.]php
Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. Export all HTTP traffic objects. What is the name of the downloaded executable file? Enter your answer in a defanged format.
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
 directory-curiosity.pcap

root@thm:~$ tshark -r directory-curiosity.pcap --export-objects http,/home/ubuntu/Desktop/exercise-files/extracts -q
   
root@thm:~$ ls extracts/
 %2f                                                                                                                          blank.gif         target.ip
 MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D       blog              target.method
 'MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D(1)'   botlogger.php     target.port
 'MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D(2)'  'favicon(1).ico'   text.gif
 'MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D(3)'   favicon.ico      'vlauto(1).exe'
 'MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D(4)'   proxy             vlauto.exe
 binary.gif                                                                                                                   target
   
root@thm:~$ BROWSER > cyberchef.io
 input: vlauto.exe
 recipe: Defang URL
 output: vlauto[.]exe
Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. What is the SHA256 value of the malicious file?
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
 directory-curiosity.pcap

root@thm:~$ tshark -r directory-curiosity.pcap --export-objects http,/home/ubuntu/Desktop/exercise-files/extracts -q
   
root@thm:~$ ls extracts/
 (same files as listed in the previous question)

root@thm:~$ sha256sum extracts/*
 a3d272931d754ba1acaf15e3d4322d2f198b8213c5a5640047fe6c0e1f514260  extracts/%2f
 8b32164e32ed4f00da485539fceb6050f765c4f547874d94d5b5d0b17d32ffe3  extracts/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
 8b32164e32ed4f00da485539fceb6050f765c4f547874d94d5b5d0b17d32ffe3  extracts/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D(1)
 8b32164e32ed4f00da485539fceb6050f765c4f547874d94d5b5d0b17d32ffe3  extracts/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D(2)
 8b32164e32ed4f00da485539fceb6050f765c4f547874d94d5b5d0b17d32ffe3  extracts/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D(3)
 8b32164e32ed4f00da485539fceb6050f765c4f547874d94d5b5d0b17d32ffe3  extracts/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D(4)
 8a31e7855292e0a8c66c67ff92ea660743006d47de9f012193cbd123a17ba79d  extracts/binary.gif
 3cb0e54babf019703fe671a32fcc3947aab9079ec2871cf0f9639245cc12d878  extracts/blank.gif
 b444841dad22bddd5952228dfd5a303818066dd27f72dccc692ac420716a8aa2  extracts/blog
 3458fe5099fbfcd6ba7d21f6d075e96d937c0d7bd9b8e8b53c2c5a4eb645038f  extracts/botlogger.php
 7c1d6d6425232058351d9abb59fb67a5d22b61de9c47474009c3bcbdb53a892a  extracts/favicon(1).ico
 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914  extracts/favicon.ico
 b444841dad22bddd5952228dfd5a303818066dd27f72dccc692ac420716a8aa2  extracts/proxy
 b444841dad22bddd5952228dfd5a303818066dd27f72dccc692ac420716a8aa2  extracts/target
 4b9b6bc877d6579df1b223892d69cf65b916aff2f2c48e46e4cf4fca058026d1  extracts/target.ip
 4b9b6bc877d6579df1b223892d69cf65b916aff2f2c48e46e4cf4fca058026d1  extracts/target.method
 4b9b6bc877d6579df1b223892d69cf65b916aff2f2c48e46e4cf4fca058026d1  extracts/target.port
 661d43fb30151a050da3b5cef49a2c7d0b01eeafdf1f4a001873406658b0f776  extracts/text.gif
 b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de  extracts/vlauto(1).exe
 b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de  extracts/vlauto.exe
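The export writes one file per HTTP response, so the same object turns up several times (five copies of the OCSP response, three identical bot check-in bodies, two copies of vlauto.exe) and the listing is longer than the set of distinct artefacts. The script below is an added example and not part of the original walkthrough: it collapses a sha256sum listing to one line per distinct hash with the copy count and file names, looks up the hash recorded for a given object name, and hashes a file on disk with a fallback for systems that ship shasum rather than coreutils sha256sum. The embedded listing is a subset of the output above (the five OCSP lines are left out for brevity).

```shell
#!/bin/sh
# Added example (not from the original walkthrough): reduce the sha256sum
# output of an HTTP object export to distinct artefacts, since --export-objects
# writes one file per response and the same object is often fetched repeatedly.

# Subset of the sha256sum listing above (the five identical OCSP responses are
# left out for brevity); values copied from the page.
sample_sha256_listing() {
    cat <<'EOF'
a3d272931d754ba1acaf15e3d4322d2f198b8213c5a5640047fe6c0e1f514260  extracts/%2f
8a31e7855292e0a8c66c67ff92ea660743006d47de9f012193cbd123a17ba79d  extracts/binary.gif
3cb0e54babf019703fe671a32fcc3947aab9079ec2871cf0f9639245cc12d878  extracts/blank.gif
b444841dad22bddd5952228dfd5a303818066dd27f72dccc692ac420716a8aa2  extracts/blog
3458fe5099fbfcd6ba7d21f6d075e96d937c0d7bd9b8e8b53c2c5a4eb645038f  extracts/botlogger.php
7c1d6d6425232058351d9abb59fb67a5d22b61de9c47474009c3bcbdb53a892a  extracts/favicon(1).ico
6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914  extracts/favicon.ico
b444841dad22bddd5952228dfd5a303818066dd27f72dccc692ac420716a8aa2  extracts/proxy
b444841dad22bddd5952228dfd5a303818066dd27f72dccc692ac420716a8aa2  extracts/target
4b9b6bc877d6579df1b223892d69cf65b916aff2f2c48e46e4cf4fca058026d1  extracts/target.ip
4b9b6bc877d6579df1b223892d69cf65b916aff2f2c48e46e4cf4fca058026d1  extracts/target.method
4b9b6bc877d6579df1b223892d69cf65b916aff2f2c48e46e4cf4fca058026d1  extracts/target.port
661d43fb30151a050da3b5cef49a2c7d0b01eeafdf1f4a001873406658b0f776  extracts/text.gif
b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de  extracts/vlauto(1).exe
b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de  extracts/vlauto.exe
EOF
}

# One line per distinct hash, in order of first appearance:
#   "<sha256> <copies> <name> [<name> ...]"
unique_artifacts() {
    awk '{ names[$1] = (n[$1] ? names[$1] " " : "") $2; if (!n[$1]++) order[++k] = $1 }
         END { for (i = 1; i <= k; i++) print order[i], n[order[i]], names[order[i]] }'
}

# Hash recorded in the listing for one exported object name.
hash_of() {
    awk -v f="extracts/$1" '$2 == f { print $1 }'
}

# Hash a file on disk; falls back to shasum where coreutils sha256sum is absent.
sha256_of_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Stand-alone run: the distinct objects, most-duplicated first.
sample_sha256_listing | unique_artifacts | sort -k2,2nr
```

With the real export, `sha256sum extracts/* | unique_artifacts` gives the short list to submit to VirusTotal, and `sha256_of_file extracts/vlauto.exe` is the value searched for in the next steps.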
Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. Search the SHA256 value of the file on VirusTotal. What is the "PEiD packer" value?
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
 directory-curiosity.pcap

root@thm:~$ tshark -r directory-curiosity.pcap --export-objects http,/home/ubuntu/Desktop/exercise-files/extracts -q
   
root@thm:~$ ls extracts/
 (same files as listed in the previous question)

root@thm:~$ sha256sum extracts/*
 (same hashes as in the previous question; the line of interest is)
 b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de  extracts/vlauto.exe

root@thm:~$ BROWSER > https://www.virustotal.com/gui/home/search
 search: b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de
 
VirusTotal > Details > Basic properties
  PEiD packer .NET executable
Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. Search the SHA256 value of the file on VirusTotal. What does the "Lastline Sandbox" flag this as?
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
 directory-curiosity.pcap

root@thm:~$ tshark -r directory-curiosity.pcap --export-objects http,/home/ubuntu/Desktop/exercise-files/extracts -q
   
root@thm:~$ ls extracts/
 (same files as listed in the previous question)

root@thm:~$ sha256sum extracts/*
 (same hashes as in the previous question; the line of interest is)
 b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de  extracts/vlauto.exe

root@thm:~$ BROWSER > https://www.virustotal.com/gui/home/search
 search: b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de
 
VirusTotal > Behavior > Dynamic Analysis Sandbox Detections
  The sandbox Lastline flags this file as: MALWARE TROJAN