TSHARK CHALLENGE II: DIRECTORY
SCENARIO: An alert has been triggered: "A user came across a poor file index, and their curiosity led to problems". The case was assigned to you. Inspect the provided directory-curiosity.pcap located in ~/Desktop/exercise-files
and retrieve the artefacts to confirm that this alert is a true positive. The available tools are: TShark, VirusTotal.
Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. What is the name of the malicious/suspicious domain? Enter your answer in a defanged format.
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
directory-curiosity.pcap
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
search: dns
https://www.wireshark.org/docs/dfref/d/dns.html
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref/d/dns.html > CTRL+F
search: qry
dns.qry.name Name Character string 1.0.0 to 4.4.5
root@thm:~$ tshark -r directory-curiosity.pcap -T fields -e dns.qry.name | awk NF | sort -r | uniq -c | sort -r
8 isatap
4 www.bing.com
2 r20swj13mr.microsoft.com
2 ocsp.digicert.com
2 jx2-bavuong.com
2 iecvlist.microsoft.com
2 api.bing.com
* the "awk NF" in the pipeline will remove empty lines.
root@thm:~$ BROWSER > https://www.virustotal.com/gui/home/url
search: jx2-bavuong.com
4/97 security vendors flagged this URL as malicious
root@thm:~$ BROWSER > cyberchef.io
input: jx2-bavuong.com
recipe: Defang URL
output: jx2-bavuong[.]com
Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. What is the total number of HTTP requests sent to the malicious domain?
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
directory-curiosity.pcap
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
search: http
https://www.wireshark.org/docs/dfref/h/http.html
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref/h/http.html > CTRL+F
search: request
http.request.full_uri Full request URI Character string 1.6.0 to 4.4.5
root@thm:~$ tshark -r directory-curiosity.pcap -T fields -e http.request.full_uri | awk NF | sort -r | uniq -c | sort -r
8 http://239.255.255.250:1900*
3 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
2 http://jx2-bavuong.com/vlauto.exe
1 http://www.bing.com/favicon.ico
1 http://jx2-bavuong.com/newbot/target.port
1 http://jx2-bavuong.com/newbot/target.method
1 http://jx2-bavuong.com/newbot/target.ip
1 http://jx2-bavuong.com/newbot/target
1 http://jx2-bavuong.com/newbot/proxy
1 http://jx2-bavuong.com/newbot/botlogger.php
1 http://jx2-bavuong.com/newbot/blog
1 http://jx2-bavuong.com/icons/text.gif
1 http://jx2-bavuong.com/icons/blank.gif
1 http://jx2-bavuong.com/icons/binary.gif
1 http://jx2-bavuong.com/favicon.ico
1 http://jx2-bavuong.com/
* 239.255.255.250:1900 is the SSDP multicast group (UPnP discovery M-SEARCH), not web browsing, and ocsp.digicert.com is certificate revocation checking; the requests to jx2-bavuong.com total 2 + 13 = 15.
Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. What is the IP address associated with the malicious domain? Enter your answer in a defanged format.
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
directory-curiosity.pcap
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
search: dns
https://www.wireshark.org/docs/dfref/d/dns.html
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref/d/dns.html > CTRL+F
search: qry
dns.qry.type Type Unsigned integer (16 bits) 1.0.0 to 4.4.5
root@thm:~$ tshark -r directory-curiosity.pcap -Y 'dns.qry.type == 1' --color
11 1.764583 192.168.100.116 → 192.168.100.2 DNS 75 Standard query 0x82a6 A jx2-bavuong.com
12 2.098611 192.168.100.2 → 192.168.100.116 DNS 91 Standard query response 0x82a6 A jx2-bavuong.com A 141.164.41.174
14 2.251297 fe80::b9a3:aa8f:3e8e:fe86 → ff02::1:3 LLMNR 86 Standard query 0x4c80 A isatap
15 2.251566 192.168.100.116 → 224.0.0.252 LLMNR 66 Standard query 0x4c80 A isatap
16 2.359169 fe80::b9a3:aa8f:3e8e:fe86 → ff02::1:3 LLMNR 86 Standard query 0x4c80 A isatap
17 2.359248 192.168.100.116 → 224.0.0.252 LLMNR 66 Standard query 0x4c80 A isatap
35 4.813007 fe80::b9a3:aa8f:3e8e:fe86 → ff02::1:3 LLMNR 86 Standard query 0x0813 A isatap
36 4.813254 192.168.100.116 → 224.0.0.252 LLMNR 66 Standard query 0x0813 A isatap
37 4.921634 fe80::b9a3:aa8f:3e8e:fe86 → ff02::1:3 LLMNR 86 Standard query 0x0813 A isatap
38 4.921723 192.168.100.116 → 224.0.0.252 LLMNR 66 Standard query 0x0813 A isatap
57 6.000463 192.168.100.116 → 192.168.100.2 DNS 72 Standard query 0x7e1f A api.bing.com
58 6.001397 192.168.100.116 → 192.168.100.2 DNS 72 Standard query 0xd62e A www.bing.com
59 6.001505 192.168.100.116 → 192.168.100.2 DNS 72 Standard query 0x1877 A www.bing.com
60 6.005877 192.168.100.2 → 192.168.100.116 DNS 148 Standard query response 0x7e1f A api.bing.com CNAME api-bing-com.e-0001.e-msedge.net CNAME e-0001.e-msedge.net A 13.107.5.80
61 6.006865 192.168.100.2 → 192.168.100.116 DNS 220 Standard query response 0xd62e A www.bing.com CNAME a-0001.a-afdentry.net.trafficmanager.net CNAME www-bing-com.dual-a-0001.a-msedge.net CNAME dual-a-0001.a-msedge.net A 204.79.197.200 A 13.107.21.200
62 6.007180 192.168.100.2 → 192.168.100.116 DNS 220 Standard query response 0x1877 A www.bing.com CNAME a-0001.a-afdentry.net.trafficmanager.net CNAME www-bing-com.dual-a-0001.a-msedge.net CNAME dual-a-0001.a-msedge.net A 204.79.197.200 A 13.107.21.200
256 38.713894 192.168.100.116 → 192.168.100.2 DNS 82 Standard query 0x81dd A iecvlist.microsoft.com
257 38.716022 192.168.100.116 → 192.168.100.2 DNS 84 Standard query 0xb539 A r20swj13mr.microsoft.com
258 38.719989 192.168.100.2 → 192.168.100.116 DNS 164 Standard query response 0x81dd A iecvlist.microsoft.com CNAME ie9comview.vo.msecnd.net CNAME cs9.wpc.v0cdn.net A 152.199.19.161
259 38.722033 192.168.100.2 → 192.168.100.116 DNS 166 Standard query response 0xb539 A r20swj13mr.microsoft.com CNAME ie9comview.vo.msecnd.net CNAME cs9.wpc.v0cdn.net A 152.199.19.161
323 40.299409 192.168.100.116 → 192.168.100.2 DNS 77 Standard query 0x02e5 A ocsp.digicert.com
324 40.299849 192.168.100.2 → 192.168.100.116 DNS 125 Standard query response 0x02e5 A ocsp.digicert.com CNAME cs9.wac.phicdn.net A 93.184.220.29
* the LLMNR rows match because Wireshark's LLMNR dissector reuses the dns.* fields; the answer is in frame 12, the response that resolves jx2-bavuong.com to 141.164.41.174.
root@thm:~$ BROWSER > cyberchef.io
input: 141.164.41.174
recipe: Defang IP Addresses
output: 141[.]164[.]41[.]174
Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. What is the server info of the suspicious domain?
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
directory-curiosity.pcap
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
search: http
https://www.wireshark.org/docs/dfref/h/http.html
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref/h/http.html > CTRL+F
search: server
http.server Server Character string 1.0.0 to 4.4.5
root@thm:~$ tshark -r directory-curiosity.pcap -T fields -e http.server | awk NF | sort | uniq -c | sort -rn
     14 Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
      3 ECS (pab/6FA8)
      2 ECS (pab/6F8D)
      1 Kestrel
* uniq -c only merges adjacent identical lines, so the input has to be sorted first; without the sort the Apache banner comes out split as 3 + 10 + 1. That banner is the one jx2-bavuong.com returns (see the Server header in the first TCP stream below).
Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. Follow the "first TCP stream" in "ASCII". Investigate the output carefully. What is the number of listed files?
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
directory-curiosity.pcap
root@thm:~$ tshark -r directory-curiosity.pcap -z follow,tcp,ascii,0 -q
===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 0
Node 0: 192.168.100.116:49170
Node 1: 141.164.41.174:80
251
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: jx2-bavuong.com
DNT: 1
Connection: Keep-Alive
1078
HTTP/1.1 200 OK
Date: Sun, 13 Dec 2020 00:51:46 GMT
Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
Content-Length: 829
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>
<pre><img src="/icons/blank.gif" alt="Icon "> <a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a> <a href="?C=D;O=A">Description</a><hr><img src="/icons/text.gif" alt="[TXT]"> <a href="123.php">123.php</a> 12-Jul-2020 08:43 1
<img src="/icons/binary.gif" alt="[ ]"> <a href="vlauto.exe">vlauto.exe</a> 06-May-2020 23:32 40K
<img src="/icons/text.gif" alt="[TXT]"> <a href="vlauto.php">vlauto.php</a> 10-Jul-2020 23:25 93
<hr></pre>
<address>Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9 Server at jx2-bavuong.com Port 80</address>
</body></html>
313
GET /icons/blank.gif HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://jx2-bavuong.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: jx2-bavuong.com
DNT: 1
Connection: Keep-Alive
490
HTTP/1.1 200 OK
Date: Sun, 13 Dec 2020 00:51:46 GMT
Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
Last-Modified: Sat, 20 Nov 2004 13:16:24 GMT
ETag: "20000000053c6-94-3e9506e1a3a00"
Accept-Ranges: bytes
Content-Length: 148
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/gif
GIF89a...................!.NThis art is in the public domain. Kevin Hughes, kevinh@eit.com, September 1995.!.......,............................I..;
===================================================================
* 3 files are listed, in index order: 123.php, vlauto.exe, vlauto.php
Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. What is the filename of the first file? Enter your answer in a defanged format.
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
directory-curiosity.pcap
root@thm:~$ tshark -r directory-curiosity.pcap -z follow,tcp,ascii,0 -q
(output identical to the previous question: the index lists 123.php, vlauto.exe and vlauto.php, in that order)
root@thm:~$ BROWSER > cyberchef.io
input: 123.php
recipe: Defang URL
output: 123[.]php
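Counting the listed files and picking the first one, as the two questions above ask, can be done by parsing the Apache autoindex page instead of reading the follow output by eye. The following is an added example in Python, not part of the room or this walkthrough. INDEX_HTML is the response body copied from TCP stream 0 above; the parser handles generic Apache mod_autoindex output, and the Entry layout and the executables() heuristic are my own choices.

```python
# Added example (not from the TryHackMe room): parse the Apache "Index of /"
# page returned by jx2-bavuong.com in TCP stream 0 and list the exposed files.
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import unquote

# Copied from the follow output of tcp.stream 0 above.
INDEX_HTML = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>
<pre><img src="/icons/blank.gif" alt="Icon "> <a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a> <a href="?C=D;O=A">Description</a><hr><img src="/icons/text.gif" alt="[TXT]"> <a href="123.php">123.php</a> 12-Jul-2020 08:43 1
<img src="/icons/binary.gif" alt="[ ]"> <a href="vlauto.exe">vlauto.exe</a> 06-May-2020 23:32 40K
<img src="/icons/text.gif" alt="[TXT]"> <a href="vlauto.php">vlauto.php</a> 10-Jul-2020 23:25 93
<hr></pre>
<address>Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9 Server at jx2-bavuong.com Port 80</address>
</body></html>
"""


@dataclass
class Entry:
    name: str       # filename from the href, percent-decoded
    modified: str   # e.g. "06-May-2020 23:32"
    size: str       # e.g. "40K"; "-" for directories
    icon: str       # icon alt text: [TXT], [ ] (binary), [DIR], ...


META = re.compile(r"(\d{2}-\w{3}-\d{4} \d{2}:\d{2})\s+(\S+)")


class AutoIndexParser(HTMLParser):
    """Inside <pre>, every entry is an <img>, then one <a> whose href is the
    filename, then plain text holding the modification date and size."""

    def __init__(self):
        super().__init__()
        self.entries = []
        self._in_pre = False
        self._in_a = False
        self._cur = None            # entry under construction

    def _flush(self):
        cur, self._cur = self._cur, None
        if not cur or cur["href"] is None:
            return
        href = cur["href"]
        # Skip the column-sort links (?C=N;O=D ...) and the parent-directory link.
        if href.startswith("?") or cur["name"].strip() == "Parent Directory":
            return
        m = META.search(cur["tail"])
        self.entries.append(Entry(unquote(href), m.group(1) if m else "",
                                  m.group(2) if m else "", cur["icon"]))

    def handle_starttag(self, tag, attrs):
        if tag == "pre":
            self._in_pre = True
            return
        if not self._in_pre:
            return
        a = dict(attrs)
        if tag == "img":
            self._flush()
            self._cur = {"icon": (a.get("alt") or "").strip(), "href": None, "name": "", "tail": ""}
        elif tag == "a" and self._cur is not None and self._cur["href"] is None:
            self._cur["href"] = a.get("href") or ""
            self._in_a = True
        elif tag == "hr":
            self._flush()

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_a = False
        elif tag == "pre":
            self._flush()
            self._in_pre = False

    def handle_data(self, data):
        if self._cur is None:
            return
        if self._in_a:
            self._cur["name"] += data
        elif self._cur["href"] is not None:
            self._cur["tail"] += data       # text after </a>: date and size


def parse_autoindex(html):
    p = AutoIndexParser()
    p.feed(html)
    p.close()
    return p.entries


def executables(entries):
    """Names Apache marks as binary ([ ] icon) or with a Windows executable extension."""
    return [e.name for e in entries
            if e.icon == "[ ]" or e.name.lower().endswith((".exe", ".dll", ".scr"))]


if __name__ == "__main__":
    listing = parse_autoindex(INDEX_HTML)
    print(len(listing), "files:", [e.name for e in listing])
    print("binaries:", executables(listing))
```

The same parser works on a directory page saved with `--export-objects http` (the `%2f` object above is this index), so the file inventory of an exposed directory can be pulled out of a capture without opening the HTML in a browser.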
Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. Export all HTTP traffic objects. What is the name of the downloaded executable file? Enter your answer in a defanged format.
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
directory-curiosity.pcap
root@thm:~$ tshark -r directory-curiosity.pcap --export-objects http,/home/ubuntu/Desktop/exercise-files/extracts -q
root@thm:~$ ls extracts/
%2f blank.gif target.ip
MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D blog target.method
'MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D(1)' botlogger.php target.port
'MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D(2)' 'favicon(1).ico' text.gif
'MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D(3)' favicon.ico 'vlauto(1).exe'
'MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D(4)' proxy vlauto.exe
binary.gif target
root@thm:~$ BROWSER > cyberchef.io
input: vlauto.exe
recipe: Defang URL
output: vlauto[.]exe
Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. What is the SHA256 value of the malicious file?
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
directory-curiosity.pcap
root@thm:~$ tshark -r directory-curiosity.pcap --export-objects http,/home/ubuntu/Desktop/exercise-files/extracts -q
root@thm:~$ ls extracts/
(same listing as in the previous question)
root@thm:~$ sha256sum extracts/*
a3d272931d754ba1acaf15e3d4322d2f198b8213c5a5640047fe6c0e1f514260 extracts/%2f
8b32164e32ed4f00da485539fceb6050f765c4f547874d94d5b5d0b17d32ffe3 extracts/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
8b32164e32ed4f00da485539fceb6050f765c4f547874d94d5b5d0b17d32ffe3 extracts/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D(1)
8b32164e32ed4f00da485539fceb6050f765c4f547874d94d5b5d0b17d32ffe3 extracts/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D(2)
8b32164e32ed4f00da485539fceb6050f765c4f547874d94d5b5d0b17d32ffe3 extracts/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D(3)
8b32164e32ed4f00da485539fceb6050f765c4f547874d94d5b5d0b17d32ffe3 extracts/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D(4)
8a31e7855292e0a8c66c67ff92ea660743006d47de9f012193cbd123a17ba79d extracts/binary.gif
3cb0e54babf019703fe671a32fcc3947aab9079ec2871cf0f9639245cc12d878 extracts/blank.gif
b444841dad22bddd5952228dfd5a303818066dd27f72dccc692ac420716a8aa2 extracts/blog
3458fe5099fbfcd6ba7d21f6d075e96d937c0d7bd9b8e8b53c2c5a4eb645038f extracts/botlogger.php
7c1d6d6425232058351d9abb59fb67a5d22b61de9c47474009c3bcbdb53a892a extracts/favicon(1).ico
6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914 extracts/favicon.ico
b444841dad22bddd5952228dfd5a303818066dd27f72dccc692ac420716a8aa2 extracts/proxy
b444841dad22bddd5952228dfd5a303818066dd27f72dccc692ac420716a8aa2 extracts/target
4b9b6bc877d6579df1b223892d69cf65b916aff2f2c48e46e4cf4fca058026d1 extracts/target.ip
4b9b6bc877d6579df1b223892d69cf65b916aff2f2c48e46e4cf4fca058026d1 extracts/target.method
4b9b6bc877d6579df1b223892d69cf65b916aff2f2c48e46e4cf4fca058026d1 extracts/target.port
661d43fb30151a050da3b5cef49a2c7d0b01eeafdf1f4a001873406658b0f776 extracts/text.gif
b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de extracts/vlauto(1).exe
b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de extracts/vlauto.exe
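The hash listing above shows two things worth automating: tshark writes "(1)", "(2)" copies when the same URI is fetched more than once, and several differently named objects share a hash. The following is an added example in Python, not part of the room or this walkthrough, that inventories an export directory by content and recognises executables by the PE "MZ" magic rather than by extension. build_sample_exports() writes constructed stand-ins with the names tshark produced above; their contents are fake and their hashes are not the ones listed.

```python
# Added example (not from the TryHackMe room): inventory a directory written by
# `tshark --export-objects http,<dir>`, collapse duplicate downloads by
# sha256, and flag PE executables by magic bytes. Sample files are constructed.
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# "vlauto(1).exe" -> "vlauto.exe", "MFEw...(4)" -> "MFEw..."
DUP_SUFFIX = re.compile(r"\(\d+\)(?=(\.[^.]*)?$)")


def canonical_name(filename):
    """Strip the numeric suffix tshark adds when an object name is reused."""
    return DUP_SUFFIX.sub("", filename)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(path):
    """PE/COFF images start with the DOS stub magic 'MZ', whatever the extension."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def inventory(export_dir):
    """One record per distinct content: sha256, the on-disk names that share
    it, the de-suffixed canonical names, size, and whether it is a PE file."""
    groups = defaultdict(list)
    for name in sorted(os.listdir(export_dir)):
        path = os.path.join(export_dir, name)
        if os.path.isfile(path):
            groups[sha256_file(path)].append(path)
    records = []
    for digest, paths in groups.items():
        names = [os.path.basename(p) for p in paths]
        records.append({
            "sha256": digest,
            "names": names,
            "canonical": sorted({canonical_name(n) for n in names}),
            "size": os.path.getsize(paths[0]),
            "pe": is_pe(paths[0]),
        })
    return sorted(records, key=lambda r: r["canonical"])


def pe_files(records):
    return [r for r in records if r["pe"]]


def build_sample_exports():
    """Constructed stand-ins mimicking the names tshark produced above."""
    d = tempfile.mkdtemp(prefix="extracts-")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 64   # not a real binary
    files = {
        "vlauto.exe": fake_pe,
        "vlauto(1).exe": fake_pe,                  # same URI fetched twice
        "blank.gif": b"GIF89a" + b"\x00" * 16,
        "botlogger.php": b"<html><body>ok</body></html>",
        "target.ip": b"",
        "target.port": b"",                        # identical (empty) bodies
        "%2f": b"<html><title>Index of /</title></html>",
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    for rec in inventory(build_sample_exports()):
        flag = "PE " if rec["pe"] else "   "
        print(flag, rec["sha256"][:16], rec["size"], rec["canonical"])
```

Point inventory() at the real extracts/ directory and the duplicate vlauto(1).exe collapses into the vlauto.exe record, giving one hash to search on VirusTotal; the PE check also catches a dropper served under a misleading name such as .gif or .php.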
Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. Search the SHA256 value of the file on VirusTotal. What is the "PEiD packer" value?
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
directory-curiosity.pcap
root@thm:~$ tshark -r directory-curiosity.pcap --export-objects http,/home/ubuntu/Desktop/exercise-files/extracts -q
root@thm:~$ ls extracts/
(same listing as in the previous questions)
root@thm:~$ sha256sum extracts/*
(same hashes as in the previous question; vlauto.exe is b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de)
root@thm:~$ BROWSER > https://www.virustotal.com/gui/home/search
search: b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de
VirusTotal > Details > Basic properties
PEiD packer .NET executable
Investigate the DNS queries. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. Search the SHA256 value of the file on VirusTotal. What does the "Lastline Sandbox" flag this as?
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
directory-curiosity.pcap
root@thm:~$ tshark -r directory-curiosity.pcap --export-objects http,/home/ubuntu/Desktop/exercise-files/extracts -q
root@thm:~$ ls extracts/
(same listing as in the previous questions)
root@thm:~$ sha256sum extracts/*
(same hashes as in the previous questions; vlauto.exe is b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de)
root@thm:~$ BROWSER > https://www.virustotal.com/gui/home/search
search: b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de
VirusTotal > Behavior > Dynamic Analysis Sandbox Detections
The sandbox Lastline flags this file as: MALWARE TROJAN