Hi, in this writeup I will be using Wireshark to analyze a packet capture.
Q1: What was the date and time for the first HTTP connection to the malicious IP?
I changed the time display format in Wireshark (View > Time Display Format > UTC Date and Time of Day) so the timestamps match the answer format, then applied the display filter http to find this.
The first HTTP request to the malicious IP was a GET for a .zip file, and we treat that request as first contact.
A: 2021-09-24 16:44:38
Q2: What is the name of the zip file that was downloaded?
This is visible in the same screenshot as Q1: the GET request is for Documents.zip.
A:Documents.zip
Q3: What was the domain hosting the malicious zip file?
For this one I turned on name resolution in Wireshark (View > Name Resolution > Resolve Network Addresses), which showed the destination as attirenepal.com. The Host header of the GET request is the more reliable place to read this, since address resolution only works if the capture (or your own resolver) can map the IP back to a name.
A: Attirenepal.com
Q4: Without downloading the file, what is the name of the file in the zip file?
I followed the HTTP stream of the GET request (right-click the packet > Follow > HTTP Stream), which shows the 200 OK response. The zip archive is sent in cleartext, and zip headers store entry names unencrypted, so the .xls filename is readable in the stream contents without downloading the file.
That name was the accepted answer.
A: chart-1530076591.xls
Q5: What is the name of the webserver of the malicious IP from which the zip file was downloaded?
Staying in the HTTP stream, the Server header of the response reads “LiteSpeed”.
A: LiteSpeed
Q6: What is the version of the webserver from the previous question?
The Server header carries no version, but the X-Powered-By header in the same response gives the application stack, PHP/7.2.34, which is the answer the challenge accepts.
A: PHP/7.2.34
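What “Follow HTTP Stream” showed for Q4 to Q6 can be reproduced in code. The following Python script is an added example, not part of the original writeup or of the challenge files: it builds a constructed 200 OK response (header values copied from the answers above, zip body generated locally around a dummy .xls entry), splits the headers from the body, and lists the archive's entry names straight from the zip local file headers without inflating any data, which is exactly why the .xls name is visible in the raw stream.

```python
import io
import struct
import zipfile

XLS_NAME = "chart-1530076591.xls"


def build_sample_response() -> bytes:
    """Constructed sample stream shaped like what Follow HTTP Stream shows.

    The header values mirror the writeup; the zip body and the xls bytes are
    generated here and are not the real sample.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # hypothetical payload: OLE2 magic followed by padding
        zf.writestr(XLS_NAME, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 512)
    body = buf.getvalue()
    head = (
        "HTTP/1.1 200 OK\r\n"
        "Server: LiteSpeed\r\n"
        "X-Powered-By: PHP/7.2.34\r\n"
        "Content-Type: application/zip\r\n"
        "Content-Disposition: attachment; filename=Documents.zip\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode("latin-1") + body


def parse_response(raw: bytes):
    """Split an HTTP/1.x response into (status_line, headers, body).

    Header names are lower-cased because HTTP treats them case-insensitively.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
LOCAL_FMT = "<4sHHHHHIIIHH"  # 30-byte local file header (APPNOTE 4.3.7)


def zip_entry_names(body: bytes):
    """Read entry names from the zip local file headers without inflating anything.

    The name field is stored in cleartext even for password-protected archives,
    which is why the .xls name is readable straight from the TCP stream.
    """
    names = []
    pos = 0
    hdr_len = struct.calcsize(LOCAL_FMT)
    while pos + hdr_len <= len(body):
        if body.startswith(CENTRAL_SIG, pos):
            break  # reached the central directory: every entry has been seen
        if not body.startswith(LOCAL_SIG, pos):
            nxt = body.find(LOCAL_SIG, pos + 1)
            if nxt < 0:
                break
            pos = nxt
            continue
        (_, _, flags, _, _, _, _, comp_size, _, name_len, extra_len) = struct.unpack_from(LOCAL_FMT, body, pos)
        start = pos + hdr_len
        names.append(body[start:start + name_len].decode("utf-8", "replace"))
        pos = start + name_len + extra_len
        if flags & 0x8 == 0:
            pos += comp_size  # sizes are in the header: jump over the compressed data
        # otherwise a data descriptor is in use and the loop searches for the next signature
    return names


def stdlib_names(body: bytes):
    """Cross-check: the stdlib reader walks the central directory at the end of the body."""
    with zipfile.ZipFile(io.BytesIO(body)) as zf:
        return zf.namelist()


def summarize(raw: bytes):
    """Answer Q4-Q6 style questions from one raw response: server, stack, entry names."""
    status, headers, body = parse_response(raw)
    return {
        "status": status,
        "server": headers.get("server"),
        "x_powered_by": headers.get("x-powered-by"),
        "content_type": headers.get("content-type"),
        "entries": zip_entry_names(body),
    }


if __name__ == "__main__":
    for key, value in summarize(build_sample_response()).items():
        print(f"{key}: {value}")
```

The local-header walk is what you see when scrolling the stream; the central directory at the end of the body repeats the same names, so a truncated capture that lost the tail still gives you the entry list from the front. Using `zipfile` directly on the body is the sanity check once the whole archive has been reassembled.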
Q7: Malicious files were downloaded to the victim host from multiple domains. What were the three domains involved with this activity?
For this question I looked at traffic on the ports where server names show up: 443, 80 and 8080 (the Host header for HTTP, the server_name (SNI) extension of the TLS ClientHello for HTTPS). This is what the filter looked like:
Using this filter, I picked out the domains that matched the description in the question and ended up with finejewels.com.au, thietbiagt.com and new.americold.com.
A: finejewels.com.au, thietbiagt.com, new.americold.com
Q8: Which certificate authority issued the SSL certificate to the first domain from the previous question?
I followed the TCP stream of the TLS handshake with finejewels.com.au; in TLS 1.2 and earlier the server's Certificate message is sent in cleartext, so the issuer name is readable in the stream, and it was GoDaddy.
A: Godaddy
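For the port-443 part of Q7 the domain never appears in an HTTP header; it sits in the server_name (SNI) extension of the TLS ClientHello, which is what Wireshark's tls.handshake.extensions_server_name field decodes. The script below is an added example, not code from the writeup: it builds a constructed ClientHello (zero random, empty session id, one unrelated extension placed before SNI) and then parses it back with a bounds-checked walk of the record, the handshake header and the extension list, returning None for anything that is not a ClientHello, such as a plain HTTP request on port 80.

```python
import struct

SNI_EXT = 0x0000
SUPPORTED_VERSIONS_EXT = 0x002B


def build_client_hello(host: str, cipher_suites=(0x1301, 0x1302, 0xC02F)) -> bytes:
    """Constructed minimal ClientHello record carrying an SNI extension.

    The supported_versions extension is placed before SNI on purpose so the
    parser has to skip an extension it does not care about.
    """
    name = host.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    ext_versions = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, 3) + b"\x02\x03\x04"
    exts = ext_versions + ext_sni
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03" + bytes(32)                         # client_version, random (zeros here)
        + b"\x00"                                        # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                    # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None.

    Every length field is checked against the data actually present, so a
    non-TLS payload or a truncated segment yields None instead of an exception.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None                                       # not a TLS handshake record
    rec_len = struct.unpack_from("!H", record, 3)[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                       # not a ClientHello
    end = min(4 + int.from_bytes(hs[1:4], "big"), len(hs))
    p = 4 + 2 + 32                                        # skip client_version and random
    if p >= end:
        return None
    p += 1 + hs[p]                                        # session_id
    if p + 2 > end:
        return None
    p += 2 + struct.unpack_from("!H", hs, p)[0]           # cipher_suites
    if p >= end:
        return None
    p += 1 + hs[p]                                        # compression_methods
    if p + 2 > end:
        return None                                       # hello without an extensions block
    ext_end = min(p + 2 + struct.unpack_from("!H", hs, p)[0], end)
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", hs, p)
        p += 4
        data = hs[p:p + elen]
        p += elen
        if etype != SNI_EXT:
            continue
        q = 2                                             # skip server_name_list length
        while q + 3 <= len(data):
            ntype = data[q]
            nlen = struct.unpack_from("!H", data, q + 1)[0]
            q += 3
            if ntype == 0:                                # host_name
                return data[q:q + nlen].decode("idna")
            q += nlen
    return None


def sni_hosts(payloads):
    """Collect SNI hosts from a list of TCP payloads, the way a port-443 pass would."""
    return [h for h in (extract_sni(p) for p in payloads) if h]


if __name__ == "__main__":
    sample = [
        build_client_hello("finejewels.com.au"),
        b"GET /Documents.zip HTTP/1.1\r\nHost: attirenepal.com\r\n\r\n",  # port-80 traffic, no SNI
        build_client_hello("thietbiagt.com"),
    ]
    print(sni_hosts(sample))
```

SNI is the only place the client names the host before encryption starts, so it is the field to key on for HTTPS in a capture; the certificate issuer for Q8 comes from the server's side of the same handshake.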
Skipping Q9-Q12 for this writeup
Q13: What is the domain name of the post-infection traffic?
After a host is infected it will typically report back to a server, often over HTTP, so a POST request is a good thing to look for (display filter http.request.method == "POST").
The POST goes to maldivehost.net, which is suspicious.
A: maldivehost.net
Q14: What are the first eleven characters that the victim host sends out to the malicious domain involved in the post-infection traffic?
We can see this in the Info column of the POST request, which shows the request line (method, URI, version) and therefore the start of what the victim sent.
A: zLIisQRWZI9
Q15: What was the length for the first packet sent out to the C2 server?
Straightforward: select the first packet sent to the C2 server and read its size from the Length column (frame.len).
Q16: What was the Server header for the malicious domain from the previous question?
Following the HTTP stream of the POST shows the Server header in the response.
A: Apache/2.4.49 (cPanel) OpenSSL/1.1.1l mod_bwlimited/1.4
Q17: The malware used an API to check for the IP address of the victim’s machine. What was the date and time when the DNS query for the IP check domain occurred? (answer format: yyyy-mm-dd hh:mm:ss UTC)
When there’s a callout to an API there is usually “api” in the hostname, so I filtered with dns contains "api". That filter matches the bytes “api” anywhere in a DNS message, responses included, so dns.qry.name contains "api" && dns.flags.response == 0 is the tighter version when you want just the client's lookups.
I entered the date and time of the query for api.ipify.org and it was correct.
A: 2021-09-24 17:00:04
Q18: What was the domain in the DNS query from the previous question?
A: api.ipify.org
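The two things Q17 and Q18 need, the query name out of a DNS message and the timestamp rendered in UTC in the answer format (the same time-format point as Q1), are small enough to do by hand. The script below is an added example, not part of the writeup: it constructs a tiny DNS capture as (epoch seconds, payload) pairs with the timestamps chosen to match the answers above, parses the question section of each message, skips responses, and reports queries whose name contains "api", the way the tighter display filter would.

```python
import struct
from datetime import datetime, timezone


def fmt_utc(epoch: float) -> str:
    """Render a capture timestamp as yyyy-mm-dd hh:mm:ss in UTC (the answer format)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def build_dns_message(name: str, txid: int, flags: int = 0x0100) -> bytes:
    """Constructed DNS message with one A/IN question.

    flags 0x0100 is a standard query with RD set; 0x8180 marks a response
    (answer section omitted here since only the question is parsed).
    """
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def parse_dns_question(msg: bytes):
    """Return (txid, is_response, qname) from the first question of a DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack_from("!HHH", msg, 0)
    if qdcount < 1:
        raise ValueError("no question section")
    labels, p = [], 12
    while True:
        if p >= len(msg):
            raise ValueError("truncated question name")
        n = msg[p]
        p += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")  # only legal after the question
        labels.append(msg[p:p + n].decode("ascii"))
        p += n
    return txid, bool(flags & 0x8000), ".".join(labels)


def find_queries(capture, needle: str = "api"):
    """Equivalent of dns.qry.name contains "api" && dns.flags.response == 0.

    capture is a list of (epoch_seconds, dns_payload). Responses are skipped so
    each lookup is reported once, at the moment the client asked.
    """
    hits = []
    for ts, payload in capture:
        _, is_response, qname = parse_dns_question(payload)
        if not is_response and needle in qname.lower():
            hits.append((fmt_utc(ts), qname))
    return hits


# Constructed capture: the first pair is timed to the Q1 answer, the ipify pair to the Q17 answer.
SAMPLE_CAPTURE = [
    (1632501878.0, build_dns_message("attirenepal.com", 0x1A2B)),
    (1632501878.1, build_dns_message("attirenepal.com", 0x1A2B, flags=0x8180)),  # the reply
    (1632502804.0, build_dns_message("api.ipify.org", 0x3C4D)),
    (1632502804.1, build_dns_message("api.ipify.org", 0x3C4D, flags=0x8180)),
]

if __name__ == "__main__":
    for when, name in find_queries(SAMPLE_CAPTURE):
        print(when, name)
```

Formatting with an explicit `timezone.utc` is the point: `datetime.fromtimestamp` without a tz uses the analyst's local zone, which is the same trap as leaving Wireshark's time display on local time when the answer wants UTC.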