This writeup covers the Directory challenge room on TryHackMe.
Scenario
An alert has been triggered: "A user came across a poor file index, and their curiosity led to problems".
Task
Inspect the provided directory-curiosity.pcap located in ~/Desktop/exercise-files and retrieve the artefacts to confirm that this alert is a true positive.
Investigate the DNS queries and check the queried domains on VirusTotal. According to VirusTotal, one of the domains is marked as malicious/suspicious.
What is the name of the malicious/suspicious domain?
Identify all the domains that the victim has communicated with and input them into VirusTotal to determine which ones are suspicious.
$ tshark -r directory-curiosity.pcap -T fields -e dns.qry.name | awk NF | sort | uniq


What is the total number of HTTP requests sent to the malicious domain?
Search for all HTTP request packets in the .pcap file, and count how many packets are to the malicious domain with uniq -c.
$ tshark -r directory-curiosity.pcap -Y 'http.request' -T fields -e http.host | awk NF | sort | uniq -c | grep -i 'jx2-bavuong'

What is the IP address associated with the malicious domain?
Since we already know the domain name and the question is asking for the IP address, we will use dns.a and dns.qry.name to retrieve the information.
-e dns.a: Extracts IPv4 addresses returned in DNS responses.
-e dns.qry.name: Extracts domain names that were queried in DNS requests.
$ tshark -r directory-curiosity.pcap -T fields -e dns.a -e dns.qry.name | awk NF | sort | uniq | grep -i 'jx2-bavuong'
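The three tshark pipelines above (unique DNS query names, HTTP request counts per host, and the dns.a/dns.qry.name join) can be combined into one pass over tshark's field output. The following is an added example, not part of the original writeup or the room: it parses constructed `-T fields` output (tab-separated, with tshark's default `,` aggregator for multi-valued fields) and reports, for each domain VirusTotal flagged, how many HTTP requests went to it and which IPs it resolved to. The domains and IPs in the sample are placeholders, not the values from the pcap.

```python
from collections import defaultdict

# Constructed sample of:
#   tshark -r x.pcap -T fields -e frame.number -e dns.qry.name -e dns.a -e http.host
# Frames 1-4 are DNS query/response pairs, frames 5-8 are HTTP requests.
# All domain names and addresses below are placeholders (documentation ranges).
SAMPLE = """\
1\twww.example.test\t\t
2\twww.example.test\t203.0.113.10\t
3\tbad.example.test\t\t
4\tbad.example.test\t198.51.100.7,198.51.100.8\t
5\t\t\twww.example.test
6\t\t\tbad.example.test
7\t\t\tbad.example.test
8\t\t\tbad.example.test
"""


def parse_tshark_fields(text):
    """Return (dns_answers, http_counts).

    dns_answers: queried name -> set of A records seen in responses
    http_counts: http.host  -> number of HTTP request frames
    """
    dns_answers = defaultdict(set)
    http_counts = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (4 - len(fields))  # tolerate missing trailing fields
        _frame, qry, answers, host = fields[:4]
        if qry and answers:  # only DNS responses carry dns.a
            dns_answers[qry].update(a for a in answers.split(",") if a)
        if host:
            http_counts[host] += 1
    return dict(dns_answers), dict(http_counts)


def triage(text, flagged_domains):
    """For each VirusTotal-flagged domain, report request count and resolved IPs."""
    dns_answers, http_counts = parse_tshark_fields(text)
    return {
        d: {"http_requests": http_counts.get(d, 0),
            "ips": sorted(dns_answers.get(d, ()))}
        for d in flagged_domains
    }


if __name__ == "__main__":
    for domain, info in triage(SAMPLE, ["bad.example.test"]).items():
        print(domain, info)
```

In practice, replace `SAMPLE` with the output of the tshark command shown in the comment and pass the domain VirusTotal flagged to `triage`.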

What is the server info of the suspicious domain?
By following the HTTP conversation, we can read the Server header in the malicious server's response.
$ tshark -r directory-curiosity.pcap -z follow,http,ascii,0 -q | grep -i 'server'

Follow the "first TCP stream" in "ASCII" and investigate the output. What is the number of listed files?
By examining the HTML content from the server's response, we can identify that there are three files.
$ tshark -r directory-curiosity.pcap -z follow,tcp,ascii,0 -q

What is the filename of the first file?
The filename of the first file can be found in the output of the previous command.
Export all HTTP traffic objects, what is the name of the downloaded executable file?
The name of the downloaded .exe file can also be found in the output of the previous command.
What is the SHA256 value of the malicious file?
Use the export-objects function to extract the file captured in the .pcap into the export directory, then hash it. (The tilde is not expanded by the shell in the middle of an argument, so the path is given via $HOME.)
$ tshark -r directory-curiosity.pcap --export-objects http,"$HOME/Desktop/export" -q
$ sha256sum ~/Desktop/export/vlauto.exe

Search the SHA256 value of the file on VirusTotal, what is the "PEiD packer" value?
Paste the hash value into VirusTotal, then navigate to the Details tab to find the value of the PEiD packer.
Note: "PEiD packer: .NET executable" indicates the file is a .NET application and is not packed or encrypted with a tool commonly recognized by PEiD.
Search the SHA256 value of the file on VirusTotal, what does the "Lastline Sandbox" flag this as?
Continue with the last task by navigating to the Behavior tab, where we will find the behavior tags from Lastline Sandbox.
