Refer to Carnage for the challenge room on TryHackMe
Scenario
Eric Fischer from the Purchasing Department at Bartell Ltd got an email from a familiar contact with a Word document attached. When he opened the document, he accidentally clicked "Enable Content." Soon after, the SOC Department got an alert that Eric’s workstation was making strange outbound connections. They collected a pcap file from the network sensor and gave it to you for review.
Task
Investigate the packet capture to find out what malicious activities occurred.
What was the date and time for the first HTTP connection to the malicious IP?
Apply the http display filter and look for the request that fetched the attached document.

After locating it, we can see the victim workstation connecting out to the malicious host on TCP port 8080; the timestamp of that first request (with View > Time Display Format set to UTC date and time) answers the question.

Note: Port 8080 is a common alternate HTTP port, often used by proxy and development web servers, so a user workstation making outbound connections on 8080 deserves a closer look.
What is the name of the zip file that was downloaded?
The file name is displayed in the previous screenshot.
What was the domain hosting the malicious zip file?
The Host header of the same request gives the domain that served the zip file.

Without downloading the file, what is the name of the file in the zip file?
Follow the HTTP stream of packet #1735, the response that delivered the zip. A zip archive stores each member's file name in cleartext in its local file header and central directory, so the name of the file inside the .zip is readable in the stream without downloading or extracting the archive.

What is the name of the webserver of the malicious IP from which the zip file was downloaded?
The webserver name is displayed in the previous screenshot.
What is the version of the webserver from the previous question?
The same HTTP stream shows the version as well, in the X-Powered-By header.
Note: The Server header identifies the web server itself, while X-Powered-By reveals the framework or runtime (for example PHP) used to generate the content. Both are banner information that operators often suppress precisely because it helps an attacker fingerprint the host.
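The two steps above (reading the banner headers, then reading the member name out of the zip body in the stream) can be done directly on a captured response. The following is an added example, not code from the original write-up: the HTTP response, the file name report.xls and the Server and X-Powered-By values are constructed in memory with the standard library and are assumptions, not values from the Carnage pcap.

```python
"""Read the server banner and the archive member names out of a captured
HTTP response carrying a zip file, without extracting it.

Added example, not code from the original write-up. The response is
constructed here with the standard library, so 'report.xls', the Server
and X-Powered-By values and the zip content are assumptions, not the
values seen in the Carnage pcap."""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"   # starts every zip local file header
LOCAL_HEADER_LEN = 30              # fixed part of that header, in bytes


def build_sample_response() -> bytes:
    """Construct an 'HTTP/1.1 200' response whose body is a real zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("report.xls", b"\xd0\xcf\x11\xe0 placeholder, not an xls")
    body = buf.getvalue()
    head = (
        "HTTP/1.1 200 OK\r\n"
        "Server: ExampleHTTPd\r\n"          # assumed banner
        "X-Powered-By: PHP/0.0.0\r\n"       # assumed banner
        "Content-Type: application/zip\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    ).encode("ascii")
    return head + body


def split_http_response(raw: bytes):
    """Split a raw response into (status line, {lower-cased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def zip_member_names(body: bytes):
    """Walk the local file headers and return the stored member names.

    Names (and the central directory) are cleartext in every zip, even a
    password-protected one, which is why the file name is readable in the
    HTTP stream without downloading or opening the archive."""
    names = []
    pos = body.find(LOCAL_HEADER_SIG)
    while pos != -1 and pos + LOCAL_HEADER_LEN <= len(body):
        flags, = struct.unpack_from("<H", body, pos + 6)
        comp_size, = struct.unpack_from("<I", body, pos + 18)
        name_len, extra_len = struct.unpack_from("<HH", body, pos + 26)
        start = pos + LOCAL_HEADER_LEN
        names.append(body[start:start + name_len].decode("utf-8", "replace"))
        nxt = start + name_len + extra_len
        if not flags & 0x8:            # sizes are in the header: skip the data
            nxt += comp_size
        pos = body.find(LOCAL_HEADER_SIG, nxt)  # else scan for the next header
    return names


def summarize(raw: bytes):
    """Banner headers plus member names, the three facts the questions ask for."""
    status, headers, body = split_http_response(raw)
    return {
        "status": status,
        "server": headers.get("server"),
        "x-powered-by": headers.get("x-powered-by"),
        "members": zip_member_names(body),
    }


if __name__ == "__main__":
    print(summarize(build_sample_response()))
```

Feed it the bytes of the server-to-client direction of Follow > HTTP Stream (saved as raw) and it reports the same Server and X-Powered-By values you would read by eye, plus every member name stored in the archive.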

Malicious files were downloaded to the victim host from multiple domains. What were the three domains involved with this activity?
Narrow the search to the time window right after the zip download by filtering on TLS Client Hello messages; the server_name (SNI) extension in each Client Hello is sent in cleartext and names the domain being contacted.
tls.handshake.type == 1 and frame.time >= "2021-09-24 16:45:11" and frame.time <= "2021-09-24 16:45:30"
Note: frame.time is compared in the analyst machine's local time zone, so the timestamps in the filter must match the time display format you are reading from.

After reviewing the SNI in each Client Hello, we found three domains flagged as malicious on VirusTotal.

Which certificate authority issued the SSL certificate to the first domain from the previous question?
Follow the TCP stream of packet #2427; the server's Certificate message shows the issuer, i.e. the certificate authority, for the first domain. This is visible because the certificate is sent in cleartext in TLS 1.2 and earlier; a TLS 1.3 handshake encrypts the Certificate message.

What are the two IP addresses of the Cobalt Strike servers? Use VirusTotal (the Community tab) to confirm if IPs are identified as Cobalt Strike C2 servers.
Cobalt Strike beacons over HTTP generally communicate through GET requests (check-in) and POST requests (task results), so start with a filter for those methods.
http.request.method == "GET" or http.request.method == "POST"
With the filter applied, open Statistics > Conversations, tick "Limit to display filter", and sort the IPv4 tab by packets; the external hosts exchanging the most GET/POST traffic with the victim are the candidates.

We checked these two IP addresses on VirusTotal to determine if they are associated with Cobalt Strike.


What is the Host header for the first Cobalt Strike IP address from the previous question?
Enter the first Cobalt Strike IP address from the previous question into the filter bar:
ip.addr == 185.106.96.158
Then examine a GET request from the victim machine to that address; its Host header is the answer. Beacon profiles commonly set a Host header that impersonates a legitimate service, so it need not match the server's real domain name.

What is the domain name for the first IP address of the Cobalt Strike server? You may use VirusTotal to confirm if it's the Cobalt Strike server
Menu bar > Statistics > Resolved Addresses, then enter the first IP address of the Cobalt Strike server.

What is the domain name of the second Cobalt Strike server IP? You may use VirusTotal to confirm if it's the Cobalt Strike server.
Following the same steps as before, enter the second IP address of the Cobalt Strike server.

What is the domain name of the post-infection traffic?
Examine the HTTP interactions between the C2 servers and the compromised host. Since packet #1735 is the initial point of compromise from the first question, we investigate the requests that follow #1735.
http.request.method == "GET" or http.request.method == "POST"

Once we identify the suspicious IP address, we use Statistics > Resolved Addresses as in the previous two questions to get its domain name.

What are the first eleven characters that the victim host sends out to the malicious domain involved in the post-infection traffic?
The 11 characters are the start of the request URI the victim sends to that domain, visible in the Info column of the filtered packet list.

What was the length for the first packet sent out to the C2 server?
So far we know of three C2 servers (185.106.96.158, 185.125.204.174, 208.91.128.6); filter their HTTP traffic and read the Length column of the first packet the victim sends to them.
(ip.addr == 185.106.96.158 or ip.addr == 185.125.204.174 or ip.addr == 208.91.128.6) and http
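The conversation count used to single out the Cobalt Strike servers above, and the "first request to a given server" lookup used for the packet length here, are both simple aggregations over the GET/POST requests; the example below does them on request records and adds the check a practitioner would run next, scoring each destination for the regular beaconing cadence Cobalt Strike produces. This is an added example, not code from the original write-up or from Wireshark. The request records, the 10.9.23.102 client and the TEST-NET server addresses, URIs and frame lengths are constructed assumptions, not values from the Carnage pcap; in practice the records would be exported from the same display filter with tshark's -T fields output.

```python
"""Group HTTP GET/POST traffic into per-peer conversations, pick out the
first request to a given server, and score destinations for beaconing.

Added example, not code from the original write-up or from Wireshark.
All records below are constructed; addresses, URIs and lengths are
assumptions, not values from the Carnage pcap."""
from collections import Counter
from statistics import median

# (epoch seconds, src, dst, method, request URI, frame length) - constructed
SAMPLE_REQUESTS = [
    (100.0, "10.9.23.102", "203.0.113.10", "GET",  "/documents.zip",   412),
    (160.0, "10.9.23.102", "198.51.100.7", "GET",  "/aaaaaaaaaaa-1",   327),
    (220.0, "10.9.23.102", "198.51.100.7", "GET",  "/aaaaaaaaaaa-2",   327),
    (280.5, "10.9.23.102", "198.51.100.7", "POST", "/submit.php?id=1", 640),
    (340.0, "10.9.23.102", "198.51.100.7", "GET",  "/aaaaaaaaaaa-3",   327),
    (175.0, "10.9.23.102", "203.0.113.55", "GET",  "/index.html",      390),
    (900.0, "10.9.23.102", "203.0.113.55", "GET",  "/news/today",      402),
    (3000.0, "10.9.23.102", "203.0.113.55", "POST", "/login",          780),
]


def conversations(requests):
    """Count GET/POST requests per (src, dst) pair, the same view as
    Statistics > Conversations with 'Limit to display filter' ticked."""
    counts = Counter()
    for _, src, dst, method, _, _ in requests:
        if method in ("GET", "POST"):
            counts[(src, dst)] += 1
    return counts


def first_request_to(requests, dst):
    """Earliest request to dst as (time, method, uri, frame length), or None."""
    hits = [r for r in requests if r[2] == dst]
    if not hits:
        return None
    t, _, _, method, uri, length = min(hits, key=lambda r: r[0])
    return t, method, uri, length


def beacon_stats(requests, dst):
    """(median gap, largest relative deviation from it, request count) for dst.

    Cobalt Strike beacons sleep a fixed interval plus a bounded jitter, so
    many requests with a small deviation is the tell; interactive browsing
    is bursty and irregular. Needs at least three requests to say anything."""
    times = sorted(r[0] for r in requests if r[2] == dst)
    if len(times) < 3:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    med = median(gaps)
    deviation = max(abs(g - med) / med for g in gaps)
    return med, deviation, len(times)


def likely_c2(requests, max_jitter=0.2, min_requests=4):
    """Destinations whose request timing is regular enough to look like beaconing."""
    flagged = []
    for dst in {r[2] for r in requests}:
        stats = beacon_stats(requests, dst)
        if stats and stats[2] >= min_requests and stats[1] <= max_jitter:
            flagged.append(dst)
    return sorted(flagged)


if __name__ == "__main__":
    for (src, dst), n in conversations(SAMPLE_REQUESTS).most_common():
        print(f"{src} -> {dst}: {n} GET/POST requests, beacon stats "
              f"{beacon_stats(SAMPLE_REQUESTS, dst)}")
    print("likely C2:", likely_c2(SAMPLE_REQUESTS))
    print("first request to 198.51.100.7:",
          first_request_to(SAMPLE_REQUESTS, "198.51.100.7"))
```

The jitter threshold of 20% is a starting point, not a rule: a beacon configured with a large jitter value will spread wider, and a legitimate poller (mail client, update check) will look just as regular, so treat the score as a triage signal to be confirmed on VirusTotal or by inspecting the requests themselves.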

What was the Server header for the malicious domain from the previous question?
Follow the HTTP stream of the packet #3822, it shows the server header for the domain.

The malware used an API to check for the IP address of the victim’s machine. What was the date and time when the DNS query for the IP check domain occurred?
Since the malware used an IP-check API, search DNS traffic for frames containing "api". The host wasn't compromised until packet #1735, so the earlier match at packet #990 is legitimate and can be disregarded; the first match after #1735 gives the date and time.
dns and frame contains "api"

What was the domain in the DNS query from the previous question?
The domain name can be found in the previous screenshot.
There was some malicious spam (malspam) activity going on. What was the first MAIL FROM address observed in the traffic?
Email is delivered over SMTP, and the sender is announced in the MAIL FROM command at the start of each SMTP transaction (this is part of the protocol envelope, not the message header). Search for SMTP packets containing "FROM":
smtp and frame contains "FROM"

How many packets were observed for the SMTP traffic?
Change the display filter to smtp; the Displayed count in the status bar gives the number of SMTP packets.
