THM — Carnage

jon
5 min read · Feb 16, 2022

Apply your analytical skills to analyze the malicious network traffic using Wireshark.

Questions

What was the date and time for the first HTTP connection to the malicious IP?

Filtering on http shows the first request: a GET from the victim's source IP to the destination IP. Expanding the Frame layer of that packet shows its Arrival Time. Note that Wireshark renders Arrival Time in the local time zone of the analysis machine; if the answer is expected in UTC, switch View > Time Display Format to UTC Date and Time of Day, or read the Epoch Time field and convert it.

What is the name of the zip file that was downloaded?

We can see from the GET request that it is grabbing a .zip file named documents.zip.

What was the domain hosting the malicious zip file?

The Host header of that request is shown under the Hypertext Transfer Protocol section in the packet details.

Without downloading the file, what is the name of the file in the zip file?

To find the name of the file, follow the HTTP stream (Analyze > Follow > HTTP Stream). After the source IP sends the GET request, the server's response (in blue) starts with PK, the magic bytes of a zip file. The local file header that begins with PK is 30 bytes long and is immediately followed by the name of the first member, so the readable string right after those header bytes is the original filename. Zip stores member names in clear text in the header even when the contents are compressed or password-protected, which is why the name can be read without downloading or extracting anything.
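The same check done in code, as an added example that is not part of the original writeup: it takes a captured HTTP response, skips the headers, and walks the zip local file headers to list member names without inflating any data. The response bytes, server header and member names are constructed here for the example and are not values from the room's capture.

```python
import io
import struct
import zipfile

# Zip local file header (30 bytes, little-endian): signature, version needed,
# general-purpose flags, compression method, mod time, mod date, CRC-32,
# compressed size, uncompressed size, file name length, extra field length.
LOCAL_FILE_HEADER = struct.Struct("<4sHHHHHIIIHH")
LOCAL_FILE_SIG = b"PK\x03\x04"
FLAG_DATA_DESCRIPTOR = 0x0008   # sizes live after the data, not in the header
FLAG_UTF8_NAME = 0x0800         # name is UTF-8 rather than CP437


def body_from_http_response(raw):
    """Return the body of a raw HTTP response: everything after the first
    blank line (CRLF CRLF). Chunked encoding is not handled; only the leading
    bytes of the body are needed to read the zip header."""
    _head, sep, body = raw.partition(b"\r\n\r\n")
    return body if sep else b""


def zip_entry_names(body):
    """Walk the local file headers at the start of a zip body and return the
    member names in order, without inflating any member content. Stops at the
    first signature that is not a local file header (e.g. the central
    directory), at a truncated name, and at a member whose sizes are deferred
    to a data descriptor (the header then says 0 and cannot be skipped)."""
    names = []
    offset = 0
    while offset + LOCAL_FILE_HEADER.size <= len(body):
        fields = LOCAL_FILE_HEADER.unpack_from(body, offset)
        if fields[0] != LOCAL_FILE_SIG:
            break
        flags, comp_size, name_len, extra_len = fields[2], fields[7], fields[9], fields[10]
        name_start = offset + LOCAL_FILE_HEADER.size
        raw_name = body[name_start:name_start + name_len]
        if len(raw_name) < name_len:
            break  # truncated capture: the name did not fully arrive
        encoding = "utf-8" if flags & FLAG_UTF8_NAME else "cp437"
        names.append(raw_name.decode(encoding, errors="replace"))
        if flags & FLAG_DATA_DESCRIPTOR:
            break
        offset = name_start + name_len + extra_len + comp_size
    return names


def build_sample_response(names=("report.xls",)):
    """Constructed sample for this example: a small zip with the given members
    wrapped in an HTTP 200 response. Headers and names are made up; they are
    not the values from the room's capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.writestr(name, b"placeholder content for " + name.encode())
    payload = buf.getvalue()
    headers = (b"HTTP/1.1 200 OK\r\n"
               b"Server: example-httpd\r\n"
               b"Content-Type: application/zip\r\n"
               b"Content-Length: " + str(len(payload)).encode() + b"\r\n\r\n")
    return headers + payload


if __name__ == "__main__":
    response = build_sample_response()
    print(zip_entry_names(body_from_http_response(response)))
```

Feed it the raw bytes saved from Follow > HTTP Stream (Save as raw) and the first element of the returned list is the answer to this question; the data-descriptor guard matters for archives produced by streaming writers, where the header sizes are zero and only the first name is recoverable this way.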

What is the name of the webserver of the malicious IP from which the zip file was downloaded?

The same screenshot also shows the Server response header, which names the web server software.

What is the version of the webserver from the previous question?

The value the room treats as the web server version appears in the same response under the x-powered-by header. Strictly, X-Powered-By advertises the backend runtime (a PHP or framework version, for example) rather than the HTTP daemon itself, so read it alongside the Server header.

Malicious files were downloaded to the victim host from multiple domains. What were the three domains involved with this activity?

The hint says to look at HTTPS traffic within a specific time frame. Because the payloads are encrypted, the domain names are only visible in the Server Name Indication (SNI) extension of each TLS Client Hello. A filter such as tls.handshake.type == 1 (or tls.handshake.extensions_server_name, to show only Client Hellos that carry an SNI) lists them, and a frame.time clause narrows the window. In Follow > TCP Stream the red text is the client side of the conversation, which is where the Client Hello, and therefore the domain, appears.

Stepping through the streams in that window reveals the other two domains.
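What that filter does under the hood, as an added example that is not part of the original writeup: a parser that pulls the SNI host name out of a raw TLS ClientHello and a helper that applies a time window across client-to-server segments, returning the distinct domains in first-seen order. The ClientHello builder, packet timestamps and domain names are constructed for this example and are not taken from the room's capture.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def client_hello_sni(payload):
    """Return the host name from the SNI extension of a TLS ClientHello that
    starts at the beginning of a TCP payload, or None if the payload is not a
    ClientHello, is truncated, or carries no SNI."""
    if len(payload) < 9 or payload[0] != TLS_HANDSHAKE or payload[5] != CLIENT_HELLO:
        return None
    p = 9 + 2 + 32                      # record + handshake headers, version, random
    if p >= len(payload):
        return None
    p += 1 + payload[p]                 # session id
    if p + 2 > len(payload):
        return None
    p += 2 + struct.unpack_from(">H", payload, p)[0]   # cipher suites
    if p >= len(payload):
        return None
    p += 1 + payload[p]                 # compression methods
    if p + 2 > len(payload):
        return None                     # legacy hello with no extensions block
    total_ext_len = struct.unpack_from(">H", payload, p)[0]
    p += 2
    end = min(p + total_ext_len, len(payload))
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack_from(">HH", payload, p)
        p += 4
        if ext_type == EXT_SERVER_NAME and p + 5 <= end:
            # server_name_list length (2), name_type (1), name length (2), name
            name_type = payload[p + 2]
            name_len = struct.unpack_from(">H", payload, p + 3)[0]
            if name_type == 0 and p + 5 + name_len <= end:
                return payload[p + 5:p + 5 + name_len].decode("ascii", errors="replace")
            return None
        p += ext_len
    return None


def sni_in_window(packets, start, end):
    """packets: iterable of (epoch_seconds, tcp_payload) for client-to-server
    segments. Returns distinct SNI host names from ClientHellos whose timestamp
    falls within [start, end], in first-seen order."""
    seen = []
    for ts, payload in packets:
        if not start <= ts <= end:
            continue
        name = client_hello_sni(payload)
        if name and name not in seen:
            seen.append(name)
    return seen


def build_client_hello(server_name, cipher_suites=(0x1301, 0xC02F)):
    """Constructed sample: a minimal ClientHello record with one SNI entry and a
    second, unrelated extension (supported_versions) that the parser must skip."""
    name = server_name.encode("idna")
    entry = b"\x00" + struct.pack(">H", len(name)) + name
    sni_data = struct.pack(">H", len(entry)) + entry
    sni_ext = struct.pack(">HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    versions_ext = struct.pack(">HH", 0x002B, 3) + b"\x02\x03\x04"
    exts = versions_ext + sni_ext
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00"
            + struct.pack(">H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack(">H", len(handshake)) + handshake


# Constructed capture: ClientHellos inside the window, one plain HTTP request
# (no SNI) and one hello after the window. Names are placeholders.
SAMPLE_PACKETS = [
    (1600000000.0, build_client_hello("first.example")),
    (1600000001.5, b"GET /file.zip HTTP/1.1\r\nHost: first.example\r\n\r\n"),
    (1600000002.0, build_client_hello("second.example")),
    (1600000003.0, build_client_hello("first.example")),
    (1600000004.0, build_client_hello("third.example")),
    (1600000090.0, build_client_hello("later.example")),
]

if __name__ == "__main__":
    print(sni_in_window(SAMPLE_PACKETS, 1600000000.0, 1600000010.0))
```

The parser only inspects the first record of a segment, which is where a ClientHello sits on a fresh connection; the explicit bounds checks are what keep a truncated or maliciously short hello from raising instead of returning None.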

Which certificate authority issued the SSL certificate to the first domain from the previous question?

The Certificate message sent by the server (tls.handshake.type == 11) carries the certificate chain; expanding the issuer field of the first certificate shows GoDaddy as the certificate authority. This only works for TLS 1.2 and earlier, where the server certificate travels in the clear; under TLS 1.3 the Certificate message is encrypted and the issuer cannot be read from the capture.

What are the two IP addresses of the Cobalt Strike servers? Use VirusTotal (the Community tab) to confirm if IPs are identified as Cobalt Strike C2 servers. (answer format: enter the IP addresses in sequential order)

Statistics > Conversations, TCP tab, lists every TCP conversation; sorting by packets or bytes makes the long-lived beaconing conversations stand out. Submitting the candidate IPs to VirusTotal and checking the Community tab confirms which are flagged as Cobalt Strike C2 servers.

What is the Host header for the first Cobalt Strike IP address from the previous question?

VirusTotal lists the Host header for the IP; it can also be recovered from the capture by filtering on the Cobalt Strike IP together with HTTP traffic (for example ip.addr == <Cobalt Strike IP> && http.request) and reading the Host header of the first request.

What is the domain name for the first IP address of the Cobalt Strike server? You may use VirusTotal to confirm if it’s the Cobalt Strike server (check the Community tab).

VirusTotal's Relations tab lists the domains that have resolved to the IP (passive DNS), which gives the domain name.

What is the domain name of the second Cobalt Strike server IP? You may use VirusTotal to confirm if it’s the Cobalt Strike server (check the Community tab).

Filtering on the second Cobalt Strike IP together with http and following the stream shows the domain name in the Host header of the request.

What is the domain name of the post-infection traffic?

Filter for the requests the victim sends with http.request.method == "POST" (the method value must be quoted) and follow the stream; the Host header of the request shows the post-infection domain.

What are the first eleven characters that the victim host sends out to the malicious domain involved in the post-infection traffic?

What was the length for the first packet sent out to the C2 server?

The Length column in the packet list above shows 281.

What was the Server header for the malicious domain from the previous question?

The Server response header appears in the same HTTP stream, in the server's reply to that POST.

The malware used an API to check for the IP address of the victim’s machine. What was the date and time when the DNS query for the IP check domain occurred?

Filter on the victim IP and dns, restricted to queries whose name contains api (for example ip.addr == <victim IP> && dns.qry.name contains "api"); the Arrival Time of the matching query frame gives the date and time.

What was the domain in the DNS query from the previous question?

The queried domain is the Name field under Queries in that same packet, as seen in the screenshot above.

Looks like there was some malicious spam (malspam) activity going on. What was the first MAIL FROM address observed in the traffic?

Filtering on frame contains "MAIL FROM" (or smtp.req.command == "MAIL") and sorting by frame number shows the first sender address.

How many packets were observed for the SMTP traffic?

Applying the smtp display filter and reading the Displayed count in the status bar gives the packet total.