TryHackMe | Carnage WriteUp

 

Apply your analytical skills to analyze the malicious network traffic using Wireshark.

Link- https://tryhackme.com/room/c2carnage


After loading the pcap file in wireshark. Change the time display preferences.


What was the date and time for the first HTTP connection to the malicious IP?

(answer format: yyyy-mm-dd hh:mm:ss)

check the HTTP traffic

2021–09–24 16:44:38


What is the name of the zip file that was downloaded?

Check the contents of the packet

documents.zip


What was the domain hosting the malicious zip file?

attirenepal.com


Without downloading the file, what is the name of the file in the zip file?

Right click the packet and follow HTTP stream

chart-1530076591.xls


What is the name of the webserver of the malicious IP from which the zip file was downloaded?

LiteSpeed


What is the version of the webserver from the previous question?

PHP/7.2.34

Malicious files were downloaded to the victim host from multiple domains. What were the three domains involved with this activity?

finejewels.com.au, thietbiagt.com, new.americold.com


Which certificate authority issued the SSL certificate to the first domain from the previous question?

GoDaddy


What are the two IP addresses of the Cobalt Strike servers? Use VirusTotal (the Community tab) to confirm if IPs are identified as Cobalt Strike C2 servers. (answer format: enter the IP addresses in sequential order)

Check HTTP traffic to and from external IPs

185.106.96.158, 185.125.204.174


What is the Host header for the first Cobalt Strike IP address from the previous question?

Check contents of packet

ocsp.verisign.com


What is the domain name for the first IP address of the Cobalt Strike server? You may use VirusTotal to confirm if it’s the Cobalt Strike server (check the Community tab).

survmeter.live


What is the domain name of the second Cobalt Strike server IP? You may use VirusTotal to confirm if it’s the Cobalt Strike server (check the Community tab).

securitybusinpuff.com


What is the domain name of the post-infection traffic?

maldivehost.net


What are the first eleven characters that the victim host sends out to the malicious domain involved in the post-infection traffic?

zLIisQRWZI9


What was the length for the first packet sent out to the C2 server?

281


What was the Server header for the malicious domain from the previous question?

Apache/2.4.49 (cPanel) OpenSSL/1.1.1l mod_bwlimited/1.4


The malware used an API to check for the IP address of the victim’s machine. What was the date and time when the DNS query for the IP check domain occurred? (answer format: yyyy-mm-dd hh:mm:ss UTC)

Check DNS traffic

2021–09–24 17:00:04


What was the domain in the DNS query from the previous question?

api.ipify.org


Looks like there was some malicious spam (malspam) activity going on. What was the first MAIL FROM address observed in the traffic?

farshin@mailfa.com


How many packets were observed for the SMTP traffic?

Click on the Statistics dropdown menu and see Protocol Hierarchy Statistics

1439


That’s it! See you in the next Room :)


Comments

Post a Comment

Eonrec

Ads by Eonads

Popular posts from this blog

TryHackMe | Introduction To Honeypots Walkthrough

Image
  A guided room covering the deployment of honeypots and analysis of botnet activities Link - https://tryhackme.com/room/introductiontohoneypots Create a file and then log back in is the file still there? (Yay/Nay) Nay How many passwords include the word “password” or some other variation of it e.g “p@ssw0rd” 15 What is arguably the most common tool for brute-forcing SSH? hydra What intrusion prevention software framework is commonly used to mitigate SSH brute-force attacks? Fail2Ban What CPU does the honeypot “use”? Run command cat /proc/cpuinfo Intel(R) Core(TM) i9–11900KB CPU @ 3.30GHz Does the honeypot return the correct values when uname -a is run? (Yay/Nay) Nay What flag must be set to pipe wget output into bash? -O How would you disable bash history using unset ? unset HISTFILE What brand of device is the bot in the first sample searching for? (BotCommands/Sample1.txt) Do a simple google search of the processes Mikrotik What are the commands in the second sample changing? (Bot
Read more

TryHackMe | Redline Walkthrough

Image
  Learn how to use Redline to perform memory analysis and to scan for IOCs on an endpoint. Link - https://tryhackme.com/room/btredlinejoxr3d Who created Redline? FireEye What data collection method takes the least amount of time? Standard Collector You are reading a research paper on a new strain of ransomware. You want to run the data collection on your computer based on the patterns provided, such as domains, hashes, IP addresses, filenames, etc. What method would you choose to run a granular data collection against the known indicators? IOC Search Collector What script would you run to initiate the data collection process? Please include the file extension. RunRedlineAudit.bat If you want to collect the data on Disks and Volumes, under which option can you find it? Disk Enumeration What cache does Windows use to maintain a preference for recently executed code? Prefetch Where in the Redline UI can you view information about the Logged in User? System Information Provide the Operatin
Read more

TryHackMe | Wireshark: The Basics Walkthrough

Image
  Learn the basics of Wireshark and how to analyse protocols and PCAPs. Link- https://tryhackme.com/room/wiresharkthebasics Which file is used to simulate the screenshots? http1.pcapng Which file is used to answer the questions? Exercise.pcapng Use the “Exercise.pcapng” file to answer the questions. Read the “capture file comments”. What is the flag? TryHackMe_Wireshark_Demo What is the total number of packets? 58620 What is the SHA256 hash value of the capture file? f446de335565fb0b0ee5e5a3266703c778b2f3dfad7efeaeccb2da5641a6d6eb Use the “Exercise.pcapng” file to answer the questions. View packet number 38. Which markup language is used under the HTTP protocol? extensible markup language What is the arrival date of the packet? (Answer format: Month/Day/Year) 05/13/2004 What is the TTL value? 47 What is the TCP payload size? 424 What is the e-tag value? Follow HTTP Stream 9a01a-4696–7e354b00 Use the “Exercise.pcapng” file to answer the questions. Search the “r4w” string in packet detai
Read more