Trident Lab

Q1) The attacker conducted a port scan on the victim machine. How many open ports did the attacker find?

tcp.flags.syn == 1 && tcp.flags.ack == 0

The attacker's IP address is 192.168.112.128. If the victim responds to an open port, it will reply with packets containing the SYN and ACK flags. Let's filter for these responses.

tcp.flags.syn == 1 && tcp.flags.ack == 1 && ip.dst == 192.168.112.128

Or using NetworkMiner.

Answer: 7

Q2) What is the victim's email address?

smtp

Or using NetworkMiner.

Answer: joshua@cyberdefenders.org

Q3) The malicious document file contains a URL to a malicious HTML file. Provide the URL for this file.

http.request.method == GET and ip.dst == 192.168.112.128

Answer: http://192.168.112.128/word.html

Q4) What is the Microsoft Office version installed on the victim machine?

Answer: 15.0.4517

Q5) The malicious HTML contains a js code that points to a malicious CAB file. Provide the URL to the CAB file?

http.request.method == GET and ip.dst == 192.168.112.128

Alternatively, we can download the file and perform a search within it.

grep -i ".cab" word.html

Answer: http://192.168.112.128/word.cab

Q6) The exploit takes advantage of a CAB vulnerability. Provide the vulnerability name?

From https://github.com/klezVirus/CVE-2021-40444

Answer: zipslip

Q7) Analyzing the dll file what is the API used to write the shellcode in the process memory?

strings word.cab

Answer: WriteProcessMemory