Compromised

Sherlock Scenario

Our SOC team detected suspicious activity in Network Traffic, the machine has been compromised and company information that should not have been there has now been stolen – it’s up to you to figure out what has happened and what data has been taken.

Q1) What is the IP address used for initial access?

Let's capture only SYN packets, those representing the first step in a TCP handshake that do not include an ACK flag, indicating an initial connection request.

ip.src != ip.dst && (tcp.flags.syn == 1 && tcp.flags.ack == 0)

Let's filter by this IP.

(ip.src == 162.252.172.54 or ip.dst == 162.252.172.54) and http

Next, we will trace the HTTP stream for further analysis.

Answer: 162.252.172.54

Q2) What is the SHA256 hash of the malware?

From File > Export Objects > HTTP

Or using tshark.

tshark -r capture.pcap --export-objects http,exported_files

sha256sum 6ctf5JL

Answer: 9b8ffdc8ba2b2caa485cca56a82b2dcbd251f65fb30bc88f0ac3da6704e4d3c6

Q3) What is the Family label of the malware?

Let's perform a search on VirusTotal using the hash value.

Answer: Pikabot

Q4) When was the malware first seen in the wild (UTC)?

Answer: 2023-05-19 14:01:21

Q5) The malware used HTTPS traffic with a self-signed certificate. What are the ports, from smallest to largest?

HTTPS traffic uses SSL/TLS, typically on port 443, but malware may use non-standard ports. We need to list all TCP ports involved in SSL/TLS traffic.

Self-signed certificates are exchanged during the TLS handshake (Client Hello, Server Hello, Certificate). To identify self-signed certificates, we need to inspect the TLS certificate packets. Let's list TLS Handshake Packets with Certificates:

tshark -r capture.pcap -Y "ssl.handshake.certificate" -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport

Answer: 2078, 2222, 32999

Q6) What is the id-at-localityName of the self-signed certificate associated with the first malicious IP?

Let's apply a filter using the first IP address listed above: 45.85.235.39.

ip.addr == 45.85.235.39 and tls.handshake.certificate

We can also do this using tshark.

tshark -r capture.pcap -Y "ip.addr == 45.85.235.39 and ssl.handshake.certificate" -T fields -e ssl.handshake.certificate | xxd -r -p | openssl x509 -text -noout

Answer: Pyopneumopericardium

Q7) What is the notBefore time(UTC) for this self-signed certificate?

Or using tshark.

Answer: 2023-05-14 08:36:52

Q8) What was the domain used for tunneling?