TShark Challenge II: Directory
Last updated
Last updated
This room presents you with a challenge to investigate some traffic data as a part of the SOC team. Let's start working with TShark to analyse the captured traffic. We recommend completing the TShark: The Basics and TShark: CLI Wireshark Features rooms first, which will teach you how to use the tool in depth.
Start the VM by pressing the green Start Machine button in this task. The machine will start in split view, so you don't need SSH or RDP. In case the machine does not appear, you can click the blue Show Split View button located at the top of this room.
NOTE: Exercise files contain real examples. DO NOT interact with them outside of the given VM. Direct interaction with samples and their contents (files, domains, and IP addresses) outside the given VM can pose security threats to your machine.
An alert has been triggered: "A user came across a poor file index, and their curiosity led to problems".
The case was assigned to you. Inspect the provided directory-curiosity.pcap located in ~/Desktop/exercise-files
and retrieve the artefacts to confirm that this alert is a true positive.
Your tools: TShark, VirusTotal.
1) What is the name of the malicious/suspicious domain?
Answer: jx2-bavuong[.]com
2) What is the total number of HTTP requests sent to the malicious domain?
Answer: 14
3) What is the IP address associated with the malicious domain?
Answer: 141[.]164[.]41[.]174
4) What is the server info of the suspicious domain?
Answer: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
5) Follow the "first TCP stream" in "ASCII". What is the number of listed files?
Answer: 3
6) What is the filename of the first file?
Answer: 123.php
7) What is the name of the downloaded executable file?
Answer: vlauto[.]exe
8) What is the SHA256 value of the malicious file?
Answer: b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de
9) Search the SHA256 value of the file on VirtusTotal. What is the "PEiD packer" value?
Answer: .NET executable
10) What does the "Lastline Sandbox" flag this as?
Answer: MALWARE TROJAN