TShark Challenge II: Directory

Introduction

This room presents you with a challenge to investigate some traffic data as a part of the SOC team. Let's start working with TShark to analyse the captured traffic. We recommend completing the TShark: The Basics and TShark: CLI Wireshark Features rooms first, which will teach you how to use the tool in depth.

Start the VM by pressing the green Start Machine button in this task. The machine will start in split view, so you don't need SSH or RDP. In case the machine does not appear, you can click the blue Show Split View button located at the top of this room.

NOTE: Exercise files contain real examples. DO NOT interact with them outside of the given VM. Direct interaction with samples and their contents (files, domains, and IP addresses) outside the given VM can pose security threats to your machine.

Case: Directory Curiosity!

An alert has been triggered: "A user came across a poor file index, and their curiosity led to problems".

The case was assigned to you. Inspect the provided directory-curiosity.pcap located in ~/Desktop/exercise-files and retrieve the artefacts to confirm that this alert is a true positive.

Your tools: TShark, VirusTotal.

Q & A

1) What is the name of the malicious/suspicious domain?

tshark -r directory-curiosity.pcap -Y "dns.qry.type == 1"

Answer: jx2-bavuong[.]com

2) What is the total number of HTTP requests sent to the malicious domain?

tshark -r directory-curiosity.pcap -Y 'http.request.full_uri contains "jx2-bavuong.com"' -T fields -e http.request.full_uri | wc -l

Answer: 14

3) What is the IP address associated with the malicious domain?

tshark -r directory-curiosity.pcap -Y 'dns.qry.name =="jx2-bavuong.com" ' -T fields -e dns.qry.name -e dns.a

Answer: 141[.]164[.]41[.]174

4) What is the server info of the suspicious domain?

tshark -r directory-curiosity.pcap -Y 'http contains "jx2-bavuong.com"' -T fields -e http.server | sort | uniq

Answer: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9

5) Follow the "first TCP stream" in "ASCII". What is the number of listed files?

tshark -r directory-curiosity.pcap  -z follow,tcp,ascii,0 -q

Answer: 3

6) What is the filename of the first file?

Answer: 123.php

7) What is the name of the downloaded executable file?

tshark -r directory-curiosity.pcap -Y 'http.request.full_uri contains "jx2-bavuong.com"' -T fields -e http.request.full_uri

Answer: vlauto[.]exe

8) What is the SHA256 value of the malicious file?

tshark -r directory-curiosity.pcap --export-objects http,./extracted-files

Answer: b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de

9) Search the SHA256 value of the file on VirtusTotal. What is the "PEiD packer" value?

Answer: .NET executable

10) What does the "Lastline Sandbox" flag this as?

Answer: MALWARE TROJAN

PreviousTShark Challenge I: Teamwork NextTempest

Last updated 21 days ago