# TShark Challenge II: Directory

## Introduction

This room presents you with a challenge to investigate some traffic data as a part of the SOC team. Let's start working with TShark to analyse the captured traffic. We recommend completing the [TShark: The Basics](https://tryhackme.com/room/tsharkthebasics) and [TShark: CLI Wireshark Features](https://tryhackme.com/room/tsharkcliwiresharkfeatures) rooms first, which will teach you how to use the tool in depth.

Start the VM by pressing the green Start Machine button in this task. The machine will start in split view, so you don't need SSH or RDP. In case the machine does not appear, you can click the blue Show Split View button located at the top of this room.

NOTE: Exercise files contain real examples. DO NOT interact with them outside of the given VM. Direct interaction with samples and their contents (files, domains, and IP addresses) outside the given VM can pose security threats to your machine.

## Case: Directory Curiosity!

An alert has been triggered: "A user came across a poor file index, and their curiosity led to problems".

The case was assigned to you. Inspect the provided directory-curiosity.pcap located in `~/Desktop/exercise-files` and retrieve the artefacts to confirm that this alert is a true positive.

Your tools: TShark, [VirusTotal](https://www.virustotal.com/).

### Q & A

1\) What is the name of the malicious/suspicious domain?

```
tshark -r directory-curiosity.pcap -Y "dns.qry.type == 1"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FDM6O8GKfrOa6a5Dnyod5%2FScreenshot(49).png?alt=media&#x26;token=e90c0f22-7179-4f9f-bc3d-a880cbd44f16" alt=""><figcaption></figcaption></figure>

Answer:  jx2-bavuong\[.]com

2\) What is the total number of HTTP requests sent to the malicious domain?

```
tshark -r directory-curiosity.pcap -Y 'http.request.full_uri contains "jx2-bavuong.com"' -T fields -e http.request.full_uri | wc -l
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FN7m4oA1n9nbD6RzDJOSg%2FScreenshot(52).png?alt=media&#x26;token=30aea4c2-f058-4594-97b4-68bfb97554db" alt=""><figcaption></figcaption></figure>

Answer:  14

3\) What is the IP address associated with the malicious domain?

```
tshark -r directory-curiosity.pcap -Y 'dns.qry.name == "jx2-bavuong.com"' -T fields -e dns.qry.name -e dns.a
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FlRvraFtBaJAJaGGa5kaF%2FScreenshot(53).png?alt=media&#x26;token=6afb0274-970d-421a-81ff-aa5c2f4a612b" alt=""><figcaption></figcaption></figure>

Answer:  141\[.]164\[.]41\[.]174

4\) What is the server info of the suspicious domain?

```
tshark -r directory-curiosity.pcap -Y 'http contains "jx2-bavuong.com"' -T fields -e http.server | sort | uniq
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FXLIGfTPIyvlgYdUBH4XT%2FScreenshot(54).png?alt=media&#x26;token=0ee9013c-c704-4869-b12e-0bf32ce33223" alt=""><figcaption></figcaption></figure>

Answer:  Apache/2.2.11 (Win32) DAV/2 mod\_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9

5\) Follow the "first TCP stream" in "ASCII". What is the number of listed files?

```
tshark -r directory-curiosity.pcap -z follow,tcp,ascii,0 -q
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FbtsaoDPSVaPQvEm7kHnu%2FScreenshot(55).png?alt=media&#x26;token=52d89789-8d27-43ce-ac02-b9fd4be45a11" alt=""><figcaption></figcaption></figure>

Answer:  3

6\) What is the filename of the first file?

Answer:  123.php

7\) What is the name of the downloaded executable file?

```
tshark -r directory-curiosity.pcap -Y 'http.request.full_uri contains "jx2-bavuong.com"' -T fields -e http.request.full_uri
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FdcJoRt2JK57QRv9z513F%2FScreenshot(56).png?alt=media&#x26;token=8374c139-a1a7-4c1d-853f-5fdcf01d8168" alt=""><figcaption></figcaption></figure>

Answer:  vlauto\[.]exe

8\) What is the SHA256 value of the malicious file?

```
tshark -r directory-curiosity.pcap --export-objects http,./extracted-files
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FXNxEnY3xWfoCBUFTmvhi%2FScreenshot(57).png?alt=media&#x26;token=cd12f210-96d6-43d4-a3e4-1bc63a3e9157" alt=""><figcaption></figcaption></figure>

Answer:  b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de

9\) Search the SHA256 value of the file on VirusTotal. What is the "PEiD packer" value?

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FfDUBe3eZWIEGbAQk2H9E%2FScreenshot(58).png?alt=media&#x26;token=faacdb63-a4eb-4e71-956b-0dbb5b5f39bf" alt=""><figcaption></figcaption></figure>

Answer:  .NET executable

10\) What does the "Lastline Sandbox" flag this as?

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F5eEYvh6KcgLsVEmaqGkK%2FScreenshot%20(1).png?alt=media&#x26;token=92565209-3018-43c9-8a41-0186e0cd7d72" alt=""><figcaption></figcaption></figure>

Answer:  MALWARE TROJAN
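The questions above are really one triage procedure: resolve the domain, count the requests, spot the executable, export and hash it. The helper script below is an added example (not part of the room) that wraps tshark's `-T fields` output in reusable functions so the same artefacts can be pulled from any capture and reported defanged; it assumes `tshark` and `sha256sum` are on PATH, and the pcap path and output directory are arguments you supply.

```shell
#!/bin/sh
# Added triage helpers (not from the room). Each text function reads tshark
# "-T fields" output on stdin, so it can be tested on constructed lines.

# Defang a domain or IP for the report: jx2-bavuong.com -> jx2-bavuong[.]com
defang() {
    printf '%s\n' "$1" | sed 's/\./[.]/g'
}

# Count HTTP requests to a host. stdin: one http.request.full_uri per line, from
#   tshark -r file.pcap -Y http.request -T fields -e http.request.full_uri
count_requests() {
    grep -c -F -- "$1" || true   # grep -c exits 1 on zero matches; keep going
}

# Pick out executable downloads (URIs ending in .exe) and print their filenames.
exe_downloads() {
    grep -i -E '\.exe$' | sed 's#.*/##' | sort -u || true
}

# stdin: "dns.qry.name<TAB>dns.a" lines, from
#   tshark -r file.pcap -Y "dns.flags.response == 1" -T fields -e dns.qry.name -e dns.a
# tshark joins several A records with commas, so split them before printing.
dns_answers() {
    awk -F'\t' -v d="$1" '$1 == d && $2 != "" { n = split($2, a, ","); for (i = 1; i <= n; i++) print a[i] }' | sort -u
}

# Full run against a capture (needs tshark; the paths here are assumptions).
triage_pcap() {
    pcap=$1; host=$2; out=${3:-./extracted-files}
    echo "domain:   $(defang "$host")"
    tshark -r "$pcap" -Y "dns.flags.response == 1" -T fields -e dns.qry.name -e dns.a \
        | dns_answers "$host" | while read -r ip; do echo "resolves: $(defang "$ip")"; done
    tshark -r "$pcap" -Y http.request -T fields -e http.request.full_uri > "$out.uris"
    echo "requests: $(count_requests "$host" < "$out.uris")"
    echo "exe:      $(exe_downloads < "$out.uris")"
    # Export the HTTP objects and hash them; the hashes are what you look up on VirusTotal.
    tshark -r "$pcap" -q --export-objects "http,$out"
    find "$out" -type f -exec sha256sum {} +
}
```

Run it as `triage_pcap directory-curiosity.pcap jx2-bavuong.com` from the exercise directory to get the defanged summary plus a hash line per exported object.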
