BeguileSoft - Traffic Analysis Exercise

2019-05-02 MALWARE TRAFFIC ANALYSIS ANSWER WITH EXPLANATION

Note - Drop a comment if you require the pcap file. In order to follow the community guidelines I cannot post the link here.

Executive summary

On 2019-05-02 at 21:36 UTC, a Windows host used by Adriana Breaux was infected with Hawkeye Keylogger.

Event List

Shown above: Alerts on the traffic from this pcap file.

Details of infected host

1. IP address - 10.0.0.227

2. Host name - Breaux-Win7-PC

   To determine the hostname, filter for DNS and look for the hostname in the packets.

3. MAC address - 84:8f:69:09:86:c0

4. Windows user account name - Adriana.breaux

   To determine this, filter for frames containing the hostname (frame contains "Breaux"). In one of the packets we see the account username.



Indicators of Compromise

1. 104.16.154.36 port 80 - whatismyipaddress.com - HTTP GET / HTTP/1.1

2. 145.14.144.10 port 21 - 000webhost.com - FTP control channel

3. 145.14.145.99 port 21 - 000webhost.com - FTP control channel



Notes:

None of these IOCs is inherently malicious. The HTTP request to whatismyipaddress.com is not necessarily an IOC on its own. In this scenario, the Hawkeye keylogger stores the stolen usernames and passwords on an FTP server hosted through 000webhost.com.

• If we use the filter ftp.request.command eq USER or ftp.request.command eq PASS or ftp.request.command eq STOR, we can see the Hawkeye keylogger in action.


• If we filter on ftp-data and follow the TCP stream of the first packet, we can see the stolen passwords along with the host name and other relevant information.


• If we filter for ftp.request.command eq STOR, we see two JPEG files being stored.


• We can also go to File > Export Objects > FTP-DATA and download every file transferred over FTP in this packet capture. The JPEG files are shown below.
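The USER/PASS/STOR pattern the filters above isolate by hand can also be checked programmatically. The following is an added example, not part of the original write-up: it groups FTP control-channel requests per client/server pair and flags internal hosts that authenticate and then upload files, the behaviour seen from 10.0.0.227 in this capture. The request records are constructed here; the credentials and file names are placeholders, and the field names in the comment assume Wireshark's ftp.request.command and ftp.request.arg fields.

```python
# Added example: detect "log in, then STOR" FTP sessions from an internal host,
# the Hawkeye exfiltration pattern described in the write-up.
# Records are constructed for this example; in practice they would be produced by
# tshark -Y ftp.request -T fields -e ip.src -e ip.dst -e tcp.dstport
#        -e ftp.request.command -e ftp.request.arg
from collections import defaultdict

# Constructed sample: (src_ip, dst_ip, dst_port, command, argument)
SAMPLE_FTP_REQUESTS = [
    ("10.0.0.227", "145.14.144.10", 21, "USER", "example_user"),   # placeholder
    ("10.0.0.227", "145.14.144.10", 21, "PASS", "example_pass"),   # placeholder
    ("10.0.0.227", "145.14.144.10", 21, "TYPE", "I"),
    ("10.0.0.227", "145.14.144.10", 21, "PASV", ""),
    ("10.0.0.227", "145.14.144.10", 21, "STOR", "screenshot_1.jpeg"),
    ("10.0.0.227", "145.14.145.99", 21, "USER", "example_user"),
    ("10.0.0.227", "145.14.145.99", 21, "PASS", "example_pass"),
    ("10.0.0.227", "145.14.145.99", 21, "STOR", "screenshot_2.jpeg"),
    ("10.0.0.50",  "192.0.2.10",    21, "USER", "anonymous"),       # benign download
    ("10.0.0.50",  "192.0.2.10",    21, "RETR", "readme.txt"),
]

def find_exfil_sessions(requests, internal_prefix="10."):
    """Group FTP requests by (client, server) and return the pairs where an
    internal client sent USER and PASS and then uploaded with STOR.
    Returns {(src, dst): [uploaded file names]}."""
    sessions = defaultdict(lambda: {"user": False, "pass": False, "stor": []})
    for src, dst, port, cmd, arg in requests:
        if port != 21 or not src.startswith(internal_prefix):
            continue                      # only outbound FTP control traffic
        s = sessions[(src, dst)]
        if cmd == "USER":
            s["user"] = True
        elif cmd == "PASS":
            s["pass"] = True
        elif cmd == "STOR" and s["user"] and s["pass"]:
            s["stor"].append(arg)         # upload after a completed login
    return {k: v["stor"] for k, v in sessions.items() if v["stor"]}

def summarize(requests):
    """One finding per flagged session, in the style of an IOC list."""
    return [f"{src} -> {dst}:21 uploaded {len(files)} file(s): {', '.join(files)}"
            for (src, dst), files in sorted(find_exfil_sessions(requests).items())]

if __name__ == "__main__":
    for line in summarize(SAMPLE_FTP_REQUESTS):
        print(line)
```

Both 000webhost destinations are reported, while the anonymous RETR session is ignored because it never uploads anything.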




Conclusion

In summary, the traffic analysis on 2019-05-02 revealed a Hawkeye Keylogger infection on Adriana Breaux's Windows host (IP: 10.0.0.227). Indicators of Compromise included connections to 000webhost.com on port 21 and an HTTP request to whatismyipaddress.com. The Hawkeye keylogger, observed through FTP commands, exposed stolen passwords and file uploads, highlighting a security breach. Immediate remediation and heightened cybersecurity measures are recommended to address the identified vulnerabilities and prevent future incidents.


