SteelCoffee - Traffic Analysis Exercise

Scenario:

segment range:  10.0.0.0/24 (10.0.0.0 through 10.0.0.255)
Domain :  steelcoffee.net
Domain controller:  10.0.0.10 - SteelCoffee-DC
LAN segment gateway:  10.0.0.1
LAN segment broadcast address:  10.0.0.255

Alerts:




Q1- Which two clients are Windows hosts, and what are the associated user account names?
  • 10.0.0.167 – DESKTOP-GRIONXA – elmer obrian
  • 10.0.0.149 – DESKTOP-C10SKPY – alyssa fitzgerald
After applying an SMB filter, two clients were identified as Windows hosts: "DESKTOP-C10SKPY" (10.0.0.149) and "DESKTOP-GRIONXA" (10.0.0.167). To determine the associated user account names, a Kerberos filter (traffic on port 88) was applied to each of those IP addresses. The client principal name in the Kerberos AS-REQ and TGS-REQ messages (the CNameString field in Wireshark) is sent in clear text; entries ending in "$" are machine accounts and can be ignored. For 10.0.0.149 the user account name is "alyssa fitzgerald", and for 10.0.0.167 it is "elmer obrian".



Q2- Which one of these two Windows clients was infected?
  • The Windows client 10.0.0.167 was infected with the malware. We can determine this from the alerts: 10.0.0.167 is the host receiving the malicious download in the 4th alert.
Q3- What type of malware was that Windows client infected with?
  • Qakbot or Qbot.

Notes:

  1. The alerts file above lists a number of alerts, but only one of them matters here: the 4th alert, "ET Malware Windows executable sent…".

  2. The alert shows the trigger was traffic from 119.31.234.40 port 80 to 10.0.0.167 port 51132. The rule fires when a Windows executable is sent while the remote host claims it is sending an image file.

  3. If we filter for the traffic on port 51132 and use Follow TCP Stream, the HTTP response declares an image Content-Type, but the body just below the headers starts with "MZ". "MZ" is the DOS header signature at the start of every PE file, so the payload is a Windows executable, not an image. (Further in, the "PE" signature at the offset stored at 0x3C confirms it.)
  4. Our next step is to locate this "image" file, export it to our Kali Linux machine and check its SHA-256. Going to File -> Export Objects -> HTTP and selecting the object from alphapioneer.com saves the supposed PNG file. alphapioneer.com is chosen because the screenshot above shows it as the Host header of the request.

  5. Next we check the SHA-256 of this file. I am using Kali Linux, so I open a terminal and use the command shasum -a 256 file.name (sha256sum file.name gives the same digest). The SHA-256 value is shown below.


  6. Now you can use app.any.run to check the hash, but I used VirusTotal. Once the hash is pasted in, the result shows that the malware is identified as Qbot.
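The checks in notes 3, 5 and 6 can be scripted for any response carved out of a TCP stream. The following is an added example, not code from the original write-up: it parses one raw HTTP response, compares the declared Content-Type against the file signature at the start of the body (the "MZ" check, followed through to the "PE" header it points at), and computes the SHA-256 of the body for a VirusTotal or app.any.run lookup. The two responses built at the bottom, the server name, and the PE-shaped body are constructed for the example; they are not bytes from the exercise capture.

```python
"""Added example (not part of the original write-up): triage of one HTTP
response carved out of a TCP stream. It checks whether the declared
Content-Type matches the file signature at the start of the body and
computes the SHA-256 of the body. All sample bytes below are constructed."""
import hashlib
import struct

# Magic bytes -> label. "MZ" is the DOS header every PE file begins with.
MAGIC = {
    b"MZ": "pe-executable",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
}


def parse_http_response(raw: bytes):
    """Split a raw HTTP response into (status line, {header: value}, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in response")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    return lines[0].decode("latin-1"), headers, body


def sniff_type(body: bytes) -> str:
    """Identify the body by its magic bytes. For "MZ", follow e_lfanew (the
    4-byte little-endian offset at 0x3C) and confirm "PE\\0\\0" is there."""
    for magic, label in MAGIC.items():
        if not body.startswith(magic):
            continue
        if label != "pe-executable":
            return label
        if len(body) >= 0x40:
            pe_off = struct.unpack_from("<I", body, 0x3C)[0]
            if body[pe_off:pe_off + 4] == b"PE\x00\x00":
                return label
        return "mz-stub-only"
    return "unknown"


def sha256_hex(data: bytes) -> str:
    """Same digest that `shasum -a 256` / `sha256sum` prints for the exported file."""
    return hashlib.sha256(data).hexdigest()


def triage_response(raw: bytes) -> dict:
    """Declared vs. actual type, whether they conflict the way the ET rule
    describes (image claimed, executable delivered), size and SHA-256."""
    status, headers, body = parse_http_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff_type(body)
    mismatch = declared.startswith("image/") and actual in ("pe-executable", "mz-stub-only")
    return {
        "status": status,
        "declared": declared,
        "actual": actual,
        "mismatch": mismatch,
        "size": len(body),
        "sha256": sha256_hex(body),
    }


def fake_pe_body() -> bytes:
    """Constructed PE-shaped body: "MZ", e_lfanew = 0x40 stored at offset 0x3C,
    "PE\\0\\0" at 0x40, then padding. Not a real or runnable executable."""
    return b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 32


def http_response(content_type: bytes, body: bytes) -> bytes:
    """Constructed 200 OK response wrapping the body (server header is made up)."""
    return (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: " + content_type
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed samples: an executable delivered as a "PNG", and a genuine PNG header.
EXE_AS_IMAGE = http_response(b"image/png", fake_pe_body())
REAL_PNG = http_response(b"image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)

if __name__ == "__main__":
    for name, raw in (("exe-as-image", EXE_AS_IMAGE), ("real-png", REAL_PNG)):
        r = triage_response(raw)
        print(f"{name}: declared={r['declared']} actual={r['actual']} "
              f"mismatch={r['mismatch']} sha256={r['sha256']}")
```

On a real capture, feed `triage_response` the server-to-client bytes of the stream (for example the raw output of Follow TCP Stream saved in "Raw" mode, or the object saved via Export Objects with its headers), and look up the printed SHA-256 rather than the file name, since the name and Content-Type are controlled by the attacker.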