Carnage

https://tryhackme.com/room/c2carnage Apply your analytical skills to analyze the malicious network traffic using Wireshark.

What was the date and time for the first HTTP connection to the malicious IP?

To get this we need to change the time display format to something human readable. View > Time Display Format > UTC Date and Time of day. Then filter HTTP connections, I’ve already found the zip and http host using Statistics > HTTP > Requests.

What is the name of the zip file that was downloaded?

• filter http.host == "attirenepal.com"

What was the domain hosting the malicious zip file?

• filter http.host == "attirenepal.com"

Without downloading the file, what is the name of the file in the zip file?

• Follow the TCP Stream chart-1530076591.xls

What is the name of the webserver of the malicious IP from which the zip file was downloaded?

• I searched for the xls file in the strings and then used tcp.stream eq 73 to find the webserver LiteSpeed

What is the version of the webserver from the previous question?

• Same as previous question x-powered-by: PHP/7.2.34

Malicious files were downloaded to the victim host from multiple domains. What were the three domains involved with this activity?

• View - Name Resolution - Resolve network addresses this is disabled by default but will allows wireshark to turn the IP and macs into actual Names we can understand. here we can pick up the malicious file domains.

• finejewels.com.au
• thietbiagt.com
• new.americold.com

I am completely unsure how these are actual domains that downloaded malicious files and cant find an answer on how to determine that, maybe in the future I will know.

Which certificate authority issued the SSL certificate to the first domain from the previous question?

• tcp.stream eq 90 shows us godaddy

What are the two IP addresses of the Cobalt Strike servers?

• Statistics > Conversations > TCP Tab then we can look for patterns and check with virustotal for C2 Servers. I found 185.106.96.158 to be sus as its sending 4 packets over and over with the same size, virustotal confirms a C2 server. the other server was running on 8080 @ 185.125.204.174. Im nore sure about the pattern here or how to decipher if its a c2 server I just started plastering virustotal with all of the IP’s hoping to find something.

What is the Host header for the first Cobalt Strike IP address from the previous question?

I found this by using ip.addr == 185.106.96.158 then following the TCP stream

What is the domain name for the first IP address of the Cobalt Strike server? You may use VirusTotal to confirm if it’s the Cobalt Strike server (check the Community tab).

• We already have the name resolution turned on so the domain name should show up under Source survmeter.live

What is the domain name of the second Cobalt Strike server IP? You may use VirusTotal to confirm if it’s the Cobalt Strike server (check the Community tab).

• same as previous question just filter the ip.addr to find thew domain name.

What is the domain name of the post-infection traffic?

• maldivehost.net

What are the first eleven characters that the victim host sends out to the malicious domain involved in the post-infection traffic?

• this is what is being POSTed int he TCP/HTTP stream

What was the length for the first packet sent out to the C2 server?

• We can see the packet length of pacted 3822 from the previous qustion.

What was the Server header for the malicious domain from the previous question?

• We can pull this from the HTTP Stream of the previous question.

The malware used an API to check for the IP address of the victim’s machine. What was the date and time when the DNS query for the IP check domain occurred? (answer format: yyyy-mm-dd hh:mm:ss UTC)

I had to get help for this: Since our question is asking to take a look at DNS queries that use an API to check for the IP addresses on the victim workstation, we can filter our packet to DNS alongside with our packet to contain the word “api”. Our filter should look like this: dns && frame contains “api” The packet 24147 is the answer.

What was the domain in the DNS query from the previous question?

• api.ipify.org

Looks like there was some malicious spam (malspam) activity going on. What was the first MAIL FROM address observed in the traffic?

remove all filters, search MAIL FROM - FROM:<farshin@mailfa.com>

How many packets were observed for the SMTP traffic?

Statistics - Protocol Heirarchy.