Introduction
We covered how to analyze and conduct network forensics on pcap files with Brim. We also demonstrated how to analyze packet captures with Brim to investigate malware activity. This was part two of TryHackMe MasterMinds.
Three machines in the Finance department at Pfeffer PLC were compromised. We suspect the initial source of the compromise happened through a phishing attempt and by an infected USB drive. The Incident Response team managed to pull the network traffic logs from the endpoints. Use Brim to investigate the network traffic for any indicators of an attack and determine who stands behind the attacks.
Analyzing the First Infection (infection2.pcap)
First, I load up the infection2.pcap file into Brim. My initial goal is to identify the victim’s machine. By looking at the source and destination IP addresses, I can see that one internal IP address, 192.168.75.146, is showing up a lot as the source of the traffic. That’s my prime suspect.
With the victim identified, I start looking at what it was doing. I filter for HTTP POST requests and find that the victim machine made three POST connections to the IP address 151.81.146.156. I also see that a binary file named api_nes.exe was downloaded from the domain hypercustom.top, which is hosted at that same IP address.
Brim’s integration with Suricata, an Intrusion Detection System (IDS), is super helpful here. Suricata has flagged two “network trojan” alerts, both originating from my victim machine. One was to the external IP I already found, and the other was to the local gateway. Using the domain name hypercustom.top and a quick search on the URLhaus database, I’m able to identify the malware as the RedLine Stealer trojan.
Investigating the Second Infection (infection3.pcap)
Next, I move on to the infection3.pcap file. Following the same process, I identify the new victim’s IP address as 192.168.75.232.
This time, I see connections to three different Command and Control (C2) domains, all ending in .ru. These domains resolve to the IP addresses 185.159.153.10, 185.159.153.11, and 185.159.153.12.
I dig a little deeper and find that there were two unique DNS queries made to the first IP address, and a total of five binaries were downloaded from the domain associated with it. I can even see the user agent that was used for the downloads: a Chrome browser on a Mac.
Finally, I want to get a sense of the overall DNS activity. A quick query in Brim shows me that a total of 986 DNS connections were made in this capture. With a bit of Googling (and being careful not to visit any .ru sites directly), I’m able to identify the worm associated with the C2 domains as Gootkit.
And that’s how I use Brim to dissect a network infection, from identifying the victim to pinpointing the exact type of malware they’re dealing with.
Brim Queries
While most of my work was done through the Brim GUI, I did use a couple of queries to get specific information:
_path=dns | count() by query | sort : This query counts the different types of DNS queries and sorts them.
_path=dns | count() : This gives me the total count of all DNS events in the capture.
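To make the triage steps above reproducible outside the Brim GUI, here is an added Python example (not part of the original writeup and not Brim or Zeek code) that runs the same logic over Zeek-style JSON records: pick the internal source address that appears most often, count POST requests from it to a given server, list executable downloads with the hosting IP and user agent, and reproduce the two Brim queries from this section (count by DNS query name, and total DNS events). The records, URI path and counts are constructed for the demo; only the IPs and hostname mirror the writeup, and the flattened "id.orig_h"/"id.resp_h" key names are the assumed Zeek JSON layout.

```python
import json
from collections import Counter
from ipaddress import ip_address

# Constructed sample records (NOT from the room's capture), one JSON object per line
# as Zeek's JSON logs emit them; Brim shows the same event types (_path conn/http/dns).
# IPs and hostname mirror the writeup; the URI path and the counts are made up.
SAMPLE_LOG = """\
{"_path":"conn","id.orig_h":"192.168.75.146","id.resp_h":"151.81.146.156"}
{"_path":"conn","id.orig_h":"192.168.75.146","id.resp_h":"192.168.75.2"}
{"_path":"conn","id.orig_h":"192.168.75.146","id.resp_h":"151.81.146.156"}
{"_path":"conn","id.orig_h":"192.168.75.2","id.resp_h":"192.168.75.146"}
{"_path":"conn","id.orig_h":"8.8.8.8","id.resp_h":"192.168.75.146"}
{"_path":"http","id.orig_h":"192.168.75.146","id.resp_h":"151.81.146.156","method":"POST","host":"hypercustom.top","uri":"/api/","user_agent":"Mozilla/5.0"}
{"_path":"http","id.orig_h":"192.168.75.146","id.resp_h":"151.81.146.156","method":"POST","host":"hypercustom.top","uri":"/api/","user_agent":"Mozilla/5.0"}
{"_path":"http","id.orig_h":"192.168.75.146","id.resp_h":"151.81.146.156","method":"GET","host":"hypercustom.top","uri":"/downloads/api_nes.exe","user_agent":"Mozilla/5.0"}
{"_path":"dns","id.orig_h":"192.168.75.146","query":"hypercustom.top"}
{"_path":"dns","id.orig_h":"192.168.75.146","query":"HYPERCUSTOM.TOP"}
{"_path":"dns","id.orig_h":"192.168.75.146","query":"example.com"}
"""


def parse_records(text):
    """Parse NDJSON text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_victim(records):
    """Return the private (RFC 1918) address that most often originates conn events.
    This is the 'which internal IP keeps showing up as the source' step."""
    origins = Counter(
        r["id.orig_h"] for r in records
        if r["_path"] == "conn" and ip_address(r["id.orig_h"]).is_private
    )
    return origins.most_common(1)[0][0] if origins else None


def count_posts(records, victim, dest):
    """Number of HTTP POST requests from victim to dest."""
    return sum(
        1 for r in records
        if r["_path"] == "http" and r["method"] == "POST"
        and r["id.orig_h"] == victim and r["id.resp_h"] == dest
    )


def downloaded_executables(records):
    """(host, uri, server IP, user agent) for every HTTP GET whose URI ends in .exe."""
    return [
        (r["host"], r["uri"], r["id.resp_h"], r["user_agent"])
        for r in records
        if r["_path"] == "http" and r["method"] == "GET"
        and r["uri"].lower().endswith(".exe")
    ]


def dns_count_by_query(records, fold_case=False):
    """Equivalent of '_path=dns | count() by query', sorted by count (desc) then name.
    fold_case=True merges 'host' and 'HOST' (the capitalised-domain variant the room
    asks about); the Brim query itself is case-sensitive, like fold_case=False."""
    names = Counter(
        r["query"].lower() if fold_case else r["query"]
        for r in records if r["_path"] == "dns"
    )
    return sorted(names.items(), key=lambda kv: (-kv[1], kv[0]))


def dns_total(records):
    """Equivalent of '_path=dns | count()'."""
    return sum(1 for r in records if r["_path"] == "dns")


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    victim = find_victim(recs)
    print("victim:", victim)
    print("POSTs to 151.81.146.156:", count_posts(recs, victim, "151.81.146.156"))
    for host, uri, ip, ua in downloaded_executables(recs):
        print(f"binary: http://{host}{uri} served by {ip} (UA: {ua})")
    print("dns by query:", dns_count_by_query(recs))
    print("dns by query (case-folded):", dns_count_by_query(recs, fold_case=True))
    print("dns total:", dns_total(recs))
```

Note the case-folding switch: Brim’s count() by query treats hypercustom.top and HYPERCUSTOM.TOP as two distinct groups, which is why the room’s DNS question says to include the capitalized domain; folding case before counting gives the merged figure in one pass.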
TryHackMe MasterMinds Answers
Start by loading the Infection1 packet capture in Brim to investigate the compromise event for the first machine. All the PCAPs can be found here: /home/ubuntu/Desktop/PCAPs
Provide the victim’s IP address.
The victim made a successful HTTP connection to one of the domains and received the response_body_len of 1,309 (uncompressed content size of the data transferred from the server). Provide the domain and the destination IP address.
How many unique DNS requests were made to cab[.]myfkn[.]com domain (including the capitalized domain)?
Provide the URI of the domain bhaktivrind[.]com that the victim reached out over HTTP.
Provide the IP address of the malicious server and the executable that the victim downloaded from the server.
Please, navigate to the Infection2 packet capture in Brim to investigate the compromise event for the second machine.
Provide the IP address of the victim machine.
How many POST connections were made to the IP address in the previous question?
Provide the domain where the binary was downloaded from.
Provide the name of the binary including the full URI.
Provide the IP address of the domain that hosts the binary.
There were 2 Suricata “A Network Trojan was detected” alerts. What were the source and destination IP addresses?
Taking a look at .top domain in HTTP requests, provide the name of the stealer (Trojan that gathers information from a system) involved in this packet capture using URLhaus Database.
Provide the IP address of the victim machine.
How many unique DNS queries were made to the domain associated with the first IP address from the previous answer?
How many binaries were downloaded from the above domain in total?
Provide the user-agent listed to download the binaries.
Provide the amount of DNS connections made in total for this packet capture.
With some OSINT skills, provide the name of the worm using the first domain you have managed to collect from Question 2. (Please use quotation marks for Google searches, don’t use .ru in your search, and DO NOT interact with the domain directly).