Blue Team | Investigating Malware and Spam with Wireshark
We covered a analyzing an incident with Wireshark. We used Wireshark filters to investigate and reveal malware and its activity.
Subscribe to my YouTube channel membership to receive cybersecurity notes. It includes notes about wireshark as well.
Eric Fischer from the Purchasing Department at Bartell Ltd has received an email from a known contact with a Word document attachment. Upon opening the document, he accidentally clicked on “Enable Content.” The SOC Department immediately received an alert from the endpoint agent that Eric’s workstation was making suspicious connections outbound. The pcap was retrieved from the network sensor and handed to you for analysis.
Task: Investigate the packet capture and uncover the malicious activities.
*Credit goes to Brad Duncan for capturing the traffic and sharing the pcap packet capture with InfoSec community.
What was the date and time for the first HTTP connection to the malicious IP?
(answer format: yyyy-mm-dd hh:mm:ss)
What is the name of the zip file that was downloaded?
Without downloading the file, what is the name of the file in the zip file?
What is the name of the webserver of the malicious IP from which the zip file was downloaded?
What is the version of the webserver from the previous question?
Malicious files were downloaded to the victim host from multiple domains. What were the three domains involved with this activity?
Which certificate authority issued the SSL certificate to the first domain from the previous question?
What is the domain name of the post-infection traffic?
What are the first eleven characters that the victim host sends out to the malicious domain involved in the post-infection traffic?
What was the Server header for the malicious domain from the previous question?
The malware used an API to check for the IP address of the victim’s machine. What was the date and time when the DNS query for the IP check domain occurred? (answer format: yyyy-mm-dd hh:mm:ss UTC)
What was the domain in the DNS query from the previous question?
How many packets were observed for the SMTP traffic?