Blue Team | Investigating Malware and Spam with Wireshark
TryHackMe Carnage Description
We covered analyzing an incident with Wireshark. We used Wireshark display filters to investigate the capture and reveal the malware and its activity.
Eric Fischer from the Purchasing Department at Bartell Ltd has received an email from a known contact with a Word document attachment. Upon opening the document, he accidentally clicked on “Enable Content.” The SOC Department immediately received an alert from the endpoint agent that Eric’s workstation was making suspicious connections outbound. The pcap was retrieved from the network sensor and handed to you for analysis.
Task: Investigate the packet capture and uncover the malicious activities.
*Credit goes to Brad Duncan for capturing the traffic and sharing the pcap with the InfoSec community.
Initial Infection Analysis
My first step is to look at the initial HTTP traffic to understand how this whole thing started. The timestamp of the first HTTP connection to the malicious IP gives me the exact date and time the infection began. Following the TCP stream shows that a file named documents.zip was downloaded, and because a zip archive stores its file names in plaintext, the stream also shows what was inside without extracting anything: a malicious Excel file. The HTTP response headers reveal the web server's name and its PHP version as well, which is always good information to have.
Finding the Malicious Domains
After the initial infection, the malware, most likely the macro in that Excel file, reached out to download further payloads. This traffic is HTTPS, so the content is encrypted. The TLS handshake itself is not, though: the Client Hello carries the Server Name Indication (SNI) extension in plaintext, so the destination host names are visible even when the payload is not. By filtering for TLS traffic in a narrow time window right after the download, I identify three more malicious domains that the malware communicated with. For TLS 1.2 sessions the server's certificate is also sent in the clear, which is how I can tell which certificate authority issued the certificate for the first of those domains.
Identifying the Cobalt Strike Servers
Next, I hunt for the Command and Control (C2) servers, which in this case are Cobalt Strike servers. I extract the set of destination IP addresses from the capture with tshark (the command is listed under Technical Commands below). For the first Cobalt Strike IP, I filter the HTTP traffic to that address and follow the TCP stream to find the Host header. Then, using VirusTotal, I look up the historical SSL certificates for that IP to find the associated domain name.
Post-Infection Traffic and Data Exfiltration
Now I want to see what happened after the machine was fully compromised. I filter for HTTP POST requests, which malware commonly uses to send data out of the network. That shows me the domain name involved in the post-infection traffic, the Server header the malicious host answered with, and the first eleven characters of the data the victim host sent to it.
DNS and Spam Activity
Digging further, I see that the malware used an API to check the victim's public IP address. I can find the exact time of the first DNS query to api.ipify.org by filtering for DNS traffic.
Finally, I investigate some suspicious spam activity. By filtering for SMTP traffic and following the TCP stream, I can see the MAIL FROM address that was used to send out spam. Wireshark's Protocol Hierarchy statistics (Statistics > Protocol Hierarchy) give the total number of SMTP packets in the capture.
And that’s how I piece together the entire story of a network infection, from the initial download to data exfiltration and spam, all by analyzing a single packet capture file!
Technical Commands
Here are the Wireshark display filters and the tshark command I used throughout my investigation. One caveat on the time-window filter: an absolute frame.time value in a display filter is interpreted in the local time zone of the machine running Wireshark, so when the answer format asks for UTC, convert the window you filter on accordingly (View > Time Display Format > UTC Date and Time of Day shows packet times in UTC).
- Wireshark Display Filters:
http
tcp.port == 443 and (frame.time >= "September 24, 2021 16:45:11" and frame.time <= "September 24, 2021 16:45:30")
http.request.method == "POST"
dns
smtp
- T-Shark Command (for extracting destination IPs, one address per line, deduplicated; -T fields avoids grepping through JSON, and grep drops the empty lines that non-IP frames produce):
tshark -r carnage.pcap -T fields -e ip.dst | grep "[0-9]" | sort -u
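To show the same triage as a repeatable script instead of a sequence of GUI clicks, here is an added example in pure standard-library Python. It is not part of the original writeup or of the TryHackMe room. It builds a small constructed pcap (private and documentation-range IPs and .example host names, nothing from the real Carnage capture) and then extracts the same artefacts the filters above surface: HTTP Host and URI for GET/POST requests, the SNI host name from the TLS Client Hello (the plaintext that makes "encrypted" download domains visible), DNS query names with UTC timestamps, and the SMTP MAIL FROM address plus the SMTP packet count. The function names, the sample traffic and the port-based protocol guesses are all assumptions of this example.

```python
# Added example (not code from the TryHackMe room or the original writeup): a pure-stdlib pcap
# triage script. All traffic is CONSTRUCTED in build_sample_pcap(); its IPs and host names are made up.
import struct
from datetime import datetime, timezone
def pcap_bytes(records):                             # [(epoch_ts, frame)] -> little-endian pcap, linktype 1
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in records:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, int((ts - sec) * 1e6), len(frame), len(frame)) + frame)
    return b"".join(out)

def ip_frame(proto, src, dst, sport, dport, payload):   # Ethernet + IPv4 + TCP(6)/UDP(17), zero checksums
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) if proto == 6
          else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + l4
    return b"\x00" * 12 + b"\x08\x00" + ip            # zero MACs, EtherType IPv4

def iter_packets(data):
    """Yield (ts, proto, src, dst, sport, dport, payload) for every IPv4 TCP/UDP frame in a pcap."""
    endian, off = ("<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"), 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        f, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(f) < 34 or f[12:14] != b"\x08\x00" or f[23] not in (6, 17):
            continue                                 # ARP, ICMP, IPv6 ...: not needed here
        proto, l4 = f[23], f[14 + (f[14] & 0x0F) * 4:]
        sport, dport = struct.unpack_from("!HH", l4)
        hdr = (l4[12] >> 4) * 4 if proto == 6 else 8  # TCP data offset vs fixed 8-byte UDP header
        src, dst = ".".join(map(str, f[26:30])), ".".join(map(str, f[30:34]))
        yield sec + usec / 1e6, proto, src, dst, sport, dport, l4[hdr:]

def tls_sni(p):
    """server_name from a TLS ClientHello (record type 0x16, handshake type 0x01), else None."""
    if len(p) < 44 or p[0] != 0x16 or p[5] != 0x01:
        return None
    i = 44 + p[43]                                   # 5 record + 4 hs + 2 version + 32 random + session id
    i += 2 + struct.unpack_from("!H", p, i)[0]       # cipher suites
    i += 1 + p[i]                                    # compression methods
    end, i = i + 2 + struct.unpack_from("!H", p, i)[0], i + 2
    while i + 4 <= end:
        etype, elen = struct.unpack_from("!HH", p, i)
        if etype == 0:                               # server_name: list len(2), type(1), name len(2), name
            nlen = struct.unpack_from("!H", p, i + 7)[0]
            return p[i + 9:i + 9 + nlen].decode("ascii", "replace")
        i += 4 + elen
    return None

def client_hello(sni):                               # minimal TLS 1.2 ClientHello, only the SNI extension
    name = sni.encode()
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00\x00\x02\xc0\x2f\x01\x00" + struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def dns_query_name(p):                               # first question name of a DNS query, no compression
    if len(p) < 12 or p[2] & 0x80:                   # QR bit set: that is a response
        return None
    labels, i = [], 12
    while p[i]:
        labels.append(p[i + 1:i + 1 + p[i]].decode("ascii", "replace"))
        i += 1 + p[i]
    return ".".join(labels)

def dns_query(name):                                 # standard query with one A/IN question
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + b"\x00\x01\x00\x01"

def triage(pcap):
    """Answer the writeup's questions: HTTP hosts/URIs, TLS SNI, DNS names, SMTP sender and count."""
    r = {"http": [], "sni": [], "dns": [], "mail_from": [], "smtp_packets": 0}
    for ts, proto, src, dst, sport, dport, pl in iter_packets(pcap):
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        if proto == 6 and dport == 80 and pl[:4] in (b"GET ", b"POST"):
            head = pl.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
            host = next((h[6:] for h in head[1:] if h.lower().startswith("host: ")), "?")
            r["http"].append((when, dst, host, head[0].split(" ")[0], head[0].split(" ")[1]))
        elif proto == 6 and dport == 443 and (name := tls_sni(pl)):
            r["sni"].append((when, dst, name))
        elif proto == 17 and dport == 53 and (name := dns_query_name(pl)):
            r["dns"].append((when, name))
        elif proto == 6 and 25 in (sport, dport):    # both directions, as Protocol Hierarchy counts them
            r["smtp_packets"] += 1
            if pl.upper().startswith(b"MAIL FROM:"):
                r["mail_from"].append(pl[10:].strip().decode("latin-1"))
    return r

def build_sample_pcap():                             # CONSTRUCTED: private/documentation IPs, .example names
    v, web, c2, ns, mx = "10.0.0.23", "198.51.100.10", "203.0.113.7", "10.0.0.2", "192.0.2.25"
    t = datetime(2021, 9, 24, 16, 44, 38, tzinfo=timezone.utc).timestamp()
    return pcap_bytes([
        (t, ip_frame(6, v, web, 50001, 80, b"GET /documents.zip HTTP/1.1\r\nHost: dl.example\r\n\r\n")),
        (t + 40, ip_frame(6, v, c2, 50002, 443, client_hello("stage2.example"))),
        (t + 60, ip_frame(6, v, c2, 50003, 80, b"POST /gate.php HTTP/1.1\r\nHost: c2.example\r\n\r\ndata=x")),
        (t + 300, ip_frame(17, v, ns, 53211, 53, dns_query("api.ipify.org"))),
        (t + 400, ip_frame(6, mx, v, 25, 50004, b"220 mx.example ESMTP\r\n")),
        (t + 402, ip_frame(6, v, mx, 50004, 25, b"MAIL FROM:<spammer@example.net>\r\n")),
    ])

if __name__ == "__main__":
    print(triage(build_sample_pcap()))
```

Run it directly to print the report for the constructed capture, or call triage(open("carnage.pcap", "rb").read()) on a real file. The parsers are deliberately minimal: there is no TCP reassembly, so a Client Hello split across segments or an HTTP request that starts in a later segment is missed, and DNS questions that use compression pointers are not decoded. Wireshark handles all of that, which is why the filter-based workflow above remains the reference; the script is useful for scaling the same checks across many captures.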
TryHackMe Carnage Challenge Answers
What was the date and time for the first HTTP connection to the malicious IP? (answer format: yyyy-mm-dd hh:mm:ss)
What is the name of the zip file that was downloaded?
Without downloading the file, what is the name of the file in the zip file?
What is the name of the webserver of the malicious IP from which the zip file was downloaded?
What is the version of the webserver from the previous question?
Malicious files were downloaded to the victim host from multiple domains. What were the three domains involved with this activity?
Which certificate authority issued the SSL certificate to the first domain from the previous question?
What is the domain name of the post-infection traffic?
What are the first eleven characters that the victim host sends out to the malicious domain involved in the post-infection traffic?
What was the Server header for the malicious domain from the previous question?
The malware used an API to check for the IP address of the victim’s machine. What was the date and time when the DNS query for the IP check domain occurred? (answer format: yyyy-mm-dd hh:mm:ss UTC)
What was the domain in the DNS query from the previous question?
How many packets were observed for the SMTP traffic?