Blue Team | Investigating Malware and Spam with Wireshark

TryHackMe Carnage Description

We covered analyzing an incident with Wireshark. We used Wireshark display filters to investigate the capture and reveal the malware and its activity.

Eric Fischer from the Purchasing Department at Bartell Ltd has received an email from a known contact with a Word document attachment. Upon opening the document, he accidentally clicked on “Enable Content.” The SOC Department immediately received an alert from the endpoint agent that Eric’s workstation was making suspicious connections outbound. The pcap was retrieved from the network sensor and handed to you for analysis.

Task: Investigate the packet capture and uncover the malicious activities.

*Credit goes to Brad Duncan for capturing the traffic and sharing the pcap with the InfoSec community.

Initial Infection Analysis

My first step is to look at the initial HTTP traffic to understand how this whole thing started. I can see the exact date and time the first connection was made to the malicious IP. By following the TCP stream, I can see that a file named documents.zip was downloaded. Inside that zip file was a malicious Excel file. I can also see the web server’s name and its PHP version right in the HTTP response header, which is always good information to have.

Finding the Malicious Domains

After the initial infection, the malware, likely a macro in that Excel file, reached out to download further payloads. This traffic is HTTPS, so the content is encrypted. However, I can still get a lot of information by looking at the “Client Hello” packets in the SSL/TLS handshake, because the Server Name Indication (SNI) field is sent in the clear. By filtering for a specific time frame, I’m able to identify three more malicious domains that the malware communicated with.

Identifying the Cobalt Strike Servers

Next, I hunt for the Command and Control (C2) servers, which in this case are Cobalt Strike servers. I can extract the destination IP addresses from the Wireshark capture. For the first Cobalt Strike IP, I filter the HTTP traffic and follow the TCP stream to find the host header. Then, using VirusTotal, I can look up the historical SSL certificates for that IP to find the associated domain name.

Post-Infection Traffic and Data Exfiltration

Now I want to see what happened after the machine was fully compromised. I filter for HTTP POST requests, which are often used to send data out of a network. I find the domain name involved in this post-infection traffic and can even see the first 11 characters that the victim’s machine sent to this malicious domain.
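The three HTTP-level observations above (the Server header and the name of the file inside the zip from the first download, the Host header of a request, and the first eleven bytes of a POST body) all come from reading a followed TCP stream. As an added example, not code from the original walkthrough, here is a Python script that does the same reading programmatically. The HTTP messages, host names, version strings and zip contents are constructed inline and have nothing to do with the real capture; the zip member name is read from the local file header without extracting the archive, which is what the "without downloading the file" question is getting at.

```python
import io
import re
import struct
import zipfile
from typing import Dict, List, Optional, Tuple

# --- constructed sample traffic (not from the Carnage pcap) -----------------

def _build_zip_with(inner_name: str) -> bytes:
    """Build a real (stored) zip in memory so the local file header is genuine."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"constructed payload")
    return buf.getvalue()


ZIP_BYTES = _build_zip_with("constructed-invoice.xlsm")

# Server side of a followed stream for the zip download (hypothetical banner values)
SERVER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.0-example\r\n"
    b"X-Powered-By: PHP/7.4-example\r\n"
    b"Content-Type: application/zip\r\n"
    b"Content-Disposition: attachment; filename=\"documents.zip\"\r\n"
    + b"Content-Length: " + str(len(ZIP_BYTES)).encode() + b"\r\n\r\n"
    + ZIP_BYTES
)

# Client side of a post-infection POST (hypothetical host, constructed body)
CLIENT_POST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"Content-Length: 24\r\n\r\n"
    b"1234567890ABCDEFGHIJKLMN"
)

# --- parsing ----------------------------------------------------------------

def parse_http(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split one HTTP message into start line, lowercase-keyed headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def zip_member_names(body: bytes) -> List[str]:
    """Walk local file headers (PK\\x03\\x04) and list member names without extracting.
    Name length sits at offset 26, extra-field length at 28, the name itself at 30."""
    names: List[str] = []
    pos = 0
    while True:
        pos = body.find(b"PK\x03\x04", pos)
        if pos < 0 or pos + 30 > len(body):
            break
        name_len, extra_len = struct.unpack("<HH", body[pos + 26:pos + 30])
        names.append(body[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        pos += 30 + name_len + extra_len
    return names


def response_facts(raw: bytes) -> Dict[str, object]:
    """Server banner, advertised download name and zip members from a response."""
    _, headers, body = parse_http(raw)
    m = re.search(r'filename="?([^";]+)', headers.get("content-disposition", ""))
    return {
        "server": headers.get("server"),
        "zip_name": m.group(1) if m else None,
        "members": zip_member_names(body),
    }


def post_facts(raw: bytes, prefix_len: int = 11) -> Dict[str, object]:
    """Method, Host header, body length and the first prefix_len body bytes of a request."""
    start, headers, body = parse_http(raw)
    return {
        "method": start.split(" ")[0],
        "host": headers.get("host"),
        "length": len(body),
        "prefix": body[:prefix_len].decode("ascii", "replace"),
    }


if __name__ == "__main__":
    print(response_facts(SERVER_RESPONSE))
    print(post_facts(CLIENT_POST))
```

When reading a real stream, remember that the zip body may be chunked or gzip-encoded by the server; this example assumes a plain Content-Length body, which is the common case for a direct file download.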

DNS and Spam Activity

Digging further, I see that the malware used an API to check the victim’s public IP address. I can find the exact time of the first DNS query to api.ipify.org by filtering for DNS traffic.

Finally, I investigate some suspicious spam activity. By filtering for SMTP traffic and following the TCP stream, I can see the “mail from” address that was used to send out spam. I can also use Wireshark’s protocol hierarchy statistics to see the total number of SMTP packets in the capture.
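The DNS and SMTP steps above both reduce to scanning decoded packets for a first occurrence. As an added example that is not part of the original walkthrough, the following Python code parses the QNAME out of raw DNS query messages (skipping responses, which have the QR bit set), reports the first query for a given name in the same "yyyy-mm-dd hh:mm:ss UTC" format the challenge asks for, and pulls the first MAIL FROM address out of a followed SMTP stream. The query packets, timestamps, host names and the SMTP dialogue are all constructed for illustration.

```python
import re
import struct
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed DNS A query for `name` in wire format (no name compression)."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    # header: id, flags (RD set), qdcount=1, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def dns_query_name(payload: bytes) -> Optional[str]:
    """Return the QNAME of a DNS query, or None for a response or malformed message."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount == 0:
        return None                     # QR bit set: this is a response
    labels: List[str] = []
    pos = 12
    while pos < len(payload):
        n = payload[pos]
        if n == 0:
            return ".".join(labels)
        if n & 0xC0:
            return None                 # a compression pointer is not valid here
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None


def first_query_time(frames: List[Tuple[float, bytes]], name: str) -> Optional[str]:
    """frames: (epoch_seconds, DNS payload). Time of the first query for `name`,
    formatted the way the challenge answer expects, or None if never queried."""
    for ts, payload in sorted(frames, key=lambda f: f[0]):
        if dns_query_name(payload) == name:
            return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return None


# Constructed SMTP dialogue standing in for a followed TCP stream on port 25
SMTP_STREAM = (
    "220 mx.example.invalid ESMTP\r\n"
    "EHLO victim-host\r\n"
    "250-mx.example.invalid\r\n"
    "250 8BITMIME\r\n"
    "MAIL FROM:<sender@example.invalid>\r\n"
    "250 OK\r\n"
    "RCPT TO:<target@example.invalid>\r\n"
    "250 OK\r\n"
    "MAIL FROM:<second@example.invalid>\r\n"
)


def first_mail_from(stream: str) -> Optional[str]:
    """First MAIL FROM envelope sender in an SMTP stream (angle brackets optional)."""
    m = re.search(r"^MAIL FROM:\s*<?([^>\r\n]+)>?", stream, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


if __name__ == "__main__":
    # constructed timestamps: 1632501000 is 2021-09-24 16:30:00 UTC
    sample = [(1632500990.0, build_dns_query("other.example.invalid")),
              (1632501000.0, build_dns_query("api.ipify.org")),
              (1632501050.0, build_dns_query("api.ipify.org"))]
    print(first_query_time(sample, "api.ipify.org"))
    print(first_mail_from(SMTP_STREAM))
```

Wireshark's `dns` filter shows both queries and responses; the QR-bit check here is what keeps the "first query" answer from being confused with the server's reply, which carries the same name.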

And that’s how I piece together the entire story of a network infection, from the initial download to data exfiltration and spam, all by analyzing a single packet capture file!

Technical Commands

Here are the Wireshark display filters and the TShark command I used throughout my investigation:

  • Wireshark Display Filters:
    • http
    • tcp.port == 443 and (frame.time >= "September 24, 2021 16:45:11" and frame.time <= "September 24, 2021 16:45:30")
    • http.request.method == "POST"
    • dns
    • smtp
  • TShark command (for extracting destination IPs):
    • tshark -T json -e ip.dst -r carnage.pcap | grep "[0-9]" | sort

TryHackMe Carnage Challenge Answers

What was the date and time for the first HTTP connection to the malicious IP?

(answer format: yyyy-mm-dd hh:mm:ss)

What is the name of the zip file that was downloaded?

What was the domain hosting the malicious zip file?

Without downloading the file, what is the name of the file in the zip file?

What is the name of the webserver of the malicious IP from which the zip file was downloaded?

What is the version of the webserver from the previous question?

Malicious files were downloaded to the victim host from multiple domains. What were the three domains involved with this activity?

Which certificate authority issued the SSL certificate to the first domain from the previous question?

What are the two IP addresses of the Cobalt Strike servers? Use VirusTotal (the Community tab) to confirm if IPs are identified as Cobalt Strike C2 servers. (answer format: enter the IP addresses in sequential order)

What is the Host header for the first Cobalt Strike IP address from the previous question?

What is the domain name for the first IP address of the Cobalt Strike server? You may use VirusTotal to confirm if it’s the Cobalt Strike server (check the Community tab).

What is the domain name of the second Cobalt Strike server IP? You may use VirusTotal to confirm if it’s the Cobalt Strike server (check the Community tab).

What is the domain name of the post-infection traffic?

What are the first eleven characters that the victim host sends out to the malicious domain involved in the post-infection traffic?

What was the length for the first packet sent out to the C2 server?

What was the Server header for the malicious domain from the previous question?

The malware used an API to check for the IP address of the victim’s machine. What was the date and time when the DNS query for the IP check domain occurred? (answer format: yyyy-mm-dd hh:mm:ss UTC)

What was the domain in the DNS query from the previous question?

Looks like there was some malicious spam (malspam) activity going on. What was the first MAIL FROM address observed in the traffic?

How many packets were observed for the SMTP traffic?

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.