HawkEye

Always open malware in a secure environment like a VM.

We will be using the REMnux distribution which is specifically made for reverse engineering.

Q1. How many packets does the capture have?

• In order to find the number of packets we have to go to the Statistics > Capture File Properties section.

Q2. At what time was the first packet captured?

• We have to set the format to UTC in the View > Time Display Format section.

• Alternatively, we can also find the answer in the Capture File Properties section.!

Q3. What is the duration of the capture?

• Again this answer can be found in the Capture File Properties section.

Q4. What is the most active computer at the link level?

• If we go to the Statistics > Endpoints section, we can see information about all the devices in the packet transfer.

Q5. Manufacturer of the NIC of the most active system at the link level?

• We can use A-Packets, in order to find the answer easily.
• Open the Ethernet section of the file.

• Alternatively, we can also use Wireshark to find the NIC manufacturer.

• Put the following filter on in order to filter for relevant traffic.

eth.addr==00:08:02:1c:47:ae

• On applying the filter, we can see the following packet.

• The source address is 00:08:02:1c:47:ae. Let's search this MAC address on DNSChecker.

• Same answer as the one we got from A-Packets.

Q6. Where is the headquarter of the company that manufactured the NIC of the most active computer at the link level?

• A quick Google search tells us where the headquarters are located.

Q7. The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?

• The /24 subnet mask denotes that the first 24 bytes are part of the network and the last 8 bytes are part of the host.

• This means that every host within the 10.4.10.x/24 subnet is part of the organization.

• We can see that the first 3 devices are part of the same subnet thus the same organization. Note that the broadcast address is not counted.

Q8. What is the name of the most active computer at the network level?

• Since we already know the MAC address of the most active host, we can set a filter for that address and dhcp to find the host name.

eth.addr==00:08:02:1c:47:ae && dhcp

• Let's look at the Host Name option.

Q9. What is the IP of the organization's DNS server?

• In the DNS section of A-Packets, we can see the IP of the organization.

• We can also filter for dns packets in Wireshark.

Q10. What domain is the victim asking about in packet 204?

• Let's analyze the 204th packet.

Q11. What is the IP of the domain in the previous question?

• Let's look through the Connections section in A-Packets.

• In order to find the answer in Wireshark, we have to set the following filter:

frame contains proforma-invoices.com

• Look in the destination IP address field.

Q12. Indicate the country to which the IP in the previous section belongs.

• We can use the IP Lookup tool in DNSChecker.

Q13. What operating system does the victim's computer run?

• Let's filter the http requests using the following filter:

eth.addr==00:08:02:1c:47:ae && http.request

• Go to Follow > TCP Stream in order to see the entire message.

• We can also find the OS in the HTTP section of A-Packets.

Q14. What is the name of the malicious file downloaded by the accountant?

• In the HTTP Headers section of A-Packets, we can find the file that is being downloaded. !

• Alternatively, in Wireshark we can filter for GET request using the following filter:

http.request.method == GET

• Only the 210th packet is accessing a file.

Q15. What is the md5 hash of the downloaded file?

• Let's extract the file via File > EXport Objects > HTTP.

• We can now use md5sum command in order to obtain the file hash.

$ md5sum tkraw_Protected99.exe 
71826ba081e303866ce2a2534491a2f7  tkraw_Protected99.exe

• We can also upload the file to VirusTotal in order to find the file hash.

Q17. What software runs the webserver that hosts the malware?

• In Wireshark, we can again follow the TCP Stream in order to find the server.

Q18. What is the public IP of the victim's computer?

• Let's filter for all HTTP requests:

http.request

• If we follow TCP Stream, we can find the public IP.

Q19. In which country is the email server to which the stolen information is sent?

• We can use the IP Lookup tool in DNSChecker.

Q20. Analyzing the first extraction of information. What software runs the email server to which the stolen data is sent?

• Put on the following filter:

ip.addr == 10.4.10.132 && smtp.req

• We can follow the TCP stream.

Q21. To which email account is the stolen information sent?

• Further down in the TCP stream we can see the email that the information is sent to. !

Q22. What is the password used by the malware to send the email?

• We will use the same filter as before:

ip.addr == 10.4.10.132 && smtp.req

• We can see a password. However, it seems to be base64 encoded.

• Let's use CyberChef to decode the password.

Q23. Which malware variant exfiltrated the data?

• If we follow the same TCP stream, we can see a huge blob of data.

• This has been base64 encoded. We have to again use CyberChef to decode it.

Q24. What are the bankofamerica access credentials? (username:password)

• This information is available in the output for the previous question.

Q25. Every how many minutes does the collected data get exfiltrated?

• If we look at the SMTP packets, we can see that the email is sent every 10 minutes.