> For the complete documentation index, see [llms.txt](https://kunalwalavalkar.gitbook.io/write-ups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://kunalwalavalkar.gitbook.io/write-ups/cyberdefenders/hawkeye.md).

# HawkEye

{% hint style="warning" %}
Always open malware in a secure environment like a VM.
{% endhint %}

{% hint style="info" %}
We will be using the [REMnux](https://remnux.org/) distribution which is specifically made for reverse engineering.
{% endhint %}

##

> Q1. How many packets does the capture have?

* In order to find the number of packets we have to go to the `Statistics > Capture File Properties` section.&#x20;

<figure><img src="/files/jYARt25lcJw0ZJxttSpK" alt=""><figcaption></figcaption></figure>

##

> Q2. At what time was the first packet captured?

* We have to set the format to UTC in the `View > Time Display Format` section.&#x20;

<figure><img src="/files/AgGwz6bGuVaOx7Qj6a33" alt=""><figcaption></figcaption></figure>

* Alternatively, we can also find the answer in the `Capture File Properties` section.!

<figure><img src="/files/xNiR01wUR1QBLOmZd8RD" alt=""><figcaption></figcaption></figure>

##

> Q3. What is the duration of the capture?

* Again this answer can be found in the `Capture File Properties` section.&#x20;

<figure><img src="/files/3RvVy3SJdFCIU2yYfrTX" alt=""><figcaption></figcaption></figure>

##

> Q4. What is the most active computer at the link level?

* If we go to the `Statistics > Endpoints` section, we can see information about all the devices in the packet transfer.&#x20;

<figure><img src="/files/Hx7YMHiPBagV1JIynv0U" alt=""><figcaption></figcaption></figure>

##

> Q5. Manufacturer of the NIC of the most active system at the link level?

* We can use [A-Packets](https://apackets.com/), in order to find the answer easily.
* Open the `Ethernet` section of the file.&#x20;

<figure><img src="/files/u5bK6yvEqI4pgEkBkDij" alt=""><figcaption></figcaption></figure>

* Alternatively, we can also use Wireshark to find the NIC manufacturer.
* Put the following filter on in order to filter for relevant traffic.

```
eth.addr==00:08:02:1c:47:ae
```

* On applying the filter, we can see the following packet.&#x20;

<figure><img src="/files/0XYE1RobTW5JzeCqFxtu" alt=""><figcaption></figcaption></figure>

* The source address is `00:08:02:1c:47:ae`. Let's search this MAC address on [DNSChecker](https://dnschecker.org/).

<figure><img src="/files/mHlpVVHjjOT2tLrFlMpI" alt=""><figcaption></figcaption></figure>

* Same answer as the one we got from A-Packets.

##

> Q6. Where is the headquarter of the company that manufactured the NIC of the most active computer at the link level?

* A quick Google search tells us where the headquarters are located.&#x20;

<figure><img src="/files/pFJ9b1NiZbs7HLtKiGx1" alt=""><figcaption></figcaption></figure>

##

> Q7. The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?

* The `/24` subnet mask denotes that the first 24 bytes are part of the network and the last 8 bytes are part of the host.
* This means that every host within the `10.4.10.x/24` subnet is part of the organization.

<figure><img src="/files/QyEhaoWG2pZn2lFp2hyg" alt=""><figcaption></figcaption></figure>

* We can see that the first 3 devices are part of the same subnet thus the same organization. Note that the broadcast address is not counted.

##

> Q8. What is the name of the most active computer at the network level?

* Since we already know the MAC address of the most active host, we can set a filter for that address and `dhcp` to find the host name.

```
eth.addr==00:08:02:1c:47:ae && dhcp
```

* Let's look at the `Host Name` option.&#x20;

<figure><img src="/files/5NkOej5KbB60fdvqWezq" alt=""><figcaption></figcaption></figure>

##

> Q9. What is the IP of the organization's DNS server?

* In the `DNS` section of A-Packets, we can see the IP of the organization.&#x20;

<figure><img src="/files/WxL3nqg2CE3eNIzvUeE2" alt=""><figcaption></figcaption></figure>

* We can also filter for `dns` packets in Wireshark.&#x20;

<figure><img src="/files/chJ3FQzal8MydkGXBVJb" alt=""><figcaption></figcaption></figure>

##

> Q10. What domain is the victim asking about in packet 204?

* Let's analyze the 204th packet.&#x20;

<figure><img src="/files/rmOg8mycsn7a2euJwbFH" alt=""><figcaption></figcaption></figure>

##

> Q11. What is the IP of the domain in the previous question?

* Let's look through the `Connections` section in A-Packets.&#x20;

<figure><img src="/files/r9FJ9cVioD4OL2fwDfXh" alt=""><figcaption></figcaption></figure>

* In order to find the answer in Wireshark, we have to set the following filter:

```
frame contains proforma-invoices.com
```

* Look in the destination IP address field.

<figure><img src="/files/AHGkl8t6065Cg219Y1Fe" alt=""><figcaption></figcaption></figure>

##

> Q12. Indicate the country to which the IP in the previous section belongs.

* We can use the `IP Lookup` tool in DNSChecker.

<figure><img src="/files/OGL0mHEMCwH7tZ8OzkT2" alt=""><figcaption></figcaption></figure>

##

> Q13. What operating system does the victim's computer run?

* Let's filter the http requests using the following filter:

```
eth.addr==00:08:02:1c:47:ae && http.request
```

* Go to `Follow > TCP Stream` in order to see the entire message.&#x20;

<figure><img src="/files/QkiE3HUahSOwCMOEHTlG" alt=""><figcaption></figcaption></figure>

* We can also find the OS in the `HTTP` section of A-Packets.&#x20;

<figure><img src="/files/4mGXESHKu0wAWqWPPofU" alt=""><figcaption></figcaption></figure>

##

> Q14. What is the name of the malicious file downloaded by the accountant?

* In the `HTTP Headers` section of A-Packets, we can find the file that is being downloaded. !

<figure><img src="/files/kFh4YtGtZmMiJpDvJnEw" alt=""><figcaption></figcaption></figure>

* Alternatively, in Wireshark we can filter for `GET` request using the following filter:

```
http.request.method == GET
```

* Only the 210th packet is accessing a file.&#x20;

<figure><img src="/files/MqP8S4v5qQ8uU5SnuTEv" alt=""><figcaption></figcaption></figure>

##

> Q15. What is the md5 hash of the downloaded file?

* Let's extract the file via `File > EXport Objects > HTTP`.
* We can now use `md5sum` command in order to obtain the file hash.

```
$ md5sum tkraw_Protected99.exe 
71826ba081e303866ce2a2534491a2f7  tkraw_Protected99.exe
```

* We can also upload the file to [VirusTotal](https://www.virustotal.com/gui/home/search) in order to find the file hash.&#x20;

<figure><img src="/files/KDQ6JHD6u3DEzVnZq4Ra" alt=""><figcaption></figcaption></figure>

##

> Q17. What software runs the webserver that hosts the malware?

* In Wireshark, we can again follow the TCP Stream in order to find the server.&#x20;

<figure><img src="/files/g3FoszvZItIa0IzBlA3S" alt=""><figcaption></figcaption></figure>

##

> Q18. What is the public IP of the victim's computer?

* Let's filter for all HTTP requests:

```
http.request
```

* If we follow TCP Stream, we can find the public IP.&#x20;

<figure><img src="/files/ZWNIVqGiC6uT77Z6cTcs" alt=""><figcaption></figcaption></figure>

##

> Q19. In which country is the email server to which the stolen information is sent?

* We can use the `IP Lookup` tool in DNSChecker.&#x20;

<figure><img src="/files/8jGCPLEz0AHrqBGiyreh" alt=""><figcaption></figcaption></figure>

##

> Q20. Analyzing the first extraction of information. What software runs the email server to which the stolen data is sent?

* Put on the following filter:

```
ip.addr == 10.4.10.132 && smtp.req
```

* We can follow the TCP stream.

<figure><img src="/files/bC5pGIeWsWW3oXWVTViF" alt=""><figcaption></figcaption></figure>

##

> Q21. To which email account is the stolen information sent?

* Further down in the TCP stream we can see the email that the information is sent to. !

<figure><img src="/files/F1pkZ65NKmqAUOPMBxTg" alt=""><figcaption></figcaption></figure>

##

> Q22. What is the password used by the malware to send the email?

* We will use the same filter as before:

```
ip.addr == 10.4.10.132 && smtp.req
```

* We can see a password. However, it seems to be base64 encoded.&#x20;

<figure><img src="/files/Az7ivD2CYg4qlJctNZ1K" alt=""><figcaption></figcaption></figure>

* Let's use CyberChef to decode the password.&#x20;

<figure><img src="/files/XtELfu61Sdms7QiJeOLk" alt=""><figcaption></figcaption></figure>

##

> Q23. Which malware variant exfiltrated the data?

* If we follow the same TCP stream, we can see a huge blob of data.

<figure><img src="/files/UmVw48tUAnD3Ny8HRuJH" alt=""><figcaption></figcaption></figure>

* This has been base64 encoded. We have to again use CyberChef to decode it.&#x20;

<figure><img src="/files/Z8jkEiv7aIpAbyb91Tne" alt=""><figcaption></figcaption></figure>

##

> Q24. What are the bankofamerica access credentials? (username:password)

* This information is available in the output for the previous question.&#x20;

<figure><img src="/files/tAdBlTuuIFcFaqJOga5u" alt=""><figcaption></figcaption></figure>

##

> Q25. Every how many minutes does the collected data get exfiltrated?

* If we look at the SMTP packets, we can see that the email is sent every 10 minutes.

<figure><img src="/files/zuliou92mPZoedJCMw6Q" alt=""><figcaption></figcaption></figure>
