HoneyBOT

We will be using the REMnux distribution, which is specifically made for reverse engineering.

Q1. What is the attacker's IP address?

  • We can see that the Source address field of the first packet is 98.114.205.102.

Q2. What is the target's IP address?

  • The target's IP address is included in the Destination address field.

Q3. Provide the country code for the attacker's IP address (a.k.a. geo-location).

  • We can obtain more information about the attacker's IP address using IPinfo.

Q4. How many TCP sessions are present in the captured traffic?

  • We can find TCP sessions by selecting the Statistics > Conversations option.

  • We can see that there are 5 TCP sessions present.

Q5. How long did it take to perform the attack (in seconds)?

  • Let us set the time display format to Seconds since beginning of capture.

  • We can see that the last packet arrives around 16 seconds after the first packet. So it took 16 seconds to perform the attack.

For some reason there is no question number 6.

Q7. Provide the CVE number of the exploited vulnerability.

  • Using the following display filter we can show only the SMB packets.

smb

  • On observing the packets, we can see a few DSSETUP packets. These are used to obtain information about a remote host's Active Directory.

  • The Operation field is set to DsRoleUpgradeDownlevelServer.

  • A quick Google search gives us the CVE number of the exploited vulnerability.

  • It exploits a buffer overflow triggered by overly long debug log entries, which in turn allows the attacker to achieve arbitrary code execution (ACE).

Q8. Which protocol was used to carry over the exploit?

  • As we saw in the previous question, the protocol used was SMB.

Q9. Which protocol did the attacker use to download additional malicious files to the target system?

  • Let us follow the stream through Analyze > Follow > TCP Stream.

  • On checking the 3rd TCP stream we can see the steps performed by the attacker.

  • Alternatively, in TCP stream 2 we can see the command executed by the attacker.

  • The attacker ran the ftp command with the script file o and disabled auto-login with the -n flag.

Q10. What is the name of the downloaded malware?

  • Again in TCP stream 3 we can see that the attacker retrieved the copy of the ssms.exe file.

  • In TCP stream 2 we can see that the attacker executed the ssms.exe file.

Q11. The attacker's server was listening on a specific port. Provide the port number.

  • In the 2nd TCP stream, we can see port 8884 specified in the echo command.

  • The result of this command is redirected into the script file o used during FTP login.

Q12. When was the involved malware first submitted to VirusTotal for analysis? Format: YYYY-MM-DD

  • TCP stream 4 contains the file sent from the attacker to the victim.

  • We can download this file in the raw format via Save as... > Raw.

  • Using the md5sum command we can find the hash of the saved file.

$ md5sum malware
14a09a48ad23fe0ea5a180bee8cb750a  malware

  • We can now search for this file hash on VirusTotal.
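As an added example (not part of the original writeup), the following Python script does in code what the walkthrough does by hand in Wireshark: it counts TCP conversations by endpoint pair (Q4), measures the capture duration (Q5), and reassembles one direction of a TCP stream, skipping retransmissions and overlaps, so the carved file can be hashed for a VirusTotal lookup (Q12). The packet records, endpoint addresses and transferred bytes are constructed stand-ins, not the challenge capture; only port 8884 and the attacker/victim roles come from the page.

```python
import hashlib

# Constructed packet records: (time_s, src, sport, dst, dport, seq, payload).
# The addresses are placeholders, not the capture's real ones; ATTACKER stands
# in for the page's 98.114.205.102 and VICTIM for the target host.
ATTACKER, VICTIM = "198.51.100.7", "192.0.2.10"
PACKETS = [
    (0.000, ATTACKER, 1821, VICTIM, 445, 500, b""),        # SMB session carrying the exploit
    (0.010, VICTIM, 445, ATTACKER, 1821, 900, b""),
    (2.000, VICTIM, 1038, ATTACKER, 8884, 700, b""),       # victim connects back to port 8884
    (2.200, ATTACKER, 8884, VICTIM, 1038, 777, b""),
    # FTP data transfer: constructed stand-in for the ssms.exe bytes, delivered
    # out of order with one full and one partial retransmission.
    (9.100, ATTACKER, 20, VICTIM, 1041, 1000, b"The quick "),
    (9.120, ATTACKER, 20, VICTIM, 1041, 1020, b"jumps over"),
    (9.130, ATTACKER, 20, VICTIM, 1041, 1010, b"brown fox "),
    (9.140, ATTACKER, 20, VICTIM, 1041, 1010, b"brown fox "),        # full retransmission
    (9.150, ATTACKER, 20, VICTIM, 1041, 1025, b" over the lazy "),   # partial overlap
    (16.000, ATTACKER, 20, VICTIM, 1041, 1040, b"dog"),
]


def tcp_sessions(packets):
    """Unique conversations, keyed like Statistics > Conversations: by endpoint pair."""
    return {frozenset({(p[1], p[2]), (p[3], p[4])}) for p in packets}


def attack_duration(packets):
    """Seconds between the first and last packet, as Q5 reads off the time column."""
    times = [p[0] for p in packets]
    return max(times) - min(times)


def reassemble(packets, src, sport, dst, dport):
    """Rebuild one direction of a TCP stream from sequence numbers (Follow > TCP Stream, raw)."""
    segs = sorted((p[5], p[6]) for p in packets if (p[1], p[2], p[3], p[4]) == (src, sport, dst, dport))
    if not segs:
        raise ValueError("no segments for that direction")
    data, next_seq = bytearray(), segs[0][0]
    for seq, payload in segs:
        if seq + len(payload) <= next_seq:     # pure retransmission: nothing new
            continue
        if seq > next_seq:                     # hole in the capture: do not hash a partial file
            raise ValueError(f"gap before seq {seq}: bytes missing from the capture")
        data += payload[next_seq - seq:]       # drop the overlapping prefix, keep the rest
        next_seq = seq + len(payload)
    return bytes(data)


def md5_of_stream(packets, src, sport, dst, dport):
    """Hash of the carved payload, the value one would submit to VirusTotal (as with md5sum)."""
    return hashlib.md5(reassemble(packets, src, sport, dst, dport)).hexdigest()
```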

Q13. What is the key used to encode the shellcode?
