Intro

CyberDefenders.org has a fun challenge where you have to dissect a PCAP file. The objective is to answer a series of questions while investigating an incident where a user has been hacked and malware executed on their system.

You are provided with the following files to aid in your analysis:

  • PCAP

Walkthrough

1) What service did the attacker use to gain access to the system?

  • wireshark - observe ssh traffic

Answer:

 ssh

2) What attack type was used to gain access to the system? (one word)

  • There's a lot of SSH traffic, so assuming a bruteforce is happening!
  • confirmed from log files

Answer:

 bruteforce

3) What was the tool the attacker possibly used to perform this attack?

Hint:

  • common linux bruteforce tool

Answer:

 hydra

4) How many failed attempts were there?

Hint:

  • wireshark - count the SSH streams (54); 2 of them are successful, so 54-2

Answer:

 52

5) What credentials (username:password) were used to gain access? Refer to shadow.log and sudoers.log.

Hint:

  • use john and rockyou

Answer:

 manager:forgot

6) What other credentials (username:password) could have been used to gain access and also have SUDO privileges?

Refer to shadow.log and sudoers.log.

Answer:

 sean:spectre

7) What is the tool used to download malicious files on the system?

Hint:

  • wireshark filter: http

Answer:

 wget

8) How many files did the attacker download to perform the malware installation?

Hint:

  • wireshark filter: http, then count the GET requests

Answer:

3

9) What is the main malware MD5 hash?

Hints:

  • wireshark stream 54
  • cyberchef convert
  • md5

Answer:

772b620736b760c1d736b1e6ba2f885b

10) What file has the script modified so the malware will start upon reboot?

Hint:

  • wireshark stream 56

Answer:

  /etc/rc.local

11) Where did the malware keep local files?

Answer:

/var/mail/

12) What is missing from ps.log?

Answer:

 /var/mail/mail

13) What is the main file that was used to remove this information from ps.log?

Hint:

  • wireshark stream 56

Answer:

sysmod.ko

14) Inside the Main function, what is the function that causes requests to those servers?

Hint:

  • upx (unpack the exe)
  • strings

Answer:

 requestFile

15) One of the IPs the malware contacted starts with 17. Provide the full IP.

Hints:

  • wireshark statistics
  • or unpack the malware

Answer:

174.129.57.253

16) How many files did the malware request from external servers?

Answer:

9

17) What are the commands that the malware was receiving from attacker servers? Format: comma-separated in alphabetical order.

  • Extract object
  • unpack as UPX compressed (you should have already done this for Q14)
  • We used Ghidra
  • look up the main function
  • then choice of: the decryptmessage or processmessage functions

Notice these hex-encoded strings (the integer constants the decompiler shows are ASCII bytes):

  • 0x52554e3a : RUN
  • 0x4e4f500 : NOP

Answer:

nop,run
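Reading the command strings out of the integer constants Ghidra shows in the compare, as an added example that is not part of the original walkthrough: it interprets a displayed immediate as a 4-byte memory word in either byte order and returns the ASCII. Only 0x52554e3a comes from the page; 0x4e4f503a is a constructed "NOP:" in the same encoding, since the page's copy of the second constant is truncated.

```python
import string

PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def const_to_ascii(value: int, order: str = "big", width: int = 4) -> str:
    """Read an integer immediate as a `width`-byte memory word in the given byte order.

    A decompiler prints a string-compare immediate as one integer: "RUN:" in
    memory shows up as 0x52554e3a when read big-endian, or as 0x3a4e5552 when
    the compiler emitted a little-endian 32-bit load. Leading and trailing NUL
    padding is dropped; anything non-printable raises so garbage is not mistaken
    for a command.
    """
    raw = value.to_bytes(width, order).strip(b"\x00")
    text = raw.decode("ascii", errors="replace")
    if not text or any(ch not in PRINTABLE for ch in text):
        raise ValueError(f"0x{value:x} ({order}-endian) is not printable ASCII")
    return text


def readings(value: int, width: int = 4) -> dict:
    """Both byte-order readings, so the analyst can pick the one that makes sense."""
    out = {}
    for order in ("big", "little"):
        try:
            out[order] = const_to_ascii(value, order, width)
        except ValueError:
            out[order] = None
    return out


def commands_from_consts(consts, order: str = "big") -> str:
    """Strip the ':' delimiter, lower-case and sort: the challenge's answer format."""
    names = {const_to_ascii(c, order).rstrip(":").lower() for c in consts}
    return ",".join(sorted(names))


if __name__ == "__main__":
    # 0x52554e3a is the constant quoted in the walkthrough ("RUN:");
    # 0x4e4f503a is a constructed "NOP:" in the same big-endian encoding.
    for const in (0x52554e3a, 0x4e4f503a):
        print(f"0x{const:x} -> {readings(const)}")
    print(commands_from_consts([0x52554e3a, 0x4e4f503a]))  # → nop,run
```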