
Intro

CyberDefenders.org hosted a challenging HawkEye stealer challenge. You, the challenger/IR team, have to investigate the pcap and answer questions about the infected victim and about the location and domain ownership of the attacker's infrastructure. No reversing is needed in this one; it can be solved with Python (scapy), Wireshark and native OS tools, plus some OSINT using VirusTotal.

For those that don't know about CyberDefenders, they host a platform dedicated to training blue-team skills (incident response, digital forensics, security analysis, etc.). If you are used to VulnHub and Hack The Box, those services are typically geared more towards red teaming and penetration testing. This is where CyberDefenders stands out!

Walkthrough

1) How many packets does the capture have?

Python:

>>> from scapy.all import *
>>> a = rdpcap('/Users/apdavies03/Downloads/stealer.pcap')
>>> len(a)
4003

Answer:

4003

2) At what time was the first packet captured?

Wireshark:

  • Apr 10, 2019 21:37:07.129730000 BST

Python:

>>> a[0].time
Decimal('1554928627.129730')
>>> import time
>>> time.ctime(a[0].time)
'Wed Apr 10 21:37:07 2019'

time.ctime() renders the epoch timestamp in the analyst's local timezone (BST, UTC+1, matching the Wireshark display above); the answer is expected in UTC, hence 20:37:07.

Answer:

2019-04-10 20:37:07 UTC

3) What is the duration of the capture?

Python:

>>> time.ctime(a[4002].time)
'Wed Apr 10 22:40:48 2019'

Index 4002 is the last packet (4003 packets, zero-based). Wed Apr 10 22:40:48 2019 - Wed Apr 10 21:37:07 2019 = 1:03:41

Answer:

01:03:41

4) What is the most active computer at the link level?

Wireshark:

  • statistics -> ethernet

Answer:

00:08:02:1c:47:ae
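Questions 1 to 4 are all pcap-level bookkeeping (record count, first timestamp, duration, busiest Ethernet endpoint). The following added example, which is not part of the original write-up and does not use scapy, answers them with a small pure-Python classic-pcap reader; the stealer.pcap itself is not embedded, so it builds a constructed three-frame sample that reuses the write-up's busiest MAC and time span, with two hypothetical peer MACs.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

def _frame(dst, src):
    """Minimal Ethernet II frame (IPv4 EtherType, zero payload) for the constructed sample."""
    return bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", "")) + b"\x08\x00" + b"\x00" * 46

def build_pcap(records):
    """Serialise (timestamp, frame) pairs as a classic little-endian, microsecond pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1_000_000), len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Walk the record headers; return per-packet timestamps and a Counter of Ethernet endpoint activity."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # little-endian file (microsecond / nanosecond variant)
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # big-endian file (microsecond / nanosecond variant)
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    nanos = magic in (0xA1B23C4D, 0x4D3CB2A1)
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    timestamps, endpoints, off = [], Counter(), 24
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        timestamps.append(sec + frac / (1e9 if nanos else 1e6))
        if linktype == 1 and len(frame) >= 12:  # count dst and src MAC, like Statistics -> Endpoints -> Ethernet
            for i in (0, 6):
                endpoints[":".join(f"{b:02x}" for b in frame[i:i + 6])] += 1
    return timestamps, endpoints

def summarize(data):
    """Answers for Q1-Q4: packet count, first timestamp in UTC, duration as HH:MM:SS, busiest MAC."""
    timestamps, endpoints = parse_pcap(data)
    secs = round(timestamps[-1] - timestamps[0])
    return {
        "packets": len(timestamps),
        "first_utc": datetime.fromtimestamp(timestamps[0], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "duration": f"{secs // 3600:02d}:{secs % 3600 // 60:02d}:{secs % 60:02d}",
        "top_mac": endpoints.most_common(1)[0][0],
    }

# Constructed sample: the write-up's busiest MAC plus two hypothetical peers, spanning the challenge's 01:03:41.
HP_NIC, GW, PEER = "00:08:02:1c:47:ae", "00:aa:bb:cc:dd:ee", "00:11:22:33:44:55"
SAMPLE_PCAP = build_pcap([(1554928627.129730, _frame(GW, HP_NIC)),
                          (1554929627.5, _frame(PEER, HP_NIC)),
                          (1554932448.129730, _frame(GW, HP_NIC))])

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP))
```

To run it against the real capture, pass `open('stealer.pcap', 'rb').read()` to `summarize()` instead of `SAMPLE_PCAP`.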

5) Manufacturer of the NIC of the most active system at the link level?

Hint:

  • Internet lookup

Answer:

Hewlett-Packard

6) Where is the headquarters of the company that manufactured the NIC of the most active computer at the link level?

Answer:

Palo Alto

7) The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?

Hint:

  • Four private /24 addresses appear in the capture; one of them belongs to a network device, not a computer
  • 4 IPs - 1 = 3

Answer:

3

8) What is the name of the most active computer at the network level?

Wireshark:

  • DHCP -> Hostname

Answer:

Beijing-5cd1-PC

9) What is the IP of the organization’s DNS server?

Answer:

10.4.10.4

10) What domain is the victim asking about in the 204 packets?

Python:

>>> a[203].qd.qname

Packet 204 is index 203 (zero-based); qd is the DNS question section of the query.

Answer:

proforma-invoices.com

11) What is the IP of the domain in the previous question?

Python:

a[205].an.rdata

Answer:

217.182.138.150

12) Indicate the country to which the IP in the previous section belongs.

Hint:

  • geoip/whois

Answer:

France

13) What operating system does the victim’s computer run?

Shell:

strings ~/Downloads/stealer.pcap | grep -i windows | uniq

Answer:

Windows NT 6.1

14) What is the name of the malicious file downloaded by the accountant?

Answer:

tkraw_Protected99.exe

15) What is the md5 hash of the downloaded file?

Hint:

  • Wireshark
  • File -> Export Objects -> HTTP

Shell:

md5 tkraw_Protected99.exe
MD5 (tkraw_Protected99.exe) = 71826ba081e303866ce2a2534491a2f7

Answer:

71826ba081e303866ce2a2534491a2f7

16) What is the name of the malware according to Malwarebytes?

Answer:

Spyware.HawkEyeKeyLogger

17) What software runs the webserver that hosts the malware?

Answer:

LiteSpeed

18) What is the public IP of the victim’s computer?

Hint:

  • bot.whatismyipaddress.com

Answer:

173.66.146.112

19) In which country is located the email server to which the stolen information is sent?

Hint:

  • whois
  • 23.229.162.69

Answer:

United States

20) What is the creation date of the domain to which the information is exfiltrated?

Hint:

  • macwinlogistics.in

Answer:

2014-02-08

21) Analyzing the first extraction of information. What software runs the email server to which the stolen information is sent?

Answer:

Exim 4.91

22) To which email account is the stolen information sent?

Answer:

sales.del@macwinlogistics.in

23) What is the password used by the malware to send the email?

Hint:

  • U2FsZXNAMjM=

Answer:

Sales@23

24) Which malware variant exfiltrates information?

Hint:

  • HawkEye variant
  • base64-decode the email subject

Answer:

Reborn v9

25) What are the bankofamerica access credentials? username:password

Hint:

  • tcp stream 24

Answer:

roman.mcguire:P@ssw0rd$

26) Every how many minutes is the information collected exfiltrated?

Hint:

  • Last email timings

Answer:

10
