CyberDefenders.org hosted a challenging HawkEye stealer challenge. You, the challenger/IR team, have to investigate the pcap and answer questions about the infected victim, the location of the attacker's infrastructure and the ownership of the domains involved. No reversing in this one: it can be solved with Python, Wireshark and native OS tools, plus some OSINT using VirusTotal.
For those that don't know about CyberDefenders, they host a platform dedicated to training blue team skills (incident response, digital forensics, security analysis, etc.). If you are used to VulnHub and Hack The Box, those services are typically geared more towards red teaming and penetration testing. This is where CyberDefenders stands out!
1) How many packets does the capture have?
>>> from scapy.all import *
>>> a = rdpcap('/Users/apdavies03/Downloads/stealer.pcap')
>>> len(a)
4003
2) At what time was the first packet captured?
- Apr 10, 2019 21:37:07.129730000 BST (Wireshark shows the timestamp in the local time zone of the analysis machine, here BST)
>>> a[0].time
Decimal('1554928627.129730')
>>> import time
>>> time.ctime(float(a[0].time))
'Wed Apr 10 21:37:07 2019'
time.ctime() also renders in local time; the same instant in UTC is 2019-04-10 20:37:07 UTC, which is the form the challenge expects.
3) What is the duration of the capture?
>>> time.ctime(float(a[-1].time))
'Wed Apr 10 22:40:48 2019'
Last packet minus first packet: 22:40:48 - 21:37:07 = 1:03:41 (Wireshark shows the same under Statistics -> Capture File Properties as "Elapsed").
4) What is the most active computer at the link level?
- Wireshark: Statistics -> Endpoints -> Ethernet tab, sort by Packets; the top MAC address is the most active host at the link level
5) Manufacturer of the NIC of the most active system at the link level?
- Look up the OUI (the first three bytes of that MAC address) in the IEEE registry; Wireshark also resolves it next to the address in the Ethernet header of any frame
6) Where is the headquarters of the company that manufactured the NIC of the most active computer at the link level?
- The IEEE OUI listing includes the registrant's address; confirm on the vendor's website
7) The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?
- 4 private addresses appear in the capture, but one of them is a network device (the gateway), not a computer
- 4 IPs - 1 = 3 computers
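Questions 1 to 7 are all pcap statistics, so as an added example (my own code, not from the writeup or from CyberDefenders) here is a dependency-free parser that answers them directly from the file format: it reads the classic pcap global header and per-packet records, counts packets, converts the first and last timestamps to UTC, computes the duration, counts packets per MAC the way Wireshark's Ethernet endpoint statistics do, and groups the private IPv4 addresses by /24. The capture it runs on is constructed in memory (the MACs, IPs and the tiny OUI table are assumptions for the example; only the first/last timestamps are copied from the writeup), so it runs offline; point `parse_pcap` at the real `stealer.pcap` bytes to reproduce the answers.

```python
import struct
import socket
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_interface

# ---- constructed sample capture (NOT the challenge pcap) ----------------
def _frame(src_mac, dst_mac, src_ip, dst_ip):
    """Ethernet II + a minimal IPv4 header, no payload: enough for endpoint stats."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ipv4

def build_pcap(records):
    """records = [(seconds, microseconds, frame)]; little-endian, microsecond, Ethernet pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

HOST, GW, PEER = "00:0c:29:11:22:33", "00:50:56:aa:bb:cc", "00:0c:29:44:55:66"  # assumed
SAMPLE_PCAP = build_pcap([   # first/last timestamps match the writeup; the rest is made up
    (1554928627, 129730, _frame(HOST, GW, "192.168.1.10", "8.8.8.8")),
    (1554928630, 0,      _frame(GW, HOST, "8.8.8.8", "192.168.1.10")),
    (1554928700, 0,      _frame(PEER, HOST, "192.168.1.11", "192.168.1.10")),
    (1554932448, 500000, _frame(HOST, GW, "192.168.1.10", "192.168.1.1")),
])

# ---- the analysis --------------------------------------------------------
_MAGIC = {0xA1B2C3D4: ("<", 1000), 0xD4C3B2A1: (">", 1000),   # microsecond files
          0xA1B23C4D: ("<", 1),    0x4D3CB2A1: (">", 1)}      # nanosecond files

def parse_pcap(data):
    """Return (linktype, [(timestamp_ns, frame), ...]) for a classic pcap (pcapng is a different format)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in _MAGIC:
        raise ValueError("not a classic pcap file")
    endian, to_ns = _MAGIC[magic]
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated capture")
        off += incl_len
        packets.append((sec * 1_000_000_000 + frac * to_ns, frame))
    return linktype, packets

def _fmt(ts_ns):
    """Integer nanoseconds -> UTC string; avoids the local-time surprise of time.ctime()."""
    dt = datetime.fromtimestamp(ts_ns // 1_000_000_000, tz=timezone.utc)
    return dt.replace(microsecond=(ts_ns % 1_000_000_000) // 1000).strftime("%Y-%m-%d %H:%M:%S.%f UTC")

def capture_summary(packets):
    """Questions 1-3: packet count, first/last timestamp in UTC, duration in seconds."""
    first, last = packets[0][0], packets[-1][0]
    return {"packets": len(packets), "first": _fmt(first), "last": _fmt(last),
            "duration_s": (last - first) / 1e9}

# Tiny subset of the IEEE OUI registry for the sample; real work uses the full list.
OUI = {"00:0c:29": "VMware, Inc.", "00:50:56": "VMware, Inc.", "08:00:27": "PCS Systemtechnik GmbH"}

def link_layer_summary(packets):
    """Questions 4-5: packets per MAC as source or destination (like Statistics > Endpoints > Ethernet),
    skipping broadcast/multicast so ff:ff:ff:ff:ff:ff cannot come out as 'the most active computer'."""
    macs = Counter()
    for _, frame in packets:
        if len(frame) < 14:
            continue
        for mac in (frame[0:6], frame[6:12]):
            if not mac[0] & 1:                       # group bit clear = unicast
                macs[mac.hex(":")] += 1
    top, count = macs.most_common(1)[0]
    return {"mac": top, "packets": count, "oui": top[:8], "vendor": OUI.get(top[:8], "unknown")}

def private_hosts(packets, prefixlen=24):
    """Question 7: non-public IPv4 endpoints grouped by /prefixlen. Deciding which of them is the
    gateway or another network device (to subtract) still needs the ARP/DHCP context."""
    hosts = set()
    for _, frame in packets:
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":   # EtherType IPv4
            hosts.update(ip for ip in (ip_address(frame[26:30]), ip_address(frame[30:34])) if ip.is_private)
    by_subnet = {}
    for ip in sorted(hosts):
        by_subnet.setdefault(str(ip_interface(f"{ip}/{prefixlen}").network), []).append(str(ip))
    return by_subnet

if __name__ == "__main__":
    _, pkts = parse_pcap(SAMPLE_PCAP)
    print(capture_summary(pkts))
    print(link_layer_summary(pkts))
    print(private_hosts(pkts))
```

The timestamps are kept as integer nanoseconds so the microsecond field survives untouched (scapy uses Decimal for the same reason); the printed times are explicitly UTC, which removes the BST/UTC ambiguity in question 2.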
8) What is the name of the most active computer at the network level?
- Filter on `dhcp` (`bootp` in older Wireshark builds): the client's DHCP Request carries its name in option 12 (Host Name). NBNS name registrations from the same host confirm it.
9) What is the IP of the organization's DNS server?
- Either the destination of the victim's DNS queries (`dns` filter) or option 6 (Domain Name Server) in the DHCP ACK
10) What domain is the victim asking about in the 204 packets?
- Statistics -> DNS, or filter `dns.flags.response == 0` and look at the query name that repeats
11) What is the IP of the domain in the previous question?
- The A record in the corresponding DNS response
12) Indicate the country to which the IP in the previous section belongs.
- Whois/GeoIP lookup on that address
13) What operating system does the victim’s computer run?
$ strings ~/Downloads/stealer.pcap | grep -i windows | sort -u
Windows NT 6.1
The string comes from the HTTP User-Agent header of the victim's requests; Windows NT 6.1 is Windows 7 (or Server 2008 R2). `uniq` only collapses adjacent duplicates, hence the `sort -u`.
14) What is the name of the malicious file downloaded by the accountant?
15) What is the md5 hash of the downloaded file?
- File -> Export Objects -> HTTP, save the executable and hash it locally (the filename answers question 14 as well)
$ md5 tkraw_Protected99.exe
MD5 (tkraw_Protected99.exe) = 71826ba081e303866ce2a2534491a2f7
(`md5sum` on Linux.) Searching VirusTotal by this hash avoids uploading the sample.
16) What is the name of the malware according to Malwarebytes?
- VirusTotal, detections tab, the Malwarebytes row
17) What software runs the webserver that hosts the malware?
- The `Server:` header in the HTTP response that delivered the executable
18) What is the public IP of the victim's computer?
- Stealers typically ask a "what is my IP" style web service before exfiltrating; look for that HTTP request and its response
19) In which country is located the email server to which the stolen information is sent?
- GeoIP lookup on the SMTP server the victim connects to
20) What is the creation date of the domain to which the information is exfiltrated?
- Whois on the mail server's domain
21) Analyzing the first extraction of information. What software runs the email server to which the stolen information is sent?
- The SMTP 220 banner at the start of the first SMTP stream
22) To which email account is the stolen information sent?
- The RCPT TO command in the same stream
23) What is the password used by the malware to send the email?
- AUTH LOGIN: the username and password follow the two 334 challenges, base64-encoded, not encrypted
24) Which malware variant exfiltrates information?
- HawkEye variant
- Base64-decode the email Subject header (RFC 2047 `=?UTF-8?B?...?=` encoding); the decoded subject names the variant
25) What are the bankofamerica access credentials? username:password
- Follow TCP stream 24 (`tcp.stream eq 24`): the keylog in the mail body contains the bankofamerica login
26) Every how many minutes is the information collected exfiltrated?
- Compare the Date headers (or the packet timestamps) of consecutive exfiltration emails; the gap is constant
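Questions 21 to 24 and 26 all come out of the SMTP streams, so as an added example (my own code, not from the writeup) here is a decoder for a "Follow TCP Stream" dump of an SMTP session: it picks the server banner (the mail server software), recovers the AUTH LOGIN username and password from the base64 exchange (and handles AUTH PLAIN too), records the RCPT TO account, decodes the RFC 2047 Subject of each message, and computes the interval between consecutive exfiltration mails from their Date headers. The session it parses is constructed inline; the server name, the account, the password `SuperS3cr3t!`, the subject text and the ten-minute spacing are all assumptions for the example, not values from the challenge.

```python
import base64
import binascii
import email
import re
from email import policy
from email.utils import parsedate_to_datetime

def _b64(s):
    return base64.b64encode(s.encode()).decode()

def _message(subject, date, body):
    """One DATA payload as the client sends it (constructed sample)."""
    return "\r\n".join(["From: stealer@example.com", "To: dropbox@example.com",
                        "Subject: =?UTF-8?B?" + _b64(subject) + "?=", "Date: " + date,
                        "", body, "."])

# Constructed SMTP session laid out as Wireshark's "Follow TCP Stream" shows it:
# server replies start with a 3-digit code, everything else is the client.
SAMPLE_STREAM = "\r\n".join([
    "220 mail.example.com ESMTP ExampleMTA 1.0",
    "EHLO VICTIM-PC",
    "250-mail.example.com Hello VICTIM-PC",
    "250 AUTH LOGIN PLAIN",
    "AUTH LOGIN",
    "334 " + _b64("Username:"),
    _b64("stealer@example.com"),
    "334 " + _b64("Password:"),
    _b64("SuperS3cr3t!"),
    "235 Authentication succeeded",
    "MAIL FROM:<stealer@example.com>", "250 OK",
    "RCPT TO:<dropbox@example.com>", "250 Accepted",
    "DATA", "354 Enter message, ending with \".\" on a line by itself",
    _message("Keylogger Records | VICTIM-PC", "Wed, 10 Apr 2019 21:40:00 +0100", "Clipboard: (empty)"),
    "250 OK id=1",
    "MAIL FROM:<stealer@example.com>", "250 OK",
    "RCPT TO:<dropbox@example.com>", "250 Accepted",
    "DATA", "354 Enter message, ending with \".\" on a line by itself",
    _message("Keylogger Records | VICTIM-PC", "Wed, 10 Apr 2019 21:50:00 +0100", "Clipboard: (empty)"),
    "250 OK id=2",
    "QUIT", "221 mail.example.com closing connection",
]) + "\r\n"

_SERVER = re.compile(r"^\d{3}[ -]")   # SMTP reply line: code followed by space or hyphen

def _decode(b64text):
    try:
        return base64.b64decode(b64text).decode(errors="replace")
    except (binascii.Error, ValueError):
        return None                    # e.g. "*" to abort the AUTH exchange

def parse_smtp_stream(stream):
    out = {"server": None, "username": None, "password": None, "mail_from": None,
           "rcpt_to": [], "messages": []}
    prompt, data, in_data = None, [], False
    for line in stream.split("\r\n"):
        if in_data:                                    # inside DATA until the lone "."
            if line == ".":
                msg = email.message_from_string("\r\n".join(data), policy=policy.default)
                out["messages"].append({"subject": str(msg["Subject"]),       # RFC 2047 decoded
                                        "date": parsedate_to_datetime(str(msg["Date"]))})
                data, in_data = [], False
            else:
                data.append(line)
            continue
        if _SERVER.match(line):                        # server side
            code = line[:3]
            if code == "220" and out["server"] is None:
                out["server"] = line[4:]
            elif code == "334":                        # AUTH challenge, base64 "Username:"/"Password:"
                prompt = _decode(line[4:]) or ""
            elif code == "354":
                in_data = True
            continue
        if prompt is not None:                         # client answering a 334 challenge
            value = _decode(line)
            if value is not None and "\x00" in value:  # AUTH PLAIN answer: \0user\0password
                _, out["username"], out["password"] = value.split("\x00", 2)
            elif value is not None and prompt.lower().startswith("username"):
                out["username"] = value
            elif value is not None and prompt.lower().startswith("password"):
                out["password"] = value
            prompt = None
        elif line.upper().startswith("AUTH PLAIN "):   # initial-response form
            value = _decode(line.split(" ", 2)[2]) or "\x00\x00"
            _, out["username"], out["password"] = value.split("\x00", 2)
        elif line.upper().startswith("MAIL FROM:"):
            out["mail_from"] = line.split(":", 1)[1].strip("<> ")
        elif line.upper().startswith("RCPT TO:"):
            out["rcpt_to"].append(line.split(":", 1)[1].strip("<> "))
    return out

def exfil_interval_minutes(messages):
    """Question 26: gaps between consecutive exfil mails, from their Date headers."""
    dates = sorted(m["date"] for m in messages)
    return [(b - a).total_seconds() / 60 for a, b in zip(dates, dates[1:])]

if __name__ == "__main__":
    r = parse_smtp_stream(SAMPLE_STREAM)
    print(r["server"], r["username"], r["password"], r["rcpt_to"][0])
    print([m["subject"] for m in r["messages"]], exfil_interval_minutes(r["messages"]))
```

Paste the raw text of `Follow TCP Stream` for the SMTP connection into `parse_smtp_stream` to apply it to the capture; note that the credentials are recoverable only because the malware used plain SMTP on port 587 without STARTTLS, which is exactly what makes the exfiltration account readable in the pcap.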