CyberDefenders: Malware Traffic Analysis 5 blueteam challenge.

Malware Traffic Analysis 5

SHA1SUM	88234e4f078c4a820740d1caaf70cfeb20311a20
Published	Sept. 18, 2020
Author	Brad Duncan
Size	5.1M
Tags	Wireshark PCAP Email analysis Network

Instructions	Uncompress the challenge (pass: cyberdefenders.org) Load suricatarunner.exe and suricataupdater.exe in BrimSecurity from settings Uncompress suricata.zip from description and move suircata.rules to ".\var\lib\suricata\rules" inside suricatarunner directory

Your progress

0% Completed0/19 Questions

Your score

0/1825

Digital Forensics

Last solve

11 days ago by jaymuchu

Tools:

SCENARIO

You're working as an analyst at a Security Operations Center (SOC) for a Thanksgiving-themed company. One quiet evening, you hear someone knocking at the SOC entrance. As you answer the door, an exhausted mail server technician stumbles in and quickly falls to the floor. He whispers in a shaky voice, "Mail filters are down... Spam everywhere..."

As you help him up, he looks to the sky and yells, "The gates of hell have opened!"The technician immediately collapses again and softly whispers, "The horror... The horror...".

The mail filter outage lasted throughout the next day. Fortunately, very few incidents were reported. But one example caught your eye. During the mail filter outage, one of the company employees decided to play "email roulette." The employee opened one of the malicious emails from his inbox and treated it as a legitimate message.

YOUR ASSIGNMENT

You acquired four malicious emails the employee received. You also received a pcap of traffic from his infected computer. Your task? Figure out which email was used to compromise the system.

Thanks, th3c0rt3x for reviewing the challenge.

#	Question	Weight	Solved
#1	c41-MTA5-email-01: What is the name of the malicious file?	25	275
Hint Report an issue

#2	c41-MTA5-email-01: What is the name of the trojan family the malware belongs to? (As identified by emerging threats ruleset).	50	256
Hint Report an issue

#3	c41-MTA5-email-01: The malware dropped two malicious files with the same hash but with different names. Provide the SHA256 hash of those files? (Check the report submitted in 2015).	50	200
Hint Report an issue

#4	c41-MTA5-email-01: How many DNS requests were initiated by the malware? (Check the report submitted in 2015).	50	224
Hint Report an issue

#5	c41-MTA5-email-02: Multiple streams contain macros in this document. Provide the number of the highest one.	100	184
Hint Report an issue

#6	c41-MTA5-email-02: The Excel macro tried to download a file. Provide the full URL of this file?	100	149
Hint Report an issue

#7	c41-MTA5-email-02: What is the name of the object used to get data from the download URL?	100	134
Hint Report an issue

#8	c41-MTA5-email-02: The Excel macro writes a file to the temp folder. Provide the filename?	100	146
Hint Report an issue

#9	c41-MTA5-email-03: Provide the FQDN used by the attacker to store the login credentials?	50	156
Hint Report an issue

#10	c41-MTA5-email-04: How many FQDNs are present in the malicious js?	100	158
Hint Report an issue

#11	c41-MTA5-email-04: What is the name of the object used to handle and read files?	100	139
Hint Report an issue

#12	c41-MTA5.pcap: The victim received multiple emails; however, the user opened a single attachment. Provide the attachment filename.	100	157
Hint Report an issue

#13	c41-MTA5.pcap: What is the IP address of the victim machine?	50	177
Hint Report an issue

#14	c41-MTA5.pcap: What is the hostname of the victim machine?	50	171
Hint Report an issue

#15	c41-MTA5.pcap: What is the FQDN that hosted the malware?	100	166
Hint Report an issue

#16	c41-MTA5.pcap: The opened attachment wrote multiple files to the TEMP folder. Provide the name of the first file written to the disk?	200	144
Hint Report an issue

#17	c41-MTA5.pcap: One of the written files to the disk has the following md5 hash "35a09d67bee10c6aff48826717680c1c"; Which registry key does this malware check for its existence?	200	129
Hint Report an issue

#18	c41-MTA5.pcap: One of the written files to the disk has the following md5 hash "e2fc96114e61288fc413118327c76d93" sent an HTTP post request to "upload.php" page. Provide the webserver IP. (IP is not in PCAP)	200	133
Hint Report an issue

#19	c41-MTA5.pcap: The malware initiated callback traffic after the infection. Provide the IP of the destination server.	100	143
Hint Report an issue

Submit Writeup