A compromised workstation has been flagged after generating suspicious outbound network traffic, and the resulting PCAP capture has been handed to the SOC for triage. Our objective in this lab is to reconstruct the intrusion end-to-end: determine how the attacker achieved initial execution, identify every payload pulled down during the infection chain, and map the post-compromise behavior to known adversary tradecraft.
The investigation begins at the network layer and works its way down through the several obfuscation layers that give this sample its name. We will peel back an obfuscated VBScript that stages a PowerShell downloader, a PE payload masquerading as a .jpg, and a .NET-based RAT reflectively loaded into a signed Microsoft binary. By the end of the walkthrough, we will have recovered both stages of the malware, identified the family and its C2 infrastructure, listed the artifacts dropped to disk, and tied the execution chain back to MITRE ATT&CK techniques.
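As an added example (not part of the lab's own materials), the following Python check implements the triage step behind the "PE masquerading as a .jpg" observation: it sniffs the body of an HTTP response carved from a capture and flags a download whose URL or Content-Type claims an image while the bytes carry an MZ/PE header. The HTTP responses here are constructed inline for demonstration, not taken from the lab's PCAP.

```python
import struct

def sniff_magic(body: bytes) -> str:
    """Classify a response body by its content, ignoring what the server claimed."""
    if body[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if body[:2] == b"MZ" and len(body) >= 0x40:
        # e_lfanew at offset 0x3C points to the "PE\0\0" signature
        e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
        if body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz-only"
    return "unknown"

def parse_response(raw: bytes):
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body

def check_download(url_path: str, raw: bytes) -> dict:
    """Flag a download that claims to be an image but is actually a PE file."""
    headers, body = parse_response(raw)
    declared = headers.get("content-type", "")
    actual = sniff_magic(body)
    image_claimed = (url_path.lower().endswith((".jpg", ".jpeg"))
                     or declared.startswith("image/"))
    return {"path": url_path, "declared": declared, "actual": actual,
            "suspicious": actual == "pe" and image_claimed}

# --- constructed test data (not real malware) ---
def make_fake_pe() -> bytes:
    """Minimal MZ stub with e_lfanew -> PE signature, enough to trip the check."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20

def http_response(content_type: str, body: bytes) -> bytes:
    return (f"HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body

if __name__ == "__main__":
    print(check_download("/images/photo.jpg", http_response("image/jpeg", make_fake_pe())))
    print(check_download("/images/photo.jpg",
                         http_response("image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)))
```

The same function can be run over every HTTP object exported from the capture to produce the per-payload list the lab asks for.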
Tools used throughout this lab:
Q1: The attacker successfully executed a command to download the first stage of the malware. What is the URL from which the first malware stage was instal