
Information
My Recommendations
wireshark -v
This is my personal preference as I like to keep stuff organized and easily remove all files after completing the challenge:
mkdir Documents/CyberDefenders/Hawkeye && cd Documents/CyberDefenders/Hawkeye
Download it from CyberDefenders and verify with SHA1SUM:
sha1sum /path/to/c72-hawkeye.zip
SHA1SUM: bd7239a7c1e33f4d616242fe892888befc9faa50
Walkthrough
1. How many packets does the capture have?
After opening the file in Wireshark, we can just scroll until the end to see the total number of packets. In this case, it’s 4003.
Answer: 4003
2. At what time was the first packet captured?
The first packet was captured on April 10th, 2019 at 20:37:07:
Answer: 2019-04-10 20:37:07 UTC
3. What is the duration of the capture?
The first packet was captured at 20:37:07. The last one was captured at 21:40:49 (rounded):
21:40:49 – 20:37:07 = 01:03:41
Answer: 01:03:41
4. What is the most active computer at the link level?
The link level is the Ethernet (MAC address) layer. If we select Statistics –> Conversations, Ethernet tab, the most active computer is ‘00:08:02:1c:47:ae’:
Answer: 00:08:02:1c:47:ae
5. Manufacturer of the NIC of the most active system at the link level?
We can use an online MAC address (OUI) lookup service to get the manufacturer of the NIC:
Answer: hewlett-packard
6. Where are the headquarters of the company that manufactured the NIC of the most active computer at the link level?
The headquarters of Hewlett-Packard are in Palo Alto, California.
Answer: Palo Alto
7. The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?
In Statistics –> Conversations, IPv4, there are 11 conversations. However, there are only three unique addresses in ‘Address A’:
Answer: 3
8. What is the name of the most active computer at the network level?
The network level is IPv4, i.e. end-to-end communication. In this case, the most active address is 10.4.10.132. To find its host name we can use the following filter:
ip.addr == 10.4.10.132 && dhcp
DHCP is included in the filter because DHCP packets carry a Host Name option:
Answer: Beijing-5cd1-PC
9. What is the IP of the organization's DNS server?
We can simply use the dns filter. The only two addresses communicating are 10.4.10.132 and 10.4.10.4.
Answer: 10.4.10.4
10. What domain is the victim asking about in packet 204?
Using the filter: frame.number == 204
It’s a DNS query for the domain name proforma-invoices.com.
Answer: proforma-invoices.com
11. What is the IP of the domain in the previous question?
After the DNS response (Packet 206), the computer communicates with IP address 217.182.138.150, which is the IP address of the domain.
Answer: 217.182.138.150
12. Indicate the country to which the IP in the previous section belongs.
Using an IP Address Location service, the IP address is registered in France:
Answer: France
13. What operating system does the victim's computer run?
Frame 210 contains an HTTP Request to the malicious website. Looking at its User-Agent:
The User-Agent string indicates Windows NT 6.1.
Answer: Windows NT 6.1
14. What is the name of the malicious file downloaded by the accountant?
If we look at frame 210, there is an HTTP GET request for /profoma/tkraw_Protected99.exe.
Filtering for HTTP, the next HTTP packet is packet 3155, an HTTP 200 OK response that delivers a file with MIME type application/x-msdownload. The filename is the same as in the GET request.
Answer: tkraw_Protected99.exe
15. What is the md5 hash of the downloaded file?
We can extract the file by doing File –> Export Objects –> HTTP, and then save the executable to the Working Directory.
md5sum tkraw_Protected99.exe
#returns 71826ba081e303866ce2a2534491a2f7
Answer: 71826ba081e303866ce2a2534491a2f7
16. What is the name of the malware according to Malwarebytes?
Searching for the file hash in VirusTotal, Malwarebytes flags the file as ‘Spyware.HawkEyeKeyLogger’.
Answer: Spyware.HawkEyeKeyLogger
17. What software runs the webserver that hosts the malware?
Looking at Packet 3155, which is the HTTP Response for the downloaded malware:
Answer: LiteSpeed
18. What is the public IP of the victim's computer?
After downloading the malware, the victim communicated with a domain named ‘bot.whatismyipaddress.com’ (Packet 3378). To look at the conversation, we can select Analyze –> Follow –> HTTP Stream.
The Website’s response contains the victim’s public IP Address.
Answer: 173.66.146.112
19. In which country is the email server to which the stolen information is sent?
The next DNS query (Packet 3388) is for the domain name ‘macwinlogistics.in’, which resolves to 23.229.162.69. This is the IP address with which the victim’s computer establishes an SMTP connection, most likely to exfiltrate data.
Using an IP Geolocation lookup tool, the IP is registered in the United States:
Answer: United States
20. What is the domain's creation date to which the information is exfiltrated?
21. Analyzing the first extraction of information. What software runs the email server to which the stolen data is sent?
When the SMTP connection is first established (Packet 3175), the server’s greeting banner shows the software it runs:
Answer: Exim 4.91
22. To which email account is the stolen information sent?
In Packet 3179 the infected host sends an AUTH LOGIN command followed by a base64-encoded username. It decodes to sales.del@macwinlogistics.in.
The same email address appears in multiple email communications; the command is repeated seven times. Packet 3204 contains the stolen information for this particular login.
Answer: sales.del@macwinlogistics.in
23. What is the password used by the malware to send the email?
Following the AUTH LOGIN command in Packet 3179, the password is sent in base64-encoded form (Packet 3182). It decodes to ‘Sales@23’.
Answer: Sales@23
24. Which malware variant exfiltrated the data?
The exfiltration routine sends an email containing sensitive information from the victim’s computer.
For example, in packet 3204, the Subject of the email shows that the malware is HawkEyeKeylogger – Reborn v9, introduced in 2019.
Answer: Reborn v9
25. What are the bankofamerica access credentials? (username:password)
The stolen information can be found in emails sent to the attacker:
The login is roman.mcguire and the password is P@ssw0rd$.
Answer: roman.mcguire:P@ssw0rd$
26. Every how many minutes does the collected data get exfiltrated?
We can use a more ‘sophisticated’ filter to get an idea of the exfiltration mechanism:
ip.src == 10.4.10.132 && ip.dst == 23.229.162.69 && smtp.auth.username
Every 10 minutes, the malware logs in to the mail server. If we drop the smtp.auth.username clause from the filter, we can see that the same routine is executed over and over again.
Answer: 10
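The two manual steps above, decoding the base64 AUTH LOGIN credentials (questions 22 and 23) and measuring the gap between successive logins (question 26), can be scripted once the SMTP client stream has been exported from Wireshark. The following is an added example, not part of the original walkthrough; the SMTP lines and frame timestamps are constructed to mirror the exchange described, not copied from the capture.

```python
import base64
from datetime import datetime

# Constructed client->server SMTP lines, modelled on the AUTH LOGIN dialogue
# the walkthrough reads out of packets 3179/3182 (not the real capture).
SMTP_CLIENT_LINES = [
    "EHLO Beijing-5cd1-PC",
    "AUTH LOGIN",
    "c2FsZXMuZGVsQG1hY3dpbmxvZ2lzdGljcy5pbg==",
    "U2FsZXNAMjM=",
    "MAIL FROM:<sales.del@macwinlogistics.in>",
]

# Constructed frame times of the repeated SMTP logins (not the real capture).
AUTH_TIMES = ["2019-04-10 20:40:11", "2019-04-10 20:50:12",
              "2019-04-10 21:00:10", "2019-04-10 21:10:13"]


def _b64(token):
    # validate=True rejects stray characters instead of silently dropping them
    return base64.b64decode(token.strip(), validate=True).decode("utf-8")


def decode_auth_login(lines):
    """Walk the AUTH LOGIN dialogue and return (username, password).

    Handles the two-step form (username, then password, each as a separate
    base64 line) and the variant where the username rides on the AUTH line.
    Returns None if the dialogue is incomplete or the base64 is malformed.
    """
    it = iter(lines)
    for line in it:
        verb, _, rest = line.strip().partition(" ")
        mech, _, inline_user = rest.partition(" ")
        if verb.upper() != "AUTH" or mech.upper() != "LOGIN":
            continue
        try:
            user = _b64(inline_user) if inline_user else _b64(next(it))
            password = _b64(next(it))
        except (StopIteration, ValueError):
            return None
        return user, password
    return None


def exfil_interval_minutes(auth_times):
    """Median gap, in whole minutes, between successive AUTH events."""
    ts = sorted(datetime.strptime(t, "%Y-%m-%d %H:%M:%S") for t in auth_times)
    gaps = sorted(b - a for a, b in zip(ts, ts[1:]))
    if not gaps:
        return None
    return round(gaps[len(gaps) // 2].total_seconds() / 60)
```

Feeding the real stream exported via Follow –> TCP Stream (client direction only) into decode_auth_login reproduces the username and password answers; the median is used for the interval so one delayed login does not skew the result.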
TLDR
– This challenge revolves around a Network Capture of a HawkEye KeyLogger attack.