HawkEye
Q1. How many packets does the capture have?
In order to find the number of packets we have to go to the Statistics > Capture File Properties section.
Answer
2019-04-10 20:37:07 UTC
Q2. At what time was the first packet captured?
We have to set the format to UTC in the View > Time Display Format section.
Alternatively, we can also find the answer in the Capture File Properties section.
Answer
2019-04-10 20:37:07 UTC
Q3. What is the duration of the capture?
Again this answer can be found in the Capture File Properties section.
Answer
01:03:41
Q4. What is the most active computer at the link level?
If we go to the Statistics > Endpoints section, we can see information about all the devices in the packet transfer.
Answer
00:08:02:1c:47:ae
Q5. Manufacturer of the NIC of the most active system at the link level?
We can use A-Packets, in order to find the answer easily.
Open the Ethernet section of the file.
Alternatively, we can also use Wireshark to find the NIC manufacturer.
Put the following filter on in order to filter for relevant traffic.
eth.addr==00:08:02:1c:47:ae
On applying the filter, we can see the following packet.
The source address is 00:08:02:1c:47:ae. Let's search this MAC address on DNSChecker.
Same answer as the one we got from A-Packets.
Answer
Hewlett-Packard
Q6. Where is the headquarter of the company that manufactured the NIC of the most active computer at the link level?
A quick Google search tells us where the headquarters are located.
Answer
Palo Alto
Q7. The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?
The /24 subnet mask denotes that the first 24 bytes are part of the network and the last 8 bytes are part of the host.
This means that every host within the 10.4.10.x/24 subnetis part of the organization![[hawkeye 7.png]]
We can see that the first 3 devices are part of the same subnet thus the same organization. Note that the broadcast address is not counted.
Answer
3
Q8. What is the name of the most active computer at the network level?
Since we already know the MAC address of the most active host, we can set a filter for that address and dhcp to find the host name.
eth.addr==00:08:02:1c:47:ae && dhcp
Let's look at the Host Name option.
Answer
BEIJING-5CD1-PC
Q9. What is the IP of the organization's DNS server?
In the DNS section of A-Packets, we can see the IP of the organization.
We can also filter for dns packets in Wireshark.
Answer
10.4.10.4
Q10. What domain is the victim asking about in packet 204?
Let's analyze the 204th packet.
Answer
proforma-invoices.com
Q11. What is the IP of the domain in the previous question?
Let's look through the Connections section in A-Packets.
In order to find the answer in Wireshark, we have to set the following filter:
frame contains proforma-invoices.com
Look in the destination IP address field.
Answer
217.182.138.150
Q12. Indicate the country to which the IP in the previous section belongs.
We can use the IP Lookup tool in DNSChecker.
Answer
France
Q13. What operating system does the victim's computer run?
Let's filter the http requests using the following filter:
eth.addr==00:08:02:1c:47:ae && http.request
Go to Follow > TCP Stream in order to see the entire message.
We can also find the OS in the HTTP section of A-Packets.
Answer
Windows NT 6.1
Q14. What is the name of the malicious file downloaded by the accountant?
In the HTTP Headers section of A-Packets, we can find the file that is being downloaded.
Alternatively, in Wireshark we can filter for GET request using the following filter:
http.request.method == GET
Only the 210th packet is accessing a file.
Answer
tkraw_Protected99.exe
Q15. What is the md5 hash of the downloaded file?
Let's extract the file via File > Export Objects > HTTP.
We can now use md5sum command in order to obtain the file hash.
$ md5sum tkraw_Protected99.exe
71826ba081e303866ce2a2534491a2f7 tkraw_Protected99.exe
We can also upload the file to VirusTotal in order to find the file hash.
Answer
71826ba081e303866ce2a2534491a2f7
Q16. What software runs the webserver that hosts the malware?
In Wireshark, we can again follow the TCP Stream in order to find the server.
Answer
173.66.146.112
Q17. What is the public IP of the victim's computer?
Let's filter for all HTTP requests:
http.request
If we follow TCP Stream, we can find the public IP.
Answer
United States
Q18. In which country is the email server to which the stolen information is sent?
We can use the IP Lookup tool in DNSChecker.
Answer
Exim 4.91
Q19. Analyzing the first extraction of information. What software runs the email server to which the stolen data is sent?
Put on the following filter:
ip.addr == 10.4.10.132 && smtp.req
We can follow the TCP stream.
Answer
sales.del@macwinlogistics.in
Q20. To which email account is the stolen information sent?
Further down in the TCP stream we can see the email that the information is sent to.
Answer
Sales@23
Q21. What is the password used by the malware to send the email?
We will use the same filter as before:
ip.addr == 10.4.10.132 && smtp.req
We can see a password. However, it seems to be base64 encoded.
Let's use CyberChef to decode the password.
Answer
Reborn v9
Q22. Which malware variant exfiltrated the data?
If we follow the same TCP stream, we can see a huge blob of data.
This has been base64 encoded. We have to again use CyberChef to decode it.
Answer
roman.mcguire:P@ssw0rd$
Q23. What are the bankofamerica access credentials? (username:password)
This information is available in the output for the previous question.
Answer
Q24. Every how many minutes does the collected data get exfiltrated?
If we look at the SMTP packets, we can see that the email is sent every 10 minutes.
Answer
10