Network Analysis - Malware Compromise
Blue Team Labs Online (retired challenge, Medium Difficulty)
In this challenge, the analyst is expected to investigate a malware infection captured in a .pcap file, using Wireshark.
Q1 - What’s the private IP of the infected host?
To find the answer, open Wireshark and select Statistics > Conversations from the menu bar. The private source IP that appears across the conversations is the infected host.
Q2 - What’s the malware binary that the macro document is trying to retrieve?
To discover the binary, investigate the traffic originating from the infected machine. Start by filtering on ip.src for the infected machine's address, then look at the first HTTP GET request: its requested path names the binary.
Q3 - From what domain HTTP requests with GET /images/ are coming from?
Extend the filter to ip.src for the infected machine && http.request.full_uri. As the question states, look for a GET /images/ request to locate the correct packet and read the domain from it.
Q4 - The SOC Team found Dridex, a follow-up malware from Ursnif infection, to be the culprit. The customer who sent her the macro file is compromised. What’s the full URL ending in .rar where Ursnif retrieves the follow-up malware from?
Keep the same filter as in Q3, but this time look for a request whose URL ends in .rar.
Q5 - What are the Dridex post-infection traffic IP addresses beginning with 185.?
For the last answer of the challenge, clear the filters and return to Statistics > Conversations. Which IP address beginning with 185. was the infected host communicating with after the initial compromise?
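The same triage can be scripted when Wireshark is not at hand. The following is an added example, not part of the challenge or of Blue Team Labs Online: it builds a small constructed pcap (made-up hosts and addresses, not the challenge capture), parses the Ethernet/IPv4/TCP frames with the standard library only, and answers Q2 to Q5 the way the display filters above do.

```python
import struct

def build_pcap(records):
    """Build a minimal pcap (Ethernet/IPv4/TCP) from (src, dst, payload) tuples.
    Constructed sample data only; a real case reads the challenge .pcap from disk."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap global header
    for src, dst, payload in records:
        tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def tcp_packets(pcap):
    """Yield (src_ip, dst_ip, tcp_payload) for each IPv4/TCP frame in the capture."""
    off = 24
    while off < len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # not IPv4, or not TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        doff = (frame[14 + ihl + 12] >> 4) * 4
        yield src, dst, frame[14 + ihl + doff:]

def http_gets(pcap, src_ip):
    """Same idea as ip.src == X && http.request.method == "GET": yield (host, uri)."""
    for src, _, payload in tcp_packets(pcap):
        if src != src_ip or not payload.startswith(b"GET "):
            continue
        lines = payload.split(b"\r\n")
        uri = lines[0].split(b" ")[1].decode()
        host = next((l[6:].decode() for l in lines[1:] if l.lower().startswith(b"host: ")), "")
        yield host, uri

def triage(pcap, infected_ip):
    """Answer Q2-Q5 for the given infected host over the capture."""
    gets = list(http_gets(pcap, infected_ip))
    post = {d for s, d, _ in tcp_packets(pcap) if s == infected_ip and d.startswith("185.")}
    return {
        "binary": gets[0][1].rsplit("/", 1)[-1] if gets else None,  # Q2: first GET
        "images_domain": next((h for h, u in gets if u.startswith("/images/")), None),  # Q3
        "rar_url": next((f"http://{h}{u}" for h, u in gets if u.endswith(".rar")), None),  # Q4
        "post_infection_185": sorted(post),  # Q5: peers beginning with 185.
    }

SAMPLE = build_pcap([  # constructed traffic, not the challenge capture
    ("10.0.0.5", "203.0.113.10", b"GET /docs/invoice.exe HTTP/1.1\r\nHost: drop.example.invalid\r\n\r\n"),
    ("10.0.0.5", "203.0.113.20", b"GET /images/logo.gif HTTP/1.1\r\nHost: cdn.example.invalid\r\n\r\n"),
    ("10.0.0.5", "203.0.113.30", b"GET /files/stage2.rar HTTP/1.1\r\nHost: stage.example.invalid\r\n\r\n"),
    ("10.0.0.5", "185.0.2.1", b"POST /upload HTTP/1.1\r\nHost: 185.0.2.1\r\n\r\n"),
])
```

Running triage(SAMPLE, "10.0.0.5") returns the binary name, the /images/ domain, the full .rar URL and the 185. peer from the constructed capture; for the real challenge, read the .pcap bytes from disk in place of SAMPLE.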