[Quick Write-up] TRAFFIC ANALYSIS EXERCISE - STORMTHEORY

Lately I had been doing nothing but binary work, so for a change of pace I analysed a PCAP.
I worked through this exercise. The tools used were Wireshark, tshark and assorted bash commands.

What is the IP address of the infected Windows host?
10.2.23.231

What is the MAC address of the infected Windows host?
00:11:0a:9f:c0:2d

What is the host name of the infected Windows host?
tcp.port eq 8082 && http.request (HTTP POST starting from frame number 26591 contains infected host info)
FERGUSON-WIN-PC

What is the Windows user account name for the infected Windows host?
tcp.port eq 8082 && http.request (HTTP POST starting from frame number 26591 contains infected host info)
ruby.ferguson

What are the six URLs that returned Windows executable files to the infected Windows host?
frame contains 4d:5a:90:00

http://209.141.55[.]226/troll1.jpg
http://46.249.62[.]199/Tinx86_14.exe
http://46.249.62[.]199/Sw9JKmXqaSj.exe
http://85.143.218[.]7/win.png
http://85.143.218[.]7/tin.png
http://85.143.218[.]7/sin.png

What are the SHA256 hashes of the six Windows executable files sent to the infected Windows host?
$ file * | awk -F: '/executable/ {print $1}' | while IFS= read -r f; do shasum -a 256 "$f"; done   # split on the colon and quote "$f" so names with spaces survive
d43159c8bf2e1bd866abdbb1687911e2282b1f98a7c063f85ffd53a7f51efed4 Sw9JKmXqaSj.exe
f1b789be1126b557240dd0dfe98fc5f3ad6341bb1a5d8be0a954f65b486ad32a Tinx86_14.exe
3abae6dd2ddae23b2de2ccbcc160a4a5773bef8934d0e6896d50197c3d3c417f sin.png
4c957072ab097d3474039f432466cd251d1dc7d91559b76d4e5ead4a8bd499d5 tin.png
8cf2cddda8522975a22da3da429339be471234eacc0e11c099d6dcb732cf3cbb troll1.jpg
38c6c5b8d6fa71d9856758a5c0c2ac9d0a0a1450f75bb1004dd988e23d73a312 win.png
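Two of the steps above lean on approximations: the `frame contains 4d:5a:90:00` filter keys on the first four bytes most compilers emit in a DOS header, and the hashing loop trusts `file`'s `executable` verdict. Three of the six files were served as `.png`/`.jpg`, so extension-based triage would have missed them entirely. The script below is an added example, not code from the original write-up or the exercise: it classifies carved objects by checking the `MZ` magic and then the `PE\0\0` signature at the offset stored in `e_lfanew` (0x3c), which is what loaders and `file(1)` actually rely on, and hashes only the files that pass. It assumes POSIX sh with `od`, `dd` and either `sha256sum` or `shasum`; the `objects` directory and the sample file names are constructed here.

```shell
#!/bin/sh
# Added example, not part of the original write-up. Classifies carved HTTP
# objects by PE header (MZ stub + "PE\0\0" at e_lfanew) instead of by file
# extension, then hashes only the executables. Assumes POSIX sh with od, dd
# and sha256sum (coreutils) or shasum (macOS). Sample names are made up.

# sha256_of FILE: print "<hex>  <basename>" using whichever tool is present
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then h=$(sha256sum "$1")
    else h=$(shasum -a 256 "$1"); fi
    printf '%s  %s\n' "${h%% *}" "$(basename "$1")"
}

# is_pe FILE: succeed only if FILE has the MZ magic and a PE signature at
# e_lfanew. A bare "MZ" (or the 4d 5a 90 00 display filter) also matches any
# DOS stub or random data; following e_lfanew to "PE\0\0" is the real check.
is_pe() {
    f=$1
    magic=$(od -An -tx1 -N2 "$f" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "4d5a" ] || return 1
    # e_lfanew: little-endian uint32 at offset 0x3c (60), read as 4 decimal bytes
    set -- $(od -An -tu1 -j 60 -N4 "$f" 2>/dev/null || true)
    [ $# -eq 4 ] || return 1
    off=$(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
    # od prints nothing (and fails) if e_lfanew points past EOF
    sig=$(od -An -tx1 -j "$off" -N4 "$f" 2>/dev/null | tr -d ' \n' || true)
    [ "$sig" = "50450000" ]
}

# hash_executables DIR: SHA-256 of every PE file in DIR, one per line
hash_executables() {
    for f in "$1"/*; do
        [ -f "$f" ] && is_pe "$f" && sha256_of "$f"
    done
    return 0
}

# make_samples DIR: constructed test objects (not real carved files)
make_samples() {
    d=$1
    mkdir -p "$d"
    # win.png: a minimal PE disguised with an image extension
    {
        printf 'MZ\220\000'                        # e_magic + 0x90 0x00
        dd if=/dev/zero bs=1 count=56 2>/dev/null  # pad to offset 0x3c
        printf '\200\000\000\000'                  # e_lfanew = 0x80, little-endian
        dd if=/dev/zero bs=1 count=64 2>/dev/null  # DOS stub area up to 0x80
        printf 'PE\000\000\114\001'                # NT signature + Machine 0x014c
    } > "$d/win.png"
    # real.png: genuine PNG signature, must not be reported
    printf '\211PNG\r\n\032\n' > "$d/real.png"
    # notpe.bin: starts with MZ but e_lfanew (0xffff) points beyond the file,
    # so an MZ-only check would flag it and the PE-signature check must not
    {
        printf 'MZ\220\000'
        dd if=/dev/zero bs=1 count=56 2>/dev/null
        printf '\377\377\000\000'
    } > "$d/notpe.bin"
}

# Typical use on objects exported from the capture (tshark's own option):
#   tshark -r stormtheory.pcap --export-objects http,objects && hash_executables objects
# Demo on the constructed samples: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_samples "$d"; hash_executables "$d"; rm -rf "$d"
fi
```

Running it on the exported objects yields the same six hashes as the `file`/`shasum` loop, but a file that merely begins with `MZ` (a DOS stub, or a chunk of unrelated data that happens to match the display filter) is no longer mistaken for a PE binary.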

Based on the IDS alerts, what type of infection (or infections) is this?
Trickbot infection and IcedID infection

The official answer confirmed the compromised host name and user account from the Kerberos credentials, whereas I confirmed them from the malware's beacon traffic.

That's all.
