In this TryHackMe room, three machines in the Finance department at Pfeffer PLC were compromised. We suspect the initial source of the compromise happened through a phishing attempt and by an infected USB drive. The Incident Response team managed to pull the network traffic logs from the endpoints. Use Brim to investigate the network traffic for any indicators of an attack and determine who stands behind the attacks.


Brim

Brim is an open-source desktop application that processes pcap and log files. Its primary focus is providing search analytics over those logs.



Infection 1

Lab Questions:
Provide the victim's IP address.

The victim attempted to make HTTP connections to two suspicious domains with the status '404 Not Found'. Provide the hosts/domains requested. 

The victim made a successful HTTP connection to one of the domains and received the response_body_len of 1,309 (uncompressed content size of the data transferred from the server). Provide the domain and the destination IP address.

How many unique DNS requests were made to cab[.]myfkn[.]com domain (including the capitalized domain)?

Provide the URI of the domain bhaktivrind[.]com that the victim reached out over HTTP. 

Provide the IP address of the malicious server and the executable that the victim downloaded from the server. 

Based on the information gathered from the second question, provide the name of the malware using VirusTotal


Provide the victim's IP address.

To find the victim's IP, it is necessary to check for any alerts that were triggered. Using the default queries, click on “Suricata Alerts by Source and Destination” (or type in event_type=="alert" | alerts := union(alert.category) by src_ip, dest_ip).

According to the query, the source IP address 192.168.75.249 triggered an alert. The alert describes a network trojan, meaning that the source IP address downloaded a trojan from the destination IP.

Therefore the victim's IP address is: 192.168.75.249


The victim attempted to make HTTP connections to two suspicious domains with the status '404 Not Found'. Provide the hosts/domains requested. 

The victim (192.168.75.249) made HTTP connections to domains that returned a 404 Not Found. To figure out the domains, we should create a query that includes the victim's IP address and the HTTP 404 status. The query is: status_msg=="Not Found" id.orig_h==192.168.75.249

The query returns two HTTP events. If we scroll over to the right, we’ll see the hostnames cambiasuhistoria.growlab.es and www.letscompareonline.com. The answer should be cambiasuhistoria.growlab.es,www.letscompareonline.com


The victim made a successful HTTP connection to one of the domains and received the response_body_len of 1,309 (uncompressed content size of the data transferred from the server). Provide the domain and the destination IP address.

To figure this one out, we’ll make a query to find a domain and IP address with a response_body_len of 1309. Here’s the query: response_body_len==1309 | cut id.resp_h, host

The destination IP address and domain are now shown. Therefore the answer is ww25.gocphongthe.com,199.59.242.153


How many unique DNS requests were made to cab[.]myfkn[.]com domain (including the capitalized domain)?

To answer this question, we want to figure out the total number of DNS requests to the domain. The question also lets us know that there is a capitalized variant of the domain, so our query should match both the lowercase and the uppercase spelling. Here’s our query: _path=="dns" query=="CAB.MYFKN.COM" OR _path=="dns" query=="cab.myfkn.com" | count()

There are 7 unique DNS requests.
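The same case-insensitive count can be reproduced outside Brim over Zeek dns.log records exported as JSON lines. This is an added example, not code from the room or from Brim; the log records below are constructed sample data that reuse the room's victim IP and domain, and the field names assume Zeek's dns.log layout (ts, id.orig_h, id.resp_h, query). It goes a step beyond the Brim query by also matching a trailing-dot spelling and reporting every raw spelling seen.

```python
import json
from collections import Counter

# Constructed Zeek dns.log records in JSON-lines form (sample data, not the room's pcap).
SAMPLE_DNS_LOG = """\
{"ts": 1613570001.1, "id.orig_h": "192.168.75.249", "id.resp_h": "192.168.75.1", "query": "cab.myfkn.com"}
{"ts": 1613570002.2, "id.orig_h": "192.168.75.249", "id.resp_h": "192.168.75.1", "query": "CAB.MYFKN.COM"}
{"ts": 1613570003.3, "id.orig_h": "192.168.75.249", "id.resp_h": "192.168.75.1", "query": "cab.myfkn.com"}
{"ts": 1613570004.4, "id.orig_h": "192.168.75.249", "id.resp_h": "192.168.75.1", "query": "www.example.com"}
{"ts": 1613570005.5, "id.orig_h": "192.168.75.249", "id.resp_h": "192.168.75.1", "query": "cab.myfkn.com."}
"""


def parse_dns_log(text):
    """Parse newline-delimited JSON Zeek records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def normalize_name(name):
    """DNS names are case-insensitive and may carry a trailing dot (FQDN form)."""
    return name.rstrip(".").lower()


def count_dns_requests(records, domain):
    """Count every DNS request for `domain`, matching case-insensitively.

    Returns (total, spellings): the total number of matching requests and a
    dict of each raw spelling seen, so the analyst can confirm the
    capitalized variant the question refers to actually exists in the log.
    """
    target = normalize_name(domain)
    spellings = Counter()
    for rec in records:
        query = rec.get("query")
        if query and normalize_name(query) == target:
            spellings[query] += 1
    return sum(spellings.values()), dict(spellings)


if __name__ == "__main__":
    total, seen = count_dns_requests(parse_dns_log(SAMPLE_DNS_LOG), "cab.myfkn.com")
    print(total, seen)
```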


Provide the URI of the domain bhaktivrind[.]com that the victim reached out over HTTP. 

This one is very simple. Query for the path (HTTP), host (the website), and uri: _path=="http" AND host=="bhaktivrind.com" | cut uri

The URI is /cgi-bin/JBbb8


Provide the IP address of the malicious server and the executable that the victim downloaded from the server. 

Remember the destination address from the triggered alert? Let’s use that in our query to find the executable that the victim downloaded, restricting the results to HTTP events (filter on the destination IP together with _path=="http").

One event should pop up. If we scroll over to the right, we should be able to find the URI of the executable: /catzx.exe. Therefore the answer is 185.239.243.112,catzx.exe


Based on the information gathered from the second question, provide the name of the malware using VirusTotal

First we need to visit VirusTotal. Once there, click on search then paste one of the domains (in this case we’ll use cambiasuhistoria.growlab.es) and press enter. Head over to the community tab.

After reading through the community tab, we have figured out that the official name of the malware is Emotet



Infection 2

Lab Questions:
Provide the IP address of the victim machine.

Provide the IP address the victim made the POST connections to. 

How many POST connections were made to the IP address in the previous question?

Provide the domain where the binary was downloaded from. 

Provide the name of the binary including the full URI.

Provide the IP address of the domain that hosts the binary.

There were 2 Suricata "A Network Trojan was detected" alerts. What were the source and destination IP addresses? 

Taking a look at .top domain in HTTP requests, provide the name of the stealer (Trojan that gathers information from a system) involved in this packet capture using URLhaus Database


Provide the IP address of the victim machine.

Let’s do the exact same thing we did last time. Go over to the built-in queries and look through the Suricata alerts.

There are two events with the same source IP triggering an alert. The answer is 192.168.75.146


Provide the IP address the victim made the POST connections to. 

To find this, query using the previous IP address and then add the POST method to it. The query should look like 192.168.75.146 method=="POST"

There are 3 different POST connections with the same IP destination address. The answer is: 5.181.156.252


How many POST connections were made to the IP address in the previous question?

There were 3 different POST connections


Provide the domain where the binary was downloaded from. 

Remember that GET requests signify the retrieval of a file. Let’s query for the victim's IP address and a GET method: method=="GET" id.orig_h==192.168.75.146

There should be one event that is shown. If we scroll over to the right, we’ll find the hostname: hypercustom.top


Provide the name of the binary including the full URI.

In the question above, we figured out the host. The URI is shown right next to it: uri: /jollion/apines.exe


Provide the IP address of the domain that hosts the binary.

In the same screenshot above, the destination IP address that hosts the binary is shown: 45.95.203.28


There were 2 Suricata "A Network Trojan was detected" alerts. What were the source and destination IP addresses? 

Using the first question we figured out to view the Suricata alerts, the alert showing “Potentially Bad Traffic, A Network Trojan was detected” had the source IP address of 192.168.75.146 and the destination IP address of 45.95.203.28. Therefore, the answer is 192.168.75.146,45.95.203.28


Taking a look at .top domain in HTTP requests, provide the name of the stealer (Trojan that gathers information from a system) involved in this packet capture using URLhaus Database

Go to https://urlhaus.abuse.ch and paste hypercustom.top into the Browse Database box.

In the “Tags” column, the website provides related searches to the malware URL. The stealer’s name is RedLine Stealer



Infection 3

Lab Questions:
Provide the IP address of the victim machine.

Provide three C2 domains from which the binaries were downloaded (starting from the earliest to the latest in the timestamp)

Provide the IP addresses for all three domains in the previous question.

How many unique DNS queries were made to the domain associated from the first IP address from the previous answer? 

How many binaries were downloaded from the above domain in total? 

Provide the user-agent listed to download the binaries. 

Provide the amount of DNS connections made in total for this packet capture.

With some OSINT skills, provide the name of the worm using the first domain you have managed to collect from Question 2. (Please use quotation marks for Google searches, don't use .ru in your search, and DO NOT interact with the domain directly).


Provide the IP address of the victim machine.

Let’s do the exact same thing we did for the past two infections.

Once the query loads, we are able to see 9 alerts. What is suspicious is that almost all of the alerts have one IP address in common, 192.168.75.232. It looks like the IP address 192.168.75.232 is causing the Network Trojan alerts. Let’s view the IP address in more detail. We’re going to write a query to view the number of connections made by the IP address. What we are looking for is an abnormal amount of outbound traffic.

There are obviously a lot of outbound connections originating from the 192.168.75.232 IP address. Therefore, the IP address of the victim machine is 192.168.75.232


With this much outbound traffic, this machine must be reaching out to a C2 server.


Provide three C2 domains from which the binaries were downloaded (starting from the earliest to the latest in the timestamp)

The keyword in this question is “downloaded”. Therefore, we are looking for HTTP GET requests. In our query let’s type in _path=="http" method=="GET"

If we scroll to the right, we’ll find GET requests for .exe files from suspicious domains. These must be the C2 domains. Therefore, the answer is efhoahegue.ru,afhoahegue.ru,xfhoahegue.ru


Provide the IP addresses for all three domains in the previous question.

Using the previous filter, we can match the IP addresses to the malicious domains. The IP addresses of the domains are 162.217.98.146, 199.21.76.77, and 63.251.106.25. Therefore, the answer is 162.217.98.146,199.21.76.77,63.251.106.25


How many unique DNS queries were made to the domain associated from the first IP address from the previous answer? 

To find this answer, we need to filter on the first IP address from the previous answer (162.217.98.146) and then look only at DNS events. The query is: 162.217.98.146 _path=="dns"

The answer is 2


How many binaries were downloaded from the above domain in total?

Remember that the domain of the first IP address is efhoahegue.ru. We’ll then filter for this domain.

There are 8 events that were generated from the filter. Five of them show GET requests for .exe files. Therefore the answer is 5.


Provide the user-agent listed to download the binaries. 

Using the previous filter, scroll over to the right to find the user-agent(s).

The answer is Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
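The download triage in this section (GET requests for .exe files, the download hosts and their server IPs ordered by first appearance, binaries per host, and the user-agent used) can be scripted over Zeek http.log records exported as JSON lines. This is an added example, not code from the room or from Brim; the records below are constructed sample data with placeholder hosts, IPs and paths, and the field names assume Zeek's http.log layout (ts, id.orig_h, id.resp_h, method, host, uri, user_agent, status_code). It generalizes the .exe filter to a small list of executable suffixes.

```python
import json
from collections import defaultdict

# Constructed Zeek http.log records (JSON lines). Hosts, IPs and paths are
# invented placeholders shaped like the room's data, not the real capture.
SAMPLE_HTTP_LOG = """\
{"ts": 100.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "method": "GET", "host": "first.example", "uri": "/a.exe", "user_agent": "UA-1", "status_code": 200}
{"ts": 101.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "method": "GET", "host": "first.example", "uri": "/favicon.ico", "user_agent": "UA-1", "status_code": 404}
{"ts": 102.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.20", "method": "GET", "host": "second.example", "uri": "/b.exe", "user_agent": "UA-1", "status_code": 200}
{"ts": 103.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.30", "method": "POST", "host": "c2.example", "uri": "/gate.php", "user_agent": "UA-2", "status_code": 200}
{"ts": 104.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "method": "GET", "host": "first.example", "uri": "/c.exe", "user_agent": "UA-1", "status_code": 200}
{"ts": 105.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.40", "method": "GET", "host": "third.example", "uri": "/d.exe", "user_agent": "UA-1", "status_code": 200}
"""

# Suffixes treated as executable payloads (a small, assumed list).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")


def parse_http_log(text):
    """Parse newline-delimited JSON Zeek records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def executable_downloads(records, victim_ip):
    """GET requests from `victim_ip` whose URI ends in an executable suffix,
    sorted by timestamp so the earliest download comes first."""
    hits = [r for r in records
            if r.get("id.orig_h") == victim_ip
            and r.get("method") == "GET"
            and r.get("uri", "").lower().endswith(EXECUTABLE_SUFFIXES)]
    return sorted(hits, key=lambda r: r["ts"])


def download_hosts_in_order(downloads):
    """Distinct (host, server IP) pairs in first-seen order: the
    'earliest to latest' ordering the C2 domain question asks for."""
    seen, ordered = set(), []
    for r in downloads:
        key = (r["host"], r["id.resp_h"])
        if key not in seen:
            seen.add(key)
            ordered.append(key)
    return ordered


def downloads_per_host(downloads):
    """How many executables were fetched from each host."""
    counts = defaultdict(int)
    for r in downloads:
        counts[r["host"]] += 1
    return dict(counts)


def user_agents(downloads):
    """Distinct user-agent strings used for the downloads."""
    return sorted({r["user_agent"] for r in downloads})
```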


Provide the amount of DNS connections made in total for this packet capture.

To find the amount of DNS connections made we need to query for events that are under the DNS path and count them. _path=="dns" | count()


The answer is 986


With some OSINT skills, provide the name of the worm using the first domain you have managed to collect from Question 2.

Plug the domain name into Google.


The first name that appeared was phorphiex. There is also a GitHub repository of all the malicious domains. Therefore, the answer is Phorphiex
