HawkEye Walkthrough — Cyberdefenders

responderj
9 min readMar 6, 2022

--

Scenario:
An accountant at your organization received an email regarding an invoice with a download link. Suspicious network traffic was observed shortly after opening the email. As a SOC analyst, investigate the network trace and analyze exfiltration attempts.

Challenge Link: HawkEye

Tools:

  1. How many packets does the capture have?

To view the total packets, navigate to Statistics > Capture File Properties and look for Packets under Measurements.

2. At what time was the first packet captured?

To set the timezone of Wireshark to UTC, go to View > Time Display Format > UTC Date and Time of Day.

The No. column shows the frame number of the pcap.

The Time column with frame 1 shows the time of the first packet captured.

Or open the Capture File Properties and look for the First packet under Time. Make sure to convert to UTC.

3. What is the duration of the capture?

The same steps from Q.1. In Capture File Properties, look for Elapsed under Time.

4. What is the most active computer at the link level?

Ethernet — Identical to the Ethernet device’s MAC-48 identifier.

To view Ethernet, go to Statistics > Endpoints > Ethernet. Click Packets to sort the packets by descending.

The image above shows the device’s MAC address from most to least active.

5. Manufacturer of the NIC of the most active system at the link level?

The filter below will display all the traffic from the MAC address 00:08:02:1c:47:ae. The Manufacturer is in the Source section of the Frame details window.

eth.addr==00:08:02:1c:47:ae

Or search the MAC address information online using DNSChecker.org.

6. Where is the headquarters of the company that manufactured the NIC of the most active computer at the link level?

Google result shows the headquarters address of Hewlett Packard.

7. The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?

The image below shows the Private address ranges.

To view the IPv4 addresses, go to Statistics > Endpoints > IPv4.

The image above shows 4 Private IP addresses, but the .255 was assigned to the Broadcast address (First address = network address & last address = broadcast address).

8. What is the name of the most active computer at the network level?

The DHCP traffic has the host information such as MAC Address, IP Address, and Hostname. Since I already know the MAC address, I used it to filter the packets to only display the DHCP traffic from the MAC address 00:08:02:1c:47:ae.

eth.addr==00:08:02:1c:47:ae && dhcp

Select the first frame and expand Dynamic Host Configuration Protocol and Option (12).

9. What is the IP of the organization’s DNS server?

We can identify the DNS server IP address by analyzing the DNS traffic. Enter the string dns in the Filter field to display all the DNS traffic. Select the first frame and expand Ethernet II, the Source is the MAC address of the victim’s computer, and the Destination is the MAC address of the DNS server. Expand Internet Protocol Version 4 or look in the Destination column for the IP address.

10. What domain is the victim asking about in the 204 packets?

The filter below will only display frame 204.

frame.number == 204

Expanding the Domain Name System and Queries will show the domain the victim is accessing.

11. What is the IP of the domain in the previous question?

The filter below will display all the frames that contain proforma-invoices.com.

frame contains proforma-invoices.com

The IP address of the domain is in the Destination column.

12. Indicate the country to which the IP in the previous section belongs.

AbusedIPDB will return the information of the IP Address you entered, including its location.

13. What operating system does the victim’s computer run?

The filter below will display all the HTTP requests made by the victim.

eth.addr==00:08:02:1c:47:ae && http.request

Select the first frame and use the Follow TCP Stream option.

The image below shows the HTTP request headers. We can identify Operating System under User-Agent field.

14. What is the name of the malicious file downloaded by the accountant?

The filter below will display all the HTTP GET requests made.

http.request.method == GET

The image above shows that frame 210 is the only packet retrieving a file and the Info column will provide the filename of the malicious file.

15. What is the md5 hash of the downloaded file?

To export the file from the previous question, go to File > Export Objects > HTTP.

Select Packet 3155 and click the Save button.

Then I used the certutil command with the -hashfile option to generate the MD5 hash.

certutil -hashfile tkraw_Protected99.exe MD5

16. What is the name of the malware according to Malwarebytes?

Scan the file using its MD5 hash in VirusTotal and look for Malwarebytes results.

17. What software runs the webserver that hosts the malware?

The filter below will display all the frames that has proforma-invoices.com.

frame contains proforma-invoices.com

To display the HTTP header use the Follow HTTP Stream feature.

The Server in the HTTP header represents the software the web server uses and sometimes includes the version.

18. What is the public IP of the victim’s computer?

To add the Host column from the Column display, go to Edit > Preferences > Appearance > Columns. Click the (+) button and enter http.host then select Custom as Type.

http.request

The results from the filter above show that frame 3164 performed a GET request from the host bot.whatismyipaddress.com.

bot.whatismyipaddress.com is not accessible, but if you access whatismyipaddress.com, it will display your device’s public IP address.

The response request on the HTTP header shows the public IP address of the victim’s computer.

19. In which country is located the email server to which the stolen information is sent?

The SMTP requests can be used to identify the email server’s IP address.

The filter below will display all the SMTP requests made by the victim’s machine.

ip.addr == 10.4.10.132 && smtp.req

The image above shows the Email Server’s IP address under Destination. AbuseIPDB will display the Country where the IP address is located.

20. What is the creation date of the domain to which the information is exfiltrated?

Select the first frame from the results on the filter below and use the Follow TCP Stream option.

ip.addr == 10.4.10.132 && smtp.req

The image above shows the email domain. Now that I know the domain, I used an online tool called Whois. The results show the information on the domain, including the creation date.

21. Analyzing the first extraction of information. What software runs the email server to which the stolen information is sent?

The same steps from the previous question on viewing the SMTP traffic. The first line on the image below shows the software used and the version.

22. To which email account is the stolen information sent?

The same steps from Q.20 on viewing the SMTP traffic. The image below shows the recipient of the email.

23. What is the password used by the malware to send the email?

I used the same filter from Q.20.

ip.addr == 10.4.10.132 && smtp.req

Selecting frame 3182 and expanding Application Layer/Simple Mail Transfer Protocol shows the password, encoded with base64.

CyberChef can be used to decode the password with From Base64 operation.

24. Which malware variant exfiltrates information?

Using the Follow TCP stream option from one of the SMTP requests, SMTP traffic shows that the content is encoded with base64.

CyberChef shows the human-readable format of the email body.

25. What are the bankofamerica access credentials? Username:password

The output from the previous question shows several pieces of information, including the URL, Username, and Password.

26. Every how many minutes is the information collected exfiltrated?

The information was collected via Email. Analyzing the SMTP traffic shows that an email was sent every 10 minutes.

Email content 1.1
Email content 1.2
Email content 1.3
Email content 1.4
Email content 1.5

References:

Resources:

--

--