
2/17/2023

Exploitation Kit Network Traffic Investigation

In this challenge, I used Brim and Wireshark to analyze malicious web traffic; specifically, traffic in which an exploit kit infection is present.
Question 1:
I went into Brim and imported the pcap file. Examining the traffic, I noticed that a network trojan was detected, and right before it an exploit kit alert; both are tied to the IP 172.16.165.165.
[Screenshot]

Question 2:
I used the _path=="dhcp" | client_addr 172.16.165.165 filter and found the hostname, as shown in the screenshot:
[Screenshot]

Question 3:
Using the same filter as in question 2, you can also see the MAC address, shown in the screenshot:
[Screenshot]

Question 4:
I went into Wireshark and used the http.request.method == GET filter, which shows only HTTP GET requests. Since the exploit kit is being downloaded, you will want to look for a GET request. In the destination column, there is an IP of 82.150.140.30.
[Screenshot]

Question 5:
I used the same information as in the screenshot from question 4. The FQDN is ciniholland.nl.
Question 6:
In Brim, I checked the Suricata alerts by category. The first IP, 37.200.69.143, delivered the exploit kit. If you look at the "alerts" column, it says "Exploit Activity Detected" (the rest wasn't captured in the screenshot).
[Screenshot]

Question 7 and 8:
I used the filter in the screenshot. For question 7, the FQDN that delivered the exploit kit and malware is stand.trustandprobaterealty.com. For question 8, the redirect URL is http://24corp-shop.com/
[Screenshot]

Question 9:
I used the event_type="alert" filter. The exploit kit being used is Java.
[Screenshot]
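The Brim alert view used in questions 6 and 9 (and the ordering noticed in question 1) can be reproduced over Suricata's eve.json output with a few lines of Python. This is an added example, not part of the original post or the challenge files: every event below is constructed, and the signature names and timestamps are placeholders rather than real rule names or times from the capture.

```python
# Added example, not part of the original post or the challenge files: the triage Brim's
# event_type=="alert" view gives you (questions 1, 6 and 9), done over Suricata EVE JSON.
# Every event below is constructed; signature names and timestamps are placeholders.
import json
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

VICTIM = "172.16.165.165"
# Constructed eve.json lines: one non-alert event plus three alerts.
EVE_JSONL = "\n".join(json.dumps(e) for e in [
    {"timestamp": "2000-01-01T00:00:01.000000+0000", "event_type": "dns",
     "src_ip": VICTIM, "dest_ip": "172.16.165.1", "dns": {"rrname": "ciniholland.nl"}},
    {"timestamp": "2000-01-01T00:00:05.000000+0000", "event_type": "alert",
     "src_ip": "37.200.69.143", "dest_ip": VICTIM,
     "alert": {"signature": "SAMPLE EK landing page", "category": "Exploit Kit Activity Detected", "severity": 1}},
    {"timestamp": "2000-01-01T00:00:09.000000+0000", "event_type": "alert",
     "src_ip": "37.200.69.143", "dest_ip": VICTIM,
     "alert": {"signature": "SAMPLE EK Java exploit JAR download", "category": "Exploit Kit Activity Detected", "severity": 1}},
    {"timestamp": "2000-01-01T00:00:12.000000+0000", "event_type": "alert",
     "src_ip": VICTIM, "dest_ip": "37.200.69.143",
     "alert": {"signature": "SAMPLE trojan check-in", "category": "A Network Trojan was detected", "severity": 1}},
])


def load_alerts(eve_jsonl: str) -> List[dict]:
    """The event_type=="alert" filter: keep only alert events, oldest first."""
    events = [json.loads(line) for line in eve_jsonl.splitlines() if line.strip()]
    return sorted((e for e in events if e.get("event_type") == "alert"), key=lambda e: e["timestamp"])


def sources_by_category(alerts: List[dict]) -> Dict[str, List[str]]:
    """Question 6: which source IPs fired each alert category."""
    out: Dict[str, set] = defaultdict(set)
    for a in alerts:
        out[a["alert"]["category"]].add(a["src_ip"])
    return {category: sorted(ips) for category, ips in out.items()}


def host_timeline(alerts: List[dict], victim_ip: str) -> List[Tuple[str, str, str]]:
    """Question 1: alerts touching the victim, in order, as (timestamp, category, peer ip);
    direction is dropped so inbound exploit delivery and outbound check-ins line up."""
    rows = []
    for a in alerts:
        if victim_ip in (a["src_ip"], a["dest_ip"]):
            peer = a["dest_ip"] if a["src_ip"] == victim_ip else a["src_ip"]
            rows.append((a["timestamp"], a["alert"]["category"], peer))
    return rows


def exploit_kit_hint(alerts: List[dict]) -> Optional[str]:
    """Question 9: a crude keyword scan of exploit-kit signatures for the targeted technology."""
    keywords = ("Java", "Flash", "Silverlight", "PDF")
    for a in alerts:
        if "Exploit Kit" in a["alert"]["category"]:
            for keyword in keywords:
                if keyword.lower() in a["alert"]["signature"].lower():
                    return keyword
    return None


if __name__ == "__main__":
    alerts = load_alerts(EVE_JSONL)
    for category, ips in sources_by_category(alerts).items():
        print(f"{category}: {', '.join(ips)}")
    for ts, category, peer in host_timeline(alerts, VICTIM):
        print(ts, category, peer)
    print("exploit kit technology:", exploit_kit_hint(alerts))
```

Sorting oldest-first is the opposite of Brim's default newest-first view, which is why the trojan alert appears above the exploit kit alerts in the screenshot even though it fires after them.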

Question 10:
In NetworkMiner, I imported the PCAP file. When I did this, Windows Defender alerts were triggered, so make sure you have Windows Defender enabled. (NetworkMiner carves the transferred files out of the capture and writes them to disk, which is what triggers the alerts.) There were 3 threats in total, but one was removed before I could take this screenshot.
[Screenshot]

Question 11/12:
In Wireshark, using the same information as in the screenshot from question 4, if you scroll through the TCP stream output, you will see the URL http://24corp-shop.com
[Screenshot]

Question 13:
I used the _path=="files" source=="HTTP" 37.200.69.143 in tx_hosts | cut tx_hosts, rx_hosts, md5, mime_type filter; the highlighted rows show the MD5 hash values.

[Screenshot]
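The Brim filters used in questions 2/3 (dhcp), 4/5/7/8 (HTTP GETs and the redirect chain) and 13 (files and their MD5s) all run over Zeek logs, and the same pivots can be scripted against the raw TSV logs. The following is an added example and not the post's own tooling or data: every log line is a constructed sample with a subset of Zeek's real fields, and the hostname, MAC addresses, 203.0.113.x addresses and MD5 values (the digests of the empty string and of "a") are placeholders, not values from the challenge capture.

```python
# Added example, not the challenge's own data or tooling: the pivots the Brim filters
# above perform, done over Zeek TSV logs in plain Python. Every log line here is a
# constructed sample; hostnames, MACs, 203.0.113.x and the MD5s are placeholders.
from typing import Any, Dict, List, Optional, Tuple

Row = Dict[str, Any]
SET_FIELDS = ("tx_hosts", "rx_hosts", "uids", "conn_uids")  # comma-separated sets in Zeek TSV

# Constructed dhcp.log excerpt (a subset of Zeek's dhcp fields).
DHCP_LOG = (
    "#fields\tts\tuids\tclient_addr\tserver_addr\tmac\thost_name\tassigned_addr\n"
    "1000000000.000000\tCdh1\t172.16.165.165\t172.16.165.1\t00:11:22:33:44:55\tSAMPLE-PC\t172.16.165.165\n"
    "1000000001.000000\tCdh2\t172.16.165.140\t172.16.165.1\t66:77:88:99:aa:bb\tOTHER-PC\t172.16.165.140\n"
)
# Constructed http.log excerpt: the referrer chain models the redirect path described above.
HTTP_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\thost\turi\treferrer\tstatus_code\n"
    "1000000010.000000\tCht1\t172.16.165.165\t82.150.140.30\tGET\tciniholland.nl\t/\t-\t200\n"
    "1000000011.000000\tCht2\t172.16.165.165\t203.0.113.10\tGET\t24corp-shop.com\t/\thttp://ciniholland.nl/\t200\n"
    "1000000012.000000\tCht3\t172.16.165.165\t37.200.69.143\tGET\tstand.trustandprobaterealty.com\t/landing\thttp://24corp-shop.com/\t200\n"
    "1000000013.000000\tCht4\t172.16.165.140\t203.0.113.20\tPOST\tintranet.example\t/login\t-\t302\n"
)
# Constructed files.log excerpt; the MD5s are the digests of "" and "a", used as stand-ins.
FILES_LOG = (
    "#fields\tts\tfuid\ttx_hosts\trx_hosts\tsource\tmime_type\tmd5\n"
    "1000000010.100000\tFa0\t82.150.140.30\t172.16.165.165\tHTTP\ttext/html\t-\n"
    "1000000012.500000\tFa1\t37.200.69.143\t172.16.165.165\tHTTP\tapplication/java-archive\td41d8cd98f00b204e9800998ecf8427e\n"
    "1000000012.900000\tFa2\t37.200.69.143\t172.16.165.165\tHTTP\tapplication/x-dosexec\t0cc175b9c0f1b6a831c399e269772661\n"
)


def parse_zeek_tsv(text: str) -> List[Row]:
    """Parse Zeek's TSV log format: the '#fields' line names the columns, other '#'
    lines are metadata, '-' marks an unset field, and set fields are comma-separated."""
    fields: List[str] = []
    rows: List[Row] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            row: Row = {}
            for name, value in zip(fields, line.split("\t")):
                if value in ("-", "(empty)"):
                    row[name] = None
                elif name in SET_FIELDS:
                    row[name] = value.split(",")
                else:
                    row[name] = value
            rows.append(row)
    return rows


def dhcp_identity(dhcp_rows: List[Row], client_ip: str) -> Optional[Tuple[str, str]]:
    """Questions 2/3: hostname and MAC of the client that leased client_ip."""
    for row in dhcp_rows:
        if row.get("client_addr") == client_ip:
            return row["host_name"], row["mac"]
    return None


def http_gets(http_rows: List[Row], client_ip: str) -> List[Tuple[str, str, Optional[str]]]:
    """Questions 4/5/7/8: the client's GET requests in time order as
    (server ip, host header, referrer); the referrers expose the redirect chain."""
    hits = [r for r in http_rows if r["id.orig_h"] == client_ip and r["method"] == "GET"]
    hits.sort(key=lambda r: float(r["ts"]))
    return [(r["id.resp_h"], r["host"], r["referrer"]) for r in hits]


def files_from_host(file_rows: List[Row], server_ip: str) -> List[Tuple[str, str]]:
    """Question 13: (mime_type, md5) of every HTTP-carried file server_ip transmitted;
    the same test as Brim's 'server_ip in tx_hosts', skipping files Zeek did not hash."""
    return [(r["mime_type"], r["md5"]) for r in file_rows
            if r["source"] == "HTTP" and server_ip in (r["tx_hosts"] or []) and r["md5"]]


if __name__ == "__main__":
    victim = "172.16.165.165"
    print("victim identity:", dhcp_identity(parse_zeek_tsv(DHCP_LOG), victim))
    for server, host, referrer in http_gets(parse_zeek_tsv(HTTP_LOG), victim):
        print(f"GET {host} ({server}) referrer={referrer}")
    for mime, md5 in files_from_host(parse_zeek_tsv(FILES_LOG), "37.200.69.143"):
        print(f"{md5}  {mime}")
```

On a real capture, point the three constants at the dhcp.log, http.log and files.log Zeek produces for the pcap; the parser reads the column names from the #fields header, so it copes with the full field set rather than the subset shown here. The MD5 list from files_from_host is what you would check against a reputation service or a sandbox, as the challenge asks in question 13.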