Skip to content

THM - Advent of Cyber 2022 - Day 13


Difficulty: ⭐
Challenge Link
OS: Linux

After receiving the phishing email on Day 6 and investigating malware on Day 12, it seemed everything was ready to go back to normal. However, monitoring systems started to show suspicious traffic patterns just before closing the case. Now Santa's SOC team needs help in analysing these suspicious network patterns.

Learning Objectives

  • Learn what traffic analysis is and why it still matters.
  • Learn the fundamentals of traffic analysis.
  • Learn the essential Wireshark features used in case investigation.
  • Learn how to assess the patterns and identify anomalies on the network.
  • Learn to use additional tools to identify malicious addresses and conduct further analysis.
  • Help the Elf team investigate suspicious traffic patterns.

What is the "Percent Packets" value of the "Hypertext Transfer Protocol"?

View the "Protocol Hierarchy" menu.


Answer
0.3

Which port number has received more than 1000 packets?

View the "Conversations".
Navigate to the TCP section.

Answer
3389

What is the service name of the used protocol that received more than 1000 packets?

Common Port Name

Answer
rdp

What are the domain names?

Filter the DNS packets. Enter the domains in alphabetical order and defanged format. (format: domain[.]zzz,domain[.]zzz) We can use dns in the wireshark search field to filter by dns packets.

Answer

DEFANGED just alls brackets around the . to keep it from easily being clickable.

bestfestivalcompany[.]thm,cdn[.]bandityeti[.]thm

What are the names of the requested files?

Filter the HTTP packets.
Enter the names in alphabetical order and in defanged format. (format: file[.]xyz,file[.]xyz)
Similar to the previous one we can filter by HTTP and then look in the HTTP Section of the Packet.

Answer
favicon[.]ico,mysterygift[.]exe

Which IP address downloaded the executable file?

Enter your answer in defanged format.
Looking back on the same filter as above at the .exe packet you can see the source IP.

Answer
10[.]10[.]29[.]186

Which domain address hosts the malicious file?

Enter your answer in defanged format.
Looking at the same packet. We can see the source url of that file from where it was downloaded.

Answer
cdn[.]bandityeti[.]thm

What is the "user-agent" value used to download the non-executable file?

Let's look back at the other packet and check the user-agent field.

Answer
Nim httpclient/1.6.8

What is the sha256 hash value of the executable file?

Export objects from the PCAP file.
Calculate the file hashes.
We can export the HTTP Objects and select the .exe from the list. Then run sha256sum against it.

Answer
0ce160a54d10f8e81448d0360af5c2948ff6a4dbb493fe4be756fc3e2c3f900f

Search the hash value of the executable file on VirusTotal.

Navigate to the "Behaviour" section.
There are multiple IP addresses associated with this file.
What are the connected IP addresses?
Enter the IP addressed defanged and in numerical order. (format: IPADDR,IPADDR)
Please note that the VT entry changed since the official walkthrough video was recorded - check the VT website to get all the IP addresses you need!

Answer
20[.]99[.]133[.]109,20[.]99[.]184[.]37,23[.]216[.]147[.]64,23[.]216[.]147[.]76