let's start:
Downloading the Capture File and Understanding the Assignment
- Download the .pcap file from pcap.
- Familiarize yourself with the assignment instructions.
LAN segment data:
LAN segment range: 10.9.10[.]0/24 (10.9.10[.]0 through 10.9.10[.]255)
Domain: angrypoutine[.]com
Domain controller: 10.9.10[.]9 - ANGRYPOUTINE-DC
LAN segment gateway: 10.9.10[.]1
LAN segment broadcast address: 10.9.10[.]255
OUR TASK:
Write an incident report based on the pcap and the alerts.
The incident report should contain the following:
Executive Summary
Details (of the infected Windows host)
Indicators of Compromise (IOCs).
Identifying the Infected Host
This is my method for finding the infected host in a PCAP file, though it may not always guarantee accurate results.
- In Wireshark, go to Statistics > Endpoint > IPv4.
- Identify the IP associated with the most transferred packets within your LAN. This is likely the compromised host.
Investigating the PCAP
Analyzing Network Traffic with Basic Filters:
(http.request || tls.handshake.type eq 1) && !(ssdp)
Upon inspection, a GET request to 194.62.42.206 port 80 was detected, fetching a malicious Dynamic Link Library (DLL) file for BazarLoader from the following URL:
/bmdff/BhoHsCtZ/MLdmpfjaX/5uFG3Dz7yt/date1?BNLv65=pAAS
This URL, containing '/bmdff/', consistently yields a 64-bit DLL for BazarLoader. Notably, this pattern has persisted over the past several weeks, indicating association with the TA551 (Shathak) campaign.
Further analysis reveals BazarLoader's command and control (C2) activity. Initially, BazarLoader retrieves BazarBackdoor via HTTPS traffic from 167.172.37.9 over TCP port 443. Subsequently, BazarBackdoor itself generates C2 activity, utilizing HTTPS traffic to communicate with 94.158.245.52 over TCP port 443.
It's important to note that Bazar C2 activity often directs traffic to legitimate domains. While this behavior isn't inherently malicious, it's reminiscent of various malware families conducting connectivity checks or ensuring uninterrupted internet access on infected Windows hosts.
For a comprehensive understanding of BazarLoader's network reconnaissance tactics, I recommend reading Brad Duncan's article on the case study:
Case Study: From BazarLoader to Network Reconnaissance
Final report:
Executive Summary
On 2021-09-10 at approximately 23:17 UTC, a Windows host used by Hobart Gunnarsson was infected with BazarLoader through the TA551 (Shathak) campaign.
Details
MAC address: 00:4f:49:b1:e8:c3
IP address: 10.9.10.102
Host name: DESKTOP-KKITB6Q
Windows user account: hobart.gunnarsson
Indicators of Compromise (IOCs)
BazarLoader DLL:
194.62.42.206 port 80 - simpsonsavingss.com - GET /bmdff/BhoHsCtZ/MLdmpfjaX/5uFG3Dz7y /date1?BNLv65=pAAS
SHA256 hash: eed363fc4af7a9070d69340592dcab7c78db4f90710357de29e3b624aa957cf8
File size: 284,816 bytes
File description: BazarLoader DLL
File name: date6.dll
BazarLoader C2 traffic:
167.172.37.9 port 443 - HTTPS traffic
94.158.245.52 port 443 - HTTPS traffic
Top comments (0)