Today’s diary is a forensic quiz for April 2021. This month’s quiz will also be a contest. The prize is a Raspberry Pi. Rules for the contest follow:
- Only one submission per person.
- The first person to submit the correct answers will win the Raspberry Pi.
- Submissions will be made using the form on our contact page at: https://isc.sans.edu/contact.html
- Use "April 2021 Forensic Quiz Submission" for the Subject: line.
- Provide the following information:
  - IP address of the infected Windows computer.
  - Host name of the infected Windows computer.
  - User account name on the infected Windows computer.
  - Date and time the infection activity began in UTC (the GMT or Zulu timezone).
  - The family or families of malware on the infected computer.
Material for this forensic quiz is located at this Github repository. This repository contains a zip archive containing a pcap of network traffic from the infected Windows host. The repository also contains another zip archive with malware and artifacts recovered from the infected Windows host. Be very careful with the malware and artifacts zip because it has actual malware from a recently-infected Windows computer. If you don’t know what you’re doing, do not download the malware and artifacts. I always recommend people do this quiz in a non-Windows environment, if possible.
Shown above: A meme about usernames and passwords on an infected Windows host.
Analysis of the infection traffic requires Wireshark or some other pcap analysis tool. Wireshark is my tool of choice to review pcaps of infection traffic. However, default settings for Wireshark are not optimized for web-based malware traffic. That’s why I encourage people to customize Wireshark after installing it. To help, I’ve written a series of tutorials. The ones most helpful for this quiz are:
- Wireshark Tutorial: Changing Your Column Display
- Wireshark Tutorial: Identifying Hosts and Users
- Wireshark Tutorial: Display Filter Expressions
- Using Wireshark – Exporting Objects from a Pcap
I always recommend participants use a non-Windows environment like BSD, Linux, or macOS. Why? Because most pcaps in these traffic analysis quizzes contain traffic with Windows-based malware. If you’re using a Windows host to review such pcaps, your antivirus (or Windows Defender) may delete or alter the pcap. Worst case? If you extract malware from a pcap and accidentally run it, you might infect your Windows computer.
Analysis of the malware and artifacts should also be done in a non-Windows environment, unless you are a skilled malware analyst. However, reviewing the malware and artifacts in a non-Windows environment like Linux shouldn’t pose any problems. Feel free to search for (or submit) malware from this quiz on sites like:
- Any.Run – https://app.any.run/
- Cape Sandbox – https://www.capesandbox.com/
- Hatching Triage – https://tria.ge/
- Hybrid Analysis – https://www.hybrid-analysis.com/
- Joe Sandbox – https://www.joesandbox.com/#windows
- Malware Bazaar – https://bazaar.abuse.ch/
- VirusTotal – https://www.virustotal.com/
Most of the above sites require some sort of account to log in and search for samples. Some of these sites provide free accounts that only require a valid email address. Alternatively, search Google or other search engines for the SHA256 hashes of malware samples from this quiz. You might get links from the above sites in your search results.
Active Directory (AD) Environment
The infected Windows host is part of an AD environment, so the pcap contains information about the Windows user account. The user account is formatted as firstname.lastname. The AD environment characteristics are:
- LAN segment range: 192.168.5.0/24 (192.168.5.0 through 192.168.5.255)
- Domain: cliffwater.net
- Domain Controller: 192.168.5.5 – Cliffwater-DC
- LAN segment gateway: 192.168.5.1
- LAN segment broadcast address: 192.168.5.255
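The IP address and host name asked for in the quiz typically come from the client's own DHCP traffic in the pcap (the "Identifying Hosts and Users" tutorial above covers the Wireshark filters). As an added illustration, not part of this diary or the quiz material, the following Python builds a constructed DHCP Request payload for a made-up client on the 192.168.5.0/24 segment and walks its options to recover the client MAC, requested IP and host name; the MAC, host name and address are placeholders, and the parser rejects truncated options rather than reading past the packet.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def build_dhcp_request(mac, hostname, requested_ip):
    """Constructed sample: a BOOTP/DHCP Request payload (236-byte fixed header, cookie, options)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, 0x2A2A2A2A, 0, 0,               # op, htype, hlen, hops, xid, secs, flags
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    opts = MAGIC_COOKIE
    opts += bytes([53, 1, 3])                                   # option 53: DHCP message type REQUEST
    opts += bytes([50, 4]) + IPv4Address(requested_ip).packed   # option 50: requested IP address
    opts += bytes([12, len(hostname)]) + hostname.encode()      # option 12: client host name
    opts += b"\xff"                                             # end of options
    return fixed + opts

def parse_dhcp(payload):
    """Return the host identifiers an analyst looks for: client MAC, message type, requested IP, host name."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    hlen = payload[2]                                           # hardware address length (6 for Ethernet)
    result = {"mac": payload[28:28 + hlen].hex(":"), "msg_type": None,
              "requested_ip": None, "hostname": None}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                      # end option
            break
        if code == 0:                        # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:             # option claims more bytes than the packet holds
            raise ValueError("truncated option %d" % code)
        if code == 53 and length == 1:
            result["msg_type"] = MSG_TYPES.get(value[0], "UNKNOWN")
        elif code == 50 and length == 4:
            result["requested_ip"] = str(IPv4Address(value))
        elif code == 12:
            result["hostname"] = value.decode("ascii", errors="replace")
        i += 2 + length
    return result
```

In a real pcap the same fields are reached with the Wireshark filter `dhcp.option.dhcp == 3` (DHCP Request), and the requested address should be confirmed against the client's later traffic on the LAN segment.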
Again, the zip archive with a pcap of the traffic for this exercise is available in this Github repository. The winner of today’s contest and analysis of the infection will be posted in an upcoming ISC diary two weeks from today on Wednesday April 14th.
I think the Raspberry Pi is an older model like a Raspberry Pi 2 or Raspberry Pi 3, but I will find out and update or add a comment to this diary.
brad [at] malware-traffic-analysis.net
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.