Forensic - HawkEye
Scenario
An accountant at your organization received an email regarding an invoice with a download link. Suspicious network traffic was observed shortly after opening the email. As a SOC analyst, investigate the network trace and analyze exfiltration attempts.
Q1 - How many packets does the capture have?
4003 (Statistics > Capture File Properties lists the packet count, first/last packet time and elapsed time)
Q2 - At what time was the first packet captured?
Apr 10, 2019 22:37:07 CEST, i.e. 2019-04-10 20:37:07 UTC (Wireshark shows the analyst machine's local time; CEST is UTC+2, so convert before answering)
Q3 - What is the duration of the capture?
20:37:07 UTC to 21:40:48 UTC -> 01:03:41
Q4 - What is the most active computer at the link level?
Q5 - Manufacturer of the NIC of the most active system at the link level?
Hewlett-Packard (resolved from the OUI, the first three bytes of the MAC address; Statistics > Endpoints > Ethernet shows it next to the frame counts)
Q6 - Where is the headquarter of the company that manufactured the NIC of the most active computer at the link level?
Palo Alto
Q7 - The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?
10.4.10.255 is the broadcast address of 10.4.10.0/24, not a computer, so it must not be counted; count the remaining distinct 10.4.10.x hosts
Q8 - What is the name of the most active computer at the network level?
Filter ip.addr==10.4.10.132, then Follow TCP Stream
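The host counting in Q7 and the "most active" question in Q8 are easy to get wrong by hand (the broadcast address sneaks into the count, and eyeballing conversations misses the tail). As an added example, not part of the original writeup, the script below takes `tshark -T fields -e ip.src -e ip.dst` style output, excludes the network and broadcast addresses of the organization's /24, and ranks endpoints by how often they appear. The sample lines are constructed to illustrate the shape of the data and are not the traffic from the challenge capture.

```python
import ipaddress
from collections import Counter

ORG_NET = ipaddress.ip_network("10.4.10.0/24")

# Constructed sample in the shape of:
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst
# (one "src<TAB>dst" pair per IP packet). Not the challenge's real traffic.
SAMPLE_TSHARK_LINES = """\
10.4.10.132\t10.4.10.4
10.4.10.4\t10.4.10.132
10.4.10.132\t217.182.138.150
217.182.138.150\t10.4.10.132
10.4.10.1\t10.4.10.255
10.4.10.132\t23.229.162.69
10.4.10.4\t10.4.10.255
"""


def endpoint_counts(tshark_lines):
    """Count how often each IP appears as source or destination."""
    counts = Counter()
    for line in tshark_lines.splitlines():
        fields = line.split("\t")
        if len(fields) != 2 or not all(fields):
            continue  # non-IP frames (ARP, etc.) export empty fields
        counts.update(fields)
    return counts


def is_org_host(addr, net=ORG_NET):
    """True for a usable host address inside the organization's /24.
    The network address and the broadcast address (10.4.10.255 here)
    belong to the subnet but never identify a computer."""
    ip = ipaddress.ip_address(addr)
    return ip in net and ip not in (net.network_address, net.broadcast_address)


def org_computers(tshark_lines, net=ORG_NET):
    """Distinct organization computers seen in the capture, numerically sorted."""
    return sorted((a for a in endpoint_counts(tshark_lines) if is_org_host(a, net)),
                  key=ipaddress.ip_address)


def external_endpoints(tshark_lines, net=ORG_NET):
    """Addresses outside the organization's range: the whois candidates."""
    return sorted((a for a in endpoint_counts(tshark_lines)
                   if ipaddress.ip_address(a) not in net),
                  key=ipaddress.ip_address)


def most_active_ip(tshark_lines):
    """The address taking part in the most IP packets (network-level activity)."""
    return endpoint_counts(tshark_lines).most_common(1)[0][0]


if __name__ == "__main__":
    print("organization computers:", org_computers(SAMPLE_TSHARK_LINES))
    print("external endpoints:", external_endpoints(SAMPLE_TSHARK_LINES))
    print("most active:", most_active_ip(SAMPLE_TSHARK_LINES))
```

Counting frames per MAC for the link-level question works the same way with `-e eth.src -e eth.dst` in place of the IP fields.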
Q9 - What is the IP of the organization's DNS server?
Filter ip.addr==10.4.10.4 && dns: 10.4.10.4 is the host answering the victim's DNS queries, and it sits inside the organization's private range, so it is the internal DNS server
Q10 - What domain is the victim asking about in packet 204?
Q11 - What is the IP of the domain in the previous question?
Q12 - Indicate the country to which the IP in the previous section belongs.
whois 217.182.138.150
address: France
Q13 - What operating system does the victim's computer run?
Filter ip.addr==10.4.10.132, then Follow TCP Stream on an HTTP request and read the User-Agent header
Windows NT 6.1 (the User-Agent token for Windows 7 / Server 2008 R2)
Q14 - What is the name of the malicious file downloaded by the accountant?
tkraw_Protected99.exe
Q15 - What is the md5 hash of the downloaded file?
71826ba081e303866ce2a2534491a2f7 tkraw_Protected99.exe
Q16 - What is the name of the malware according to Malwarebytes?
Look up the md5 on VirusTotal; the Malwarebytes engine's detection label is the answer
Q17 - What software runs the webserver that hosts the malware ?
Q18 - What is the public IP of the victim's computer?
Add a custom column for the HTTP Host header: Edit > Preferences > Appearance > Columns, click (+), set the type to Custom and the field to http.host. The request whose response reports the client's own public address then stands out.
Follow HTTP Stream on that request and read the address from the response body
Q19 - In which country is the email server to which the stolen information is sent?
whois 23.229.162.69
Country: US
Q20 - What is the domain's creation date to which the information is exfiltrated?
Filter ip.addr == 10.4.10.132 && smtp.req, then Follow TCP Stream to read the recipient domain
whois macwinlogistics.in
Creation Date: 2014-02-08T10:31:26Z
Q21 - Analyzing the first extraction of information. What software runs the email server to which the stolen data is sent?
Exim 4.91 (announced in the server's 220 greeting banner)
Q22 - To which email account is the stolen information sent?
Q23 - What is the password used by the malware to send the email?
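Q22 and Q23 come out of the same SMTP stream: the recipient is in the MAIL FROM/RCPT TO commands, and the credentials sit in the AUTH exchange, which is only base64-encoded, not encrypted, when the malware talks plain SMTP. As an added example, not part of the original writeup, the parser below pulls the username and password out of a Follow TCP Stream transcript for AUTH LOGIN (challenge/response and the inline `AUTH LOGIN <user>` form) and AUTH PLAIN. Both transcripts and all credentials are constructed for illustration; they are not the values from the challenge capture.

```python
import base64
import re

# Constructed "Follow TCP Stream" transcripts. Server and client lines are
# interleaved exactly as Wireshark shows them; credentials are invented.
SAMPLE_AUTH_LOGIN = """\
220 mail.example.invalid ESMTP Exim 4.91
EHLO victim-pc
250-mail.example.invalid Hello victim-pc
250 AUTH PLAIN LOGIN
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlckBleGFtcGxlLnRlc3Q=
334 UGFzc3dvcmQ6
UGFzc3cwcmQh
235 Authentication succeeded
MAIL FROM:<user@example.test>
"""

SAMPLE_AUTH_PLAIN = """\
220 mail.example.invalid ESMTP
EHLO victim-pc
250 AUTH PLAIN LOGIN
AUTH PLAIN AGJvYgBwdzE=
235 Authentication succeeded
"""

# SMTP replies start with a three-digit code followed by a space or a dash;
# base64 never contains either, so this separates server lines from client data.
_SERVER_LINE = re.compile(r"^\d{3}[ -]")


def _b64_text(blob):
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def _client_lines_after(lines, start, count):
    """Collect the next `count` client lines after index `start`, skipping replies."""
    out = []
    for line in lines[start + 1:]:
        if len(out) == count:
            break
        if not _SERVER_LINE.match(line):
            out.append(line)
    return out


def extract_smtp_credentials(transcript):
    """Recover the SMTP AUTH username and password from a plaintext session.
    Handles AUTH LOGIN (challenge/response), AUTH LOGIN <user> and AUTH PLAIN.
    Returns a dict, or None when the session never authenticates."""
    lines = [l.strip() for l in transcript.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0].upper() != "AUTH":
            continue
        mech = parts[1].upper()
        if mech == "PLAIN":
            # Payload is [authzid] \0 authcid \0 password, inline or on the next client line.
            blob = parts[2] if len(parts) == 3 else _client_lines_after(lines, i, 1)[0]
            fields = base64.b64decode(blob).split(b"\0")
            if len(fields) < 2:
                return None
            return {"mechanism": "PLAIN",
                    "username": fields[-2].decode("utf-8", errors="replace"),
                    "password": fields[-1].decode("utf-8", errors="replace")}
        if mech == "LOGIN":
            # Username may be sent inline; otherwise both values answer 334 challenges.
            blobs = [parts[2]] if len(parts) == 3 else []
            blobs += _client_lines_after(lines, i, 2 - len(blobs))
            if len(blobs) < 2:
                return None  # truncated stream
            return {"mechanism": "LOGIN",
                    "username": _b64_text(blobs[0]),
                    "password": _b64_text(blobs[1])}
    return None


if __name__ == "__main__":
    print(extract_smtp_credentials(SAMPLE_AUTH_LOGIN))
    print(extract_smtp_credentials(SAMPLE_AUTH_PLAIN))
```

Wireshark's Follow TCP Stream already shows the 334 challenges as base64 ("VXNlcm5hbWU6" is "Username:", "UGFzc3dvcmQ6" is "Password:"); the parser simply automates decoding the client's answers, which is the step people tend to do by copy-pasting into a decoder one value at a time.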
Q24 - Which malware variant exfiltrated the data?
Q25 - What are the bankofamerica access credentials? (username:password)
Q26 - Every how many minutes does the collected data get exfiltrated?
10 min (difference between the timestamps of consecutive SMTP sessions from the victim)
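The duration arithmetic in Q3 and the exfiltration interval in Q26 are both timestamp differences, and for Q26 a single delayed session can throw off a by-hand estimate. As an added example, not part of the original writeup, the code below computes the capture duration in the page's HH:MM:SS form and derives the beacon period from the gaps between SMTP session starts, using the median so one outlier does not skew it. Session start times could be collected by filtering `smtp.req.command == "EHLO"` in Wireshark and reading the frame times; the ones below are constructed for illustration and are not the timestamps from the challenge capture.

```python
from datetime import datetime
from statistics import median

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed UTC start times of successive SMTP sessions from the victim
# (first command of each connection). Illustrative only; not the challenge's data.
SAMPLE_SESSION_STARTS = [
    "2019-04-10 20:40:00", "2019-04-10 20:50:01", "2019-04-10 21:00:00",
    "2019-04-10 21:09:59", "2019-04-10 21:20:00", "2019-04-10 21:30:01",
    "2019-04-10 21:40:00",
]


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def duration_hms(first, last):
    """Capture duration as HH:MM:SS from first/last packet timestamps (same zone)."""
    total = int((parse_ts(last) - parse_ts(first)).total_seconds())
    h, rem = divmod(total, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}"


def session_gaps_seconds(starts):
    """Seconds between consecutive sessions; sorted first so export order is irrelevant."""
    times = sorted(parse_ts(s) for s in starts)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def exfil_period_minutes(starts):
    """Beacon interval in whole minutes. The median gap is used so that one
    missed or delayed session does not distort the result the way a mean would."""
    return round(median(session_gaps_seconds(starts)) / 60)


def is_periodic(starts, tolerance_s=5):
    """True when every gap lies within tolerance_s of the median gap,
    i.e. the sessions look like a timer-driven exfiltration rather than user activity."""
    gaps = session_gaps_seconds(starts)
    med = median(gaps)
    return all(abs(g - med) <= tolerance_s for g in gaps)


if __name__ == "__main__":
    print("capture duration:", duration_hms("2019-04-10 20:37:07", "2019-04-10 21:40:48"))
    print("exfil period (min):", exfil_period_minutes(SAMPLE_SESSION_STARTS))
    print("periodic:", is_periodic(SAMPLE_SESSION_STARTS))
```

When the gaps are not regular, `is_periodic` returns False and the "every N minutes" framing of the question does not apply; in that case look at what triggers each session instead of averaging the gaps.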