Network Analysis - Malware Compromise

Scenario

A SOC analyst at Umbrella Corporation is going through SIEM alerts and sees an alert for connections to a known malicious domain. The traffic is coming from the computer of Sara, an accountant who receives a large volume of emails from customers daily. Looking at the email gateway logs for Sara’s mailbox, there is nothing immediately suspicious; the emails come from customers. Sara is contacted by phone and states that a customer sent her an invoice containing a document with a macro; she opened the email and the program crashed. The SOC team retrieved a PCAP for further analysis.

Solution

  1. What’s the private IP of the infected host? (4 points)

    Packet #6 contains the information.

    Answer: 10.11.27.101

  2. What’s the malware binary that the macro document is trying to retrieve? (4 points)

    Packet #6 contains the information: /QIC/tewokl.php?l=spet10.spr

    Answer: spet10.spr

  3. From what domain are the HTTP requests with GET /images/ coming? (4 points)

    Packet #288 contains the information.

    Answer: cochrimato.com

  4. The SOC Team found Dridex, a follow-up malware from Ursnif infection, to be the culprit. The customer who sent her the macro file is compromised. What’s the full URL ending in .rar where Ursnif retrieves the follow-up malware from? (4 points)

    Packet #911 contains the information.

    Answer: http://95.181.198.231/oiioiashdqbwe.rar

  5. What are the IP addresses of the Dridex post-infection traffic beginning with 185.? (4 points)

    Filter: ip.host matches "185"

    Answer: 185.244.150.230
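As an added example that is not part of the original write-up, the script below reconstructs full URLs from a constructed set of reassembled HTTP request records that mirror the indicators found above, then answers questions 2 through 5 programmatically. It also shows why checking the destination against the 185.0.0.0/8 network is safer than a substring/regex filter such as ip.host matches "185", which would also match an internal 10.185.x.x address. The 203.0.113.x and 10.185.3.7 addresses, the *.invalid host names, and the / and /index.html paths are assumed placeholders, not values from the PCAP.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed records, one reassembled HTTP request per line:
#   <src ip> <dst ip> <request line> | <Host header>
# Paths and the 95.181.198.231 / 185.244.150.230 addresses are the lab's
# indicators; 203.0.113.x, 10.185.3.7 and the *.invalid hosts are placeholders.
SAMPLE = """
10.11.27.101 203.0.113.10 GET /QIC/tewokl.php?l=spet10.spr HTTP/1.1 | macro-stage.invalid
10.11.27.101 203.0.113.20 GET /images/ HTTP/1.1 | cochrimato.com
10.11.27.101 95.181.198.231 GET /oiioiashdqbwe.rar HTTP/1.1 | 95.181.198.231
10.11.27.101 185.244.150.230 GET / HTTP/1.1 | 185.244.150.230
10.11.27.101 10.185.3.7 GET /index.html HTTP/1.1 | intranet.invalid
"""

RECORD = re.compile(r"^(?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
                    r"HTTP/1\.[01] \| (?P<host>\S+)$")
HttpRequest = namedtuple("HttpRequest", "src dst method path host")

def parse_requests(text: str) -> list[HttpRequest]:
    reqs = []
    for line in text.strip().splitlines():
        m = RECORD.match(line.strip())
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        reqs.append(HttpRequest(**m.groupdict()))
    return reqs

def full_url(r: HttpRequest) -> str:
    # Same reconstruction Wireshark shows in http.request.full_uri.
    return f"http://{r.host}{r.path}"

def urls_with_suffix(reqs, suffix: str) -> list[str]:
    return [full_url(r) for r in reqs if r.path.endswith(suffix)]

def hosts_with_path_prefix(reqs, prefix: str) -> set[str]:
    return {r.host for r in reqs if r.path.startswith(prefix)}

def dst_in_network(reqs, cidr: str) -> list[str]:
    # Real address membership: 10.185.3.7 is not in 185.0.0.0/8.
    net = ipaddress.ip_network(cidr)
    return [r.dst for r in reqs if ipaddress.ip_address(r.dst) in net]

def dst_substring(reqs, needle: str) -> list[str]:
    # What a loose text filter such as ip.host matches "185" actually tests.
    return [r.dst for r in reqs if needle in r.dst]
```

Running dst_in_network(reqs, "185.0.0.0/8") returns only 185.244.150.230, while dst_substring(reqs, "185") also returns the placeholder internal host 10.185.3.7.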


Tags

  1. wireshark
  2. 20 points
  3. medium