[SANS ISC] June 2021 Forensic Contest, (Wed, Jun 16th)

Introduction

This is a last-minute forensic quiz for June 2021 based on a packet capture (pcap) with Windows-based infection traffic.  Like the previous two months, this month’s prize is a Raspberry Pi.  Rules for the contest follow:

Only one submission per person.
Participants who submit the correct answers will be entered into a drawing, and one will win the Raspberry Pi.
Submissions should be made using the form on our contact page at: https://isc.sans.edu/contact.html
Use June 2021 Forensic Quiz for the Subject: line.
Provide the following information:

IP addresses of the infected Windows computers.
Host names of the infected Windows computers.
User account names from the infected Windows computers.
Date and time the infection activity began in UTC (the GMT or Zulu timezone) for each infected computer
The family of malware involved for each infection.

We will accept submissions through Monday June 28th, 2021.  Everyone who submits the correct answers will be entered in a drawing, and the winner will be randomly chosen on Tuesday June 29th.  The winner will be announced in an ISC diary on Wednesday June 30th that will also provide analysis of the infection traffic.

Material for our June 2021 forensic contest is located at this Github repository.  The repository contains a zip archive with a pcap of network traffic from  infected Windows hosts.  I always recommend people review pcaps of malware in a non-Windows environment, if possible.


Shown above:  Pcap for this month’s contest opened in Wireshark.

NOTE: The pcap has more than one infected computer on the network, and the infections are independent of each other, meaning each infection was not caused by any of the others.  This month’s quiz should be much more difficult than last month’s contest in May 2021.

The pcap is approximately 45.2 MB, so Wireshark might be sluggish when viewing it.  I suggest participants filter on the MAC addresse for each infected Windows host, then use File –> Export Specified Packets to save network traffic for each host to a different pcap. 

Requirements

Analysis of the infection traffic requires Wireshark or some other pcap analysis tool.  Wireshark is my tool of choice to review pcaps of infection traffic.  However, default settings for Wireshark are not optimized for web-based malware traffic.  That’s why I encourage people to customize Wireshark after installing it.  To help, I’ve written a series of tutorials.  The ones most helpful for this quiz are:

Wireshark Tutorial: Changing Your Column Display
Wireshark Tutorial: Identifying Hosts and Users
Wireshark Tutorial: Display Filter Expressions
Using Wireshark – Exporting Objects from a Pcap

I always recommend participants review these pcaps in a non-Windows environment like BSD, Linux, or macOS.  Why?  Because this pcap contains traffic with Windows-based malware.  If you’re using a Windows host to review such pcaps, your antivirus (or Windows Defender) may delete or alter the pcap.  Worst case?  If you extract malware from a pcap and accidentally run it, you might infect your Windows computer.

Active Directory (AD) Environment

The infected Windows host is part of an AD environment, so the pcap contains information about the Windows user account. The user account is formatted as firstname.lastname.  The AD environment characteristics are:

LAN segment range: 10.6.15.0/24 (10.6.15.0 through 10.6.15.255)
Domain: saltmobsters.com
Domain Controller: 10.6.15.5 – Saltmobsters-DC
LAN segment gateway: 10.6.15.1
LAN segment broadcast address: 10.6.15.255

Final Words

Again, a zip archive with a pcap for this month’s contest is available in this Github repository.  As stated earlier, we will accpet submissions through Monday June 28th, 2021.  Everyone who submits the correct answers will be entered in a drawing, and the winner will be randomly chosen on Tuesday June 29th.  The winner will be announced in an ISC diary on Wednesday June 30th that will also provide analysis of the infection traffic.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[HackerNews] NK Hackers Deploy Browser Exploits on South Korean Sites to Spread Malware

All posts, HackerNews

A North Korean threat actor has been discovered taking advantage of two exploits in Internet Explorer to infect victims with a custom implant as part of a strategic web compromise (SWC) targeting a South Korean online newspaper. Cybersecurity firm Volexity attributed the attacks to a threat actor it tracks as InkySquid, and more widely known by the […]

Read More

[ZDNet] Kaspersky Password Manager caught out making easily bruteforced passwords

All posts, ZDNet

If you are using Kaspersky Password Manager, you might want to regenerate any password created before October 2019. Source: Read More (Latest topics for ZDNet in Security)

Read More

[ThreatPost] Microsoft Releases Emergency Patch for PrintNightmare Bugs

All posts, ThreatPost

The fix doesn’t cover the entire problem nor all affected systems however, so the company also is offering workarounds and plans to release further remedies at a later date. Source: Read More (Threatpost)

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.