[SANS ISC] June 2021 Forensic Contest, (Wed, Jun 16th)

Introduction

This is a last-minute forensic quiz for June 2021 based on a packet capture (pcap) with Windows-based infection traffic.  Like the previous two months, this month’s prize is a Raspberry Pi.  Rules for the contest follow:

Only one submission per person.
Participants who submit the correct answers will be entered into a drawing, and one will win the Raspberry Pi.
Submissions should be made using the form on our contact page at: https://isc.sans.edu/contact.html
Use June 2021 Forensic Quiz for the Subject: line.
Provide the following information:

IP addresses of the infected Windows computers.
Host names of the infected Windows computers.
User account names from the infected Windows computers.
Date and time the infection activity began in UTC (the GMT or Zulu timezone) for each infected computer
The family of malware involved for each infection.

We will accept submissions through Monday June 28th, 2021.  Everyone who submits the correct answers will be entered in a drawing, and the winner will be randomly chosen on Tuesday June 29th.  The winner will be announced in an ISC diary on Wednesday June 30th that will also provide analysis of the infection traffic.

Material for our June 2021 forensic contest is located at this Github repository.  The repository contains a zip archive with a pcap of network traffic from  infected Windows hosts.  I always recommend people review pcaps of malware in a non-Windows environment, if possible.


Shown above:  Pcap for this month’s contest opened in Wireshark.

NOTE: The pcap has more than one infected computer on the network, and the infections are independent of each other, meaning each infection was not caused by any of the others.  This month’s quiz should be much more difficult than last month’s contest in May 2021.

The pcap is approximately 45.2 MB, so Wireshark might be sluggish when viewing it.  I suggest participants filter on the MAC addresse for each infected Windows host, then use File –> Export Specified Packets to save network traffic for each host to a different pcap. 

Requirements

Analysis of the infection traffic requires Wireshark or some other pcap analysis tool.  Wireshark is my tool of choice to review pcaps of infection traffic.  However, default settings for Wireshark are not optimized for web-based malware traffic.  That’s why I encourage people to customize Wireshark after installing it.  To help, I’ve written a series of tutorials.  The ones most helpful for this quiz are:

Wireshark Tutorial: Changing Your Column Display
Wireshark Tutorial: Identifying Hosts and Users
Wireshark Tutorial: Display Filter Expressions
Using Wireshark – Exporting Objects from a Pcap

I always recommend participants review these pcaps in a non-Windows environment like BSD, Linux, or macOS.  Why?  Because this pcap contains traffic with Windows-based malware.  If you’re using a Windows host to review such pcaps, your antivirus (or Windows Defender) may delete or alter the pcap.  Worst case?  If you extract malware from a pcap and accidentally run it, you might infect your Windows computer.

Active Directory (AD) Environment

The infected Windows host is part of an AD environment, so the pcap contains information about the Windows user account. The user account is formatted as firstname.lastname.  The AD environment characteristics are:

LAN segment range: 10.6.15.0/24 (10.6.15.0 through 10.6.15.255)
Domain: saltmobsters.com
Domain Controller: 10.6.15.5 – Saltmobsters-DC
LAN segment gateway: 10.6.15.1
LAN segment broadcast address: 10.6.15.255

Final Words

Again, a zip archive with a pcap for this month’s contest is available in this Github repository.  As stated earlier, we will accpet submissions through Monday June 28th, 2021.  Everyone who submits the correct answers will be entered in a drawing, and the winner will be randomly chosen on Tuesday June 29th.  The winner will be announced in an ISC diary on Wednesday June 30th that will also provide analysis of the infection traffic.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[BleepingComputer] Microsoft’s Halo dev site breached using dependency hijacking

Microsoft has once again been successfully hit by a dependency hijacking attack. This month, another researcher found an npm internal dependency being used by an open-source project. After publishing a public dependency by the same name, he began receiving messages from Microsoft’s Halo game dev servers. […] Source: Read More (BleepingComputer)

Read More

[SecurityWeek] Security Researchers Dive Into DarkSide Ransomware

All posts, Security Week

Following the ransomware attack that impacted the pipeline operated by Georgia-based Colonial Pipeline, security firms are providing detailed information on the cybercriminal gang behind the attack. read more Source: Read More (SecurityWeek RSS Feed)

Read More

[SecurityWeek] VMware Patches Vulnerabilities in ESXi, ThinApp

All posts, Security Week

VMware on Tuesday announced the availability of patches for vulnerabilities impacting its ESXi hypervisor, Cloud Foundation hybrid cloud platform, and ThinApp application virtualization tool. read more Source: Read More (SecurityWeek RSS Feed)

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.