WriteUp > LetsDefend : Infection with Cobalt Strike
Scenario: We got network traffic from a password stealer. You should do root cause analysis.
Difficulty: Medium
Q1. Investigate the PCAP file, what is one of the popular document signing services used by the attacker to deliver the malware?
We can find this by opening the PCAP in Wireshark and following the HTTP stream. One of the response packets has the answer.
Q2. Investigate the PCAP file, what is the full URL used by the attacker to create the malicious document?
In a similar fashion, we can find this in one of the request packets.
Q3. On the malicious website from the previous question, what kind of encoding technique is used by the attacker to create the malicious document?
One of the response packets for wellhead.php contains the actual payload delivered in response to the GET request; the atob function in that script decodes base64.
Q4. What is the name of the malicious document opened by the user?
At the end of the script there is a save-as function, which gives the file name.
Q5. What malware family this malicious file belongs to?
This information cannot be obtained from a packet capture alone; we need either a sample or a file hash to check for hits on threat intel sites. We have the base64 data that is used to create the file blob, so we can copy the entire string into CyberChef and convert it from base64. CyberChef also lets us save the result as a file. Alternatively, we can use the NetworkMiner tool, which carves the files out of the PCAP for us.
Now we upload this file to the scanning engines to get further information.
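The Q3 to Q5 steps (spotting the base64 handed to atob, the save-as call that names the document, and hashing the decoded file for a threat intel lookup) can be scripted instead of done by hand in CyberChef. The following is an added example, not part of the original writeup or the challenge; the HTML page, the file name invoice.doc and the payload bytes are constructed placeholders, and the save-as idioms it looks for (msSaveOrOpenBlob, saveAs, anchor.download) are assumptions about common HTML-smuggling pages rather than what the challenge PCAP contains.

```python
import base64
import hashlib
import re

# Constructed sample of the response page described in Q3/Q4: a base64 string
# handed to atob(), wrapped in a Blob and saved as a document. The payload
# bytes are a placeholder, not the challenge's real document.
SAMPLE_HTML = """<html><body><script>
var bytes = atob("bm90LWEtcmVhbC1kb2N1bWVudA==");
var arr = new Uint8Array(bytes.length);
for (var i = 0; i < bytes.length; i++) { arr[i] = bytes.charCodeAt(i); }
var blob = new Blob([arr], {type: "application/octet-stream"});
if (window.navigator.msSaveOrOpenBlob) {
  window.navigator.msSaveOrOpenBlob(blob, "invoice.doc");
} else {
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "invoice.doc";
  a.click();
}
</script></body></html>"""

# Base64 literal passed straight to atob(); single or double quotes.
ATOB_RE = re.compile(r"""atob\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")
# Filename from the usual save-as idioms (assumed, not from the challenge):
# msSaveOrOpenBlob(blob, "name"), saveAs(blob, "name") or anchor.download = "name".
NAME_RE = re.compile(r"""(?:msSaveOrOpenBlob|saveAs)\([^,]+,\s*(['"])([^'"]+)\1"""
                     r"""|\.download\s*=\s*(['"])([^'"]+)\3""")


def extract_smuggled_file(html: str) -> dict:
    """Decode the smuggled payload and return its bytes, size, SHA-256
    (for a VirusTotal lookup) and the save-as filename."""
    m = ATOB_RE.search(html)
    if m is None:
        raise ValueError("no base64 literal passed to atob() found")
    b64 = re.sub(r"\s+", "", m.group(2))  # long literals may be line-wrapped
    payload = base64.b64decode(b64, validate=True)
    n = NAME_RE.search(html)
    filename = (n.group(2) or n.group(4)) if n else None
    return {"filename": filename, "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(), "payload": payload}


if __name__ == "__main__":
    info = extract_smuggled_file(SAMPLE_HTML)
    print(f"{info['filename']}  {info['size']} bytes  sha256={info['sha256']}")
```

Feed it the raw body of the wellhead.php response exported from Wireshark; the printed SHA-256 is what you search for on VirusTotal.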
Q6. After the user interacts with the malicious file, it runs malicious DLL on the system. What is the DLL run command?
In VirusTotal itself we can find the process creations.
Q7. What is the C2 URL?
Going back to Wireshark and further analysing the transferred packets, we can see multiple POST requests to forum.php.
Q8. What is the URL that serves the payload?
We see another executable dropped via a GET request.
Q10. What is the name of the malware this payload links back to?
Again, this information requires the hash or the sample itself; using NetworkMiner once more, we can find the hash of this executable.
Challenge link: https://app.letsdefend.io/challenge/infection-cobalt-strike