April 2021 Forensic Quiz
2021-04-01 21:41 UTC - UPDATE: The domain for the AD environment used in this quiz has been changed to clockwater.net. We will still accept the original domain listed in the answers from any of the submissions. We already have 10 submission as I write this. Thanks to everyone who has participated or will still take part in this quiz!
Introduction
Today's diary is a forensic quiz for April 2021. This month's quiz will also be a contest. The prize is a Raspberry Pi. Rules for the contest follow:
- Only one submission per person.
- The first person to submit the correct answers will win the Raspberry Pi.
- Submissions will be made using the form on our contact page at: https://isc.sans.edu/contact.html
- Use
April 2021 Forensic Quiz Submission
for the Subject: line. - Provide the following information:
- IP address of the infected Windows computer.
- Host name of the infected Windows computer.
- User account name on the infected Windows computer.
- Date and time the infection activity began in UTC (the GMT or Zulu timezone).
- The family or families of malware on the infected computer.
Material for this forensic quiz is located here. The referenced page contains links to a zip archive containing a pcap of network traffic from the infected Windows host. The page also contains another zip archive with malware and artifacts recovered from the infected Windows host. Be very careful with the malware and artifacts zip because it has actual malware from a recently-infected Windows computer. If you don't know what you're doing, do not download the malware and artifacts. I always recommend people do this quiz in a non-Windows environment, if possible.
Shown above: A meme about usernames and passwords on an infected Windows host.
Requirements
Analysis of the infection traffic requires Wireshark or some other pcap analysis tool. Wireshark is my tool of choice to review pcaps of infection traffic. However, default settings for Wireshark are not optimized for web-based malware traffic. That's why I encourage people to customize Wireshark after installing it. To help, I've written a series of tutorials. The ones most helpful for this quiz are:
- Wireshark Tutorial: Changing Your Column Display
- Wireshark Tutorial: Identifying Hosts and Users
- Wireshark Tutorial: Display Filter Expressions
- Using Wireshark - Exporting Objects from a Pcap
I always recommend participants use a non-Windows environment like BSD, Linux, or macOS. Why? Because most pcaps in these traffic analysis quizzes contain traffic with Windows-based malware. If you're using a Windows host to review such pcaps, your antivirus (or Windows Defender) may delete or alter the pcap. Worst case? If you extract malware from a pcap and accidentally run it, you might infect your Windows computer.
Analysis of the malware and artifacts should also be done in a non-Windows environment, unless you are a skilled malware analyst. However, reviewing the malware and artifacts in a non-Windows environment like Linux shouldn't pose any problems. Feel free to search for (or submit) malware from this quiz on sites like:
- Any.Run - https://app.any.run/
- Cape Sandbox - https://www.capesandbox.com/
- Hatching Triage - https://tria.ge/
- Hybrid Analysis - https://www.hybrid-analysis.com/
- Joe Sandbox - https://www.joesandbox.com/#windows
- Malware Bazaar - https://bazaar.abuse.ch/
- VirusTotal - https://www.virustotal.com/
Most of the above sites require some sort of account to log in and search for samples. Some of these sites provide free accounts that only require a valid email address. Alternatively, search Google or other search engines for the SHA256 hashes of malware samples from this quiz. You might get links from the above sites in your search results.
Active Directory (AD) Environment
The infected Windows host is part of an AD environment, so the pcap contains information about the Windows user account. The user account is formatted as firstname.lastname. The AD environment characteristics are:
- LAN segment range: 192.168.5.0/24 (192.168.5.0 through 192.168.5.255)
- Domain: clockwater.net
- Domain Controller: 192.168.5.5 - Clockwater-DC
- LAN segment gateway: 192.168.5.1
- LAN segment broadcast address: 192.168.5.255
Final Words
Again, the zip archive with a pcap of the traffic for this exercise is available here. The winner of today's contest and analysis of the infection will be posted in an upcoming ISC diary two weeks from today on Wednesday April 14th.
I think the Raspberry Pi is an older model like a Raspberry Pi 2 or Raspberry Pi 3, but I will find out and update or add a comment to this diary.
---
Brad Duncan
brad [at] malware-traffic-analysis.net
Comments