Introduction

This is a last-minute forensic quiz for June 2021 based on a packet capture (pcap) with Windows-based infection traffic.  Like the previous two months, this month's prize is a Raspberry Pi.  Rules for the contest follow:

• Only one submission per person.
• Participants who submit the correct answers will be entered into a drawing, and one will win the Raspberry Pi.
• Submissions should be made using the form on our contact page at: https://isc.sans.edu/contact.html
• Use June 2021 Forensic Quiz for the Subject: line.
• Provide the following information:
  • IP addresses of the infected Windows computers.
  • Host names of the infected Windows computers.
  • User account names from the infected Windows computers.
  • Date and time the infection activity began in UTC (the GMT or Zulu timezone) for each infected computer
  • The family of malware involved for each infection.

We will accept submissions through Monday June 28th, 2021.  Everyone who submits the correct answers will be entered in a drawing, and the winner will be randomly chosen on Tuesday June 29th.  The winner will be announced in an ISC diary on Wednesday June 30th that will also provide analysis of the infection traffic.

Material for our June 2021 forensic contest is located here.  The page links to a zip archive with a pcap of network traffic from  infected Windows hosts.  I always recommend people review pcaps of malware in a non-Windows environment, if possible.

Shown above:  Pcap for this month's contest opened in Wireshark.

NOTE: The pcap has more than one infected computer on the network, and the infections are independent of each other, meaning each infection was not caused by any of the others.  This month's quiz should be much more difficult than last month's contest in May 2021.

The pcap is approximately 45.2 MB, so Wireshark might be sluggish when viewing it.  I suggest participants filter on the MAC addresse for each infected Windows host, then use File --> Export Specified Packets to save network traffic for each host to a different pcap. 

Requirements

Analysis of the infection traffic requires Wireshark or some other pcap analysis tool.  Wireshark is my tool of choice to review pcaps of infection traffic.  However, default settings for Wireshark are not optimized for web-based malware traffic.  That's why I encourage people to customize Wireshark after installing it.  To help, I've written a series of tutorials.  The ones most helpful for this quiz are:

• Wireshark Tutorial: Changing Your Column Display
• Wireshark Tutorial: Identifying Hosts and Users
• Wireshark Tutorial: Display Filter Expressions
• Using Wireshark - Exporting Objects from a Pcap

I always recommend participants review these pcaps in a non-Windows environment like BSD, Linux, or macOS.  Why?  Because this pcap contains traffic with Windows-based malware.  If you're using a Windows host to review such pcaps, your antivirus (or Windows Defender) may delete or alter the pcap.  Worst case?  If you extract malware from a pcap and accidentally run it, you might infect your Windows computer.

Active Directory (AD) Environment

The infected Windows host is part of an AD environment, so the pcap contains information about the Windows user account. The user account is formatted as firstname.lastname.  The AD environment characteristics are:

• LAN segment range: 10.6.15.0/24 (10.6.15.0 through 10.6.15.255)
• Domain: saltmobsters.com
• Domain Controller: 10.6.15.5 - Saltmobsters-DC
• LAN segment gateway: 10.6.15.1
• LAN segment broadcast address: 10.6.15.255

Final Words

Again, a zip archive with a pcap for this month's contest is available here.  As stated earlier, we will accpet submissions through Monday June 28th, 2021.  Everyone who submits the correct answers will be entered in a drawing, and the winner will be randomly chosen on Tuesday June 29th.  The winner will be announced in an ISC diary on Wednesday June 30th that will also provide analysis of the infection traffic.

---

Brad Duncan
brad [at] malware-traffic-analysis.net