[CD] HawkEye

Scenario

An accountant at your organization received an email regarding an invoice with a download link. Suspicious network traffic was observed shortly after opening the email. As a SOC analyst, investigate the network trace and analyze exfiltration attempts.


Questions

Q: How many packets does the capture have?
A: 4003

Q: At what time was the first packet captured?
A: 2019-04-10 20:37:07 UTC

Q: What is the duration of the capture?
A: 01:03:41

Q: What is the most active computer at the link level?
A: 00:08:02:1c:47:ae

Q: Manufacturer of the NIC of the most active system at the link level?
A: Hewlett-Packard

Q: Where is the headquarters of the company that manufactured the NIC of the most active computer at the link level?
A: Palo Alto

Q: The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?
A: 3

Q: What is the name of the most active computer at the network level?
A: BEIJING-5CD1-PC

Q: What is the IP of the organization’s DNS server?
A: 10.4.10.4

Q: What domain is the victim asking about in packet 204?
A: proforma-invoices.com

Q: What is the IP of the domain in the previous question?
A: 217.182.138.150

Q: Indicate the country to which the IP in the previous section belongs.
A: France

Q: What operating system does the victim’s computer run?
A: Windows NT 6.1

Q: What is the name of the malicious file downloaded by the accountant?
A: tkraw_Protected99.exe

Q: What is the md5 hash of the downloaded file?
A: 71826ba081e303866ce2a2534491a2f7

Q: What software runs the webserver that hosts the malware?
A: LiteSpeed

Q: What is the public IP of the victim’s computer?
A: 173.66.146.112

Q: In which country is the email server to which the stolen information is sent?
A: United States

Q: Analyzing the first exfiltration of information: what software runs the email server to which the stolen data is sent?
A: Exim 4.91

Q: To which email account is the stolen information sent?
A: sales.del@macwinlogistics.in

Q: What is the password used by the malware to send the email?
A: Sales@23

Q: Which malware variant exfiltrated the data?
A: Reborn v9

Q: What are the bankofamerica access credentials? (username:password)
A: roman.mcguire:P@ssw0rd$

Q: How often, in minutes, is the collected data exfiltrated?
A: 10

This post is licensed under CC BY 4.0 by the author.