Last Updated: 2021-11-04 00:33:28 UTC
by Brad Duncan (Version: 1)
Thanks to everyone who participated in our October 2021 forensic challenge originally posted on Friday, 2021-10-22. We received 27 submissions through our contact page, and everyone answered correctly. Unfortunately, we could only pick one winner. In this case, our winner was chosen through a random process among the 27 people. Join us in congratulating this month's winner, Ameer Mane! We will contact Ameer, so we can send him a Raspberry Pi 4 kit.
You can still find the material for our October 2021 forensic contest here.
The task was to match each email to the infected Windows host and user. The answers are:
- 2021-10-21-malicious-email-1102-UTC.eml - DESKTOP-NZ875R4 - marcus.cobb
- 2021-10-21-malicious-email-1739-UTC.eml - DESKTOP-CFA3367 - agnes.warren
- 2021-10-21-malicious-email-2214-UTC.eml - DESKTOP-87WCE26 - kevin.henderson
As stated in our diary for the October challenge, the three infected Windows hosts are part of an Active Directory (AD) environment, and its characteristics are:
- LAN segment range: 10.10.22.0/24 (10.10.22.0 through 10.10.22.255)
- Domain: enemywatch.net
- Domain Controller: 10.10.22.22 - ENEMYWATCH-DC
- LAN segment gateway: 10.10.22.1
- LAN segment broadcast address: 10.10.22.255
The first infection started at 14:34:56 UTC, and it happened to the Windows client at 10.10.22.157. This host generated DNS queries for kamuchehddhgfgf.ddns.net that resolved to 220.127.116.11. These DNS queries were followed by TCP traffic to 18.104.22.168 over TCP port 1187.
You can find the malicious traffic by using the following Wireshark filter: dns.qry.name contains ddns.net or (ip.addr eq 22.214.171.124 and tcp.flags eq 0x0002)
Filtering on Kerberos traffic for 10.10.22.157 reveals hostname DESKTOP-NZ875R4 with Windows user account marcus.cobb.
The email addressed to email@example.com is 2021-10-21-malicious-email-1102-UTC.eml, which contains a malicious attachment named Order.7z.
Sandbox analysis of Order.7z indicates it is NanoCore RAT. See the links below for details.
The second infection started at 14:36:35 UTC, and it happened to 10.10.22.158. This host generated traffic to sobolpand.top, which is associated with the "Stolen Images campaign" described in this diary from 2021-10-21. It's more accurately referred to as a "Contact Forms campaign" which normally pushes BazarLoader malware.
In this case, the Windows host retrieved a DLL from sobolpand.top, and we can extract that DLL from the pcap.
The extracted DLL is identified as BazarLoader by this sandbox analysis.
Filtering on Kerberos traffic for 10.10.22.158 reveals hostname DESKTOP-87WCE26 with Windows user account kevin.henderson.
The email addressed to firstname.lastname@example.org is 2021-10-21-malicious-email-2214-UTC.eml, which contains a malicious link to a page hosted at firebase.googleapis.com that is no longer active. When it was active, that URL distributed a malicious zip archive named Critical Errors Report.zip.
Note: Unfortunately, when I generated traffic for this exercise, HTTPS activity caused by the host's request to firebase.googleapis.com was not iincluded in the pcap.
The third infection started at 14:37:01 UTC, and it happened to 10.10.22.156. This host generated HTTP traffic to three URLs ending with /44491/6090605324.dat. These three URLs returned three DLL files for Qakbot. The DLL files can be extracted from the pcap, and they all have the same SHA256 hash:
Indicators of Qakbot post-infection traffic from this infection include:
- TCP traffic to 126.96.36.199 over port 65400
- HTTPS traffic to www.openssl.org (not inherently malicious)
- Several HTTPS requests to api.ipifiy.org (also not inherently malicious)
- Encrypted SMTP traffic to several different email servers
Filtering on Kerberos traffic for 10.10.22.156 reveals hostname DESKTOP-CFA3367 with Windows user account agnes.warren.
The email addressed to email@example.com is 2021-10-21-malicious-email-1739-UTC.eml, which contains a malicious attachment named Document-1975072354.zip.
The malicious zip archive contains an Excel spreadsheet with macro code that generated those three URLs ending in /44491/6090605324.dat.
Our October 2021 forensic contest was relatively easy to answer, but additioinal information about the infections can be found in the pcap.
Congratulations again to Ameer Mane for winning this month's competition!
You can still find the pcap and emails here.
brad [at] malware-traffic-analysis.net