BurninCandlePcapAnalysis :)
2022-03-21 - TRAFFIC ANALYSIS EXERCISE – BURNINCANDLE
Summary
On Monday 2022-03-21 at approximately 20:58 UTC, a Windows host used by Patrick Zimmerman was infected with IcedID (Bokbot) malware that led to Cobalt Strike.
Task – Write an incident report (with explanation).
Details
1. Host name – DESKTOP-5QS3D5D
2. Host IP and MAC address – 10.0.19.14 & 00:60:52:b7:33:0f
3. Windows user name – patrick.zimmerman
4. Time of infection – Monday 2022-03-21
Explanation – A few steps that I like to follow in order to get the above details easily: filter the Kerberos traffic. Usually the host name and Windows user are both present there. For this case, I used the packets below, which show 303 AS-REQ. Follow the stream for both and we get the information. Once the packet is selected, Wireshark shows the source IP and MAC in clear text.
Indicators of Compromise:
188.166.154.118 – The victim machine made contact with oceriesfornot.top. Search for this host on VirusTotal: it has been flagged as command-and-control malware by 14 vendors. There's a gzip file present as well.
1. Upon more research I found out that the cookie present in the above stream means something. The _u cookie value holds the victim's username and password hexlified. So go to CyberChef and convert it to ASCII. You will get DESKTOP-5QS3D5D:patrick.zimmerman:CD2F3B9F67E3C343
157.245.142.66 – The host is antnosience.com. TCP stream; use the above method.
23.227.198.203 (bupdater.com) – This IP is beaconing with bupdater.com on port 757, and if we look it up on VirusTotal it is flagged as malware.
Domains and IP addresses for IcedID (Bokbot):
oceriesfornot[.]top | http://188.166.154.118/
antnosience[.]com | 157.245.142.66
suncoastpinball[.]com | 160.153.32.99
otectagain[.]top | 157.245.142.66
seaskysafe[.]com | 91.193.16.181
dilimoretast[.]com | 160.153.32.99
Domains and IP addresses for Cobalt Strike: bupdater[.]com, 23.227.198.203, port 757
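The two manual steps above, hex-decoding the _u cookie in CyberChef and checking each destination against the domain and IP lists, can be scripted so every HTTP request in a capture is triaged the same way. The following is an added example written for this write-up; it is not part of the original post or the exercise materials. The HTTP request it processes is constructed: its _u cookie is the hex encoding of the decoded value obtained above, and the cookie name `other` is a filler. The IoC sets contain only the indicators listed on this page.

```python
"""Triage helper for the HTTP requests and IoCs discussed in this write-up.

Added example, not part of the original post. The sample request is
constructed; its _u cookie is the hex encoding of the decoded value the
write-up obtained in CyberChef.
"""
import binascii
from typing import Dict, List, Optional

# Indicators from the page, written defanged the way the author lists them.
ICEDID_IOCS = {
    "oceriesfornot[.]top", "188.166.154.118",
    "antnosience[.]com", "157.245.142.66",
    "suncoastpinball[.]com", "160.153.32.99",
    "otectagain[.]top", "seaskysafe[.]com", "91.193.16.181",
    "dilimoretast[.]com",
}
COBALT_STRIKE_IOCS = {"bupdater[.]com", "23.227.198.203"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'bupdater[.]com' into a matchable string."""
    return indicator.replace("[.]", ".")


# Refanged lookup sets so a Host header can be compared directly.
ICEDID_HOSTS = {refang(i) for i in ICEDID_IOCS}
COBALT_STRIKE_HOSTS = {refang(i) for i in COBALT_STRIKE_IOCS}


def parse_cookie_header(header_value: str) -> Dict[str, str]:
    """Split a Cookie header ('a=1; b=2') into a name -> value dict."""
    cookies: Dict[str, str] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if "=" in part:
            name, _, value = part.partition("=")
            cookies[name.strip()] = value.strip()
    return cookies


def decode_u_cookie(hex_value: str) -> Optional[List[str]]:
    """Hex-decode the _u cookie value and split it on ':'.

    Returns None when the value is not valid hex or not ASCII, so one
    malformed cookie does not abort a run over a whole capture.
    """
    try:
        text = binascii.unhexlify(hex_value).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text.split(":")


def classify_host(host: str) -> Optional[str]:
    """Match a destination host or IP against the page's two IoC lists."""
    if host in ICEDID_HOSTS:
        return "IcedID"
    if host in COBALT_STRIKE_HOSTS:
        return "Cobalt Strike"
    return None


def triage_request(raw_request: str) -> Dict[str, object]:
    """Parse one raw HTTP request, match its Host header, decode any _u cookie."""
    lines = raw_request.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    cookies = parse_cookie_header(headers.get("cookie", ""))
    u_fields = decode_u_cookie(cookies["_u"]) if "_u" in cookies else None
    return {
        "request_line": lines[0],
        "host": host,
        "family": classify_host(host),
        "u_fields": u_fields,
    }


# Constructed sample: the decoded value from the write-up, hex-encoded back
# into a _u cookie and placed in a request to the first IoC on the page.
SAMPLE_U_COOKIE = "DESKTOP-5QS3D5D:patrick.zimmerman:CD2F3B9F67E3C343".encode("ascii").hex()
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: oceriesfornot.top\r\n"
    f"Cookie: other=constructed; _u={SAMPLE_U_COOKIE}\r\n"
    "\r\n"
)

if __name__ == "__main__":
    result = triage_request(SAMPLE_REQUEST)
    print(result["host"], "->", result["family"])
    if result["u_fields"]:
        print("_u fields:", result["u_fields"])
```

Feeding the script the HTTP request bodies exported from Wireshark gives, per request, the destination, which family's list it matched and the decoded host-name, user-name and identifier fields from the cookie, which is exactly the information the Details section above was filled in from by hand.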