1 of 4

Traffic Analysis

aka working with pcaps

Evil Corp's Child 1, 2 and 3

Evil Corp's Child 1:

Briefing:

Link to pcap file:

Right so they started off easy. Opening up the pcap I used the http display filter to show packets of this protocol:

Evil Corp's Child 2:

Briefing:

Here, we need to use some display filters to refine our search. Firstly, we know it uses the same port as HTTPS. This is port 443. Secondly, We're talking about the malware and know that the infected client's ip is 192.168.1.91 from challenge 1. Putting this into a display filter would look like this:

Although there are quite a few packets, there are only so many different ips, so trying about 5 got me the correct answer, which was flag{213.136.94.177} .

Evil Corp's Child 3:

Briefing:

This was an interesting one. After some googling, I found out that Certificates are sent during tls handshakes, as TLS is used to encrypt HTTP traffic, making it HTTPS. The Display filter i needed to show these packets was tls.handshake.type == 11.

As said in the brief, we need the packet from the source IP 37.205.9.252 . Therefore expaning this packet's details, then TLSv1.2 Record Layer: Handshake Protocol: Certificate then Handshake Protocol: Certificate then Certificates then subject: rdnSequence (0) finally gives us the LocalityName.

flag{Mogadishu}

By das :)

Remotely Administered Evil 1 and 2

link to file:

file: https://tinyurl.com/y4z72k5o
Password: hacktober

Remotely Administered Evil 1:

Briefing:

What is the name of the executable in the malicious url? Submit the filename as the flag: flag{virus.bad}.

Simply opening it up in wireshark, we can see the flag-

flag{solut.exe}

Remotely Administered Evil 2:

Briefing:

What MYDDNS domain is used for the post-infection traffic in RATPack.pcap?
Use the file from Remotely Administrated Evil.

All you need to do here is filter for dns traffic. Because there weren't too many packets, I spotted the flag almost immediately and didn't have to filter further.

flag{solution.myddns.me}

An Evil Christmas Carol 1 and 2

Link to file:

File: https://tinyurl.com/y259doyq
Password: hacktober

An Evil Christmas Carol 1:

Briefing:

A malicious dll was downloaded over http in this traffic, what was the ip address that delivered this file?

Like the others, you can just filter for http traffic and get the flag:

flag{205.185.125.104}

An Evil Christmas Carol 2:

Briefing:

What is the domain used by the post-infection traffic over HTTPS?
Use the file from An Evil Christmas Carol.

We're looking for a domain, so it must be a dns query. Therefore filtering for DNS traffic and specifying the ip (10.0.0.163 as this is the infected client from part 1, and the infected client must've made the query) we can get the flag-

flag{vlcafxbdjtlvlcduwhga.com}

By das

An Evil Christmas Carol 1 and 2

Link to file:

File: https://tinyurl.com/y259doyq
Password: hacktober

An Evil Christmas Carol 1:

Briefing:

A malicious dll was downloaded over http in this traffic, what was the ip address that delivered this file?

Like the others, you can just filter for http traffic and get the flag:

flag{205.185.125.104}

An Evil Christmas Carol 2:

Briefing:

What is the domain used by the post-infection traffic over HTTPS?
Use the file from An Evil Christmas Carol.

flag{vlcafxbdjtlvlcduwhga.com}

By das

Remotely Administered Evil 1 and 2

link to file:

file: https://tinyurl.com/y4z72k5o
Password: hacktober

Remotely Administered Evil 1:

Briefing:

What is the name of the executable in the malicious url? Submit the filename as the flag: flag{virus.bad}.

Simply opening it up in wireshark, we can see the flag-

flag{solut.exe}

Remotely Administered Evil 2:

Briefing:

What MYDDNS domain is used for the post-infection traffic in RATPack.pcap?
Use the file from Remotely Administrated Evil.

All you need to do here is filter for dns traffic. Because there weren't too many packets, I spotted the flag almost immediately and didn't have to filter further.

flag{solution.myddns.me}

Evil Corp's Child 1, 2 and 3

Evil Corp's Child 1:

Briefing:

What is the MD5 hash of the Windows executable file?

NOTE: If you extract any files within this challenge, please delete the file after you have completed the

Link to pcap file:

link: https://tinyurl.com/y3oltdh5
password: hacktober

Right so they started off easy. Opening up the pcap I used the http display filter to show packets of this protocol:

Opening up the details for the first packet, we can see the full request URL at . I then ran wgetto download the file. As the brief suggests, this is not a png but rather a windows executable. Therefore renaming it to ecorp.exe and running the command md5sum ecorp.exe gives us the flag of flag{a95d24937acb3420ee94493db298b295}.

Evil Corp's Child 2:

Briefing:

The malware uses four different ip addresses and ports for communication, what IP uses the same port as https?  Submit the flag as: flag{ip address}.

Use the file from Evil Corp's Child.

Although there are quite a few packets, there are only so many different ips, so trying about 5 got me the correct answer, which was flag{213.136.94.177} .

Evil Corp's Child 3:

Briefing:

What is the localityName in the Certificate Issuer data for HTTPS traffic to 37.205.9.252?

Use the file from Evil Corp's Child.

flag{Mogadishu}

By das :)