Carnage | Analyze malicious network traffic | TryHackMe
This writeup is for the Carnage room: https://tryhackme.com/room/c2carnage
Please understand the basics of Wireshark before attempting to complete challenges in this room.
Open the Carnage.pcap file
What was the date and time for the first HTTP connection to the malicious IP?
Change the time display format to a readable format.
Apply the HTTP filter, as we are only looking for HTTP connections. (2021-09-24 16:44:38)
What is the name of the zip file that was downloaded?
The first HTTP request contains the name of the zip file
What was the domain hosting the malicious zip file?
Click Follow → TCP stream on the request. Check the Hostname (attirenepal.com)
Without downloading the file, what is the name of the file in the zip file?
The TCP stream of the request will show the content of the file. (chart-1530076591.xls)
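The file name is readable in the stream because every ZIP member starts with an uncompressed local file header. The following is an added example, not part of the original writeup: it reads member names from the raw bytes of an HTTP response without extracting anything. The sample response, its Content-Type header and the member's contents are constructed; only the file name comes from this room.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# Fixed 30-byte ZIP local file header, little-endian.
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")


def split_http_body(stream):
    """Return the bytes that follow the blank line ending the HTTP headers."""
    _head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    return body


def zip_member_names(blob):
    """List member names from local file headers, never decompressing data.

    Does not need the central directory at the end of the archive, so it
    also works on a capture that was cut off mid-download.
    """
    names = []
    pos = blob.find(LOCAL_SIG)
    while pos != -1 and pos + LOCAL_HDR.size <= len(blob):
        fields = LOCAL_HDR.unpack_from(blob, pos)
        flags, csize, name_len, extra_len = fields[2], fields[7], fields[9], fields[10]
        start = pos + LOCAL_HDR.size
        raw = blob[start:start + name_len]
        if len(raw) < name_len:
            break  # header truncated inside the name
        # Flag bit 11 marks a UTF-8 name; otherwise the legacy code page is CP437.
        names.append(raw.decode("utf-8" if flags & 0x0800 else "cp437", "replace"))
        # Skip name, extra field and compressed data. If csize is 0 (streamed
        # archive), the search simply resumes right after the header.
        pos = blob.find(LOCAL_SIG, start + name_len + extra_len + csize)
    return names


def build_sample_stream():
    """Constructed HTTP response carrying a one-file zip (placeholder contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("chart-1530076591.xls", b"constructed placeholder contents")
    return b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n\r\n" + buf.getvalue()


if __name__ == "__main__":
    print(zip_member_names(split_http_body(build_sample_stream())))
```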
What is the name of the webserver of the malicious IP from which the zip file was downloaded?
Check the TCP stream request (LiteSpeed)
What is the version of the webserver from the previous question?
Check the TCP stream request (PHP/7.2.34)
Malicious files were downloaded to the victim host from multiple domains. What were the three domains involved with this activity?
The answer to this question is difficult to find, so use the Hint option. As per the Hint, check the HTTPS traffic.
Apply TLS filter in Wireshark and narrow down the time frame. Also, enable Resolve Network Addresses,
Which certificate authority issued the SSL certificate to the first domain from the previous question?
What are the two IP addresses of the Cobalt Strike servers? Use VirusTotal (the Community tab) to confirm if IPs are identified as Cobalt Strike C2 servers. (answer format: enter the IP addresses in sequential order)
For the most basic Beacon payloads, the listeners will by default listen on ports 80 and 443. Open the Conversations menu option and check ports 80 and 443. (188.8.131.52, 184.108.40.206)
Go to VirusTotal and confirm the same.
What is the Host header for the first Cobalt Strike IP address from the previous question?
Apply filter ip.addr == 220.127.116.11 and Follow → TCP stream. (ocsp.verisign.com)
What is the domain name for the first IP address of the Cobalt Strike server? You may use VirusTotal to confirm if it’s the Cobalt Strike server (check the Community tab).
Apply filter ip.addr == 18.104.22.168, (survmeter.live)
What is the domain name of the second Cobalt Strike server IP? You may use VirusTotal to confirm if it’s the Cobalt Strike server (check the Community tab).
Apply filter ip.addr == 22.214.171.124, check the name resolution (securitybusinpuff.com)
What is the domain name of the post-infection traffic?
Apply filter http.request.method == POST (maldivehost.net)
What are the first eleven characters that the victim host sends out to the malicious domain involved in the post-infection traffic?
Check TCP stream (zLIisQRWZI9)
POST /zLIisQRWZI9/ASk5Kx0SPR8lJjE5eTg9GkN6fGFyZHl/YXp6eQ== HTTP/1.1
What was the length for the first packet sent out to the C2 server?
Check the packet length (281)
What was the Server header for the malicious domain from the previous question?
Follow the TCP stream (Apache/2.4.49 (cPanel) OpenSSL/1.1.1l mod_bwlimited/1.4)
The malware used an API to check for the IP address of the victim’s machine. What was the date and time when the DNS query for the IP check domain occurred? (answer format: yyyy-mm-dd hh:mm:ss UTC)
Apply filter frame contains "api", check for the first suspicious DNS query (2021-09-24 17:00:04)
What was the domain in the DNS query from the previous question?
The domain name can be found in the DNS query (api.ipify.org)
Looks like there was some malicious spam (malspam) activity going on. What was the first MAIL FROM address observed in the traffic?
Apply filter frame contains "MAIL FROM" (email@example.com)
How many packets were observed for the SMTP traffic?
Apply the smtp filter and open the Conversations menu option. Tick "Limit to display filter" to see only SMTP. (1439)