badfile.exe – Part 1 – Suspicious Activity

We begin with a packet capture of an administrator’s device. Odd connection attempts (which were unsuccessful) were made to a particular website. These attempts were not initiated by the user.

The PCAP in question can be downloaded here.

See if you can find the following:

  1. What’s the IP address of the system that captured the traffic?
  2. What’s the IP address of the web server listening on port 421?
  3. What is the webpage that the device failed to reach?
  4. What text can be found on the website?

Answers:
You’ll want to use a packet inspection tool like Wireshark to inspect the PCAP. Since we know that we’ll likely be looking for a website/web server, it is helpful to set a Wireshark display filter for HTTP traffic.

  1. 192.168.43.28
    Once we set a filter of “http”, we can see that there are several HTTP GET requests. It would be safe to assume that the IP of the system that captured the traffic is 192.168.43.28.
  2. 178.33.250.62
    We know that the administrator’s IP address is 192.168.43.28. We also know that we are looking for HTTP traffic, and that HTTP is a protocol which leverages TCP. Therefore, we can apply the following Wireshark filter: “ip.src == 192.168.43.28 && http && tcp.dstport == 421”
  3. 104.236.149.39
    On the screenshot for question #2, we can’t really see anything associated with errors related to failed HTTP requests. If a search is performed for port 80, you’ll find that there is a “TCP Transmission” error immediately after an HTTP GET request to 104.236.149.39.
  4. Go Away!
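The same four questions can be answered without a GUI by walking the capture file directly. The script below is an added example, not part of the original post: it contains a small pure-Python reader for the classic pcap format (little-endian, Ethernet link type, IPv4/TCP only) and applies the reasoning from the walkthrough, namely “the host that originates the HTTP requests is the capturing system”, “the peer that receives a SYN on port 421 is the server”, “a request with no HTTP reply and a retransmitted segment is the failed one”, and “whatever follows the blank line in an HTTP response is the page text”. The capture it analyses is constructed inline from the addresses given in the answers above; the TCP sequence numbers, ports, MAC addresses and the assumption that the “Go Away!” body comes from the port-421 server are all made up for the example.

```python
"""Answer the PCAP questions programmatically (added example, not from the post)."""
import struct
from collections import Counter

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")
SYN, PSH, ACK = 0x02, 0x08, 0x10


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def tcp_frame(src, dst, sport, dport, flags, seq=0, payload=b""):
    """Ethernet + IPv4 + TCP frame. Checksums stay zero; the reader ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(src), _ip(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip          # zero MACs (constructed), EtherType IPv4


def build_pcap(frames):
    """Classic pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]   # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_packets(pcap):
    """Yield (src, dst, sport, dport, flags, seq, payload) for every IPv4/TCP frame."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4-over-Ethernet carrying TCP
        ip = frame[14:14 + struct.unpack_from("!H", frame, 16)[0]]
        ihl = (ip[0] & 0x0F) * 4
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        yield src, dst, sport, dport, tcp[13], seq, tcp[(tcp[12] >> 4) * 4:]


def analyse(pcap, port=421):
    """Mirror the Wireshark reasoning: requester = capturing host, SYN target = server,
    unanswered/retransmitted request = failed page, response body = page text."""
    requesters, servers, requests, answered, texts, seen = Counter(), set(), {}, set(), [], Counter()
    for src, dst, sport, dport, flags, seq, payload in iter_packets(pcap):
        if dport == port and flags & SYN and not flags & ACK:
            servers.add(dst)
        if payload.startswith(HTTP_METHODS):
            requesters[src] += 1
            requests[(src, sport, dst, dport)] = payload.split(b"\r\n", 1)[0].decode(errors="replace")
            seen[(src, sport, dst, dport, seq)] += 1   # same 4-tuple + seq twice = retransmission
        elif payload.startswith(b"HTTP/"):
            answered.add((dst, dport, src, sport))      # reply flows server -> client
            body = payload.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in payload else b""
            texts.append(body.decode(errors="replace").strip())
    failed = [f"{d}:{p} {line}" for (s, sp, d, p), line in requests.items() if (s, sp, d, p) not in answered]
    return {"capturing_host": requesters.most_common(1)[0][0] if requesters else None,
            "servers_on_port": sorted(servers), "failed_requests": sorted(failed),
            "retransmissions": any(n > 1 for n in seen.values()), "page_text": texts}


# Constructed sample capture using the addresses from the answers above.
CLIENT, SRV421, SRV80 = "192.168.43.28", "178.33.250.62", "104.236.149.39"
GET80 = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SAMPLE = build_pcap([
    tcp_frame(CLIENT, SRV421, 51000, 421, SYN, seq=100),
    tcp_frame(SRV421, CLIENT, 421, 51000, SYN | ACK, seq=500),
    tcp_frame(CLIENT, SRV421, 51000, 421, ACK, seq=101),
    tcp_frame(CLIENT, SRV421, 51000, 421, PSH | ACK, seq=101, payload=b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    tcp_frame(SRV421, CLIENT, 421, 51000, PSH | ACK, seq=501,
              payload=b"HTTP/1.1 200 OK\r\nContent-Length: 8\r\n\r\nGo Away!"),
    tcp_frame(CLIENT, SRV80, 51001, 80, SYN, seq=200),
    tcp_frame(SRV80, CLIENT, 80, 51001, SYN | ACK, seq=900),
    tcp_frame(CLIENT, SRV80, 51001, 80, ACK, seq=201),
    tcp_frame(CLIENT, SRV80, 51001, 80, PSH | ACK, seq=201, payload=GET80),
    tcp_frame(CLIENT, SRV80, 51001, 80, PSH | ACK, seq=201, payload=GET80),   # retransmitted, never answered
])

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

To run it against the real capture, replace `SAMPLE` with `open("badfile.pcap", "rb").read()` (pcapng files and non-Ethernet link types will be rejected by the magic-number check, so export from Wireshark as classic pcap first). The "failed request" heuristic is deliberately simple: a request counts as failed when no `HTTP/` reply ever flows back on the same connection, which is exactly the gap you spot in Wireshark when a GET is followed by a retransmission instead of a response.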

At first glance, it doesn’t look like there is anything interesting about this particular webpage, but looks can be deceiving…
Stay tuned for Part 2.
Posted in C2