[Day 13] Packet Analysis

December 13, 2022

Today I got to use Wireshark to investigate network traffic that shows malware activity.

Flags

What is the "Percent Packets" value of the "Hypertext Transfer Protocol"?

0.3

Which port number has received more than 1000 packets?

3389

What is the service name of the used protocol that received more than 1000 packets?

rdp

What are the domain names? Enter the domains in alphabetical order and defanged format.

bestfestivalcompany[.]thm,cdn[.]bandityeti[.]thm

What are the names of the requested files? Enter the names in alphabetical order and in defanged format.

favicon[.]ico,mysterygift[.]exe

Which IP address downloaded the executable file? Enter your answer in defanged format.

10[.]10[.]29[.]186

Which domain address hosts the malicious file? Enter your answer in defanged format.

cdn[.]bandityeti[.]thm

What is the "user-agent" value used to download the non-executable file?

Nim httpclient/1.6.8

What is the sha256 hash value of the executable file?

0ce160a54d10f8e81448d0360af5c2948ff6a4dbb493fe4be756fc3e2c3f900f

What are the connected IP addresses? Enter the IP addressed defanged and in numerical order.

20[.]99[.]133[.]109,20[.]99[.]184[.]37,23[.]216[.]147[.]76