HomeLabs

Incident Response Exercise 2: Analyzing a Malicious IP Alert

In this incident response exercise, we’re tasked with investigating a suspicious alert triggered by a connection to a potentially malicious IP address: 146.185.170.222. The investigation involves analyzing a PCAP file using Wireshark and utilizing Splunk for endpoint analysis to uncover the nature of the threat. Whether you’re learning incident response or exploring cybersecurity analysis, this breakdown aims to provide insight into the investigative process behind such alerts.

🧩 Scenario Overview

The alert originated from the SOC shift lead, who assigned the task of investigating an alert for a malicious IP address (146.185.170.222). The provided PCAP file contains the activity in question. Our objectives for this exercise are:

1: Confirming the PCAP Time Frame

Using the capinfos tool, we verify the time frame of the PCAP file to ensure it aligns with the alert’s timestamp. This command provides metadata about the PCAP file, including the start and end times of the capture.

2: OSINT Research on IP Address 146.185.170.222

To better understand the nature of this IP, we performed open-source intelligence (OSINT) research using platforms like VirusTotal.

Question 1. Is there published OSINT on the IP address? Yes
Question 2. If so, what? The results were alarming — the IP has been associated with several high-profile malware families, including:

These are well-known banking trojans and loaders often used in financially motivated cyberattacks and ransomware campaigns. Specifically, VirusTotal reported connections to:

This strongly indicates that 146.185.170.222 is part of known malicious infrastructure, and any communication with it should be treated as a serious threat.

3: Analyzing the PCAP with Wireshark

Opening the PCAP file in Wireshark, we filter traffic related to the IP address 146.185.170.222.

Question 3. Was there a successful connection to the suspicious IP address? Yes
Question 4. Was malware downloaded? Yes
Question 5. If so, what is the name of the malicious file? Exfil.ps1 and Keylogger.ps1
What are the SHA256 hashes of the files?
Question 6. What does the malware do? Steals and exfiltrates browser history, system information, and keylogger output.
Question 7. Was there any information stolen? Yes
Question 8. If so, how was information exfiltrated? FTP

4: Utilize Splunk for Endpoint Analysis

Question 9. What was the file that caused the connection to the malicious IP address? Invoice.ps1
By pivoting off of evidence found in the PCAP — particularly a file named Exfil.ps1 — we crafted a simple SPL query in Splunk to trace back the activity:

Question 10. What is the persistence mechanism for Exfil? Registry Run key. Using the same SPL as before, we can see Exfil.ps1 being written to the CurrentVersion\Run key.
Question 11. What is the persistence mechanism for Keylogger? Registry Run key.
Question 12. How is data exfilled? Zipped and exfilled via FTP. We see the file being exfilled in the PCAP. Pivoting from Exfil.zip discovered in the PCAP, we see the file creation with the following SPL:

Additionally, we see the code for Exfil.ps1 in the PCAP and see that it writes the system info and the browser history to the \Windows\Temp\Exfil directory, then zips that directory.

Attack Overview

The downloader (Invoice.ps1) downloads two malicious PowerShell files, Exfil.ps1 and Keylogger.ps1. Exfil.ps1 steals browser history, system information, and keylogger results, zips them into a single file, and uses FTP to exfiltrate it. Keylogger.ps1 installs a keylogger that writes its results to a .txt file. The downloader establishes persistence by writing to the Run key so that Keylogger.ps1 and Exfil.ps1 start each time the user logs in to the system. The downloader PowerShell is shown below. The code for Exfil.ps1 is shown below.
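The Run-key persistence behind Questions 10 and 11 is the kind of thing a detection should catch without a manual pivot. The following is an added example written for this walkthrough, not code from the exercise or its Splunk instance: it parses constructed Sysmon-style "registry value set" (Event ID 13) records and flags any CurrentVersion\Run value whose data launches a PowerShell script. The field names (EventID, TargetObject, Details) and the sample records are assumptions modelled on Sysmon's layout.

```python
import re

# Constructed sample records in a Sysmon-like key=value layout (Event ID 13 =
# registry value set, Event ID 11 = file create). Illustrative only, not
# events from the exercise's Splunk instance.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "TargetObject=HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Exfil "
    "Details=powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\victim\\Exfil.ps1",
    "EventID=13 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "TargetObject=HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Keylogger "
    "Details=powershell.exe -w hidden -File C:\\Users\\victim\\Keylogger.ps1",
    "EventID=13 Image=C:\\Program Files\\Vendor\\setup.exe "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent "
    "Details=C:\\Program Files\\Vendor\\agent.exe --tray",
    "EventID=11 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "TargetFilename=C:\\Windows\\Temp\\Exfil.zip",
]

# key=value pairs; a value runs until the next " key=" token or end of line,
# so values containing spaces (paths, command lines) survive intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
# Matches Run and RunOnce under any hive (HKLM or a per-user HKU path).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SCRIPT_RE = re.compile(r"\b[\w-]+\.ps1\b", re.IGNORECASE)


def parse_event(line):
    """Split one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def find_run_key_scripts(events):
    """Return (run_value_name, script_name) for every Run-key value whose
    data launches a PowerShell script: the persistence seen in this exercise."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue
        target, details = ev.get("TargetObject", ""), ev.get("Details", "")
        if not RUN_KEY_RE.search(target):
            continue  # registry write, but not an autostart location
        m = SCRIPT_RE.search(details)
        if m and "powershell" in details.lower():
            hits.append((target.rsplit("\\", 1)[-1], m.group(0)))
    return hits


if __name__ == "__main__":
    for value_name, script in find_run_key_scripts(SAMPLE_EVENTS):
        print(f"Run key value '{value_name}' launches {script}")
```

The benign vendor entry is kept out of the results because its data runs an .exe rather than a PowerShell script; the Exfil.zip file-create event is parsed but ignored, since it is a different pivot (Question 12).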


Investigating a Malicious Connection: Incident Response Exercise 1

🔍 Introduction

In this incident response exercise, we are tasked with investigating a suspicious alert triggered by a connection to an IP address flagged as potentially malicious: 100.38.242.113. The investigation involves analyzing a PCAP file using Wireshark and utilizing Splunk for endpoint analysis to uncover what happened during the attack. Whether you’re learning incident response or exploring cybersecurity analysis, I hope this breakdown helps you understand the investigative mindset behind alerts like these.

🧩 Scenario Overview

The alert came from the SOC team for a connection to a known malicious IP address: 100.38.242.113. The goal of this exercise was to:

Step 1: PCAP Analysis

To begin the investigation, we first confirm that the PCAP file provided corresponds to the correct timeframe. This can be done using the capinfos tool to view the capture’s metadata and verify timestamps.

Open-Source Intelligence (OSINT) on the Malicious IP Address:

Next, we perform some OSINT research on the IP address 100.38.242.113. A quick search reveals the IP address is associated with Qakbot, a notorious banking Trojan. This information gives us a significant lead into the type of attack we’re dealing with.

Question 1. Is there published OSINT on the IP address? Yes
Question 2. If so, what? Associated with Qakbot.

Wireshark Analysis:

Once we’ve identified the IP address as malicious, we filter the PCAP for traffic involving 100.38.242.113 in Wireshark. We quickly determine that there was indeed a successful connection to this IP address. The malware downloaded over this connection was named shell.txt; it had been disguised as a .txt file to bypass security filters. Upon closer inspection, the file was actually a .bat file. It appears that the attackers renamed the malicious file to evade detection.

Question 3. Was there a successful connection to the suspicious IP address? Yes
Question 4. Was malware downloaded? Yes

File Export and Hashing:

By analyzing the PCAP further, we carve out the shell.bat file, extract its SHA256 hash, and analyze its behavior. The malware sets up a reverse shell, connecting the victim’s system back to the attacker’s machine for remote access.

Question 5. If so, what is the name of the malicious file? shell.txt (shell.bat)
Question 6. What is the SHA256 hash of the file?

Step 2: Malware Behavior

Once executed, the shell.bat file initiates a PowerShell script that establishes a reverse TCP connection back to the attacker’s server. From there, the attacker can execute commands remotely on the victim’s machine. Some commands seen in the captured traffic include:

Question 8. Was there any information stolen? Yes, enumeration took place.

Step 3: Splunk Analysis

The next step is to pivot through event logs using Splunk, where we search for logs related to the downloaded shell.txt file. By querying the data, we uncover the file path and confirm the file’s unusual extension change, which raises questions about the attacker’s evasion tactics. This enumeration provides valuable information about the target system, which could help attackers decide their next steps, such as deploying more malware or establishing command-and-control.

Question 9. What file was the cause of the connection to the malicious IP address? GiftCard.bat

File Path and Parent Process:

Using Splunk’s search query, we track down the file’s location on the system. We also observe that the parent process responsible for downloading the file was powershell.exe, a legitimate Windows process that was weaponized by the attacker to execute malicious code.

Conclusion: The Impact of the Attack

The investigation uncovers several key findings: The cause of the connection to the suspicious IP address was determined to be the execution of a .bat file that triggered the download of the reverse shell, exploiting a gap in real-time protection settings on the victim’s machine. This incident highlights the importance of proper endpoint protection and detection mechanisms to prevent malware from executing on vulnerable systems.

Final Thoughts:

Incident response exercises like this are invaluable for learning how to track down and analyze attacks in a controlled environment. By leveraging tools like Wireshark for packet analysis and Splunk for log analysis, cybersecurity professionals can develop a thorough understanding of attack techniques and improve response times in real-world incidents.
