cybportdal - Network A. lab 1

Network Traffic Analysis with Wireshark (CyberDefenders Lab)

Scenario

The SOC team has detected suspicious activity in the network traffic, revealing that a machine has been compromised. Sensitive company information has been stolen. Your task is to use Network Capture (PCAP) files and Threat Intelligence to investigate the incident and determine how the breach occurred.

Task

In this project, I analyzed a packet capture (PCAP) file using Wireshark to investigate suspicious network activity. The goal was to identify malicious traffic, extract evidence, and understand how the attack unfolded.

Methodology (Steps I Took)

Step 1: Opened the PCAP file (205-DanaBot.pcap) in Wireshark.

figure 1. Opening the pcap file using wireshark

Step 2: Identified identifying different protocols like HTTP, TCP, DNS etc requests and suspicious domains.

figure 2. Identifying different active protocols

Step 3: Identify suspicious and analyzing suspicious request

figure 3. Identifying suspicious activities

figure 4. Scanning website to determine it threat level

NB: The website portfolio.servicerc.com is labelled as a security threat. From here, we can as well determine the IP address of the threat actor

figure 5. IP address of the threat actor

Step 4: Analysing the HTTP protocol files for further clues

figure 6. I dentifying suspicious files in the HTTP repuests of the pcap file

NB: We notice that there are two suspicious files; login.php and resources.dll. we'll first analyze the first file by saving it into our computer.

Step 5: Analysing the file login.php

figure 7. Checking the file type

NB: We notice that it's a Javascript file with 5558 bytes of size. Let's try and read it contents.

figure 8. Checking it contents

NB: Upon checking the contents of the php file, we realise that it's unreadable. It content has been obfuscated and we need a deobfuscation tool in order to read it contents.

figure 9. deobfuscating the php file

Step 6: Analysing the code

figure 10. analyzing the code

NB: The deobfuscated script in this case shows it leverages ActiveX objects to perform malicious activities. Specifically, the script includes commands to download another file, named resources.dll, from a domain (soundata.top) and then executes it using rundll32.exe, a legitimate system tool often abused for malware execution. The script also deletes itself after execution, an anti-forensic technique designed to hinder analysis. To get the request resource from the attacker's server, we need to inspect the HTTP stream that served the login.php file.

The process used to execute the malicious JavaScript code is WScript.exe. Based on the deobfuscated JavaScript analyzed earlier, the script is designed to be executed using the Windows Script Host (WSH), specifically through WScript.exe, which is the default interpreter for .js files on Windows systems. This is evident from the script's reliance on WScript objects such as WScript.CreateObject, which are integral to WSH functionality.

figure 11. interaction between the compromised system and the malicious server

NB: The server's response has a Content-Type of application/octet-stream, which confirms that the server is delivering binary or encoded data. Additionally, the header Content-Disposition specifies the file name as allegato_708.js, indicating that this is a JavaScript file being served as an attachment.

Conclusion

This project improved my skills in packet analysis, applying Wireshark filters, and identifying malicious patterns in network traffic. It also highlighted the importance of persistence in decoding obfuscated data.