TryHackMe - TShark Challenge II: Directory

kanishkar mathi

Scenario:
An alert has been triggered:

A user came across a poor file index, and their curiosity led to problems.

The case was assigned to you. Inspect the provided directory-curiosity.pcap located in ~/Desktop/exercise-files and retrieve the artefacts to confirm that this alert is a true positive.

🧰 Tools Used

TShark (tshark), sha256sum, VirusTotal

❓ Questions & Answers

Q1: What is the name of the malicious/suspicious domain?

First, list every name that was queried and how often. A bare dns.qry.name filter matches both queries and their responses, so the filter below keeps only queries (dns.flags.response == 0) to avoid counting each lookup twice:

tshark -r directory-curiosity.pcap -Y "dns.flags.response == 0 && dns.qry.name" -T fields -e dns.qry.name | sort | uniq -c | sort -nr

One of the returned names, jx2-bavuong.com, is unfamiliar; searching it on VirusTotal confirms it is flagged as malicious.

✅ Answer (Defanged):
jx2-bavuong[.]com


Q2: What is the total number of HTTP requests sent to the malicious domain?

To see how often the user interacted with the suspicious domain, count the HTTP requests whose Host header names jx2-bavuong.com. The Host header only appears in requests, so each matching packet is one request; http.request is added to the filter to make that explicit:

tshark -r directory-curiosity.pcap -Y 'http.request && http.host == "jx2-bavuong.com"' -T fields -e http.host | wc -l

The resulting count is the number of HTTP requests sent to the domain.

✅ Answer: 14


Q3: What is the IP address associated with the malicious domain?

To find where the requests went, extract the destination IP of each request to jx2-bavuong.com and collapse the duplicates:

tshark -r directory-curiosity.pcap -Y 'http.host == "jx2-bavuong.com"' -T fields -e ip.dst -e http.host | sort | uniq -c

✅ Answer (Defanged): 141[.]164[.]41[.]174

Every request to the domain went to this one address, which ties the IP to the malicious domain for the rest of the investigation.


Q4: What is the server info of the suspicious domain?

To identify the web server stack used, we can extract the Server HTTP header from responses sent by the malicious IP:

tshark -r directory-curiosity.pcap -Y 'ip.src == 141.164.41.174 && http.server' -T fields -e ip.src -e http.server | awk NF | uniq -c

✅ Answer:
Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9


Q5: What is the number of listed files (via ASCII TCP stream)?

TShark can reassemble a TCP conversation and print it, which is the quickest way to read a directory index or command-and-control exchange the way the browser saw it. Stream 0 is the first TCP conversation in the capture; to print it in ASCII:

tshark -r directory-curiosity.pcap -qz follow,tcp,ascii,0

If the listing is not in stream 0, the stream that carried a given request can be located with -Y 'http.request' -T fields -e tcp.stream -e http.request.uri and followed by number. The server's response here is an Apache directory index; counting its entries (the "Parent Directory" link is navigation, not a listed file) gives:

  • 123.php

  • vlauto.exe

  • vlauto.php

✅ Answer: 3


Q6: What is the filename of the first file?

From the file listing above, the first file is 123.php

✅ Answer (Defanged): 123[.]php
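The counting in Q5 and the first-file lookup in Q6 can be automated once the server's response has been saved (for instance by redirecting the follow output to a file, or by exporting the index page with --export-objects). The Python below is an added example, not part of the original write-up: it parses an Apache mod_autoindex page, drops the column-sort and "Parent Directory" navigation links, and returns the listed entries in listing order. SAMPLE_INDEX is a constructed response shaped like an Apache 2.2 listing for the three names seen in the capture; its dates and sizes are invented.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional, Tuple


@dataclass
class IndexEntry:
    name: str      # link text as shown in the listing
    href: str      # relative href of the entry
    is_dir: bool   # mod_autoindex marks directories with a trailing "/"


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the page."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []          # type: List[Tuple[Optional[str], str]]
        self._href = None        # type: Optional[str]
        self._inside_a = False
        self._text = []          # type: List[str]

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._inside_a = True
            self._text = []

    def handle_data(self, data):
        if self._inside_a:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._inside_a:
            self.links.append((self._href, "".join(self._text).strip()))
            self._inside_a = False
            self._href = None


def strip_http_headers(raw: str) -> str:
    """Return the body if `raw` is a full HTTP response, otherwise `raw` unchanged."""
    if not raw.startswith("HTTP/"):
        return raw
    for sep in ("\r\n\r\n", "\n\n"):
        _head, found, body = raw.partition(sep)
        if found:
            return body
    return raw


def parse_autoindex(raw: str) -> List[IndexEntry]:
    """Extract the directory entries from an Apache mod_autoindex listing.

    Column-sort links (href starting with '?') and the 'Parent Directory'
    link are navigation, not listed content, so they are skipped.
    """
    collector = _LinkCollector()
    collector.feed(strip_http_headers(raw))
    entries = []
    for href, text in collector.links:
        if not href or href.startswith("?"):
            continue
        if text == "Parent Directory" or href.startswith("/"):
            continue
        entries.append(IndexEntry(name=text, href=href, is_dir=href.endswith("/")))
    return entries


def listed_files(raw: str) -> List[str]:
    """Names of the listed files (directories excluded), in listing order."""
    return [e.name for e in parse_autoindex(raw) if not e.is_dir]


# Constructed sample: the shape of an Apache 2.2 FancyIndexing response for the
# three names seen in the capture. Dates and sizes are made up for the demo.
SAMPLE_INDEX = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9\r\n"
    "Content-Type: text/html;charset=ISO-8859-1\r\n"
    "\r\n"
    "<html><head><title>Index of /</title></head><body>\n"
    "<h1>Index of /</h1>\n"
    '<pre><img src="/icons/blank.gif" alt="Icon "> <a href="?C=N;O=D">Name</a>'
    '   <a href="?C=M;O=A">Last modified</a>   <a href="?C=S;O=A">Size</a>'
    '   <a href="?C=D;O=A">Description</a><hr>'
    '<img src="/icons/back.gif" alt="[DIR]"> <a href="/">Parent Directory</a>   -\n'
    '<img src="/icons/unknown.gif" alt="[   ]"> <a href="123.php">123.php</a>   01-Jan-2010 00:00  1.2K\n'
    '<img src="/icons/binary.gif" alt="[   ]"> <a href="vlauto.exe">vlauto.exe</a>   01-Jan-2010 00:00   27K\n'
    '<img src="/icons/unknown.gif" alt="[   ]"> <a href="vlauto.php">vlauto.php</a>   01-Jan-2010 00:00  1.8K\n'
    "<hr></pre>\n</body></html>\n"
)


if __name__ == "__main__":
    files = listed_files(SAMPLE_INDEX)
    print(f"{len(files)} listed files; first: {files[0]}")
```

Feeding the real response body saved from the follow output into listed_files() gives the Q5 count and, as its first element, the Q6 answer; the header stripping means the pasted response can include the HTTP status line and headers.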


Q7: Export all HTTP objects. What is the name of the .exe file downloaded?

We want to extract all HTTP objects, especially any executables. The TShark export command:

tshark -r directory-curiosity.pcap --export-objects http,/home/ubuntu/Desktop/extracted -q

This saves all HTTP objects to disk, but we can also narrow down .exe requests directly:

tshark -r directory-curiosity.pcap -Y 'http.request.uri contains ".exe"' -T fields -e http.host -e http.request.uri

✅ Answer (Defanged): vlauto[.]exe


Q8: What is the SHA256 hash of the malicious .exe file?

Hash the exported executable so it can be looked up by reputation (for example on VirusTotal) without uploading the sample itself, and so any later copy can be matched against it. From the export directory:

cd /home/ubuntu/Desktop/extracted && sha256sum vlauto.exe

Output:

b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de

✅ Answer:
b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de
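Once the objects are on disk, the Q7/Q8 steps (find the executable, hash it) generalise to a small triage pass over the whole export directory. The Python below is an added example, not code from the original post: it recognises PE files by their MZ/PE headers rather than by filename extension, hashes every object with SHA256, and defangs names for reporting. SAMPLE_OBJECTS is constructed for the demo (its PE entry is a header-only stand-in, not the real vlauto.exe); triage_directory("/home/ubuntu/Desktop/extracted") would run the same check over the actual export.

```python
import hashlib
import os
import struct
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ExportedObject:
    name: str
    size: int
    sha256: str
    is_pe: bool


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_pe_file(data: bytes) -> bool:
    """True if data starts with an MZ DOS header whose e_lfanew points at 'PE\\0\\0'.

    Checking the header rather than the extension catches executables served
    under a misleading name (something.jpg that is really a PE).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def defang(name: str) -> str:
    """Write a filename or domain so it cannot be clicked or auto-linked in a report."""
    return name.replace(".", "[.]")


def triage_objects(objects: Dict[str, bytes]) -> List[ExportedObject]:
    """Hash every exported object and flag the ones that are PE files."""
    return [
        ExportedObject(name=name, size=len(data), sha256=sha256_hex(data), is_pe=is_pe_file(data))
        for name, data in sorted(objects.items())
    ]


def triage_directory(path: str) -> List[ExportedObject]:
    """Run triage_objects over the files that tshark --export-objects wrote to `path`."""
    objects: Dict[str, bytes] = {}
    for entry in os.scandir(path):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                objects[entry.name] = fh.read()
    return triage_objects(objects)


def report(results: List[ExportedObject]) -> List[str]:
    """One line per PE file, name defanged, ready to paste into a ticket."""
    return [f"{defang(o.name)} {o.size} bytes sha256={o.sha256}" for o in results if o.is_pe]


def _fake_pe() -> bytes:
    """Constructed stand-in for a PE: an MZ stub with e_lfanew=0x80 and a PE signature there.

    It is not a runnable binary, just enough header for is_pe_file() to accept it.
    """
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample objects mimicking what an HTTP export of this capture
# might contain; the real vlauto.exe from the pcap is not embedded here.
SAMPLE_OBJECTS: Dict[str, bytes] = {
    "vlauto.exe": _fake_pe(),
    "123.php": b"<?php echo 'hello'; ?>\n",
    "index.html": b"<html><title>Index of /</title></html>\n",
    "mz_but_not_pe.bin": b"MZ" + b"A" * 100,   # MZ prefix with a bogus e_lfanew
}


if __name__ == "__main__":
    for line in report(triage_objects(SAMPLE_OBJECTS)):
        print(line)
```

Run against the real export directory, the report line for vlauto.exe should carry the SHA256 shown above; a mismatch would mean the export was incomplete or the wrong object was hashed.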


Q9: What is the PEiD packer value of the file?

Searching for the hash on VirusTotal (the file itself does not need to be uploaded) brings up the existing analysis of this sample. Under the "Details" tab, the PEiD packer field reports how the file was packed, or what kind of executable it is:

✅ Answer:
.NET executable


Q10: What does Lastline Sandbox flag this file as?

Under the Behavior tab in VirusTotal’s dynamic analysis:

✅ Answer:
MALWARE TROJAN
