DanaBot Lab | CyberDefenders Writeup


Scenario:
The SOC team has detected suspicious activity in the network traffic, revealing that a machine has been compromised. Sensitive company information has been stolen. Your task is to use Network Capture (PCAP) files and Threat Intelligence to investigate the incident and determine how the breach occurred.
Here’s the challenge link: https://cyberdefenders.org/blueteam-ctf-challenges/danabot/
1. Which IP address was used by the attacker during the initial access?
Type http.request.method==GET in the display filter bar to list the HTTP GET requests in the capture; these show the traffic to the attacker's page and reveal the IP used.
Answer: 62.173.142.148
2. What is the name of the malicious file used for initial access?
Right-click packet 6 and choose Follow → HTTP Stream.
Here we can see the file the attacker used to gain initial access.
Answer: allegato_708.js
3. What is the SHA-256 hash of the malicious file used for initial access?
Click File → Export Objects → HTTP.
Here we can see the Login.php page as an exportable object. Click Save.
Then run sha256sum login.php to get the SHA-256 hash of the saved file.
Answer: 847b4ad90b1daba2d9117a8e05776f3f902dda593fb1252289538acf476c4268
4. Which process was used to execute the malicious file?
Now, this was where I was struggling the hardest to get the answer. Wireshark does not seem to have any indication of what process the attacker used.
I eventually ended up throwing the file into VirusTotal to check what it gives me.
I had to go through each and every line on every tab to figure out what happened.
Go to the Behavior tab and scroll down to the Process Tree.
Here we can see that the file uses a bunch of processes to execute, so I ended up googling each process to see what shows up.
Reading up on these gives a good indication that the file was executed with wscript.exe.
Answer: WScript.exe
5. What is the file extension of the second malicious file utilized by the attacker?
Again, go to File → Export Objects → HTTP; the second malicious file appears in the list with its extension.
Answer: .dll
6. What is the MD5 hash of the second malicious file?
Pretty much the same steps as we used for the SHA-256 hash; this time run md5sum on the exported file instead.
Answer: e758e07113016aca55d9eda2b0ffeebe
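The Wireshark steps above (filtering GET requests, exporting HTTP objects, and hashing the exported files with sha256sum/md5sum) done from the command line with tshark, as an added example that is not part of the original writeup. It assumes tshark is installed, that the capture is named capture.pcap and the export directory http_objects (both assumed names), and the check_hash helper is a name chosen here for comparing a file against a published hash.

```shell
#!/bin/sh
# Added example: tshark equivalents of the Wireshark GUI steps in the writeup.
# Assumed names: capture.pcap (input), http_objects (export directory).

# Question 1: list HTTP GET requests (frame, src, dst, host, URI).
list_http_gets() {
    pcap="$1"
    tshark -r "$pcap" -Y 'http.request.method == "GET"' \
        -T fields -e frame.number -e ip.src -e ip.dst -e http.host -e http.request.uri
}

# Questions 3/5/6: File -> Export Objects -> HTTP, written to a directory.
export_http_objects() {
    pcap="$1"; outdir="$2"
    mkdir -p "$outdir"
    tshark -r "$pcap" -q --export-objects "http,$outdir" >/dev/null
}

# Hash every exported object; prints "sha256  md5  filename" per file.
hash_exported_objects() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        sha=$(sha256sum "$f" | cut -d' ' -f1)
        md5=$(md5sum "$f" | cut -d' ' -f1)
        printf '%s  %s  %s\n' "$sha" "$md5" "$(basename "$f")"
    done
}

# Compare a file's SHA-256 with a published value (e.g. the writeup's answer);
# returns 0 on match, 1 otherwise. Hypothetical helper name.
check_hash() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Typical run (only when a capture is present):
if [ -f capture.pcap ]; then
    list_http_gets capture.pcap
    export_http_objects capture.pcap http_objects
    hash_exported_objects http_objects
fi
```

The hash lines can be checked against the answers above or submitted to a threat-intelligence service, exactly as the writeup does by hand.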