7.3 TCPReplay Part 3
Video Transcription
00:03
Okay, so what do we know so far?
00:06
We know that.
00:08
A Windows host. We don't know the host name yet,
00:11
or who was using it. It was infected with Hawkeye Keylogger FTP. We have an IP address. We don't have MAC, host name, account name.
00:20
We do have some indicators of compromise, so three IP addresses and this
00:26
domain has
00:28
DNS server.
00:30
So let's see what else we can find.
00:32
I'm interested in finding out some of this information to get it out of the way.
00:37
So
00:39
we already have our source IP pinned up here.
00:42
We do not have this pinned. We just have it applied to this dashboard.
00:46
So it's non persistent between dashboards.
00:50
Let's come over to Connections.
00:56
All right, so
00:59
if we're looking for, ah,
01:03
we're looking for a MAC address,
01:07
I'm going to say that DHCP is probably the best place to find it.
01:15
So from here, we can either filter on DHCP or we can come over and go to the DHCP dashboard. Let's see what we can find down here.
01:23
So we have two logs from 2 27
01:30
Let's see what we can see in CapMe.
01:38
All right. Nothing too interesting in there.
01:42
Oh,
01:45
I could probably find it if we dig into Wireshark.
01:48
But I'm lazy, so let's just go directly to the DHCP log, or the DHCP dashboard.
02:00
All right, so DHCP domain name is beguile soft.
02:10
Let's expand our DHCP log.
02:15
Okay, so it looks like here we have our host name.
02:20
Let's see if this will let me
02:25
no
02:44
row when seven. Dash pc
02:47
with a MAC of... this.
02:50
See if I can type this without any errors.
02:57
69
03:00
09
03:07
Okay, we'll call that. Good.
03:09
All right. So
03:13
we're still missing our account name and our
03:17
person, who was using it.
03:20
Based on this, I think, Is it except the end?
03:23
Yeah.
03:25
Based on this, I'm guessing that this is somebody's name, but
03:30
let's see what we can find.
03:35
So let's come back to Connections.
03:46
So we know we have a domain controller and, looking through here, we can see that there is some Kerberos,
03:53
uh, traffic,
03:53
and Kerberos is frequently used for authenticating to a domain controller.
03:59
So let's take a look at Kerberos, if I can find it.
04:17
All right. So we have Kerberos traffic here. We scroll down a little bit.
04:24
Looks like this is the person who was using it. It
04:28
it's Adriana Bro. Okay.
04:39
All right.
04:41
So we
04:46
Did I spell her name correctly? Yes, looks like it.
04:55
Oh, right.
04:59
So we have IP, MAC, host name, account user name.
05:03
Still missing the timestamp.
05:11
Well, let's see if this is still open.
05:23
All right. I'm not seeing a timestamp in there, really quick.
05:26
Let's just stick in here,
05:46
all right. I'm not seeing any timestamps on here.
05:49
June 30th. Okay, this is the time that I ran the pcap,
05:55
so we'll see if we can find it somewhere else. But
06:00
so we know that this
06:01
device,
06:03
you know, the information on it. We know that it was infected with a key logger, But I'm curious what
06:10
we saw, or what this keylogger actually got. So we know that this is an FTP keylogger, so everything is sent over FTP.
06:20
So let's take a look in FTP and see what we can see.
06:30
All right, so there are five FTP arguments.
06:35
One that ends with a .txt.
06:41
Okay. A couple end with .txt. If I recall, I think these ones end with a .jpeg.
06:47
Here we have our FTP user name.
06:50
Everything's all port 21 to these couple of
06:55
hosts.
06:58
Let's see what we can see if we pivot to one of these.
07:01
Okay, so we have the same general information and
07:05
as we had before,
07:08
so it looks like they did take a couple of text files. That's
07:13
good to know, but we still don't know what's in those.
07:16
Since we were able to see the user name and password, that suggests that
07:21
the files that were taken were sent in clear text.
07:26
So let's come over here to Files.
07:43
All right. Doesn't look like we're seeing anything there.
07:46
Let's see where else we can find them.
07:54
All right, so we have our FTP data here. Let's filter on that
08:03
scroll all the way down to the bottom and pivot to CapMe,
08:07
see what we can see,
08:13
Right?
08:13
So based on what I'm seeing right here, this looks like one of the text files.
08:20
So for information we have clipboard records, so it looks like it was checking Adriana's clipboard for any information. Doesn't look like there's anything in there.
08:31
Keylog records.
08:33
Looks like she was doing some work in Microsoft Word at
08:37
10:01 p.m. on 5/2.
08:41
So it looks like the infection likely happened around this time.
08:45
Ah, and they wrote "it was a dark and stor", then the backspace key. They did some backspacing,
08:52
"my night". The pancake.
08:56
Okay,
08:58
it looks like it was able to capture some information in Microsoft Word.
09:03
Look at the second one.
09:13
All right, so just looking through here, this looks like a whole lot of gibberish,
09:20
but from looking at the FTP arguments, we know that's not the case. This is very likely one of the pictures. So we are downloading the pcap right here, and we are pivoting from CapMe to Wireshark.
09:37
Okay, so we have
09:39
our
09:43
our pcap from CapMe open in Wireshark,
09:46
and we want to take a look at the entire TCP stream. And since everything in here is from the same TCP stream, we can just
09:54
click on any one of the packets and go to Follow TCP Stream,
10:00
and this will reassemble it for us.
10:03
You see this number rising right here? That means that it's just reassembling everything for us. Once that finishes up,
10:09
we will get the option to show and save data as something.
10:18
What we'll want to save it as is raw.
10:20
Really?
10:22
So we go to show and save data as raw.
10:24
It'll change the format.
10:26
Then we go to Save As.
10:31
Give it a moment. Say, picture one dot
10:37
jpeg.
10:41
I'll just go over to Files,
10:46
to Downloads,
10:48
and let's see if we can open it up.
10:54
Okay, Cool. Looks like a picture of their desktop. And this is where they had Microsoft Word open and they were writing their novel.
11:05
Okay, so that's cool.
11:11
I can close out of this.
11:13
And just as a general note for any investigation, anything that you're doing, any time that you pull a pcap, any time that you pull a picture out of the pcap, document it all really well. Um,
11:26
it's just a good practice when you are doing an investigation.
11:35
Okay. So this looks like another one of the text files. Looks like it checked for clipboard records. There is, ah,
11:41
time.
11:43
Okay, so this is another time. It looks like this is probably closer to the time of infection, but
11:50
let's look a little bit more. Have Excel open, Book1, at
11:54
9:39.
11:56
And they put some information in,
11:58
and they saved it as accounts payable,
12:01
which
12:05
is potentially sensitive information for this organization.
12:07
Okay,
12:09
so let's take another look. See what we have.
12:22
All right, So this is another picture.
12:24
Let's just go over the process again one more time, really quick.
12:28
So we open our pcap in Wireshark.
12:35
Choose any, any
12:39
packet in here and do Follow TCP Stream.
12:43
And we wait for this number to reach the top.
12:58
All right. Looks like we're good to go.
13:01
Go to show and save data as raw.
13:05
Then Save As. See what this one is. So
13:11
picture two dot jpeg.
13:15
Downloads should still be open.
13:22
It's interesting.
13:24
Okay, so it looks like we only got half of or part of the picture.
13:30
Notice.
13:33
Notice when we pivoted over, this number was still going up.
13:37
So let's try saving that again as the same thing.
13:50
Okay, Cool.
13:50
So it looks like we got the full desktop that time, along with a time stamp of when it was captured.
13:58
All right, let's take a look at the last one.
14:03
Okay, so this should be another one of the text files. If you'll remember, there were two pictures that were taken and three text files.
14:11
All right, so looking through here, we have an operating system until recovery,
14:16
So PC name, local time.
14:20
Going to guess that this is more than likely the time of infection. That's at least the time that things were starting to get captured.
14:33
Help pica type.
14:35
Since I don't feel like converting that to UTC, we'll just say PM.
14:43
So we have installed language, some versioning information that it's Microsoft Windows 7.
14:50
So this could be interesting information if they were to install a backdoor and they wanted to move around the organization. We at least know that one of their hosts is running Windows 7. And where there's one, there's probably more.
15:05
All right, so it looks like it grabbed passwords from the web browser. So
15:11
looks like their Gmail password there. Gmail
15:16
user name is Adriana Bro at gmail dot com. Password is
15:20
superstrong.
15:22
All right, then. They also have an account on bbt dot com. User name, Adriana dot bro. Same password.
15:31
Then it looks like they use Microsoft Outlook. And they have Adriana Bro configured on there
15:39
using POP3, which is
15:41
excellent to use, I guess,
15:43
uh,
15:45
and they are using the same password there, too,
15:48
and it doesn't look like these last parts of the
15:52
Trojan were able to grab anything. So
15:58
looking back at this investigation,
16:02
so
16:03
we know this information here. Of course, we know at approximately 9:36 a Windows host used by Adriana Bro was infected with Hawkeye Keylogger FTP.
16:15
We know IP address, MAC address, host name, account name. We have some of our indicators of compromise, so
16:22
we know, across the organization, if anybody is reaching out to any of these, then
16:30
we should probably take a look at those hosts to see what's going on. And we also know that
16:36
this malware was able to take a couple of screenshots of the
16:41
desktop that Adriana was using. It also got the information that she put into Microsoft Word and Microsoft Excel. And we also know that
16:52
it got her Gmail password and the user name and password to a site called bbt dot com.
17:00
So on all of those sites, she should probably change her password
17:06
and any other websites, or any other application, that she uses that same password on, she should probably change it there too. I'm just under the assumption that if she uses it across two sites, then she'll use it across more. So
17:22
all in all, we were able to learn quite a few things about this malware infection by using Security Onion and looking through the pcap,
17:33
so I hope that you were able to get some value out of this
17:38
demonstration.