The answers to this month’s Unit 42 Wireshark quiz are available in a separate blog post located here. This month’s Wireshark quiz can help participants accomplish that goal. Palo Alto Networks encourages members of the security community to develop their skills, so we can all better protect our digital way of life. What type of account login data was stolen by the malware?.What is the public IP address of the victim’s host?.What type of CPU is used by the victim’s host?.How much RAM does the victim’s host have?.What is the victim’s Windows user account name?.What is the victim’s Windows host name?.When did the malicious traffic start in UTC?.Review the pcap and answer the following questions for this month’s Unit 42 Wireshark quiz: Despite the fake data, this traffic provides a better understanding of data stolen by Agent Tesla variants like OriginLogger. We populated the host with fake login data before we ran the malware. Of note, this traffic does not contain legitimate credentials. The SMTP traffic includes various login credentials from the infected host. This traffic contains additional information, so we can determine all four of the above identifiers. In addition to Windows system traffic, the pcap also contains unencrypted SMTP traffic generated by the malware. This month, our infected host is a stand-alone Windows client. When sharing threat intelligence, UTC ensures recipients understand the exact time regardless of time zone.Ĭan you identify the infected host? For a Windows computer, the basic identifiers are the following: When did this activity first occur? Format your answer as Universal Coordinated Time (UTC). Extract the pcap file from the password-protected ZIP archive. Download the ZIP archive containing the pcap from our Github repository. Use infected as the password to unlock the ZIP archive. Download the ZIP archive and extract the pcap as shown below in Figures 2 and 3. To obtain the pcap for this month’s quiz, visit our Github repository. The decoded malware presents a risk of infection when using a Windows computer. If decoded, this binary becomes a malicious DLL file, as previously noted in the indicators for this infection posted on Github. The pcap for this quiz contains HTTP traffic of an obfuscated binary. We recommend using the latest 3.x version of Wireshark, since it has more features, capabilities and bug fixes over previous Wireshark versions.įurthermore, we recommend using a non-Windows environment like BSD, Linux or macOS to analyze malicious traffic. To help, Unit 42 has published a series of tutorials and videos that include customizing Wireshark. Therefore, we encourage people to customize Wireshark after installing it. However, its default settings are not optimized for web-based malware traffic. Our analysis requires Wireshark, a well-known tool used to review pcaps. Post-infection activity contains unencrypted SMTP traffic with data stolen from the infected computer. Flow chart for the Agent Tesla variant infection.įor this month’s exercise, we generated a pcap of network traffic from this malware sample. You can also find further information on the associated malware binary. The original tweet contains our initial analysis. Related Unit 42 TopicsĪgentTesla, OriginLogger, pcap, Wireshark, Wireshark TutorialĮarlier this month, Palo Alto Networks Unit 42 tweeted about Agent Tesla-style activity from a possible OriginLogger infection that was found Thursday, Jan. The material provides experience reviewing real-world traffic from a live environment. To get the most benefit, readers should understand basic network traffic concepts and be somewhat familiar with Wireshark. These quizzes are designed for security professionals who investigate suspicious network activity, but anyone can participate. A separate Unit 42 blog post will present the answers with detailed explanations. This blog presents a packet capture (pcap) of malicious activity and asks questions based on information derived from the network traffic. Welcome to the January 2023 Unit 42 Wireshark quiz.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |