2021-09-10 - TRAFFIC ANALYSIS QUIZ ANSWERS

Link to quiz:
• https://www.malware-traffic-analysis.net/2021/09/10/index.html

Links to some tutorials I've written that should help with this exercise:

• Customizing Wireshark - Changing Your Column Display
• Using Wireshark: Identifying Hosts and Users
• Using Wireshark - Display Filter Expressions
• Using Wireshark: Exporting Objects from a Pcap

SCENARIO:
• LAN segment range: 10.9.10.0/24 (10.9.10.0 through 10.9.10.255)
• Domain: angrypoutine.com
• Domain Controller: 10.9.10.9 - ANGRYPOUTINE-DC
• LAN segment gateway: 10.9.10.1
• LAN segment broadcast address: 10.9.10.255

TASK:
• Write an incident report based on the pcap and alerts.
• The incident report should contain the following:
  • Executive Summary
  • Details (of the infected Windows host)
  • Indicators of Compromise (IOCs)

ANSWERS:
Executive Summary
On 2021-09-10 at approximately 23:17 UTC, a Windows host used by
Hobart Gunnarsson was infected with BazarLoader through the TA551
(Shathak) campaign.

Details
MAC address: 00:4f:49:b1:e8:c3
IP address: 10.9.10.102
Host name: DESKTOP-KKITB6Q
Windows user account: hobart.gunnarsson


Indicators of Compromise (IOCs)

Traffic to retrieve BazarLoader DLL:
• 194.62.42.206 port 80 - simpsonsavingss.com - GET /bmdff/BhoHsCtZ/MLdmpfjaX/5uFG3Dz7yt/date1?BNLv65=pAAS

Bazar C2 traffic:
• 167.172.37.9 port 443 - HTTPS traffic
• 94.158.245.52 port 443 - HTTPS traffic

NOTES:
The URL with /bmdff/ in the GET request returned a 64-bit DLL for
BazarLoader. This /bmdff/ pattern has been used for the previous several
weeks by the TA551 (Shathak) campaign.

• SHA256 hash: eed363fc4af7a9070d69340592dcab7c78db4f90710357de29e3b624aa957cf8
• File size: 284,816 bytes
• File description: BazarLoader DLL
• Tria.ge analysis: https://tria.ge/211004-vc7nsaggej

This DLL file is Windows-based malware, and it will infect a Windows computer if
given the chance. I strongly recommend you do these procedures in a non-Windows
environment.

Here's sandbox analysis of an email with a password-protected zip archive
containing a Word doc on any.run. That Word doc generated an HTTP GET
request to the same domain simpsonsavingss.com as seen in our exercise
pcap.
• https://app.any.run/tasks/66e29996-8ad2-4d3e-b6a2-c74306b5ef3b/

This email also fits patterns of TA551 (Shathak) activity.

No follow-up Cobalt Strike or DarkVNC as we sometimes see with TA551
BazarLoader.
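As an added example (not part of the quiz answers or of malware-traffic-analysis.net), the following Python script applies the IOCs above to Zeek-style HTTP and connection records to identify which LAN host fetched the loader and then talked to the Bazar C2 addresses. The tab-separated log layout and the sample records are constructed assumptions, not data from the exercise pcap.

```python
import ipaddress
import re
from collections import defaultdict

# IOCs taken from the quiz answers above.
LAN = ipaddress.ip_network("10.9.10.0/24")
BAZAR_C2 = {("167.172.37.9", 443), ("94.158.245.52", 443)}
LOADER_HOSTS = {"simpsonsavingss.com"}
# The TA551 loader URL pattern from the notes: a GET whose path starts with /bmdff/.
TA551_URI = re.compile(r"^/bmdff/")

# Constructed sample records (assumed Zeek-style layout, not from the exercise pcap).
# HTTP fields: ts, src ip, src port, dst ip, dst port, host, method, uri
SAMPLE_HTTP = """\
1631315820.101\t10.9.10.102\t49712\t194.62.42.206\t80\tsimpsonsavingss.com\tGET\t/bmdff/BhoHsCtZ/MLdmpfjaX/5uFG3Dz7yt/date1?BNLv65=pAAS
1631315821.512\t10.9.10.57\t50221\t93.184.216.34\t80\texample.com\tGET\t/index.html
"""
# Conn fields: ts, src ip, src port, dst ip, dst port, proto
SAMPLE_CONN = """\
1631315835.004\t10.9.10.102\t49720\t167.172.37.9\t443\ttcp
1631315899.310\t10.9.10.102\t49733\t94.158.245.52\t443\ttcp
1631315900.000\t10.9.10.57\t50230\t93.184.216.34\t443\ttcp
"""

def scan_http(log):
    """Return (src_ip, reason) for GET requests matching the TA551 loader pattern or domain."""
    hits = []
    for line in log.splitlines():
        _ts, src, _sp, dst, dp, host, method, uri = line.split("\t")
        if method == "GET" and (TA551_URI.match(uri) or host in LOADER_HOSTS):
            hits.append((src, f"loader GET {host}{uri} to {dst}:{dp}"))
    return hits

def scan_conn(log):
    """Return (src_ip, reason) for connections to the known Bazar C2 addresses."""
    hits = []
    for line in log.splitlines():
        _ts, src, _sp, dst, dp, _proto = line.split("\t")
        if (dst, int(dp)) in BAZAR_C2:
            hits.append((src, f"C2 connection to {dst}:{dp}"))
    return hits

def infected_hosts(http_log, conn_log):
    """Group findings by LAN source address; anything outside 10.9.10.0/24 is ignored."""
    by_host = defaultdict(list)
    for src, reason in scan_http(http_log) + scan_conn(conn_log):
        if ipaddress.ip_address(src) in LAN:
            by_host[src].append(reason)
    return dict(by_host)
```

On the constructed records only 10.9.10.102 is flagged, with one loader download and two C2 connections, which is the same picture the Details and IOC sections above describe for the real pcap.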
