Malware Traffic Analysis Dot Net Series WOKEMOUNTAIN (Video Only)
This writeup series documents my learning experience with Wireshark and IR report writing for the malicious traffic from Malware-Traffic-Dot-Net; hope you will enjoy it :)
Note, this series will be video only :)
Malware Traffic Analysis Dot Net Series WOKEMOUNTAIN Video Walkthrough
Update: finding the Windows user account (not covered in the video)
Apply the display filter kerberos.CNameString in Wireshark and inspect the CNameString value in the Kerberos requests sent by the victim host; it shows the Windows user account orlando.mccoy. CNameString values ending in $ are computer accounts (the workstation's own name), not users, so skip those.
Reference: Find Windows User Account in Wireshark
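The same lookup done from the command line with tshark, as an added example that is not part of the original writeup. The first step exports the source IP and CNameString of every Kerberos request; the second step splits the result into user accounts and computer accounts, using the fact that Active Directory computer accounts end in $. The pcap filename is a placeholder, and the sample tshark output below is constructed (the computer-account line is an assumed example; the user line matches the value found in the capture).

```bash
#!/bin/sh
# Added example (not the writeup's own commands).
#
# Step 1: export "<src ip>\t<CNameString>" lines from the capture.
# Requires tshark and the pcap, so it is shown here but not executed:
#
#   tshark -r wokemountain.pcap -Y "kerberos.CNameString" \
#          -T fields -e ip.src -e kerberos.CNameString
#
# Step 2: post-process that output. Computer accounts end in "$"
# (e.g. DESKTOP-NB72TZA$); everything else is a user account.
# Both functions read the tab-separated lines on stdin and print a
# deduplicated "<src ip>\t<account>" list.

user_accounts() {
  awk -F'\t' 'NF >= 2 && $2 !~ /\$$/ { print $1 "\t" $2 }' | sort -u
}

machine_accounts() {
  awk -F'\t' 'NF >= 2 && $2 ~ /\$$/ { print $1 "\t" $2 }' | sort -u
}

# Constructed sample of what step 1 prints for the victim host.
# The DESKTOP-NB72TZA$ lines are an assumed example of the computer account.
sample_tshark_output() {
  printf '10.1.21.101\tDESKTOP-NB72TZA$\n'
  printf '10.1.21.101\torlando.mccoy\n'
  printf '10.1.21.101\torlando.mccoy\n'
  printf '10.1.21.101\tDESKTOP-NB72TZA$\n'
}

# Usage: pipe the real tshark output (or the sample) into the filters.
echo "User accounts:"
sample_tshark_output | user_accounts
echo "Computer accounts:"
sample_tshark_output | machine_accounts
```

Use `-e ip.src` rather than `ip.dst` because the account name sits in the client's AS-REQ/TGS-REQ; pairing it with the source IP ties the user to the workstation, which is what the report needs.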
Scenario
LAN segment data:
LAN segment range: 10.1.21.0/24 (10.1.21.0 through 10.1.21.255)
Domain: wokemountain.com
Domain controller: 10.1.21.2 - WokeMountain-DC
LAN segment gateway: 10.1.21.1
LAN segment broadcast address: 10.1.21.255
My IR Report
Executive Summary:
At 2021-01-20 23:40:38 UTC, the user orlando.mccoy on workstation DESKTOP-NB72TZA was infected with malware.
Victim:
IP: 10.1.21.101
Hostname: DESKTOP-NB72TZA.wokemountain.com
MAC: AcerLan_d3:47:8b (00:60:67:d3:47:8b) - Acer workstation
User Account: orlando.mccoy
IOC:
209.141.51.196 - mx14.songlige.com
- Zeus / Perkesh malware
- Dotted quad
- Zbot
- VBScript
72.21.81.200 - cs9.wpc.v0cdn.net
208.67.222.222 - resolver1.opendns.com (DNS)
162.0.224.165 - server1.oniriapictures.com
193.239.84.250 - booloolo3.com
- Zeus Panda Banker
84.252.95.102 - booloolo4.com
- Zeus Panda Banker
greatewallfirewall.xyz
1.bin
LK9tdZ
grab32.rar - SHA-256: c740046d69e8211be323df6851f2ebc396c83b419d4d8b4074817313ae2e90d2