Network Analysis - Ransomware (Wireshark)

BLUE TEAM LABS

Brandon Nerios

This lab, "Network Analysis - Ransomware", is provided by Blue Team Labs Online. In it I use Wireshark and VirusTotal, and I work through the lab's questions below as the outline of the investigation.

Scenario: “ABC Industries worked day and night for a month to prepare a tender document for a prestigious project that would secure the company’s financial future. The company was hit by ransomware, believed to be conducted by a competitor, and the final version of the tender document was encrypted. Right now they are in need of an expert who can decrypt this critical document. All we have is the network traffic, the ransom note, and the encrypted tender document. Do your thing Defender!”

  • What is the operating system of the host from which the network traffic was captured?

For the first question, open Statistics > Capture File Properties in Wireshark. The Capture section of that dialog lists the hardware, operating system and application that wrote the capture. Wireshark reads these values from the pcapng section header, so they are only present when the capture was saved as pcapng; a classic pcap file carries no such metadata.
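Where that dialog gets the operating system from, as an added example (my code, not part of the lab or the original post): a small parser for the pcapng Section Header Block, whose shb_hardware, shb_os and shb_userappl options are exactly what Capture File Properties displays. The sample block is constructed here with made-up values and is not taken from the lab's capture; the check for the classic pcap magic shows why an older-format file yields nothing.

```python
import struct

SHB_TYPE = 0x0A0D0D0A          # pcapng Section Header Block type
BYTE_ORDER_MAGIC = 0x1A2B3C4D  # tells the reader which endianness the writer used
OPT_ENDOFOPT, SHB_HARDWARE, SHB_OS, SHB_USERAPPL = 0, 2, 3, 4
OPTION_NAMES = {SHB_HARDWARE: "hardware", SHB_OS: "os", SHB_USERAPPL: "userappl"}


def build_shb(options):
    """Construct a little-endian SHB carrying the given (code, value) options.
    Only used here to fabricate sample input; a real file is written by dumpcap."""
    body = b""
    for code, value in options:
        pad = (-len(value)) % 4  # option values are padded to 32-bit boundaries
        body += struct.pack("<HH", code, len(value)) + value + b"\x00" * pad
    body += struct.pack("<HH", OPT_ENDOFOPT, 0)
    fixed = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)  # v1.0, section length unknown
    total = 4 + 4 + len(fixed) + len(body) + 4
    return struct.pack("<II", SHB_TYPE, total) + fixed + body + struct.pack("<I", total)


def capture_host_info(data):
    """Return {'hardware', 'os', 'userappl'} from the first SHB, or None if not pcapng."""
    if len(data) < 28 or struct.unpack("<I", data[:4])[0] != SHB_TYPE:
        return None  # classic pcap (magic d4 c3 b2 a1 / a1 b2 c3 d4) has no OS/app fields
    magic = data[8:12]
    endian = "<" if magic == struct.pack("<I", BYTE_ORDER_MAGIC) else ">"
    if struct.unpack(endian + "I", magic)[0] != BYTE_ORDER_MAGIC:
        raise ValueError("bad pcapng byte-order magic")
    total_len = struct.unpack(endian + "I", data[4:8])[0]
    info, pos, end = {}, 24, total_len - 4  # 24 = type+len+magic+major+minor+section_len
    while pos + 4 <= end:
        code, length = struct.unpack(endian + "HH", data[pos:pos + 4])
        pos += 4
        if code == OPT_ENDOFOPT:
            break
        value = data[pos:pos + length]
        pos += length + ((-length) % 4)
        if code in OPTION_NAMES:
            info[OPTION_NAMES[code]] = value.decode("utf-8", "replace")
    return info


# Constructed sample header (values made up for illustration, not the lab's capture).
SAMPLE_PCAPNG = build_shb([
    (SHB_HARDWARE, b"Intel(R) Core(TM) i7"),
    (SHB_OS, b"64-bit Windows 10 (1903), build 18362"),
    (SHB_USERAPPL, b"Dumpcap (Wireshark) 3.0.3"),
])

if __name__ == "__main__":
    print(capture_host_info(SAMPLE_PCAPNG))
    print(capture_host_info(b"\xd4\xc3\xb2\xa1" + b"\x00" * 24))  # classic pcap: None
```

The same metadata can be read without the GUI using capinfos on the file, which is handy when triaging many captures at once.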

  • What is the full URL from which the ransomware executable was downloaded?

To narrow the packets down, apply the display filter http (or http.request to see only the client's requests). That brings us to the following packet, in which the full URL is visible: Wireshark assembles it from the Host header and the request URI and exposes it as the http.request.full_uri field, so it can also be pulled out with a column or a tshark -T fields query.

  • Name the ransomware executable file?

The file name is the last path segment of the URL from the previous answer, shown below. To confirm the binary was actually delivered (and not merely requested), open File > Export Objects > HTTP, which lists every object Wireshark reassembled from HTTP responses along with its hostname, content type and size.

  • What is the MD5 hash of the ransomware?

From the Export Objects dialog, save the executable to the Desktop and hash it from a terminal with md5sum safecrypt.exe (sha256sum works just as well for a VirusTotal lookup). Treat the sample with care: it is live ransomware, so keep it inside the lab VM and never execute it.
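The three steps above (recovering the full URL, identifying the exported object and hashing it) in code, as an added example that is my own and not part of the lab or the original post. The request and response below are a constructed TCP stream with a made-up host (files.example.net) and a made-up payload; the functions show what Wireshark's http.request.full_uri and File > Export Objects > HTTP actually give you, and why the hash must be taken over the response body alone rather than over the capture file.

```python
import hashlib


def parse_http_message(raw):
    """Split one HTTP message into (start line, lower-cased header dict, bytes after the blank line)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP headers (missing TCP segments?)")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def request_full_uri(request, dst_port=80):
    """Rebuild what Wireshark shows as http.request.full_uri plus the name Export Objects lists."""
    start, headers, _ = parse_http_message(request)
    method, uri, _version = start.split(b" ", 2)
    host = headers.get(b"host")
    if not host:
        raise ValueError("no Host header; Wireshark would show only the bare URI")
    scheme = "https" if dst_port == 443 else "http"  # plain HTTP is what the lab's capture shows
    filename = uri.split(b"?", 1)[0].rsplit(b"/", 1)[-1].decode()  # last path segment
    return {"method": method.decode(), "full_uri": f"{scheme}://{host.decode()}{uri.decode()}",
            "filename": filename}


def export_object(response):
    """Return the entity body, i.e. the bytes Export Objects writes to disk for this response."""
    _start, headers, body = parse_http_message(response)
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        raise NotImplementedError("chunked transfer encoding is not handled in this example")
    length = int(headers.get(b"content-length", len(body)))
    if len(body) < length:
        raise ValueError(f"truncated body: have {len(body)} of {length} bytes")
    return body[:length]


def hashes(data):
    """Digests VirusTotal accepts for lookup; MD5 is what the lab asks for."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


# Constructed sample stream (not the lab's traffic): a client fetching an executable.
SAMPLE_REQUEST = (b"GET /downloads/sample.exe HTTP/1.1\r\n"
                  b"Host: files.example.net\r\n"
                  b"User-Agent: Mozilla/5.0\r\n"
                  b"Connection: keep-alive\r\n\r\n")
SAMPLE_BODY = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"   # fake PE-looking bytes, 68 in total
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: application/x-msdownload\r\n"
                   b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)) + SAMPLE_BODY

if __name__ == "__main__":
    info = request_full_uri(SAMPLE_REQUEST)
    body = export_object(SAMPLE_RESPONSE)
    print(info["full_uri"], info["filename"], hashes(body)["md5"])
```

If the body is shorter than Content-Length the download was truncated or the capture is missing segments, and the hash you compute will not match anything on VirusTotal; the function raises rather than hashing a partial file for that reason.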

  • What is the name of the ransomware?

Searching VirusTotal for that MD5 hash brings up the sample's report, and the detection names there identify the ransomware family, shown below. VirusTotal accepts MD5, SHA-1 or SHA-256, and all three resolve to the same report if the file has been seen before.

  • What is the encryption algorithm used by the ransomware, according to the ransom note?

The ransom note states the algorithm the attackers claim to have used, shown below. The question deliberately asks what the note says: ransom notes are written to intimidate and are not a reliable description of what the binary actually does, which is why the decryptor search later on is based on the family name rather than on this claim.

  • What is the domain beginning with ‘d’ that is related to ransomware traffic?

Filtering on dns (the queried name is in the dns.qry.name field), there are two queried domains beginning with 'd'. To decide which one belongs to the ransomware, cross-reference them against the Relations tab of the VirusTotal report for the hash, which lists the domains the sample contacted when it was detonated in a sandbox; the one that appears there is the answer.
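How the candidate list is produced, as an added example that is my own and not part of the lab or the original post: a minimal DNS question-section parser, including name compression, run over a handful of constructed query messages (the domain names below are invented, not the lab's). It returns the deduplicated set of queried names starting with the requested letter, which is the list you would then check against the VirusTotal contacted-domains relation.

```python
import struct


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (used only to build sample input)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234, qtype=1):
    """Construct a standard recursive A query for `name` (constructed sample, not lab data)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; qdcount 1
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def decode_name(msg, offset):
    """Decode a possibly compressed name at `offset`; return (name, offset just past it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                end = offset + 2               # the caller resumes after the 2-byte pointer
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def question_names(msg):
    """Return [(qname, qtype, is_response)] for each entry in the question section."""
    _txid, flags, qdcount = struct.unpack(">HHH", msg[:6])
    names, offset = [], 12                     # question section starts after the 12-byte header
    for _ in range(qdcount):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack(">HH", msg[offset:offset + 4])
        offset += 4
        names.append((name, qtype, bool(flags & 0x8000)))
    return names


def domains_starting_with(messages, prefix):
    """Unique queried names starting with `prefix`; responses repeat the question, so dedupe."""
    seen = {name.lower() for m in messages for name, _, _ in question_names(m)}
    return sorted(n for n in seen if n.startswith(prefix.lower()))


# Constructed sample traffic: UDP payloads of five DNS queries (domains invented for this example).
SAMPLE_MESSAGES = [build_query(n) for n in (
    "www.example.com", "download.example-cdn.test", "ocsp.example.org",
    "dns.example-update.test", "Download.example-cdn.test")]

if __name__ == "__main__":
    print(domains_starting_with(SAMPLE_MESSAGES, "d"))
```

Two of the names match here, just as two do in the lab; the parser alone cannot tell which is malicious, which is exactly why the next step is the VirusTotal cross-reference rather than guessing from the name.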

  • Decrypt the Tender document and submit the flag

Searching the web for the ransomware family identified above, I found a decryptor published by Trend Micro. Running it against the encrypted tender document recovers the file, and the flag is shown below.