The "Weird Python" Capture the Flag Series - Part 2
In this blog series, we attempt to complete a Capture The Flag (CTF) challenge posted by The Honeynet Project using Gigasheet. While the challenge is quite dated (2015), the analysis techniques we showcase in this blog are still relevant today.
The challenge is called "Weird Python" and is available for public download via The Honeynet Project's website. It presents a series of twelve questions one must answer by analyzing a packet capture file.
Part 1 of this blog provides the analysis methodology to find the answers to the following questions (questions 1 and 2 of the challenge):
BYOD seems to be a very interesting topic. What did your boss do during the conference?
What method did the attacker use to infect your boss? Which systems (i.e. IP addresses) are involved?
In this blog, we continue analyzing the same data set as in Part 1, but this time providing the answers to the following questions (questions 3 and 4 of the challenge):
Based on the PCAP, which files were exfiltrated? List the filenames.
Can you sketch an overview of the general actions performed by the malware?
Below is the challenge excerpt, copied from honeynet.org.
"Your Boss John went to a BYOD conference lately. Yeah, he's that kind of security guy… After some mumble about targeted attacks happening during the event, your team finally got their hands on a PCAP with his traffic. Your colleague Pete Galloway investigated the incident. Yesterday, he casually mentioned that he found some weird Python bytecode, but couldn't make much sense out of "random" payloads yet. Today, Pete didn't come to work. Five minutes ago, he sent a company-wide mail with a total of four words: "F*** you, I quit. ". What has happened!?"
Upload the PCAP file named "conference.pcap", downloaded from The Honeynet Project's website, to Gigasheet, and let's get started.
Question 3: Based on the PCAP, which files were exfiltrated? List the filenames.
To begin this analysis, let us pick up where we left off in Part 1.
In Part 1, we concluded that three IP addresses were involved in the security incident:
22.214.171.124 is the IP address of the N game's official site at www.thewayoftheninja.org
126.96.36.199 is the IP address of the legitimate N game download site at www.harveycartel.org
188.8.131.52 is the malicious IP address of the attacker at ninja-game.org
Let's start by applying a filter on the DST.IP column to find all connections destined to the attacker's IP address and reveal the files exfiltrated during the attack.
The filtering above returns all the traffic originating from the Boss's computer to the attacker's IP address.
We have already established in Part 1 of this blog series that packet #5675 with "HTTP GET /nv2/Nv2-PC.zip HTTP/1.1" in the INFO column downloaded the Nv2-PC.zip file that contained the executable, Nv2-PC.exe.
We can look for HTTP POST requests in the INFO column to identify data sent from the Boss's computer to the attacker's IP. HTTP POST requests are commonly used for file uploads and form submissions, which makes them a natural channel for exfiltrating data. POST is only a first filter, though: data can just as easily ride in the query string or path of a GET request, so the full URL of every request to the attacker's host is worth inspecting.
We can apply a second filter to the INFO column, looking for any connections containing HTTP POST requests.
The result reveals seven (7) HTTP POST requests whose URLs appear to be Base64-encoded. We can use the column "wrap" function to expand the INFO column and see the complete URL of each POST request.
When the URLs are Base64-decoded, the contents of the HTTP POST requests turn out to be the exfiltrated data, and the decoded data reveals the names of the stolen files.
We can now answer Question 3: Based on the PCAP, which files were exfiltrated? List the filenames.
The names of the exfiltrated files are “sensitive documents.doc”, “EmiratesETicket1.pdf”, and “EmiratesETicket2.pdf”.
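The decoding step above is easy to do by hand for seven requests, but it is worth automating when a beacon sends hundreds of chunks. The script below is an added example written for this post; it is not Gigasheet's code and not the challenge author's. It works on rows shaped like the DST.IP and INFO columns of the packet list, filters POSTs to the attacker's address, Base64-decodes the URL path, and collects the filenames. The rows are constructed: 203.0.113.10 (an RFC 5737 documentation address) stands in for the attacker's host, and the "<filename>\x00<file bytes>" payload layout is an assumption made for the example, not the layout used by the real malware. Two caveats a practitioner runs into are handled: URL-safe Base64 alphabets and stripped "=" padding.

```python
import base64
import binascii
import re

# Constructed rows imitating the DST.IP and INFO columns of a Gigasheet packet list.
# They are NOT taken from conference.pcap: 203.0.113.10 (an RFC 5737 documentation
# address) stands in for the attacker's host, and the POST payload layout
# "<filename>\x00<file bytes>" is an assumption made for this example.
ATTACKER_IP = "203.0.113.10"


def _b64(text: str) -> str:
    """Standard Base64 of a UTF-8 string (used only to build the sample rows)."""
    return base64.b64encode(text.encode()).decode()


SAMPLE_ROWS = [
    {"no": 5675, "dst": ATTACKER_IP, "info": "GET /nv2/Nv2-PC.zip HTTP/1.1"},
    {"no": 5710, "dst": "192.0.2.20", "info": "POST /login HTTP/1.1"},  # unrelated host
    {"no": 6001, "dst": ATTACKER_IP,
     "info": "POST /" + _b64("sensitive documents.doc\x00chunk-1") + " HTTP/1.1"},
    {"no": 6050, "dst": ATTACKER_IP,
     "info": "POST /" + _b64("EmiratesETicket1.pdf\x00%PDF-1.4...") + " HTTP/1.1"},
    # Same file, second chunk: a beacon may split one file over several requests.
    {"no": 6070, "dst": ATTACKER_IP,
     "info": "POST /" + _b64("EmiratesETicket1.pdf\x00chunk-2") + " HTTP/1.1"},
    # Padding stripped, as some malware does to keep URLs looking "clean".
    {"no": 6090, "dst": ATTACKER_IP,
     "info": "POST /" + _b64("EmiratesETicket2.pdf\x00%PDF-1.4...").rstrip("=") + " HTTP/1.1"},
]

_REQUEST_LINE = re.compile(r"^(GET|POST|PUT|HEAD) (\S+) HTTP/\d\.\d$")


def parse_request(info: str):
    """Split an HTTP request line into (method, target); None if it is not one."""
    m = _REQUEST_LINE.match(info.strip())
    return (m.group(1), m.group(2)) if m else None


def lenient_b64decode(blob: str):
    """Decode Base64 that may use the URL-safe alphabet and may lack '=' padding.

    Returns None when the text is not valid Base64, so callers can skip
    ordinary URLs without raising.
    """
    candidate = blob.translate(str.maketrans("-_", "+/"))
    candidate += "=" * (-len(candidate) % 4)
    try:
        return base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None


def exfiltrated_files(rows, attacker_ip):
    """Return ordered, de-duplicated filenames recovered from POSTs to attacker_ip."""
    names = []
    for row in rows:
        if row["dst"] != attacker_ip:
            continue
        req = parse_request(row["info"])
        if req is None or req[0] != "POST":
            continue
        target = req[1]
        blob = target[1:] if target.startswith("/") else target
        decoded = lenient_b64decode(blob)
        if decoded is None:
            continue  # a plain URL, not an encoded payload
        # Assumed layout: filename, NUL, then file bytes. Short URLs that happen to
        # be valid Base64 decode to junk, so insist on a printable, non-empty name.
        name = decoded.split(b"\x00", 1)[0].decode("utf-8", "replace")
        if not name or not name.isprintable():
            continue
        if name not in names:
            names.append(name)
    return names


if __name__ == "__main__":
    for name in exfiltrated_files(SAMPLE_ROWS, ATTACKER_IP):
        print(name)
```

On the real capture, rows in this shape can be exported from the filtered Gigasheet view, or produced directly with `tshark -r conference.pcap -Y 'http.request.method == "POST"' -T fields -e ip.dst -e http.request.uri` and fed to `exfiltrated_files` after prepending "POST " and appending " HTTP/1.1" to each URI.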
Question 4: Can you sketch an overview of the general actions performed by the malware?
To answer this question, we can use a Threat Intelligence Platform or a sandbox environment to execute the malware and identify the actions it performs. Gigasheet integrates with several enrichment sources, such as Gigasheet OSINT Feeds, GEO IP, GreyNoise, Recorded Future, and VirusTotal, which can help characterize the malware, but for this investigation we submitted the malicious file to the Hybrid Analysis sandbox to show an alternate analysis method.
The Hybrid Analysis report gives the file a 100/100 threat score, a strong indication that it is malicious. To sketch the overview of the general actions performed by the malware, we inspect the MITRE ATT&CK techniques detected in the report and corroborate them with what we have learned from the packet capture so far. For example, the report lists exfiltration as a likely technique used in this attack, which matches our findings in Question 3 above, where we saw the files leaving the Boss's computer in Base64-encoded HTTP POST requests. A sandbox verdict alone is circumstantial; pairing it with the network evidence is what makes the conclusion solid.
With this, we can sketch the overview of actions performed by the malware as shown below:
Continue on in Part 3, where we continue answering questions by analyzing packets in Gigasheet.