Practise Analysing Traffic and Writing an Incident Report

I found a blog which provides PCAP and alert files of incidents occurring. I'll be using one of these files to write up an incident report.

Executive Summary:

On 2019-03-19 at 01:44 UTC, a Windows host used by Bobby Tiger was infected with Remcos RAT and Dridex.

Details of the infected Windows host:

• IP address: 10.0.90.215
• MAC address: 64:32:a8:57:2b:42 (IntelCor_57:2b:4)
• Host name: BOBBY-TIGER-PC
• Windows user account name: bobby.tiger

Indicators of Compromise:

• 209.141.34.8 port 80 - 209.141.34.8 - GET /test1.exe
• 103.1.184.108 port 2404 - toptoptop1.online - Remcos RAT traffic
• 217.23.14.81 port 80 - 217.23.14.81 - GET /f4.exe
• 31.22.4.176 port 3389 - HTTPS/SSL/TLS traffic caused by Dridex
• 203.45.1.75 port 443 - HTTPS/SSL/TLS traffic caused by Dridex
• 115.112.43.81 port 443 - HTTPS/SSL/TLS traffic caused by Dridex
• 46.105.131.77 port 443 - HTTPS/SSL/TLS traffic caused by Dridex
• 109.230.231.176 port 443 - attempted TCP connections, no response from the server
• 189.189.64.242 port 443 - attempted TCP connections, no response from the server
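As an added example (not part of the original post), the script below parses the IoC list above into destination IP/port pairs and checks them against a few constructed connection-log lines; the five-column log layout and the sample lines are assumptions for illustration, not data from the PCAP.

```python
"""Match the report's network IoCs against constructed connection-log lines."""
import re

# IoC lines copied from the report above ("<ip> port <port> - <description>")
IOC_TEXT = """
209.141.34.8 port 80 - 209.141.34.8 - GET /test1.exe
103.1.184.108 port 2404 - toptoptop1.online - Remcos RAT traffic
217.23.14.81 port 80 - 217.23.14.81 - GET /f4.exe
31.22.4.176 port 3389 - HTTPS/SSL/TLS traffic caused by Dridex
203.45.1.75 port 443 - HTTPS/SSL/TLS traffic caused by Dridex
115.112.43.81 port 443 - HTTPS/SSL/TLS traffic caused by Dridex
46.105.131.77 port 443 - HTTPS/SSL/TLS traffic caused by Dridex
109.230.231.176 port 443 - attempted TCP connections, no response from the server
189.189.64.242 port 443 - attempted TCP connections, no response from the server
"""

IOC_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) port (\d+) - (.*)$")


def parse_iocs(text):
    """Return {(ip, port): description} from the report's IoC lines."""
    iocs = {}
    for line in text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        if m:
            iocs[(m.group(1), int(m.group(2)))] = m.group(3)
    return iocs


# Constructed sample log in an assumed "ts src sport dst dport" layout (not from the PCAP).
# The last line reuses an IoC address on a different port, so it must NOT match.
SAMPLE_LOG = """\
2019-03-19T01:44:10Z 10.0.90.215 49201 209.141.34.8 80
2019-03-19T01:44:31Z 10.0.90.215 49205 103.1.184.108 2404
2019-03-19T01:45:02Z 10.0.90.215 49210 8.8.8.8 53
2019-03-19T01:45:40Z 10.0.90.215 49212 203.45.1.75 443
2019-03-19T01:46:03Z 10.0.90.215 49215 209.141.34.8 443
"""


def find_hits(log_text, iocs):
    """Return (ts, src, dst, dport, description) for every log line whose
    destination IP and destination port both match a known IoC."""
    hits = []
    for line in log_text.splitlines():
        ts, src, _sport, dst, dport = line.split()
        key = (dst, int(dport))
        if key in iocs:
            hits.append((ts, src, dst, int(dport), iocs[key]))
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG, parse_iocs(IOC_TEXT)):
        print("%s %s -> %s:%d  %s" % hit)
```

Matching on the IP/port pair rather than the IP alone keeps the "attempted connection" and Dridex entries distinct from unrelated traffic to a shared address.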

Files extracted from the infection traffic:

SHA256 hash: 2a9b0ed40f1f0bc0c13ff35d304689e9cadd633781cbcad1c2d2b92ced3f1c85
File size: 811,520 bytes
File location: http://209.141.34.8/test1.exe
File identification: PE32 executable (GUI) Intel 80386, for MS Windows
File description: First EXE file retrieved by the infected Windows host for Remcos RAT

SHA256 hash: 5865e801e6324166d6d05b39a14f2a8a798c6eb652831f78c2634f2b7a400eaf
File size: 176,128 bytes
File location: http://217.23.14.81/f4.exe
File identification: PE32 executable (console) Intel 80386, for MS Windows
File description: Second EXE file retrieved by the infected Windows host for Dridex
