Warzone2
PCAP analysis using Wireshark and Brim

Another day, another alert.
You work as a Tier 1 (L1) Security Analyst for a Managed Security Service Provider (MSSP). Again, you're tasked with monitoring network alerts.
An alert triggered: Misc activity, A Network Trojan Was Detected, and Potential Corporate Privacy Violation.
The case was assigned to you. Inspect the PCAP and retrieve the artifacts to confirm this alert is a true positive.
Your tools:
HTTP Traffic Analysis:
Use the http display filter to view only HTTP traffic.
From this view, we can first identify a file download request, followed by long GET requests with changing parameters.
Malicious File Downloaded
GET request to http://awh93dhkylps5ulnq-be.com/czwih/fxla.php?l=gap1.cab to the IP 185.118.164.8

Select the GET request and use Follow → HTTP Stream. We can confirm the transferred file is an EXE because the payload carries the executable's file signatures: the MZ header and the DOS stub text "This program cannot be run in DOS mode".

File Hash Lookup
To analyze the malware file or perform a file-hash lookup in threat-intelligence platforms:
Export the file using File → Export Objects → HTTP.
Under Content-Type, choose application/octet-stream.
Select the file and click Save.

Open a terminal and check the file type. Even if the file extension looks different (for example .cab), using the file command shows it is a PE32 executable for Microsoft Windows.
Next, calculate the MD5 hash of the file.
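The same two checks that `file` and `md5sum` perform in the terminal, as an added Python example (not part of the original walkthrough): it validates the MZ → e_lfanew → "PE\0\0" chain instead of trusting the .cab extension, reports whether the DOS stub text seen in the HTTP stream is present, and prints the MD5/SHA1/SHA256 values you would paste into a threat-intelligence lookup. The sample header built by `build_sample_pe()` is constructed for the demo and is not a real binary; pass a path on the command line to run it on an exported object.

```python
import hashlib
import struct
import sys

# IMAGE_FILE_HEADER.Machine values (from the PE/COFF specification)
MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
# Optional header magic: PE32 (32-bit) vs PE32+ (64-bit)
FORMATS = {0x10B: "PE32", 0x20B: "PE32+"}


def identify_pe(data: bytes) -> dict:
    """Walk the MZ -> e_lfanew -> PE signature chain instead of trusting the extension."""
    result = {"is_mz": False, "dos_stub": False, "is_pe": False,
              "machine": None, "format": None,
              "is_cab": data[:4] == b"MSCF"}        # what a genuine .cab would start with
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    result["is_mz"] = True
    # The familiar DOS stub text seen when following the HTTP stream
    result["dos_stub"] = b"cannot be run in DOS mode" in data[:0x200]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature, the 20-byte COFF header and the 2-byte optional-header magic
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    result["is_pe"] = True
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    result["machine"] = MACHINES.get(machine, hex(machine))
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    result["format"] = FORMATS.get(magic, "unknown")
    return result


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 in one pass over the bytes."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    for h in (md5, sha1, sha256):
        h.update(data)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header (only the fields this script parses are filled in)."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    stub = b"This program cannot be run in DOS mode."
    buf[0x40:0x40 + len(stub)] = stub
    struct.pack_into("<I", buf, 0x3C, 0x80)          # e_lfanew -> PE header at 0x80
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84, 0x14C)         # Machine: i386
    struct.pack_into("<H", buf, 0x98, 0x10B)         # OptionalHeader.Magic: PE32
    return bytes(buf)


def report(data: bytes) -> dict:
    """Combined file-type verdict and hashes for one exported object."""
    info = identify_pe(data)
    info.update(file_hashes(data))
    return info


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in report(blob).items():
        print(f"{key:>9}: {value}")
```

A file that claims to be a cabinet archive but reports `is_pe: True` and `is_cab: False` is exactly the mismatch the ET POLICY "PE EXE or DLL Windows file download" signature is built to catch.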

If you only need the hash, you can also use Brim. Go to File Activity under the Queries tab and copy the MD5 or SHA1 hash from there.

Look up the hash on VirusTotal. The original file name appears as draw.dll, and it is flagged as malicious.

Post-Download Activity:
Immediately after the file is downloaded, we observe continuous GET requests to multiple domains with long and changing parameters.
Following the HTTP streams shows that these requests represent communication between the infected host and the C2 server.
These GET requests are used for beaconing, where the infected system periodically checks in with the attacker and waits for instructions.

The same HTTP requests can also be observed in Brim under HTTP Requests.

Analyzing GET Responses
Follow the streams to inspect the responses.
Some requests return 200 OK, indicating that the C2 server is actively responding to the infected host.

A 404 response in this context does not indicate an error. It usually means the infected host checked in with the C2 server and no new command was issued.

Let’s analyze the responses to the GET requests and identify:
Which IP addresses are responding
Whether the responses are 404 or 200 OK
Which servers are involved
We observe responses coming from malicious servers using ECAcc and nginx/1.10.3, replying to long-URI GET requests.
To make this easier, filter only HTTP traffic, then add useful fields as columns.
Select a field → right-click → Apply as Column (or press Ctrl + Shift + I).

Next, double-click the Length column to sort packets by size.
We can see that, besides the initial file download, there are two other 200 OK responses with large payloads, which indicates that actual data or payloads are being transferred, not just simple commands.
Notable packet numbers include:
574
979
3127
Follow these HTTP streams to inspect what data is being transferred.
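The beaconing pattern described above (regular cadence, long URIs that never repeat, a 404-heavy status mix with occasional 200 OK) can be scored per host once the request time, Host, URI and status columns are exported. The following added Python example is not from the original walkthrough; it profiles constructed sample records shaped like those columns (placeholder `.invalid` hostnames, made-up timestamps) and flags hosts whose traffic looks like check-ins. The thresholds in `is_beacon_like` are assumptions for the demo, not tuned values.

```python
import statistics
from collections import defaultdict

# Constructed sample records: (epoch seconds, Host header, request URI, HTTP status code).
BEACON_JITTER = [0, 1, -1, 0, 1, 0]
BEACON_STATUS = [404, 404, 200, 404, 404, 200]
SAMPLE_REQUESTS = [
    # the one-off download that started the incident
    (1000.0, "download.example.invalid", "/czwih/fxla.php?l=gap1.cab", 200),
] + [
    # suspected beacon: ~60 s cadence, long URIs that never repeat, mostly 404 replies
    (1060.0 + 60 * i + BEACON_JITTER[i], "beacon.example.invalid",
     f"/{'a' * 40}/{'b' * 30}.php?{'c' * 80}{i}", BEACON_STATUS[i])
    for i in range(6)
] + [
    # ordinary browsing: short paths, irregular gaps between requests
    (ts, "news.example.invalid", path, 200)
    for ts, path in [(1005.0, "/"), (1009.0, "/style.css"), (1300.0, "/article/12"),
                     (1302.0, "/img/a.png"), (2500.0, "/article/13")]
]


def profile_hosts(records):
    """Per-host statistics: request count, URI length, URI churn, timing regularity, status mix."""
    by_host = defaultdict(list)
    for ts, host, uri, status in records:
        by_host[host].append((ts, uri, status))
    profiles = {}
    for host, reqs in by_host.items():
        reqs.sort()
        times = [r[0] for r in reqs]
        uris = [r[1] for r in reqs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Coefficient of variation of the inter-request gap: near 0 means a fixed timer
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            interval_cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        else:
            interval_cv = None
        statuses = sorted({r[2] for r in reqs})
        profiles[host] = {
            "count": len(reqs),
            "avg_uri_len": statistics.mean([len(u) for u in uris]),
            "unique_uri_ratio": len(set(uris)) / len(uris),
            "interval_cv": interval_cv,
            "status_mix": {s: sum(1 for r in reqs if r[2] == s) for s in statuses},
        }
    return profiles


def is_beacon_like(p, min_count=5, min_uri_len=100, max_cv=0.3):
    """Assumed demo thresholds: enough requests, long ever-changing URIs, regular timing."""
    return (p["count"] >= min_count
            and p["avg_uri_len"] >= min_uri_len
            and p["unique_uri_ratio"] >= 0.8
            and p["interval_cv"] is not None and p["interval_cv"] <= max_cv)


def flag_beacons(records, **thresholds):
    """Sorted list of hosts whose profile matches the beacon heuristic."""
    return sorted(h for h, p in profile_hosts(records).items() if is_beacon_like(p, **thresholds))


if __name__ == "__main__":
    for host, p in profile_hosts(SAMPLE_REQUESTS).items():
        cv = "n/a" if p["interval_cv"] is None else f"{p['interval_cv']:.2f}"
        print(f"{host:28} n={p['count']} uri_len={p['avg_uri_len']:.0f} "
              f"cv={cv} status={p['status_mix']}")
    print("beacon-like:", flag_beacons(SAMPLE_REQUESTS))
```

Note that the status mix alone is not the signal: the 404s only become interesting together with the fixed cadence and the never-repeating URIs, which is why the three properties are combined rather than alerting on any one of them.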


Malicious Domains in HTTP Traffic
On Brim, sort the HTTP hosts (domains) and review their reputation.

Besides common Microsoft-related domains, the following domains are flagged as malicious on VirusTotal:
a-zcorner.com
awh93dhkylp5ulnq-be.com
ec.atdmt.com
knockoutlights.com

Mapping Domains to IP Addresses Using DNS
DNS response analysis allows us to map domains ↔ IP addresses, which helps confirm whether suspicious or flagged IPs are associated with malicious activity in the PCAP.
First, identify domains in DNS traffic.
In Wireshark: dns.flags.response == 1
Then add columns:
Right-click Name (under Queries) → Apply as Column
Right-click Address (under Answers) → Apply as Column
or select the field and press Ctrl+Alt+I to add those two as columns.
The Name shows the queried domain.
The Address shows the resolved IP.

On Brim, under Queries, choose "Unique DNS queries". Here, however, we only see the domains, not the resolved addresses.

Use _path=="dns" | cut query, answers | sort | uniq | sort -r instead. This displays DNS queries together with their resolved IP addresses, similar to adding the two columns in Wireshark.

Answer the questions below
- What was the alert signature for A Network Trojan was Detected?
Ans: ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2

In Brim, use the filter event_type=="alert" to display the full alert details, including source IP, destination IP, signature name, and action.

- What was the alert signature for Potential Corporate Privacy Violation?
Ans: ET POLICY PE EXE or DLL Windows file download HTTP
- What was the IP to trigger either alert? Enter your answer in a defanged format.
Ans: 185[.]118[.]164[.]8
This IP address is responsible for hosting and delivering the malicious EXE file that was downloaded.
- Provide the full URI for the malicious downloaded file. In your answer, defang the URI.
Ans: awh93dhkylps5ulnq-be[.]com/czwih/fxla[.]php?l=gap1[.]cab
- What is the name of the payload within the cab file?
Ans: draw.dll
The file name was identified by calculating the file hash using Wireshark or Brim and validating it through a VirusTotal lookup.
- What is the user-agent associated with this network traffic?
Ans: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E)
The compromised internal host 10.6.3.102 is using this User-Agent while making requests and communicating with the C2 servers.
- What other domains do you see in the network traffic that are labelled as malicious by VirusTotal? Enter the domains defanged and in alphabetical order. (format: domain[.]zzz,domain[.]zzz)
Check the Misc Activity alert in Brim, or review the IP addresses observed during suspicious GET requests.
To identify the associated domains, refer to the Malicious Domains in HTTP Traffic section.

- There are IP addresses flagged as Not Suspicious Traffic. What are the IP addresses? Enter your answer in numerical order and defanged. (format: IPADDR,IPADDR)
Ans: 64[.]225[.]65[.]166,142[.]93[.]211[.]176
In Brim, apply the filter Not Suspicious Traffic to view the alert details.
We observe only two source IP addresses communicating with the infected host that are marked as not suspicious, meaning this traffic is allowed even though it is part of the overall activity.

- For the first IP address flagged as Not Suspicious Traffic. According to VirusTotal, there are several domains associated with this one IP address that was flagged as malicious. What were the domains you spotted in the network traffic associated with this IP address? Enter your answer in a defanged format. Enter your answer in alphabetical order, in a defanged format. (format: domain[.]zzz,domain[.]zzz,etc)
Refer to the section “Mapping Domains to IP Addresses Using DNS.”
After looking up the first IP address on VirusTotal, we identified three domains flagged as malicious. The same domains are visible in our DNS traffic, confirming that they are associated with this IP inside the PCAP.

- Now for the second IP marked as Not Suspicious Traffic. What was the domain you spotted in the network traffic associated with this IP address? Enter your answer in a defanged format. (format: domain[.]zzz)
The second IP address is 142.93.211.176.
To find its associated domain, analyze the DNS traffic the same way as before, or use these Wireshark display filters:
dns                                   # all DNS traffic
dns.flags.response == 0               # DNS queries only
dns.flags.response == 1               # DNS responses only (each response carries the query and its answers in the packet list)
dns.qry.name contains "example.com"   # queries for a specific domain, and which hosts requested it
dns.a == 192.36.27.92                 # responses whose resolved A record is 192.36.27.92
This will display the domain name that resolves to 142[.]93[.]211[.]176, which is the required answer.

Ans: 2partscow[.]top
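Both the domain ↔ IP mapping from the "Mapping Domains to IP Addresses Using DNS" section and the reverse question asked here (which domains resolved to a given IP) come down to reading the answer section of DNS responses and inverting it. The following added Python example is not from the original walkthrough: it decodes DNS response messages in wire format (including name compression pointers), collects A records per owner name, and builds an IP → domains index. `build_a_response` constructs sample responses for the demo using placeholder `.example.test` names and RFC 5737 documentation addresses; on a real capture you would feed it the UDP payloads of packets matching `dns.flags.response == 1`.

```python
import ipaddress
import struct
from collections import defaultdict


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus the root terminator."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\0"


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset just past it for the caller)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                          # caller resumes after the 2-byte pointer
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_dns_response(msg: bytes):
    """Return (queried names, {owner name: [A record IPs / CNAME targets]}) for one response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is a query, not a response")
    off, queries, answers = 12, [], defaultdict(list)
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        off += 4                                       # skip QTYPE and QCLASS
        queries.append(name)
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:                  # A record
            answers[name].append(str(ipaddress.IPv4Address(rdata)))
        elif rtype == 5:                               # CNAME: target may itself be compressed
            answers[name].append("CNAME " + read_name(msg, off)[0])
        off += rdlen
    return queries, dict(answers)


def build_ip_index(responses):
    """Invert domain -> IP into IP -> sorted domains, the view needed for 'which domain used this IP'."""
    index = defaultdict(set)
    for msg in responses:
        _queries, answers = parse_dns_response(msg)
        for name, values in answers.items():
            for value in values:
                if not value.startswith("CNAME "):
                    index[value].add(name)
    return {ip: sorted(names) for ip, names in index.items()}


def build_a_response(qname: str, ips, txid: int = 0x1234) -> bytes:
    """Constructed response: standard header, one question, A records pointing back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)   # QR=1, RD=1, RA=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)   # owner = pointer to offset 12
                   + ipaddress.IPv4Address(ip).packed for ip in ips)
    return header + question + rrs


# Constructed sample responses (placeholder names, RFC 5737 documentation addresses).
SAMPLE_RESPONSES = [
    build_a_response("first.example.test", ["198.51.100.7"]),
    build_a_response("second.example.test", ["198.51.100.7"]),
    build_a_response("third.example.test", ["198.51.100.7", "203.0.113.9"]),
    build_a_response("unrelated.example.test", ["203.0.113.44"]),
]

if __name__ == "__main__":
    for ip, names in sorted(build_ip_index(SAMPLE_RESPONSES).items()):
        print(ip, "->", ", ".join(names))
```

The index is keyed on the resolved address, so the same structure answers both questions in this lab: look up one IP to list every domain that resolved to it, or scan the values to see which IPs a flagged domain pointed at.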
Thank you for reading, and I hope you enjoyed this walkthrough.
Feel free to connect and share your thoughts on this lab in the comments.