2. Virustotal
3. CyberChef (If Needed)
If you don't know what these tools are, you can check them out below!
1. What is Brim?
Brim is an open source desktop application for security and network specialists. Brim makes it easy to search and analyze data from packet captures, like those created by Wireshark, and structured logs, especially from the Zeek network analysis framework.
2. What is Virustotal?
It is a website used to analyse suspicious files, domains, IPs and URLs to detect malware and other breaches, and automatically share them with the security community.
3. What is Cyberchef?
CyberChef is a simple, intuitive web app for carrying out all manner of “cyber” operations within a web browser.
Open the Brim application inside the Tools directory.
Choose the Zone2.pcap file available on the Desktop.
Click on "Suricata Alerts by Source and Destination" under the Query section.
We have found that the IP 185.118.164.8 is affected by a Trojan, so let's look for any logs of that IP.
Type the IP in the search bar.
Ans: ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
Double-click the traffic which has the word Policy in its signature to check the activity log.
Ans: ET POLICY PE EXE or DLL Windows file download HTTP
The IP we found in the 1st question triggers the alert, but we have to enter the IP in defanged form. You can use the CyberChef tool to defang it!
Ans: 185[.]118[.]164[.]8
Open the HTTP traffic.
Double-click the traffic. The full URL is the combination of the Host and the URI.
Use CyberChef to defang it.
Ans: awh93dhkylps5ulnq-be[.]com/czwih/fxla[.]php?l=gap1[.]cab
Double-click the traffic tagged Notice and look carefully: there's a VirusTotal link with a hash. Let's search manually with the hash.
https://www.virustotal.com/en/search/?query=f3e9e7f321deb1a3408053168a6a67c6cd70e114
We found the hash: f3e9e7f321deb1a3408053168a6a67c6cd70e114
Search the hash on VirusTotal manually.
Ans: draw.dll
Open the HTTP traffic to find the User-Agent.
Ans: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E)
On the Relations tab, you can see the malware detections of URLs.
a-zcorner.com
knockoutlights.com
These two URLs are highly malicious, as they have the highest detections.
-> We have to defang the URLs in alphabetical order.
Ans: a-zcorner[.]com,knockoutlights[.]com
Click "Suricata Alerts by Source and Destination" under the Query section, which we already used in the first question.
There are two IPs marked Not Suspicious.
Write the IPs in defanged alphabetical order: 64..,142…
Ans: 64[.]225[.]65[.]166,142[.]93[.]211[.]176
Search the 1st non-suspicious IP 64.225.65.166 on VirusTotal.
The first 3 domains by detections are the malicious URLs.
Ans: safebanktest[.]top,tocsicambar[.]xyz,ulcertification[.]xyz
Now use the search query in Brim to find the domain related to the 2nd non-malicious IP:
142.93.211.176 | cut query
Ans: 2partscow[.]top
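Several of the answers above are the same indicator in defanged form, and the CyberChef step can be reproduced offline. The following Python is an added example, not part of the original write-up or of Brim/CyberChef: it follows the conventions of CyberChef's "Defang URL" recipe as I understand them (every `.` becomes `[.]`, a leading `http` becomes `hxxp`, `://` becomes `[://]`), reverses them for pasting back into a Brim or VirusTotal search, and builds the comma-joined answer strings from the indicators found in this room.

```python
import re

# Indicators quoted from the write-up above (the room's own values).
TROJAN_IP = "185.118.164.8"
FULL_URL = "awh93dhkylps5ulnq-be.com/czwih/fxla.php?l=gap1.cab"
VT_DOMAINS = ["knockoutlights.com", "a-zcorner.com"]       # unsorted on purpose
NOT_SUSPICIOUS_IPS = ["64.225.65.166", "142.93.211.176"]    # order the room asks for

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def defang(indicator: str) -> str:
    """Defang an IP, domain or URL so it cannot be clicked or auto-linked in a report.
    Assumed CyberChef-style rules: '://' -> '[://]', leading 'http' -> 'hxxp', '.' -> '[.]'.
    The '://' replacement runs first so the later dot rule does not touch it."""
    out = indicator.strip().replace("://", "[://]")
    if out.lower().startswith("http"):
        out = "hxxp" + out[4:]
    return out.replace(".", "[.]")


def refang(indicator: str) -> str:
    """Inverse of defang(): recover the raw value to paste into Brim's search bar
    or a VirusTotal query."""
    out = indicator.strip().replace("[.]", ".").replace("[://]", "://")
    if out.lower().startswith("hxxp"):
        out = "http" + out[4:]
    return out


def is_ipv4(value: str) -> bool:
    """True for a dotted-quad IPv4 address with every octet in 0..255."""
    return bool(IPV4_RE.match(value)) and all(0 <= int(o) <= 255 for o in value.split("."))


def answer(indicators, alphabetical: bool = False) -> str:
    """Build a THM-style answer: each indicator defanged, optionally sorted
    alphabetically, joined with commas and no spaces. The round-trip check guards
    against a defang rule that would silently corrupt an indicator."""
    items = sorted(indicators) if alphabetical else list(indicators)
    for item in items:
        if refang(defang(item)) != item:
            raise ValueError(f"defang/refang round-trip failed for {item!r}")
    return ",".join(defang(item) for item in items)


if __name__ == "__main__":
    print(answer([TROJAN_IP]))                      # 185[.]118[.]164[.]8
    print(answer([FULL_URL]))                       # awh93dhkylps5ulnq-be[.]com/czwih/fxla[.]php?l=gap1[.]cab
    print(answer(VT_DOMAINS, alphabetical=True))    # a-zcorner[.]com,knockoutlights[.]com
    print(answer(NOT_SUSPICIOUS_IPS))               # 64[.]225[.]65[.]166,142[.]93[.]211[.]176
```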
Thank you for Reading!!
Happy Hacking ~