Compromised

HTB Write-up

By Jacob Acuna

Overview

Sherlock Scenario: Our SOC team detected suspicious activity in Network Traffic, the machine has been compromised and company information that should not have been there has now been stolen – it’s up to you to figure out what has happened and what data has been taken.

Objective: This challenge gave us a PCAP file and made us use OSINT to gather intelligence on the malware affecting our system.

Tasks

Q1. What is the IP address used for initial access?

For this question, I opened Wireshark and saw a lot of DNS traffic. The first thing I did, though, was check whether we could export any HTTP objects, and we could. Looking at the list, we see an IP address that isn't internal or part of a common scheme and has a weird filename. Investigating further, we see that VirusTotal recognizes this IP as malicious.

VirusTotal is a great tool to check whether hostnames, domains, or hashes are known to be malicious. And indeed, this is the IP address used for initial access.

162.252.172.54

Q2. What is the SHA256 hash of the malware?

For this question, we should export this object and navigate to it in our terminal. We should do this in a virtual machine, as the file can potentially infect our machine. Once the object has been exported, we can run the following command to compute the hash of the file: ‘sha256sum 6ctf5JL’

9b8ffdc8ba2b2caa485cca56a82b2dcbd251f65fb30bc88f0ac3da6704e4d3c6

Q3. What is the Family label of the malware?

For this question, we can navigate to VirusTotal and see that it has labels for the malware.

Pikabot

Q4. When was the malware first seen in the wild (UTC)?

For this question, we can navigate to the Details tab on VirusTotal, and when we scroll down we can see the first-seen-in-the-wild timestamp.

2023-05-19 14:01:21

Q5. The malware used HTTPS traffic with a self-signed certificate. What are the ports, from smallest to largest?

We can use the following Wireshark display filter to find the TLS Certificate handshake messages sent to the victim host: ‘ssl.handshake.type==11 and ip.dst==172.16.1.191’. We then have to navigate through the matching packets, where we can find the ports used.

Q6. What is the id-at-localityName of the self-signed certificate associated with the first malicious IP?

We find the packet that was sent right after the certificate request, and if we navigate to the bottom of its certificate details we can find the id-at-localityName.

Pyopneumopericardium

Q7. What is the notBefore time (UTC) for this self-signed certificate?

For this question, we can use the same packet and go to notBefore under validity.

2023-05-14 08:36:52

Q8. What was the domain used for tunneling?

For this question, we can filter for DNS and search for any suspicious domain names, and we see steasteel.net.

steasteel.net

Conclusion

I had a lot of fun doing this challenge. It reminded me of when I worked as a SOC intern and had to perform OSINT on the different suspicious files we found on devices. Although tools like VirusTotal are not a definitive answer as to whether or not a file is malicious, they are a good start. In my malware analysis class, we are currently learning about fuzzy hashing, which is an interesting topic when considering threat intelligence and adversaries trying to evade detection by changing a single letter and completely changing the entire hash.

Fuzzy hashing sections a file up and hashes each section, then compares them to other known hash segments and grades a score on similarity. A higher similarity score means there are more file segments that match the known malicious one, and it is likely to be the same file with little changes.
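The fuzzy-hashing idea described above, as an added example that is not part of the original write-up: a simplified context-triggered piecewise hash (a teaching version, not ssdeep's actual algorithm or signature format) run over a constructed sample file, showing that flipping one byte changes the SHA256 completely while the piecewise similarity score stays high. The WINDOW and MODULUS parameters, the chunk-hash length and the sample data are my own choices.

```python
# Simplified context-triggered piecewise hashing (CTPH), in the spirit of ssdeep.
# Teaching implementation only: not ssdeep's algorithm or signature format.
import hashlib

WINDOW = 7    # bytes of trailing context that decide where a chunk ends
MODULUS = 64  # on average one chunk boundary every MODULUS bytes


def chunk_boundaries(data: bytes) -> list:
    """Cut data wherever the hash of the trailing WINDOW bytes is 0 mod MODULUS.
    A boundary depends only on nearby content, so a one-byte edit disturbs the
    chunks around it instead of shifting every chunk as fixed-size blocks would."""
    chunks, start = [], 0
    for i in range(WINDOW, len(data) + 1):
        ctx = hashlib.blake2b(data[i - WINDOW:i], digest_size=4).digest()
        if int.from_bytes(ctx, "big") % MODULUS == 0:
            chunks.append(data[start:i])
            start = i
    if start < len(data):
        chunks.append(data[start:])  # trailing partial chunk
    return chunks


def fuzzy_hash(data: bytes) -> list:
    """Piecewise signature: one short hash per content-defined chunk."""
    return [hashlib.sha256(c).hexdigest()[:8] for c in chunk_boundaries(data)]


def similarity(sig_a: list, sig_b: list) -> int:
    """Score 0..100: share of chunk hashes the two signatures have in common."""
    a, b = set(sig_a), set(sig_b)
    return 100 if not (a | b) else round(100 * len(a & b) / len(a | b))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "binary": 2048 bytes of deterministic pseudo-random content.
ORIGINAL = b"".join(hashlib.sha256(str(i).encode()).digest() for i in range(64))
# The same file with a single byte flipped, which is enough to defeat exact-hash matching.
MODIFIED = ORIGINAL[:1000] + bytes([ORIGINAL[1000] ^ 0xFF]) + ORIGINAL[1001:]
# An unrelated constructed file, to show the score does not match arbitrary data.
UNRELATED = b"".join(hashlib.sha256(f"other-{i}".encode()).digest() for i in range(64))

if __name__ == "__main__":
    print("SHA256 still matches after 1-byte edit:", sha256_hex(ORIGINAL) == sha256_hex(MODIFIED))
    print("fuzzy similarity, original vs modified :", similarity(fuzzy_hash(ORIGINAL), fuzzy_hash(MODIFIED)))
    print("fuzzy similarity, original vs unrelated:", similarity(fuzzy_hash(ORIGINAL), fuzzy_hash(UNRELATED)))
```

Real tools such as ssdeep use a rolling hash for the trigger and a compact signature string, but the matching logic follows the same principle shown here.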