RingZer0-195 - Capture 1 part 1
Malware Analysis
Capture 1 part 1 PCAP
We’re looking for the IP and port of the exploited server.
We can start looking at the conversations in the pcap.
Statistics -> Conversations
There’s a lot going on: 24.37.41.158 is talking to a lot of IPs. There are only 3 connections from another IP to 24.37.41.158. That’s something to keep in mind.
Next, a quick look at the Protocol Hierarchy. We can see that a lot of data has been transferred, plus some random protocols like Sinec H1 and Sippy RTP proxy.
Nothing pops out. The top 3 protocols used are Data, SSL and HTTP.
HTTP
After a quick look at some of the traffic, the HTTP traffic stands out as suspicious, starting at packet 5137: there’s a GET request for a file called upload.php. If we look at all the conversations between the two IPs on the same port, packet 168781 is a POST request to the uploads/ directory.
Using the Wireshark display filter
tcp.dstport == 18888 && http
we can clearly see the upload happening at packet 70339.
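To show what that display filter is doing under the hood, here is an added example (not part of the original writeup) that parses a pcap with only the standard library, rebuilds the per-conversation packet counts from Statistics -> Conversations, and lists HTTP request lines sent to a given destination port. The pcap is constructed in memory with RFC 5737 documentation addresses (192.0.2.x, 203.0.113.x) and the page's port 18888 and paths; only the checksum-free framing needed for the parser is generated.

```python
import struct

# pcap global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype 1 = Ethernet
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame (constructed; checksums left zero, parser ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    out = bytearray(PCAP_GLOBAL)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def iter_packets(pcap: bytes):
    """Yield (frame_number, frame_bytes); frame numbers are 1-based like Wireshark's."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off, n = 24, 0
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        n += 1
        yield n, pcap[off:off + incl]
        off += incl


def parse_tcp(frame: bytes):
    """Return (src, dst, sport, dport, tcp_payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[doff:]


def conversations(pcap: bytes) -> dict:
    """Packet counts keyed by (src, dst, dst_port): a rough Statistics -> Conversations."""
    counts = {}
    for _, frame in iter_packets(pcap):
        p = parse_tcp(frame)
        if p is not None:
            key = (p[0], p[1], p[3])
            counts[key] = counts.get(key, 0) + 1
    return counts


def http_requests(pcap: bytes, dport: int) -> list:
    """Equivalent of 'tcp.dstport == <dport> && http', restricted to request lines."""
    hits = []
    for frame_no, frame in iter_packets(pcap):
        p = parse_tcp(frame)
        if p is None or p[3] != dport or not p[4].startswith(HTTP_METHODS):
            continue
        request_line = p[4].split(b"\r\n", 1)[0].decode("ascii", "replace")
        method, uri = request_line.split(" ")[:2]
        hits.append((frame_no, p[0], p[1], p[2], method, uri))
    return hits


# Constructed sample capture: one GET for upload.php, the reply, a TLS hello,
# a POST into uploads/, and an unrelated request on port 80.
SAMPLE_PCAP = build_pcap([
    build_frame("192.0.2.10", "203.0.113.5", 40001, 18888, b"GET /upload.php HTTP/1.1\r\nHost: x\r\n\r\n"),
    build_frame("203.0.113.5", "192.0.2.10", 18888, 40001, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_frame("192.0.2.10", "203.0.113.5", 40002, 443, b"\x16\x03\x01\x00\x05"),
    build_frame("192.0.2.10", "203.0.113.5", 40003, 18888, b"POST /uploads/ HTTP/1.1\r\nContent-Length: 4\r\n\r\nAAAA"),
    build_frame("192.0.2.11", "203.0.113.5", 40004, 80, b"GET / HTTP/1.1\r\n\r\n"),
])

if __name__ == "__main__":
    for key, count in sorted(conversations(SAMPLE_PCAP).items()):
        print(f"{key[0]} -> {key[1]}:{key[2]}  packets={count}")
    for hit in http_requests(SAMPLE_PCAP, 18888):
        print("frame %d  %s:%d -> %s  %s %s" % (hit[0], hit[1], hit[3], hit[2], hit[4], hit[5]))
```

Run it on a real file by replacing SAMPLE_PCAP with the bytes of a classic pcap (not pcapng); the frame numbers it reports line up with Wireshark's packet list, which is what makes the "upload at packet N" observation reproducible from the command line.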
The exploited server is 24.37.41.154:18888