Malware Analysis

Capture 1 part 3

We need to retrieve the filename of the dropped PHP meterpreter.

If we look at the traffic with the following filter

tcp.port == 18888 && http

we can now find the backdoor code in packet 70339.

From there we can look at the function that drops a meterpreter.

The meterpreter function takes four arguments, "t", "i", "p" and "pa", so we can narrow the traffic down to the POST requests and look for one that supplies all four:

tcp.port == 18888 && http.request.method == "POST"

The POST request in packet 283529 carries all four parameters, so we can assume that this is the request that dropped the meterpreter.

If we go back and look at the packets that follow the POST at 283529 we find a series of GET requests, starting at packet 304321. The first three requests for a PHP file get a 404 reply; the fourth one succeeds, which tells us which of the guessed names actually exists on the server.

The filename is SbOHtDQlsd.php.
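The same two-step triage (find the POST that supplies every parameter of the dropper function, then walk forward to the first GET for a .php file that the server answers with 200) can be scripted instead of done by hand in Wireshark. The script below is an added example, not part of the original write-up; it runs over a small constructed list of HTTP messages in capture order, and the frame numbers, hostnames and the guessed names guess1.php, guess2.php and guess3.php are invented for illustration. Only the parameter names t, i, p, pa and the final filename come from the capture.

```python
"""Locate a dropped PHP payload from HTTP requests and responses on a backdoor port.

Added illustration: the message list is constructed, not taken from the capture.
"""
from urllib.parse import parse_qs, urlparse

# Parameter names of the backdoor's meterpreter function (from the decoded backdoor code).
REQUIRED_PARAMS = {"t", "i", "p", "pa"}


def parse_request(raw: str):
    """Return (method, path, set-of-parameter-names) for a raw HTTP request.

    Parameters are collected from both the query string and, for POST, the
    urlencoded body, so a dropper that mixes the two is still caught.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _ = request_line.split(" ", 2)
    parsed = urlparse(target)
    params = set(parse_qs(parsed.query, keep_blank_values=True))
    if method == "POST":
        params |= set(parse_qs(body, keep_blank_values=True))
    return method, parsed.path, params


def parse_status(raw: str) -> int:
    """Return the numeric status code from a raw HTTP response."""
    status_line = raw.split("\r\n", 1)[0]
    return int(status_line.split(" ", 2)[1])


def find_dropper_posts(messages, required=REQUIRED_PARAMS):
    """Frame numbers of POST requests that supply every required parameter."""
    hits = []
    for m in messages:
        if m["kind"] != "request":
            continue
        method, _, params = parse_request(m["raw"])
        if method == "POST" and required <= params:
            hits.append(m["frame"])
    return hits


def find_dropped_php(messages, after_frame):
    """First GET for a .php file after `after_frame` that is answered with 200.

    Requests and responses on one stream alternate, so each response is paired
    with the most recent GET; 404s (bad guesses) are skipped.
    Returns (frame_of_get, filename) or None.
    """
    pending = None
    for m in messages:
        if m["frame"] <= after_frame:
            continue
        if m["kind"] == "request":
            method, path, _ = parse_request(m["raw"])
            pending = (m["frame"], path) if method == "GET" and path.endswith(".php") else None
        elif m["kind"] == "response" and pending is not None:
            frame, path = pending
            pending = None
            if parse_status(m["raw"]) == 200:
                return frame, path.rsplit("/", 1)[-1]
    return None


# Constructed sample in capture order (frame numbers and hostnames are made up).
FORM = "Content-Type: application/x-www-form-urlencoded"
SAMPLE_HTTP = [
    {"frame": 1, "kind": "request", "raw": "GET /index.php HTTP/1.1\r\nHost: target\r\n\r\n"},
    {"frame": 2, "kind": "response", "raw": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"},
    # Backdoor command that is NOT the dropper: only two of the four parameters.
    {"frame": 3, "kind": "request", "raw": f"POST /backdoor.php HTTP/1.1\r\nHost: target\r\n{FORM}\r\n\r\nt=1&i=ls"},
    {"frame": 4, "kind": "response", "raw": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"},
    # The dropper call: all of t, i, p and pa present.
    {"frame": 5, "kind": "request", "raw": f"POST /backdoor.php HTTP/1.1\r\nHost: target\r\n{FORM}\r\n\r\nt=1&i=10.0.0.5&p=4444&pa=/var/www"},
    {"frame": 6, "kind": "response", "raw": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"},
    # Three wrong guesses, then the file that really exists.
    {"frame": 7, "kind": "request", "raw": "GET /guess1.php HTTP/1.1\r\nHost: target\r\n\r\n"},
    {"frame": 8, "kind": "response", "raw": "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"},
    {"frame": 9, "kind": "request", "raw": "GET /guess2.php HTTP/1.1\r\nHost: target\r\n\r\n"},
    {"frame": 10, "kind": "response", "raw": "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"},
    {"frame": 11, "kind": "request", "raw": "GET /guess3.php HTTP/1.1\r\nHost: target\r\n\r\n"},
    {"frame": 12, "kind": "response", "raw": "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"},
    {"frame": 13, "kind": "request", "raw": "GET /SbOHtDQlsd.php HTTP/1.1\r\nHost: target\r\n\r\n"},
    {"frame": 14, "kind": "response", "raw": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"},
]


if __name__ == "__main__":
    for post_frame in find_dropper_posts(SAMPLE_HTTP):
        print(f"dropper POST in frame {post_frame}")
        hit = find_dropped_php(SAMPLE_HTTP, post_frame)
        if hit:
            print(f"dropped file fetched in frame {hit[0]}: {hit[1]}")
```

On a real capture the message list would come from exporting the HTTP conversation on the backdoor port (for example with tshark or Wireshark's "Follow TCP stream"); the pairing logic assumes one request is outstanding at a time, which holds for the plain request/response pattern seen here but not for pipelined traffic.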

Flag is: SbOHtDQlsd.php