DanaBot Lab
CyberDefenders Network Forensics Lab

Scenario
The SOC team has detected suspicious activity in the network traffic, revealing that a machine has been compromised. Sensitive company information has been stolen. Your task is to use Network Capture (PCAP) files and Threat Intelligence to investigate the incident and determine how the breach occurred.
Question 1
Which IP address was used by the attacker during the initial access?
Answer 1
Filtering the PCAP down to HTTP traffic shows the IP address 62.173.142.148 accessing the site and its login.php page, so that is the address the attacker used for initial access.

Question 2
What is the name of the malicious file used for initial access?
Answer 2
I filtered the capture down to packets coming from that IP address and found a file attached to packet 8, allegato_708.js, which was the file used for initial access.

Question 3
What is the SHA-256 hash of the malicious file used for initial access?
Answer 3
I found an Any.Run report that had already done a full analysis of the file, and it gives the SHA-256 hash. Before relying on a public sandbox report, confirm it describes the same sample: export the file from the PCAP and hash it locally. The SHA-256 must match the one in the report; otherwise the behaviour and dropped-file details that follow may belong to a different variant.
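As an added example (not part of this writeup, the lab files, or the Any.Run report), the carve-and-hash step done in pure Python: parse a classic pcap, reassemble each TCP direction, list the HTTP request lines by client address, pull out response bodies with their Content-Disposition file name, and hash them. The capture it runs on is constructed inline; the IPs, host name and file content are placeholders, so the hashes it prints are not those of the real allegato_708.js.

```python
"""Carve HTTP requests and response bodies out of a pcap and hash the bodies.

Added example for this writeup, not part of the CyberDefenders lab or the Any.Run report.
Standard library only: classic pcap (not pcapng), Ethernet/IPv4/TCP, in-order reassembly
per TCP direction, Content-Length bodies (chunked encoding is not handled).
"""
import hashlib
import re
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
REQUEST_RE = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r?$", re.MULTILINE)
LENGTH_RE = re.compile(rb"Content-Length:\s*(\d+)", re.IGNORECASE)
FILENAME_RE = re.compile(rb'filename="?([^";\r\n]+)"?', re.IGNORECASE)


def pcap_frames(data):
    """Yield raw link-layer frames from a classic (non-pcapng) pcap byte string."""
    endian = PCAP_MAGIC.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    offset = 24  # skip the global header
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def tcp_segment(frame):
    """Return (src_ip, sport, dst_ip, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4
    return src, sport, dst, dport, frame[tcp + data_off:14 + total_len]


def reassemble(frames):
    """Concatenate payloads per (src, sport, dst, dport) in capture order.
    Fine for a clean capture; out-of-order or retransmitted segments need real sequence
    tracking (tshark's Follow TCP Stream / --export-objects does that for you)."""
    streams = defaultdict(bytes)
    for frame in frames:
        seg = tcp_segment(frame)
        if seg and seg[4]:
            streams[seg[:4]] += seg[4]
    return streams


def http_requests(streams):
    """(client_ip, method, path) for every request line in the reassembled streams."""
    found = []
    for (src, _, _, _), data in streams.items():
        for m in REQUEST_RE.finditer(data):
            found.append((src, m.group(1).decode(), m.group(2).decode()))
    return found


def http_responses(streams):
    """(server_ip, filename_or_None, body) for each response whose full body was captured."""
    found = []
    for (src, _, _, _), data in streams.items():
        pos = 0
        while data.startswith(b"HTTP/", pos):
            head_end = data.find(b"\r\n\r\n", pos)
            length = LENGTH_RE.search(data[pos:head_end]) if head_end >= 0 else None
            if length is None:
                break  # no header block or no Content-Length: stop on this stream
            body_start, n = head_end + 4, int(length.group(1))
            body = data[body_start:body_start + n]
            if len(body) < n:
                break  # truncated capture: refuse to hash a partial file
            name = FILENAME_RE.search(data[pos:head_end])
            found.append((src, name.group(1).decode() if name else None, body))
            pos = body_start + n
    return found


def file_hashes(body):
    """Digests to compare against the sandbox report and to pivot on in threat intel."""
    return {"md5": hashlib.md5(body).hexdigest(), "sha256": hashlib.sha256(body).hexdigest()}


def analyze(pcap_bytes):
    streams = reassemble(pcap_frames(pcap_bytes))
    files = [(srv, name, file_hashes(body)) for srv, name, body in http_responses(streams)]
    return http_requests(streams), files


# ---- constructed sample capture: placeholder IPs and file content, not the lab's traffic ----
def _frame(src, sport, dst, dport, payload):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload  # checksums left zero; this parser does not verify them


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


CLIENT, SERVER = "192.0.2.10", "198.51.100.20"
JS_BODY = b"var sh = new ActiveXObject('WScript.Shell'); // placeholder, not the real dropper\r\n"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n"
            b'Content-Disposition: attachment; filename="allegato_708.js"\r\n'
            b"Content-Length: %d\r\n\r\n" % len(JS_BODY)) + JS_BODY
SAMPLE_PCAP = _pcap([
    _frame(CLIENT, 50000, SERVER, 80, b"GET /login.php HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    _frame(SERVER, 80, CLIENT, 50000, RESPONSE[:60]),  # response split across two segments
    _frame(SERVER, 80, CLIENT, 50000, RESPONSE[60:]),
])

if __name__ == "__main__":
    requests, files = analyze(SAMPLE_PCAP)
    for client, method, path in requests:
        print(f"{client} {method} {path}")
    for server, name, digests in files:
        print(f"{server} served {name}: sha256={digests['sha256']} md5={digests['md5']}")
```

To run it against the lab capture, replace SAMPLE_PCAP with `open("danabot.pcap", "rb").read()` (or whatever the capture is named); if the file is pcapng, convert it first with `editcap -F pcap`. The SHA-256 it prints for allegato_708.js is the value to compare with the Any.Run report before trusting anything else in that report.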

Question 4
Which process was used to execute the malicious file?
Answer 4
The Any.Run report includes a behavior graph that gives a visual overview of how the malware operates. The chain starts with allegato_708.js being executed by wscript.exe, the Windows Script Host.

Question 5
What is the file extension of the second malicious file utilized by the attacker?
Answer 5
The second file, CvFDjHTeuG.dll, is executed shortly after launch via rundll32.exe, so the extension is .dll.
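The execution chain above (a script host launching rundll32.exe with a DLL from a user-writable directory) is the kind of parent/child relationship worth hunting for in endpoint telemetry. As an added example that is not part of this writeup or the Any.Run report, here is that check over a handful of constructed process-creation events shaped like Sysmon Event ID 1 fields; the paths, PIDs and export name in the sample events are placeholders.

```python
"""Flag the script-host -> rundll32/regsvr32 execution chain in process-creation events.

Added example for this writeup, not from the lab or Any.Run. Events are constructed to look
like Sysmon Event ID 1 (Image, ParentImage, CommandLine, ProcessId); real telemetry has the
same fields under its own names.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOADERS = {"rundll32.exe", "regsvr32.exe"}
DLL_RE = re.compile(r'[A-Za-z]:\\[^",\s]+\.dll', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(Temp|AppData|Downloads|Public)\\", re.IGNORECASE)


def suspicious_chain(event):
    """Return a finding dict if a script host spawned a DLL loader, else None."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent not in SCRIPT_HOSTS or child not in LOADERS:
        return None
    m = DLL_RE.search(event.get("CommandLine", ""))
    dll = m.group(0) if m else None
    return {
        "pid": event.get("ProcessId"),
        "parent": parent,
        "child": child,
        "dll": dll,
        # a DLL loaded from a user-writable path raises the priority of the finding
        "user_writable": bool(dll and USER_WRITABLE_RE.search(dll)),
    }


def scan(events):
    """All findings for a list of process-creation events, in event order."""
    return [f for f in (suspicious_chain(e) for e in events) if f]


# Constructed events: only the second one reproduces the chain from the sandbox report.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\user\Downloads\allegato_708.js"'},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\AppData\Local\Temp\CvFDjHTeuG.dll,Entry"},
    {"ProcessId": 1204, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The rule is deliberately narrow: it keys on the parent/child pair, not on the script name, so it still fires when the attacker renames the dropper, and the `user_writable` flag separates the Temp-directory case from legitimate rundll32 invocations out of System32.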

Question 6
What is the MD5 hash of the second malicious file?
Answer 6
The Dropped Files section of the Any.Run report lists the MD5 hash of CvFDjHTeuG.dll.
