TryHackMe TShark Challenge II: Directory Writeup


1. Investigate the DNS queries. Which queried domain is the malicious one?

Command: tshark -r directory-curiosity.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sort | uniq -c | sort -nr

Filtering on dns.flags.response == 0 counts each lookup once (responses would otherwise double the tallies), and the final sort -nr orders by count numerically rather than lexically. The odd-looking name near the top of the list is the one to investigate.

Answer: xxx-xxxxxxx[.]xxx

Screenshot for Question 1

2. What is the total number of HTTP requests sent to the malicious domain?

Command: tshark -r directory-curiosity.pcap -Y "http.request" -T fields -e ip.dst -e http.host -e http.request.full_uri | grep '141\.164\.' | wc -l

Filtering on http.request keeps only requests (responses carry no full URI), the escaped dots stop the grep from matching unrelated addresses, and wc -l gives the count directly; swap wc -l for nl if you want the numbered list of URIs for the screenshot.

Answer: xx

Screenshot for Question 2

3. What is the IP address associated with the malicious domain?

Command: tshark -r directory-curiosity.pcap -Y "dns.flags.response == 1 && dns.a" -T fields -e dns.qry.name -e dns.a

Restricting to responses that carry an A record prints one name-to-address line per answer; if a response holds several A records tshark joins them with commas in the second column.

Answer: xxx[.]xxx[.]xx[.]xxx

Screenshot for Question 3
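The three commands above each answer one question on their own. As an added example that is not part of the original writeup, the Python below post-processes their tab-separated -T fields output offline and chains the answers: it ranks the queried names, maps each name to the A records returned for it (splitting the comma-joined values tshark prints when one response carries several records), and lists the HTTP requests sent to the resolved address. The sample lines are constructed placeholders, not the challenge's data, and the tshark invocations named in the docstring are the assumed source of each input.

```python
"""Post-process `tshark -T fields` output from the Directory Curiosity triage.

Added example, not from the original writeup. Assumed inputs (tshark prints
-T fields output tab-separated by default):
  tshark -r directory-curiosity.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name
  tshark -r directory-curiosity.pcap -Y "dns.flags.response == 1 && dns.a" -T fields -e dns.qry.name -e dns.a
  tshark -r directory-curiosity.pcap -Y "http.request" -T fields -e ip.dst -e http.host -e http.request.full_uri
"""
from collections import Counter, defaultdict

# Constructed sample of `-e dns.qry.name` output: one queried name per packet.
# The blank line mimics what tshark prints for a packet lacking the field.
DNS_QUERIES = """\
time.example-ntp.net
static.cdn.example
bad-example.test

static.cdn.example
bad-example.test
bad-example.test
"""

# Constructed sample of `-e dns.qry.name -e dns.a` output. A response with
# several A records shows them comma-joined in one column.
DNS_ANSWERS = """\
time.example-ntp.net\t203.0.113.7
static.cdn.example\t198.51.100.10,198.51.100.11
bad-example.test\t192.0.2.44
"""

# Constructed sample of `-e ip.dst -e http.host -e http.request.full_uri`.
HTTP_REQUESTS = """\
192.0.2.44\tbad-example.test\thttp://bad-example.test/
192.0.2.44\tbad-example.test\thttp://bad-example.test/files/
198.51.100.10\tstatic.cdn.example\thttp://static.cdn.example/lib.js
192.0.2.44\tbad-example.test\thttp://bad-example.test/files/update.exe
"""


def rank_queries(text):
    """Count queried names, most frequent first (the sort | uniq -c | sort -nr step)."""
    counts = Counter(line.strip() for line in text.splitlines() if line.strip())
    return counts.most_common()


def resolve_map(text):
    """Map each queried name to the set of A records seen for it."""
    mapping = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, addrs = line.partition("\t")
        # Several A records in one response arrive comma-joined; split them.
        for addr in addrs.split(","):
            if addr:
                mapping[name].add(addr)
    return dict(mapping)


def http_requests_to(text, ip_or_host):
    """Return the request URIs whose destination IP or Host header matches.

    Matching on both columns also catches requests made by bare IP, where
    the Host header carries no domain name.
    """
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dst, host, uri = (line.split("\t") + ["", "", ""])[:3]
        if ip_or_host in (dst, host):
            hits.append(uri)
    return hits


def triage(name):
    """Chain the three steps for one suspicious name: how often it was queried,
    which addresses it resolved to, and the HTTP requests sent to each."""
    counts = dict(rank_queries(DNS_QUERIES))
    addrs = resolve_map(DNS_ANSWERS).get(name, set())
    requests = {a: http_requests_to(HTTP_REQUESTS, a) for a in sorted(addrs)}
    return {"queries": counts.get(name, 0), "addresses": sorted(addrs), "requests": requests}


if __name__ == "__main__":
    for qname, n in rank_queries(DNS_QUERIES):
        print(f"{n:4d}  {qname}")
    print(triage("bad-example.test"))
```

To run it against the real capture, redirect each tshark command to a file and pass its contents in place of the constructed strings; the functions only assume the tab-separated layout tshark produces.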

4. What is the server info of the suspicious domain?

Command: tshark -r directory-curiosity.pcap -Y "http.response" -T fields -e ip.src -e http.server | sort -u

The Server header only appears in responses, so filtering on http.response and printing the source address alongside http.server gives one line per distinct server banner and lets you match it to the IP found in question 3.

Answer: xxxxxx/x.x.xx (xxxxx) xxx/x xxx_xxx/x.x.xx xxxxxxx/x.x.xx xxx/x.x.x

Screenshot for Question 4

5. Follow the "first TCP stream" in "ASCII". What is the number of listed files?

Command: tshark -r directory-curiosity.pcap -z follow,tcp,ascii,0 -q

Answer: x

Screenshot for Question 5

6. What is the filename of the first file?

Command: tshark -r directory-curiosity.pcap -z follow,tcp,ascii,0 -q

Answer: xxx[.]xxx

Screenshot for Question 6

7. Export all HTTP traffic objects. What is the name of the downloaded executable file?

Command: tshark -r directory-curiosity.pcap --export-objects http,/home/ubuntu/Desktop/extracted-by-tshark -q

Answer: xxxxxx[.]xxx

Screenshot for Question 7

8. What is the SHA256 value of the malicious file?

Command: sha256sum vlauto.exe

Answer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Screenshot for Question 8

9. Search the SHA256 value of the file on VirusTotal. What is the "PEiD packer" value?

Answer: .xxx xxxxxxxxxx

Screenshot for Question 9

10. Search the SHA256 value of the file on VirusTotal. What does the "Lastline Sandbox" flag this as?

Answer: xxxxxxx xxxxxx

Screenshot for Question 10