Thanks to everyone who participated in the May 2021 forensic contest originally posted two weeks ago. We received 45 submissions through our contact page, and most people had all the correct answers. Unfortunately, we could only pick one winner. In this case, our winner was the first to submit the correct information. Join us in congratulating this month's winner, Pratik! Pratik will receive a Raspberry Pi 4 kit.
You can still find the pcap for our May 2021 forensic contest at this Github repository.
IP address of the infected Windows computer:
Host name of the infected Windows computer:
User account name on the infected Windows computer:
Date and time the infection activity began in UTC (the GMT or Zulu timezone):
The family or families of malware on the infected computer:
To help in your analysis of this activity, please review the Requirements section in our original diary for this contest.
Malware from the pcap
The iniitial malware activity in the pcap is seen when the victim's host retreived a Windows EXE or DLL from 185.183.99[.]115 on 2021-05-04 at 22:16:52 UTC.
The URL hosting this malware was reported to URLhaus, where it is tagged as Qakbot malware. The IP address is also related to some malicious Excel spreadsheets with file names that start with Outstanding-Debt- and end with 05042021.xlsm.
Here's a Wireshark filter I use to review suspected Qakbot traffic:
Use a basic web filter and scroll down to the end of the pcap. You should see indicators the infected host became a spambot and was contacting various email servers over TCP ports 25 and 465.
Qakbot infection activity follows noticeable patterns, which we covered in today's diary. The traffic isn't much different than cases I've reported before, like this example from February 2021.
Thanks to all who participated in the May 2021 forensic contest, and congratulations again to Pratik for winning this month's competition!
You can still find the pcap and malware at this Github repository.
May 19th 2021
|Thread locked Subscribe||
May 19th 2021
1 month ago