Writeup: Advent of Cyber 4 Day 13 - AtomicMaya/knowledge-base GitHub Wiki

Advent of Cyber 4 - Day 13

Link: Advent Of Cyber 4 on TryHackMe

Question 1

View the "Protocol Hierarchy" menu. What is the "Percent Packets" value of the "Hypertext Transfer Protocol"?

Answer: 0.3

Question 2

View the "Conversations". Navigate to the TCP section. Which port number has received more than 1000 packets?

Answer: 3389

Question 3

What is the service name of the used protocol that received more than 1000 packets?

Answer: RDP

Question 4

Filter the DNS packets. What are the domain names? Enter the domains in alphabetical order and defanged format. (format: domain[.]zzz,domain[.]zzz)

Answer: bestfestivalcompany[.]thm,cdn[.]bandityeti[.]thm

Question 5

Filter the HTTP packets. What are the names of the requested files? Enter the names in alphabetical order and in defanged format. (format: file[.]xyz,file[.]xyz)

Answer: favicon[.]ico,mysterygift[.]exe

Question 6

Which IP address downloaded the executable file? Enter your answer in defanged format.

Answer: 10[.]10[.]29[.]186

Question 7

Which domain address hosts the malicious file? Enter your answer in defanged format.

Answer: cdn[.]bandityeti[.]thm

Question 8

What is the "user-agent" value used to download the non-executable file?

Answer: Nim httpclient/1.6.8

Question 9

Export objects from the PCAP file. Calculate the file hashes. What is the sha256 hash value of the executable file?

Answer: 0ce160a54d10f8e81448d0360af5c2948ff6a4dbb493fe4be756fc3e2c3f900f

Question 10

Search the hash value of the executable file on VirusTotal. Navigate to the "Behaviour" section. There are multiple IP addresses associated with this file.

What are the connected IP addresses? Enter the IP addresses defanged and in numerical order. (format: IPADDR,IPADDR)

Answer: 20[.]99[.]133[.]109,20[.]99[.]184[.]37,23[.]216[.]147[.]64,23[.]216[.]147[.]76
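Several of the answers above share the same bookkeeping: pull names out of the DNS and HTTP traffic, defang them, sort domains alphabetically but IP addresses numerically, and hash the exported object. The script below is an added example (not part of this wiki page or the TryHackMe room) that does that bookkeeping on constructed input; the HTTP request strings, the User-Agent on the executable request and the extra address 9.0.0.1 are made up for illustration, and `b"abc"` stands in for the bytes of an exported file.

```python
import hashlib
import ipaddress


def defang(indicator: str) -> str:
    """Replace dots with [.] so a domain or IP cannot be clicked by accident."""
    return indicator.replace(".", "[.]")


def refang(indicator: str) -> str:
    """Undo defang() when the value has to be looked up again (e.g. in a filter)."""
    return indicator.replace("[.]", ".")


def format_domains(names) -> str:
    """Unique names, alphabetical, defanged, comma-joined (the Q4/Q5 format)."""
    return ",".join(defang(n) for n in sorted(set(names)))


def format_ips(addresses) -> str:
    """Unique IPv4 addresses in numerical order, not string order.

    String sorting puts 9.0.0.1 after 23.x.x.x; sorting on the integer value
    of the address gives the order the Q10 format asks for.
    """
    ordered = sorted(set(addresses), key=lambda a: int(ipaddress.IPv4Address(a)))
    return ",".join(defang(a) for a in ordered)


def sha256_of(data: bytes) -> str:
    """SHA-256 of an exported object's bytes, as submitted to VirusTotal (Q9)."""
    return hashlib.sha256(data).hexdigest()


def parse_http_request(raw: str) -> dict:
    """Parse the request line and headers of one HTTP request (Follow HTTP stream view)."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": path,
        "host": headers.get("host"),
        "user_agent": headers.get("user-agent"),
    }


def requested_files(raw_requests) -> str:
    """File names from the request paths, in the Q5 format."""
    names = [parse_http_request(r)["path"].rsplit("/", 1)[-1] for r in raw_requests]
    return format_domains(names)


# Constructed sample: DNS query names as they appear in Wireshark's Name column
SAMPLE_DNS_NAMES = ["cdn.bandityeti.thm", "bestfestivalcompany.thm", "cdn.bandityeti.thm"]

# Constructed sample: the Q10 addresses plus 9.0.0.1, which string sorting would misplace
SAMPLE_IPS = ["23.216.147.76", "20.99.184.37", "20.99.133.109", "23.216.147.64", "9.0.0.1"]

# Constructed sample: two requests; the User-Agent on the .exe request is a placeholder
SAMPLE_HTTP_REQUESTS = [
    "GET /favicon.ico HTTP/1.1\r\nHost: cdn.bandityeti.thm\r\n"
    "User-Agent: Nim httpclient/1.6.8\r\n\r\n",
    "GET /mysterygift.exe HTTP/1.1\r\nHost: cdn.bandityeti.thm\r\n"
    "User-Agent: PlaceholderAgent/0.0\r\n\r\n",
]

# Constructed stand-in for the bytes of an exported object
SAMPLE_FILE_BYTES = b"abc"

if __name__ == "__main__":
    print("DNS domains :", format_domains(SAMPLE_DNS_NAMES))
    print("HTTP files  :", requested_files(SAMPLE_HTTP_REQUESTS))
    print("Host        :", defang(parse_http_request(SAMPLE_HTTP_REQUESTS[1])["host"]))
    print("User-Agent  :", parse_http_request(SAMPLE_HTTP_REQUESTS[0])["user_agent"])
    print("IPs         :", format_ips(SAMPLE_IPS))
    print("sha256      :", sha256_of(SAMPLE_FILE_BYTES))
```

The numeric sort in `format_ips` is the part worth keeping: an answer format that says "numerical order" is not satisfied by `sorted()` on strings once addresses with different first-octet widths appear together.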