I conducted a forensic analysis of a network intrusion that resulted in malware infection and data exfiltration. During my investigation, I identified a Windows 7 host (BEIJING-5CD1-PC) downloading a malicious executable payload (tkraw_Protected99.exe) via unencrypted HTTP. Following execution, the malware staged stolen host data and exfiltrated the package using unencrypted SMTP. I successfully traced the initial infection vector, extracted the payload for signature generation, and recovered the attacker's operational credentials and drop-zone email addresses.
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Execution | User Execution: Malicious File | T1204.002 | Victim executed the downloaded payload (tkraw_Protected99.exe). |
| Discovery | System Network Configuration Discovery | T1016 | Malware looked up the host's public IP via bot.whatismyipaddress.com. |
| Collection | Input Capture: Keylogging | T1056.001 | Malware captured keystrokes alongside saved passwords and system data. |
| Exfiltration | Exfiltration Over Unencrypted Non-C2 Protocol | T1048.003 | Stolen data was sent to the drop mailbox over unencrypted SMTP. |
| Indicator Type | Value | Context |
|---|---|---|
| IPv4 | 217.182.138.150 | Malware staging server (France) |
| Domain | proforma-invoices.com | Malware hosting and SMTP drop domain |
| Domain | macwinlogistics.in | Compromised sender domain used for SMTP exfiltration |
| File (MD5) | 71826ba081e303866ce2a2534491a2f7 | tkraw_Protected99.exe |
| Email | john.mayer@proforma-invoices.com | Exfiltration sender account |
| Email | sales.del@macwinlogistics.in | Exfiltration sender account |
| Email | it-support@proforma-invoices.com | Exfiltration target (drop zone) |
This repository documents my forensic analysis of the HawkEye network capture challenge from CyberDefenders. I investigated a compromised network, identified the malware delivery mechanism, traced the attacker's infrastructure, and recovered the exfiltrated credentials using Wireshark and Linux command-line tools.
- Wireshark: Packet analysis, stream reassembly, and object extraction.
- Linux Terminal (Mint): Base64 decoding and MD5 hash generation.
- Network Protocols Analyzed: HTTP, DNS, SMTP, DHCP, Kerberos.
I began my investigation by establishing the baseline of the capture file and identifying "Patient Zero."
- Total Packets: 4003
- Capture Duration: 01:03:41 (started 2019-04-10 20:37 UTC)
- Victim IP (internal): 10.4.10.132
- Victim MAC Address: 00:08:02:1c:47:ae (Hewlett Packard)
- Victim Hostname: BEIJING-5CD1-PC (running Windows 7)
Evidence: Network Endpoints & Victim Identification
The following screenshot shows how I isolated the most active MAC address and internal IP on the network using Wireshark's Statistics > Endpoints view.
By filtering for HTTP requests (http.request.method == "GET"), I isolated the exact moment of compromise: the victim machine resolved an attacker-controlled domain and downloaded a malicious executable.
- Malicious Domain: proforma-invoices.com
- Attacker IP: 217.182.138.150 (hosted in France, LiteSpeed server)
- Payload Name: tkraw_Protected99.exe
Evidence: Malware Download via HTTP GET
This capture shows the victim machine requesting the executable from the attacker's server.
After identifying the file, I extracted the HTTP object directly from the PCAP and generated an MD5 hash to confirm the file's identity.
- MD5 Hash: 71826ba081e303866ce2a2534491a2f7
Evidence: File Extraction & Hashing
Terminal output verifying the MD5 checksum of the malware I extracted.
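The extraction-and-hash step above, as an added example that is not part of the original write-up: the function takes the reassembled request/response bytes of one HTTP stream (what Follow TCP Stream or tshark's object export hands you), carves the response body by its Content-Length, checks for the MZ executable magic independently of the file name, and hashes the result. The stream and the PE body below are constructed stand-ins, so the hash they produce is not the MD5 recorded in this report; the second stream is the same transfer with the capture cut short, to show why a hash is only trustworthy when the body is complete.

```python
import hashlib
import re


def _header(block: str, name: str):
    """Return the value of one header from a raw HTTP header block, or None."""
    m = re.search(r"^%s:\s*(.*?)\s*$" % re.escape(name), block, re.I | re.M)
    return m.group(1) if m else None


def parse_http_download(stream: bytes) -> dict:
    """Split a reassembled request/response pair into its parts and fingerprint
    the response body. `stream` is the client request followed by the server
    response, exactly as Follow TCP Stream or tshark reassembles it."""
    req_end = stream.index(b"\r\n\r\n")
    request = stream[:req_end].decode("latin-1")
    rest = stream[req_end + 4:]
    resp_end = rest.index(b"\r\n\r\n")       # a GET has no body, so the reply follows at once
    response = rest[:resp_end].decode("latin-1")
    body = rest[resp_end + 4:]

    method, path, _ = request.split("\r\n", 1)[0].split(" ", 2)
    declared = _header(response, "Content-Length")
    length = int(declared) if declared is not None else len(body)
    body = body[:length]                    # discard anything beyond the declared length
    return {
        "method": method,
        "host": _header(request, "Host"),
        "path": path,
        "filename": path.rsplit("/", 1)[-1],
        "server": _header(response, "Server"),
        "content_type": _header(response, "Content-Type"),
        "size": len(body),
        "complete": len(body) == length,    # False when the capture cut the transfer short
        "is_pe": body.startswith(b"MZ"),    # DOS/PE magic, regardless of extension or MIME type
        "md5": hashlib.md5(body).hexdigest(),
        "sha256": hashlib.sha256(body).hexdigest(),
    }


def is_suspicious_download(info: dict) -> bool:
    """Flag an executable fetched over plain HTTP, whether or not its name says so."""
    return info["method"] == "GET" and (
        info["is_pe"] or info["filename"].lower().endswith((".exe", ".scr", ".dll"))
    )


# Constructed stand-in for the captured exchange. The body is a dummy PE stub,
# not the real sample, so its hash will NOT equal the MD5 recorded in this report.
FAKE_PE_BODY = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.$" + b"\x00" * 128
CONSTRUCTED_STREAM = (
    b"GET /tkraw_Protected99.exe HTTP/1.1\r\n"
    b"Host: proforma-invoices.com\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Server: LiteSpeed\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: %d\r\n"
    b"\r\n" % len(FAKE_PE_BODY)
) + FAKE_PE_BODY

# The same transfer with the capture ending 40 bytes early.
TRUNCATED_STREAM = CONSTRUCTED_STREAM[:-40]
```

On the real capture the command-line equivalent is `tshark -r <capture>.pcap --export-objects "http,./objects"` followed by `md5sum objects/tkraw_Protected99.exe` (the capture file name is an assumption; the challenge does not fix it). Only record the hash when `complete` is true; a hash of a partially captured body will never match any signature database.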
Once executed, the malware queried bot.whatismyipaddress.com to confirm the victim's public IP address (173.66.146.112). It then packaged the stolen data (keylogs, saved passwords, system info) and exfiltrated the data via an unencrypted SMTP connection to a server running Exim software in the United States.
By filtering the traffic for smtp and following the AUTH LOGIN sequence (the username and password are sent as two separate Base64 tokens, each prompted by a 334 reply), I intercepted the attacker's Base64-encoded credentials.
Evidence: Intercepted SMTP Authentication (TCP Stream)
The TCP stream reconstruction below reveals the unencrypted conversation between the malware and the email server, including the Base64 credentials and the exfiltration recipient I intercepted.
Decoding the Attacker's Drop Zone: Using Linux command-line tools, I decoded the intercepted Base64 strings to reveal the email accounts and passwords used for the data drop:
- Sender 1: john.mayer@proforma-invoices.com | Password: access99 (decoded from YWNjZXNzOTk=)
- Sender 2: sales.del@macwinlogistics.in | Password: Sales@11 (decoded from U2FsZXNAMTE=)
- Final Drop Destination: it-support@proforma-invoices.com
Evidence: Base64 Decoding
Terminal execution decoding the intercepted SMTP password.
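The credential-recovery step above, as an added example that is not part of the original write-up: a parser for a reassembled SMTP conversation (the text Follow TCP Stream shows) that separates server replies from client commands, walks the AUTH LOGIN exchange to recover the Base64 username and password tokens, skips the DATA body so message text is never mistaken for commands, and collects the MAIL FROM / RCPT TO envelope. It also handles AUTH PLAIN, which the capture did not use, to show the general case. The two sessions below are constructed: the password token YWNjZXNzOTk= and the account names are the ones recorded in this report, while the server name mail.example.net, the greeting and the message body are made up, and the username tokens are generated rather than copied from the capture. Decoding is strict, so a mis-transcribed token such as U2FsZXM@MTE= is rejected rather than decoded to garbage.

```python
import base64
import binascii
import re

# Server replies start with a three-digit code; every other line was sent by the client.
_REPLY = re.compile(r"^\d{3}[ -]")
# Heuristic: a client line that looks like a new SMTP verb means an AUTH exchange was abandoned.
_COMMAND = re.compile(r"^(EHLO|HELO|MAIL|RCPT|DATA|QUIT|RSET|AUTH|STARTTLS|NOOP)\b", re.I)
_ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<?([^>\s]+)>?", re.I)


def decode_b64(token: str):
    """Strictly decode one Base64 token; return None if it is not valid Base64.
    Strict mode matters when tokens are copied out of a capture by hand: a
    mis-transcribed character such as '@' is rejected instead of decoding to garbage."""
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except binascii.Error:
        return None


def _finish_auth(mech: str, tokens: list) -> dict:
    """Turn the Base64 tokens of one completed AUTH exchange into a credential record."""
    if mech == "LOGIN":                 # two tokens: username, then password
        return {"mechanism": mech, "username": decode_b64(tokens[0]),
                "password": decode_b64(tokens[1])}
    parts = (decode_b64(tokens[0]) or "").split("\x00")   # PLAIN: "authzid\0authcid\0password"
    username, password = (parts[1], parts[2]) if len(parts) == 3 else (None, None)
    return {"mechanism": mech, "username": username, "password": password}


def parse_smtp_stream(stream: str) -> dict:
    """Recover credentials and envelope addresses from a reassembled SMTP conversation."""
    result = {"auth": [], "mail_from": [], "rcpt_to": []}
    pending = None      # (mechanism, tokens, tokens_needed) while an AUTH is in progress
    in_data = False     # inside the message body after DATA, until the lone "."
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or _REPLY.match(line):
            continue    # the server side carries nothing needed for credential recovery
        if in_data:     # body text is never interpreted as commands
            in_data = line != "."
            continue
        if pending is not None:
            if _COMMAND.match(line):
                pending = None
            else:
                mech, tokens, need = pending
                tokens.append(line)
                if len(tokens) == need:
                    result["auth"].append(_finish_auth(mech, tokens))
                    pending = None
                continue
        words = line.split(None, 2)
        verb = " ".join(words[:2]).upper()
        if verb in ("AUTH LOGIN", "AUTH PLAIN"):
            mech, tokens = words[1].upper(), words[2:]   # optional initial response on the same line
            need = 2 if mech == "LOGIN" else 1
            if len(tokens) == need:
                result["auth"].append(_finish_auth(mech, tokens))
            else:
                pending = (mech, tokens, need)
        elif verb == "DATA":
            in_data = True
        else:
            m = _ENVELOPE.match(line)
            if m:
                key = "mail_from" if m.group(1).upper() == "MAIL FROM" else "rcpt_to"
                result[key].append(m.group(2).lower())
    return result


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed stand-in for the captured AUTH LOGIN session (server name, greeting
# and body are made up; the password token is the one recorded in this report).
CONSTRUCTED_LOGIN_STREAM = "\n".join([
    "220 mail.example.net ESMTP Exim",
    "EHLO BEIJING-5CD1-PC",
    "250-mail.example.net Hello BEIJING-5CD1-PC",
    "250 AUTH LOGIN PLAIN",
    "AUTH LOGIN",
    "334 VXNlcm5hbWU6",                                 # "Username:"
    _b64("john.mayer@proforma-invoices.com"),
    "334 UGFzc3dvcmQ6",                                 # "Password:"
    "YWNjZXNzOTk=",
    "235 Authentication succeeded",
    "MAIL FROM:<john.mayer@proforma-invoices.com>",
    "250 OK",
    "RCPT TO:<it-support@proforma-invoices.com>",
    "250 Accepted",
    "DATA",
    "354 Enter message, ending with \".\" on a line by itself",
    "Subject: BEIJING-5CD1-PC",
    "",
    "RCPT TO:<body-text@example.net>",                  # inside the body: must NOT be parsed
    ".",
    "250 OK",
    "QUIT",
])

# Constructed AUTH PLAIN variant (initial response on the AUTH line) for the second sender.
CONSTRUCTED_PLAIN_STREAM = "\n".join([
    "220 mail.example.net ESMTP Exim",
    "AUTH PLAIN " + _b64("\x00sales.del@macwinlogistics.in\x00Sales@11"),
    "235 Authentication succeeded",
    "MAIL FROM:<sales.del@macwinlogistics.in>",
    "RCPT TO:<it-support@proforma-invoices.com>",
    "QUIT",
])
```

For a single token the shell equivalent is `echo 'YWNjZXNzOTk=' | base64 -d`; the parser is for the case where a capture holds several sessions and you want every credential and drop mailbox in one pass. Run it over the output of Follow TCP Stream (ASCII view) saved to a file, one file per SMTP stream.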
This lab demonstrated the critical importance of monitoring unencrypted protocols (HTTP/SMTP). The attacker delivered a payload via a simple HTTP download and exfiltrated highly sensitive data in plain text, authenticating to the mail server over SMTP without STARTTLS; because Base64 is encoding, not encryption, the credentials, the drop mailbox and the stolen data were all visible to anyone watching the wire, leaving the entire attack lifecycle open to network defenders.