Carnage

TryHackMe Challenge Walkthrough

Challenge Overview

Eric Fischer from the Purchasing Department at Bartell Ltd has received an email from a known contact with a Word document attachment.  Upon opening the document, he accidentally clicked on “Enable Content.”  The SOC Department immediately received an alert from the endpoint agent that Eric’s workstation was making suspicious connections outbound. The pcap was retrieved from the network sensor and handed to you for analysis. 

Task: Investigate the packet capture and uncover the malicious activities. 

Credit goes to [Brad Duncan](https://www.malware-traffic-analysis.net/) for capturing the traffic and sharing the pcap packet capture with InfoSec community. 

NOTE: DO NOT directly interact with any domains and IP addresses in this challenge.

Threat Analysis Summary

Analyst Summary Report

Incident Title

Malicious ZIP Dropper and Cobalt Strike C2 Activity

Victim Host

10.9.23.102

Timeline of Events:

  • 2021-09-24 16:44:38: HTTP GET to attirenepal[.]com for documents.zip (Server: LiteSpeed, X-Powered-By: PHP/7.2.34)
  • Same TCP stream: the ZIP's local file header names chart-1530076591.xls
  • 16:44:38 to 16:46:16: DNS lookups followed by HTTPS sessions to:
    • finejewels[.]com[.]au
    • thietbiagt[.]com
    • new[.]americold[.]com
  • 16:46:16: Victim sends chunked POST requests with encoded data to maldivehost[.]net (208[.]91[.]128[.]6)
  • 16:46:16 onward: Victim beacons over plain HTTP to two Cobalt Strike servers (both confirmed via VirusTotal):
    • 185[.]125[.]204[.]174:8080 (Host header ocsp.verisign.com, GET /spfpoolh/cacerts.crl answered with image/gif)
    • 185[.]106[.]96[.]158:80
  • 17:00:04: DNS query for api.ipify.org (external IP check by the malware)
  • Later: outbound SMTP malspam, first MAIL FROM farshin@mailfa.com

Tools Used

  • Wireshark

Indicators of Compromise (IOCs)

  • Domains:
    • attirenepal[.]com (ZIP delivery), maldivehost[.]net (post-infection POSTs), finejewels[.]com[.]au, thietbiagt[.]com, new[.]americold[.]com (HTTPS downloads), survmeter[.]live, securitybusinpuff[.]com (Cobalt Strike servers, per VirusTotal)
    • Observed but benign on its own: api.ipify.org (external IP check)
  • IPs:
    • 208[.]91[.]128[.]6 (maldivehost[.]net), 185[.]125[.]204[.]174 and 185[.]106[.]96[.]158 (Cobalt Strike C2), 148[.]72[.]192[.]206, 210[.]245[.]90[.]247, 148[.]72[.]53[.]144 (HTTPS downloads)
  • Files:
    • documents.zip, chart-1530076591.xls
  • Network artefacts:
    • GET /spfpoolh/cacerts.crl with Host: ocsp.verisign.com sent to 185[.]125[.]204[.]174:8080 (Cobalt Strike malleable profile imitating OCSP)
    • First malspam MAIL FROM: farshin@mailfa.com

Infection Chain Timeline

16:44:38

Victim 10.9.23.102 downloads documents.zip from attirenepal[.]com (Server: LiteSpeed, X-Powered-By: PHP/7.2.34)

16:44:38

The ZIP's local file header, visible in the same TCP stream, names chart-1530076591.xls

16:44:38 to 16:46:16

DNS lookups followed by HTTPS sessions (port 443, TLS handshake with SNI, large encrypted application data) to:

  • finejewels[.]com[.]au → 148[.]72[.]192[.]206
  • thietbiagt[.]com → 210[.]245[.]90[.]247
  • new[.]americold[.]com → 148[.]72[.]53[.]144

16:46:16

Victim begins POSTing encoded, chunked data to maldivehost[.]net (208[.]91[.]128[.]6)

16:46:16

Victim opens outbound plain-HTTP connections to the two Cobalt Strike servers:

  • 185[.]125[.]204[.]174 (port 8080)
  • 185[.]106[.]96[.]158 (port 80)

16:46:16

First beacon check-in: GET /spfpoolh/cacerts.crl with Host: ocsp.verisign.com; the server answers with a small image/gif body

16:46:50+

Victim keeps sending GET requests to the C2 IPs at regular intervals

17:00:04

DNS query for api.ipify.org (the malware checking the victim's public IP)

Afterward

C2 traffic continues; outbound SMTP malspam is observed (first MAIL FROM farshin@mailfa.com)

MITRE ATT&CK Mapping

| Phase | ID | Technique | Description |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Email from a known contact with a document attachment (from the scenario) |
| Initial Access | T1204.002 | User Execution: Malicious File | documents.zip containing chart-1530076591.xls from attirenepal[.]com; the user clicked Enable Content |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Multiple domains used for payload delivery and staging |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | POST requests to maldivehost[.]net and HTTP beacons to the Cobalt Strike IPs |
| Defense Evasion | T1001.003 | Data Obfuscation: Protocol Impersonation | Beacon traffic dressed up as OCSP/CRL requests (Host: ocsp.verisign.com) answered with GIF bodies |
| Discovery | T1016 | System Network Configuration Discovery | DNS query for api.ipify.org to learn the victim's public IP |
| Discovery | T1082 | System Information Discovery | Possibly via the macro payload; not observable in the pcap |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Encoded POST bodies sent after the infection phase |

Reference: [MITRE ATT&CK Navigator](https://attack.mitre.org/)

INITIAL RECON

Time to open carnage.pcap and begin the forensic joyride.

First thing: the questions want timestamps in a specific format (yyyy-mm-dd hh:mm:ss), and Q17 makes clear they are in UTC. Because why not?

Head to View > Time Display Format and pick UTC Date and Time of Day: human-readable, matches the answer format, and doesn't look like binary soup the way epoch seconds do.

Next, let’s see who’s been busy on the wire.

Go to Statistics > Endpoints > IPv4, sort by packets

And bingo: one IP is making the rest look unemployed.

Top talker: 10.9.23.102 with 54MB of glorious traffic. Definitely our victim.
Let’s keep that one on a leash.

Now let’s look for the first contact.

Filter by http and look for any GET or POST requests.

Boom — the first HTTP packet is from 10.9.23.102 requesting a documents.zip file. And the server obliges with a shiny 200 OK.

Peeking at the packet details, the domain behind the gift is attirenepal[.]com.

Looks like our infection kicks off here. Follow the TCP stream to see what’s wrapped inside that zip.

And what do we find? A charming .xls file named chart-1530076591.xls, served with love from a LiteSpeed webserver. If you think this is just a spreadsheet and not a macro-laced disaster waiting to happen — bless your heart.

About a minute and a half after the download (16:46:16), our victim starts POSTing repeatedly to 208[.]91[.]128[.]6 using chunked transfer encoding, and every request is accepted. Regular outbound POSTs of opaque data right after a macro runs is classic C2 check-in or exfil behaviour.

The Host header names maldivehost[.]net. Totally legit name.
Totally not suspicious.

Meanwhile, things escalate.

The victim opens connections to two more IPs, 185[.]125[.]204[.]174 on port 8080 and 185[.]106[.]96[.]158 on port 80, over plain HTTP (no TLS involved on either).

Then it gets weird: the request to 185[.]125[.]204[.]174 is GET /spfpoolh/cacerts.crl with a Host header of ocsp.verisign.com, and the reply is... an image/gif. A CRL fetch addressed to a VeriSign OCSP host, sent to an address that has nothing to do with VeriSign (VirusTotal ties it to survmeter[.]live) and answered with a picture, is not certificate checking.

That is a Cobalt Strike beacon using a malleable C2 profile that imitates OCSP traffic. The GET is the check-in that asks for tasks, and the GIF-wrapped response body is how the server hands them back; the POSTs carry results out. From 16:46:50 onward the beacon keeps polling at a steady cadence and every GET is accepted. Cozy.

So to recap:
  • The victim downloads documents.zip from attirenepal[.]com
    • The ZIP contains chart-1530076591.xls
    • Served via a LiteSpeed webserver
  • This is clearly the delivery stage of a macro dropper
  • The victim begins POSTing encoded chunks to 208[.]91[.]128[.]6 (aka maldivehost[.]net)
  • The victim also opens plain-HTTP sessions to 185[.]125[.]204[.]174:8080 and 185[.]106[.]96[.]158:80
    • The first carries a beacon check-in disguised as an OCSP/CRL request and answered with a GIF
    • GET requests to both continue at regular intervals: Cobalt Strike beaconing
    • Possibly exfiltration or further staging
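Two of the tells above, a Host header that no DNS answer ever pointed at the destination IP, and GETs to the same path at a steady cadence, are easy to check mechanically once the DNS answers and HTTP requests have been exported from the pcap (tshark -T fields does that). The Python below is an added example, not code from the room or from this walkthrough, run over constructed records that mirror the timeline: the victim, C2 and maldivehost[.]net addresses, the ocsp.verisign.com Host header and the /spfpoolh/cacerts.crl path come from the capture as described above; the attirenepal[.]com address (198.51.100.10, a TEST-NET-2 placeholder) and the exact beacon timestamps are invented for the demo.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records modelled on the timeline above. Victim, C2 and
# maldivehost.net addresses, the ocsp.verisign.com Host header and the
# /spfpoolh/cacerts.crl path are from the capture as described in the
# walkthrough; the attirenepal.com address (198.51.100.10, TEST-NET-2) and the
# exact beacon timestamps are placeholders for the demo.
DNS_ANSWERS = [
    # (time, queried name, address in the answer)
    ("2021-09-24 16:44:37", "attirenepal.com", "198.51.100.10"),
    ("2021-09-24 16:46:15", "maldivehost.net", "208.91.128.6"),
]

HTTP_REQUESTS = [
    # (time, dst ip, dst port, method, Host header, URI), all sent by 10.9.23.102
    ("2021-09-24 16:44:38", "198.51.100.10", 80, "GET", "attirenepal.com", "/documents.zip"),
    ("2021-09-24 16:46:16", "208.91.128.6", 80, "POST", "maldivehost.net", "/"),
    ("2021-09-24 16:46:16", "185.125.204.174", 8080, "GET", "ocsp.verisign.com", "/spfpoolh/cacerts.crl"),
    ("2021-09-24 16:46:50", "185.125.204.174", 8080, "GET", "ocsp.verisign.com", "/spfpoolh/cacerts.crl"),
    ("2021-09-24 16:47:24", "185.125.204.174", 8080, "GET", "ocsp.verisign.com", "/spfpoolh/cacerts.crl"),
    ("2021-09-24 16:47:59", "185.125.204.174", 8080, "GET", "ocsp.verisign.com", "/spfpoolh/cacerts.crl"),
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def unresolved_hosts(dns=DNS_ANSWERS, http=HTTP_REQUESTS):
    """Return {(dst_ip, host)} for HTTP requests whose Host header was never
    resolved to that destination by a DNS answer seen earlier in the capture.
    A real client looks the name up first; a beacon with a malleable profile
    just writes a plausible Host header and connects to its hard-coded C2."""
    resolved = defaultdict(set)
    for when, name, addr in dns:
        resolved[name.lower()].add((addr, _ts(when)))
    flagged = set()
    for when, dst, _port, _method, host, _uri in http:
        t = _ts(when)
        backed = any(addr == dst and seen <= t
                     for addr, seen in resolved.get(host.lower(), ()))
        if not backed:
            flagged.add((dst, host))
    return flagged


def beacon_candidates(http=HTTP_REQUESTS, min_hits=3, max_jitter=0.25):
    """Group requests by (dst ip, port, URI), compute inter-arrival gaps and
    return {key: mean gap in seconds} for those that recur at a steady cadence
    (pstdev/mean <= max_jitter, with at least min_hits requests)."""
    by_key = defaultdict(list)
    for when, dst, port, _method, _host, uri in http:
        by_key[(dst, port, uri)].append(_ts(when))
    out = {}
    for key, times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            out[key] = round(avg, 1)
    return out


if __name__ == "__main__":
    for dst, host in sorted(unresolved_hosts()):
        print(f"Host header {host!r} sent to {dst} without a matching DNS answer")
    for (dst, port, uri), gap in beacon_candidates().items():
        print(f"steady cadence to {dst}:{port}{uri}: roughly every {gap}s")
```

A short capture can miss a lookup that happened before the sensor started, and clients cache DNS, so an unresolved Host header is a lead to pivot on (here, to VirusTotal), not proof on its own. Cobalt Strike beacons also add configurable jitter, so relax max_jitter for real data rather than expecting the near-perfect cadence of the constructed records.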


Time to confirm just how shady this party is.

attirenepal[.]com? Yep — flagged as malicious on VirusTotal

maldivehost[.]net? Also bad news.

Q & A

Q1 What was the date and time for the first HTTP connection to the malicious IP? (answer format: yyyy-mm-dd hh:mm:ss)

The first HTTP request is frame 1735, the GET for documents.zip. With the time display set to UTC Date and Time of Day (the answer is expected in UTC, not in your local zone), its timestamp is the answer.

Answer

2021-09-24 16:44:38

Q2 What is the name of the zip file that was downloaded?

We saw this in the initial recon: it is the file requested in frame 1735.

Answer

documents.zip

Q3 What was the domain hosting the malicious zip file?

We checked this one too: it is the Host header of that first GET.

Answer

attirenepal[.]com (defanged)

Q4 Without downloading the file, what is the name of the file in the zip file?

We found this by following the TCP stream of the first packet: ZIP local file headers store entry names in clear text, so the name is readable even though the content is compressed.

Answer

chart-1530076591.xls

Q5 What is the name of the webserver of the malicious IP from which the zip file was downloaded?

We found this one in the same TCP stream, in the Server response header.

Answer

LiteSpeed

Q6 What is the version of the webserver from the previous question?

The Server header itself carries no version, so the room takes the value of the X-Powered-By header in the same response as the answer. Strictly, that is the PHP version behind the site rather than LiteSpeed's own version number.

Answer

PHP/7.2.34
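Everything Q4, Q5 and Q6 ask for sits in the response headers and the first bytes of the ZIP body of that one TCP stream, so it can be pulled out programmatically without ever extracting the archive. The Python below is an added example, not code from the room or from this walkthrough: it builds a stand-in response (constructed here, with a dummy payload; only the Server and X-Powered-By values and the two file names are taken from the stream described above) and parses the HTTP headers and the ZIP local file headers the same way you would read them in Follow TCP Stream.

```python
import io
import struct
import zipfile


def build_sample_response() -> bytes:
    """Constructed stand-in for the attirenepal[.]com response: header values
    from the walkthrough, but a dummy payload instead of the real spreadsheet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # OLE2 magic followed by padding; not a real workbook
        zf.writestr("chart-1530076591.xls",
                    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 60)
    body = buf.getvalue()
    head = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/zip\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Server: LiteSpeed\r\n"
        "X-Powered-By: PHP/7.2.34\r\n"
        "Content-Disposition: attachment; filename=documents.zip\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, header dict, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def zip_local_entry_names(body: bytes):
    """Walk ZIP local file headers (signature PK\\x03\\x04) and return the entry
    names without decompressing anything. Layout: 30 fixed bytes, then the
    name, then the extra field; compressed size sits at offset 18, name length
    at 26, extra length at 28 (all little-endian)."""
    names = []
    off = body.find(b"PK\x03\x04")
    while off >= 0 and off + 30 <= len(body):
        comp_size, name_len, extra_len = struct.unpack_from("<I4xHH", body, off + 18)
        start = off + 30
        names.append(body[start:start + name_len].decode("utf-8", "replace"))
        # Skip the entry's data; if the size is deferred to a data descriptor
        # (comp_size == 0) this simply scans forward for the next signature.
        off = body.find(b"PK\x03\x04", start + name_len + extra_len + comp_size)
    return names


def summarize_download(raw: bytes) -> dict:
    """Answer the Q4-Q6 style questions from a single captured response."""
    status, headers, body = parse_http_response(raw)
    return {
        "status": status,
        "server": headers.get("server"),
        "x-powered-by": headers.get("x-powered-by"),
        "attachment": headers.get("content-disposition"),
        "entries": zip_local_entry_names(body),
    }


if __name__ == "__main__":
    for key, value in summarize_download(build_sample_response()).items():
        print(f"{key}: {value}")
```

The entry name is readable in the raw stream because the local file header stores it uncompressed at a fixed offset. Walking local headers is fine for triage, but a crafted archive can carry different names in the central directory (which extractors actually trust), so for anything evidential check the central directory as well.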

Q7 Malicious files were downloaded to the victim host from multiple domains. What were the three domains involved with this activity?

We now zoom in on a more precise timeframe:

  • The initial infection began at 16:44:38
  • POST traffic to maldivehost[.]net began at 16:46:16

That gives us a clean window to find out what else the victim may have contacted — especially over HTTPS.

Let's start by listing the DNS queries the victim made in that window:

ip.src==10.9.23.102 && dns && frame.time >= "2021-09-24 16:44:38" && frame.time <= "2021-09-24 16:46:16"

Two caveats: frame.time is compared in Wireshark's local timezone, so if your display is set to UTC but your machine is not, shift the bounds or use frame.number between the GET frame (1735) and the first POST frame instead; and older Wireshark releases only accept the "Sep 24, 2021 16:44:38" date form.

This reveals 3 shady domains:

  • finejewels[.]com[.]au
  • thietbiagt[.]com
  • new[.]americold[.]com

To tie the names to addresses, look at the answer records in the DNS responses (the dns.a field) rather than guessing from later traffic:

finejewels[.]com[.]au -> 148[.]72[.]192[.]206

thietbiagt[.]com -> 210[.]245[.]90[.]247

new[.]americold[.]com -> 148[.]72[.]53[.]144

Now let's check the full conversations. Mind the operator precedence: && binds tighter than ||, so a filter written as ip.addr==10.9.23.102 && ip.addr==148.72.192.206 || ip.addr==210.245.90.247 || ip.addr==148.72.53.144 only ties the first address to the victim. Parenthesise the alternatives:

ip.addr==10.9.23.102 && (ip.addr==148.72.192.206 || ip.addr==210.245.90.247 || ip.addr==148.72.53.144)

And for each of the three we find:
– TCP handshake on port 443
– TLS handshake with the domain in the SNI (tls.handshake.extensions_server_name)
– Large encrypted application data flowing back to the victim

The capture cannot show what was inside those TLS sessions, but the sizes and timing line up with the room's premise that further malicious files came from these three domains.

Answer

finejewels[.]com[.]au, thietbiagt[.]com, new[.]americold[.]com

Q8 Which certificate authority issued the SSL certificate to the first domain from the previous question?

The issuer is in the capture itself: filter ip.addr==148.72.192.206 && tls.handshake.type==11, open the Certificate message the server sent and read the issuer of the leaf certificate. VirusTotal's details for the domain show the same CA if you want a second source.

Answer

GoDaddy

Q9 What are the two IP addresses of the Cobalt Strike servers? Use VirusTotal (the Community tab) to confirm if IPs are identified as Cobalt Strike C2 servers. (answer format: enter the IP addresses in sequential order)

We already know the host talked to 185[.]125[.]204[.]174 (port 8080) and 185[.]106[.]96[.]158 (port 80) over plain HTTP with those OCSP-lookalike requests.

Checking both on VirusTotal, the Community tab tags each of them as a Cobalt Strike C2 server.

So those are our two IPs, listed in the order they appear in the capture.

Answer

185[.]125[.]204[.]174, 185[.]106[.]96[.]158

Q10 What is the Host header for the first Cobalt Strike IP address from the previous question?

We saw it at the beginning, but to be precise: filter ip.addr==185.125.204.174 && http and expand Hypertext Transfer Protocol in the first request. The Host header is the giveaway for the malleable profile, since it names a CA's OCSP service while the packet goes to an unrelated IP.

Answer

 ocsp.verisign.com

Q11 What is the domain name for the first IP address of the Cobalt Strike server? You may use VirusTotal to confirm if it's the Cobalt Strike server (check the Community tab).

For this one, filter on the first Cobalt Strike IP:

ip.addr==185.125.204.174 && http

Wireshark can label the address via View > Name Resolution > Resolve Network Addresses, but only if the pcap contains a DNS answer for it; a beacon that connects to a hard-coded IP never triggers one, so the mapping has to come from VirusTotal's Relations or Community tab for 185.125.204.174.

And this is it

Answer

survmeter.live

Q12 What is the domain name of the second Cobalt Strike server IP?  You may use VirusTotal to confirm if it's the Cobalt Strike server (check the Community tab).

Same drill with ip.addr==185.106.96.158 && http and the VirusTotal entry for that IP.

Answer

securitybusinpuff.com

Q13 What is the domain name of the post-infection traffic?

We noticed this in the initial recon. To pin it down, filter on the victim's POST requests and read the Host header:

ip.addr==10.9.23.102 && http.request.method=="POST"

Answer

maldivehost.net

Q14 What are the first eleven characters that the victim host sends out to the malicious domain involved in the post-infection traffic?

Follow the HTTP stream of the first POST to maldivehost[.]net; the request body starts with these eleven characters.

Answer

zLIisQRWZI9

Q15 What was the length for the first packet sent out to the C2 server?

Look at the Length column (frame.len) of that same first POST frame.

Answer

281

Q16 What was the Server header for the malicious domain from the previous question?

Follow the HTTP stream of the POST we are inspecting and read the Server header in the response.

Answer

Apache/2.4.49 (cPanel) OpenSSL/1.1.1l mod_bwlimited/1.4

Q17 The malware used an API to check for the IP address of the victim’s machine. What was the date and time when the DNS query for the IP check domain occurred? (**answer format**: yyyy-mm-dd hh:mm:ss UTC)

Look for DNS traffic from the victim that mentions an API host (dns.qry.name contains "api" works as well):

ip.addr==10.9.23.102 && dns && frame contains "api"

Answer

2021-09-24 17:00:04

Q18 What was the domain in the DNS query from the previous question?

It is the dns.qry.name of the frame found in the previous question.

Answer

api.ipify.org

Q19 Looks like there was some malicious spam (malspam) activity going on. What was the first MAIL FROM address observed in the traffic?

Filter on smtp, then narrow to the MAIL FROM commands with smtp.req.command == "MAIL"; the first one in the list is the answer.

Answer

farshin@mailfa.com

Q20 How many packets were observed for the SMTP traffic?

We close with an easy one: apply the smtp filter and read the Displayed count in the status bar at the bottom.

Answer

1439

Conclusion

So, what have we learned?

  • Don’t open ZIP files from sketchy fashion domains unless you’re dying to join a Cobalt Strike fan club.
  • If your XLS file comes with a side of LiteSpeed and PHP/7.2, it’s not a spreadsheet — it’s a life choice.
  • And if your machine suddenly starts making friends with servers named maldivehost[.]net and securitybusinpuff[.]com, it’s time to pack it up and go back to paper.

From ZIP to beacon to exfil, Carnage delivered a full buffet of “don’t do this in production”, served with just enough misdirection and encrypted traffic to keep any SOC analyst awake at night.

On to the next incident. Preferably one with fewer GIFs and more firewalls.

$ Whoami

Cybersecurity learner, log nerd, and TryHackMe badge hoarder. Let’s connect on LinkedIn before I get pulled into another packet capture.