Warzone 2

TryHackMe Challenge Walkthrough

Challenge Overview

You work as a Tier 1 Security Analyst (L1) for a Managed Security Service Provider (MSSP). Again, you're tasked with monitoring network alerts.

An alert triggered: **Misc activity**, **A Network Trojan Was Detected**, and **Potential Corporate Privacy Violation**. 

The case was assigned to you. Inspect the PCAP and retrieve the artifacts to confirm this alert is a true positive. 

Your tools:

– Brim

– Network Miner

– Wireshark

Q & A

Q1 What was the alert signature for A Network Trojan was Detected?

We need to find an alert signature, so we can use Brim and check whether any alert was triggered.

– Open Brim
– Choose the zone2.pcap file
– Select the query "Suricata Alerts by Source and Destination"

An alert pops up immediately about "a network trojan was detected" on the IP 185.11.164.8

So let's do a new search with that value and take a look at what happened on that IP.

We can see an alert about a trojan download; double-click the log to read the details and we get our signature.

Answer

ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2

Q2 What was the alert signature for Potential Corporate Privacy Violation?

In the initial look at our IP we had 2 alerts, so same drill for the other alert.

Answer

ET POLICY PE EXE or DLL Windows file download HTTP

Q3 What was the IP to trigger either alert? Enter your answer in a defanged format.

We see that a lot of stuff happens between our victim and this one IP, which we already know from the preceding 2 questions. Just defang it with CyberChef (or add those [.] by hand, not that hard >D)

Answer

185[.]118[.]164[.]8

Q4 Provide the full URI for the malicious downloaded file. In your answer, defang the URI.

The log right after the trojan alert was an HTTP request, flagged as "http". Looking in the details, we find our answer in the left column, and in the right column the confirmation that this request is correlated with the following chain of events.

The full URL is the combination of the host and uri fields, then defanged with CyberChef.

Answer

awh93dhkylps5ulnq-be[.]com/czwih/fxla[.]php?l=gap1[.]cab

Q5 What is the name of the payload within the cab file?

We already saw in the previous question that the correlation chain is:
– connection
– http
– files (file gap1.cab)
– alert 51
– alert 53
– alert 51
– notice (payload)
 
Open the log flagged "notice" and follow the VirusTotal link for the file hash.

We find the name associated with the hash, and the confirmation that this is no good news for our host.

Answer

draw.dll

Q6 What is the user-agent associated with this network traffic?

We already noticed it in the HTTP traffic.

Answer

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E)

Q7 What other domains do you see in the network traffic that are labelled as malicious by VirusTotal? Enter the domains defanged and in alphabetical order. (format: domain[.]zzz,domain[.]zzz)

For this I would pick the query "HTTP Requests" and take a look at what we have.

We have many domains generating network traffic with encoded payloads.

We can filter on status_code==200 to check which of those are actually interesting.

And 2 domains pass the bouncer.

A quick look at the VirusTotal RELATIONS tab confirms that both domains are labelled as malicious.

Defang them with CyberChef to get the answer.

Answer

a-zcorner[.]com,knockoutlights[.]com

Q8 There are IP addresses flagged as Not Suspicious Traffic. What are the IP addresses? Enter your answer in numerical order and defanged. (format: IPADDR,IPADDR)

The initial query "Suricata Alerts by Source and Destination" showed us 2 alerts classified as "Not Suspicious Traffic".

Defang the two IPs as usual to get the answer.

Answer

64[.]225[.]65[.]166,142[.]93[.]211[.]176

Q9 For the first IP address flagged as Not Suspicious Traffic. According to VirusTotal, there are several domains associated with this one IP address that was flagged as malicious. What were the domains you spotted in the network traffic associated with this IP address? 

Let's start by checking the first IP on VirusTotal and looking at the Relations tab for what is reported under Passive DNS Replication.

There are many domains there; now let's look in Brim and use the query "Unique DNS Queries", filtering by the IP.

And we get our answer (of course, as usual, defang with CyberChef).

Answer

safebanktest[.]top, tocsicambar[.]xyz, ulcertification[.]xyz

Q10 Now for the second IP marked as Not Suspicious Traffic. What was the domain you spotted in the network traffic associated with this IP address?

Again, same drill, different IP.

This one has a huge list of domains on VirusTotal.

Only one of them shows up in the network traffic; defang it and finish this challenge!

Answer

2partscow[.]top
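The pivots used in Q4, Q7 and Q9/Q10 (joining host and uri, keeping only hosts that answered status_code 200, filtering unique DNS queries by the resolved IP, then defanging) as an added Python example over constructed Zeek-style records; this is not code from the original post or from Brim. The MALICIOUS set, the 203.0.113.x/198.51.100.x addresses and example-cdn.net are assumptions standing in for the VirusTotal lookups and for benign background traffic.

```python
"""Zeek-style pivots from this walkthrough (Q4, Q7, Q9/Q10) in plain Python.

Example code added to this write-up, not part of the original post or of
Brim/Zeek. Records carry only the fields the post reads.
"""

# Constructed http.log-style records. 185.118.164.8 and the hostnames come from
# the walkthrough; 203.0.113.x addresses and example-cdn.net are made up.
HTTP_LOG = [
    {"id.resp_h": "185.118.164.8", "host": "awh93dhkylps5ulnq-be.com",
     "uri": "/czwih/fxla.php?l=gap1.cab", "status_code": 200},
    {"id.resp_h": "203.0.113.5", "host": "knockoutlights.com",
     "uri": "/post.php", "status_code": 200},
    {"id.resp_h": "203.0.113.6", "host": "a-zcorner.com",
     "uri": "/post.php", "status_code": 200},
    {"id.resp_h": "203.0.113.7", "host": "example-cdn.net",
     "uri": "/post.php", "status_code": 404},
]

# Constructed dns.log-style records: query name plus the resolved answers.
DNS_LOG = [
    {"query": "safebanktest.top", "answers": ["64.225.65.166"]},
    {"query": "tocsicambar.xyz", "answers": ["64.225.65.166"]},
    {"query": "ulcertification.xyz", "answers": ["64.225.65.166"]},
    {"query": "2partscow.top", "answers": ["142.93.211.176"]},
    {"query": "updates.example-cdn.net", "answers": ["198.51.100.9"]},
]

# Stand-in for the VirusTotal "malicious" verdicts (constructed, not a lookup).
MALICIOUS = {"awh93dhkylps5ulnq-be.com", "knockoutlights.com", "a-zcorner.com"}

def defang(value):
    """Q3: break every '.' so the indicator cannot be clicked or resolved."""
    return value.replace(".", "[.]")

def full_uri(record):
    """Q4: the downloaded file's URI is host and uri joined, as Brim shows them."""
    return record["host"] + record["uri"]

def other_malicious_hosts(http_log, malicious, exclude=()):
    """Q7: hosts that answered 200 and are flagged malicious, minus the download
    host already reported; defanged and alphabetical, in the answer format."""
    hosts = {r["host"] for r in http_log
             if r["status_code"] == 200 and r["host"] in malicious
             and r["host"] not in exclude}
    return ",".join(defang(h) for h in sorted(hosts))

def domains_resolving_to(dns_log, ip):
    """Q9/Q10: unique query names whose answers include the IP, defanged."""
    return sorted({defang(r["query"]) for r in dns_log if ip in r["answers"]})
```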

Conclusion

So what did we just witness?

A poor machine happily fetched a shady .cab file from a knockoff-looking domain, unwrapped a juicy draw.dll payload, and strolled straight into the claws of Cridex malware — all while sending GET requests like it was just browsing cat memes.

Suricata kindly screamed “Network Trojan,” VirusTotal lit up like a Christmas tree, and the user-agent tried to pretend it was Internet Explorer 7. On Windows 10. Bold move.

Along the way, we uncovered:

  • Malicious downloads hiding behind msxmlhttp tricks
  • Multiple shady domains with classic callback behavior
  • Correlation across Suricata alerts, PCAP artifacts, and DNS queries
  • Evidence of corporate policy violations and exfil possibilities

This wasn’t just packet inspection — it was network archaeology.

Time to reimage that host. And maybe send a polite email to the user with “stop clicking stuff” in 72pt Comic Sans.


$ Whoami

Cybersecurity learner, log nerd, and TryHackMe badge hoarder. Let’s connect on LinkedIn before I get pulled into another packet capture.