Class: CYBR-405

Notes:

1. Overview

In order to understand this lab, it is necessary to become familiar with the basic Wireshark layout to identify network protocols and the search feature to filter packets in Wireshark.

In Figure 1 the different areas of Wireshark are shown. For this lab, each exercise will require a search using the display filter at the top, and the expansion of the data in frame details. Various information about the network traffic including IP source and destination, as well as port numbers, and other information is shown in the column display. You will need to analyze the column display to select a packet of interest and expand the data below to investigate further. You can also change the column view to display more relevant information based on the search criteria.

A complete guide to Wireshark documentation can be found here - https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroFeatures

An example of a Kerberos attack and how it works can be found here - https://medium.com/@robert.broeckelmann/kerberos-wireshark-captures-a-windows-login-example-151fabf3375a

2. Lab Tasks

2.1 Task 1

What is the MAC address of the Windows client at 192.168.2.147?
Hint: how do you search by IP address in Wireshark?

Answer: bc:5f:f4:a6:d1:29

Used Wireshark display filter ip.addr == 192.168.2.147 to isolate traffic. Selected a packet and expanded the Ethernet II header. Matched the IP address in the IPv4 section to determine the corresponding MAC address.

Process

1. Open PCAP file
2. Use a display filter to find the IP: ip.addr == 192.168.2.147
3. Click on any packet
4. Expand the Ethernet II section to see the source and destination MAC addresses.
5. Identify which MAC belongs to 192.168.2.147
   • Expand the Internet Protocol Version 4 section in the same packet
   • Match IP to MAC address
     • In my case the source IP is 192.168.2.147, therefore its MAC address is the source MAC address: bc:5f:f4:a6:d1:29
       

2.2 Task 2

What is the host name for the Windows client at 192.168.2.147?
Hint: What is NetBIOS Name Service?

Answer: LYAKH-WIN7-PC

Applied the filter nbns && ip.addr == 192.168.2.147 to identify NetBIOS Name Service traffic. Observed NBNS registration packets containing multiple names. The hostname of the Windows client is identified as LYAKH-WIN7-PC, while the other name corresponds to a domain/workgroup (DNIPROMOTORS).

Process

1. Filter for NBNS traffic and narrow it down to our IP
   • nbns && ip.addr == 192.168.2.147
2. Look for "Name query" or "Name registration" packets
   
3. Click a packet and expand NBNS
4. In the Packet Details pane, expand: NetBIOS Name Service
   

When multiple NBNS names appear:

If you expand one of those packets, you’ll see:

• <00> → workstation name (hostname)
• <20> → file server service

2.3 Task 3

Based on the Kerberos traffic, what is the Windows user account name used on 192.168.2.147?

Hint: Note the username is different from the name of the Windows client. These may be a helpful reference

• https://medium.com/@robert.broeckelmann/kerberos-wireshark-captures-a-windows-login-example-151fabf3375a
• https://www.golinuxcloud.com/kerberos-auth-packet-analysis-wireshark/

Answer: jermija.lyakh

I filtered on Kerberos traffic in Wireshark and inspected AS-REQ packets associated with the Windows client. In the Kerberos request body, I expanded the cname field and found CNameString: jermija.lyakh, which identifies the Windows user account name. The value lyakh-win7-pc corresponds to the host name, not the user account.

Process

Start with this display filter:

kerberos && ip.addr == 192.168.2.147

That limits you to Kerberos packets involving the Windows client. Kerberos login traffic commonly includes AS-REQ, AS-REP, TGS-REQ, and TGS-REP messages, and the username is typically visible in the request-side fields.

Now click one of the early AS-REQ packets if you see them. Those are usually the clearest for username discovery. In the middle pane, expand:

• Kerberos
• then the request body / principal fields
• look for a field named cname, CNameString, or anything showing Client Name

In Kerberos, cname is the client principal name, which is the user account being authenticated.

2.4 Task 4

What is the URL that returns a Windows executable file?
Hint - HTTP GET requests are used to request data from URLs

Answer: http://micropcsystem.com/hojuks/vez.exe

Applied the filter http.request.method == "GET" to identify HTTP requests made by the infected host. Located a GET request for a Windows executable file (.exe) and examined the HTTP details. The full request URI was found to be **http://micropcsystem.com/hojuks/vez.exe, which corresponds to the downloaded executable.

Process

Filter HTTP traffic and narrow to GET requests: http.request.method == "GET"

Click through packets and in the middle pane expand: Hypertext Transfer Protocol

You’ll see something like:

• Note that this GET request is requesting a /hojuks/vex.exe file
• This could be a virus!

To get the full URL we just combine:

http:// + Host + Request URI

So the URL we are looking for is:

http://micropcsystem.com/hojuks/vez.exe

• It’s an HTTP GET request
• It downloads a file ending in .exe
• It originates from the infected machine (192.168.2.147)

2.5 Task 5

What is the SHA256 file hash of the Windows executable file returned from that URL?

Do NOT run or open this file on your computer!

• All you need to do is run a SHA256 check on the file from the command line. If you want to play around with the file please open in a sandbox like anyrun.com

Hint: This reference may help: https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/

Answer: 43092b2993c9d9cfab01aa340bc378cad547ae0938c6803cb580271139798765

Used Wireshark’s "Export Objects > HTTP" feature to extract the executable file downloaded from the identified URL. Saved the file locally without executing it. Computed the SHA256 hash using the command: sha256sum vez.exe.

Process

Export the file from Wireshark

• In Wireshark go to: File → Export Objects → HTTP

Then:

1. Click the .exe file
2. Click Save
3. Save it somewhere like: Downloads/vez.exe

Open terminal and run:

┌──(kali㉿kali)-[~/Downloads]
└─$ sha256sum vez.exe
43092b2993c9d9cfab01aa340bc378cad547ae0938c6803cb580271139798765  vez.exe

2.6 Task 6

Upload the file hash to VirusTotal.com and report your findings. What kind of malware is this? Can you investigate further and explain how this malware works?

Answer: Trojan (fareit family)

After uploading the SHA256 hash to VirusTotal, the file was flagged as malicious by 65 out of 72 security vendors. Most vendors classify it as a Trojan, specifically part of the Fareit (also known as Pony) malware family.

Fareit is a type of credential-stealing malware that mainly targets Windows systems. Its main goal is to steal sensitive information from the victim's computer, especially saved credentials like usernames and passwords. It can extract data from web browsers, FTP clients, email applications, and cryptocurrency wallets.

Once the malware is executed, it runs in the background without the user noticing and begins collecting information about the system and stored credentials. It can also bypass or disable some security protections, making it harder to detect. After gathering the data, the malware sends the stolen information to a command-and-control server, where attackers can access it. This data is often used for financial gain and illicit activity.

Another important aspect of Fareit is that it may be able to download and install additional malware on the infected system. This can lead to further compromise or turn the system into part of a botnet.

Overall from what I have researched, Fareit is considered a highly effective and widely used malware because it combines credential theft, persistence, and additional payloads. All of this makes it a serious virus.

Process

Key indicators:

• 65/72 vendors flagged it as malicious → extremely high confidence
• Threat category: trojan
• Popular threat label: trojan.fareit/diqu
• Family labels: fareit, diqu, hploki

What is a Fareit/Pony malware?

• Credential Stealer Trojan
• It is designed to:
  • Steal saved passwords
  • Extract browser data
  • Collect FTP / VPN / email credentials
  • Send them to an attacker-controlled server

How it works?

• Step 1 — Infection
  • User downloads .exe
  • Executes it → malware runs
• Step 2 — Data harvesting
  • It searches the system for:
    • Browser passwords (Chrome, Firefox, IE)
    • Cookies and session tokens
    • Stored credentials (FTP clients, email apps)
• Step 3 — Persistence
  • From the screenshot tags:
    • persistence
    • runtime-modules
    • long-sleeps
  • This means it:
    • Stays on the system after reboot
    • Avoids detection (sleeps / delays execution)
    • Loads components dynamically
• Step 4 - Exfiltration
  • Sends stolen data to a Command & Control (C2) server
  • Often via HTTP POST requests
• Step 5 — Additional payloads (sometimes)
  • Can download more malware
  • Turn system into part of a botnet