Ask Your Question
0

Give me a hint

asked 2019-09-18 18:19:46 +0000

ObiDiss gravatar image

Hello, My name is Bob and i am new here. I am learnig to work with wireshark myself and trying to improve myself. A cybercrimeteam send me a pcapng file and asked me this. Quote: we intercept traffic in a ransomware case. Can you find out if the ransomware was sent? I have the ip adres and email adres from the ransomguy. It was sent thru SMTP How can i see if the ransome software was sent with the found mail? I Hope someone can help me.

With regards bob

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-09-19 02:56:04 +0000

Spooky gravatar image

updated 2019-09-19 02:57:19 +0000

Hi Bob,

You can start by looking at who was the sender and recipient of mail using SMTP filters.

After a client connect to an SMTP servers, the commands are (very) basically this:

mail from:[email protected]
rcpt to:[email protected]
data
<TEXT GOES HERE>
. (dot to signal)

You can use smtp.req.command == "mail" to display packets where the sender email is entered.

You can use smtp.req.command == "rcpt" to display packets where the recipient of an email is entered.

You can then see if any email look suspicious.

You then would need to look at all packets for that SMTP session to find out if the email did go through.

It's probably best to use "Follow TCP Stream" when you want to look at all packets.

You can use the following filters to dig deeper but may need to use them with tcp.stream == <streamID> &&

You could look for "250" response code containing "Message accepted for delivery" but this message would be very dependent on the software used on the SMTP server. It may not be there at all.

Trying this filter smtp.response.code == 250 is a start but all successful SMTP commands may return code 250.

This filter is probably better smtp.response.code == 250 && smtp.rsp.parameter contains "accepted for delivery"

Again, not sure what the server will respond with if anything at all. (It's ransomware after all)

You should look at RFC 5321 for more information on the SMTP protocol.

Hope this helps.

Cheers,

Spooky

edit flag offensive delete link more

Comments

Hi Spooky,

Thanks for the reply. I will try it immediatly.

Cheers,

Bob

ObiDiss gravatar imageObiDiss ( 2019-09-19 09:12:27 +0000 )edit

Hi again,

I have found the specific e-mail. It contains a zip file... Here i will put the stream.

+OK Dovecot ready.
**CAPA**
+OK
CAPA
TOP
UIDL
RESP-CODES
PIPELINING
AUTH-RESP-CODE
USER
SASL PLAIN
.
**AUTH PLAIN**
+
AGppbWhlbmRyYXh4AGppbW15aXNiYWFzIQ==
+OK Logged in.
STAT
+OK 2 2296
LIST
+OK 2 messages:
1 826
2 1470
**.
UIDL**
+OK
1 a2dbd506b264f8b93a9f7002201cb67e
2 c5e058d672f725176a448d3a1ec2f717
.
**RETR 2**
+OK 1470 octets
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from [172.217.20.69] (gmail.com [172.217.20.69])
    by snel-adsl.nl (Postfix) with ESMTP id F2F09201732
    for <[email protected]>; Fri, 24 Apr 2019 13:30:34 +0200

(CEST)
To: [email protected]
From: z3r0b3t404 <[email protected]>
Subject: ransom
Message-ID: <[email protected]>
Date: Fri, 24 Apr 2019 13:30:34 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0 ...
(more)
ObiDiss gravatar imageObiDiss ( 2019-09-19 11:46:54 +0000 )edit

That's not SMTP, that's IMAP. It's not a transcript of an SMTP session in which a client is sending the message, it's a transcript of an IMAP session in which a mail reading program is reading the message from the server to which it was delivered. Everything after +OK 1470 octets is the message being read.

If you want to find out what's in the zip file, you'll have to convert it from the Base 64 encoding used to binary, and then use some tool that can list files in, and extract files from, a ZIP archive.

Guy Harris gravatar imageGuy Harris ( 2019-09-19 16:03:24 +0000 )edit

Hi,

Ow well ok. I just followed the stream and found the mail. But thanks anyway

ObiDiss gravatar imageObiDiss ( 2019-09-19 19:06:54 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-09-18 18:19:46 +0000

Seen: 4,080 times

Last updated: Sep 19 '19

Related questions

tshark smtp filter decode.

Capturing SMTP traces

Info column SMTP shows "| | |" instead of the protocol commands

Dissector to parse smtp with specific content, but let normal smtp dissector handle it otherwise.

percentage of each TLS protocol in a pcap file

How can I identify number of recipients and attachment's size in ESMTP encrypted emails ?

TCP Retransmissions - SMTP using TLS

Interpretting packet data

Auth Plain problem [closed]

Plugin I built not loading with current Wireshark 4.0.3 install

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2