Evil Corp's Child 2
Challenge:
The malware uses four different ip addresses and ports for communication, what IP uses the same port as https? Submit the flag as:
flag{ip address}
Use the file from Evil Corp's Child.
Solution:
Using the Zeek logs produced during Evil Corp's Child 1, I search files.log for the sample's MD5 to get the timestamp at which the malware was downloaded (1595629994.362662). HTTPS means port 443, so I search ssl.log for every connection to that port after the download timestamp and filter out Microsoft-related noise by certificate issuer.
The zeek-cut utility outputs selected fields from a log by name. I extract the timestamp, destination IP, destination port, and the SSL certificate issuer (so Microsoft-issued certificates can be filtered out). The timestamp comparison in awk is a string comparison, which is fine here because Zeek timestamps all have the same width; the port is matched as a whole field rather than with grep's "\t443", which would also match ports such as 4430.
$ /opt/zeek/bin/zeek-cut ts id.resp_h id.resp_p issuer < ssl.log | awk '$1 > "1595629994.362662" && $3 == "443"' | grep -iv microsoft
1595631188.775092 213.136.94.177 443 CN=9mutiothesse.Ofyagewi.finance,O=Ongndwan Mwidin LLC.,L=Luxembourg,C=LU
1595631941.295009 213.136.94.177 443 CN=9mutiothesse.Ofyagewi.finance,O=Ongndwan Mwidin LLC.,L=Luxembourg,C=LU
1595632723.503151 213.136.94.177 443 CN=9mutiothesse.Ofyagewi.finance,O=Ongndwan Mwidin LLC.,L=Luxembourg,C=LU
There are three connections that match and all have the same destination IP. The complete flag is flag{213.136.94.177}
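The same filter reimplemented in Python, as an added example rather than code from the writeup: it reads field names from the log's own #fields header (which is what zeek-cut does for you) instead of hard-coding column numbers, compares timestamps exactly with Decimal, and matches the port as a whole value. The ssl.log content below is constructed for the example; the 203.0.113.x and 198.51.100.x addresses, uids and the port-4430 distractor are placeholders, not data from the challenge capture.

```python
"""Filter a Zeek ssl.log for post-download TLS connections to 443, excluding
Microsoft-issued certificates. Added example; not the writeup's own code."""
from collections import Counter
from decimal import Decimal

# Constructed sample ssl.log in Zeek's TSV format (header lines start with '#').
# The only values taken from the writeup are 213.136.94.177 and its issuer string.
SAMPLE_SSL_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name\tissuer
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring
1595629000.000000\tCabc1\t10.0.0.5\t50001\t203.0.113.10\t443\tTLSv12\tlogin.live.com\tCN=Microsoft RSA TLS CA 01,O=Microsoft Corporation,C=US
1595631188.775092\tCabc2\t10.0.0.5\t50002\t213.136.94.177\t443\tTLSv12\t-\tCN=9mutiothesse.Ofyagewi.finance,O=Ongndwan Mwidin LLC.,L=Luxembourg,C=LU
1595631300.000000\tCabc3\t10.0.0.5\t50003\t203.0.113.11\t443\tTLSv12\t-\tCN=Microsoft Azure TLS Issuing CA 05,O=Microsoft Corporation,C=US
1595631400.000000\tCabc4\t10.0.0.5\t50004\t198.51.100.9\t4430\tTLSv12\t-\tCN=example.test,O=Example,C=US
1595631941.295009\tCabc5\t10.0.0.5\t50005\t213.136.94.177\t443\tTLSv12\t-\tCN=9mutiothesse.Ofyagewi.finance,O=Ongndwan Mwidin LLC.,L=Luxembourg,C=LU
#close\t2020-07-25-00-00-00
"""

DOWNLOAD_TS = "1595629994.362662"  # files.log timestamp of the malware download


def parse_zeek_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # #separator, #types, #close and friends carry no records
        if fields is None:
            raise ValueError("record seen before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def post_download_tls(text, download_ts, port="443", noise="microsoft"):
    """Records after download_ts to `port` whose issuer does not mention `noise`."""
    cutoff = Decimal(download_ts)  # exact, unlike a float comparison of 16-digit stamps
    hits = []
    for rec in parse_zeek_log(text):
        if Decimal(rec["ts"]) <= cutoff:
            continue
        if rec["id.resp_p"] != port:  # whole-field match; a regex "\t443" would also hit 4430
            continue
        if noise in rec["issuer"].lower():
            continue
        hits.append(rec)
    return hits


def candidate_ips(text, download_ts):
    """Count matching connections per destination IP; the flag is the surviving key."""
    return Counter(r["id.resp_h"] for r in post_download_tls(text, download_ts))


if __name__ == "__main__":
    for rec in post_download_tls(SAMPLE_SSL_LOG, DOWNLOAD_TS):
        print(rec["ts"], rec["id.resp_h"], rec["id.resp_p"], rec["issuer"])
    print(candidate_ips(SAMPLE_SSL_LOG, DOWNLOAD_TS))
```

On the sample log the Microsoft entry after the download and the port-4430 entry are both dropped, leaving only the two 213.136.94.177 connections; on a real capture, point parse_zeek_log at the contents of ssl.log and keep the cutoff from files.log.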