
Give me a hint

Hello, my name is Bob and I am new here. I am learning to work with Wireshark myself and trying to improve myself. A cybercrime team sent me a pcapng file and asked me this. Quote: we intercept traffic in a ransomware case. Can you find out if the ransomware was sent? I have the IP address and email address from the ransomguy. It was sent through SMTP. How can I see if the ransom software was sent with the found mail? I hope someone can help me.

With regards, Bob

ObiDiss
asked 2019-09-18 18:19:46 +0000

1 Answer


Hi Bob,

You can start by looking at who was the sender and recipient of mail using SMTP filters.

After a client connects to an SMTP server, the commands are (very) basically this:

mail from:[email protected]
rcpt to:[email protected]
data
<TEXT GOES HERE>
. (dot to signal)

You can use smtp.req.command == "mail" to display packets where the sender email is entered.

You can use smtp.req.command == "rcpt" to display packets where the recipient of an email is entered.

You can then see if any email looks suspicious.

You then would need to look at all packets for that SMTP session to find out if the email did go through.

It's probably best to use "Follow TCP Stream" when you want to look at all packets.

You can use the following filters to dig deeper but may need to use them with tcp.stream == <streamID> &&

You could look for "250" response code containing "Message accepted for delivery" but this message would be very dependent on the software used on the SMTP server. It may not be there at all.

Trying this filter smtp.response.code == 250 is a start but all successful SMTP commands may return code 250.

This filter is probably better smtp.response.code == 250 && smtp.rsp.parameter contains "accepted for delivery"

Again, not sure what the server will respond with if anything at all. (It's ransomware after all)

You should look at RFC 5321 for more information on the SMTP protocol.

Hope this helps.

Cheers,

Spooky

Spooky
answered 2019-09-19 02:56:04 +0000, updated 2019-09-19 02:57:19 +0000

Comments

Hi Spooky,

Thanks for the reply. I will try it immediately.

Cheers,

Bob

ObiDiss's avatar ObiDiss (2019-09-19 09:12:27 +0000) edit

Hi again,

I have found the specific e-mail. It contains a zip file... Here I will put the stream.

+OK Dovecot ready.
**CAPA**
+OK
CAPA
TOP
UIDL
RESP-CODES
PIPELINING
AUTH-RESP-CODE
USER
SASL PLAIN
.
**AUTH PLAIN**
+
AGppbWhlbmRyYXh4AGppbW15aXNiYWFzIQ==
+OK Logged in.
STAT
+OK 2 2296
LIST
+OK 2 messages:
1 826
2 1470
.
**UIDL**
+OK
1 a2dbd506b264f8b93a9f7002201cb67e
2 c5e058d672f725176a448d3a1ec2f717
.
**RETR 2**
+OK 1470 octets
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from [172.217.20.69] (gmail.com [172.217.20.69])
    by snel-adsl.nl (Postfix) with ESMTP id F2F09201732
    for <[email protected]>; Fri, 24 Apr 2019 13:30:34 +0200 (CEST)
To: [email protected]
From: z3r0b3t404 <[email protected]>
Subject: ransom
Message-ID: <[email protected]>
Date: Fri, 24 Apr 2019 13:30:34 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0 ...
ObiDiss's avatar ObiDiss (2019-09-19 11:46:54 +0000) edit

That's not SMTP, that's IMAP. It's not a transcript of an SMTP session in which a client is sending the message, it's a transcript of an IMAP session in which a mail reading program is reading the message from the server to which it was delivered. Everything after +OK 1470 octets is the message being read.

If you want to find out what's in the zip file, you'll have to convert it from the Base 64 encoding used to binary, and then use some tool that can list files in, and extract files from, a ZIP archive.

Guy Harris's avatar Guy Harris (2019-09-19 16:03:24 +0000) edit
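As an added example (not code from anyone in this thread), here is a small Python script that applies Spooky's checks to an SMTP session saved as text from Wireshark's Follow TCP Stream, and then does what Guy Harris describes for the attachment: it reads the envelope, treats the message as delivered only when the server answers the terminating "." with a 250 (the reply text itself varies between MTAs, so the code is checked rather than a phrase), and decodes any base64 zip attachment just far enough to list its entry names. The session, hosts, addresses, queue id and the zip itself are all constructed in memory.

```python
import base64
import io
import zipfile
from email import message_from_string, policy

def build_sample_stream() -> str:
    """Constructed SMTP session laid out like a Wireshark 'Follow TCP Stream' ASCII dump.
    Hosts, addresses and queue id are invented; the zip attachment is built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "harmless sample file inside the constructed attachment\n")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return "\n".join([
        "220 mail.example.test ESMTP", "EHLO client.example.test", "250 mail.example.test",
        "MAIL FROM:<sender@example.test>", "250 2.1.0 Ok",
        "RCPT TO:<victim@example.test>", "250 2.1.5 Ok",
        "DATA", "354 End data with <CR><LF>.<CR><LF>",
        "From: sender@example.test", "To: victim@example.test", "Subject: ransom",
        "MIME-Version: 1.0", 'Content-Type: multipart/mixed; boundary="b1"', "",
        "--b1", 'Content-Type: application/zip; name="payload.zip"',
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="payload.zip"', "", b64, "--b1--",
        ".", "250 2.0.0 Ok: queued as PLACEHOLDERID", "QUIT", "221 2.0.0 Bye",
    ])

def analyse_stream(stream: str) -> dict:
    """Record the envelope, capture the DATA body, and flag the message as accepted only
    when the server answers the terminating '.' with a 250; list zip entry names."""
    result = {"mail_from": None, "rcpt_to": [], "accepted": False, "attachments": []}
    lines, body, i = stream.split("\n"), None, 0
    while i < len(lines):
        if lines[i].upper().startswith("MAIL FROM:"):
            result["mail_from"] = lines[i].split(":", 1)[1].strip("<> ")
        elif lines[i].upper().startswith("RCPT TO:"):
            result["rcpt_to"].append(lines[i].split(":", 1)[1].strip("<> "))
        elif lines[i].upper() == "DATA" and i + 1 < len(lines) and lines[i + 1].startswith("354"):
            i, body_lines = i + 2, []
            while i < len(lines) and lines[i] != ".":
                # undo SMTP dot-stuffing: a content line beginning with '.' travels as '..'
                body_lines.append(lines[i][1:] if lines[i].startswith("..") else lines[i])
                i += 1
            body = "\n".join(body_lines)
            result["accepted"] = i + 1 < len(lines) and lines[i + 1].startswith("250")
        i += 1
    if body is not None:  # only attachment names are listed; nothing is extracted or run
        for part in message_from_string(body, policy=policy.default).iter_attachments():
            data = part.get_payload(decode=True)
            names = zipfile.ZipFile(io.BytesIO(data)).namelist() if zipfile.is_zipfile(io.BytesIO(data)) else []
            result["attachments"].append((part.get_filename(), len(data), names))
    return result
```

To run it against a real capture, save the stream from Follow TCP Stream as ASCII and pass the file contents to analyse_stream; a session that ends without a 250 after the "." line, or is cut off before it, is reported as not accepted.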

Hi,

Oh well, ok. I just followed the stream and found the mail. But thanks anyway.

ObiDiss's avatar ObiDiss (2019-09-19 19:06:54 +0000) edit