Malware compromise

BTLO challenge, begun on 13.12.2022, finished on 13.12.2022


Ok, unzipping to get the pcap file.

Ok, now I can put this through Wireshark, but I can also run strings on it and try to answer the questions from that. This accomplishes nothing special, I just have one less task to do.

You know, this feels very disingenuous, I don't know why. Let me open up Wireshark lol.

So following the TCP stream shows me the GET /images... request coming from cochrimato.com.

Oh, and the host IP is 10.11.27.101; that's in the first DNS query, and also in the Endpoints view.

Ok, so filtered by tcp.stream eq 0 (btw, I googled what eq 0, eq 1 means: it's just Wireshark's own numbering of TCP conversations in the order they appear in the capture, so the first stream is 0, then 1, etc.). And the filename is spet10.spr.

http://95.181.198.231/oiioiashdqbwe.rar is the URL from which the post-Dridex malware is retrieved. Got it by following tcp.stream eq 11.

Then, going a little further, we see 10.11.27.101 establishing a connection with 83.166.247.211 and application data being transferred over TLS, after which the next IP is 185.244.150.230, so that's the answer.
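The same triage the writeup does by hand in Wireshark (host IP from the DNS query, HTTP request and filename by tcp.stream index, then the TLS peers), as an added Python example that is not part of the original writeup: it builds a small constructed pcap and parses it with only the standard library. Only the victim address 10.11.27.101 comes from the writeup; the domain, ports and other addresses are made-up placeholders.

```python
import struct, socket
# Builders for constructed Ethernet/IPv4 frames that stand in for the challenge capture.
def _ip(proto, src, dst, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + hdr + l4
def _tcp(sport, dport, payload):  # minimal 20-byte TCP header, PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def _dns_query(name):  # standard query with one A question
    q = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00\x00\x01\x00\x01"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q
HOST = "10.11.27.101"  # victim host from the writeup; the other addresses are RFC 5737 placeholders
FRAMES = [
    _ip(17, HOST, "10.11.27.1", _udp(5353, 53, _dns_query("lure.example"))),
    _ip(6, HOST, "198.51.100.7", _tcp(49152, 80, b"GET /images/spet10.spr HTTP/1.1\r\nHost: lure.example\r\n\r\n")),
    _ip(6, HOST, "203.0.113.9", _tcp(49153, 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00")),  # TLS ClientHello stub
]

def build_pcap(frames):  # classic pcap: 24-byte global header (linktype 1 = Ethernet), 16-byte record headers
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1670889600 + i, 0, len(f), len(f)) + f
    return out

def triage(pcap):  # DNS queries, HTTP requests (with a tcp.stream-style index) and TLS ClientHello peers
    dns, http, tls, streams, off = [], [], [], {}, 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        ip = frame[14:]; l4, proto = ip[(ip[0] & 0x0F) * 4:], ip[9]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        sport, dport = struct.unpack_from("!HH", l4)
        if proto == 17 and dport == 53:  # question name = length-prefixed labels after the 12-byte DNS header
            pl, i, name = l4[8:], 12, []
            while pl[i]:
                name.append(pl[i + 1:i + 1 + pl[i]].decode()); i += 1 + pl[i]
            dns.append((src, ".".join(name)))
        elif proto == 6:  # Wireshark numbers tcp.stream by first appearance of the conversation; mimic that
            idx = streams.setdefault(frozenset({(src, sport), (dst, dport)}), len(streams))
            payload = l4[(l4[12] >> 4) * 4:]
            if payload[:4] in (b"GET ", b"POST"):
                line, hdrs = payload.split(b"\r\n", 1)
                host = next((h[5:].strip().decode() for h in hdrs.split(b"\r\n") if h.lower().startswith(b"host:")), "")
                http.append((idx, dst, host, line.split()[1].decode()))
            elif payload[:1] == b"\x16" and payload[5:6] == b"\x01":  # TLS handshake record carrying a ClientHello
                tls.append((idx, dst))
    return {"dns": dns, "http": http, "tls": tls}
```

Run `triage(build_pcap(FRAMES))` to get the three lists; pointing `triage` at the bytes of a real capture file works the same way for plain Ethernet/IPv4 pcaps.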

Done!
