Let's start investigating the file in Wireshark to try to deduce what happened. We will focus on gathering the following details:
- C2 server IP
- C2 server port
- Infected system IP
- Infected system's port
- Actions performed by the attacker
- Time of the attack
- Duration of the attack
Let's fire up Wireshark and choose Statistics | Conversations | TCP tab:
We can see two conversations, both between 192.168.46.128 and 192.168.46.129, on ports 80 and 4433. Let's apply tcp as the display filter and analyze the output:
We can see that the first TCP packets (23-25) are nothing but the three-way handshake. Next, however, a separate conversation starts at packet 71. Another strange thing is that the port in use is port 80, yet for some reason the data being displayed is...
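To make explicit what Statistics | Conversations is computing, here is an added Python example (not from the book) that parses a raw pcap by hand and summarises each TCP conversation: both endpoints, which side sent the bare SYN (the one that opened the connection, i.e. the infected host in a reverse connection) versus the side that was listening (the C2 server), first-seen time, duration, packet and byte counts. The capture bytes are constructed inline with the two addresses and ports from the text; the client ports and timestamps are made up.

```python
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08                           # TCP flag bits used below

def tcp_frame(ts_us, src, dst, sport, dport, flags, payload=b""):
    """One pcap record holding an Ethernet/IPv4/TCP frame (constructed sample data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp           # zeroed MACs, EtherType IPv4
    sec, usec = divmod(ts_us, 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def tcp_conversations(pcap):
    """Summarise each TCP conversation: endpoints, initiator, timing and volume."""
    convs, off = {}, 24                                     # skip the 24-byte pcap global header
    while off < len(pcap):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                        # only IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        flags, ts = frame[14 + ihl + 13], sec + usec / 1e6
        key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-independent key
        c = convs.setdefault(key, {"client": None, "server": None, "start": ts,
                                   "end": ts, "packets": 0, "bytes": 0})
        c["packets"] += 1
        c["bytes"] += caplen
        c["start"], c["end"] = min(c["start"], ts), max(c["end"], ts)
        if (flags & (SYN | ACK)) == SYN:                    # bare SYN: this side opened it
            c["client"], c["server"] = (src, sport), (dst, dport)
    for c in convs.values():
        c["duration"] = c["end"] - c["start"]
    return convs

# Constructed capture: the infected host opens a session to port 80, then one to port 4433.
INFECTED, C2 = "192.168.46.129", "192.168.46.128"
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    tcp_frame(1_000_000_000, INFECTED, C2, 49152, 80, SYN),
    tcp_frame(1_000_000_100, C2, INFECTED, 80, 49152, SYN | ACK),
    tcp_frame(1_000_000_200, INFECTED, C2, 49152, 80, ACK),
    tcp_frame(1_000_500_000, C2, INFECTED, 80, 49152, PSH | ACK, b"not-http-payload"),
    tcp_frame(1_001_000_000, INFECTED, C2, 49153, 4433, SYN),
    tcp_frame(1_001_000_100, C2, INFECTED, 4433, 49153, SYN | ACK),
    tcp_frame(1_003_500_000, INFECTED, C2, 49153, 4433, PSH | ACK, b"cmd"),
])
```

Running `tcp_conversations` over a real capture file's bytes gives the same client/server, start and duration fields the chapter's checklist asks for; a conversation whose server port is 80 but whose payload is not HTTP is exactly the kind of entry that deserves a closer look.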