Description
Mr. Garcia's company has been robbed of 74,300€ from its bank account. The theft was committed without the knowledge of Mr. Garcia or of the people in charge of IT.
Some of the money has been recovered thanks to the speed with which the bank blocked the destination account, but Mr. Garcia is determined to find out how this unfortunate incident occurred, since he had invested in training security technicians and in purchasing a perimeter antivirus solution for the workstations.
After the incident, we were asked to perform a forensic analysis of the machine, but unfortunately these devices were handled incorrectly and are of no value to our review. Fortunately, before the network failure (it is not known whether it was caused by the incident), the system administrator obtained a file with the network traffic from the same day as the theft from the bank accounts.
Question: What is the attacker's IP?
Resolution
We filtered the traffic down to HTTP packets (it looks like a reverse download from the attacker's host).
There is an HTTP GET in packet #78:
Source: 172.16.65.129
Destination: 167.160.169.66
SHA256("167.160.169.66"): ff3cf619aa72e406c3e7eb2a29c55c6e7fbe2c9556aa4ec27c44586a8c153ed7
Flag is ff3cf619aa72e406c3e7eb2a29c55c6e7fbe2c9556aa4ec27c44586a8c153ed7
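The triage above (keep HTTP GETs, find the one that leaves the internal network, hash the destination) written out as an added example; this is not part of the original write-up, and the packet summaries, including the request path in packet #78, are constructed stand-ins for the capture, with only the two addresses taken from the text.

```python
import hashlib
import ipaddress
from typing import List, NamedTuple, Optional


class Packet(NamedTuple):
    number: int
    src: str
    dst: str
    protocol: str
    info: str


# Constructed packet summaries standing in for the real capture; only the
# addresses of packet #78 come from the write-up, the rest is invented.
PACKETS = [
    Packet(12, "172.16.65.129", "172.16.65.2", "DNS", "Standard query A intranet.local"),
    Packet(13, "172.16.65.2", "172.16.65.129", "DNS", "Standard query response"),
    Packet(40, "172.16.65.129", "172.16.65.10", "HTTP", "GET /intranet/index.html HTTP/1.1"),
    Packet(41, "172.16.65.10", "172.16.65.129", "HTTP", "HTTP/1.1 200 OK"),
    Packet(78, "172.16.65.129", "167.160.169.66", "HTTP", "GET /payload.bin HTTP/1.1"),
    Packet(79, "167.160.169.66", "172.16.65.129", "HTTP", "HTTP/1.1 200 OK (application/octet-stream)"),
]


def outbound_http_gets(packets: List[Packet]) -> List[Packet]:
    """Keep HTTP GETs sent by an internal (private-range) host to a public
    address: a workstation fetching something from outside the network is
    the event the write-up reasons about, while intranet GETs are noise."""
    hits = []
    for p in packets:
        if p.protocol != "HTTP" or not p.info.startswith("GET "):
            continue
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if src.is_private and dst.is_global:
            hits.append(p)
    return hits


def suspect_ip(packets: List[Packet]) -> Optional[str]:
    """Destination of the first outbound GET, or None if there is none."""
    hits = outbound_http_gets(packets)
    return hits[0].dst if hits else None


def flag_for(ip: str) -> str:
    """The challenge flag is the hex SHA-256 of the IP written as a string."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


if __name__ == "__main__":
    ip = suspect_ip(PACKETS)
    print(f"suspect: {ip}\nflag: {flag_for(ip)}")
```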