TShark Challenge I: Teamwork - (T-Shark & Virus Total) (TryHackMe)

Introduction
This room presents you with a challenge to investigate some traffic data as a part of the SOC team. Let's start working with TShark to analyse the captured traffic. We recommend completing the TShark: The Basics and TShark: CLI Wireshark Features rooms first, which will teach you how to use the tool in depth.
Case: Teamwork!
An alert has been triggered: "The threat research team discovered a suspicious domain that could be a potential threat to the organisation."
The case was assigned to you. Inspect the provided teamwork.pcap located in ~/Desktop/exercise-files and create artefacts for detection tooling.
Your tools: TShark, VirusTotal.
Answer the questions below
Investigate the contacted domains.
Investigate the domains by using VirusTotal.
According to VirusTotal, there is a domain marked as malicious/suspicious.
What is the full URL of the malicious/suspicious domain address?
Enter your answer in defanged format.
hxxp[://]www[.]paypal[.]com4uswebappsresetaccountrecovery[.]timeseaways[.]com/

When was the URL of the malicious/suspicious domain address first submitted to VirusTotal?
2017-04-17 22:52:53 UTC
Which known service was the domain trying to impersonate?
PayPal
What is the IP address of the malicious domain?
Enter your answer in defanged format.
184[.]154[.]127[.]226

What is the email address that was used?
Enter your answer in defanged format. (format: aaa[at]bbb[.]ccc)
johnny5alive[at]gmail[.]com

tshark -r ~/Desktop/exercise-files/teamwork.pcap -Y "http.request.method == POST" -T fields -e http.file_data
xBrowser=Mozilla+FireFox+v43&xOperatingSystem=Linux&xPlatForm=Desktop+Platform
user=johnny5alive%40gmail.com&pass=johnny5alive&xBrowser=Mozilla+FireFox+v43&xOperatingSystem=Linux&xPlatForm=Desktop+Platform&xTimeZone=Mon+Apr+17+2017+22%3A00%3A35+GMT-0400+(EDT)&xResoLution=Computer%3A+1920x1080%3B+Browser+inner%3A+1920x762%3B+Browser+outer%3A+1920x1027&xLang=en-US
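As an added example (not code from the room or from TryHackMe), here is a small Python script that takes TShark field output of the kind shown above and turns the findings into the defanged artefacts the case asks for: it URL-decodes the captured POST body, pulls out the victim e-mail and the client fingerprint fields, and defangs URLs, IPs and e-mail addresses in the formats the questions use. The tshark column layout it expects (http.host, http.request.uri, ip.dst, tab-separated), the example.com / 203.0.113.10 row and the trimmed POST body are constructed assumptions; the malicious host, its IP and the e-mail address are the values already identified in this write-up.

```python
"""Added example (not part of the TryHackMe room): turn TShark field output from
teamwork.pcap into defanged artefacts for detection tooling."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample of what
#   tshark -r teamwork.pcap -Y "http.request" -T fields -e http.host -e http.request.uri -e ip.dst
# prints (tab-separated columns). The first row uses the host and IP named in the
# write-up; the example.com / 203.0.113.10 row is a made-up benign request for contrast.
SAMPLE_HTTP_REQUESTS = (
    "www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com\t/\t184.154.127.226\n"
    "example.com\t/index.html\t203.0.113.10\n"
)

# Trimmed excerpt (constructed) of the POST body the write-up extracted with -e http.file_data.
SAMPLE_POST_BODY = (
    "user=johnny5alive%40gmail.com&xBrowser=Mozilla+FireFox+v43"
    "&xOperatingSystem=Linux&xPlatForm=Desktop+Platform&xLang=en-US"
)


def defang_url(url: str) -> str:
    """http://a.b/c -> hxxp[://]a[.]b/c ; only the scheme and host are defanged."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp")      # http -> hxxp, https -> hxxps
    host = parts.netloc.replace(".", "[.]")
    tail = parts.path or "/"
    if parts.query:
        tail += "?" + parts.query
    return f"{scheme}[://]{host}{tail}"


def defang_ip(ip: str) -> str:
    """184.154.127.226 -> 184[.]154[.]127[.]226"""
    return ip.replace(".", "[.]")


def defang_email(address: str) -> str:
    """aaa@bbb.ccc -> aaa[at]bbb[.]ccc (the room's requested format)."""
    local, _, domain = address.partition("@")
    return f"{local}[at]{domain.replace('.', '[.]')}"


def parse_http_requests(tshark_output: str) -> list[tuple[str, str]]:
    """Return (url, dst_ip) pairs from host / uri / ip.dst field rows."""
    rows = []
    for line in tshark_output.splitlines():
        if not line.strip():
            continue
        host, uri, dst = line.split("\t")
        rows.append((f"http://{host}{uri or '/'}", dst))
    return rows


def extract_form_fields(body: str) -> dict[str, str]:
    """URL-decode an application/x-www-form-urlencoded body (handles %40 and '+')."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def collect_iocs(tshark_output: str, post_body: str) -> dict:
    """Build the defanged artefact set an analyst would hand to detection tooling."""
    urls, ips = [], []
    for url, dst in parse_http_requests(tshark_output):
        urls.append(defang_url(url))
        ips.append(defang_ip(dst))
    fields = extract_form_fields(post_body)
    victim = fields.get("user")
    return {
        "urls": urls,
        "ips": ips,
        "victim_email": defang_email(victim) if victim else None,
        # Client fingerprint fields the phishing page recorded (xBrowser, xOperatingSystem, ...)
        "client": {k: v for k, v in fields.items() if k.startswith("x")},
    }


if __name__ == "__main__":
    for key, value in collect_iocs(SAMPLE_HTTP_REQUESTS, SAMPLE_POST_BODY).items():
        print(f"{key}: {value}")
```

To run it against the real capture, pipe the output of the tshark command in the comment into parse_http_requests instead of SAMPLE_HTTP_REQUESTS; the defanged strings it produces match the formats asked for in the questions above.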

Congratulations! You have finished the first challenge room, but there is one more ticket before calling it a day!