BACKGROUND
During routine monitoring of internal network traffic, several suspicious communication patterns emerged from the IP address 172.17.0.99. The traffic included outgoing HTTP POST requests, SMB connections, and Kerberos activity. Because the traffic was leaving the internal subnet for an external IP address and targeting sensitive ports, further investigation of the .pcap files was conducted.
INCIDENT SUMMARY
HTTP POST traffic to external IP addresses, user-agent spoofing, and exploitation of internal services such as SMB and Kerberos were found in the PCAP files. Endpoint 172.17.0.99 (hostname: DESKTOP-RNVO9AT) is suspected to have been infected by info-stealer malware, specifically the Win32/Koi Stealer variant.
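The three patterns named in the summary (HTTP POST from an internal host to an external address, a User-Agent that does not match the host's normal browser, and connections to SMB/Kerberos ports) can be scored together in a short triage script. The following is an added example, not code from the original write-up; the flow records are constructed, the external destination 203.0.113.25 is a documentation-range placeholder rather than the real address from the pcap, and the "rare User-Agent" heuristic is an assumed detection rule, not the method the write-up used.

```python
"""Triage of connection summaries for a suspected info-stealer host.

Added example. Flags, per internal source, the patterns the incident summary
describes: external HTTP POST, a User-Agent unusual for that host, and
connections to SMB/Kerberos ports. Records are constructed, not from the pcap.
"""
import ipaddress
from collections import Counter, defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SENSITIVE_PORTS = {445: "smb", 139: "smb", 88: "kerberos"}

# Constructed records in the shape a tshark/Zeek-style export might produce.
# 203.0.113.25 is a placeholder for the external address seen in the capture.
SAMPLE_FLOWS = [
    {"src": "172.17.0.99", "dst": "172.17.0.10", "dport": 80, "proto": "http",
     "method": "GET", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    {"src": "172.17.0.99", "dst": "172.17.0.10", "dport": 80, "proto": "http",
     "method": "GET", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    {"src": "172.17.0.99", "dst": "172.17.0.10", "dport": 80, "proto": "http",
     "method": "GET", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    {"src": "172.17.0.99", "dst": "203.0.113.25", "dport": 80, "proto": "http",
     "method": "POST", "ua": "curl/7.0 (compatible; MSIE 9.0)"},
    {"src": "172.17.0.99", "dst": "172.17.0.5", "dport": 445, "proto": "tcp"},
    {"src": "172.17.0.99", "dst": "172.17.0.2", "dport": 88, "proto": "tcp"},
    {"src": "172.17.0.50", "dst": "172.17.0.10", "dport": 80, "proto": "http",
     "method": "GET", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    {"src": "172.17.0.50", "dst": "172.17.0.2", "dport": 88, "proto": "tcp"},
]


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rare_user_agents(flows, min_requests=3):
    """Per source host, the User-Agent strings seen exactly once when the host
    has at least `min_requests` HTTP records. Assumed heuristic: a one-off UA on
    a host that otherwise uses one browser is worth a look."""
    per_host = defaultdict(Counter)
    for f in flows:
        if f.get("proto") == "http" and f.get("ua"):
            per_host[f["src"]][f["ua"]] += 1
    return {host: {ua for ua, n in c.items() if n == 1}
            for host, c in per_host.items() if sum(c.values()) >= min_requests}


def triage(flows):
    """Map each internal source address to the set of suspicious tags it trips."""
    rare = rare_user_agents(flows)
    findings = defaultdict(set)
    for f in flows:
        src, dst = f["src"], f["dst"]
        if not is_internal(src):
            continue
        if f.get("proto") == "http" and f.get("method") == "POST" and not is_internal(dst):
            findings[src].add("external_http_post")
        if f.get("ua") in rare.get(src, set()):
            findings[src].add("rare_user_agent")
        svc = SENSITIVE_PORTS.get(f["dport"])
        if svc and is_internal(dst):
            findings[src].add(f"internal_{svc}")
    return dict(findings)


def hosts_to_escalate(flows, threshold=3):
    """Hosts tripping at least `threshold` distinct tags. A single tag (one
    Kerberos ticket request, say) is ordinary domain activity on its own."""
    return sorted(h for h, tags in triage(flows).items() if len(tags) >= threshold)


if __name__ == "__main__":
    for host, tags in triage(SAMPLE_FLOWS).items():
        print(host, sorted(tags))
    print("escalate:", hosts_to_escalate(SAMPLE_FLOWS))
```

Only the combination escalates a host: 172.17.0.50 makes one Kerberos connection and stays below the threshold, while 172.17.0.99 trips all four tags, which is the picture the summary describes for DESKTOP-RNVO9AT.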
For more details about this project, see the full write-up at the following link.
https://medium.com/@HETSHI/analisis-forensik-digital-investigasi-aktivitas-koi-stealer-dari-traffic-pcap-74ebeb655787