BTLO : Network Analysis – Ransomware


ABC Industries worked day and night for a month to prepare a tender document for a prestigious project that would secure the company’s financial future. The company was hit by ransomware, believed to be conducted by a competitor, and the final version of the tender document was encrypted. Right now they are in need of an expert who can decrypt this critical document. All we have is the network traffic, the ransom note, and the encrypted tender document. Do your thing Defender!

Challenge Submission

What is the operating system of the host from which the network traffic was captured? 

Head to Statistics → Capture File Properties to find out details of the network traffic capture, including the operating system of the capturing host.

What is the full URL from which the ransomware executable was downloaded? 

Filter the traffic for HTTP and search for the full URI in the Hypertext Transfer Protocol section.

Name the ransomware executable file.

What is the MD5 hash of the ransomware?

Export the file from the HTTP object list (File → Export Objects → HTTP) and compute its MD5 hash.
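The same three answers (full URL, executable name, MD5) can be pulled straight from the reassembled HTTP stream. The following is an added example, not part of the original write-up or of BTLO: it parses a constructed request/response pair (hypothetical host, path and payload), rebuilds the download URL from the request line and Host header, carves exactly Content-Length bytes of the body, and hashes the carved file, refusing a truncated stream so that a partial capture never produces a hash nobody can look up.

```python
import hashlib
from urllib.parse import urlparse
# Constructed sample exchange (hypothetical host, path and payload), standing in for
# the request/response a pcap tool reassembles from the download stream.
SAMPLE_REQUEST = (
    b"GET /files/sample.exe HTTP/1.1\r\n"
    b"Host: example.invalid\r\n\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 12\r\n\r\n"
    b"MZ\x90\x00fake-exe"  # 12-byte stand-in body with a PE-style 'MZ' header
)

def split_message(raw: bytes):
    # Split a raw HTTP message into (start line, lower-cased header dict, body).
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP headers")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def request_url(request: bytes) -> str:
    # Rebuild the full download URL from the request line and the Host header.
    start, headers, _ = split_message(request)
    return f"http://{headers['host']}{start.split(' ')[1]}"

def carve_body(response: bytes) -> bytes:
    # Return exactly Content-Length bytes; a shorter stream is a partial capture.
    _, headers, body = split_message(response)
    length = int(headers["content-length"])
    if len(body) < length:
        raise ValueError(f"truncated body: {len(body)} of {length} bytes")
    return body[:length]

def analyze_download(request: bytes, response: bytes) -> dict:
    # Summarise one download: URL, filename, PE check and the MD5 to look up.
    url = request_url(request)
    data = carve_body(response)
    return {
        "url": url,
        "filename": urlparse(url).path.rsplit("/", 1)[-1],
        "is_pe": data[:2] == b"MZ",
        "md5": hashlib.md5(data).hexdigest(),
    }
```

Feed it the request and response bytes of the download stream (for example from Follow TCP Stream saved as raw) and the returned MD5 is the value to search on VirusTotal.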

What is the name of the ransomware?

Search the hash in VirusTotal to find the common ransomware name.

What is the encryption algorithm used by the ransomware, according to the ransom note? 

What is the domain beginning with ‘d’ that is related to ransomware traffic? 

In the Relations tab on VirusTotal you can see a list of contacted URLs and domains for the sample.

Decrypt the Tender document and submit the flag 

Download the Tesladecrypt decoder and decrypt the tender file to get the flag. 
