June 10, 2026
BTLO — Network Analysis — TeslaCrypt Ransomware
Efe Özel
Scenario: ABC Industries worked day and night for a month to prepare a tender document for a prestigious project that would secure the company's financial future. The company was hit by ransomware, believed to have been conducted by a competitor, and the final version of the tender document was encrypted. Right now they are in need of an expert who can decrypt this critical document. All we have is the network traffic, the ransom note, and the encrypted tender document. Do your thing, Defender!
Q1: What is the operating system of the host from which the network traffic was captured? (Look at Capture File Properties, copy the details exactly)
We can look at the capture file properties (Statistics → Capture File Properties in Wireshark) to find the operating system of the host on which the capture was taken.
Q2: What is the full URL from which the ransomware executable was downloaded?
We know a file was downloaded, so the download should be visible in the captured HTTP traffic.
Filtering by http leaves just two packets.
These packets are most likely the malicious download. The packet list shows the IP address and the URL path, but the full URL also needs the port, so expand the Hypertext Transfer Protocol section in the packet details, where host, port and path are shown together.
Q3: Name the ransomware executable file?
The URL path found in the previous question ends with the name of the downloaded file.
Q4: What is the MD5 hash of the ransomware?
We know a file was downloaded, but how do we get its MD5 hash? In Wireshark, File → Export Objects → HTTP lets us save the transferred file, and we can then hash the saved file (for example with md5sum).
Q5: What is the name of the ransomware?
How do we find the ransomware's name? Search for the MD5 hash on VirusTotal or a similar platform.
Q6: What is the encryption algorithm used by the ransomware, according to the ransom note?
The algorithm is stated in the ransom note itself, or you can research it on the internet.
Q7: What is the domain beginning with 'd' that is related to ransomware traffic?
For this question you can filter by "dns" in Wireshark, or look at the Hybrid Analysis report, since that sandbox shows the network traffic generated by the malicious file.
Look for the DNS queries whose name starts with "d". The same domain also appears in the Hybrid Analysis network traffic section.
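The same questions (download URL with its port, file name, MD5 of the transferred object, and DNS query names) can be answered without clicking through Wireshark. The script below is an added example for this writeup, not part of the original post or of any tool it mentions. It builds a small constructed pcap in memory (placeholder addresses, host names, path and file body, none of them the lab's real indicators), walks the Ethernet/IPv4/TCP/UDP layers with the standard library only, and reconstructs the answers. It assumes the HTTP response body fits in a single TCP segment; on a real capture Wireshark's Export Objects does the stream reassembly for you.

```python
import hashlib
import struct

# Constructed sample traffic: one DNS query, one HTTP GET for an executable and
# the server's response. All names, addresses and the body are placeholders.
CLIENT_IP, SERVER_IP, RESOLVER_IP = "192.0.2.10", "198.51.100.20", "192.0.2.1"
BODY = b"MZ" + b"\x00" * 62 + b"constructed fake executable body"
REQUEST = (b"GET /files/payload.exe HTTP/1.1\r\n"
           b"Host: example-download.test\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(BODY) + BODY)

def _ip(addr):
    return bytes(int(o) for o in addr.split("."))

def _dns_query(name):
    """Minimal DNS A-record query for name, as carried in a UDP payload."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"

def build_packet(src, dst, sport, dport, payload, proto=6):
    """Ethernet + IPv4 + TCP (proto 6) or UDP (proto 17) framing; checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    return eth + ip + l4 + payload

def build_pcap(packets):
    """Wrap raw frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

# Constructed capture: the download goes to a non-standard port so the URL must carry it.
SAMPLE_PCAP = build_pcap([
    build_packet(CLIENT_IP, RESOLVER_IP, 50000, 53, _dns_query("dexample-c2.test"), proto=17),
    build_packet(CLIENT_IP, SERVER_IP, 49152, 8080, REQUEST),
    build_packet(SERVER_IP, CLIENT_IP, 8080, 49152, RESPONSE),
])

def iter_payloads(pcap_bytes):
    """Walk a libpcap file and yield (proto, src, dst, sport, dport, l4_payload)."""
    end = "<" if struct.unpack("<I", pcap_bytes[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":      # IPv4 frames only
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[14 + 9]
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        l4 = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", l4[:4])
        hdr = (l4[12] >> 4) * 4 if proto == 6 else 8
        yield proto, src, dst, sport, dport, l4[hdr:]

def _dns_qname(payload):
    """Decode the first question name of a DNS message (questions are never compressed)."""
    labels, pos = [], 12
    while payload[pos]:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def analyze(pcap_bytes):
    """Recover download URL, file name, MD5 of the body and all DNS query names."""
    result = {"dns_queries": []}
    for proto, src, dst, sport, dport, payload in iter_payloads(pcap_bytes):
        if proto == 17 and dport == 53:
            result["dns_queries"].append(_dns_qname(payload))
        elif proto == 6 and payload.startswith(b"GET "):
            head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
            path = head[0].split(" ")[1]
            headers = {k.strip().lower(): v.strip()
                       for k, v in (h.split(":", 1) for h in head[1:] if ":" in h)}
            host = headers.get("host", dst)
            port = "" if dport == 80 else ":%d" % dport     # keep non-default port in the URL
            result["url"] = "http://%s%s%s" % (host, port, path)
            result["filename"] = path.rsplit("/", 1)[-1]
        elif proto == 6 and payload.startswith(b"HTTP/1.") and b"\r\n\r\n" in payload:
            body = payload.split(b"\r\n\r\n", 1)[1]        # single-segment body assumed
            result["md5"], result["size"] = md5_hex(body), len(body)
    return result

def domains_starting_with(result, letter):
    """Q7-style filter: DNS query names beginning with the given letter."""
    return [d for d in result["dns_queries"] if d.startswith(letter)]

if __name__ == "__main__":
    print(analyze(SAMPLE_PCAP))
```

To use it on the lab capture, replace SAMPLE_PCAP with the bytes of the real pcap file; the MD5 you get from a reassembled export in Wireshark is the value to look up on VirusTotal.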
Q8: Decrypt the Tender document and submit the flag
For this question we need a tool to decrypt the .pdf file. Cisco Talos published a TeslaCrypt decryption tool, which can decrypt files encrypted by TeslaCrypt.
You can download it from the Cisco Talos site.
After downloading the tool, we point it at the encrypted file and run the decryption.
Success! The decrypted file appears in the same directory as the encrypted one.
The file is now a readable PDF; open it to see the real content.
Lab scenario summary:
The attacker:
- Downloaded an .exe file to the host machine
- Encrypted an important .pdf file on the host machine with the TeslaCrypt ransomware
And we:
- Found the downloaded .exe file
- Researched its MD5 hash
- Identified what kind of malware it is
- Identified the ransomware name
- Worked out how to decrypt the file
- Decrypted the file with the TeslaCrypt decryption tool
Efe Ozel — SOC L1