June 2, 2026
[ BTLO ] Network Analysis — Ransomware
Arya Utomo
Description: ABC Industries worked day and night for a month to prepare a tender document for a prestigious project that would secure the company's financial future. The company was hit by ransomware, believed to be conducted by a competitor, and the final version of the tender document was encrypted. Right now they are in need of an expert who can decrypt this critical document. All we have is the network traffic, the ransom note, and the encrypted tender document. Do your thing Defender!
Evidence: ransom_traffic.pcapng, Tender.pdf.micro
Question 1 : What is the operating system of the host from which the network traffic was captured? (Look at Capture File Properties, copy the details exactly)
To answer question one, we just need to open the capture in Wireshark and navigate to Statistics > Capture File Properties; the capturing host's OS is listed there.
Answer : 32-bit Windows 7 Service Pack 1, build 7601
Question 2 : What is the full URL from which the ransomware executable was downloaded?
To find out which files were downloaded, I filter the capture on HTTP GET requests (display filter http.request.method == "GET"), since a file download over HTTP is performed with a GET request. The request line plus the Host header give the full download URL.
Answer : http://10.0.2.15:8000/safecrypt.exe
Question 3 : Name the ransomware executable file?
This was already identified in the path of the download URL from question two: safecrypt.exe.
Answer : safecrypt.exe
Question 4 : What is the MD5 hash of the ransomware?
To hash the file (so it can be used for threat intelligence later), we first need the malware file itself. Wireshark can carve it from the capture with the HTTP object export feature in the File menu:
File > Export Objects > HTTP
Next, after saving the exported safecrypt.exe, we compute its hash with md5sum.
Answer : 4a1d88603b1007825a9c6b36d1e5de44
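The two steps above (rebuilding the download URL from the GET request, then carving the transferred object and hashing it) done by hand on a reassembled HTTP stream, as an added example that is not part of the original write-up. The request/response pair below is constructed: the host, port and filename follow the capture, but the body bytes are a placeholder, not the real safecrypt.exe.

```python
import hashlib
import re

# Constructed sample of one reassembled HTTP stream, standing in for what
# Wireshark's Follow TCP Stream / Export Objects works on. The body is a
# placeholder string, not the actual executable from the capture.
SAMPLE_REQUEST = (
    b"GET /safecrypt.exe HTTP/1.1\r\n"
    b"Host: 10.0.2.15:8000\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"\r\n"
)
SAMPLE_BODY = b"The quick brown fox jumps over the lazy dog"
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    + b"Content-Length: %d\r\n" % len(SAMPLE_BODY)
    + b"\r\n"
    + SAMPLE_BODY
)


def request_url(request: bytes) -> str:
    """Rebuild the full download URL (Q2) from the request line and Host header."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError(f"not a GET request: {method}")
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return f"http://{headers['host']}{path}"


def response_body(response: bytes) -> bytes:
    """Carve the transferred object (what Export Objects > HTTP saves) by Content-Length."""
    head, body = response.split(b"\r\n\r\n", 1)
    match = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", head)
    if match is None:
        raise ValueError("no Content-Length header; cannot bound the object")
    length = int(match.group(1))
    if len(body) < length:
        # A capture that missed packets yields a truncated file and a wrong hash.
        raise ValueError(f"truncated object: got {len(body)} of {length} bytes")
    return body[:length]


def object_md5(response: bytes) -> str:
    """MD5 of the carved object, the value used to pivot in threat intelligence (Q4)."""
    return hashlib.md5(response_body(response)).hexdigest()
```

Hashing the carved bytes rather than a re-downloaded copy matters: the truncation check is there because a partial capture would otherwise produce a hash that matches nothing.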
Question 5 : What is the name of the ransomware?
After obtaining the MD5 hash of the malware, we look it up in a threat intelligence source to answer the remaining questions about it. Here I am using VirusTotal.
Answer : Teslacrypt
Question 6 : What is the encryption algorithm used by the ransomware, according to the ransom note?
To find the encryption algorithm, I did some OSINT (a Google search) on this ransomware family to dig up what algorithm its ransom note claims was used to encrypt the victim's files.
Answer : RSA-4096
Question 7 : What is the domain beginning with 'd' that is related to ransomware traffic?
For this question we again use VirusTotal: under the sample's Relations tab, the Contacted URLs section lists the domains the malware reached out to, and we look for the one starting with "d" as asked.
Answer : dunyamuzelerimuzesi.com
Question 8 : Decrypt the Tender document and submit the flag
Here I searched the internet for a decryptor for this malware and found one on talosintelligence.com.
Then I installed and ran the tool to decrypt the Tender.pdf.micro file.
Answer : BTLO-T3nd3r-Fl@g
Conclusion: Through network forensic analysis of the ransom_traffic.pcapng file, the attack lifecycle was reconstructed: the initial compromise was the download of the TeslaCrypt ransomware executable (safecrypt.exe) from http://10.0.2.15:8000/safecrypt.exe onto a Windows 7 host. Although the malware encrypted the critical enterprise asset (Tender.pdf.micro) with what its ransom note describes as RSA-4096 and established connections to the malicious domain dunyamuzelerimuzesi.com, the threat was effectively neutralized. Leveraging threat intelligence and the TeslaCrypt decryption utility from Cisco Talos, the tender document was restored to its original form, yielding the final flag: BTLO-T3nd3r-Fl@g.