Executive Summary

On February 8, 2021, an employee workstation at Asco Limited downloaded malicious files from a website called roanokemortgages.com. Soon after, the machine connected to several unfamiliar external servers and began sending data to them.

The packet capture shows that the infected computer (DESKTOP-MGVG60Z) used IP address 10.2.8.101 and belonged to user bill.cook. The downloads led to a chain of malware infections that gave attackers remote access and allowed them to steal information.

The incident was detected because the network intrusion detection system flagged unusual file downloads, connections on an uncommon port (8080), and repeated communications with known malicious servers.

A single drive-by-style download from one external site triggered a full loader → remote-access → stealer chain on an internal workstation within roughly two minutes.

Details About the Affected Host

The packet capture identified the following details about the compromised machine:

  • Hostname: NetBIOS traffic in the capture advertises DESKTOP-MGVG60Z as the computer's name.
  • Domain: The workstation belongs to the ASCOLIMITED domain, matching the company's network notes.
  • IP address: All suspicious traffic originates from 10.2.8.101, which is within the company's LAN range of 10.2.8.0/24.
  • MAC address: The source MAC during the first malware download is 00:12:79:41:c2:aa, identified in the Ethernet header.
  • User account: Kerberos authentication packets show the username bill.cook, indicating this user was logged in when the malware executed.

Timeline of Events (UTC)

The infection unfolded over roughly two minutes. Each step below is drawn directly from packets and IDS alerts in the capture:

  1. 15:59 — The infected host opens an HTTPS session with 162.241.149.195 just before the malicious downloads begin. Because the content is encrypted, the capture shows only the TLS handshake; this server is tied to the chain on timing alone.
  2. 16:00 — The workstation checks its public IP by contacting api.ipify.org (54.235.147.252). Malware commonly does this to learn the victim's public IP address and to confirm internet connectivity; the service itself is legitimate.
  3. 16:00 — The host sends a check-in message to 213.5.229.12, which is tied to the Hancitor/Chanitor malware family. This suggests the loader has begun contacting command-and-control servers.
  4. 16:00 — The computer opens an HTTP session on port 8080 with 198.211.10.238. Intrusion detection alerts identify this as a possible shellcode delivery and later as a Cobalt Strike beacon — a tool used for remote control.
  5. 16:00 — Three files are downloaded from roanokemortgages.com (IP 8.208.10.147): 0801.bin, 0801s.bin, and 6ljhgfddgj.exe. These files are small executables that trigger malware-download alerts.
  6. 16:00–16:01 — Additional small binaries are retrieved from the same domain, and the host begins sending HTTP POST requests with form-encoded data to 185.100.65.29, indicating data exfiltration.
  7. 16:01 — Persistent beaconing to 198.211.10.238 on port 8080 confirms that a backdoor is active on the machine.

The sequence — public-IP check, loader check-in, beacon channel, then payload retrieval — is the textbook shape of an automated malware chain executing on a freshly compromised host.

Indicators of Compromise

The following artifacts can help identify other machines that might be infected:

Malware families

  • Hancitor/Chanitor — loader.
  • Cobalt Strike — remote access toolkit.
  • Ficker stealer — credential and data theft.

External IPs contacted (with observed role)

  • 162.241.149.195 (HTTPS session immediately before the downloads)
  • 8.208.10.147 (roanokemortgages.com, payload download host)
  • 213.5.229.12 (Hancitor/Chanitor check-in)
  • 198.211.10.238 (Cobalt Strike beacon, TCP 8080)
  • 185.100.65.29 (destination of the form-data POSTs, exfiltration)
  • 54.235.147.252 (api.ipify.org: a legitimate public service queried by the malware; a useful detection signal, not a server to block)

Malicious domains / URLs

  • roanokemortgages.com/0801.bin
  • roanokemortgages.com/0801s.bin
  • roanokemortgages.com/6ljhgfddgj.exe

Downloaded file names

  • 0801.bin
  • 0801s.bin
  • 6ljhgfddgj.exe

Victim identifiers

  • Hostname: DESKTOP-MGVG60Z
  • IP: 10.2.8.101
  • MAC: 00:12:79:41:c2:aa
  • User: bill.cook

Suspicious ports / protocols

  • Outbound TCP port 8080 from a workstation: not a standard port for user web browsing on this network, and used here by the Cobalt Strike beacon.
  • HTTP GET requests for .bin/.exe files from an unknown domain, and HTTP POST requests to bare IP addresses rather than hostnames.
  • NetBIOS and Kerberos traffic is normal domain activity, not an indicator; it is noted here only because it supplied the hostname and user name.

Behavioural signs

  • External IP lookup (api.ipify.org) immediately after infection.
  • Repeated downloads of small binaries from a single external domain.
  • Continuous beaconing to one external IP at a regular cadence.
  • HTTP POSTs of form-encoded data to an external IP.

Together these are typical of an active, automated intrusion chain.
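
The following script is an added example written for this report, not part of the original capture analysis or any vendor tooling. It shows how the indicators above can be turned into a hunt across the rest of the network: it matches proxy records against the IOC domain, file names and external IPs, and it flags beaconing by looking for connection pairs whose inter-arrival times are regular (low coefficient of variation), which is how the 198.211.10.238:8080 traffic would stand out in connection logs. The tab-separated log layout (a simplified Zeek http.log / conn.log shape), the second host 10.2.8.77, the benign host 10.2.8.55, the timestamps and the beacon thresholds are all assumptions constructed for the example.

```python
"""Hunt for the roanokemortgages.com / Hancitor chain in HTTP and connection
logs and flag hosts that beacon to a destination at a regular cadence.
All log records below are CONSTRUCTED samples in a simplified Zeek-like
tab-separated layout; they are not records from the actual capture."""
from collections import defaultdict
from statistics import mean, pstdev

# Indicators taken from the report (api.ipify.org deliberately left out of the
# block list: it is a legitimate service, so matching it alone is not a hit).
IOC_IPS = {"162.241.149.195", "8.208.10.147", "213.5.229.12",
           "198.211.10.238", "185.100.65.29"}
IOC_DOMAIN = "roanokemortgages.com"
IOC_FILES = {"0801.bin", "0801s.bin", "6ljhgfddgj.exe"}

# Constructed http.log: ts, src_ip, dst_ip, dst_port, host, uri.
# 10.2.8.77 is an assumed second victim; 10.2.8.55 is assumed benign.
HTTP_LOG = """\
1612800010.0\t10.2.8.101\t8.208.10.147\t80\troanokemortgages.com\t/0801.bin
1612800012.0\t10.2.8.101\t8.208.10.147\t80\troanokemortgages.com\t/0801s.bin
1612800015.0\t10.2.8.101\t8.208.10.147\t80\troanokemortgages.com\t/6ljhgfddgj.exe
1612800020.0\t10.2.8.101\t185.100.65.29\t80\t185.100.65.29\t/
1612800300.0\t10.2.8.77\t8.208.10.147\t80\troanokemortgages.com\t/6ljhgfddgj.exe
1612800400.0\t10.2.8.55\t93.184.216.34\t80\texample.com\t/index.html
"""


def parse_http_log(text):
    """Parse the tab-separated HTTP records into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, host, uri = line.split("\t")
        rows.append({"ts": float(ts), "src": src, "dst": dst,
                     "port": int(port), "host": host, "uri": uri})
    return rows


def match_iocs(http_rows):
    """Return {src_ip: set(reasons)} for every internal host touching an IOC."""
    hits = defaultdict(set)
    for r in http_rows:
        if r["dst"] in IOC_IPS:
            hits[r["src"]].add("ip:" + r["dst"])
        if r["host"].lower() == IOC_DOMAIN:
            hits[r["src"]].add("domain:" + IOC_DOMAIN)
        fname = r["uri"].rsplit("/", 1)[-1]
        if fname in IOC_FILES:
            hits[r["src"]].add("file:" + fname)
    return dict(hits)


def constructed_conn_log():
    """Constructed conn.log rows (ts, src, dst, dst_port): one host beaconing
    to 198.211.10.238:8080 roughly every 60 s with small jitter, and one host
    making irregular connections to an unrelated server."""
    rows = []
    for i, jitter in enumerate([0, 3, -2, 4, -1, 2, -3, 1]):
        rows.append((1612800060.0 + 60 * i + jitter,
                     "10.2.8.101", "198.211.10.238", 8080))
    for t in (5, 70, 90, 400, 410, 1200, 1250, 2000):
        rows.append((1612800000.0 + t, "10.2.8.55", "93.184.216.34", 443))
    return sorted(rows)


def find_beacons(conn_rows, min_conns=5, max_cv=0.2):
    """Group connections by (src, dst, port) and report flows whose gaps
    between connections are regular: coefficient of variation <= max_cv.
    Thresholds are assumptions; tune them to the environment.
    Returns {(src, dst, port): (count, mean_gap_seconds, cv)}."""
    by_flow = defaultdict(list)
    for ts, src, dst, port in conn_rows:
        by_flow[(src, dst, port)].append(ts)
    beacons = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[flow] = (len(stamps), round(avg, 1), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for host, reasons in sorted(match_iocs(parse_http_log(HTTP_LOG)).items()):
        print(f"IOC hit on {host}: {', '.join(sorted(reasons))}")
    for flow, stats in find_beacons(constructed_conn_log()).items():
        print(f"Beacon candidate {flow}: {stats[0]} conns, "
              f"mean gap {stats[1]} s, cv {stats[2]}")
```

Run against real proxy and connection exports by replacing the constructed HTTP_LOG text and the constructed_conn_log() rows with the same six-column and four-column layouts. The beacon check intentionally ignores destination reputation, so a new Cobalt Strike server not yet on the IOC list still surfaces if its sleep interval is regular; Cobalt Strike's configurable jitter is why the check uses a coefficient of variation rather than an exact period.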

Conclusion

The evidence shows that a workstation on Asco Limited's network was infected after visiting a malicious website and downloading multiple executable files. These files installed a malware loader (Hancitor/Chanitor), which then deployed Cobalt Strike for remote control and Ficker stealer to harvest credentials and other data.

The malware contacted several external servers, sent system information, and maintained a backdoor connection on port 8080.

Recommendations

Short-term actions

  • Isolate the workstation from the network immediately (keep it powered on if a memory capture is wanted) to stop beaconing and further exfiltration.
  • Reset the password for bill.cook and every account that logged on to the machine, and treat any credentials saved in browsers or applications on it as stolen, since a stealer ran on the host; revoke active sessions where possible.
  • Block roanokemortgages.com and the command-and-control IPs (162.241.149.195, 8.208.10.147, 213.5.229.12, 198.211.10.238, 185.100.65.29) at the firewall and proxy. Alert on, rather than block, api.ipify.org: it is a legitimate service and blocking it may break other software.
  • Hunt for other infected hosts by searching proxy, DNS, IDS and firewall logs for the domain, the URLs, the file names (0801.bin, 0801s.bin, 6ljhgfddgj.exe) and the external IPs. The MAC address 00:12:79:41:c2:aa identifies only this host (useful for locating its switch port), not other victims.
  • Rebuild the workstation from a known-good image rather than relying on antivirus cleanup: a Cobalt Strike beacon gives the attacker interactive access, so the host should be treated as fully compromised. Review domain controller logs for logons by bill.cook from other hosts during and after the incident window.

Long-term improvements

  • Implement stricter web filtering: block executable downloads (.exe, .bin) from uncategorised or newly registered domains, and require a proxy for outbound HTTP/HTTPS from workstations.
  • Monitor for unusual outbound connections, especially on non-standard ports like 8080, and alert on hosts that contact a single external IP at a regular interval (beaconing).
  • Update intrusion detection signatures regularly to detect new malware variants.
  • Educate users about phishing and malicious downloads to reduce the chance of future infections.