2014-11-16 - TRAFFIC ANALYSIS EXERCISE
PCAP AND ANSWERS
- ZIP of this week's PCAP: 2014-11-16-traffic-analysis-exercise.pcap.zip
- ZIP of this week's answers (PDF file): 2014-11-16-traffic-analysis-exercise-answers.pdf.zip
- ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
- I'm posting a traffic analysis exercise I've developed for my co-workers and some recently-hired analysts at the office.
- Using this pcap, @tehsyntx examined how to decode the payload delivered by the exploit kit: http://thembits.blogspot.se/2014/12/rig-exploit-kit-shellcode-analysis.html
LEVEL 1 QUESTIONS:
1) What is the IP address of the Windows VM that gets infected?
2) What is the host name of the Windows VM that gets infected?
3) What is the MAC address of the infected VM?
4) What is the IP address of the compromised web site?
5) What is the domain name of the compromised web site?
6) What is the IP address and domain name that delivered the exploit kit and malware?
7) What is the domain name that delivered the exploit kit and malware?
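The first three Level 1 questions ask for the infected VM's IP address, MAC address and host name. In a capture of a Windows client those three usually sit together in the DHCP Request the client broadcasts at boot: the chaddr field carries the MAC, option 50 the address the client is asking to keep, and option 12 the host name. The script below is an added example, not part of the original exercise or its answer key; it parses a libpcap file with nothing but the Python standard library and reports those fields for every DHCP Request it finds. The capture it builds in memory, and every value in it (the MAC 02:00:00:aa:bb:cc, the name LAB-WIN7-PC, the 192.168.204.0/24 addresses), is constructed for the demonstration and is not taken from the exercise pcap.

```python
import struct
from typing import Dict, Iterator, List, Optional, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4        # magic as read little-endian from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1        # same bytes read from a big-endian file
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_CLIENT_PORT, DHCP_SERVER_PORT = 68, 67
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"


def iter_packets(data: bytes) -> Iterator[bytes]:
    """Yield each captured frame from a classic libpcap file (Ethernet link type only)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_udp(frame: bytes) -> Optional[Tuple[bytes, bytes, bytes, int, int, bytes]]:
    """Return (src_mac, src_ip, dst_ip, sport, dport, payload) for an IPv4/UDP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return None
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return frame[6:12], ip[12:16], ip[16:20], sport, dport, udp[8:ulen]


def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Parse the TLV option list that follows the DHCP magic cookie (RFC 2132 layout)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC_COOKIE:
        return {}
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                 # end option
            break
        if code == 0:                   # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def find_dhcp_hosts(pcap: bytes) -> List[Dict[str, str]]:
    """Identify clients by (ip, mac, hostname) from DHCP Request messages in the capture."""
    hosts: List[Dict[str, str]] = []
    for frame in iter_packets(pcap):
        parsed = parse_udp(frame)
        if parsed is None:
            continue
        _src_mac, src_ip, _dst_ip, sport, dport, payload = parsed
        if (sport, dport) != (DHCP_CLIENT_PORT, DHCP_SERVER_PORT) or len(payload) < 240:
            continue
        if payload[0] != 1:             # op 1 = BOOTREQUEST; offers/acks from the server are skipped
            continue
        opts = parse_dhcp_options(payload)
        if opts.get(53) != b"\x03":     # option 53 value 3 = DHCPREQUEST
            continue
        mac = payload[28:34]            # chaddr; the client's own hardware address
        ciaddr = payload[12:16]
        # The request is usually sent from 0.0.0.0, so prefer option 50, then ciaddr, then the IP header.
        ip = opts.get(50) or (ciaddr if ciaddr != b"\0\0\0\0" else src_ip)
        entry = {"ip": ".".join(map(str, ip)),
                 "mac": ":".join(f"{b:02x}" for b in mac),
                 "hostname": opts.get(12, b"").decode("ascii", "replace")}
        if entry not in hosts:
            hosts.append(entry)
    return hosts


def _udp_frame(src_mac: bytes, dst_mac: bytes, src_ip: bytes, dst_ip: bytes,
               sport: int, dport: int, payload: bytes) -> bytes:
    """Build an Ethernet/IPv4/UDP frame (checksums left zero; fine for an offline sample)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, IPPROTO_UDP, 0, src_ip, dst_ip) + udp
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip


def _dhcp_message(op: int, msg_type: int, mac: bytes, extra_opts: bytes) -> bytes:
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0xDEADBEEF, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    return fixed + DHCP_MAGIC_COOKIE + bytes([53, 1, msg_type]) + extra_opts + b"\xff"


def build_sample_pcap() -> bytes:
    """Constructed two-frame capture: a DHCPREQUEST from the client and a DHCPACK from the server."""
    client_mac, server_mac = bytes.fromhex("020000aabbcc"), bytes.fromhex("020000ddeeff")
    client_ip, server_ip = bytes([192, 168, 204, 137]), bytes([192, 168, 204, 254])
    hostname = b"LAB-WIN7-PC"
    request = _dhcp_message(1, 3, client_mac, bytes([50, 4]) + client_ip + bytes([12, len(hostname)]) + hostname)
    ack = _dhcp_message(2, 5, client_mac, bytes([54, 4]) + server_ip)
    frames = [_udp_frame(client_mac, b"\xff" * 6, b"\0" * 4, b"\xff" * 4, 68, 67, request),
              _udp_frame(server_mac, client_mac, server_ip, client_ip, 67, 68, ack)]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1416124800 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for h in find_dhcp_hosts(data):
        print(f"{h['ip']:16} {h['mac']}  {h['hostname']}")
```

Run it as `python3 dhcp_hosts.py capture.pcap`; with no argument it parses the constructed sample. If the capture starts after the lease exchange or the VM has a static address, no DHCP Request will be present, and the same three facts have to be pulled from NBNS name registrations or Kerberos AS-REQs instead; the parser is also deliberately strict (classic libpcap only, Ethernet only) so that a pcapng export fails loudly rather than silently returning nothing.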
LEVEL 2 QUESTIONS:
1) What is the redirect URL that points to the exploit kit (EK) landing page?
2) Besides the landing page (which contains the CVE-2013-2551 IE exploit), what other exploit(s) were sent by the EK?
4) How many times was the payload delivered?
5) Submit the pcap to VirusTotal and find out which Snort alerts were triggered. What EK names are shown in the Suricata alerts?
LEVEL 3 QUESTIONS:
1) Checking my website, what have I (and others) been calling this exploit kit?
2) What file or page from the compromised website has the malicious script with the URL for the redirect?
3) Extract the exploit file(s). What is (are) the MD5 file hash(es)?
4) VirusTotal doesn't show all the VRT rules under the "Snort alerts" section for the pcap analysis. If you run your own version of Snort with the VRT ruleset as a registered user (or a subscriber), what VRT rules fire?