2014-11-23 - TRAFFIC ANALYSIS EXERCISE: QUESTIONS ABOUT EXPLOIT KIT (EK) TRAFFIC
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
PCAP AND ANSWERS
- 2014-11-23-traffic-analysis-exercise.pcap.zip 2.1 MB (2,057,599 bytes)
- 2014-11-23-traffic-analysis-exercise-answers.pdf.zip 100.8 kB (100,830 bytes)
QUESTIONS
BASIC QUESTIONS:
1) What is the IP address of the Windows VM that gets infected?
2) What is the MAC address of the infected VM?
3) What is the IP address of the compromised web site?
4) What is the domain name of the compromised web site?
5) What is the IP address and domain name that delivered the exploit kit and malware?
6) What is the domain name that delivered the exploit kit and malware?
MORE ADVANCED QUESTIONS:
1) What is the exploit kit (EK) that delivers the malware?
2) What is the redirect URL that points to the exploit kit (EK) landing page?
3) What is the IP address of the redirect URL that points to the exploit kit (EK) landing page?
4) Submit the pcap to VirusTotal and find out what Snort alerts triggered. Do any of the alerts indicate what exploit kit this is?
5) Extract the malware payload from the pcap. What is the MD5 or SHA256 hash?
EXTRA QUESTIONS:
1) If you use Suricata, what EmergingThreats signatures fire on the exploit kit traffic?
2) What exploit (which CVE) is used by this EK?