2014-12-08 - TRAFFIC ANALYSIS EXERCISE

PCAP AND ANSWERS:
NOTES:
QUESTIONS

BASIC QUESTIONS:

1) What is the date and time of this activity?
2) What is the IP address of the Windows host that gets infected?
3) What is the MAC address of the infected Windows host?
4) What is the host name of the infected Windows host?
5) What is the domain name of the compromised web site?
6) What is the IP address of the compromised web site?
7) What is the domain name that delivered the exploit kit (EK) and malware payload?
8) What is the IP address that delivered the EK and malware payload?
MORE ADVANCED QUESTIONS:

1) What Snort events (from either the VRT or the Emerging Threats rule set) are generated by this pcap?
2) What EK is this (Angler, Nuclear, Neutrino, etc.)?
3) What is the redirect URL that points to the EK landing page?
4) What is the IP address of the redirect URL that points to the EK landing page?
5) How many times is the malware payload delivered?  (The payload is encrypted differently on each delivery, so the bytes on the wire differ even though it is the same file.)
6) Which HTTP request (GET or POST) is the post-infection traffic caused by the malware?
EXTRA QUESTIONS:

1) What browser was used by the infected Windows host?
2) What different exploits were sent by the EK during this infection?
3) What is the date of these exploits?  (When were they created or modified?)
4) What is the size of the malware payload?
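
Every question above comes down to pulling a few fields out of the pcap: the first frame's timestamp, the client's MAC and IP, the host name from its DHCP request, the Host headers and server IPs, the browser's User-Agent, the Content-Type and Last-Modified of the exploit files, the count and Content-Length of the payload deliveries, and whatever the host requests after the payload lands. The script below is an added example, not part of the original exercise or its answers: a dependency-free Python triage that parses the classic libpcap record headers, Ethernet/IPv4/UDP/TCP, DHCP option 12 and per-segment HTTP, and collects those facts in one pass. The embedded capture is constructed for the example; the addresses, MACs, names (compromised.example, ek.example, WIN7-PC), the User-Agent string, the set of exploit Content-Types and the "application/octet-stream means payload" rule are all assumptions, not the exercise's data. It also assumes each HTTP message fits in a single TCP segment; a real capture needs stream reassembly (Wireshark's Follow TCP Stream or tshark) because responses span many segments.

```python
import struct, datetime
EXPLOIT_TYPES = {'application/x-shockwave-flash', 'application/x-silverlight-app', 'application/java-archive'}  # assumed

def iter_packets(data):
    """Yield (timestamp, frame) from classic libpcap bytes, either byte order, link type Ethernet."""
    endian = '<' if struct.unpack_from('<I', data, 0)[0] == 0xa1b2c3d4 else '>'
    off = 24                                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack_from(endian + 'IIII', data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def decode(frame):
    """Ethernet -> IPv4 -> UDP/TCP: addresses, ports and L4 payload, or None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00': return None
    ip = frame[14:14 + struct.unpack_from('!H', frame, 16)[0]]  # honour Total Length, drop Ethernet padding
    proto, l4 = ip[9], ip[(ip[0] & 0x0f) * 4:]
    pkt = {'smac': ':'.join(f'{b:02x}' for b in frame[6:12]), 'proto': proto,
           'sip': '.'.join(map(str, ip[12:16])), 'dip': '.'.join(map(str, ip[16:20]))}
    if proto in (6, 17) and len(l4) >= (20 if proto == 6 else 8):
        pkt['sport'], pkt['dport'] = struct.unpack_from('!HH', l4, 0)
        pkt['payload'] = l4[(l4[12] >> 4) * 4 if proto == 6 else 8:]  # TCP data offset / 8-byte UDP header
    return pkt

def dhcp_hostname(payload):
    """Option 12 (Host Name) from a BOOTP/DHCP message, or None if absent or not DHCP."""
    if len(payload) < 240 or payload[236:240] != b'\x63\x82\x53\x63': return None
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:            # 255 = End option
        tag, ln = payload[i], payload[i + 1]
        if tag == 0: i += 1; continue                            # Pad option has no length byte
        if tag == 12: return payload[i + 2:i + 2 + ln].decode('ascii', 'replace')
        i += 2 + ln
    return None

def http_message(payload):
    """Classify one TCP segment as ('req', fields), ('resp', fields) or (None, None). No reassembly."""
    head, _, body = payload.partition(b'\r\n\r\n')
    lines = head.split(b'\r\n')
    first, hdrs = lines[0].split(b' '), {}
    for line in lines[1:]:
        k, _, v = line.partition(b':')
        if k: hdrs[k.strip().lower().decode('latin-1')] = v.strip().decode('latin-1')
    if len(first) == 3 and first[0] in (b'GET', b'POST', b'HEAD'):
        return 'req', {'method': first[0].decode(), 'uri': first[1].decode('latin-1'), 'headers': hdrs}
    if len(first) >= 2 and first[0].startswith(b'HTTP/1.') and first[1].isdigit():
        return 'resp', {'status': int(first[1]), 'headers': hdrs, 'body': body}
    return None, None

def triage(data):
    """Walk a pcap once and collect the facts the exercise questions ask for."""
    r = {'first_seen': None, 'host': {}, 'servers': {}, 'user_agents': set(),
         'exploits': [], 'payloads': [], 'post_infection': []}
    for ts, frame in iter_packets(data):
        if r['first_seen'] is None: r['first_seen'] = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc)
        p = decode(frame)
        if p is None or 'payload' not in p: continue
        if p['proto'] == 17 and (p['sport'], p['dport']) == (68, 67):     # DHCP client -> server
            name = dhcp_hostname(p['payload'])
            if name: r['host'].update(name=name, mac=p['smac'])
        elif p['proto'] == 6 and p['payload']:
            kind, m = http_message(p['payload'])
            if kind == 'req':
                r['host'].setdefault('ip', p['sip']); r['host'].setdefault('mac', p['smac'])
                r['servers'].setdefault(m['headers'].get('host', p['dip']), p['dip'])
                if 'user-agent' in m['headers']: r['user_agents'].add(m['headers']['user-agent'])
                if r['payloads']: r['post_infection'].append((m['method'], m['headers'].get('host'), m['uri']))
            elif kind == 'resp':
                ctype = m['headers'].get('content-type', '').split(';')[0].strip()
                if ctype == 'application/octet-stream':                   # heuristic: EK payload delivery
                    r['payloads'].append(int(m['headers'].get('content-length', len(m['body']))))
                elif ctype in EXPLOIT_TYPES:
                    r['exploits'].append((ctype, m['headers'].get('last-modified')))
    return r

# Constructed sample pcap (not real exercise traffic): DHCP request, compromised site, EK landing page,
# Flash exploit, two encrypted copies of the payload, then the malware's callback.
C, S1, S2 = '192.168.1.5', '203.0.113.10', '198.51.100.20'         # victim, compromised site, EK server
CMAC, GW = bytes.fromhex('001122334455'), bytes.fromhex('aabbccddeeff')
def _frame(smac, dmac, sip, dip, proto, l4):
    ip4 = lambda a: bytes(map(int, a.split('.')))
    return dmac + smac + b'\x08\x00' + struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip4(sip), ip4(dip)) + l4
def _tcp(sport, dport, p): return struct.pack('!HHIIBBHHH', sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) + p
def _req(srv, t): return _frame(CMAC, GW, C, srv, 6, _tcp(49200, 80, t))
def _resp(srv, t): return _frame(GW, CMAC, srv, C, 6, _tcp(80, 49200, t))
_dhcp = bytes([1, 1, 6, 0]) + b'\0' * 24 + CMAC + b'\0' * 202 + b'\x63\x82\x53\x63\x35\x01\x03\x0c\x07WIN7-PC\xff'
_bin = b'HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 123456\r\n\r\n'
FRAMES = [
    _frame(CMAC, b'\xff' * 6, '0.0.0.0', '255.255.255.255', 17, struct.pack('!HHHH', 68, 67, 8 + len(_dhcp), 0) + _dhcp),
    _req(S1, b'GET / HTTP/1.1\r\nHost: compromised.example\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n\r\n'),
    _req(S2, b'GET /landing HTTP/1.1\r\nHost: ek.example\r\n\r\n'),
    _resp(S2, b'HTTP/1.1 200 OK\r\nContent-Type: application/x-shockwave-flash\r\nLast-Modified: Mon, 01 Dec 2014 10:00:00 GMT\r\nContent-Length: 4\r\n\r\nFWS\x00'),
    _resp(S2, _bin + b'\x8a' * 16), _resp(S2, _bin + b'\x3c' * 16),    # same payload, different encryption each time
    _req(S2, b'POST /gate HTTP/1.1\r\nHost: ek.example\r\nContent-Length: 2\r\n\r\nok'),
]
T0 = int(datetime.datetime(2014, 12, 8, 16, 30, tzinfo=datetime.timezone.utc).timestamp())
SAMPLE = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1) + b''.join(
    struct.pack('<IIII', T0 + i, 0, len(f), len(f)) + f for i, f in enumerate(FRAMES))
if __name__ == '__main__': print(triage(SAMPLE))
```

Run it as-is to see the report for the constructed capture; for a real pcap, replace SAMPLE with open('file.pcap', 'rb').read(). Report times in UTC, as the script does, since the exercise asks for the date and time of the activity and pcap timestamps are epoch values with no zone. Treat the Content-Type rules as a starting point only: exploit kits routinely serve Flash, Silverlight and Java files with misleading or absent Content-Type headers, so confirm the exploit types from the file magic bytes (FWS/CWS/ZWS for Flash, PK for JAR and XAP) and the payload count from the reassembled streams in Wireshark.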