2014-12-08 - TRAFFIC ANALYSIS EXERCISE: QUESTIONS ABOUT EXPLOIT KIT (EK) TRAFFIC
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
PCAP AND ANSWERS:
- 2014-12-08-traffic-analysis-exercise.pcap.zip 1.3 MB (1,297,244 bytes)
- 2014-12-08-traffic-analysis-exercise-answers.pdf.zip 229.4 kB (229,405 bytes)
QUESTIONS
BASIC QUESTIONS:
1) What is the date and time of this activity?
2) What is the IP address of the Windows host that gets infected?
3) What is the MAC address of the infected Windows host?
4) What is the host name of the infected Windows host?
5) What is the domain name of the compromised web site?
6) What is the IP address of the compromised web site?
7) What is the domain name that delivered the exploit kit (EK) and malware payload?
8) What is the IP address that delivered the EK and malware payload?
MORE ADVANCED QUESTIONS:
1) What Snort events (either VRT or EmergingThreats) are generated by this pcap?
2) What EK is this (Angler, Nuclear, Neutrino, etc.)?
3) What is the redirect URL that points to the EK landing page?
4) What is the IP address of the redirect URL that points to the EK landing page?
5) How many times is the malware payload delivered? (It's encrypted each time.)
6) Which HTTP request (GET or POST) is the post-infection traffic generated by the malware?
EXTRA QUESTIONS:
1) What browser was used by the infected Windows host?
2) What different exploits were sent by the EK during this infection?
3) What is the date of these exploits? (When were they created or modified?)
4) What is the size of the malware payload?
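As an added example that is not part of this exercise or its answers PDF, the Python script below shows one way to pull the fields the basic and extra questions ask for (timestamp, client MAC and IP, destination IP, Host header, request path and User-Agent) out of a pcap without any third-party library. It builds a constructed two-request capture in memory (a visit to a hypothetical compromised site followed by a request to a hypothetical EK landing page, all names, MACs and IPs being placeholders, not values from the exercise pcap) and then parses it with the same code you would point at a real file. The host name of the infected machine is normally recovered from DHCP, NBNS or Kerberos traffic rather than HTTP and is not covered here.

```python
import struct
from datetime import datetime, timezone

# Constructed sample values for the demo pcap (not taken from the exercise pcap).
CLIENT_MAC = bytes.fromhex("001122334455")    # hypothetical infected host
GATEWAY_MAC = bytes.fromhex("66778899aabb")   # hypothetical default gateway
CLIENT_IP = "192.168.1.100"
COMPROMISED_SITE = ("compromised-site.example", "198.51.100.10")  # placeholder
EK_SITE = ("ek-landing.example", "203.0.113.20")                  # placeholder
USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_http_get_frame(host, dst_ip, path, user_agent):
    """Ethernet/IPv4/TCP frame carrying one HTTP GET (checksums left zero; the parser ignores them)."""
    payload = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {user_agent}\r\n\r\n".encode()
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000,
                     64, 6, 0, _ip(CLIENT_IP), _ip(dst_ip))
    eth = GATEWAY_MAC + CLIENT_MAC + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Serialize (timestamp, frame) pairs as a classic little-endian pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (timestamp, frame_bytes) for each record; handles both byte orders of the magic number."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_http_request(frame):
    """Return a dict for an Ethernet/IPv4/TCP frame whose payload starts an HTTP request, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp_off = 14 + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:]
    if not payload.startswith((b"GET ", b"POST ")):
        return None
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "src_mac": frame[6:12].hex(":"),
        "src_ip": ".".join(str(b) for b in frame[26:30]),
        "dst_ip": ".".join(str(b) for b in frame[30:34]),
        "dst_port": struct.unpack_from("!H", frame, tcp_off + 2)[0],
        "method": method,
        "host": headers.get("host", ""),
        "path": path,
        "user_agent": headers.get("user-agent", ""),
    }


def summarize_http(pcap_bytes):
    """Walk the pcap and list every HTTP request with its UTC timestamp (the basic-question fields)."""
    rows = []
    for ts, frame in iter_pcap(pcap_bytes):
        req = parse_http_request(frame)
        if req:
            req["time_utc"] = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
            rows.append(req)
    return rows


def demo_pcap():
    """Constructed two-request capture: a visit to the compromised site, then the EK landing page."""
    return build_pcap([
        (1418000000.0, build_http_get_frame(COMPROMISED_SITE[0], COMPROMISED_SITE[1], "/index.html", USER_AGENT)),
        (1418000003.5, build_http_get_frame(EK_SITE[0], EK_SITE[1], "/landing?id=placeholder", USER_AGENT)),
    ])


if __name__ == "__main__":
    for row in summarize_http(demo_pcap()):
        print(row["time_utc"], row["src_mac"], row["src_ip"], "->", row["dst_ip"],
              row["method"], row["host"] + row["path"])
```

To run it against a real capture, replace demo_pcap() with the bytes of the file (open(path, "rb").read()); pcapng files use a different container format and would need a separate reader. The first row gives you the date and time, the client MAC and IP, and the compromised domain and its IP; the row whose Host header differs and whose response carries the landing page is the candidate for the EK domain and IP, and the User-Agent header answers the browser question.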