2015-02-08 - TRAFFIC ANALYSIS EXERCISE

PCAP AND MORE:

NOTE: ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

SECOND DECISION POINT - YOU FINISH YOUR REPORT WITH INFORMATION FROM THE MALICIOUS EMAIL

First things first.  You already looked at the pcap in wireshark.  Hopefully, you've set it up as I've described in my tutorial here.  Use http.request for the filter and see what we've got:

 

A Google search on the domain names will indicate what's going on.  You'll find a submission to malwr.com that shows the same network traffic (under the "Network Analysis" section).  You'll also find a blog entry on TechHelpList.com discussing the same URLs from the pcap.

 

With that information, you might not need the EmergingThreats events generated by running the pcap through Snort or Security Onion:

 

INITIAL ASSESSMENT

An incident report of the activity should also include a technical details section after the short summary.  It would have all URLs, domains, IP addresses, and other malicious traffic associated with the incident.

 

ADDITIONAL INFORMATION FROM THE MALICIOUS EMAIL

Here's the malicious email:


Shown above:  The email attachment (a zip file).

 

Here's the malware from the email:


Shown above:  The email attachment (a zip file).

 


Shown above:  Extracted malware from the zip file.

 

You look up the information on VirusTotal and Malwr.com:

 

Make sure you inlcude the email information and these file hashes in your report.

 

SECOND DECISION POINT - ALTERNATE CHOICE

You call Mike and confirm this was the email he used to infect his computer.  You've alse confirmed the malware from the email was Upatre (TechHelpList confirms this in comments on the extracted malware from VirusTotal).  You find the Dyreza malware on the forensic image from Mike's computer.

 

FINAL NOTES IF YOU CHOSE TO STOP HERE

 

Click here to return to the main page.