2015-02-15 - TRAFFIC ANALYSIS EXERCISE
- ZIP - pcap of the traffic: 2015-02-15-traffic-analysis-exercise.pcap.zip
NOTE: ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
FIRST DECISION POINT - YOU FINISH YOUR ANALYSIS BASED ONLY ON THE PCAP
Here's what you should've found when looking at the pcap:
Let's go through this, step-by-step. First, load the pcap in wireshark. Hopefully, you've set it up as I've described in my tutorial here. You can find the host name and mac address for this IP address in the DHCP or NetBIOS name service (NBNS) traffic. See the images below for details:
Use http.request for the filter and see the web browsing traffic. At the botton, you'll find the last few HTTP GET requests for Nuclear EK.
The exploit kit should send files in the following sequence:
- Landing page
- Exploit (Flash, Java, Silverlight, etc)
- Malware payload after the exploit was successful
In most exploit kits, including Nuclear, these are all sent from same IP address and domain. Here are highlights from the pcap, so you can see if the malware payload was delivered.
FIRST DECISION POINT - ALTERNATE CHOICE
You want to know what alerts triggered and include them in your report. What exactly was that malware payload? With a determined look on your face, you investigate further. (Careful... Your face might settle into that look permanently.) The other analysts are still reviewing events, and someone will notify you if anything else unusual happens.
- Click here to find out more about your Nuclear EK activity.
FINAL NOTES IF YOU CHOSE TO STOP HERE
- You've determined wether or not the malware as delivered, and you initiated procedures to take care of the situation. From an incident response perspective, that's all you need.
- You've got other snort events to investigate. No other infected computers will escape notice--not on your watch! Spend too much time on one incident, and you might miss something even more important.
Click here to exit this exercise and return to the main page.