2015-02-15 - TRAFFIC ANALYSIS EXERCISE

PCAP:

NOTE: ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

SECOND DECISION POINT - WITH THOSE SNORT EVENTS, YOU FINISH THE REPORT

Here's what you should've found when looking at the pcap.

 

Let's go through this step by step.  First, load the pcap in Wireshark.  Hopefully, you've set it up as I've described in my tutorial here.  You can find the host name and MAC address for this IP address in the DHCP or NetBIOS Name Service (NBNS) traffic.  See the images below for details:
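If you want to script that host-identification step instead of clicking through Wireshark, here is an added example (not part of the exercise) that pulls the client MAC and host name out of a DHCP message and decodes the first-level-encoded name in an NBNS packet.  The MAC, host name "DESKTOP" and both packets are constructed sample data, not values from the exercise pcap.

```python
DHCP_MAGIC = b"\x63\x82\x53\x63"   # cookie that follows the 236-byte BOOTP header

def parse_dhcp(payload):
    """Return the client MAC (chaddr), host name (option 12) and client-id (option 61)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]                                    # hardware address length, 6 for Ethernet
    info = {"mac": payload[28:28 + hlen].hex(":"), "hostname": None, "client_id": None}
    i = 240
    while i < len(payload) and payload[i] != 255:        # 255 = end option
        if payload[i] == 0:                              # 0 = pad, carries no length byte
            i += 1
            continue
        tag, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if tag == 12:
            info["hostname"] = value.decode("ascii", "replace")
        elif tag == 61:
            info["client_id"] = value[1:].hex(":")       # byte 0 is the hardware type
        i += 2 + length
    return info

def encode_nbns_name(name, suffix):
    """NetBIOS first-level encoding: pad to 15 chars, append suffix byte, emit 'A'+nibble per nibble."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0xF)) for b in raw)

def decode_nbns_name(encoded):
    """Inverse of encode_nbns_name: 32 encoded chars -> (name without padding, suffix byte)."""
    if len(encoded) != 32:
        raise ValueError("NBNS names are 32 encoded characters")
    raw = bytes(((ord(encoded[k]) - 0x41) << 4) | (ord(encoded[k + 1]) - 0x41) for k in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def parse_nbns(payload):
    """Decode the first question name of an NBNS packet (12-byte DNS-style header, then one label)."""
    label_len = payload[12]
    return decode_nbns_name(payload[13:13 + label_len].decode("ascii"))

# Constructed sample traffic (not from the exercise pcap): a DHCP Request and an NBNS registration.
MAC = bytes.fromhex("001122334455")
SAMPLE_DHCP = (bytes([1, 1, 6, 0]) + b"\x12\x34\x56\x78" + b"\x00" * 20   # op/htype/hlen/hops, xid, secs..giaddr
               + MAC.ljust(16, b"\x00") + b"\x00" * 192 + DHCP_MAGIC     # chaddr, sname+file, cookie
               + b"\x35\x01\x03" + b"\x3d\x07\x01" + MAC                   # option 53 (Request), option 61
               + b"\x0c\x07DESKTOP" + b"\xff")                             # option 12 host name, end
SAMPLE_NBNS = (b"\x00\x01\x29\x10\x00\x01\x00\x00\x00\x00\x00\x01"          # id, flags (registration), counts
               + b"\x20" + encode_nbns_name("DESKTOP", 0x00).encode("ascii") + b"\x00\x00\x20\x00\x01")

if __name__ == "__main__":
    print(parse_dhcp(SAMPLE_DHCP))   # {'mac': '00:11:22:33:44:55', 'hostname': 'DESKTOP', 'client_id': '00:11:22:33:44:55'}
    print(parse_nbns(SAMPLE_NBNS))   # ('DESKTOP', 0)
```

The suffix byte tells you which NetBIOS service registered the name (0x00 workstation, 0x20 file server), which is why the same host shows up more than once in NBNS traffic.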

 

Use http.request as the filter to see the web browsing traffic.  At the bottom, you'll find the last few HTTP GET requests for Nuclear EK.

 

The exploit kit should send files in the following sequence:

 

In most exploit kits, including Nuclear, these are all sent from the same IP address and domain.  Here are highlights from the pcap, so you can see whether the malware payload was delivered.

 

SECOND DECISION POINT - ALTERNATE CHOICE

Still not 100 percent satisfied, are you?  People at your UK location find the computer (a Dell desktop) and perform some forensics.  They send you a ZIP archive of some suspicious files they found on the computer.

 

FINAL NOTES IF YOU CHOSE TO STOP HERE

 

Click here to exit this exercise and return to the main page.