2015-02-15 - TRAFFIC ANALYSIS EXERCISE
PCAP AND SUSPICIOUS FILES:
- ZIP - pcap of the traffic: 2015-02-15-traffic-analysis-exercise.pcap.zip
- ZIP - suspicious files: 2015-02-15-traffic-analysis-exercise-suspicious-files.zip
NOTE: ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
YOU HAVE EVERYTHING AND FINISH YOUR REPORT
Here's what you should've found when looking at the pcap.
Let's go through this, step-by-step. First, load the pcap in Wireshark. Hopefully, you've set it up as I've described in my tutorial here. You can find the host name and MAC address for this IP address in the DHCP or NetBIOS name service (NBNS) traffic. See the images below for details:
Use http.request as the filter to see the web browsing traffic. At the bottom, you'll find the last few HTTP GET requests for Nuclear EK.
The exploit kit should send files in the following sequence:
- Landing page
- Exploit (Flash, Java, Silverlight, etc.)
- Malware payload after the exploit was successful
In most exploit kits, including Nuclear, these are all sent from the same IP address and domain. Here are highlights from the pcap, so you can see if the malware payload was delivered.
Here are files from the infected computer:
- If you decided to stop at any of the earlier decision points, assuming you didn't make any mistakes, you should be good. Once you've determined whether or not the malware was delivered, initiate procedures to take care of the situation. From an incident response perspective, that's all you need.
- As analysts, we've got other events to investigate. Spend too much time on one incident, and you might miss something even more important.
- Search through the traffic, and you'll find the HTTP GET request from the compromised website that goes to the Cushion redirect (tcp.stream eq 37) and the Cushion redirect that leads to the Nuclear EK landing page (tcp.stream eq 44). That should take you through the full chain of events, from the compromised website to Nuclear EK.
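As an added example (not part of the original exercise), here is how the two checks above can be scripted once the HTTP request fields have been exported from Wireshark: confirm the landing page, exploit and payload all came from the same EK server, and walk the Referer headers backwards from the EK landing page to the compromised site. The records are constructed; hostnames, IPs and the stream numbers other than 37 and 44 are placeholders, not values from the pcap.

```python
# Added example (not from the exercise): reconstruct the exploit-kit chain from exported HTTP fields.
# Sample records are constructed; hosts/IPs are placeholders, not values from the pcap.
# Fields mirror Wireshark columns: tcp.stream, ip.dst, http.host, http.request.uri, http.referer,
# and the Content-Type of the matching response.
REQUESTS = [
    {"stream": 37, "ip": "198.51.100.10", "host": "compromised.example", "uri": "/index.html",
     "referer": "", "ctype": "text/html"},
    {"stream": 40, "ip": "198.51.100.10", "host": "compromised.example", "uri": "/js/widget.js",
     "referer": "http://compromised.example/index.html", "ctype": "application/javascript"},
    {"stream": 44, "ip": "203.0.113.5", "host": "redirect.example", "uri": "/cushion.php",
     "referer": "http://compromised.example/index.html", "ctype": "text/html"},
    {"stream": 51, "ip": "192.0.2.77", "host": "ek.example", "uri": "/landing/abc",
     "referer": "http://redirect.example/cushion.php", "ctype": "text/html"},
    {"stream": 52, "ip": "192.0.2.77", "host": "ek.example", "uri": "/exploit.swf",
     "referer": "http://ek.example/landing/abc", "ctype": "application/x-shockwave-flash"},
    {"stream": 53, "ip": "192.0.2.77", "host": "ek.example", "uri": "/payload.bin",
     "referer": "http://ek.example/landing/abc", "ctype": "application/octet-stream"},
]
# Response MIME types that mark each stage of the landing page -> exploit -> payload sequence.
STAGES = {"text/html": "landing page", "application/x-shockwave-flash": "exploit (Flash)",
          "application/java-archive": "exploit (Java)",
          "application/x-silverlight-app": "exploit (Silverlight)",
          "application/octet-stream": "payload"}

def ek_sequence(requests, ek_ip):
    """Requests answered by the EK server, in tcp.stream order, labelled by stage."""
    hits = sorted((r for r in requests if r["ip"] == ek_ip), key=lambda r: r["stream"])
    return [(r["stream"], STAGES.get(r["ctype"], "other")) for r in hits]

def payload_delivered(requests, ek_ip):
    """True only if a landing page, an exploit and a payload all came from the same EK server."""
    stages = {s for _, s in ek_sequence(requests, ek_ip)}
    return {"landing page", "payload"} <= stages and any(s.startswith("exploit") for s in stages)

def redirect_chain(requests, landing_stream):
    """Walk Referer headers backwards from the EK landing page to the site that started it."""
    by_url = {"http://" + r["host"] + r["uri"]: r for r in requests}
    cur = next(r for r in requests if r["stream"] == landing_stream)
    chain, seen = [], set()
    while cur is not None and cur["stream"] not in seen:   # guard against referer loops
        seen.add(cur["stream"])
        chain.append((cur["stream"], cur["host"]))
        cur = by_url.get(cur["referer"])   # None when the referer is not in the capture
    return chain[::-1]   # oldest first: compromised site -> redirect -> EK landing page

if __name__ == "__main__":
    for item in ek_sequence(REQUESTS, "192.0.2.77"):
        print(item)
    print("payload delivered:", payload_delivered(REQUESTS, "192.0.2.77"))
    print("chain:", redirect_chain(REQUESTS, 51))
```

A missing Referer (stripped by a meta refresh or JavaScript redirect) ends the chain early, which is exactly when you fall back to following the tcp.stream numbers by hand.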