2015-02-24 - TRAFFIC ANALYSIS EXERCISE

PCAP:

NOTE: ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

ANSWER CHECK - ROUND 3

Get the payload and decrypt it?  First, you'll need to extract the payload from Wireshark.  Go to File --> Export Objects --> HTTP as shown below:

 

The payload is sent multiple times by the exploit kit domain.  It's 182 kB in size.  I saved mine to a file named: extracted-binary

 

Next, go to http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an and look near the end of the blog entry.  You'll find a link to the python script that can decrypt the payload.

 

Follow the link to the github page, where you can copy and paste the script to a text file on your local host.  I saved mine to a file named: fiesta-decrypt.py

 

Hopefully you're using Linux or some other Unix/BSD variant.  Make sure the decrypt script is executable.  In the image below, I used the file command to get some general information on the extracted payload.  It only shows as "binary data."  After running the python script, try the file command on the decrypted binary, and it should show a PE32 executable.

 

Now you can submit the decrypted file to VirusTotal or reverse engineer the malware sample.
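To confirm the decryption step worked without relying on the file command, the script below does the same header check programmatically: it looks for the DOS "MZ" stub, follows e_lfanew to the "PE\0\0" signature, reads the COFF header, and tells PE32 apart from PE32+ using the optional-header magic.  It also computes the SHA256 so the sample can be looked up on VirusTotal by hash before deciding whether to upload it.  This is an added example, not part of the original exercise and not the 0x3a decryption script; it does not decrypt anything, and the pe_info / build_constructed_pe names and the constructed header bytes are my own.

```python
#!/usr/bin/env python3
"""Check whether a decrypted Fiesta payload is a PE executable.

Added example for the answer check above. It reproduces what `file` reports
("PE32 executable ...") by parsing the DOS and COFF headers directly, and
prints a SHA256 for a VirusTotal hash lookup. Function names and the
constructed sample bytes are hypothetical, not from the original page.
"""
import hashlib
import struct
import sys

# IMAGE_FILE_HEADER.Machine values (from the PE/COFF specification)
MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000            # Characteristics flag: image is a DLL
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def pe_info(data: bytes) -> dict:
    """Return basic PE facts for a byte blob, or {'is_pe': False, 'reason': ...}."""
    # DOS header is 64 bytes; e_lfanew (offset of the PE signature) sits at 0x3C
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False, "reason": "no MZ header"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature plus the 20-byte COFF header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False, "reason": "no PE signature"}
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    # Optional header starts right after the COFF header; its first WORD is the magic
    pe_format = "unknown"
    if opt_size >= 2 and e_lfanew + 26 <= len(data):
        magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
        pe_format = OPT_MAGIC.get(magic, "unknown (0x%x)" % magic)
    return {
        "is_pe": True,
        "pe_format": pe_format,
        "machine": MACHINES.get(machine, "0x%x" % machine),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "sections": nsections,
        "timestamp": timestamp,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_constructed_pe(pe32plus: bool = False, dll: bool = False) -> bytes:
    """Build a minimal, constructed PE header (not a runnable executable) for testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64-byte DOS header
    machine = 0x8664 if pe32plus else 0x14C
    characteristics = 0x0002 | (IMAGE_FILE_DLL if dll else 0)        # EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, characteristics)
    opt_magic = struct.pack("<H", 0x20B if pe32plus else 0x10B)
    return dos + b"PE\0\0" + coff + opt_magic


def describe(path: str) -> str:
    """One-line summary in the spirit of `file`, for a file on disk."""
    with open(path, "rb") as fh:
        info = pe_info(fh.read())
    if not info["is_pe"]:
        return "%s: data (%s)" % (path, info["reason"])
    kind = "DLL" if info["is_dll"] else "executable"
    return "%s: %s %s %s, %d sections, sha256=%s" % (
        path, info["pe_format"], kind, info["machine"], info["sections"], info["sha256"])


if __name__ == "__main__":
    # Usage: ./pe_check.py decrypted-binary   (path is whatever you saved the output as)
    for p in sys.argv[1:]:
        print(describe(p))
    if len(sys.argv) == 1:
        # No path given: demonstrate on the constructed header instead
        print(pe_info(build_constructed_pe()))
```

Run it on the extracted-binary before decryption and you should get "data (no MZ header)"; run it on the decrypted output and it should report a PE32 executable, matching what the file command shows in the screenshot.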

 

FINAL NOTES

There's more information in the pcap.  You'll find the compromised website that kicked off the infection chain of events, and you might be able to block it.  The exploit kit sent an exploit before each malware payload.  There's at least a Flash, Java, PDF, Silverlight, and IE exploit.  The 0x3a blog post (link) has more information on Fiesta for those interested.

 
