2015-05-08 - TRAFFIC ANALYSIS EXERCISE

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.


TRAFFIC

The image below shows the traffic in Wireshark. As always, I recommend changing the default column display in Wireshark as covered in this tutorial: http://malware-traffic-analysis.net/tutorials/wireshark/index.html



BREAK POINT

You've documented the traffic, and now it's time to state what happened. A full analysis should include Snort events (or any other alerts) you've been able to generate from the pcap (from reading it with Snort or using tcpreplay in Security Onion). You should also be able to extract a malware sample from the pcap and submit it to VirusTotal.
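The sample-extraction step above, as an added example that is not part of this exercise or the site's own tooling: a minimal pure-Python carver that reads a pcap, reassembles the server side of one HTTP session in sequence order (so out-of-order and retransmitted segments do not corrupt the file) and hashes the body for a VirusTotal lookup. It assumes a little-endian pcap of Ethernet frames, builds a constructed capture (documentation-range addresses, a made-up `/update.exe` download) in place of the exercise's pcap, and every function name is the example's own.

```python
import hashlib
import struct
def pcap_frames(data):
    """Yield each captured frame from an in-memory pcap (Ethernet link type assumed)."""
    assert struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4, "unsupported pcap magic"  # LE, usec
    off = 24                                                 # skip the global header
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<IIII", data, off)[2]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen
def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:14 + (frame[14] & 0x0F) * 4]
    tcp = frame[14 + len(ip):14 + struct.unpack_from("!H", ip, 2)[0]]  # IP total length bounds it
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    return ip[12:16], sport, ip[16:20], dport, seq, tcp[(tcp[12] >> 4) * 4:]
def extract_http_body(data, server_ip, server_port):
    """Reassemble the server-to-client half of one session; return the bytes after the HTTP header."""
    chunks = {}
    for seg in map(parse_tcp, pcap_frames(data)):
        if seg and seg[0] == server_ip and seg[1] == server_port and seg[5]:
            chunks.setdefault(seg[4], seg[5])                # first copy wins: drops retransmissions
    stream = b"".join(chunks[seq] for seq in sorted(chunks))  # sequence order, not capture order
    _, sep, body = stream.partition(b"\r\n\r\n")
    return body if sep else b""
def carve_sample(pcap, server_ip, server_port=80):
    """Carve the served file and return (bytes, sha256 hex) ready for a VirusTotal hash lookup."""
    body = extract_http_body(pcap, server_ip, server_port)
    return body, hashlib.sha256(body).hexdigest()

# Constructed capture for testing: one GET plus a two-segment response. Checksums are left zero.
def build_frame(src, sport, dst, dport, seq, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip
def build_pcap(frames):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
SERVER, CLIENT = bytes([203, 0, 113, 5]), bytes([192, 0, 2, 10])    # documentation-range addresses
PAYLOAD = b"MZ" + b"\x90" * 30 + b"constructed stand-in for a downloaded executable"
FIRST = b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n\r\n" + PAYLOAD[:10]
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, 49152, SERVER, 80, 500, b"GET /update.exe HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_frame(SERVER, 80, CLIENT, 49152, 1000 + len(FIRST), PAYLOAD[10:]),   # captured out of order
    build_frame(SERVER, 80, CLIENT, 49152, 1000, FIRST),
    build_frame(SERVER, 80, CLIENT, 49152, 1000, FIRST),                       # retransmission
])
```

`carve_sample(SAMPLE_PCAP, SERVER)` returns the carved bytes and their SHA-256; for a real capture, pass the pcap bytes and the serving host's address instead of the constructed ones, then search the hash on VirusTotal before uploading.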