2015-05-08 - TRAFFIC ANALYSIS EXERCISE
- PCAP of the traffic: 2015-05-08-traffic-analysis-exercise.pcap.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
You can separate the traffic into exploit kit activity (the first part) and post-infection traffic (the second part).
Here's the first part:
Here's the second part:
Shown above: Screenshot from Sguil RealTimeEvents tab in Security Onion.
Shown above: Sguil alerts all escalated, so you can see the individual events.
This exploit kit can send multiple payloads, but only one was sent in this pcap. To export the payload from the pcap, use File --> Export Objects --> HTTP
The image below shows the 221,184 bytes of malware payload, which was falsely labeled as text/html in the HTTP response headers sent by the server:
Follow the associated TCP stream, and you'll see this is a Windows-based executable file:
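As an added example that is not part of the original exercise, the script below checks a raw HTTP response for the kind of Content-Type mismatch described above: it parses the headers, sniffs the body for the MZ/PE signature instead of trusting the server, and flags the disagreement. The sample response is constructed here; only its shape (a text/html header over an executable body) comes from the page.

```python
# Added example (not from the original exercise): flag an HTTP response whose
# declared Content-Type disagrees with what the body actually contains.

def sniff_body_type(body: bytes) -> str:
    """Identify the body by magic bytes rather than trusting the header."""
    if body[:2] == b"MZ" and len(body) >= 0x40:
        # e_lfanew (offset 0x3c, little-endian) points at the PE signature
        e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
        if body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "application/vnd.microsoft.portable-executable"
        return "application/x-dosexec"          # DOS stub without PE header
    if body.lstrip().lower().startswith((b"<!doctype html", b"<html")):
        return "text/html"
    return "application/octet-stream"           # unknown; do not flag

def check_http_response(raw: bytes) -> dict:
    """Parse a raw HTTP response and compare Content-Type with the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff_body_type(body)
    return {
        "declared": declared,
        "actual": actual,
        "body_length": len(body),
        "mismatch": declared != actual and actual != "application/octet-stream",
    }

# Constructed sample: a response claiming text/html whose body starts with a
# minimal PE header (MZ stub, e_lfanew -> "PE\0\0"), padded to 128 bytes.
SAMPLE_BODY = bytearray(128)
SAMPLE_BODY[0:2] = b"MZ"
SAMPLE_BODY[0x3C:0x40] = (0x40).to_bytes(4, "little")
SAMPLE_BODY[0x40:0x44] = b"PE\x00\x00"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 128\r\n\r\n" + bytes(SAMPLE_BODY)
)

if __name__ == "__main__":
    print(check_http_response(SAMPLE_RESPONSE))
```

The same check can be run over every body saved by Export Objects to find responses whose headers lie about their content.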
I ran the file on a Windows host to confirm the malware:
If you need to confirm you extracted the malware correctly, you can grab a copy here at malwr.com. You'll need to be a registered user to download the sample.
Hope you found this useful. Thanks for reading!