2015-06-30 - TRAFFIC ANALYSIS EXERCISE - ANSWERS


NOTES


ANSWERS AND HINTS

See the image below for answers:


Filtering on http.request will give you a quick rundown. See the image below:


Some signature hits from the Emerging Threats ruleset, viewed in Sguil on Security Onion, identify the exploit kit:


Signature hits from the Talos (Sourcefire VRT) ruleset also identify the exploit kit:


Using the Wireshark filter shown in the image below helps identify some of the post-infection traffic from the infected host:


Filter on udp and you'll find an interesting reverse DNS lookup (PTR); you'll also see NetBIOS traffic to an external host.
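The two UDP checks above can be applied in code once the packets are exported from Wireshark. The script below is an added example, not part of the original exercise: it parses DNS questions to spot PTR lookups and flags NetBIOS name-service traffic whose destination lies outside the RFC 1918 ranges. The records are constructed samples, with 10.0.0.5 standing in for the infected host and 203.0.113.7 for the external one.

```python
import ipaddress
import struct

PTR = 12                     # DNS QTYPE for reverse (in-addr.arpa) lookups
NETBIOS_PORTS = {137, 138}   # NetBIOS name service and datagram service
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_dns_question(payload: bytes):
    """Return (qname, qtype) of the first DNS question, or None if malformed."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        return None
    labels, pos = [], 12
    try:
        while payload[pos] != 0:
            length = payload[pos]
            if length & 0xC0:  # compression pointer: not valid in a question name
                return None
            labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
            pos += 1 + length
        qtype = struct.unpack("!H", payload[pos + 1:pos + 3])[0]
    except (IndexError, struct.error):
        return None
    return ".".join(labels), qtype

def build_query(name: str, qtype: int) -> bytes:
    """Build a minimal DNS query; used only to construct the sample traffic below."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def triage_udp(records):
    """Flag PTR lookups and NetBIOS traffic leaving the RFC 1918 address space."""
    findings = []
    for src, dst, dport, payload in records:
        external = not any(ipaddress.ip_address(dst) in net for net in RFC1918)
        if dport in NETBIOS_PORTS and external:
            findings.append(("netbios-external", src, dst))
        elif dport == 53:
            question = parse_dns_question(payload)
            if question and question[1] == PTR:
                findings.append(("ptr-lookup", src, question[0]))
    return findings

# Constructed sample records (src, dst, dst_port, udp_payload); 203.0.113.7 stands in for the external host
SAMPLE = [
    ("10.0.0.5", "10.0.0.1", 53, build_query("www.example.com", 1)),
    ("10.0.0.5", "10.0.0.1", 53, build_query("4.3.2.1.in-addr.arpa", PTR)),
    ("10.0.0.5", "203.0.113.7", 137, b"\x00" * 50),   # NetBIOS name query to an external host
    ("10.0.0.5", "10.0.0.9", 137, b"\x00" * 50),      # same traffic inside the LAN: not flagged
]
```

`triage_udp(SAMPLE)` returns only the PTR lookup and the external NetBIOS record; the ordinary A query and the in-LAN NetBIOS traffic pass through unflagged.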


Looking at the EK traffic, you'll find the payload is obfuscated, as we've seen before with this and other EKs:


You can extract the EK landing page, Flash exploit, and obfuscated malware payload as noted in the next two images:


The Python script shown below can be used to deobfuscate the EK malware payload: