2015-07-24 - TRAFFIC ANALYSIS EXERCISE - WHERE'D THE CRYPTOWALL COME FROM?

TRAFFIC:

 

SCENARIO

You've been hired as an analyst for a small company with approximately 200 employees in an office building.  So far, intrusion and malware detection is host-based through a commercial anti-virus product.  At this point, network security monitoring consists of a Snort setup using registered Snort rules.  You have access to the last 12 hours of network traffic through a SAN server.

On Friday 2015-07-24 at starting at 14:59 UTC, you notice at least a dozen Snort events with the following characteristics:

This is post-infecion traffic for CryptoWall ransomware, so it's time to investigate!  You retrieve a pcap from the SAN server.  The pcap has all network traffic by 192.168.137.85 from 14:56 to 15:04 UTC.

Due to a synchronization issue when the traffic was recorded, your pcap has the wrong date.  It reads 2015-07-23, but it should be 2015-07-24.  All times in the pcap appear to be correct.

You know CryptoWall 3.0 has been making the rounds.  This malware has been seen from malicious spam and different exploit kits.  Your gut feeling?  This CryptoWall infection was probably caused by an exploit kit.  You'll need to prove it, though.

 

YOUR TASK

Investigate the pcap and document your findings.  Your report should include:

 

 

ANSWERS