2015-07-24 - TRAFFIC ANALYSIS EXERCISE - ANSWERS

TRAFFIC:

NOTE:  Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

ANSWERS

The infected computer's host name:

The infected computer's MAC address:

The infected computer's operating system and browser:  Windows 7 (NT 6.1) with Internet Explorer 11

Exploit kit (Angler, Magnitude, or Nuclear?):  Angler

IP address and domain name used by the exploit kit:  185.43.223.164 (the domain name appears in the Wireshark filter hint)

Compromised website that caused the exploit kit traffic:

Domains and IP addresses from the CryptoWall 3.0 post-infection traffic:  include 6i3cb6owitcouepv.ministryordas.com (the decrypt instructions page) and ip-addr.es (the infected host's IP address check)

What was vulnerable on the user's computer? (the browser, Flash, Java, Silverlight, etc.):  Flash Player 18.0.0.203

 

HINTS

Finding the computer's host name and MAC address through DHCP traffic in the pcap (the host name is DHCP option 12, the MAC is the client hardware address in the DHCP Request):
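The DHCP check above, as an added example that is not part of the original exercise: the script builds a minimal DHCP Request from a constructed MAC (00:11:22:33:44:55) and host name (EXAMPLE-PC), neither of which is from the exercise pcap, then parses it the way you would read the packet in Wireshark, taking the MAC from the BOOTP chaddr field and the host name from option 12. Field offsets follow RFC 2131.

```python
"""Pull the client host name and MAC address out of a DHCP message.

Added example; the packet is constructed for the demo and is not taken from
the exercise pcap.  Layout per RFC 2131: 236-byte BOOTP header, the magic
cookie 63 82 53 63, then TLV options terminated by 255.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
OPT_PAD, OPT_HOST_NAME, OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 0, 12, 53, 61, 255


def build_dhcp_request(mac: bytes, hostname: str, xid: int = 0x3903F326) -> bytes:
    """Build a minimal DHCP Request (constructed test input, not real traffic)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,             # transaction id, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"),       # chaddr, padded to 16 bytes
        b"\0" * 64, b"\0" * 128)    # sname, file
    options = (
        bytes([OPT_MSG_TYPE, 1, 3])                          # 3 = DHCPREQUEST
        + bytes([OPT_CLIENT_ID, 7, 1]) + mac                 # client id: htype + MAC
        + bytes([OPT_HOST_NAME, len(hostname)]) + hostname.encode("ascii")
        + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


def parse_dhcp_options(payload: bytes) -> dict:
    """Walk the TLV option list starting at offset 240.

    Pad (0) has no length byte; end (255) stops the walk; anything that runs
    past the end of the packet is rejected instead of silently truncated.
    """
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option at offset %d" % i)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of packet" % code)
        options[code] = value
        i += 2 + length
    return options


def parse_dhcp(payload: bytes) -> dict:
    """Return message type, client MAC (chaddr) and host name (option 12)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    hlen = payload[2]                       # hardware address length, 6 for Ethernet
    chaddr = payload[28:28 + hlen]          # client hardware address field
    options = parse_dhcp_options(payload)
    msg_type = options.get(OPT_MSG_TYPE, b"\0")[0]
    host = options.get(OPT_HOST_NAME, b"").decode("ascii", "replace")
    return {
        "message_type": MESSAGE_TYPES.get(msg_type, "UNKNOWN(%d)" % msg_type),
        "client_mac": ":".join("%02x" % b for b in chaddr),
        "host_name": host or None,
    }


if __name__ == "__main__":
    pkt = build_dhcp_request(bytes.fromhex("001122334455"), "EXAMPLE-PC")
    print(parse_dhcp(pkt))
```

In Wireshark of that era the display filter for this traffic is "bootp"; releases from 3.0 onward renamed it to "dhcp". Either way, the DHCP Request from the victim is the packet to open.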

 

Finding the OS and browser: look for the User-Agent string in one of the requests to Google.  In the example below, "Windows NT 6.1" is Windows 7, and the "rv:11.0" token (together with Trident/7.0 and no MSIE token) is how Internet Explorer 11 identifies itself:

 

IDS alerts from Suricata in Security Onion (running the EmergingThreats and ET PRO rulesets) flag the Angler exploit kit on 185.43.223.164:

 

Filter in Wireshark on 185.43.223.164 (for example, ip.addr == 185.43.223.164 && http.request) and read the Host header to find the domain name used by Angler EK:

 

Follow the TCP stream for the first HTTP GET request to Angler EK, and you'll see the Referer header showing the compromised website that kicked off this infection chain:
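The same three reads (User-Agent for OS and browser, Host for the exploit kit domain, Referer for the compromised site) done in code, as an added example that is not part of the original exercise. The request text is constructed to look like what "Follow TCP Stream" shows; the domains and paths (ek-landing.example, compromised.example) are placeholders and not the ones in the exercise pcap. The second constructed request carries an x-flash-version header, which Flash Player adds to its own requests and is the usual place to read the Flash version from the pcap.

```python
"""Triage a reassembled HTTP request: Host (exploit kit domain), Referer
(compromised site), User-Agent (OS/browser) and x-flash-version.

Added example; both requests below are constructed for the demo and their
domains and paths are placeholders, not values from the exercise pcap.
"""
import re

# Landing-page request as "Follow TCP Stream" would show it (constructed).
SAMPLE_REQUEST = (
    "GET /example/landing HTTP/1.1\r\n"
    "Accept: text/html, application/xhtml+xml, */*\r\n"
    "Referer: http://compromised.example/index.php\r\n"
    "Accept-Language: en-US\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Host: ek-landing.example\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Follow-up request for the SWF; Flash Player reports its version here (constructed).
SAMPLE_SWF_REQUEST = (
    "GET /example/payload.swf HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "x-flash-version: 18,0,0,203\r\n"
    "Referer: http://ek-landing.example/example/landing\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: ek-landing.example\r\n"
    "\r\n"
)

WINDOWS_NT_NAMES = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
                    "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10"}


def parse_http_request(stream: str) -> dict:
    """Split the request line and headers; header names are case-insensitive."""
    head, _, _ = stream.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def describe_user_agent(ua: str) -> dict:
    """Map a desktop Windows/IE user-agent string to OS and browser names.

    IE 11 dropped the 'MSIE' token: it identifies itself with Trident/7.0 and
    rv:11.0.  Older IE versions still carry 'MSIE <n>'.
    """
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    os_name = (WINDOWS_NT_NAMES.get(m.group(1), "Windows NT " + m.group(1))
               if m else "unknown")
    rv = re.search(r"Trident/7\.0;.*\brv:(\d+)", ua)
    msie = re.search(r"MSIE (\d+)", ua)
    if rv:
        browser = "Internet Explorer " + rv.group(1)
    elif msie:
        browser = "Internet Explorer " + msie.group(1)
    else:
        browser = "unknown"
    return {"os": os_name, "browser": browser, "wow64": "WOW64" in ua}


def parse_flash_version(header_value: str) -> tuple:
    """x-flash-version is 'major,minor,build,revision'; a tuple compares correctly."""
    return tuple(int(p) for p in header_value.split(","))


def triage(stream: str) -> dict:
    """Pull the exercise's answers out of one request."""
    headers = parse_http_request(stream)["headers"]
    result = {"ek_domain": headers.get("host"), "referer": headers.get("referer")}
    result.update(describe_user_agent(headers.get("user-agent", "")))
    if "x-flash-version" in headers:
        result["flash_version"] = parse_flash_version(headers["x-flash-version"])
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_REQUEST))
    print(triage(SAMPLE_SWF_REQUEST))
```

Parsing the Flash version into a tuple rather than a string matters when you compare it against a patched build: "18,0,0,203" sorts correctly as (18, 0, 0, 203), while a string comparison of dotted versions does not.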

 

In Security Onion, I use Sguil.  Sguil groups alerts by source IP, so a single grouped alert can cover several destination IPs.  Select the alert and hit F9 to escalate these events and see them individually:

 

Go to the "Escalated Events" tab in Sguil, and you'll see the individual events with all the destination IP addresses:

 

You can double-check the CryptoWall 3.0 post-infection domains and IP addresses in Wireshark.  Of note, 6i3cb6owitcouepv.ministryordas.com is the domain for the page the user went to for decrypt instructions.  Traffic to ip-addr.es is CryptoWall 3.0 checking the infected host's IP address.

 

Below shows the Flash version as 18.0.0.203, which is vulnerable to Flash exploits used by Angler EK: