2015-10-28 - TRAFFIC ANALYSIS EXERCISE - MIDGE FIGGINS INFECTED HER COMPUTER

ASSOCIATED FILES:

ZIP files on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.


SCENARIO

At your company's Security Operations Center (SOC), an analyst saw an alert for Gootkit and discovered an infected computer.  The alert was traced to Midge Figgins, who is an executive assistant for your Chief Executive Officer (CEO).

Midge's Windows desktop computer was confiscated, and the Help Desk re-imaged it.  Before it was re-imaged, a Help Desk technician retrieved malware from the infected host.


Shown above: Registry key related to malware found on the infected host.


Unfortunately, the analyst didn't document his findings.  No one knows how Midge Figgins infected her computer, and people are now asking about it.

You've been tasked to write an incident report.  You talk with Midge, but she doesn't remember anything unusual.  You only have a pcap of the traffic and malware from the infected host.


Shown above: Wireshark with a pcap of the infection traffic related to Midge's computer.
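A first pass over a pcap like this usually comes down to two questions: which HTTP requests did the infected host make, and in what order, with the Referer header showing how one site led to the next. The script below is an added example, not one of the exercise's files and not tied to the real pcap: it parses a classic pcap with only the Python standard library, pulls out HTTP request lines with their Host, Referer and User-Agent headers, and reduces them to an ordered chain of hosts per client. The traffic it reads is constructed inline (RFC 5737 test addresses, example.com-style names) and the host names are placeholders, not indicators from this case.

```python
# Added example (not part of the original exercise): stdlib-only pcap triage that
# lists HTTP requests per client and reconstructs the chain of hosts contacted.
# The pcap it parses is constructed inline; it is NOT the exercise's pcap.
import struct
from collections import OrderedDict
from typing import Dict, Iterator, List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic pcap magic, little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1      # same magic seen through the wrong byte order
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6


def _ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame carrying payload (checksums left zero; test data only)."""
    eth = b"\x00\x0c\x29\x00\x00\x01" + b"\x00\x50\x56\x00\x00\x02" + ETHERTYPE_IPV4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     IPPROTO_TCP, 0, _ip4(src), _ip4(dst))
    return eth + ip + tcp


def build_pcap(frames: List[bytes], t0: int = 1446000000) -> bytes:
    """Wrap frames in a classic (not pcapng) little-endian pcap container."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (timestamp_sec, frame_bytes) from a classic pcap of either byte order."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng needs a different reader)")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec, pcap[off:off + incl_len]
        off += incl_len


def extract_http_requests(pcap: bytes) -> List[Dict[str, object]]:
    """One dict per HTTP request line found in a TCP payload (single-segment requests)."""
    requests = []
    for ts, frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        if ip[9] != IPPROTO_TCP:
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]                 # drop any Ethernet padding
        payload = tcp[(tcp[12] >> 4) * 4:]
        if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
            continue
        lines = payload.split(b"\r\n")
        headers = {}
        for ln in lines[1:]:
            if b":" in ln:
                k, v = ln.split(b":", 1)
                headers[k.strip().lower().decode("latin-1")] = v.strip().decode("latin-1")
        requests.append({
            "ts": ts,
            "src": ".".join(str(b) for b in ip[12:16]),
            "dst": ".".join(str(b) for b in ip[16:20]),
            "dport": struct.unpack("!H", tcp[2:4])[0],
            "request": lines[0].decode("latin-1"),
            "host": headers.get("host", ""),
            "referer": headers.get("referer", ""),
            "user_agent": headers.get("user-agent", ""),
        })
    return requests


def host_chain(requests: List[Dict[str, object]], client: str) -> List[str]:
    """Ordered, de-duplicated Host values one client requested, oldest first."""
    chain = OrderedDict()
    for r in sorted((r for r in requests if r["src"] == client), key=lambda r: r["ts"]):
        chain.setdefault(r["host"], None)
    return list(chain)


# Constructed sample traffic (placeholder names): a site, an ad domain, a landing
# page, then a POST to a host with no Referer and a non-browser User-Agent.
CLIENT = "10.0.0.25"
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(CLIENT, "203.0.113.10", 49152, 80,
        b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    build_tcp_frame("203.0.113.10", CLIENT, 80, 49152,
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    build_tcp_frame(CLIENT, "203.0.113.20", 49153, 80,
        b"GET /ads/show.js HTTP/1.1\r\nHost: ads.example.net\r\n"
        b"Referer: http://www.example.com/\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    build_tcp_frame(CLIENT, "198.51.100.7", 49154, 80,
        b"GET /landing.php?id=1 HTTP/1.1\r\nHost: landing.example.org\r\n"
        b"Referer: http://ads.example.net/ads/show.js\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    build_tcp_frame(CLIENT, "198.51.100.9", 49155, 80,
        b"POST /gate HTTP/1.1\r\nHost: c2.example.org\r\nUser-Agent: WinHTTP\r\n"
        b"Content-Length: 2\r\n\r\nok"),
])

if __name__ == "__main__":
    reqs = extract_http_requests(SAMPLE_PCAP)
    for r in reqs:
        print(r["ts"], r["src"], "->", r["host"], r["request"], "Referer:", r["referer"] or "-")
    print("chain:", " -> ".join(host_chain(reqs, CLIENT)))
```

On a real capture, replace SAMPLE_PCAP with the bytes of the pcap file and start from the chain: the first request with no Referer is where the user went on her own, each Referer after that shows which page pulled in the next host, and a request with no Referer and an unusual User-Agent late in the chain is the kind of post-infection traffic (check-in, download) worth pivoting to. The reader handles only single-segment requests and plain HTTP, so for reassembly or HTTPS you still go back to Wireshark.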


REPORTING

Your incident report should include:


ANSWERS