2017-05-18 - TRAFFIC ANALYSIS EXERCISE - FANCY THAT

ASSOCIATED FILES:

All ZIP files on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.


SCENARIO

Roger Finster is a miserly old man, somewhat like Ebenezer Scrooge, only if Scrooge had never been visited by his Christmas ghosts.  His favorite phrase when he's happy (a very rare occasion) is "Fancy that!"


Shown above:  Roger's happy face.


Roger owns a business called Finster's Fine Jewelry.  You've been hired to provide IT services and security support for his one-man shop.  Today, you stop by Roger's office and hear him swearing at his computer.  You think to yourself, "Well, fancy that!"  Since Roger is an old man from a bygone era, his curse words consist of outdated phrases like "consarn it" and "dadburn contraption."  Eventually, he tells you he's opened an email that he shouldn't have.


Shown above:  Roger's angry face is similar to his happy face.


You quickly find two malicious emails that were sent to Roger's business account.  You ask him which one he opened, but he can't remember.  Well, fancy that!  Now you must retrieve network traffic for that infection.


Shown above:  According to Roger, "These emails all look the same to me!"


YOUR TASK

Now you have a pcap of traffic from Roger's infected computer, and you have the two malicious emails he received.  Your task?  Determine which email Roger infected his computer with.  You should also figure out the actual malware that infected his computer.  It'd also be nice if you did a proper incident report, just to practice.
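One way to start the "which email was it" question is to pull the indicators out of each .eml (link hostnames, attachment names and hashes) and check which of them actually show up in the pcap's DNS queries.  The script below is an added illustration of that workflow, not part of the exercise or its answer files: the two emails it builds are constructed samples with made-up .test domains, and the list of queried hostnames stands in for what you would export from the real pcap with `tshark -r roger.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name`.

```python
"""Correlate indicators from suspicious emails with hostnames seen in a pcap.

Added example for this exercise (constructed data, not the exercise's files):
pull URLs and attachments out of each .eml, then check which link hostnames
were actually resolved in the captured traffic.
"""
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed stand-in for the tshark export of DNS query names from the pcap.
OBSERVED_DNS = """\
finsters-example.test
docs.invoice-example.test
docs.invoice-example.test
update.windowsupdate-example.test
"""


def build_sample_emails():
    """Construct two phishing-style samples: one link-based, one with an attachment."""
    link_mail = EmailMessage()
    link_mail["From"] = "billing@invoice-example.test"
    link_mail["To"] = "roger@finsters-example.test"
    link_mail["Subject"] = "Overdue invoice"
    link_mail.set_content(
        "Please review your invoice at http://docs.invoice-example.test/inv/4471"
    )

    attach_mail = EmailMessage()
    attach_mail["From"] = "shipping@parcel-example.test"
    attach_mail["To"] = "roger@finsters-example.test"
    attach_mail["Subject"] = "Delivery notice"
    attach_mail.set_content("Your delivery details are attached.")
    attach_mail.add_attachment(
        b"MZ-placeholder-not-a-real-binary",  # constructed, inert bytes
        maintype="application", subtype="octet-stream",
        filename="delivery_notice.doc.exe",
    )
    return {"email_a.eml": link_mail.as_bytes(), "email_b.eml": attach_mail.as_bytes()}


def extract_indicators(raw):
    """Return link hostnames from text parts plus (filename, sha256) per attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    hosts, attachments = set(), []
    for part in msg.walk():
        if part.is_attachment():
            payload = part.get_payload(decode=True) or b""
            attachments.append((part.get_filename(), hashlib.sha256(payload).hexdigest()))
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                host = urlparse(url).hostname
                if host:
                    hosts.add(host.lower())
    return {"hosts": hosts, "attachments": attachments}


def parse_tshark_hosts(text):
    """Normalise one-hostname-per-line tshark output into a set."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def score_emails(emails, observed_hosts):
    """Score each email by how many of its link hostnames the pcap resolved."""
    results = {}
    for name, raw in emails.items():
        ind = extract_indicators(raw)
        hits = sorted(ind["hosts"] & observed_hosts)
        results[name] = {"hits": hits, "attachments": ind["attachments"], "score": len(hits)}
    return results


def most_likely(results):
    """Name of the email with corroborated link traffic, or None if nothing matched."""
    best = max(results.items(), key=lambda kv: kv[1]["score"])
    return best[0] if best[1]["score"] > 0 else None


if __name__ == "__main__":
    scored = score_emails(build_sample_emails(), parse_tshark_hosts(OBSERVED_DNS))
    for name, info in scored.items():
        print(name, "hits:", info["hits"], "attachments:", info["attachments"])
    print("most likely:", most_likely(scored))
```

A score of zero does not clear an email: an attachment-driven infection leaves no link hostname to match, so for that case you pivot on the attachment's hash (compare it with any file carved from the HTTP traffic) and on the post-infection callbacks in the pcap instead.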


ANSWERS
