2015-05-29 - TRAFFIC ANALYSIS EXERCISE
- ZIP of the traffic: 2015-05-29-traffic-analysis-exercise.pcap.zip
NOTES
- I'm trying something different this time: I'm not writing a summary about this traffic.
- Instead, the answers section has a series of 20 images that show how to find some of the important stuff.
- Those brave enough can submit an incident report to admin@malware-traffic-analysis.net, and I'll post the best write-up.
- Submissions should only be plain text (no word documents, PDF files, etc).
- Deadline for the submissions is 23:59 UTC on Friday, June 4th 2015.
- I'll review any submissions and update this post with what I think is the best write-up sometime on Tuesday, June 8th 2015.
- UPDATE: I received only one submission from one of my coworkers, and I'll be giving him feedback directly (not posting it here on the blog).
SCENARIO
You're working as an analyst at your organization's Security Operations Center (SOC). One of the other analysts was investigating alerts on a Windows host, and the computer is infected. That analyst retrieved a pcap of network traffic from the associated IP address.
You've been asked to review the pcap and document your findings in an incident report. Be sure to include the date and time of the activity, IP address, MAC address, and host name of the computer. Try to identify the malware and include any indicators of compromise (IOCs) found during your investigation.
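The host identity fields the report asks for (timestamp, IP address, MAC address, host name) are usually cheapest to recover from the client's DHCP traffic, since a Windows host announces its own name in option 12 and its MAC in chaddr. The following script is an added example, not part of the exercise or the author's answer images: a standard-library-only libpcap reader with just enough Ethernet/IPv4/UDP/DHCP dissection to pull those fields out, plus a one-frame constructed pcap (the MAC 00:11:22:33:44:55, host name WIN-EXAMPLE and IP 192.168.1.50 are made up for the demo) so it runs offline. It reads classic pcap only, not pcapng, assumes Ethernet framing, and does not verify checksums.

```python
"""Extract a host's identity (timestamp, MAC, hostname, IP) from DHCP traffic in a pcap
using only the standard library: a minimal libpcap reader plus Ethernet/IPv4/UDP/DHCP
dissection.  Only DHCP is handled; NBNS, Kerberos and SMB also leak the host name but
are left out here.  IP/UDP checksums are not verified."""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Tuple

ETHERTYPE_IPV4, IPPROTO_UDP = 0x0800, 17
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_HOSTNAME, OPT_REQUESTED_IP, OPT_MSG_TYPE = 12, 50, 53
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


@dataclass
class DhcpClient:
    timestamp_utc: str       # from the pcap record header
    mac: str                 # DHCP chaddr
    hostname: str            # option 12, as the client announced it
    ip: str                  # option 50 (requested IP), or ciaddr when the lease is being renewed
    msg_type: str
    mac_matches_frame: bool  # chaddr == Ethernet source MAC; False suggests a relay or spoofing


def pcap_records(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (epoch_seconds, frame) for each record of a classic libpcap file (not pcapng)."""
    (magic,) = struct.unpack("<I", data[:4])
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(end + "I", data[20:24])
    if linktype != 1:
        raise ValueError(f"link type {linktype} is not Ethernet")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def dhcp_options(opts: bytes) -> Dict[int, bytes]:
    """Parse DHCP option TLVs into {code: value}; PAD (0) is skipped, END (255) stops."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(opts) and opts[i] != 255:
        if opts[i] == 0:
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        out[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return out


def dhcp_clients(pcap: bytes) -> List[DhcpClient]:
    """One DhcpClient per client->server DHCP message (UDP 68 -> 67, op = BOOTREQUEST)."""
    found = []
    for ts, frame in pcap_records(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        eth_src, ip = frame[6:12], frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != IPPROTO_UDP:
            continue
        udp = ip[ihl:]
        if len(udp) < 8 or struct.unpack("!HH", udp[:4]) != (68, 67):
            continue
        dhcp = udp[8:]
        if len(dhcp) < 240 or dhcp[0] != 1 or dhcp[236:240] != DHCP_MAGIC:
            continue
        chaddr = dhcp[28:28 + dhcp[2]]                         # hlen at offset 2, chaddr at 28
        opts = dhcp_options(dhcp[240:])
        ip_bytes = opts.get(OPT_REQUESTED_IP) or dhcp[12:16]   # fall back to ciaddr
        found.append(DhcpClient(
            timestamp_utc=datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
            mac=":".join(f"{b:02x}" for b in chaddr),
            hostname=opts.get(OPT_HOSTNAME, b"").decode("ascii", "replace"),
            ip=".".join(str(b) for b in ip_bytes),
            msg_type=MSG_NAMES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0], "?"),
            mac_matches_frame=chaddr == eth_src,
        ))
    return found


def build_sample_pcap(ts_sec: int, mac: bytes, hostname: bytes, req_ip: bytes) -> bytes:
    """Constructed input, not from the exercise: a one-frame pcap holding a DHCPREQUEST."""
    opts = (bytes([OPT_MSG_TYPE, 1, 3, OPT_REQUESTED_IP, 4]) + req_ip
            + bytes([OPT_HOSTNAME, len(hostname)]) + hostname + b"\xff")
    dhcp = (bytes([1, 1, 6, 0]) + b"\x12\x34\x56\x78" + b"\x00" * 4   # op/htype/hlen/hops, xid, secs, flags
            + b"\x00" * 16 + mac + b"\x00" * 10 + b"\x00" * 192        # ciaddr..giaddr, chaddr, sname, file
            + DHCP_MAGIC + opts)
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 128, IPPROTO_UDP, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    frame = b"\xff" * 6 + mac + struct.pack("!H", ETHERTYPE_IPV4) + ip
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    return header + struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame


# Hypothetical victim for the demo: MAC, host name and IP are made up, not from the exercise pcap.
SAMPLE_TS = int(datetime(2015, 5, 29, 12, 0, 0, tzinfo=timezone.utc).timestamp())
SAMPLE_PCAP = build_sample_pcap(SAMPLE_TS, bytes.fromhex("001122334455"), b"WIN-EXAMPLE", bytes([192, 168, 1, 50]))

if __name__ == "__main__":
    for client in dhcp_clients(SAMPLE_PCAP):
        print(client)
```

To use it on the real capture, unzip the archive and pass the pcap's bytes to dhcp_clients(); it assumes the file is classic pcap with Ethernet framing and will raise otherwise. The mac_matches_frame field is the cross-check worth keeping in the report: when chaddr differs from the frame's source MAC the request came through a relay (or the header was spoofed), so the Ethernet address in the capture is not the host's own. If the capture contains no DHCP exchange, fall back to NBNS name registrations or the Kerberos/SMB session setup for the host name and take the MAC from any frame the host sent.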
ANSWERS
- Click here to see a page to help you get the answers.