2015-08-31 - TRAFFIC ANALYSIS EXERCISE - WHAT'S THE EK? - WHAT'S THE PAYLOAD?

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

TRAFFIC:

• Zip archive containing the pcap:  2015-08-31-traffic-analysis-exercise.pcap.zip   6.7 MB (6,704,031 bytes)

 

SCENARIO

Examine the pcap to determine the exploit kit (EK), the payload, and the compromised website that kicked off this infection chain.

 

QUESTIONS

For a full incident report, you'll want to include the following:

• IP address of the Windows computer that was infected.
• MAC address of the Windows computer that was infected.
• Host name of the Windows computer that was infected.
• Name of the exploit kit.
• Identification of the payload (for example: Bedep, CryptoWall 3.0, Dyre, Rovnix, Vawtrak, etc).
• Identification of the compromised website that kicked off this infection chain.
• Any Indicators of compromise (IOCs) from the traffic to include IP addresses and domain names.

 

 

ANSWERS

• Click here for the answers.