2015-10-28 - TRAFFIC ANALYSIS EXERCISE - MIDGE FIGGINS INFECTED HER COMPUTER

ASSOCIATED FILES:

• ZIP archive containing the PCAP:  2015-10-28-traffic-analysis-exercise.pcap.zip   9.7 MB (9,654,231 bytes)
• ZIP archive of malware found on the infected host:  2015-10-28-traffic-analysis-exercise-malware.zip   74.4 kB (74,396 bytes)

ZIP files on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

SCENARIO

At your company's Security Operations Center (SOC), an analyst saw an alert for Gootkit and discovered an infected computer.  The alert was traced to Midge Figgins, who is an executive assistant for your Chief Executive Officer (CEO).

Midge's Windows desktop computer was confiscated, and the Help Desk re-imaged it.  Before it was re-imaged, a Help Desk technician retrieved malware from the infected host.

Shown above: Registry key related to malware found on the infected host.

 

Unfortunately, the analyst didn't document his findings.  No one knows how Midge Figgins infected her computer, and people are now asking about it.

You've been tasked to write an incident report.  You talk with Midge, but she doesn't remember anything unusual.  You only have a pcap of the traffic and malware from the infected host.

Shown above: Wireshark with a pcap of the infection traffic related to Midge's computer.

 

REPORTING

Your incident report should include:

• Date and time of the activity.
• The infected computer's IP address.
• The infected computer's MAC address.
• The infected computer's host name.
• Domains and IP addresses of any related traffic.
• The root cause of the infection.
• Information about malware found on the infected host.

 

ANSWERS

• Click here for the answers.