Malware-Traffic-Analysis.net - 2016-06-03 - Traffic analysis exercise

2016-06-03 - TRAFFIC ANALYSIS EXERCISE - GRANNY HIGHTOWER AT BOB'S DONUT SHACK

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

Zip archive with a pcap of the traffic: 2016-06-03-traffic-analysis-exercise.pcap.zip 6.1 MB (6,111,571 bytes)
Zip archive with files retrieved from Granny's infected computer: 2016-06-03-artifacts-from-infected-host.zip 754.4 kB (754,413 bytes)
Zip archive with some suspicious emails Granny received: 2016-06-03-traffic-analysis-exercise-suspicious-emails.zip 31.7 kB (31,663 bytes)

ZIP files on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

SCENARIO

Today is not just any Friday. It's first Friday of June, which is National Donut Day! With that in mind, you pick up a dozen donuts at Bob's Donut Shack before heading to work. The store is run by a woman affectionately called "Granny Hightower" by the locals. She's been running the donut shack since Bob (the original owner) died several years ago.

Shown above: Granny Hightower was selling donuts long before she became a granny.

As you walk into the store, Granny asks you to check a Windows desktop in her office. She's always been pretty sharp about computers, and you're happy to help out. Last month she even had you set up network monitoring for Bob's Donut Shack.

Shown above: Computers and donuts often come together in surprising ways.

Granny Hightower promises you a dozen donuts if you investigate what happened to her Windows desktop computer. A quick forensic check on that desktop reveals some malware, so you ask Granny to re-image the computer. You copy the malware and retrieve network traffic for the appropriate timeframe. Finally, you gather some suspicious emails from Granny's email server. It all fits on one of your thumb drives.

Shown above: You always carry a thumb drive for situations like this.

"Granny, I've got to get going," you say while dropping the thumb drive in your backpack. "Don't want to be late for work!"

"Don't forget your donuts," she replies.

A bit later, you arrive at your place of employment, ready for another shift as an analyst at the Security Operations Center (SOC). It's a slow night, so people are bored, and the donuts are quickly eaten. You soon have time to investigate what happened with Granny's computer.

EXERCISE QUESTIONS

Today's exercise asks the following questions:

What is the host name, MAC address, and IP address of Granny Hightower's computer?
What items of malware were found on Granny's computer?
How did the malware get there?

ANSWERS

Click here for the answers.

Click here to return to the main page.