2017-06-28 - TRAFFIC ANALYSIS EXERCISE - INFECTION AT THE JAPAN FIELD OFFICE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive with a pcap of traffic from the infected computer: 2017-06-28-traffic-analysis-exercise.pcap.zip 7.5 MB (7,504,577 bytes)
- Zip archive with text files containing the Snort and Suricata alerts: 2017-06-28-traffic-analysis-exercise-alerts.zip 52.1 kB (52,053 bytes)
SCENARIO
You work as a security analyst for a company with locations world-wide, and it recently opened a field office in Japan.
Shown above: It's a very small office in Tokyo, so you might have a hard time finding it.
On Tuesday 2017-06-27, you notice several high-priority alerts from two different Intrusion Detection Systems (IDS). One IDS is running Snort using the Snort subscription ruleset, and the other is running Suricata using the EmergingThreats Pro ruleset.
The results indicate a Windows computer was infected at your company's Japan field office. You are tasked to investigate! You have the pcap, a text file containing the Snort alerts, and a text file containing the Suricata alerts.
For this traffic analysis exercise, please answer the following questions:
- What is the MAC address, IP address, and host name of the infected Windows computer?
- What is the date and time (in UTC) the computer was infected?
- Based on the Snort and Suricata alerts, what was the computer infected with?
- Based on indicators from the first HTTP GET request, determine how the computer was infected.
- Based on the previous answer, what is the SHA256 hash for the file that probably infected the computer?
- The pcap contains 3 Windows executable files sent over HTTP. Export them from the pcap. What are the SHA256 file hashes of those 3 files?
Note: Times for the Suricata alerts are not correct, because they were generated using tcpreplay some hours after the original infection.
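The last three questions are mechanical: find the first HTTP GET to see where the infection started, carve the executables out of the HTTP responses, and hash them. Wireshark's File > Export Objects > HTTP does the carving for you; the script below is an added example (not part of this exercise or its pcap) that shows what that step does under the hood with nothing but the Python standard library. It walks a classic libpcap file, reports the client MAC/IP, Host and URI of the first GET, and keeps every response body that begins with the "MZ" DOS header, with its SHA256. The capture it parses is constructed inline (the MAC and IP addresses, the hostname example.invalid and the 62-byte stand-in "executable" are all made up) so it runs offline; pass the bytes of the real pcap to analyze() to use it for the exercise.

```python
"""Added example, not from the original exercise: a dependency-free pcap walker
that finds the first HTTP GET and carves 'MZ' bodies out of HTTP responses."""
import hashlib
import struct

LINKTYPE_ETHERNET = 1


def sha256_hex(data):
    return hashlib.sha256(bytes(data)).hexdigest()


def parse_pcap(data):
    """Yield (src_mac, src_ip, dst_ip, tcp_payload) for each IPv4/TCP frame."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if frame[12:14] != b"\x08\x00":  # EtherType: keep IPv4 only
            continue
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # trim Ethernet padding
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:  # IP protocol 6 = TCP
            continue
        tcp = ip[ihl:]
        data_offset = (tcp[12] >> 4) * 4
        yield (frame[6:12].hex(":"), ".".join(map(str, ip[12:16])),
               ".".join(map(str, ip[16:20])), tcp[data_offset:])


def first_http_get(packets):
    """Client MAC/IP plus Host and URI of the first GET: the 'how did it start' clue."""
    for mac, src, dst, payload in packets:
        if payload.startswith(b"GET "):
            lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
            host = ""
            for line in lines[1:]:
                name, _, value = line.partition(":")
                if name.strip().lower() == "host":
                    host = value.strip()
            return {"client_mac": mac, "client_ip": src, "server_ip": dst,
                    "host": host, "uri": lines[0].split(" ")[1]}
    return None


def carve_executables(packets):
    """Concatenate each server->client flow in capture order (no sequence-number
    reassembly, so fine for an in-order capture, not a lossy one), step through
    the responses by Content-Length and keep bodies that start with 'MZ'.
    Chunked transfer encoding is deliberately not handled in this simplified walker."""
    flows = {}
    for _mac, src, dst, payload in packets:
        if payload:
            flows.setdefault((src, dst), bytearray()).extend(payload)
    found = []
    for (src, dst), stream in flows.items():
        pos = 0
        while stream.startswith(b"HTTP/1.", pos):
            hdr_end = stream.find(b"\r\n\r\n", pos)
            if hdr_end < 0:
                break
            length = 0
            for line in stream[pos:hdr_end].decode("latin-1").split("\r\n")[1:]:
                name, _, value = line.partition(":")
                if name.strip().lower() == "content-length":
                    length = int(value.strip())
            body = stream[hdr_end + 4:hdr_end + 4 + length]
            pos = hdr_end + 4 + length
            if body.startswith(b"MZ"):
                found.append({"server_ip": src, "client_ip": dst,
                              "size": len(body), "sha256": sha256_hex(body)})
    return found


def analyze(pcap_bytes):
    packets = list(parse_pcap(pcap_bytes))
    return {"first_get": first_http_get(packets), "executables": carve_executables(packets)}


# --- constructed sample capture (not the exercise pcap) ----------------------
def _frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + tcp
    return (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
            + b"\x08\x00" + ip)


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1498600000 + i, 0, len(f), len(f)) + f
    return out


CLIENT_MAC, SERVER_MAC = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"  # constructed
CLIENT_IP, SERVER_IP = "192.168.1.100", "203.0.113.10"             # constructed
FAKE_EXE = b"MZ" + b"\x90" * 60  # stand-in for a PE file; only the MZ header matters here
GET = b"GET /download/invoice.exe HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
        b"Content-Length: %d\r\n\r\n" % len(FAKE_EXE))
SAMPLE_PCAP = build_pcap([
    _frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 49152, 80, GET),
    _frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 49152, RESP + FAKE_EXE[:30]),
    _frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 49152, FAKE_EXE[30:]),
])

if __name__ == "__main__":
    print(analyze(SAMPLE_PCAP))
```

For the real exercise, read the pcap with `open(path, "rb").read()` and call analyze() on it; the hashes it prints for carved bodies should match what Wireshark's export gives you, and any mismatch usually means the flow needed proper TCP reassembly (retransmissions or out-of-order segments), which this walker does not do.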
You feel bad for the businessman who infected his computer at the company's Japan field office. Rumor has it he's been forced to use a tablet while his computer is getting fixed.
Shown above: Using a tablet for work is often frustrating.
ANSWERS
- Click here for the answers.