2019-06-22 - TRAFFIC ANALYSIS EXERCISE - PHENOMENOC

ASSOCIATED FILES:

• Zip archive of the pcap:  2019-06-22-traffic-analysis-exercise.pcap.zip   4.1 MB (4,073,710 bytes)

• 2019-06-22-traffic-analysis-exercise.pcap   (4,694,048 bytes)

• Zip archive of the alerts:  2019-06-22-traffic-analysis-exercise-alerts.zip   437 kB (162,193 bytes)

• 2019-06-22-traffic-analysis-exercise-alerts.jpg   (450,132 bytes)
• 2019-06-22-traffic-analysis-exercise-alerts.txt   (5,227 bytes)

• Zip archive of malware retrieved from the infected Windows host:  2019-06-22-malware-retrieved-from-the-infected-Windows-host.exe.zip   275 kB (274,642 bytes)

• 2019-06-22-malware-retrieved-from-the-infected-Windows-host.exe   (584,192 bytes)

NOTES:

• All zip archives on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

 

SCENARIO

LAN segment data:

• LAN segment range:  10.0.76.0/24 (10.0.76.0 through 10.0.76.255)
• Domain:  phenomenoc.com
• Domain controller:  10.0.76.6 - Phenomenoc-DC
• LAN segment gateway:  10.0.76.1
• LAN segment broadcast address:  10.0.76.255

 

YOUR TASK

Review the pcap, alerts, and the extracted malware sample to answer the following questions:

• What is the IP address, MAC address, and host name of the infected Windows host?
• What is the Windows user account name for the infected Windows host?
• What was the delivery method for the malware?
• What was the IP address used by the delivery method for this infection?
• What is the SHA256 hash of the EXE retrieved from the infected Windows host?
• Based on the alerts, what type of malware infected the Windows host?
• What is the IP address of the post-infection traffic?
• What is the domain name used for the post-infection traffic?

 

ANSWERS

• Click here for the answers.

 

Click here to return to the main page.