2020-05-28 - TRAFFIC ANALYSIS EXERCISE - CATBOMBER
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of the pcap: 2020-05-28-traffic-analysis-exercise.pcap.zip 6.1 MB (6,148,841 bytes)
- 2020-05-28-traffic-analysis-exercise.pcap (8,322,070 bytes)
SCENARIO
LAN segment data:
- LAN segment range: 10.5.28[.]0/24 (10.5.28[.]0 through 10.5.28[.]255)
- Domain: catbomber[.]net
- Domain controller: 10.5.28[.]8 - Catbomber-DC
- LAN segment gateway: 10.5.28[.]1
- LAN segment broadcast address: 10.5.28[.]255
QUESTIONS
This month's pcap is a Trickbot infection in an Active Directory (AD) environment where the infection spreads to the Domain Controller (DC).
- Based on the Trickbot infection's HTTP POST traffic, what is the IP address, host name, and user account name for the infected Windows client?
- What is the other user account name and other Windows client host name found in the Trickbot HTTP POST traffic?
- What is the infected user's email password?
- Two Windows executable files are sent in the network traffic. What are the SHA256 file hashes for these files?
ANSWERS
- The answers are provided on a separate page linked from the original exercise page.