2014-11-08 - TRAFFIC ANALYSIS EXERCISE: QUESTIONS INVOLVING EXPLOIT KIT (EK) ACTIVITY
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
PCAP AND ANSWERS
- 2014-11-08-traffic-analysis-exercise.pcap.zip 5.0 MB (5,005,627 bytes)
- 2014-11-08-traffic-analysis-answers.pdf.zip 2.0 MB (1,969,831 bytes)
NOTES:
- In restoring my old blog pages, I found this, and I can't find that it was ever publicly posted, so apparently this is the first traffic analysis exercise I ever made.
- I had originally made this as training material for some of my newer coworkers at Rackspace.
QUESTIONS
LEVEL 1 QUESTIONS:
1) What is the IP address of the workstation (the VM) that gets infected?
2) Search the nbns traffic in the pcap to find the host name of the infected VM.
3) What is the MAC address of the infected VM?
4) What is the IP address and domain name that delivered the malware?
5) What is the IP address and domain name of the compromised web site?
LEVEL 2 QUESTIONS:
1) What is the redirect URL that points to the exploit kit landing page?
2) What type of exploits (Java, Flash, PDF) were sent by the exploit kit?
3) What is the MD5 hash of the malware payload?
4) What type of callback traffic is generated by the malware?
LEVEL 3 QUESTIONS:
1) What snort-based alerts are generated by the pcap?
2) What is the name of the exploit kit from this pcap?
3) What ET PRO signature for the post-infection traffic helps identify the malware?
4) What file from the compromised website has an iframe for the redirect URL?
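Level 1 questions 1 through 3 ask for the IP address, MAC address and NBNS host name of the infected VM, which all come from the same packets. The script below is an added example, not part of the original exercise or its answer key: stdlib-only Python that walks a classic (non-pcapng) Ethernet pcap, picks out NBNS name registrations and refreshes on UDP/137 (the packets Wireshark's nbns filter shows) and reports the sending host's IP, MAC and decoded NetBIOS name. The capture it runs on is constructed inline; the host name LAB-WIN7-PC, the addresses and the MAC are made up and are not the answers to this exercise.

```python
"""List NBNS name registrations in a pcap: infected host IP, MAC and name together.

Added example (stdlib only). Parses the classic pcap format with Ethernet frames.
The sample capture is constructed below; its names and addresses are made up.
"""
import socket
import struct
from typing import Dict, List, Tuple

NBNS_PORT = 137
# Opcodes whose question section carries the sender's OWN NetBIOS name:
# registration, refresh, refresh (alt), multi-homed registration.
NBNS_SELF_NAMING_OPCODES = {5, 8, 9, 15}


def encode_nbns_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode (RFC 1001 14.1): pad to 15 bytes, add suffix, nibbles + 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    half = bytearray()
    for b in raw:
        half += bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41])
    return b"\x20" + bytes(half) + b"\x00"


def decode_nbns_name(encoded: bytes) -> Tuple[str, int]:
    """Undo the first-level encoding on the 32 encoded chars -> (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]


def iter_pcap_frames(data: bytes):
    """Yield raw Ethernet frames from a classic pcap byte string (either endianness)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError(f"expected Ethernet link type 1, got {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def find_nbns_registrations(pcap: bytes) -> List[Dict[str, object]]:
    """One record per NBNS registration/refresh: which IP/MAC claimed which name."""
    found = []
    for frame in iter_pcap_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 only
            continue
        src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
        ip = frame[14:]
        if ip[9] != 17:                                      # UDP only
            continue
        udp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", udp[:4])
        nbns = udp[8:]
        if NBNS_PORT not in (sport, dport) or len(nbns) < 46:
            continue
        _, flags, qdcount, _, _, _ = struct.unpack("!6H", nbns[:12])
        opcode = (flags >> 11) & 0x0F
        if qdcount == 0 or nbns[12] != 0x20 or opcode not in NBNS_SELF_NAMING_OPCODES:
            continue
        name, suffix = decode_nbns_name(nbns[13:45])
        found.append({"ip": socket.inet_ntoa(ip[12:16]), "mac": src_mac,
                      "name": name, "suffix": suffix, "opcode": opcode})
    return found


def _udp_frame(src_mac: bytes, src_ip: str, dst_ip: str, sport: int, dport: int,
               payload: bytes) -> bytes:
    """Ethernet/IPv4/UDP wrapper for the constructed sample (checksums left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 128, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip


def build_sample_pcap() -> bytes:
    """Constructed two-packet capture: an NBNS registration from a made-up
    workstation, then an ordinary DNS query that the parser must ignore."""
    vm_mac = bytes.fromhex("000c29aabbcc")
    reg = struct.pack("!6H", 0x8001, 0x2910, 1, 0, 0, 1)      # opcode 5, broadcast
    reg += encode_nbns_name("LAB-WIN7-PC", 0x00) + struct.pack("!HH", 0x20, 1)
    reg += b"\xc0\x0c" + struct.pack("!HHIH", 0x20, 1, 300000, 6)
    reg += struct.pack("!H4s", 0, socket.inet_aton("192.168.50.77"))
    nbns_frame = _udp_frame(vm_mac, "192.168.50.77", "192.168.50.255", 137, 137, reg)
    dns = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
           + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
    dns_frame = _udp_frame(vm_mac, "192.168.50.77", "192.168.50.1", 51000, 53, dns)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in ((1415404800, nbns_frame), (1415404801, dns_frame)):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for rec in find_nbns_registrations(build_sample_pcap()):
        print(f"{rec['ip']:<16} {rec['mac']}  {rec['name']}<{rec['suffix']:02X}>")
```

To run it against the exercise pcap, replace build_sample_pcap() with the bytes of the unzipped capture; plain NBNS queries (opcode 0, e.g. for WPAD) are deliberately skipped because their question section names the host being looked up, not the sender, so they would give a wrong answer for question 2.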