2015-08-07 - TRAFFIC ANALYSIS EXERCISE - ANSWERS
- ZIP of the PCAP: 2015-08-07-traffic-analysis-exercise.pcap.zip (15.4 MB)
- ZIP file of HTTPS logs: 2015-08-07-traffic-analysis-exercise-https-logs.zip (837.7 kb)
- ZIP file of HTTPS objects: 2015-08-07-traffic-analysis-exercise-https-artifacts.zip (10.6 MB)
- ZIP file of malicious emails: 2015-08-07-traffic-analysis-exercise-malicious-emails.zip (8.9 kb)
NOTE: All ZIP archives on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Below is an example for a write-up on this incident. (Click here for a text file of the write-up.)
How can you map the chain of events for this infection?
First, tlook at the traffic that caused the alerts. Check the IP addresses from the alerts and find them in the traffic, so you can document them in your incident report.
Next? You have 4 emails, and one of them kicked off the chain of events for the infection. Three of these emails have links. Use your mouse to hover over the links and check the URLs. See if any of these URLs appear in the HTTP traffic. One of them does.  See the images below for details.
Note how the URL from the email gives a 302 redirect to an HTTPS URL. At best, the pcap will only show the domain name used in the HTTPS traffic.
Check the HTTPS logs to find out what the URLs are for the HTTPS traffic for that domain. Reviewint the logs, we find two HTTPS GET requests for archives from that domain.
Let's look at the .rar file that was downloaded after Degrando clicked on the email link. Inside the .rar is a VBE file. This is a Visual Basic executable. Searching online, I found a converter, looked at the VB script for that executable, and saw the second HTTPS URL to the same domain for the zip file.
Instead of converting the VBE to VB script, you could just run the malware on a test host and find the same HTTPS URL.
The second file (the zip file) contains an executable. You can run this malware on a test host, or you could submit it to an online analysis tool like Hybrid-Analysis.com. Here is a link to the Hybrid-Analysis.com report of the malware.
Check the pcap in Wireshark, and you'll find the same traffic from Degrando's Windows desktop.
That confirms the email that kicked off the infection chain.
Ideally, you would also document the response actions in the timeline. For example, you should include when the host was taken off the network and when it was re-imaged (I always recommend re-imaging to ensure the malware is removed). Usually in these cases, you'd want to make sure the user changes any passwords they've used on the infected computer, an action which should also be documented in the timeline, if possible.
Click here to return to the main page.