2015-09-11 - TRAFFIC ANALYSIS EXERCISE - A BRIDGE TOO FAR ENTERPRISES
- ZIP of the PCAP: 2015-09-11-traffic-analysis-exercise.pcap.zip (9.9 MB)
- ZIP archive of malware from the infected host: 2015-09-11-traffic-analysis-exercise-malware-from-infected-host.zip (353 kB)
- ZIP archive of malicious emails sent to the user: 2015-09-11-traffic-analysis-exercise-emails.zip (415 kB)
NOTE: All zip archives on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
You're an analyst at a Canadian corporation named A Bridge Too Far Enterprises. On Friday 2015-09-11, you see the following alerts while working at the corporation's Security Operations Center (SOC):
You've been having some issues with your IDS appliances, so there are likely other alerts from the network during that timeframe. You're just not seeing them.
Shortly after the alerts appear, your Help Desk receives a call from someone complaining of ransomware infection. The caller is Greggory Franklion (pronounced "frank lion"). One of your forensic experts examines Greggory's infected Windows computer. The results? Greggory's computer was infected by CryptoWall 3.0 twice. The two infections occurred within minutes of each other. The forensics crew recovers two CryptoWall 3.0 malware samples from the infected host.
Shown above: Two different sets of decrypt instructions from the CryptoWall samples.
You retrieve a pcap of traffic for the appropriate timeframe. Another analyst searches the company's mail servers and retrieves four malicious emails Greggory received earlier that day. They somehow made it through the spam filters.
Shown above: The four malicious emails sent to Greggory.
You now have: 1) a pcap of the traffic, 2) malware samples from the infected host, and 3) malicious emails sent to Greggory during that timeframe.
Your task? Figure out how Greggory's computer experienced two CryptoWall infections. Document your findings. Your report should include:
- The infected computer's host name.
- The infected computer's MAC address.
- The infected computer's operating system.
- Domains and IP addresses of any traffic related to the infections.
- A timeline and chain of events for each of the infections.
- Click here for the answers.
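As an added example (not part of the exercise or its answer key), a small Python parser that pulls the client MAC address and host name out of DHCP traffic in a pcap, which is one of the usual places those two report items come from. The pcap it builds, the MAC and the host name are constructed placeholders, not values from the exercise capture.

```python
import struct

CLIENT_MAC = bytes.fromhex("0019b9ab12cd")   # placeholder MAC, not from the exercise pcap
HOST_NAME = b"Greggory-PC"                    # placeholder host name (constructed)
COOKIE = b"\x63\x82\x53\x63"                  # DHCP magic cookie

def build_dhcp_request_pcap():
    """Build an in-memory pcap holding one Ethernet/IPv4/UDP DHCP Request."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326,
                        0, 0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        CLIENT_MAC.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (COOKIE + bytes([53, 1, 3])                 # option 53: Request
               + bytes([12, len(HOST_NAME)]) + HOST_NAME  # option 12: host name
               + b"\xff")                                 # end of options
    udp_len = 8 + len(bootp) + len(options)
    udp = struct.pack("!HHHH", 68, 67, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     b"\0" * 4, b"\xff" * 4)
    frame = b"\xff" * 6 + CLIENT_MAC + b"\x08\x00" + ip + udp + bootp + options
    pcap_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec_hdr = struct.pack("<IIII", 1441987200, 0, len(frame), len(frame))
    return pcap_hdr + rec_hdr + frame

def dhcp_hosts_from_pcap(data):
    """Return [(client MAC, host name)] for each DHCP packet carrying option 12."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off, results = 24, []
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                   # not IPv4 over UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]      # skip IP header (IHL)
        dhcp = udp[8:]
        if len(dhcp) < 240 or dhcp[236:240] != COOKIE:
            continue                                   # UDP but not DHCP
        mac = ":".join(f"{b:02x}" for b in dhcp[28:28 + dhcp[2]])  # chaddr
        hostname, i = None, 240
        while i < len(dhcp) and dhcp[i] != 255:        # walk TLV options
            if dhcp[i] == 0:                           # pad option
                i += 1
                continue
            code, length = dhcp[i], dhcp[i + 1]
            if code == 12:
                hostname = dhcp[i + 2:i + 2 + length].decode("ascii", "replace")
            i += 2 + length
        if hostname:
            results.append((mac, hostname))
    return results
```

The same function can be pointed at the exercise capture by passing the file's bytes; NetBIOS name service traffic and HTTP User-Agent headers are the other common sources for the host name and operating system.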