2017-12-15 - TRAFFIC ANALYSIS EXERCISE - TWO PCAPS, TWO EMAILS, TWO MYSTERIES!
- Zip archive for pcap 1 of 2: 2017-12-15-traffic-analysis-exercise-1-of-2.pcap.zip 6.2 MB (6,236,273 bytes)
- Zip archive for pcap 2 of 2: 2017-12-15-traffic-analysis-exercise-2-of-2.pcap.zip 2.4 MB (2,403,001 bytes)
- Zip archive of the two emails: 2017-12-15-traffic-analysis-exercise-emails.pcap.zip 280 kB (280,289 bytes)
- All zip archives on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
This exercise presents you with two pcaps and two emails with malicious attachments. Your task is to determine what happened in each pcap.
Shown above: It's a Homer Simpson situation for each pcap.
Shown above: Homer, after he reads your incident report.
Draft an incident report for each pcap. Use the emails to figure out the malware for each infection. Each of your two incident reports should include:
- Date, start time, and end time of the malicious activity in UTC (GMT).
- IP address of the Windows host from in the pcap.
- Mac address of the Windows host in the pcap.
- Host name for the Windows host in the pcap.
- What type(s) of malicious activity were noted.
- Indicators of the malicious activity (IP addresses, domain names, file hashes, etc).
- A summary of what happened.
- Click here for the answers.
Click here to return to the main page.