TWO PCAPS I PROVIDED FOR UISGCON CTF IN 2018

ASSOCIATED FILES:

• UISGCON-traffic-analysis-task-pcap-1-of-2.pcap.zip   1.6 MB (1,591,817 bytes)
• UISGCON-traffic-analysis-task-pcap-2-of-2.pcap.zip   14.1 MB (14,120,502 bytes)

NOTE:

• Zip archives are password-protected with the standard password.  If you don't know it, see the "about" page of this website.

 

BACKGROUND

Earlier this year, I provided two pcaps as part of a Capture The Flag (CTF) competition for UISGCON14 in October 2018.  UISGCON is an annual cyber security conference in the Ukraine (link), and this was the 14th UISGCON.

 

According to the website, "UISGCON is the oldest and well-known Ukrainian conference on Information Security, driven by community and organized under the aegis of the NGO 'Ukrainian Information Security Group' (UISG)..."  From what I understand, these two pcap files were part of 25 tasks used in the conference's CTF.

I'm told this material can go public now.  These pcaps contain activity I routinely post about here at malware-traffic-analysis.net, so it shouldn't be a big challenge for anyone who follows this blog.

 

DETAILS

FIRST PCAP:  UISGCON-traffic-analysis-task-pcap-1-of-2.pcap.zip

LAN SEGMENT PROPERTIES:

• IP range:  172.16.1.0/24 (172.16.1.0 through 172.16.1.255)
• Gateway IP:  172.16.1.1
• Broadcast IP:  172.16.1.255
• Domain Controller (DC):  Maricheika-DC at 172.16.1.3
• Domain:  maricheika.net

TASKS I SUGGESTED:

• State the time and date of this infection.
• Determine the IP address of the infected Windows client.
• Determine the host name of the infected Windows client.
• Determine the MAC address of the infected Windows client.
• Determine the Windows user account name used on the infected Windows client.
• Determine the SHA256 hash of the Word document downloaded by the victim.
• Determine the type of malware used in the initial infection.
• Determine the public IP address of the infected Windows client.

 

SECOND PCAP:  UISGCON-traffic-analysis-task-pcap-2-of-2.pcap.zip

LAN SEGMENT PROPERTIES:

• IP range:  10.1.75.0/24 (10.1.75.0 through 10.1.75.255)
• Gateway IP:  10.1.75.1
• Broadcast IP:  10.1.75.255
• Domain Controller (DC):  PixelShine-DC at 10.1.75.4
• Domain:  pixelshine.net

TASKS I SUGGESTED:

• State the time and date of this infection.
• Determine the IP address of the infected Windows client.
• Determine the host name of the infected Windows client.
• Determine the MAC address of the infected Windows client.
• Determine the Windows user account name used on the infected Windows client.
• Determine the SHA256 hash of the Word document downloaded by the victim.
• Determine the SHA256 hash of the first malware binary sent to the infected Windows client.
• Determine the time the Domain Controller (DC) at 10.1.75.4 became infected.
• Determine the SHA256 hash of the second malware binary sent to the infected Windows client (same file retrieved as radiance.png and table.png).
• What are the two file hashes for executables you can retrieve from the SMB traffic using Wireshark?
• Determine the two families of malware the Windows client was infected with.
• Determine the one family of malware the DC was infected with.
• Determine the public IP address of the infected Windows client.

 

ANSWERS

• Click here for the answers.

 

Click here to return to the main page.