2019-03-19 - TRAFFIC ANALYSIS EXERCISE - LITTLETIGERS

ASSOCIATED FILES:

  • 2019-03-19-traffic-analysis-exercise.pcap   (7,774,934 bytes)
  • 2019-03-19-traffic-analysis-exercise-alerts.jpg   (727,927 bytes)
  • 2019-03-19-traffic-analysis-exercise-alerts.txt   (8,166 bytes)
  • 2019-03-19-traffic-analysis-exercise-malware-and-artifacts-list.txt   (791 bytes)
  • 2019-03-19-scheduled-task-Klngszns.xml.txt   (3,520 bytes)
  • AppData/Local/Temp/dwn.exe   (176,128 bytes)
  • AppData/Local/Temp/FYRINGSSEDDELEN.exe   (400,270,337 bytes)
  • AppData/Local/Temp/FYRINGSSEDDELEN.vbs   (110 bytes)
  • AppData/Local/Temp/IXP000.TMP/ADDSTA~2.EXE   (400,270,337 bytes)
  • AppData/Local/Temp/qwerty2.exe   (811,520 bytes)
  • AppData/Roaming/0y1w/notepad.exe   (193,536 bytes)
  • AppData/Roaming/0y1w/VERSION.dll   (671,744 bytes)
  • AppData/Roaming/0y1w/VyPUKP9r.xws   (503,812 bytes)
  • AppData/Roaming/ccaM/dialer.exe   (35,328 bytes)
  • AppData/Roaming/ccaM/PrBhQkFh.xQE   (503,812 bytes)
  • AppData/Roaming/ccaM/TAPI32.dll   (675,840 bytes)
  • AppData/Roaming/GbYBz/BdeUISrv.exe   (48,640 bytes)
  • AppData/Roaming/GbYBz/UmkFPCoM.xuy   (503,812 bytes)
  • AppData/Roaming/GbYBz/WTSAPI32.dll   (671,744 bytes)
  • AppData/Roaming/jrv0q/OLEACC.dll   (671,744 bytes)
  • AppData/Roaming/jrv0q/P19wUKcA.xcF   (503,812 bytes)
  • AppData/Roaming/jrv0q/psr.exe   (732,672 bytes)
  • AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/Ogtqhhyuwind.lnk   (835 bytes)

NOTES:

 


Shown above:  I'm a big fan of experience gained through manual pcap analysis.

 

SCENARIO

LAN segment data:

 

YOUR TASK

Review the pcap and alerts, then write an incident report for this infected Windows host.  The zip archive of malware and artifacts is a bonus, provided to help you better understand this infection, if needed.  See below for a suggested template for an incident report.

Executive summary:

On 2019-03-19 at ??:?? UTC, a Windows host used by ????????? was infected with ???????

Details of the infected Windows host:

IP address:
MAC address:
Host name:
Windows user account name:

Indicators of Compromise:

[List of URLs, domains, IP addresses, and SHA256 hashes related to the infection should appear in this section]

 

ANSWERS

 

Click here to return to the main page.