2019-06-22 - TRAFFIC ANALYSIS EXERCISE - PHENOMENOC
- Zip archive of the pcap: 2019-06-22-traffic-analysis-exercise.pcap.zip 4.1 MB (4,073,710 bytes)
- 2019-06-22-traffic-analysis-exercise.pcap (4,694,048 bytes)
- Zip archive of the alerts: 2019-06-22-traffic-analysis-exercise-alerts.zip 437 kB (162,193 bytes)
- 2019-06-22-traffic-analysis-exercise-alerts.jpg (450,132 bytes)
- 2019-06-22-traffic-analysis-exercise-alerts.txt (5,227 bytes)
- Zip archive of malware retrieved from the infected Windows host: 2019-06-22-malware-retrieved-from-the-infected-Windows-host.exe.zip 275 kB (274,642 bytes)
- 2019-06-22-malware-retrieved-from-the-infected-Windows-host.exe (584,192 bytes)
- All zip archives on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
LAN segment data:
- LAN segment range: 10.0.76.0/24 (10.0.76.0 through 10.0.76.255)
- Domain: phenomenoc.com
- Domain controller: 10.0.76.6 - Phenomenoc-DC
- LAN segment gateway: 10.0.76.1
- LAN segment broadcast address: 10.0.76.255
Review the pcap, alerts, and the extracted malware sample to answer the following questions:
- What is the IP address, MAC address, and host name of the infected Windows host?
- What is the Windows user account name for the infected Windows host?
- What was the delivery method for the malware?
- What was the IP address used by the delivery method for this infection?
- What is the SHA256 hash of the EXE retrieved from the infected Windows host?
- Based on the alerts, what type of malware infected the Windows host?
- What is the IP address of the post-infection traffic?
- What is the domain name used for the post-infection traffic?
- Click here for the answers.
Click here to return to the main page.