Malware-Traffic-Analysis.net - 2019-10-05 - Traffic analysis exercise

2019-10-05 - TRAFFIC ANALYSIS EXERCISE - TINSOLUTIONS

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

Zip archive of the pcap: 2019-10-05-traffic-analysis-exercise-pcaps.zip 20.3 MB (20,261,587 bytes)

2019-10-05-traffic-analysis-exercise-part-1.pcap (13,788,900 bytes)

2019-10-05-traffic-analysis-exercise-part-2.pcap (4,555,509 bytes)

2019-10-05-traffic-analysis-exercise-part-3.pcap (4,619,029 bytes)

Zip archive of the alerts: 2019-10-05-traffic-analysis-exercise-alerts.zip 984 kB (984,311 bytes)

2019-10-05-traffic-analysis-exercise-alerts-part-1.jpg (19,242 bytes)

2019-10-05-traffic-analysis-exercise-alerts-part-1.txt (4,611 bytes)

2019-10-05-traffic-analysis-exercise-alerts-part-2.jpg (434,536 bytes)

2019-10-05-traffic-analysis-exercise-alerts-part-2.txt (4,571 bytes)

2019-10-05-traffic-analysis-exercise-alerts-part-3.jpg (327,377 bytes)

2019-10-05-traffic-analysis-exercise-alerts-part-3.txt (3,770 bytes)

Zip archive of the emails: 2019-10-05-traffic-analysis-exercise-emails.zip 173 kB (173,106 bytes)

2019-10-05-traffic-analysis-exercise-email-Deadlines.eml (90,100 bytes)

2019-10-05-traffic-analysis-exercise-email-EFT-Payment-Confirmation.eml (195,088 bytes)

2019-10-05-traffic-analysis-exercise-email-Fedex-delivery-notification.eml (14,529 bytes)

SCENARIO

LAN segment data:

LAN segment range: 172.16.2[.]0/24 (172.16.2[.]0 through 172.16.2[.]255)
Domain: tinsolutions[.]net
Domain controller: 172.16.2[.]2 (Tinsolutions-DC)
LAN segment gateway: 172.16.2[.]1
LAN segment broadcast address: 172.16.2[.]255

YOUR TASK

In the past three days, three Windows hosts on the internal corporate network for tinsolutions[.]net were infected with malware. You have packet captures (pcaps) of network traffic when each host became infected. You also have the associated alerts on this network traffic. Finally, you have the three emails that kicked off the infection activity. Your task is to answer the following questions for each infection:

What date and time did the infection activity start?
What is the IP address of the Windows infected host?
What is the MAC address of the Windows infected host?
What is the host name of the infected Windows host?
What is the user account name from the infected Windows host?
What type of malware(s) was the host infected with?
Which email was responsible for kicking off this infection activity?

ANSWERS

Click here for the answers.

Click here to return to the main page.