Malware Traffic Analysis 1 Lab

Q1) What is the IP address of the Windows VM that gets infected?

Or using Brim.

event_type=='alert'

Answer: 172.16.165.165

Q2) What is the IP address of the compromised web site?

ip.addr == 172.16.165.165 && http

Or we can use Brim.

_path=='http' id.orig_h==172.16.165.165 | cut id.orig_h, id.resp_h, uri

Answer: 82.150.140.30

Q3) What is the IP address of the server that delivered the exploit kit and malware?

Answer: 37.200.69.143

Q4) What is the FQDN of the compromised website?

ip.addr == 172.16.165.165 && http

Then follow TCP stream.

Or using Brim.

_path=='http' id.orig_h==172.16.165.165 | cut id.orig_h, id.resp_h, host

Answer: ciniholland.nl

Q5) What is the FQDN that delivered the exploit kit and malware?

Answer: stand.trustandprobaterealty.com

Q6) What is the redirect URL that points to the exploit kit (EK) landing page?

ip.addr == 37.200.69.143

Then follow TCP stream.

Answer: http://24corp-shop.com/

Q7) Other than CVE-2013-2551 IE exploit, another application was targeted by the EK and starts with "J". Provide the full application name.

event_type=='alert' |  cut alert.signature

Answer: Java

Q8) How many times was the payload delivered?

Or using Wireshark.

ip.src == 37.200.69.143 && http

Answer: 3

Q9) The compromised website has a malicious script with a URL. What is this URL?

The IP address 82.150.140.30 is associated with the compromised website. Let's filter the data using this IP.

ip.addr == 82.150.140.30 && http

Then let's follow the HTTP stream.

Answer: http://24corp-shop.com/

Q10) Extract the two exploit files. What are the MD5 file hashes? (comma-separated)

_path=='files' | cut mime_type, md5

Answer: 7b3baa7d6bb3720f369219789e38d6ab,1e34fdebbf655cebea78b45e43520ddf