# Malware Traffic Analysis 1 Lab

Q1) What is the IP address of the Windows VM that gets infected?

<figure><img src="/files/8QEmWJxJBe0siqV9kbEc" alt=""><figcaption></figcaption></figure>

Or using Brim.

```xquery
event_type=='alert'
```

<figure><img src="/files/Kgu4QMKHdWTbaQQOQ9C6" alt=""><figcaption></figcaption></figure>

Answer:  172.16.165.165

Q2) What is the IP address of the compromised web site?

```
ip.addr == 172.16.165.165 && http
```

<figure><img src="/files/JpJuQK8zsQ14VsJnII3m" alt=""><figcaption></figcaption></figure>

Or we can use Brim.

```xquery
_path=='http' id.orig_h==172.16.165.165 | cut id.orig_h, id.resp_h, uri
```

<figure><img src="/files/oWHan4ltoR55ZvTUZouT" alt=""><figcaption></figcaption></figure>

Answer:  82.150.140.30

Q3) What is the IP address of the server that delivered the exploit kit and malware?

<figure><img src="/files/Ztdcfl6wNEC2CACadnBp" alt=""><figcaption></figcaption></figure>

Answer:  37.200.69.143

Q4) What is the FQDN of the compromised website?

```
ip.addr == 172.16.165.165 && http
```

<figure><img src="/files/JpJuQK8zsQ14VsJnII3m" alt=""><figcaption></figcaption></figure>

Then follow TCP stream.

<figure><img src="/files/fjRpMUYKARPUrzZVamRZ" alt=""><figcaption></figcaption></figure>

Or using Brim.

```xquery
_path=='http' id.orig_h==172.16.165.165 | cut id.orig_h, id.resp_h, host
```

<figure><img src="/files/mxo9STgklbun3ewz2kae" alt=""><figcaption></figcaption></figure>

Answer:  ciniholland.nl

Q5) What is the FQDN that delivered the exploit kit and malware?

<figure><img src="/files/9m4Fm1axHcC2wmU6ukJp" alt=""><figcaption></figcaption></figure>

Answer:  stand.trustandprobaterealty.com

Q6) What is the redirect URL that points to the exploit kit (EK) landing page?

```
ip.addr == 37.200.69.143
```

<figure><img src="/files/ANUurn1XkoIDkYijgHbH" alt=""><figcaption></figcaption></figure>

Then follow TCP stream.

<figure><img src="/files/u31cnz69Lc4ysWkOMIqG" alt=""><figcaption></figcaption></figure>

Answer:  <http://24corp-shop.com/>

Q7) Other than CVE-2013-2551 IE exploit, another application was targeted by the EK and starts with "J". Provide the full application name.

```xquery
event_type=='alert' | cut alert.signature
```

<figure><img src="/files/6aPNuv95lxVsdAjJOk8f" alt=""><figcaption></figcaption></figure>

Answer:  Java

Q8) How many times was the payload delivered?

<figure><img src="/files/ycMQLTlPSi5ZzZuLHvu7" alt=""><figcaption></figcaption></figure>

Or using Wireshark.

```
ip.src == 37.200.69.143 && http
```

<figure><img src="/files/zw4mT7m4ELmf7hcPpsUy" alt=""><figcaption></figcaption></figure>

Answer:  3

Q9) The compromised website has a malicious script with a URL. What is this URL?

The IP address 82.150.140.30 is associated with the compromised website. Let's filter the data using this IP.

```
ip.addr == 82.150.140.30 && http
```

<figure><img src="/files/2lHg9v1PRzv2x5j4V6xB" alt=""><figcaption></figcaption></figure>

Then let's follow the HTTP stream.

<figure><img src="/files/YO6vgLO81rDFEOsnVNQQ" alt=""><figcaption></figcaption></figure>

Answer:  <http://24corp-shop.com/>

Q10) Extract the two exploit files. What are the MD5 file hashes? (comma-separated)

```xquery
_path=='files' | cut mime_type, md5
```

<figure><img src="/files/knO6o0FyXVBbna7ZMbPO" alt=""><figcaption></figcaption></figure>

Answer:  7b3baa7d6bb3720f369219789e38d6ab,1e34fdebbf655cebea78b45e43520ddf
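The Brim queries above (`_path=='http' ... | cut ...`, `_path=='files' | cut mime_type, md5`) and the Wireshark `ip.src == 37.200.69.143 && http` view all boil down to filtering Zeek records and projecting a few fields. The following Python script is an added example, not part of this write-up or of the CyberDefenders lab material: it reimplements those queries over newline-delimited Zeek JSON (the format Brim ingests) so the same questions can be answered with a scriptable, repeatable tool. The log records are constructed for illustration; the IP addresses, hostnames and MD5 values are the ones given in the answers above, while the timestamps, uids, ports, URIs, MIME types and the 203.0.113.10 address for 24corp-shop.com are made up. The `redirect_chain` function goes a little beyond the page by walking Zeek's `referrer` field to reconstruct the hop from the compromised site through the redirector to the exploit-kit host, which is what the "follow TCP stream" steps in Q6 and Q9 establish by hand.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed Zeek-style JSON records, one per line (the shape Brim ingests).
# IPs, hostnames and MD5s come from the write-up; everything else (ts, uid,
# ports, URIs, MIME types, the 203.0.113.10 address) is made up for the example.
SAMPLE_LOG = """\
{"_path":"http","ts":1.0,"uid":"C1","id.orig_h":"172.16.165.165","id.orig_p":49201,"id.resp_h":"82.150.140.30","id.resp_p":80,"method":"GET","host":"ciniholland.nl","uri":"/","status_code":200}
{"_path":"http","ts":2.0,"uid":"C2","id.orig_h":"172.16.165.165","id.orig_p":49202,"id.resp_h":"203.0.113.10","id.resp_p":80,"method":"GET","host":"24corp-shop.com","uri":"/","referrer":"http://ciniholland.nl/","status_code":200}
{"_path":"http","ts":3.0,"uid":"C3","id.orig_h":"172.16.165.165","id.orig_p":49203,"id.resp_h":"37.200.69.143","id.resp_p":80,"method":"GET","host":"stand.trustandprobaterealty.com","uri":"/landing","referrer":"http://24corp-shop.com/","status_code":200}
{"_path":"http","ts":4.0,"uid":"C3","id.orig_h":"172.16.165.165","id.orig_p":49203,"id.resp_h":"37.200.69.143","id.resp_p":80,"method":"GET","host":"stand.trustandprobaterealty.com","uri":"/exploit","status_code":200}
{"_path":"http","ts":5.0,"uid":"C4","id.orig_h":"172.16.165.165","id.orig_p":49204,"id.resp_h":"37.200.69.143","id.resp_p":80,"method":"GET","host":"stand.trustandprobaterealty.com","uri":"/payload","status_code":200}
{"_path":"http","ts":6.0,"uid":"C5","id.orig_h":"172.16.165.165","id.orig_p":49205,"id.resp_h":"37.200.69.143","id.resp_p":80,"method":"GET","host":"stand.trustandprobaterealty.com","uri":"/payload","status_code":200}
{"_path":"http","ts":7.0,"uid":"C6","id.orig_h":"172.16.165.165","id.orig_p":49206,"id.resp_h":"37.200.69.143","id.resp_p":80,"method":"GET","host":"stand.trustandprobaterealty.com","uri":"/payload","status_code":200}
{"_path":"files","ts":4.1,"fuid":"F1","tx_hosts":["37.200.69.143"],"rx_hosts":["172.16.165.165"],"mime_type":"application/java-archive","md5":"7b3baa7d6bb3720f369219789e38d6ab"}
{"_path":"files","ts":4.2,"fuid":"F2","tx_hosts":["37.200.69.143"],"rx_hosts":["172.16.165.165"],"mime_type":"text/html","md5":"1e34fdebbf655cebea78b45e43520ddf"}
"""


def parse_zeek_json(text):
    """Parse newline-delimited Zeek JSON into a list of dicts (blank lines skipped)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def zq(records, path, where=None, cut=()):
    """Rough equivalent of Brim's `_path=='<path>' k==v ... | cut f1, f2`.

    `where` maps a Zeek field name (dotted names such as 'id.orig_h' are literal
    keys in Zeek JSON) to the value it must equal; `cut` lists the fields to keep.
    """
    where = where or {}
    rows = []
    for rec in records:
        if rec.get("_path") != path:
            continue
        if any(rec.get(key) != value for key, value in where.items()):
            continue
        rows.append(tuple(rec.get(field) for field in cut))
    return rows


def servers_contacted(records, victim_ip):
    """Q2/Q4: distinct (server IP, Host header) pairs the victim spoke HTTP to."""
    rows = zq(records, "http", {"id.orig_h": victim_ip}, ("id.resp_h", "host"))
    return sorted(set(rows))


def redirect_chain(records, victim_ip):
    """Q6/Q9: reconstruct the redirect path by following Referer headers.

    Starts at the first request carrying no Referer, then appends each host whose
    Referer points at the previous hop. Returns the hostnames in order.
    """
    chain = []
    for host, referrer in zq(records, "http", {"id.orig_h": victim_ip}, ("host", "referrer")):
        ref_host = urlsplit(referrer).hostname if referrer else None
        if not chain and ref_host is None:
            chain.append(host)                      # entry point
        elif chain and ref_host == chain[-1] and host != chain[-1]:
            chain.append(host)                      # next hop
    return chain


def responses_from(records, server_ip):
    """Q8: per-URI count of HTTP transactions served by one server
    (the scripted form of Wireshark's `ip.src == <server> && http`)."""
    rows = zq(records, "http", {"id.resp_h": server_ip}, ("uri",))
    return Counter(uri for (uri,) in rows)


def extracted_files(records):
    """Q10: (mime_type, md5) of every file Zeek carved from the capture."""
    return zq(records, "files", cut=("mime_type", "md5"))


if __name__ == "__main__":
    recs = parse_zeek_json(SAMPLE_LOG)
    victim, ek_server = "172.16.165.165", "37.200.69.143"
    print("servers contacted by the victim:")
    for ip, host in servers_contacted(recs, victim):
        print(f"  {ip:<16} {host}")
    print("redirect chain:", " -> ".join(redirect_chain(recs, victim)))
    print("responses from the EK server:")
    for uri, count in responses_from(recs, ek_server).items():
        print(f"  {uri:<10} x{count}")
    print("carved files:")
    for mime, md5 in extracted_files(recs):
        print(f"  {mime:<26} {md5}")
```

On a real capture, generate the input with `zeek -r <pcap> LogAscii::use_json=T` and feed the resulting `http.log` and `files.log` lines to `parse_zeek_json`; because Zeek's file carving only records hashes for files it fully reassembled, a hash missing from `files.log` is a cue to go back to Wireshark's Export Objects rather than a sign the file was not delivered.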

