Malware Traffic Analysis 1 Lab
Q1) What is the IP address of the Windows VM that gets infected?

In Wireshark, the internal host that originates all of the HTTP traffic is the victim. Or, using Brim, list the Suricata alerts; the one internal address that shows up in every alert is the infected VM:
event_type=='alert'

Answer: 172.16.165.165
Q2) What is the IP address of the compromised web site?
In Wireshark, filter on the victim's HTTP traffic; the first site the victim browses to, before the redirect chain starts, is the compromised one.
ip.addr == 172.16.165.165 && http

Or we can use Brim.
_path=='http' id.orig_h==172.16.165.165 | cut id.orig_h, id.resp_h, uri

Answer: 82.150.140.30
Q3) What is the IP address of the server that delivered the exploit kit and malware?
Using the same filters as Q2, look at the server the victim is sent to after the compromised site; it is also the server that appears as the destination in the Suricata exploit-kit alerts.

Answer: 37.200.69.143
Q4) What is the FQDN of the compromised website?
ip.addr == 172.16.165.165 && http

Then follow the TCP stream and read the Host header of the request.

Or using Brim.
_path=='http' id.orig_h==172.16.165.165 | cut id.orig_h, id.resp_h, host

Answer: ciniholland.nl
Q5) What is the FQDN that delivered the exploit kit and malware?
Same approach as Q4, but applied to the exploit-kit server's address (37.200.69.143): read the Host header of the victim's requests to it.

Answer: stand.trustandprobaterealty.com
Q6) What is the redirect URL that points to the exploit kit (EK) landing page?
ip.addr == 37.200.69.143

Then follow the TCP stream of the request for the landing page; the Referer header holds the URL that redirected the victim there.

Answer: http://24corp-shop.com/
Q7) Other than the CVE-2013-2551 IE exploit, another application was targeted by the EK and starts with "J". Provide the full application name.
List the Suricata alert signatures in Brim; the signatures name the exploit kit and the targeted application.
event_type=='alert' | cut alert.signature

Answer: Java
Q8) How many times was the payload delivered?

Or, using Wireshark, filter the HTTP responses coming from the exploit-kit server and count the ones that carry the executable payload:
ip.src == 37.200.69.143 && http

Answer: 3
Q9) The compromised website has a malicious script with a URL. What is this URL?
The IP address 82.150.140.30 is associated with the compromised website. Let's filter the data using this IP.
ip.addr == 82.150.140.30 && http

Then follow the HTTP stream of the compromised site's page and look for the injected script tag in the HTML; its src points at the redirect URL.

Answer: http://24corp-shop.com/
Q10) Extract the two exploit files. What are the MD5 file hashes? (comma-separated)
Brim's files log records the MIME type and MD5 of every file Zeek carved from the capture, so there is no need to export the objects from Wireshark and hash them by hand:
_path=='files' | cut mime_type, md5

Answer: 7b3baa7d6bb3720f369219789e38d6ab,1e34fdebbf655cebea78b45e43520ddf
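The Brim queries above each answer one question in isolation. The example below, added here and not part of the original writeup, does the same analysis over Zeek's http.log and files.log with plain Python: it follows the Referer headers to rebuild the redirect chain (Q2, Q4 through Q6 and Q9), counts the executable payloads served by the exploit-kit server (Q8), and joins files.log to http.log on the connection uid so each extracted file's hash is tied to the URI that served it (Q10), which `cut mime_type, md5` alone does not show. The two logs are constructed for the example: the host names and the three IPs follow the writeup, while the 24corp-shop.com address, the uids, timestamps, URI paths and MD5 values (md5 of "" and of "a") are made up, and application/x-dosexec is assumed to be the MIME type Zeek assigns to Windows executables.

```python
from urllib.parse import urlparse

# Constructed Zeek http.log (not the lab's pcap): hosts and the three IPs
# from the writeup, everything else (192.0.2.10, uids, paths, timestamps) made up.
HTTP_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\treferrer\tstatus_code\tresp_mime_types
1.0\tCa1\t172.16.165.165\t49160\t82.150.140.30\t80\tGET\tciniholland.nl\t/\t-\t200\ttext/html
2.0\tCa2\t172.16.165.165\t49161\t82.150.140.30\t80\tGET\tciniholland.nl\t/js/site.js\thttp://ciniholland.nl/\t200\ttext/plain
3.0\tCb1\t172.16.165.165\t49162\t192.0.2.10\t80\tGET\t24corp-shop.com\t/\thttp://ciniholland.nl/\t200\ttext/html
4.0\tCc1\t172.16.165.165\t49163\t37.200.69.143\t80\tGET\tstand.trustandprobaterealty.com\t/landing\thttp://24corp-shop.com/\t200\ttext/html
5.0\tCc2\t172.16.165.165\t49164\t37.200.69.143\t80\tGET\tstand.trustandprobaterealty.com\t/exploit.jar\thttp://24corp-shop.com/\t200\tapplication/java-archive
6.0\tCc3\t172.16.165.165\t49165\t37.200.69.143\t80\tGET\tstand.trustandprobaterealty.com\t/pay?1\t-\t200\tapplication/x-dosexec
7.0\tCc4\t172.16.165.165\t49166\t37.200.69.143\t80\tGET\tstand.trustandprobaterealty.com\t/pay?2\t-\t200\tapplication/x-dosexec
8.0\tCc5\t172.16.165.165\t49167\t37.200.69.143\t80\tGET\tstand.trustandprobaterealty.com\t/pay?3\t-\t200\tapplication/x-dosexec
9.0\tCd1\t172.16.165.165\t49168\t198.51.100.7\t80\tGET\tother.example\t/\t-\t200\ttext/html
"""

# Constructed files.log; the MD5 values are placeholders (md5 of "" and of "a").
FILES_LOG = """\
#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tmime_type\tmd5
4.1\tFa1\t37.200.69.143\t172.16.165.165\tCc1\tHTTP\ttext/html\td41d8cd98f00b204e9800998ecf8427e
5.1\tFa2\t37.200.69.143\t172.16.165.165\tCc2\tHTTP\tapplication/java-archive\t0cc175b9c0f1b6a8831c399e269772661
"""


def parse_zeek_log(text):
    """Parse a Zeek TSV log into dicts keyed by the #fields header; '-' (unset) becomes None."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = [None if v == "-" else v for v in line.split("\t")]
            records.append(dict(zip(fields, values)))
    return records


def host_of(url):
    """'http://24corp-shop.com/' -> '24corp-shop.com'; None stays None."""
    return urlparse(url).hostname if url else None


def redirect_chain(http, victim, start_host):
    """Follow Referer links forward from start_host: each hop is the next host the
    victim requested with a Referer pointing at the previous hop (Q2/Q4 -> Q6 -> Q5)."""
    chain, seen = [start_host], {start_host}
    while True:
        nxt = next((r["host"] for r in http
                    if r["id.orig_h"] == victim
                    and host_of(r["referrer"]) == chain[-1]
                    and r["host"] not in seen), None)
        if nxt is None:
            return chain
        chain.append(nxt)
        seen.add(nxt)


def referrers_to(http, target_host):
    """The URL(s) that redirected the victim to target_host (Q6: the EK landing page)."""
    return sorted({r["referrer"] for r in http if r["host"] == target_host and r["referrer"]})


def payload_deliveries(http, server_ip, mime="application/x-dosexec"):
    """Count successful responses from the EK server typed as a Windows executable (Q8)."""
    return sum(1 for r in http
               if r["id.resp_h"] == server_ip and r["status_code"] == "200"
               and r["resp_mime_types"] and mime in r["resp_mime_types"].split(","))


def exploit_files(http, files, server_ip):
    """Join files.log to http.log on the connection uid (conn_uids is a set in Zeek,
    so take its first element) to tie each carved file's MD5 to the URI that served it (Q10)."""
    by_uid = {r["uid"]: r for r in http}
    out = []
    for f in files:
        if f["tx_hosts"] != server_ip or f["source"] != "HTTP":
            continue
        req = by_uid.get(f["conn_uids"].split(",")[0])
        out.append((f["mime_type"], f["md5"], req["uri"] if req else None))
    return out


if __name__ == "__main__":
    http, files = parse_zeek_log(HTTP_LOG), parse_zeek_log(FILES_LOG)
    print("chain:", " -> ".join(redirect_chain(http, "172.16.165.165", "ciniholland.nl")))
    print("redirect URL:", referrers_to(http, "stand.trustandprobaterealty.com"))
    print("payload deliveries:", payload_deliveries(http, "37.200.69.143"))
    for mime, md5, uri in exploit_files(http, files, "37.200.69.143"):
        print(f"{md5}  {mime}  {uri}")
```

Against the real capture, point parse_zeek_log at the http.log and files.log that Zeek (or Brim's Zeek import) writes for the pcap; the joins work unchanged because the uid and conn_uids fields are what link Zeek's logs together. Counting payloads by Zeek's MIME type rather than by URL pattern matters here because exploit kits rotate the payload URI between requests.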