Malware Traffic Analysis 1 Lab
Q1) What is the IP address of the Windows VM that gets infected?
Alternatively, the same answer can be found by querying the capture in Brim.
Answer: 172.16.165.165
Q2) What is the IP address of the compromised web site?
Alternatively, the same answer can be found in Brim.
Answer: 82.150.140.30
Q3) What is the IP address of the server that delivered the exploit kit and malware?
Answer: 37.200.69.143
Q4) What is the FQDN of the compromised website?
Then follow the TCP stream to read the HTTP Host header.
Alternatively, the same answer can be found in Brim.
Answer: ciniholland.nl
Q5) What is the FQDN that delivered the exploit kit and malware?
Answer: stand.trustandprobaterealty.com
Q6) What is the redirect URL that points to the exploit kit (EK) landing page?
Then follow the TCP stream to see the redirect.
Answer: http://24corp-shop.com/
Q7) Other than CVE-2013-2551 IE exploit, another application was targeted by the EK and starts with "J". Provide the full application name.
Answer: Java
Q8) How many times was the payload delivered?
Alternatively, the same count can be obtained in Wireshark.
Answer: 3
Q9) The compromised website has a malicious script with a URL. What is this URL?
The IP address 82.150.140.30 belongs to the compromised website, so filter the capture on this IP.
Then follow the HTTP stream to find the script reference in the page source.
Answer: http://24corp-shop.com/
Q10) Extract the two exploit files. What are the MD5 file hashes? (comma-separated)
Answer: 7b3baa7d6bb3720f369219789e38d6ab,1e34fdebbf655cebea78b45e43520ddf
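As an added example (not part of the lab or this write-up), the pivots used above can be scripted against the Zeek-style http.log that Brim indexes: identify the chain of hosts one client visited, map an FQDN to the server IP behind it, count payload deliveries from the exploit-kit server, and hash the exported objects. The log excerpt below is constructed; it reuses the IPs and FQDNs from the answers, and 203.0.113.10 is a placeholder for the redirect host, which the write-up does not name.

```python
import hashlib
from collections import OrderedDict

# Constructed Zeek-style http.log excerpt (tab-separated); NOT the lab's pcap data.
# Fields: ts  id.orig_h  id.resp_h  host  uri  resp_mime_types
# 203.0.113.10 is a placeholder address for the redirect host.
SAMPLE_HTTP_LOG = """\
1.0\t172.16.165.165\t82.150.140.30\tciniholland.nl\t/\ttext/html
2.0\t172.16.165.165\t203.0.113.10\t24corp-shop.com\t/\ttext/html
3.0\t172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t/landing\ttext/html
4.0\t172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t/exploit.jar\tapplication/java-archive
5.0\t172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t/payload\tapplication/x-dosexec
6.0\t172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t/payload\tapplication/x-dosexec
7.0\t172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t/payload\tapplication/x-dosexec
"""

FIELDS = ["ts", "orig_h", "resp_h", "host", "uri", "mime"]


def parse_http_log(text):
    """Turn tab-separated http.log lines into dicts, skipping blank and '#' header lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rows.append(dict(zip(FIELDS, line.split("\t"))))
    return rows


def host_chain(rows, client_ip):
    """Ordered, de-duplicated hosts one client requested: compromised site -> redirect -> EK."""
    return list(OrderedDict((r["host"], None) for r in rows if r["orig_h"] == client_ip))


def servers_for_host(rows, fqdn):
    """Server IP(s) that answered for an FQDN (the Q2/Q3-style pivot from name to address)."""
    return {r["resp_h"] for r in rows if r["host"] == fqdn}


def count_payload_deliveries(rows, server_ip, mime="application/x-dosexec"):
    """Count executable responses served by the EK server (the Q8-style count)."""
    return sum(1 for r in rows if r["resp_h"] == server_ip and r["mime"] == mime)


def md5_list(blobs):
    """Comma-separated MD5 digests of exported objects, in the order given (Q10 answer format)."""
    return ",".join(hashlib.md5(b).hexdigest() for b in blobs)
```

For a real capture, export the HTTP objects from Wireshark (or the Zeek extracted files) and pass their bytes to md5_list.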