Malware Traffic Analysis 1 Lab
Q1) What is the IP address of the Windows VM that gets infected?
In Brim, list the Suricata alerts; the internal (172.16.165.0/24) host that the alerts keep pointing at is the infected VM.
event_type=='alert'
Answer: 172.16.165.165
Q2) What is the IP address of the compromised web site?
ip.addr == 172.16.165.165 && http
Or we can use Brim.
_path=='http' id.orig_h==172.16.165.165 | cut id.orig_h, id.resp_h, uri
Answer: 82.150.140.30
Q3) What is the IP address of the server that delivered the exploit kit and malware?
Answer: 37.200.69.143
Q4) What is the FQDN of the compromised website?
ip.addr == 172.16.165.165 && http
Then follow the TCP stream and read the Host header of the request.
Or using Brim.
_path=='http' id.orig_h==172.16.165.165 | cut id.orig_h, id.resp_h, host
Answer: ciniholland.nl
Q5) What is the FQDN that delivered the exploit kit and malware?
Answer: stand.trustandprobaterealty.com
Q6) What is the redirect URL that points to the exploit kit (EK) landing page?
ip.addr == 37.200.69.143
Then follow the TCP stream; the Referer header on the first request to the exploit-kit server is the URL that redirected the victim there.
Answer: http://24corp-shop.com/
Q7) Other than the CVE-2013-2551 IE exploit, another application was targeted by the EK; its name starts with "J". Provide the full application name.
event_type=='alert' | cut alert.signature
Answer: Java
Q8) How many times was the payload delivered?
In Wireshark, list the HTTP responses from the exploit-kit server and count the ones that carry the executable payload.
ip.src == 37.200.69.143 && http
Answer: 3
Q9) The compromised website has a malicious script with a URL. What is this URL?
The IP address 82.150.140.30 is associated with the compromised website. Let's filter the data using this IP.
ip.addr == 82.150.140.30 && http
Then follow the HTTP stream and look in the returned page body for the injected script that references an external URL.
Answer: http://24corp-shop.com/
Q10) Extract the two exploit files. What are the MD5 file hashes? (comma-separated)
_path=='files' | cut mime_type, md5
Answer: 7b3baa7d6bb3720f369219789e38d6ab,1e34fdebbf655cebea78b45e43520ddf
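The Brim and Wireshark pivots above (Q2/Q4 hosts contacted, Q6/Q9 redirect chain, Q8 payload count, Q10 exploit hashes) can be reproduced offline as plain Python over Zeek-style http.log and files.log records. The block below is an added example, not code from the lab or its write-up. Its log records are constructed: the IPs, FQDNs and the two exploit-file MD5s are the ones identified above, but every URI, uid, timestamp and MIME type, the address used for 24corp-shop.com (203.0.113.10, a TEST-NET-3 address), the mapping of each MD5 to a file type, and the payload hash (MD5 of the empty string) are assumptions made for the sample.

```python
"""Added example (not part of the lab write-up): the lab's Brim/Wireshark pivots
re-run as Python over Zeek-style http.log and files.log records.
Records are constructed: IPs, FQDNs and the two exploit MD5s come from the write-up;
URIs, uids, timestamps, MIME types, the 24corp-shop.com address (203.0.113.10,
TEST-NET-3) and the payload hash (MD5 of "") are assumptions."""
from urllib.parse import urlsplit

VICTIM = "172.16.165.165"
EK_SERVER = "37.200.69.143"
EK_HOST = "stand.trustandprobaterealty.com"
PE_MIME = "application/x-dosexec"  # Zeek's libmagic label for a PE executable


def tsv(fields, rows):
    """Render rows as a Zeek-style TSV log: a #fields header, tab-separated, '-' = unset."""
    return "\n".join(["#fields\t" + "\t".join(fields)] + ["\t".join(r) for r in rows])


# Constructed http.log (subset of the real columns; field names match Zeek's).
LANDING_REF = "http://" + EK_HOST + "/landing"
HTTP_LOG = tsv(
    ["ts", "uid", "id.orig_h", "id.resp_h", "method", "host", "uri", "referrer", "status_code", "resp_mime_types"],
    [
        ["1.0", "C1", VICTIM, "82.150.140.30", "GET", "ciniholland.nl", "/", "-", "200", "text/html"],
        ["2.0", "C2", VICTIM, "82.150.140.30", "GET", "ciniholland.nl", "/site.js", "http://ciniholland.nl/", "200", "text/javascript"],
        ["3.0", "C3", VICTIM, "203.0.113.10", "GET", "24corp-shop.com", "/", "http://ciniholland.nl/", "200", "text/html"],
        ["4.0", "C4", VICTIM, EK_SERVER, "GET", EK_HOST, "/landing", "http://24corp-shop.com/", "200", "text/html"],
        ["5.0", "C5", VICTIM, EK_SERVER, "GET", EK_HOST, "/exploit.jar", LANDING_REF, "200", "application/java-archive"],
        ["6.0", "C6", VICTIM, EK_SERVER, "GET", EK_HOST, "/payload?1", LANDING_REF, "200", PE_MIME],
        ["7.0", "C7", VICTIM, EK_SERVER, "GET", EK_HOST, "/payload?2", LANDING_REF, "200", PE_MIME],
        ["8.0", "C8", VICTIM, EK_SERVER, "GET", EK_HOST, "/payload?3", LANDING_REF, "200", PE_MIME],
    ],
)

# Constructed files.log; which MD5 belongs to which file type is an assumption.
FILES_LOG = tsv(
    ["ts", "fuid", "tx_hosts", "rx_hosts", "conn_uids", "mime_type", "md5"],
    [
        ["2.0", "F1", "82.150.140.30", VICTIM, "C2", "text/javascript", "-"],
        ["4.0", "F2", EK_SERVER, VICTIM, "C4", "text/html", "1e34fdebbf655cebea78b45e43520ddf"],
        ["5.0", "F3", EK_SERVER, VICTIM, "C5", "application/java-archive", "7b3baa7d6bb3720f369219789e38d6ab"],
        ["6.0", "F4", EK_SERVER, VICTIM, "C6", PE_MIME, "d41d8cd98f00b204e9800998ecf8427e"],
        ["7.0", "F5", EK_SERVER, VICTIM, "C7", PE_MIME, "d41d8cd98f00b204e9800998ecf8427e"],
        ["8.0", "F6", EK_SERVER, VICTIM, "C8", PE_MIME, "d41d8cd98f00b204e9800998ecf8427e"],
    ],
)


def parse_zeek_tsv(text):
    """Parse a Zeek TSV log: '#fields' names the columns, other '#' lines are metadata, '-' is unset."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = [None if v == "-" else v for v in line.split("\t")]
            records.append(dict(zip(fields, values)))
    return records


HTTP = parse_zeek_tsv(HTTP_LOG)
FILES = parse_zeek_tsv(FILES_LOG)


def hosts_contacted(http, orig_h):
    """Q2/Q4: distinct (server IP, Host header) pairs for one client, in first-seen order."""
    seen = []
    for r in http:
        pair = (r["id.resp_h"], r["host"])
        if r["id.orig_h"] == orig_h and pair not in seen:
            seen.append(pair)
    return seen


def redirect_chain(http, orig_h, start_host):
    """Q6/Q9: walk Referer headers forward from the compromised site to the EK landing page."""
    chain = [start_host]
    while True:
        nxt = next((r for r in http if r["id.orig_h"] == orig_h and r["referrer"]
                    and urlsplit(r["referrer"]).hostname == chain[-1]
                    and r["host"] != chain[-1]), None)
        if nxt is None or nxt["host"] in chain:  # chain exhausted or looping
            return chain
        chain.append(nxt["host"])


def entry_referrers(http, host):
    """Q6: Referer URLs on requests to `host` that came from a different site."""
    return sorted({r["referrer"] for r in http if r["host"] == host and r["referrer"]
                   and urlsplit(r["referrer"]).hostname != host})


def payload_deliveries(http, resp_h, mime=PE_MIME):
    """Q8: number of executable responses served by the EK server."""
    return sum(1 for r in http if r["id.resp_h"] == resp_h and r["resp_mime_types"] == mime)


def exploit_hashes(files, tx_host, payload_mime=PE_MIME):
    """Q10: MD5s of everything the EK server served other than the executable payload."""
    return sorted({f["md5"] for f in files
                   if f["tx_hosts"] == tx_host and f["md5"] and f["mime_type"] != payload_mime})


if __name__ == "__main__":
    print("Q2/Q4 servers contacted:", hosts_contacted(HTTP, VICTIM))
    print("Q6/Q9 redirect chain:", " -> ".join(redirect_chain(HTTP, VICTIM, "ciniholland.nl")))
    print("Q6 referrer into the EK:", entry_referrers(HTTP, EK_HOST))
    print("Q8 payload deliveries:", payload_deliveries(HTTP, EK_SERVER))
    print("Q10 exploit hashes:", ",".join(exploit_hashes(FILES, EK_SERVER)))
```

On a real capture, replace the constructed strings with the contents of the http.log and files.log that `zeek -r` writes; the parser only relies on the `#fields` header, so extra columns are harmless. Note that the Referer walk finds the 24corp-shop.com hop only because browsers send the referring URL; an injected script on the compromised page would still show up in the page body (the Q9 step) even if the Referer were stripped.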