Trident Lab
Q1) The attacker conducted a port scan on the victim machine. How many open ports did the attacker find?
To spot the scan, filter for the attacker's probes: packets with SYN set and ACK clear.
tcp.flags.syn == 1 && tcp.flags.ack == 0

The attacker's IP address is 192.168.112.128. When a probed port is open, the victim answers with a packet carrying both the SYN and ACK flags. Filter for these responses sent back to the attacker and count the distinct source ports.
tcp.flags.syn == 1 && tcp.flags.ack == 1 && ip.dst == 192.168.112.128

Alternatively, open the capture in NetworkMiner.

Answer: 7
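The two Q1 filters above, expressed as code over raw IPv4/TCP headers. This is an added example, not part of the lab or this write-up; the capture is constructed in-line (the victim address 192.168.112.10 and the probed ports are assumed), so it runs offline without a pcap.

```python
"""Count open ports from a SYN scan by reading raw IPv4/TCP headers.
Added example; the packets below are constructed, not taken from the lab pcap."""
import socket
import struct

SYN, ACK, RST = 0x02, 0x10, 0x04
ATTACKER = "192.168.112.128"   # attacker IP from the write-up
VICTIM = "192.168.112.10"      # assumed victim address (constructed)

def build_packet(src, dst, sport, dport, flags):
    """Minimal IPv4 + TCP header pair, no options or payload (constructed)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def parse_packet(raw):
    """Return (src, dst, sport, dport, flags) for a TCP packet, else None."""
    ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes
    if raw[9] != 6:                    # protocol field: 6 = TCP
        return None
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    flags = raw[ihl + 13]              # TCP flags byte
    return src, dst, sport, dport, flags

def probed_ports(packets, attacker):
    """Ports the attacker sent bare SYNs to: tcp.flags.syn==1 && tcp.flags.ack==0."""
    return {p[3] for p in map(parse_packet, packets)
            if p and p[0] == attacker and p[4] & (SYN | ACK) == SYN}

def open_ports(packets, attacker):
    """Ports that answered SYN/ACK toward the attacker, i.e. the Wireshark filter
    tcp.flags.syn==1 && tcp.flags.ack==1 && ip.dst==attacker."""
    return {p[2] for p in map(parse_packet, packets)
            if p and p[1] == attacker and p[4] & (SYN | ACK) == (SYN | ACK)}

# Constructed capture: five probes, three open ports, two closed (RST/ACK reply).
CAPTURE = []
for port, is_open in [(21, False), (22, True), (80, True), (443, True), (8080, False)]:
    CAPTURE.append(build_packet(ATTACKER, VICTIM, 40000 + port, port, SYN))
    CAPTURE.append(build_packet(VICTIM, ATTACKER, port, 40000 + port,
                                SYN | ACK if is_open else RST | ACK))

if __name__ == "__main__":
    print("probed:", sorted(probed_ports(CAPTURE, ATTACKER)))
    print("open:", sorted(open_ports(CAPTURE, ATTACKER)))
```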
Q2) What is the victim's email address?
Filter for SMTP traffic; the addresses appear in the MAIL FROM and RCPT TO commands.
smtp

Alternatively, open the capture in NetworkMiner.

Answer: joshua@cyberdefenders.org
Q3) The malicious document file contains a URL to a malicious HTML file. Provide the URL for this file.
Filter for HTTP GET requests sent to the attacker's web server and look at the requested URI.
http.request.method == GET and ip.dst == 192.168.112.128

Answer: http://192.168.112.128/word.html
Q4) What is the Microsoft Office version installed on the victim machine?

Answer: 15.0.4517
Q5) The malicious HTML contains JavaScript code that points to a malicious CAB file. Provide the URL to the CAB file.
Filter again for GET requests to the attacker's server; the CAB file is the next object fetched after word.html.
http.request.method == GET and ip.dst == 192.168.112.128

Alternatively, we can download the file and perform a search within it.
grep -i ".cab" word.html

Answer: http://192.168.112.128/word.cab
Q6) The exploit takes advantage of a CAB vulnerability. Provide the vulnerability name.
See the CVE-2021-40444 research at https://github.com/klezVirus/CVE-2021-40444, which describes the CAB technique used here.

Answer: zipslip
Q7) Analyzing the DLL file, what API is used to write the shellcode into the process memory?
Run strings over the CAB file and look for Windows API names among the imports.
strings word.cab

Answer: WriteProcessMemory