2014-11-16 - TRAFFIC ANALYSIS EXERCISE: QUESTIONS ABOUT EXPLOIT KIT (EK) TRAFFIC
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
PCAP AND ANSWERS
- 2014-11-16-traffic-analysis-exercise.pcap.zip 2.1 MB (2,132,438 bytes)
- 2014-11-16-traffic-analysis-exercise-answers.pdf.zip 844.5 kB (844,464 bytes)
NOTES:
- I'm posting a traffic analysis exercise I've developed for my co-workers and some recently-hired analysts at the office.
- Using this pcap, @tehsyntx examined how to decode the payload delivered by the exploit kit: http://thembits.blogspot.se/2014/12/rig-exploit-kit-shellcode-analysis.html
QUESTIONS
LEVEL 1 QUESTIONS:
1) What is the IP address of the Windows VM that gets infected?
2) What is the host name of the Windows VM that gets infected?
3) What is the MAC address of the infected VM?
4) What is the IP address of the compromised web site?
5) What is the domain name of the compromised web site?
6) What is the IP address that delivered the exploit kit and malware?
7) What is the domain name that delivered the exploit kit and malware?
LEVEL 2 QUESTIONS:
1) What is the redirect URL that points to the exploit kit (EK) landing page?
2) Besides the landing page (which contains the CVE-2013-2551 IE exploit), what other exploit(s) were sent by the EK?
4) How many times was the payload delivered?
5) Submit the pcap to VirusTotal and find out what Snort alerts triggered. What EK names are shown in the Suricata alerts?
LEVEL 3 QUESTIONS:
1) Checking my website, what have I (and others) been calling this exploit kit?
2) What file or page from the compromised website has the malicious script with the URL for the redirect?
3) Extract the exploit file(s). What is(are) the md5 file hash(es)?
4) VirusTotal doesn't show all the VRT rules under the "Snort alerts" section for the pcap analysis. If you run your own version of Snort with the VRT ruleset as a registered user (or a subscriber), what VRT rules fire?
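The mechanical part of the Level 1 and Level 3 questions (pull the client MAC and IP from the frames, carve an HTTP response body out of the pcap, hash it with MD5) as an added Python example; this is not code from the exercise or its answers PDF. The pcap bytes are constructed inline with made-up addresses and a placeholder body, and the carver only handles a response that fits in one TCP segment, which is the caveat to remember when you do this on a real capture: multi-segment responses need TCP stream reassembly (Wireshark's File > Export Objects > HTTP does that for you).

```python
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap magic
LINKTYPE_ETHERNET = 1


def build_pcap(frames):
    """Wrap raw Ethernet frames in a minimal pcap file (constructed test data)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1416150000 + i, 0, len(frame), len(frame)) + frame
    return out


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame; checksums are left zero since nothing validates them offline."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + tcp + payload


def iter_frames(pcap):
    """Walk the pcap record headers and yield each captured frame."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"
    offset = 24
    while offset + 16 <= len(pcap):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, offset)
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len


def parse_frame(frame):
    """Return (src_mac, dst_mac, src_ip, dst_ip, sport, dport, tcp_payload), or None if not IPv4/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    dst_mac = ":".join("%02x" % b for b in frame[0:6])
    src_mac = ":".join("%02x" % b for b in frame[6:12])
    ihl = (frame[14] & 0x0F) * 4
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_offset = (tcp[12] >> 4) * 4
    return src_mac, dst_mac, src_ip, dst_ip, sport, dport, tcp[data_offset:]


def carve_http_responses(pcap):
    """Yield one dict per single-segment HTTP response: who received it, what it was, and its MD5.

    The destination of the response is the client, so its MAC/IP answer the Level 1 questions;
    the body hash answers Level 3. Responses spanning several segments are NOT reassembled here.
    """
    for frame in iter_frames(pcap):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        _src_mac, dst_mac, _src_ip, dst_ip, _sport, _dport, data = parsed
        if not data.startswith(b"HTTP/1."):
            continue
        head, _, body = data.partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        body = body[:int(headers.get(b"content-length", len(body)))]
        yield {
            "client_mac": dst_mac,
            "client_ip": dst_ip,
            "content_type": headers.get(b"content-type", b"").decode(errors="replace"),
            "size": len(body),
            "md5": hashlib.md5(body).hexdigest(),
        }


# Constructed sample capture: a GET and a one-segment response with a placeholder body
# (the sentence below stands in for a carved exploit file; it is not exploit content).
PLACEHOLDER_BODY = b"The quick brown fox jumps over the lazy dog"
SAMPLE_PCAP = build_pcap([
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.168.1.100", "203.0.113.10",
                49152, 80, b"GET /landing HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    build_frame("66:77:88:99:aa:bb", "00:11:22:33:44:55", "203.0.113.10", "192.168.1.100",
                80, 49152, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n"
                % len(PLACEHOLDER_BODY) + PLACEHOLDER_BODY),
])


def summarize(pcap):
    return list(carve_http_responses(pcap))


if __name__ == "__main__":
    for entry in summarize(SAMPLE_PCAP):
        print(entry)
```

Run it as-is to see the carved entry; point `summarize()` at `open("capture.pcap", "rb").read()` to try it on a real capture, bearing in mind the single-segment limitation above. Anything this carves should be hashed and compared against what VirusTotal or Wireshark's object export gives you before you record it as an answer.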