2014-12-04 - TRAFFIC ANALYSIS EXERCISE: QUESTIONS ABOUT EXPLOIT KIT (EK) TRAFFIC


QUESTIONS

BASIC QUESTIONS:

1) What is the IP address of the Windows host that gets infected?
2) What is the MAC address of the infected Windows host?
3) What is the domain name of the compromised web site?
4) What is the IP address of the compromised web site?
5) What is the domain name that delivered the exploit kit and malware payload?
6) What is the IP address that delivered the exploit kit and malware payload?


MORE ADVANCED QUESTIONS:

1) What Snort events (either VRT or EmergingThreats) are generated by this pcap?
2) What is the exploit kit (EK)?
3) What is the redirect URL that points to the exploit kit (EK) landing page?
4) What is the IP address of the redirect URL that points to the exploit kit (EK) landing page?
5) Which TCP stream shows the malware payload being delivered?
6) What is the domain name and IP address of the HTTPS callback traffic caused by this malware infection?


EXTRA QUESTIONS:

1) Extract the malware payload, deobfuscate it, and remove the shellcode at the beginning.  This should give you the actual payload (a DLL file) used for the infection.  What's the MD5 hash of the payload?
2) A Flash file was used in conjunction with the redirect URL.  What URL was used to retrieve this Flash file?
3) In the traffic, we see HTTP POST requests to www.earthtools.org and www.ecb.europa.eu.  Why are we seeing these HTTP POST requests?
4) What web browser was used by the infected host?
5) What 3 exploits were sent by the exploit kit during this infection, and which one was successful?
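The basic questions and advanced questions 3 through 5 all come down to the same fields: which host (IP and MAC) made each HTTP request, which server answered, what Host header and URI were requested, and which TCP conversation carried it. Wireshark or tshark is the normal tool for this, but the script below is an added example (not part of the exercise, its pcap, or its answers) that pulls exactly those fields out of a classic libpcap file with only the Python standard library and numbers TCP conversations the way Wireshark's tcp.stream does. It runs against a constructed capture built inline from RFC 5737 documentation addresses, made-up MAC addresses and .example hostnames; none of those values are the answers to the questions above.

```python
import struct

# ---- minimal libpcap / Ethernet / IPv4 / TCP parsing --------------------------

def pcap_frames(data):
    """Yield raw Ethernet frames from a classic libpcap capture (not pcapng)."""
    (magic,) = struct.unpack('<I', data[:4])
    if magic == 0xA1B2C3D4:
        end = '<'                        # file written little-endian
    elif magic == 0xD4C3B2A1:
        end = '>'                        # file written big-endian
    else:
        raise ValueError('not a libpcap capture')
    (linktype,) = struct.unpack(end + 'I', data[20:24])
    if linktype != 1:                    # LINKTYPE_ETHERNET
        raise ValueError('only Ethernet captures are handled here')
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(end + 'IIII', data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def mac_str(b):
    return ':'.join('%02x' % x for x in b)

def ip_str(b):
    return '.'.join(str(x) for x in b)

def parse_tcp_frame(frame):
    """Return (src_mac, src_ip, sport, dst_ip, dport, payload) for IPv4/TCP, else None."""
    if len(frame) < 34:
        return None
    (ethertype,) = struct.unpack('!H', frame[12:14])
    if ethertype != 0x0800:              # skip ARP, IPv6, etc.
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack('!H', ip[2:4])
    if ip[9] != 6:                       # skip non-TCP (UDP/DNS, ICMP)
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack('!HH', tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return (mac_str(frame[6:12]), ip_str(ip[12:16]), sport,
            ip_str(ip[16:20]), dport, tcp[data_off:])

HTTP_METHODS = (b'GET ', b'POST ', b'HEAD ')

def parse_http_request(payload):
    """Return (method, uri, host) if the payload begins an HTTP request, else None."""
    if not payload.startswith(HTTP_METHODS):
        return None
    lines = payload.split(b'\r\n\r\n', 1)[0].decode('latin-1').split('\r\n')
    parts = lines[0].split(' ')
    if len(parts) < 2:
        return None
    host = ''
    for line in lines[1:]:
        name, _, value = line.partition(':')
        if name.strip().lower() == 'host':
            host = value.strip()
    return parts[0], parts[1], host

def http_requests(pcap_bytes):
    """List every HTTP request with a Wireshark-style tcp.stream index.

    Every TCP 4-tuple gets a stream number in order of first appearance, so
    conversations that carry no HTTP still consume an index, as in Wireshark.
    """
    streams = {}                         # unordered endpoint pair -> stream index
    out = []
    for frame in pcap_frames(pcap_bytes):
        parsed = parse_tcp_frame(frame)
        if parsed is None:
            continue
        src_mac, src_ip, sport, dst_ip, dport, payload = parsed
        key = frozenset(((src_ip, sport), (dst_ip, dport)))
        stream = streams.setdefault(key, len(streams))
        req = parse_http_request(payload)
        if req is None:
            continue
        method, uri, host = req
        out.append({'stream': stream, 'src_mac': src_mac, 'src_ip': src_ip,
                    'dst_ip': dst_ip, 'dst_port': dport,
                    'method': method, 'host': host, 'uri': uri})
    return out

# ---- constructed sample capture (documentation addresses, not the exercise pcap) ----

def _frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame; checksums are left zero since we never verify them."""
    ip_hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                         bytes(int(x) for x in src_ip.split('.')),
                         bytes(int(x) for x in dst_ip.split('.')))
    tcp_hdr = struct.pack('!HHIIBBHHH', sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return dst_mac + src_mac + b'\x08\x00' + ip_hdr + tcp_hdr + payload

def _pcap(frames):
    hdr = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b''.join(struct.pack('<IIII', i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))

CLIENT_MAC, GW_MAC = bytes.fromhex('001122334455'), bytes.fromhex('aabbccddeeff')
CLIENT, SITE, EK = '192.0.2.10', '198.51.100.7', '203.0.113.9'   # constructed values

SAMPLE_PCAP = _pcap([
    _frame(CLIENT_MAC, GW_MAC, CLIENT, SITE, 49152, 80,
           b'GET / HTTP/1.1\r\nHost: compromised.example\r\n\r\n'),
    _frame(GW_MAC, CLIENT_MAC, SITE, CLIENT, 80, 49152,
           b'HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n'),  # response, not a request
    GW_MAC + CLIENT_MAC + b'\x08\x06' + b'\x00' * 28,            # ARP frame, must be skipped
    _frame(CLIENT_MAC, GW_MAC, CLIENT, EK, 49153, 80,
           b'GET /landing.php HTTP/1.1\r\nHost: ek-delivery.example\r\n\r\n'),
    _frame(CLIENT_MAC, GW_MAC, CLIENT, EK, 49153, 80,
           b'GET /payload.bin HTTP/1.1\r\nHost: ek-delivery.example\r\n\r\n'),
])

if __name__ == '__main__':
    for r in http_requests(SAMPLE_PCAP):
        print('tcp.stream %d  %s (%s) -> %s:%d  %s http://%s%s' % (
            r['stream'], r['src_ip'], r['src_mac'], r['dst_ip'], r['dst_port'],
            r['method'], r['host'], r['uri']))
```

To use it on a real capture, replace SAMPLE_PCAP with `open('file.pcap', 'rb').read()`; the first request's source IP and MAC answer basic questions 1 and 2, the Host and destination IP of the first request are the compromised site, and the stream index of the request for the payload is what Wireshark's "Follow TCP Stream" would show. The script only inspects the first segment of each request, so a request split across several TCP segments or a pcapng file (which has a different container format) is not handled.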