2015-02-15 - TRAFFIC ANALYSIS EXERCISE: THE FINAL ROUND
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
PCAP AND SUSPICIOUS FILES:
- 2015-02-15-traffic-analysis-exercise.pcap.zip 1.3 MB (1,284,313 bytes)
- 2015-02-15-traffic-analysis-exercise-suspicious-files.zip 146.6 kB (146,574 bytes)
BASED ON ADDITIONAL INFO FROM FILES ON THE INFECTED COMPUTER, YOU FINISH YOUR REPORT
Here is more information on the suspicious files from the zip archive sent by the UK office:
Get the SHA256 hashes, and you can add that information to the writeup you've already completed:
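One way to produce those hash lines for the writeup, as an added example that is not part of the original exercise: a small Python script that walks every file inside a zip archive, streams each member through SHA256 (and MD5, since many sandboxes and older reports still index on it) and formats one row per sample. The archive it builds is a constructed stand-in with placeholder contents, not the suspicious-files archive from this page. Note that Python's zipfile module only decrypts the legacy ZipCrypto scheme; if an archive is AES-encrypted, extract it first with 7-Zip and run the hashing functions on the extracted files instead.

```python
import hashlib
import io
import zipfile


def hash_stream(fh, chunk_size=65536):
    """Hash a file-like object in chunks so large samples do not need to fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    size = 0
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
        size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_zip_members(zip_bytes, password=None):
    """Return {member name: {size, md5, sha256}} for every file in a zip archive.

    password (bytes or None) is only honoured for ZipCrypto-protected members;
    AES-encrypted archives must be extracted with another tool first.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info, pwd=password) as fh:
                results[info.filename] = hash_stream(fh)
    return results


def report_lines(results):
    """Format one line per sample in the order the writeup would list them."""
    lines = []
    for name in sorted(results):
        r = results[name]
        lines.append(f"{name}  {r['size']} bytes  MD5: {r['md5']}  SHA256: {r['sha256']}")
    return lines


def build_sample_archive():
    """Constructed stand-in archive: placeholder contents, not the exercise's files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample-a.bin", b"abc")   # placeholder, not malware
        zf.writestr("sample-b.bin", b"")      # empty member, exercises the size-0 path
    return buf.getvalue()


if __name__ == "__main__":
    for line in report_lines(hash_zip_members(build_sample_archive())):
        print(line)
```

To run it against a real archive, read the zip from disk (`open(path, "rb").read()`) and pass the archive password as bytes; the hashes go straight into the indicators section of the report.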
FINAL NOTES
- If you decided to stop at any of the earlier decision points, assuming you didn't make any mistakes, you should be good. Once you've determined whether or not the malware was delivered, initiate your incident response procedures to take care of the situation. From an incident response perspective, that's all you need.
- As analysts, we've got other events to investigate. Spend too much time on one incident, and you might miss something even more important.
- Search through the traffic, and you'll find the HTTP GET request from the compromised website that goes to the Cushion redirect (tcp.stream eq 37) and the Cushion redirect that leads to the Nuclear EK landing page (tcp.stream eq 44). The Referer headers on those requests tie each hop to the one before it. That should take you through the full chain of events, from the compromised website to Nuclear EK.
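The chain-of-events reconstruction above, done programmatically, as an added example that is not part of the original exercise: given the fields an analyst would export from Wireshark's HTTP request list (tcp.stream, Host, request URI, Referer), walk backwards from the first request to the exploit kit landing host through the Referer headers until the chain reaches a request with no usable Referer. The sample requests and hostnames below are constructed placeholders; the stream numbers and domains are not the ones from this exercise's pcap.

```python
# Constructed sample of HTTP requests, in the shape Wireshark's "HTTP Requests"
# view exports them. Hostnames and stream numbers are placeholders, not data
# from the exercise pcap.
SAMPLE_REQUESTS = [
    {"stream": 12, "host": "compromised-site.example", "uri": "/index.html", "referer": None},
    {"stream": 15, "host": "static.cdn.example", "uri": "/jquery.js",
     "referer": "http://compromised-site.example/index.html"},
    {"stream": 37, "host": "gate.redirector.example", "uri": "/in.cgi?5",
     "referer": "http://compromised-site.example/index.html"},
    {"stream": 44, "host": "landing.ek.example", "uri": "/abcdef/1234.html",
     "referer": "http://gate.redirector.example/in.cgi?5"},
    {"stream": 51, "host": "landing.ek.example", "uri": "/payload.swf",
     "referer": "http://landing.ek.example/abcdef/1234.html"},
    {"stream": 60, "host": "unrelated.example", "uri": "/ads",
     "referer": "http://other.example/"},
]


def full_url(req):
    """Rebuild the absolute URL the browser requested (Host + URI, plain HTTP)."""
    return f"http://{req['host']}{req['uri']}"


def referer_chain(requests, end_host):
    """Return the ordered list of requests leading to the first request for end_host.

    Walks backwards: each hop is the request whose URL matches the current
    request's Referer. Stops when the Referer is missing, points at a URL not
    seen in the capture, or would revisit a hop already in the chain (loop guard).
    """
    ordered = sorted(requests, key=lambda r: r["stream"])
    # First request for each URL wins, so repeated fetches do not shadow the original.
    by_url = {}
    for r in ordered:
        by_url.setdefault(full_url(r), r)

    target = next((r for r in ordered if r["host"] == end_host), None)
    if target is None:
        return []

    chain = [target]
    seen = {full_url(target)}
    while True:
        ref = chain[0]["referer"]
        if ref not in by_url or ref in seen:
            break
        prev = by_url[ref]
        seen.add(full_url(prev))
        chain.insert(0, prev)
    return chain


def wireshark_filter(chain):
    """Build a display filter that isolates every stream in the chain."""
    return " || ".join(f"tcp.stream eq {r['stream']}" for r in chain)


if __name__ == "__main__":
    hops = referer_chain(SAMPLE_REQUESTS, "landing.ek.example")
    for r in hops:
        print(f"tcp.stream {r['stream']:>3}  {full_url(r)}")
    print(wireshark_filter(hops))
```

Exporting the real request list is a one-liner with tshark (`tshark -r file.pcap -Y http.request -T fields -e tcp.stream -e http.host -e http.request.uri -e http.referer`); the resulting display filter can be pasted into Wireshark to review only the streams that make up the infection chain. Gates that redirect via a 302 Location header rather than a page load still appear here, because the browser sends the gate URL as the Referer of the next request.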
Click here to exit this exercise and return to the main page.