2015-02-24 - TRAFFIC ANALYSIS EXERCISE: FINAL ANSWERS/NOTES
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
PCAP:
- 2015-02-24-traffic-analysis-exercise.pcap.zip 5.6 MB (5,624,704 bytes)
ANSWER CHECK - ROUND 3
Get the payload and decrypt it? First, you'll need to extract the payload from Wireshark. Go to File --> Export Objects --> HTTP as shown below:
The payload is sent multiple times by the exploit kit domain. It's 182 kB in size. I saved mine to a file named: extracted-binary
Next, go to https://github.com/0x3a/tools/blob/master/fiesta-payload-decrypter.py for the python script that can decrypt the payload.
You can copy and paste the script to a text file on your local host. I saved mine to a file named: fiesta-decrypt.py
Hopefully you're using Linux or some other Unix/BSD variant. Make sure your script is executable. In the image below, I used the file command to get some general information on the file. It only shows as "binary data." After running the python script, try file on the decrypted binary, and it should show a PE32 executable.
Now you can submit the decrypted file to VirusTotal or reverse engineer the decrypted malware sample.
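As an added example (not from the exercise page or from the 0x3a decrypter script), here is a small Python checker that does what the `file` step above does by hand: it looks for the DOS "MZ" stub, follows e_lfanew to the "PE\0\0" signature, reads the COFF machine type and the optional-header magic to tell PE32 from PE32+, and computes the SHA-256 you would use to look the sample up on VirusTotal. Run it on the still-encrypted extracted-binary and it reports no PE header; run it on the decrypted output and it should report PE32. The sample bytes it builds are a constructed minimal header for self-testing, not data from the pcap; the file names are the ones used above.

```python
import hashlib
import struct
import sys

# IMAGE_FILE_MACHINE values and optional-header magics from the PE/COFF spec
MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}
OPT_MAGIC = {0x010B: "PE32", 0x020B: "PE32+"}


def inspect_pe(data: bytes) -> dict:
    """Return basic facts about a payload: valid PE header or not, PE32/PE32+,
    machine type, and SHA-256 (what you would search for on VirusTotal)."""
    result = {"is_pe": False, "format": None, "machine": None,
              "sha256": hashlib.sha256(data).hexdigest()}
    # DOS header: 'MZ' at offset 0, e_lfanew (offset of PE header) at 0x3C
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # PE signature (4 bytes) + COFF header (20 bytes) must fit in the buffer
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    result["is_pe"] = True
    result["machine"] = MACHINES.get(machine, hex(machine))
    # Optional header starts right after the COFF header; its first field is the magic
    if opt_hdr_size >= 2 and e_lfanew + 26 <= len(data):
        magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
        result["format"] = OPT_MAGIC.get(magic, hex(magic))
    return result


def inspect_file(path: str) -> dict:
    """Convenience wrapper: inspect a file on disk (e.g. the decrypted payload)."""
    with open(path, "rb") as fh:
        return inspect_pe(fh.read())


def build_minimal_pe32() -> bytes:
    """Constructed test input: the smallest header layout inspect_pe() accepts
    (DOS stub -> PE signature -> COFF header -> optional header magic).
    This is not an executable and not a sample from the exercise."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH",
                       0x014C,   # Machine: x86
                       1,        # NumberOfSections
                       0, 0, 0,  # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
                       224,      # SizeOfOptionalHeader (standard PE32 size)
                       0x0102)   # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = struct.pack("<H", 0x010B) + bytes(222)      # PE32 magic, rest zeroed
    return bytes(dos) + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    # Usage: python3 pe_check.py extracted-binary decrypted-binary
    for path in sys.argv[1:] or []:
        info = inspect_file(path)
        verdict = f"{info['format']} ({info['machine']})" if info["is_pe"] else "not a PE file"
        print(f"{path}: {verdict}  sha256={info['sha256']}")
```

The encrypted blob fails at the very first check (no "MZ"), which is exactly why `file` calls it "binary data"; the decrypted sample passes all three. Checking the optional-header magic rather than just "MZ" avoids being fooled by random data that happens to start with those two bytes.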
FINAL NOTES
There's more information in the pcap. You'll find the compromised website that kicked off the infection chain of events, and you might be able to block it. The exploit kit sent an exploit before each malware payload. There's at least a Flash, Java, PDF, Silverlight, and IE exploit. The 0x3a blog post (link) has more information on Fiesta for those interested.