2015-06-30 - TRAFFIC ANALYSIS EXERCISE - ANSWERS
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2015-06-30-traffic-analysis-exercise.pcap.zip 1.2 MB (1,241,381 bytes)
- 2015-06-30-traffic-analysis-exercise-malware.zip 508.3 kB (508,299 bytes)
NOTES
- I've included a zip archive of the EK landing page, flash exploit, deobfuscated malware payload, and follow-up malware from the infected host (see the above malware archive).
- Post-infection malware found on the infected host was: C:\Users\[username]\thugbfmm.exe - 50.7 MB (50,675,712 bytes)
- Analysis of deobfuscated malware payload on hybrid-analysis.com: link
- Analysis of the post-infection malware from the infected host on hybrid-analysis.com: link
- The following tutorial shows how I set up my column display in Wireshark for some of the answers:
ANSWERS AND HINTS
See the image below for answers:
Filtering on http.request will give you a quick rundown. Click on the image below for a full-size view:
Some signature hits from the Emerging Threats ruleset, seen in Sguil on Security Onion, identify the exploit kit:
Signature hits from the Talos (Sourcefire VRT) ruleset also identify the exploit kit:
Using the Wireshark filter shown in the image below helps identify some of the post-infection traffic from the infected host:
Filter on udp and you'll find an interesting reverse DNS lookup (PTR); you'll also see NetBIOS traffic to an external host.
Looking at the EK traffic, you'll find the payload is obfuscated, as we've seen before with this and other EKs:
You can extract the EK landing page, Flash exploit, and obfuscated malware payload as noted in the next two images:
The Python script shown below can be used to deobfuscate the EK malware payload:
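The page's own script is not reproduced here. As an added example (not the author's code), the block below shows the general known-plaintext approach for this kind of payload, assuming the EK applied a repeating-key XOR and that the payload is a typical MSVC-linked PE whose first 0x3C header bytes are standard; the obfuscated sample blob and its key are constructed inline for demonstration.

```python
import struct
from typing import Optional, Tuple

# Known plaintext: the standard DOS header of an MSVC-linked PE (bytes 0..0x3B).
# Assumption: the deobfuscated payload is such a PE.
DOS_HEADER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00"
    + b"\x00" * 0x20
)
MAX_KEY_LEN = 32  # longest repeating key we try to recover


def recover_xor_key(blob: bytes) -> Optional[bytes]:
    """Return the shortest repeating XOR key consistent with the known header."""
    if len(blob) < len(DOS_HEADER):
        return None
    # ciphertext XOR known plaintext yields the key stream for the first 0x3C bytes
    stream = bytes(c ^ p for c, p in zip(blob, DOS_HEADER))
    for n in range(1, MAX_KEY_LEN + 1):
        key = stream[:n]
        if all(stream[i] == key[i % n] for i in range(len(stream))):
            return key
    return None  # no repeating key of length <= MAX_KEY_LEN explains the header


def xor_decode(blob: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def looks_like_pe(data: bytes) -> bool:
    """Sanity check: MZ magic and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def deobfuscate(blob: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Return (key, decoded PE); decoded PE is None when the result is not a PE."""
    key = recover_xor_key(blob)
    if key is None:
        return None, None
    data = xor_decode(blob, key)
    return key, (data if looks_like_pe(data) else None)


# Constructed sample (not from the pcap): minimal PE-shaped buffer, 7-byte XOR key.
SAMPLE_KEY = b"\x37\x91\xa4\x0c\x5e\xe2\x7b"
_plain = DOS_HEADER + struct.pack("<I", 0x80) + b"\x00" * 0x40 + b"PE\x00\x00" + b"\x00" * 24
SAMPLE_BLOB = xor_decode(_plain, SAMPLE_KEY)

if __name__ == "__main__":
    key, pe = deobfuscate(SAMPLE_BLOB)
    print("recovered key:", key.hex(), "| valid PE:", pe is not None)
```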