2015-08-07 - TRAFFIC ANALYSIS EXERCISE - SOMEONE WAS FOOLED BY A MALICIOUS EMAIL
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive containing the pcap: 2015-08-07-traffic-analysis-exercise.pcap.zip 15.4 MB (15,418,799 bytes)
- Zip archive containing the HTTPS logs: 2015-08-07-traffic-analysis-exercise-HTTPS-logs.zip 838.1 kB (838,144 bytes)
- Zip archive containing the HTTPS objects: 2015-08-07-traffic-analysis-exercise-HTTPS-artifacts.zip 10.6 MB (10,630,519 bytes)
- Zip archive containing the malicious emails: 2015-08-07-traffic-analysis-exercise-malicious-emails.zip 9.5 kB (9,538 bytes)
SCENARIO
You're an analyst at a Brazilian manufacturing corporation named World of Widgets. On Wednesday 2015-08-05, you see the following alerts while working at the corporation's Security Operations Center (SOC):
You track these alerts to a Windows computer at IP address 192.168.137[.]113. Authentication logs indicate the computer is used by someone named Degrando Rustlyn.
Your team contacts Degrando, who remembers opening a questionable email around the time his computer became infected. Degrando deleted the message, and he can't remember which email it was or how he got any suspicious files to his desktop.
You retrieve a pcap of traffic for the timeframe of the alerts. You also retrieve HTTPS traffic logs for that IP address. Another analyst searches the company's mail servers and retrieves four malicious emails that might be related.
YOUR TASK
You now have: 1) a pcap of the traffic, 2) HTTPS traffic logs, 3) a collection of artifacts from that HTTPS traffic, and 4) malicious emails Degrando received during that timeframe.
Your task? Figure out how the computer became infected and document your findings. Your report should include:
- The infected computer's host name.
- The infected computer's MAC address.
- The infected computer's operating system.
- The date, time, subject line, and sender of the malicious email that caused the infection.
- Information on any malware associated with the infection.
- Domains and IP addresses of any related traffic.
- A timeline of events leading to the infection.
NOTE: A well-written incident report starts with an executive summary. The executive summary describes what happened in a concise narrative (preferably one or two sentences, three at most). Details are included in the report after the executive summary, hopefully in an organized manner that's easy for the reader to follow.
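Added example, not part of the original exercise: a stdlib-only Python triage script that pulls the first three report items for a given IP out of a classic libpcap file, namely the Ethernet source MAC, the host name the client announces in DHCP option 12, and any HTTP User-Agent strings (the usual starting point for identifying the operating system). It handles only classic little-endian pcap, not pcapng, and the MAC, host name and DHCP frame in build_sample_pcap are constructed sample values, not the exercise's answers.

```python
import struct

def frames(pcap: bytes):
    """Yield link-layer frames from a classic little-endian libpcap file (no pcapng)."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("expected classic pcap with little-endian magic")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def host_facts(pcap: bytes, victim_ip: str) -> dict:
    """MAC, DHCP-announced host name and HTTP User-Agent strings sent by victim_ip."""
    facts = {"mac": None, "hostname": None, "user_agents": set()}
    for f in frames(pcap):
        if len(f) < 34 or f[12:14] != b"\x08\x00":
            continue                           # not an IPv4 frame
        if ".".join(map(str, f[26:30])) != victim_ip:
            continue                           # only traffic sourced by the victim
        facts["mac"] = f[6:12].hex(":")        # Ethernet source address
        l4 = f[14 + (f[14] & 0x0F) * 4:]       # skip Ethernet + variable-length IPv4 header
        if f[23] == 17 and struct.unpack_from("!HH", l4)[1] == 67:   # UDP to a DHCP server
            opts, i = l4[8 + 240:], 0          # skip UDP header, BOOTP fields, magic cookie
            while i < len(opts) and opts[i] != 255:
                if opts[i] == 0:               # pad option has no length byte
                    i += 1
                    continue
                code, n = opts[i], opts[i + 1]
                if code == 12:                 # option 12: host name
                    facts["hostname"] = opts[i + 2:i + 2 + n].decode(errors="replace")
                i += 2 + n
        elif f[23] == 6:                       # TCP: look for a User-Agent header
            for line in l4[(l4[12] >> 4) * 4:].split(b"\r\n"):
                if line.lower().startswith(b"user-agent:"):
                    facts["user_agents"].add(line[11:].strip().decode(errors="replace"))
    return facts

def build_sample_pcap(mac: str, ip: str, hostname: str) -> bytes:
    """Constructed sample: one DHCP Request from the victim, wrapped in a classic pcap."""
    name = hostname.encode()
    bootp = b"\x01" + bytes(235) + b"\x63\x82\x53\x63"           # op=1, fixed fields, cookie
    opts = b"\x35\x01\x03\x0c" + bytes([len(name)]) + name + b"\xff"   # DHCP Request + host name
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp) + len(opts), 0) + bootp + opts
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                      bytes(map(int, ip.split("."))), b"\xff" * 4)     # checksum left 0 (unverified)
    frame = b"\xff" * 6 + bytes.fromhex(mac.replace(":", "")) + b"\x08\x00" + ip4 + udp
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)    # linktype 1 = Ethernet
    return head + struct.pack("<IIII", 1438768800, 0, len(frame), len(frame)) + frame
```

On the real capture, call host_facts(open("file.pcap", "rb").read(), "192.168.137.113") and confirm the MAC and host name against NBNS and DHCP traffic in Wireshark before writing them into the report.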
ANSWERS
- Click here for the answers.