2015-09-11 - TRAFFIC ANALYSIS EXERCISE - A BRIDGE TOO FAR ENTERPRISES

NOTICE:

ASSOCIATED FILES:


SCENARIO

You're an analyst at a Canadian corporation named A Bridge Too Far Enterprises.  On Friday 2015-09-11, you see the following alerts while working at the corporation's Security Operations Center (SOC):


You've been having some issues with your IDS appliances, so there are likely other alerts from the network during that timeframe.  You're just not seeing them.

Shortly after the alerts appear, your Help Desk receives a call from someone complaining of a ransomware infection.  The caller is Greggory Franklion (pronounced "frank lion").  One of your forensic experts examines Greggory's infected Windows computer.  The results?  Greggory's computer was infected by CryptoWall 3.0 twice.  The two infections occurred within minutes of each other.  The forensics crew recovers two CryptoWall 3.0 malware samples from the infected host.


Shown above: Two different sets of decrypt instructions from the CryptoWall samples.


You retrieve a pcap of traffic for the appropriate timeframe.  Another analyst searches the company's mail servers and retrieves four malicious emails Greggory received earlier that day.  They somehow made it through the spam filters.


Shown above: The four malicious emails sent to Greggory.


YOUR TASK

You now have:  1) a pcap of the traffic,  2) malware samples from the infected host, and  3) malicious emails sent to Greggory during that timeframe.

Your task?  Figure out how Greggory's computer experienced two CryptoWall infections.  Document your findings.  Your report should include:


ANSWERS