2017-05-18 - TRAFFIC ANALYSIS EXERCISE - FANCY THAT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive with a pcap of traffic from the infected computer: 2017-05-18-traffic-analysis-exercise.pcap.zip 2.2 MB (2,169,666 bytes)
- Zip archive with the two suspicious emails: 2017-05-18-traffic-analysis-exercise-emails.zip 222.6 kB (222,613 bytes)
SCENARIO
Roger Finster is a miserly old man, somewhat like Ebenezer Scrooge, only if Scrooge had never been visited by his Christmas ghosts. His favorite phrase when he's happy (a very rare occasion) is "Fancy that!"
Shown above: Roger's happy face.
Roger owns a business called Finster's Fine Jewelry. You've been hired to provide IT services and security support for his one-man shop. Today, you stop by Roger's office and hear him swearing at his computer. You think to yourself, "Well, fancy that!" Since Roger is an old man from a bygone era, his curse words consist of outdated phrases like "consarn it" and "dadburn contraption." Eventually, he tells you he's opened an email that he shouldn't have.
Shown above: Roger's angry face is similar to his happy face.
You quickly find two malicious emails that were sent to Roger's business account. You ask him which one he opened, but he can't remember. Well, fancy that! Now you must retrieve the network traffic for that infection.
Shown above: According to Roger, "These emails all look the same to me!"
YOUR TASK
Now you have a pcap of traffic from Roger's infected computer, and you have the two malicious emails he received. Your task? Determine which of the two emails infected Roger's computer by matching the indicators in each email (links, attachments, sender infrastructure) against what actually appears in the pcap. You should also identify the actual malware that infected his computer. It'd also be nice if you wrote a proper incident report, just for practice.
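One way to do the first part of that triage, as an added example that is not part of the original exercise: pull the indicators out of each .eml (URLs in the body, attachment filenames and SHA-256 hashes) and cross-reference the URL hosts against the HTTP requests in the pcap. The two emails and the request log below are constructed placeholders (example.net / example.org / 203.0.113.x), not Roger's real emails or traffic; the log is in the shape produced by `tshark -r file.pcap -Y http.request -T fields -e http.host -e http.request.uri`, which you would run against the real pcap.

```python
import email
import hashlib
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample messages (placeholders, not the exercise's real emails).
EMAIL_A = """\
From: billing@invoice-portal.example.net
To: roger@finsters-fine-jewelry.example
Subject: Your invoice is ready
Content-Type: text/plain; charset="utf-8"

Your invoice can be viewed at http://invoice-portal.example.net/view.php?id=4471
"""

EMAIL_B = """\
From: orders@wholesale-gems.example.org
To: roger@finsters-fine-jewelry.example
Subject: Purchase order attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please review the attached purchase order.
--XYZ
Content-Type: application/msword
Content-Disposition: attachment; filename="PO-2017-05.doc"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBkb2N1bWVudA==
--XYZ--
"""

# Constructed HTTP request log (host<TAB>uri per line), in the shape of
#   tshark -r infected.pcap -Y http.request -T fields -e http.host -e http.request.uri
HTTP_REQUESTS = """\
detectportal.example\t/success.txt
invoice-portal.example.net\t/view.php?id=4471
invoice-portal.example.net\t/files/update.exe
203.0.113.7\t/gate.php
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def extract_indicators(raw):
    """Return URLs, URL hosts, and (filename, sha256) of attachments from one raw email."""
    msg = email.message_from_string(raw, policy=policy.default)
    urls, attachments = set(), []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True)  # base64/QP decoded bytes
            attachments.append((part.get_filename(), sha256_hex(data)))
        elif part.get_content_type() == "text/plain":
            urls.update(URL_RE.findall(part.get_content()))
    hosts = {urlparse(u).hostname for u in urls}
    return {"urls": urls, "hosts": hosts, "attachments": attachments}


def parse_requests(log):
    """Parse tshark-style 'host<TAB>uri' lines into (host, uri) tuples."""
    reqs = []
    for line in log.splitlines():
        if not line.strip():
            continue
        host, uri = line.split("\t", 1)
        reqs.append((host, uri))
    return reqs


def match_email_to_traffic(emails, requests):
    """Map each email name to the URL hosts from that email that were actually contacted."""
    hosts_seen = {host for host, _ in requests}
    hits = {}
    for name, raw in emails.items():
        overlap = extract_indicators(raw)["hosts"] & hosts_seen
        if overlap:
            hits[name] = sorted(overlap)
    return hits


if __name__ == "__main__":
    reqs = parse_requests(HTTP_REQUESTS)
    print(match_email_to_traffic({"A": EMAIL_A, "B": EMAIL_B}, reqs))
    print(extract_indicators(EMAIL_B)["attachments"])
```

A host match is only the first cut: a link-based email that is never clicked leaves no trace in the pcap, and an attachment-based email shows up as the traffic the macro or script generates rather than as the sender's domain, so for an attachment you compare its hash against what is later downloaded or executed, and you look at the requests that immediately follow the suspected initial contact (here the `/files/update.exe` fetch and the `/gate.php` check-in) to identify the actual malware.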
ANSWERS
- Click here for the answers.