2017-08-29 - TRAFFIC ANALYSIS POP QUIZ
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-08-29-traffic-analysis-pop-quiz.pcap.zip 1.9 MB (1,903,144 bytes)
DISCUSSION
I'm trying something a little different here. This isn't actually a "pop quiz" but an opportunity to learn. I just don't know what to call it. Feel free to review the pcap, get the indicators (IP addresses, domains, etc.), and start Google searching to see how much you can figure out on your own.
Shown above: Traffic from the pcap filtered to show some (but not all) of the indicators.
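Pulling the indicators out of a pcap is the first step the post asks for. The following script is an added example, not code from the original post: it walks a classic little-endian Ethernet pcap with only the standard library and collects IP addresses, DNS query names, HTTP Host headers and the URLs they form. The capture it parses is constructed inline from hand-built packets, so every address, name and URL in it (192.0.2.x, 203.0.113.5, example.invalid) is a made-up sample value and not an indicator from the quiz pcap.

```python
"""Extract basic indicators (IPs, DNS query names, HTTP hosts/URLs) from a
pcap using only the standard library. Added example; the sample capture is
constructed below from hand-built packets with documentation-range addresses."""
import socket
import struct
from typing import Dict, Set

PCAP_MAGIC = 0xA1B2C3D4        # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def _qname(data: bytes, off: int) -> str:
    """Decode an uncompressed DNS QNAME (length-prefixed labels) into a dotted name."""
    labels = []
    while data[off] != 0:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels)


def extract_indicators(pcap: bytes) -> Dict[str, Set[str]]:
    """Walk every frame and collect L3/L7 indicators worth searching on."""
    ind = {"ips": set(), "dns_queries": set(), "http_hosts": set(), "urls": set()}
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Only IPv4 over Ethernet is handled; other frames (ARP, IPv6) are skipped.
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        ind["ips"].update((src, dst))
        l4 = ip[ihl:]
        if proto == IPPROTO_UDP and len(l4) >= 20:
            _, dport = struct.unpack("!HH", l4[:4])
            if dport == 53:
                # Query to port 53: skip 8-byte UDP + 12-byte DNS header, read the question name.
                ind["dns_queries"].add(_qname(l4, 8 + 12))
        elif proto == IPPROTO_TCP and len(l4) >= 20:
            payload = l4[(l4[12] >> 4) * 4:]
            if payload[:4] in (b"GET ", b"POST", b"HEAD"):
                head = payload.partition(b"\r\n\r\n")[0]
                lines = head.split(b"\r\n")
                path = lines[0].split(b" ")[1].decode("ascii", "replace")
                host = next((ln.split(b":", 1)[1].strip().decode("ascii", "replace")
                             for ln in lines[1:] if ln.lower().startswith(b"host:")), None)
                if host:
                    ind["http_hosts"].add(host)
                    ind["urls"].add(f"http://{host}{path}")
    return ind


def _ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header; checksum left at zero since the parser does not verify it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def _frame(ip_packet: bytes) -> bytes:
    """Wrap an IPv4 packet in a zeroed Ethernet header plus a pcap record header."""
    frame = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet
    return struct.pack("<IIII", 1503964800, 0, len(frame), len(frame)) + frame


def build_sample_pcap() -> bytes:
    """Constructed two-packet capture: one DNS query and one HTTP GET (sample values)."""
    name = b"\x07example\x07invalid\x00"    # example.invalid, a constructed name
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 51000, 53, 8 + len(dns), 0) + dns
    http = (b"GET /landing/index.php HTTP/1.1\r\nHost: example.invalid\r\n"
            b"User-Agent: Mozilla/5.0\r\n\r\n")
    tcp = struct.pack("!HHIIBBHHH", 51001, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + http
    ghdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return (ghdr
            + _frame(_ipv4(IPPROTO_UDP, "192.0.2.10", "192.0.2.1", udp))
            + _frame(_ipv4(IPPROTO_TCP, "192.0.2.10", "203.0.113.5", tcp)))


if __name__ == "__main__":
    # Swap build_sample_pcap() for open("capture.pcap", "rb").read() to run on a real file.
    for kind, values in extract_indicators(build_sample_pcap()).items():
        print(f"{kind}: {sorted(values)}")
```

The resulting sets are what you would feed into searches or a threat-intel lookup; note that the parser handles only uncompressed question names and plain HTTP, which is enough for a quiz pcap of this era but not for compressed DNS answers or TLS-wrapped traffic.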
You won't get any explanations on how to figure it out. Instead, you'll find an incident report. Of course, you could just review the associated report and treat this like a regular blog post. After all, I'm not your mother, so I can't force you to do anything. Think of me as your crazy (not creepy) uncle. Maybe a wacky (not weird) neighbor. The type of person that only wants what's best for you.
The next page contains a link to the incident report with some graphics and details on what actually happened. It also has associated artifacts from the infected host, and that archive contains any emails, if applicable.
ALL ASSOCIATED FILES
- Click here for all the associated files (the answers).