2017-12-15 - TRAFFIC ANALYSIS EXERCISE - TWO PCAPS, TWO EMAILS, TWO MYSTERIES!
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive for pcap 1 of 2: 2017-12-15-traffic-analysis-exercise-1-of-2.pcap.zip 6.2 MB (6,236,273 bytes)
- Zip archive for pcap 2 of 2: 2017-12-15-traffic-analysis-exercise-2-of-2.pcap.zip 2.4 MB (2,403,001 bytes)
- Zip archive of the two emails: 2017-12-15-traffic-analysis-exercise-emails.pcap.zip 280.7 kB (280,677 bytes)
SCENARIO
This exercise presents you with two pcaps and two emails with malicious attachments. Your task is to determine what happened in each pcap.
Shown above: It's a Homer Simpson situation for each pcap.
Shown above: Homer, after he reads your incident report.
YOUR TASK
Draft an incident report for each pcap. Use the emails to figure out the malware for each infection. Each of your two incident reports should include:
- Date, start time, and end time of the malicious activity in UTC (GMT).
- IP address of the Windows host in the pcap.
- MAC address of the Windows host in the pcap.
- Host name for the Windows host in the pcap.
- What type(s) of malicious activity were noted.
- Indicators of the malicious activity (IP addresses, domain names, file hashes, etc.).
- A summary of what happened.
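The first four report items (time window in UTC, IP, MAC and host name) can usually be read straight off the Windows host's DHCP Request. The script below is an added example, not part of the exercise files: it parses a libpcap file with nothing but the standard library and pulls those fields from option 12 (host name) and option 50 (requested IP), using a constructed capture with a made-up MAC, host name and address as input. In Wireshark the same fields show up under `dhcp` (or `nbns` and `kerberos` for the host name).

```python
import struct
from datetime import datetime, timezone

def build_pcap(records):  # minimal libpcap writer (link type 1 = Ethernet) for (unix_ts, frame) pairs
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        out += struct.pack("<IIII", int(ts), int((ts % 1) * 1_000_000), len(frame), len(frame)) + frame
    return out

def dhcp_request_frame(mac, hostname, req_ip):  # constructed Ethernet/IPv4/UDP DHCP Request
    opts = (b"\x35\x01\x03" + b"\x32\x04" + bytes(int(o) for o in req_ip.split("."))  # 53=Request, 50=req IP
            + b"\x0c" + bytes([len(hostname)]) + hostname.encode() + b"\xff")           # 12=host name, end
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                        b"", b"", b"", b"", mac, b"", b"")  # struct zero-pads the 's' fields
    payload = bootp + b"\x63\x82\x53\x63" + opts  # magic cookie, then options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload  # checksum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, b"", b"\xff" * 4) + udp
    return b"\xff" * 6 + mac + b"\x08\x00" + ip

def report_basics(pcap):
    """Return (first_ts, last_ts, host): capture window in UTC plus the DHCP client's mac/ip/name."""
    first = last = None
    host, off = {}, 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        last = datetime.fromtimestamp(sec + usec / 1e6, tz=timezone.utc)
        first = first or last
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not IPv4/UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]  # honour the IP header length
        if len(udp) < 248 or struct.unpack_from("!HH", udp) != (68, 67) or udp[244:248] != b"\x63\x82\x53\x63":
            continue  # not client -> server DHCP (BOOTP fixed header is 236 bytes, then the magic cookie)
        host["mac"] = ":".join(f"{b:02x}" for b in frame[6:12])  # Ethernet source address
        i = 248
        while i < len(udp) and udp[i] != 0xFF:
            code, length = udp[i], udp[i + 1]
            val = udp[i + 2:i + 2 + length]
            if code == 12:
                host["name"] = val.decode(errors="replace")
            elif code == 50:
                host["ip"] = ".".join(map(str, val))
            i += 2 + length
    return first, last, host

def demo():  # two constructed records: the Windows host's DHCP Request, then an unrelated frame an hour later
    pcap = build_pcap([(1513335600.0, dhcp_request_frame(b"\x00\x11\x22\x33\x44\x55", "DESKTOP-EXAMPLE", "10.0.0.25")),
                       (1513339200.5, b"\x00" * 60)])
    return report_basics(pcap)
```

Replace `demo()`'s constructed bytes with `open("capture.pcap", "rb").read()` to run it over one of the exercise pcaps; the first and last timestamps give the capture window, which you then narrow to the malicious activity itself.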
ANSWERS
- Click here for the answers.