2019-06-22 - TRAFFIC ANALYSIS EXERCISE - PHENOMENOC

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the pcap:  2019-06-22-traffic-analysis-exercise.pcap.zip   4.1 MB (4,073,710 bytes)

• 2019-06-22-traffic-analysis-exercise.pcap   (4,694,048 bytes)

• Zip archive of the alerts:  2019-06-22-traffic-analysis-exercise-alerts.zip   377 kB (377,355 bytes)

• 2019-06-22-traffic-analysis-exercise-alerts.jpg   (450,132 bytes)
• 2019-06-22-traffic-analysis-exercise-alerts.txt   (5,227 bytes)

• Zip archive of malware retrieved from the infected Windows host:  2019-06-22-malware-retrieved-from-the-infected-Windows-host.exe.zip   275 kB (274,642 bytes)

• 2019-06-22-malware-retrieved-from-the-infected-Windows-host.exe   (584,192 bytes)

 

 

SCENARIO

LAN segment data:

• LAN segment range:  10.0.76[.]0/24 (10.0.76[.]0 through 10.0.76[.]255)
• Domain:  phenomenoc[.]com
• Domain controller:  10.0.76[.]6 - Phenomenoc-DC
• LAN segment gateway:  10.0.76[.]1
• LAN segment broadcast address:  10.0.76[.]255

 

YOUR TASK

Review the pcap, alerts, and the extracted malware sample to answer the following questions:

• What is the IP address, MAC address, and host name of the infected Windows host?
• What is the Windows user account name for the infected Windows host?
• What was the delivery method for the malware?
• What was the IP address used by the delivery method for this infection?
• What is the SHA256 hash of the EXE retrieved from the infected Windows host?
• Based on the alerts, what type of malware infected the Windows host?
• What is the IP address of the post-infection traffic?
• What is the domain name used for the post-infection traffic?

 

ANSWERS

• Click here for the answers.

 

Click here to return to the main page.