2019-07-19 - TRAFFIC ANALYSIS EXERCISE - SO HOT RIGHT NOW

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the pcap:  2019-07-19-traffic-analysis-exercise.pcap.zip   21 MB (20,969,562 bytes)

• 2019-07-19-traffic-analysis-exercise.pcap   (26,347,323 bytes)

• Zip archive of the alerts:  2019-07-19-traffic-analysis-exercise-alerts.zip   293 kB (293,288 bytes)

• 2019-07-19-traffic-analysis-exercise-alerts.jpg   (356,074 bytes)
• 2019-07-19-traffic-analysis-exercise-alerts.txt   (4,161 bytes)

• Zip archive of malware from the infected Windows host:  2019-07-19-traffic-analysis-exercise-malware.zip   8 MB (7,957,698 bytes)

• 2019-07-19-traffic-analysis-exercise-malware-notes.txt   (557 bytes)
• EIMOCFXM373.txt   (2,218,593 bytes)
• Firefox.exe   (3,978,269 bytes)
• HTCTL32.DLL   (328,056 bytes)
• NSM.LIC   (257 bytes)
• NSM.ini   (6,458 bytes)
• PCICHEK.DLL   (18,808 bytes)
• PCICL32.DLL   (3,735,416 bytes)
• TCCTL32.DLL   (396,664 bytes)
• client32.ini   (596 bytes)
• msvcr100.dll   (7739,68 bytes)
• nskbfltr.inf   (328 bytes)
• pcicapi.dll   (33,144 bytes)
• remcmdstub.exe   (63,864 bytes)
• shost.exe   (105,848 bytes)

 

 

SCENARIO

LAN segment data:

• LAN segment range:  172.16.4[.]0/24 (172.16.4[.]0 through 172.16.4[.]255)
• Domain:  mind-hammer[.]net
• Domain controller:  172.16.4[.]4  (Mind-Hammer-DC)
• LAN segment gateway:  172.16.4[.]1
• LAN segment broadcast address:  172.16.4[.]255

 

YOUR TASK

Review the pcap and alerts to answer the following questions:

• What is the IP address, MAC address, and host name of the infected Windows host?
• What is the Windows user account name for the infected Windows host?
• Based on the alerts what is the name of the campaign that delivered the malware?
• Based on the alerts, what is the final malware that infected the Windows host?
• What are the two IP addresses used in the actual infection traffic?
• What type of animal is in the desktop background of the infected Windows host?

NOTE: The malware archive is additional information and not neccesary to answer the questions for this exercise.  As usual, the malware archive contains malware designed to infect a Windows computer, so if you review the malware, do so at your own risk.

 

ANSWERS

• Click here for the answers.

 

Click here to return to the main page.