2020-02-21 - TRAFFIC ANALYSIS EXERCISE - ONE-HOT-MESS
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of the pcap: 2020-02-21-traffic-analysis-exercise.pcap.zip 6.6 MB (6,611,115 bytes)
- 2020-02-21-traffic-analysis-exercise.pcap (7,642,342 bytes)
- Zip archive of the alerts: 2020-02-21-traffic-analysis-exercise-alerts.zip 2.7 MB (2,749,045 bytes)
- 2020-02-21-traffic-analysis-exercise-alerts-guidance.jpg (1,315,259 bytes)
- 2020-02-21-traffic-analysis-exercise-alerts.jpg (1,737,924 bytes)
- 2020-02-21-traffic-analysis-exercise-alerts.txt (4,698 bytes)
- Zip archive of malware/artifacts from the infected host: 2020-02-21-traffic-analysis-exercise-malware-and-artifacts.zip 2.0 MB (1,987,157 bytes)
- 2020-02-21-traffic-analysis-exercise-list-of-artifacts.txt (2,348 bytes)
- DecemberLogs/Caff54e1.exe (208,896 bytes)
- DecemberLogs/OliviaMatter.vbs (0 bytes)
- DecemberLogs/Restaraunt1.cmd (98 bytes)
- DecemberLogs/Restaraunt2.cmd (5,675 bytes)
- DecemberLogs/Restaraunt3.cmd (16 bytes)
- DecemberLogs/Restaraunt4.cmd (2,565 bytes)
- Jqssmf.txt (3,680 bytes)
- Kxbpbnmslyha.txt (704 bytes)
- Ps8EYw7cb1E/iexpress.exe (166,400 bytes)
- Ps8EYw7cb1E/VERSION.dll (802,816 bytes)
- Wiqzbgfwkifvvu.lnk.bin (1,240 bytes)
- inv_261804.doc (62,201 bytes)
- qHD3ZbNtI2b/sigverif.exe (75,264 bytes)
- qHD3ZbNtI2b/VERSION.dll (802,816 bytes)
- wRCV5/DUI70.dll (1,089,536 bytes)
- wRCV5/WindowsActionDialog.exe (60,928 bytes)
SCENARIO
LAN segment data:
- LAN segment range: 172.17.8[.]0/24 (172.17.8[.]0 through 172.17.8[.]255)
- Domain: one-hot-mess[.]com
- Domain controller: 172.17.8[.]8 - One-Hot-Mess-DC
- LAN segment gateway: 172.17.8[.]1
- LAN segment broadcast address: 172.17.8[.]255
YOUR TASK
Write an incident report based on the pcap, associated alerts, and malware/artifacts from the infected Windows host.
ANSWERS
- Click here for the answers.