2024-08-15 - TRAFFIC ANALYSIS EXERCISE: WARMCOOKIE

ASSOCIATED FILES:

• Zip archive of the pcap:  2024-08-15-traffic-analysis-exercise.pcap.zip   10.6 MB (10,557,978 bytes)
• Zip archive of the pcap:  2024-08-15-traffic-analysis-exercise-alerts.zip   444.9 kB (444,890 bytes)

NOTES:

• Zip files are password-protected.  Of note, this site has a new password scheme.  For the password, see the "about" page of this website.

 

Shown above:  Lures for WarmCookie take many forms.

 

BACKGROUND

A Windows host was infected, and it seems to be from WarmCookie malware.

 

SCENARIO

LAN segment details:

• LAN segment range:  10.8.15[.]0/24 (10.8.15[.]0 through 10.8.15[.]255)
• Domain:  lafontainebleu[.]org
• Active Directory (AD) domain controller:  10.8.15[.]4 - WIN-JEGJIX7Q9RS
• AD environment name:  LAFONTAINBLEU
• LAN segment gateway:  10.8.15[.]1
• LAN segment broadcast address:  10.8.15[.]255

 

TASK

• Write an incident report based on malicious network activity from the pcap and from the alerts.

• The incident report should contains 3 sections:

• Executive Summary: State in simple, direct terms what happened (when, who, what).
• Victim Details: Details of the victim (hostname, IP address, MAC address, Windows user account name).
• Indicators of Compromise (IOCs): IP addresses, domains and URLs associated with the activity.  SHA256 hashes if any malware binaries can be extracted from the pcap.

 

ANSWERS

• Click here for the answers.

 

Click here to return to the main page.