pcap download links
https://www.malware-traffic-analysis.net/2015/01/18/2015-01-18-traffic-analysis-exercise-1-of-2.pcap.zip
https://www.malware-traffic-analysis.net/2015/01/18/2015-01-18-traffic-analysis-exercise-2-of-2.pcap.zip
Questions and answers
2015-01-18-traffic-analysis-exercise-1-of-2.pcap
- What is the date and time of the activity?
2015-01-09, 07:51:21 to 07:52:04
- What is the IP address of the Windows host that gets infected?
Filtering on http.request shows that the IP of the infected host is 192.168.139.158.
- What is the domain name and IP address of the compromised web site?
IP: 108.168.211.93
Domain: www.subaruoutback.org
- What is the domain name and IP address that delivered the exploit kit (EK)?
IP: 205.234.186.112
Domain: atypefresh.in
- What is the name of the EK?
After uploading the payload to VirusTotal, it is identified as Fiesta EK.
2015-01-18-traffic-analysis-exercise-2-of-2.pcap
- What is the date and time of the activity?
2015-01-14, 23:27:20 to 23:34:18
- What is the IP address of the Windows host that gets infected?
As can be seen from the figure above, the IP of the infected Windows host is 192.168.204.137.
- What is the domain name and IP address of the compromised web site?
Following the TCP stream shows that freeforsgames.com redirected the client to 20.c368.464.75b43b.e3161.dec8.033da1.8c.hl39dj2plwle.lowamounts.in.
The IP and domain name of the compromised site are therefore:
IP: 188.227.165.20
Domain: freeforsgames.com
- What is the domain name and IP address that delivered the exploit kit (EK)?
IP: 5.196.214.27
Domain: 20.c368.464.75b43b.e3161.dec8.033da1.8c.hl39dj2plwle.lowamounts.in
- What is the name of the EK?
Uploading the payload to VirusTotal identifies the exploit kit as Magnitude.
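Both exercises above were answered the same way: filter on http.request in Wireshark to find the client that made the requests, then follow the stream to see the redirect from the compromised site to the EK landing page. The script below is an added example, not part of the original write-up or of malware-traffic-analysis.net, that does the same triage with only the Python standard library: it reads a classic pcap, keeps only frames carrying an HTTP request line, groups the requested Host headers per client, records which server IP answered for each Host, and walks Referer hops to reconstruct the compromised-site to landing-page chain. The embedded capture is constructed (placeholder .test hostnames and RFC 5737 addresses, not real traffic), and the function names (summarise, follow_referers, parse_http_request) are my own. To run it against the exercise pcaps, read the file into bytes and pass it to summarise; pcapng captures would first need converting to classic pcap.

```python
import struct
from collections import defaultdict

# ---- minimal classic-pcap reader (no scapy or tshark required) ----
def iter_pcap_frames(data):
    """Yield raw link-layer frames from a classic (libpcap) capture held in memory."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len

def parse_http_request(frame):
    """Return (src_ip, dst_ip, method, uri, host, referer) for an Ethernet/IPv4/TCP frame
    whose payload starts with an HTTP request line; None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                                    # IP protocol must be TCP
        return None
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    payload = tcp[(tcp[12] >> 4) * 4:]
    end = payload.find(b"\r\n")
    if end < 0:
        return None
    parts = payload[:end].split(b" ")
    # Request line is "GET /path HTTP/1.1"; responses ("HTTP/1.1 200 OK") and non-HTTP data fail here
    if len(parts) != 3 or parts[0] not in (b"GET", b"POST", b"HEAD") or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in payload[end + 2:].split(b"\r\n"):
        if not line:
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    return (src_ip, dst_ip, parts[0].decode(), parts[1].decode(), headers.get("host"), headers.get("referer"))

def summarise(pcap_bytes):
    """Group HTTP requests per client, map each Host header to the server IP that served it,
    and collect Referer -> Host hops (the compromised site -> EK landing page redirect shows up here)."""
    clients = defaultdict(set)
    host_ip = {}
    hops = []
    for frame in iter_pcap_frames(pcap_bytes):
        req = parse_http_request(frame)
        if req is None or req[4] is None:
            continue
        src_ip, dst_ip, _method, _uri, host, referer = req
        clients[src_ip].add(host)
        host_ip[host] = dst_ip
        if referer:
            ref_host = referer.split("/")[2] if "//" in referer else referer
            if ref_host != host and (ref_host, host) not in hops:
                hops.append((ref_host, host))
    return clients, host_ip, hops

def follow_referers(hops, start_host):
    """Walk Referer hops from start_host until no further unseen hop exists."""
    chain = [start_host]
    while True:
        nxt = [dst for src, dst in hops if src == chain[-1] and dst not in chain]
        if not nxt:
            return chain
        chain.append(nxt[0])

# ---- constructed sample capture: placeholder .test hosts and RFC 5737 addresses, not real traffic ----
def _frame(src_ip, dst_ip, sport, dport, payload):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1421740000 + i, 0, len(f), len(f)) + f
    return out

VICTIM, OTHER = "192.168.1.10", "192.168.1.20"
SAMPLE_PCAP = build_pcap([
    _frame(VICTIM, "192.0.2.10", 49152, 80, b"GET / HTTP/1.1\r\nHost: compromised-site.test\r\n\r\n"),
    _frame("192.0.2.10", VICTIM, 80, 49152, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    _frame(VICTIM, "198.51.100.20", 49153, 80,
           b"GET /landing HTTP/1.1\r\nHost: ek-landing.test\r\nReferer: http://compromised-site.test/\r\n\r\n"),
    _frame(OTHER, "192.0.2.30", 49160, 80, b"GET /update HTTP/1.1\r\nHost: updates.example.test\r\n\r\n"),
    _frame(OTHER, "192.0.2.30", 49161, 443, b"\x16\x03\x01\x00\x05hello"),  # TLS-like bytes, not HTTP
])

if __name__ == "__main__":
    clients, host_ip, hops = summarise(SAMPLE_PCAP)
    for client, hosts in clients.items():
        print(client, "->", sorted(hosts))
    print("chain:", " -> ".join(follow_referers(hops, "compromised-site.test")))
```

The per-client grouping is what answers "which host got infected" (the one whose request set includes the landing page), host_ip answers the IP questions, and the Referer walk reproduces the redirect seen when following the stream. Referer headers can be absent or spoofed, so on a real capture the chain should be confirmed against the stream contents as the write-up does.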