pcap download address:
https://www.malware-traffic-analysis.net/2014/12/15/2014-12-15-traffic-analysis-exercise.pcap.zip
Questions and answers
BASIC QUESTIONS
- What are the host names of the 3 Windows hosts from the pcap?
- What is(are) the IP address(es) of the Windows host(s) that hit an exploit kit?
- What is(are) the MAC address(es) of the Windows host(s) that hit an exploit kit?
Filter on dhcp to see the hosts above, then filter and search for each one:
MYHUMPS-PC - 192.168.204.137 - 00:0c:29:9d:b8:6d
ROCKETMAN-PC - 192.168.204.139 - 00:0c:29:61:c1:89
WORKSTATION6 - 192.168.204.146 - 00:0c:29:fc:bc:2e
I visited epzqy.iphaeba.eu:22780 after tracing 192.168.204.137, and there was a swf file in it. Dumping it showed that it was a swf exploit file, so I judged that 192.168.204.137 was attacked: MYHUMPS-PC - 192.168.204.137 - 00:0c:29:9d:b8:6d
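As an added example that is not part of the original write-up, the DHCP filtering step above done programmatically: parse DHCPREQUEST payloads and build the hostname/IP/MAC table. The sample packets are constructed from the values listed above (they are not bytes from the pcap), and the builder and function names are my own.

```python
import struct
DHCP_MAGIC = b"\x63\x82\x53\x63"  # cookie that starts the DHCP options field

def build_dhcp_request(mac, hostname, requested_ip):
    """Construct a minimal DHCP Request payload (BOOTP header + options) as test input."""
    # op=1, htype=1 (Ethernet), hlen=6, hops=0, xid, secs, flags, ciaddr/yiaddr/siaddr/giaddr
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x1234, 0, 0,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    opts = (b"\x35\x01\x03"                                              # 53: DHCPREQUEST
            + b"\x32\x04" + bytes(int(o) for o in requested_ip.split("."))  # 50: requested IP
            + b"\x0c" + bytes([len(hostname)]) + hostname.encode()       # 12: host name
            + b"\xff")                                                   # 255: end
    return hdr + chaddr + b"\0" * (64 + 128) + DHCP_MAGIC + opts        # sname + file are zero

def parse_dhcp(payload):
    """Return (msg_type, client_mac, hostname, requested_ip) from a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])  # chaddr starts at offset 28
    msg_type = hostname = requested_ip = None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0xFF: break              # end option
        if code == 0: i += 1; continue      # pad option carries no length byte
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53: msg_type = value[0]
        elif code == 12: hostname = value.decode("ascii", errors="replace")
        elif code == 50: requested_ip = ".".join(str(b) for b in value)
        i += 2 + length
    return msg_type, mac, hostname, requested_ip

def host_table(payloads):
    """Hostname -> (IP, MAC) from DHCPREQUEST messages: the table the write-up builds."""
    table = {}
    for p in payloads:
        msg_type, mac, host, ip = parse_dhcp(p)
        if msg_type == 3 and host and ip:   # 3 = DHCPREQUEST
            table[host] = (ip, mac)
    return table

# Constructed sample input built from the values in the write-up, not raw pcap bytes.
SAMPLE_REQUESTS = [
    build_dhcp_request("00:0c:29:9d:b8:6d", "MYHUMPS-PC", "192.168.204.137"),
    build_dhcp_request("00:0c:29:61:c1:89", "ROCKETMAN-PC", "192.168.204.139"),
    build_dhcp_request("00:0c:29:fc:bc:2e", "WORKSTATION6", "192.168.204.146"),
]
```

In a real capture, confirm the address from the server's DHCPACK (yiaddr) as well, since option 50 only states what the client asked for.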
- What is(are) the domain name(s) of the compromised web site(s)?
- What is(are) the IP address(es) of the compromised web site(s)?
Judging by the Info column, the domain name of the compromised website is www.theopen.be and its IP is 213.186.33.19
- What is(are) the domain name(s) for the exploit kit(s)?
- What is(are) the IP address(es) for the exploit kit(s)?
According to questions 2 and 3 and the exported HTTP objects, the domain name and IP of the exploit kit are epzqy.iphaeba.eu:22780 and 168.235.69.48 respectively.
- Did any of these hosts get infected? If so, which host(s)?
MYHUMPS-PC is infected
EXTRA QUESTIONS
- What is(are) the exploit kit(s) noted in the pcap?
SWEET ORANGE EK
- What type of exploit was used by this(these) exploit kit(s)? (Flash, Java, IE, etc)
A Flash exploit was found.
SHA1 of the dumped file: 965da0c6cdb44e29aedf8546884b509b7268912a
- What URL(s) acted as a redirect between the compromised website(s) and the exploit kit?
- What is(are) the IP address(es) of the redirect URL(s)?
Following the TCP stream shows that col.reganhosting.com/link contains the exploit kit URL; its IP is 185.14.30.113