Malicious traffic exercises 2014-12-08-traffic-analysis-exercise

Others 2020-11-14 11:19:44 views: null

Article Directory

pacp packet address

http://www.malware-traffic-analysis.net/2014/12/08/2014-12-08-traffic-analysis-exercise.pcap.zip

Questions and answers

BASIC QUESTIONS

  1. What is the date and time of this activity?

2014.12.8

  1. What is the IP address of the Windows host that gets infected?

Insert picture description here

http.request filtering, basically all the source IP addresses accessed are 192.168.204.137, and it is judged that the IP of the infected host is 192.168.204.137

  1. What is the MAC address of the infected Windows host?

00: 0c: 29: 9d: b8: 6d

  1. What is the host name of the infected Windows host?

38NTRGDFQKR-PC

  1. What is the domain name of the compromised web site?

Pay attention to the info information and determine that the domain name of the compromised site is www.excelforum.com

Insert picture description here

  1. What is the IP address of the compromised web site?

69.167.155.134

  1. What is the domain name that delivered the exploit kit (EK) and malware payload?
  2. What is the IP address that delivered the EK and malware payload?

Export http objects to find suspicious content types

Insert picture description here

It can be seen that the domain name and ip of the vulnerability kit are digiwebname.in and 205.234.186.111 respectively

MORE ADVANCED QUESTIONS

  1. What snort events (either VRT or EmergingThreats) are generated by this pcap?

Upload vt, view details

Insert picture description here

  1. What EK is this (Angler, Nuclear, Neutrino, etc)?

Fiesta EK

  1. What is the redirect URL that points to the EK landing page?

Insert picture description here

First filter a wave, and then track the flow one by one

Insert picture description here

The known page is magggnitia.com/?Q2WP=p4VpeSdhe5ba&nw3=9n6MZfU9I_1Ydl8y&9M5to=_8w6t8 o4W_abrev&GgiMa=8Hfr8Tlcgkd0sfV&t6Mry=I6n2

  1. What is the IP address of the redirect URL that points to the EK landing page?

94.242.216.69

  1. How many times is the malware payload delivered? (It’s encrypted each time.)

Insert picture description here

Through the search, five encrypted malicious data streams were found

  1. Which HTTP request (GET or POST) is the post-infection traffic caused by the malware?

EXTRA QUESTIONS

  1. What browser was used by the infected Windows host?

IE 8.0

  1. What different exploits were sent by the EK during this infection?

Insert picture description here

Flash, PDF, Silverlight, Java

  1. What is the date of these exploits? (When were they created or modified?)

Insert picture description here

Insert picture description here

Trace to the java data flow, dump the jar package, unzip it and see that the time is 2014.12.8

Guess you like

Origin blog.csdn.net/weixin_44001905/article/details/107850779
Recommended
Ranking
ElasticSearch-- data modeling best practices
Permission Maintenance - Shadow User Backdoor
Refactor the code using MVP mode
Quantitative investment-fundamental model-PVC multi-factor model
Spark Big Data Processing Lecture Notes 3.2 Mastering RDD Operators
Blazor page components (2)
Erlernen von Kenntnissen zur Android-Entwicklung – Kodierung, Verschlüsselung, Hash, Serialisierung und Zeichensätze
About Qi high in JAVA study notes SORM summary detailed personal explanation
Will you calculate the accuracy of the rope displacement sensor in the measurement?
OPENJTAG debugging learning (3): debugging using the gdb command line
Daily
More
2024-05-01(4)
2024-04-30(36)
2024-04-29(5)
2024-04-28(12)
2024-04-27(29)
2024-04-26(22)
2024-04-25(32)
2024-04-24(30)
2024-04-23(30)
2024-04-22(5)

Code World

© 2018 codetd.com