Malicious traffic exercise: 2014-11-23-traffic-analysis-exercise

pcap download address

https://www.malware-traffic-analysis.net/2014/11/23/2014-11-23-traffic-analysis-exercise.pcap.zip

Questions and answers

BASIC QUESTIONS

  1. What is the IP address of the Windows VM that gets infected?

  2. What is the MAC address of the infected VM?


From the packet capture, we can see that the IP and MAC addresses of the infected virtual machine are 172.16.165.132 and 00:0c:29:c5:b7:a1 respectively.

  3. What is the IP address of the compromised web site?

According to the Info column of the packet list, the IP of the compromised site is 192.30.138.146.

  4. What is the domain name of the compromised web site?

The domain name of the site is hijinksensue.com.

  5. What is the IP address and domain name that delivered the exploit kit and malware?

  6. What is the domain name that delivered the exploit kit and malware?

Export the HTTP objects and look for suspicious content types.


Filter, follow the stream, find a PE file and dump it. SHA1: dac3d479ce4af6d2ffd5314191e768543acfe32d

After a rough analysis, it turns out to be a Qbot banking Trojan.

Therefore, it can be judged that the IP address and the domain names that delivered the malware are 37.143.15.180 and g.trinketking.com:51439, h.trinketking.com:51439, respectively.
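As an added example (not part of the original write-up and not the exercise author's code), the check behind the "suspicious content type" step in Python. The HTTP response and the PE stub it carries are constructed here, not taken from the pcap. The code flags a body with an MZ/PE header regardless of the declared Content-Type, undoes chunked transfer encoding before hashing (a raw stream dump still contains the chunk framing), and returns the MD5/SHA1/SHA256 set the exercise asks for.

```python
import hashlib
import struct

def build_sample_response() -> bytes:
    """Constructed sample (not from the exercise pcap): a chunked HTTP response
    that declares image/gif but carries a minimal PE stub."""
    body = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)  # e_lfanew at 0x3C -> 64
    body += b"PE\x00\x00" + b"\x00" * 20                  # PE signature at offset 64
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    headers = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n")
    return headers + chunked

def dechunk(body: bytes) -> bytes:
    """Undo HTTP/1.1 chunked encoding; hashes must cover the payload, not the framing."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            return bytes(out)
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                       # skip data and its CRLF

def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def analyze_http_object(raw: bytes) -> dict:
    """Split a raw HTTP response, undo chunking, flag an executable served under a
    non-executable Content-Type (the exploit-kit pattern) and hash the payload."""
    head, _, body = raw.partition(b"\r\n\r\n")
    hdrs = {}
    for line in head.split(b"\r\n")[1:]:
        k, _, v = line.partition(b":")
        hdrs[k.strip().lower()] = v.strip()
    if b"chunked" in hdrs.get(b"transfer-encoding", b"").lower():
        body = dechunk(body)
    ctype = hdrs.get(b"content-type", b"").decode(errors="replace")
    is_pe = looks_like_pe(body)
    digests = {n: hashlib.new(n, body).hexdigest() for n in ("md5", "sha1", "sha256")}
    return {"content_type": ctype, "is_pe": is_pe,
            "type_mismatch": is_pe and not ctype.lower().startswith("application/"),
            "payload": body, **digests}
```

Wireshark's Export Objects already strips chunk framing, so the dechunk step only matters when the body comes from a raw Follow TCP Stream dump.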

MORE ADVANCED QUESTIONS

  1. What is the exploit kit (EK) that delivers the malware?


Look up the hash on VirusTotal: it was delivered by the Sweet Orange exploit kit.

  2. What is the redirect URL that points to the exploit kit (EK) landing page?

static.charlotteretirementcommunities.com/k?tstmp=3701802802

  3. What is the IP address of the redirect URL that points to the exploit kit (EK) landing page?

50.87.149.90

I went through these two questions one by one and found what I could. I read the answer given on the official website; it is the following page, but I did not find anything there. I always feel that something is missing, and I hope someone who sees this can answer my doubts about this question.

[Screenshot of the official answer page]

  4. Extract the malware payload from the pcap. What is the MD5 or SHA256 hash?

I already extracted the Qbot backdoor in the previous question; its details are as follows:

File:   malware.bin
SHA1:   dac3d479ce4af6d2ffd5314191e768543acfe32d
SHA256: cc185105946c202d9fd0ef18423b078cd8e064b1e2a87e93ed1b3d4f2cbdb65d
SHA512: 6057bc6681616a154ee869fb575ed62c5330dc3f513058ab694997d65ce9a2a0a7c2b86158cb8d56e2d002d76b6e51b5d72cf8c4269b9dc509b18a14eee8927d
MD5:    1408275c2e2c8fe5e83227ba371ac6b3


Source: blog.csdn.net/weixin_44001905/article/details/107817025