Pcap download address
https://www.malware-traffic-analysis.net/2014/11/23/2014-11-23-traffic-analysis-exercise.pcap.zip
Questions and answers
BASIC QUESTIONS
- What is the IP address of the Windows VM that gets infected?
- What is the MAC address of the infected VM?
From the figure above, the IP and MAC addresses of the infected virtual machine are 172.16.165.132 and 00:0c:29:c5:b7:a1 respectively. The infected host is the internal client that originates the HTTP requests in the capture; its MAC address is read from the Ethernet header of any frame it sends (the 00:0c:29 prefix is the VMware OUI, consistent with a VM).
- What is the IP address of the compromised web site?
According to the Info column in Wireshark (the HTTP requests the VM makes to the site), the IP address of the compromised site is 192.30.138.146
- What is the domain name of the compromised web site?
The domain name of the site is hijinksensue.com
- What is the IP address and domain name that delivered the exploit kit and malware?
Export the HTTP objects (File > Export Objects > HTTP) and look for suspicious content types, such as application/octet-stream served from an unfamiliar host.
Filter on that connection, follow the TCP stream, find the PE file (MZ header at the start of the response body), and dump it. SHA1: dac3d479ce4af6d2ffd5314191e768543acfe32d
A rough analysis shows it is the Qbot banking Trojan.
Therefore the IP address and domain names that delivered the exploit kit and malware are 37.143.15.180 and g.trinketking.com:51439, h.trinketking.com:51439 respectively (note the non-standard TCP port 51439 rather than 80, which is why the traffic does not look like ordinary web browsing).
MORE ADVANCED QUESTIONS
- What is the exploit kit (EK) that delivers the malware?
Look up the hash on VirusTotal: the sample is delivered by the Sweet Orange exploit kit.
- What is the redirect URL that points to the exploit kit (EK) landing page?
static.charlotteretirementcommunities.com/k?tstmp=3701802802
- What is the IP address of the redirect URL that points to the exploit kit (EK) landing page?
50.87.149.90
I went through these two questions one by one and wrote down what I found. I read the answer given on the official website; it is the following page, but I did not find anything there. I still feel that something is missing, and I hope someone who reads this can clear up my doubts about this question.
- Extract the malware payload from the pcap. What is the MD5 or SHA256 hash?
I already extracted the Qbot backdoor in the previous question; its details are as follows:
File: malware.bin
SHA1: dac3d479ce4af6d2ffd5314191e768543acfe32d
SHA256: cc185105946c202d9fd0ef18423b078cd8e064b1e2a87e93ed1b3d4f2cbdb65d
SHA512: 6057bc6681616a154ee869fb575ed62c5330dc3f513058ab694997d65ce9a2a0a7c2b86158cb8d56e2d002d76b6e51b5d72cf8c4269b9dc509b18a14eee8927d
MD5: 1408275c2e2c8fe5e83227ba371ac6b3
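The extraction and hashing steps above (export the HTTP object, follow the stream, dump the PE, hash it) and the Referer chain behind the redirect-URL question can be scripted instead of clicked through in Wireshark. The following is an added example written for this page, not code from the original write-up or from malware-traffic-analysis.net: a standard-library Python script that parses a pcap, reassembles each TCP direction, splits the HTTP messages, carves every response body that carries a valid MZ/PE header, hashes it with MD5/SHA1/SHA256, and walks Referer headers back from the download to rebuild the redirect chain. It runs against a small capture constructed inline: the IP addresses, domains and redirect URL are the ones reported above, while the request paths (/ and /payload), client ports, MAC addresses and the 80-byte stand-in executable are assumptions, and the exercise pcap itself is not embedded.

```python
import hashlib
import struct
from collections import defaultdict

def parse_pcap(data):
    """Yield (src, dst, sport, dport, seq, payload) for every Ethernet/IPv4/TCP frame."""
    order = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                             # skip the pcap global header
    while off + 16 <= len(data):
        incl = struct.unpack(order + "IIII", data[off:off + 16])[2]
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                     # Ethernet/IPv4/TCP only
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        yield ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), sport, dport, seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble(packets):
    """Rebuild each one-way TCP stream in sequence order (gaps zero-filled, retransmits overwrite)."""
    flows = defaultdict(list)
    for src, dst, sport, dport, seq, payload in packets:
        if payload:
            flows[(src, sport, dst, dport)].append((seq, payload))
    streams = {}
    for key, segs in flows.items():
        segs.sort()
        base, buf = segs[0][0], bytearray()
        for seq, payload in segs:
            buf.extend(b"\x00" * max(0, seq - base - len(buf)))
            buf[seq - base:seq - base + len(payload)] = payload
        streams[key] = bytes(buf)
    return streams

def http_messages(stream):
    """Split a stream into (start_line, headers, body) by Content-Length (chunked bodies not handled)."""
    msgs, pos = [], 0
    while (end := stream.find(b"\r\n\r\n", pos)) >= 0:
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        hdr = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in lines[1:])}
        msgs.append((lines[0], hdr, stream[end + 4:end + 4 + int(hdr.get("content-length", 0))]))
        pos = end + 4 + len(msgs[-1][2])
    return msgs

def is_pe(body):
    """True for an MZ stub whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    return body[struct.unpack("<I", body[0x3C:0x40])[0]:][:4] == b"PE\x00\x00"

def hashes(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def analyse(pcap_bytes):
    """Return (requests, executables): every HTTP request seen and every PE response body."""
    requests, executables = [], []
    for (src, sport, dst, dport), stream in reassemble(parse_pcap(pcap_bytes)).items():
        for start, hdr, body in http_messages(stream):
            if start.startswith("HTTP/"):                # server -> client: carve executables
                if is_pe(body):
                    executables.append({"server": f"{src}:{sport}", "size": len(body),
                                        "content_type": hdr.get("content-type", ""), **hashes(body)})
            else:                                        # client -> server: Host + URI + Referer
                requests.append({"url": hdr.get("host", dst) + start.split(" ")[1], "server": f"{dst}:{dport}",
                                 "referer": hdr.get("referer", "").split("://")[-1] or None})
    return requests, executables

def referer_chain(requests, final_url):              # walk Referer headers back from the download
    by_url = {r["url"]: r["referer"] for r in requests}
    chain = [final_url]
    while by_url.get(chain[0]) and len(chain) < 32:      # bound guards against Referer loops
        chain.insert(0, by_url[chain[0]])
    return chain

# Constructed sample capture (added example, not the exercise pcap): IPs, domains and the redirect
# URL are the page's; paths, client ports, MAC addresses and the 80-byte stand-in PE are assumptions.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 12

def _frame(src, dst, sport, dport, seq, payload):        # Ethernet/IPv4/TCP frame, checksums left zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    return bytes.fromhex("000c29c5b7a1005056e000080800") + ip + tcp + payload
def _get(host, path, referer=None):
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n" + (f"Referer: http://{referer}\r\n" if referer else "") + "\r\n").encode()
def _ok(ctype, body):
    return f"HTTP/1.1 200 OK\r\nContent-Type: {ctype}\r\nContent-Length: {len(body)}\r\n\r\n".encode() + body

EK_RESPONSE = _ok("application/octet-stream", FAKE_PE)
_FRAMES = [
    _frame("172.16.165.132", "192.30.138.146", 49201, 80, 1, _get("hijinksensue.com", "/")),
    _frame("192.30.138.146", "172.16.165.132", 80, 49201, 1, _ok("text/html", b"<html>page with injected script</html>")),
    _frame("172.16.165.132", "50.87.149.90", 49202, 80, 1, _get("static.charlotteretirementcommunities.com", "/k?tstmp=3701802802", "hijinksensue.com/")),
    _frame("50.87.149.90", "172.16.165.132", 80, 49202, 1, _ok("text/html", b"<html>redirect to the EK landing page</html>")),
    _frame("172.16.165.132", "37.143.15.180", 49203, 51439, 1, _get("g.trinketking.com:51439", "/payload", "static.charlotteretirementcommunities.com/k?tstmp=3701802802")),
    _frame("37.143.15.180", "172.16.165.132", 51439, 49203, 61, EK_RESPONSE[60:]),   # second segment arrives first
    _frame("37.143.15.180", "172.16.165.132", 51439, 49203, 1, EK_RESPONSE[:60]),    # to exercise reassembly
]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(_FRAMES))
```

To use it on the real capture, pass the bytes of the pcap extracted from the zip to `analyse()` in place of `SAMPLE_PCAP`, then call `referer_chain()` with the URL of the request that fetched the executable. The script deliberately keeps the parser small: chunked transfer encoding, gzip-compressed bodies, IP fragmentation and TCP sequence-number wraparound are not handled, so anything it misses should be cross-checked with Wireshark's Follow TCP Stream, and the hashes it prints should match what you get from hashing the object exported by Wireshark.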