Malicious traffic exercise: 2014-11-16-traffic-analysis-exercise

A brief description

At work I keep analysing captured traffic, but I always feel that what I have learned is still not solid, so I want to study it systematically. This website (www.malware-traffic-analysis.net) happens to have hands-on exercises that can be used for analysis and study, and this can be regarded as a record of my learning process.

pcap file address

http://malware-traffic-analysis.net/2014/11/16/2014-11-16-traffic-analysis-exercise.pcap

Questions and answers

LEVEL 1 ANSWERS

  1. What is the IP address of the Windows VM that gets infected?

The first question of Level 1 asks for the IP address of the infected virtual machine. Open the pcap and apply the dhcp display filter (called bootp in Wireshark releases before 3.0).

The DHCP Request shown in the Info column carries the address the client asks the server for (option 50, Requested IP Address), from which the local IP is 172.16.165.165.

  2. What is the host name of the Windows VM that gets infected?

  3. What is the MAC address of the infected VM?

The same DHCP Request that answered question 1 also answers questions 2 and 3: the Host Name option (option 12) is K34EN6W3N-PC and the client hardware address (the chaddr field, which should match the Ethernet source address of the frame) is f0:19:af:02:9b:f1.
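As an added example (not code from the original post), the following Python parses a DHCP message and pulls out the three fields the answers above come from: the client hardware address, the Requested IP Address option and the Host Name option. The packet it parses is constructed by hand to carry the same values as the post's answers; it is not the packet from the exercise pcap.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_dhcp(payload: bytes) -> dict:
    """Parse a DHCP message (the UDP payload) into the fields an analyst wants.

    Fixed BOOTP header: op(1) htype(1) hlen(1) hops(1) xid(4) secs(2) flags(2)
    ciaddr(4) yiaddr(4) siaddr(4) giaddr(4) chaddr(16) sname(64) file(128),
    then the 4-byte magic cookie at offset 236 and TLV options from offset 240.
    """
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short packet or bad magic cookie)")
    op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    info = {
        "op": "request" if op == 1 else "reply",
        "client_mac": payload[28:28 + hlen].hex(":"),   # chaddr
        "ciaddr": ip_str(payload[12:16]),               # client's current IP, often 0.0.0.0
        "yiaddr": ip_str(payload[16:20]),               # IP the server assigns (set in OFFER/ACK)
    }
    i = 240
    while i < len(payload):
        tag = payload[i]
        if tag == 255:          # End option
            break
        if tag == 0:            # Pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        i += 2 + length
        if tag == 53:           # DHCP message type
            info["message_type"] = MSG_TYPES.get(value[0], str(value[0]))
        elif tag == 50:         # Requested IP Address
            info["requested_ip"] = ip_str(value)
        elif tag == 12:         # Host Name
            info["hostname"] = value.decode("ascii", "replace")
        elif tag == 61 and value[:1] == b"\x01":   # Client Identifier, type 1 = Ethernet MAC
            info["client_id_mac"] = value[1:].hex(":")
    return info


def build_sample_request() -> bytes:
    """Constructed DHCP Request carrying the post's values; not taken from the pcap."""
    mac = bytes.fromhex("f019af029bf1")
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3D1D, 0, 0)  # op, htype, hlen, hops, xid, secs, flags
    header += bytes(16)                       # ciaddr, yiaddr, siaddr, giaddr = 0.0.0.0
    header += mac + bytes(10)                 # chaddr padded to 16 bytes
    header += bytes(64) + bytes(128)          # sname, file
    options = (
        b"\x35\x01\x03"                             # 53: DHCP message type = Request
        + b"\x3d\x07\x01" + mac                     # 61: client identifier (Ethernet + MAC)
        + b"\x32\x04" + bytes([172, 16, 165, 165])  # 50: requested IP address
        + b"\x0c\x0c" + b"K34EN6W3N-PC"             # 12: host name (12 bytes)
        + b"\xff"                                   # 255: end
    )
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    for key, val in parse_dhcp(build_sample_request()).items():
        print(f"{key:16} {val}")
```

While a client is still obtaining a lease its ciaddr field is 0.0.0.0, so the address comes from the Requested IP Address option or from the yiaddr of the server's ACK, not from the fixed header. The MAC in chaddr should agree with the Ethernet source address of the same frame and with the Client Identifier option when it is present; a mismatch between them is worth a second look.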

  4. What is the IP address of the compromised web site?

  5. What is the domain name of the compromised web site?

These two questions ask for the IP address and domain name of the compromised web site. Filter on http.request and look at the first requests the victim makes.

The Host shown in the Info column gives the compromised site as www.ciniholland.nl, and the destination address of those requests is 82.150.140.30. A site is confirmed as the compromised one because the page it serves contains the injected redirect, not simply because it is the first site visited.

  6. What is the IP address that delivered the exploit kit and malware?

  7. What is the domain name that delivered the exploit kit and malware?

These two questions ask for the IP address and domain name that delivered the exploit kit and the malware. Open File -> Export Objects -> HTTP.

Look at the Content Type column: application/x-msdownload is a Windows PE executable (EXE or DLL), application/x-shockwave-flash is an SWF file and application/java-archive is a JAR file.

All of the objects with these types come from the same host, so the IP address and domain name that delivered the exploit kit and malware are 37.200.69.143 and stand.trustandprobaterealty.com respectively.

LEVEL 2 ANSWERS

  1. What is the redirect URL that points to the exploit kit (EK) landing page?

This question asks which URL redirects the victim to the exploit kit landing page. Follow the HTTP stream of the compromised site's page to see the redirect; it points to 24corp-shop.com.

  2. Besides the landing page (which contains the CVE-2013-2551 IE exploit), what other exploit(s) were sent by the EK?

This question asks which exploits were used in addition to the CVE-2013-2551 IE exploit. CVE-2013-2551 is the VML vulnerability in vgx.dll. The other objects served by the EK host have Content-Type application/x-shockwave-flash and application/java-archive, that is, a Flash exploit and a Java exploit.

  3. How many times was the payload delivered?

Open File -> Export Objects -> HTTP and count the application/x-msdownload objects from the EK host (the executables, not the exploit files): there are three, so the payload was delivered three times.

  4. Submit the pcap to VirusTotal and find out what Snort alerts triggered. What EK names are shown in the Suricata alerts?

Just upload it and look; I won't do it here.

LEVEL 3 ANSWERS

  1. Checking my website, what have I (and others) been calling this exploit kit?

Rig EK

  2. What file or page from the compromised website has the malicious script with the URL for the redirect?

This question asks which page of www.ciniholland.nl contains the reference to 24corp-shop.com.

First filter on http.host == www.ciniholland.nl, then follow the streams one by one. The first page returned by the site contains the reference to 24corp-shop.com.

  3. Extract the exploit file(s). What is(are) the md5 file hash(es)?

First filter on the domain that delivered the exploit kit and malware, stand.trustandprobaterealty.com.

Follow the TCP stream of each exploit download, switch the display to Hex Dump and save it.

For the Flash response, note the length of the HTTP response header and the offset of the SWF file header (FWS for uncompressed, CWS for zlib-compressed, ZWS for LZMA-compressed).

For the Java response, note the length of the HTTP response header and the offset of the JAR file header (PK, since a JAR is a ZIP archive).

Save each body starting at its file header for the length given by Content-Length, and compute the MD5 hash. The hash must cover the file body only: including even the CRLF that ends the headers gives a different value, which is why the header length is counted first. File -> Export Objects -> HTTP saves the same bodies directly and is a quick cross-check for the hand-carved files.
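The procedure in this answer, and the stream-by-stream search for the redirect in the previous one, can be scripted. The Python below is an added example, not code from the original post: it splits a reassembled server-to-client HTTP stream into responses, handles both Content-Length and chunked bodies, identifies each body from its leading bytes, hashes it, and scans an HTML body for iframe or script sources that point at another host. The stream it works on is constructed inline with fake bodies that share only their magic bytes with real SWF, JAR and PE files; it is not data from the exercise pcap, and the iframe address in the sample HTML is made up for illustration (the post only gives the domain 24corp-shop.com).

```python
import hashlib
import re

# File signatures of the object types that appeared in the Export Objects list.
MAGICS = [
    (b"FWS", "swf (uncompressed)"),
    (b"CWS", "swf (zlib-compressed)"),
    (b"ZWS", "swf (lzma-compressed)"),
    (b"PK\x03\x04", "zip/jar"),
    (b"MZ", "pe (exe/dll)"),
]


def sniff(body: bytes) -> str:
    """Name the file type from its leading bytes, independent of Content-Type."""
    for magic, name in MAGICS:
        if body.startswith(magic):
            return name
    return "unknown"


def dechunk(data: bytes, start: int):
    """Decode a chunked body beginning at `start`; return (body, end offset)."""
    out = bytearray()
    i = start
    while True:
        line_end = data.index(b"\r\n", i)
        size = int(data[i:line_end].split(b";")[0], 16)   # chunk-size, ignore extensions
        i = line_end + 2
        if size == 0:
            # Last chunk: skip any trailer headers up to the blank line.
            blank = data.index(b"\r\n\r\n", i - 2)
            return bytes(out), blank + 4
        out += data[i:i + size]
        i += size + 2                                    # chunk data plus its CRLF


def carve_responses(stream: bytes) -> list:
    """Split a server->client TCP stream into HTTP responses and hash each body."""
    results, pos = [], 0
    while pos < len(stream):
        hdr_end = stream.find(b"\r\n\r\n", pos)
        if hdr_end < 0:
            break
        status, *lines = stream[pos:hdr_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = hdr_end + 4                         # the "response header length" of the post
        if "chunked" in headers.get("transfer-encoding", "").lower():
            body, pos = dechunk(stream, body_start)
        elif "content-length" in headers:
            length = int(headers["content-length"])
            body, pos = stream[body_start:body_start + length], body_start + length
        else:                                            # no length: body runs to connection close
            body, pos = stream[body_start:], len(stream)
        results.append({
            "status": status,
            "content_type": headers.get("content-type", ""),
            "sniffed": sniff(body),
            "size": len(body),
            "md5": hashlib.md5(body).hexdigest(),        # hash of the body only, never the headers
            "body": body,
        })
    return results


SRC_RE = re.compile(rb"<(?:iframe|script)\b[^>]*\bsrc=[\"']?(https?://[^\"'\s>]+)", re.I)


def find_external_refs(html: bytes, site_host: str) -> list:
    """Return iframe/script src URLs whose host differs from the site itself."""
    refs = []
    for match in SRC_RE.finditer(html):
        url = match.group(1).decode("latin-1")
        host = url.split("//", 1)[1].split("/", 1)[0].lower()
        if host != site_host.lower():
            refs.append(url)
    return refs


def build_sample_stream() -> bytes:
    """Constructed stream (not from the pcap); fake bodies share only their magic bytes with real files."""
    html = (b"<html><body>Welcome"
            b'<iframe src="http://24corp-shop.com/" width="1" height="1"></iframe>'
            b"</body></html>")
    swf = b"CWS\x0a" + bytes(60)
    jar = b"PK\x03\x04" + bytes(40)
    exe = b"MZ\x90\x00" + bytes(100)

    def resp(ctype: bytes, body: bytes) -> bytes:
        return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype + b"\r\nContent-Length: "
                + str(len(body)).encode() + b"\r\n\r\n" + body)

    # The SWF is sent chunked, so a carve that trusts Content-Length alone would miss it.
    chunked = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-shockwave-flash\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n"
               + b"%x\r\n" % 20 + swf[:20] + b"\r\n"
               + b"%x\r\n" % (len(swf) - 20) + swf[20:] + b"\r\n0\r\n\r\n")
    return (resp(b"text/html", html) + chunked
            + resp(b"application/java-archive", jar) + resp(b"application/x-msdownload", exe))


if __name__ == "__main__":
    objects = carve_responses(build_sample_stream())
    for obj in objects:
        print(obj["content_type"], obj["sniffed"], obj["size"], obj["md5"])
    print(find_external_refs(objects[0]["body"], "www.ciniholland.nl"))
```

To run it against the real capture, right-click a packet from the EK host, choose Follow -> TCP Stream, select the server-to-client direction only, save the data as Raw and pass the file contents to carve_responses; the md5 values it prints should match the hashes of the files carved by hand. A regular expression over static HTML is only a first pass for the redirect: injected code is often obfuscated JavaScript that assembles the iframe at run time, so reading the streams one by one as the post does still has its place.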


Source: blog.csdn.net/weixin_44001905/article/details/107713576