Analysis Report
Packet capture:
LAN segment properties:
IP range: 10.1.75.0/24 (10.1.75.0 to 10.1.75.255)
Gateway IP: 10.1.75.1
Broadcast IP: 10.1.75.255
Domain controller (DC): PixelShine-DC, 10.1.75.4
Domain: pixelshine.net
Tasks:
Determine the time and date of this infection.
Determine the IP address of the infected Windows client.
Determine the host name of the infected Windows client.
Determine the MAC address of the infected Windows client.
Determine the Windows user account name used on the infected Windows client.
Determine the SHA256 hash of the Word document the victim downloaded.
Determine the SHA256 hash of the first malware binary sent to the infected Windows client.
Determine the time at which the domain controller (DC, 10.1.75.4) was infected.
Determine the SHA256 hash of the second malware binary sent to the infected Windows client (the same file that appears as radiance.png and table.png).
What in Wireshark can be used to retrieve the two executables from the SMB traffic, and what are their hashes?
Determine the type of malware infecting the Windows client.
Determine the malware family infecting the DC.
Determine the public IP address of the infected Windows client.
Use Statistics > Protocol Hierarchy in Wireshark to get an overview of the traffic broken down by protocol.
Determine the time and date of this infection.
### Use the timestamp of the first document, i.e. the time at which the Word file was downloaded over HTTP.
Determine the IP address of the infected Windows client.
IP address: 10.1.75.4
### Note: 10.1.75.4 is listed above as the DC's address. The client's address should be taken from the source IP of the HTTP request that fetched the Word document; the DC infection is answered separately below.
Determine the host name of the infected Windows client.
Host name: rigsby-win-pc (it appears as rigsby-win-pc$ in the traffic; the trailing $ marks the computer account, not part of the host name)
Determine the MAC address of the infected Windows client.
MAC address: 84:2b:2b:d3:55:73
Determine the Windows user account name used on the infected Windows client.
User account name: jubson.rigsby
Determine the SHA256 hash of the Word document the victim downloaded.
### File > Export Objects > HTTP, save the document locally
### then compute the SHA256 hash of the saved file (e.g. sha256sum on Linux, or Get-FileHash in PowerShell)
Hash: 1112203340b2d66f15b09046af6e776af6604343c1e733fe419fdf86f851caa3
Determine the SHA256 hash of the first malware binary sent to the infected Windows client.
### In the Protocol Hierarchy, click into HTTP and look for resources fetched with the GET method
### Back in the main Wireshark window, apply the filter http (or http.request.method == "GET") to find the relevant request
### As in the step above, export the object and compute its hash locally
Hash: 0d7a4650cdc13d9217edb05f5b5c2c5528f8984dbbe3fbc85f4a48ae51846cc3
Determine the time at which the domain controller (DC, 10.1.75.4) was infected.
Time: 03:01 on 2 October 2018
Determine the SHA256 hash of the second malware binary sent to the infected Windows client (the same file that appears as radiance.png and table.png).
Hash: 28c33a9676f04274b2868c1a2c092503a57d38833f0f8b964d55458623b82b6e
What in Wireshark can be used to retrieve the two executables from the SMB traffic, and what are their hashes?
## Use File > Export Objects > SMB in Wireshark, save the files, and compute their hashes
Hashes: 1) 28c33a9676f04274b2868c1a2c092503a57d38833f0f8b964d55458623b82b6e
2) cf99990bee6c378cbf56239b3cc88276eec348d82740f84e9d5c343751f82560
### Check: hash 1) is identical to the second binary downloaded over HTTP, so the same executable the client received was then transferred to the DC over SMB.
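As an added example (not part of the original report), the following Python script does the hashing step for both the HTTP and the SMB exports: it hashes every file Wireshark or tshark wrote to an Export Objects directory, identifies each file's real type from its magic bytes (so a PE dropped under a .png name is still recognised as an executable), groups identical payloads so the HTTP download and its SMB copies are matched, and compares the results against the hashes recorded in this report. The tshark flags in the docstring are real; the sample export directory, the names payload.exe and logo.png, and the PE and PNG byte contents are constructed for the demonstration (radiance.png and table.png are reused from the report as names only).

```python
"""Hash and triage files exported from a capture with Wireshark/tshark.

The export directories are produced with tshark (same as File > Export
Objects in the GUI):
    tshark -r capture.pcap --export-objects http,exported_http
    tshark -r capture.pcap --export-objects smb,exported_smb
Everything below runs on the exported files only, so it works offline.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

# Leading bytes that identify the real file type regardless of the filename.
MAGIC = [
    (b"MZ", "PE executable"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 document (legacy .doc)"),
    (b"PK\x03\x04", "ZIP container (.docx or archive)"),
]

# SHA256 values recorded in the report above, used as IOCs to match against.
KNOWN_HASHES = {
    "1112203340b2d66f15b09046af6e776af6604343c1e733fe419fdf86f851caa3": "Word document",
    "0d7a4650cdc13d9217edb05f5b5c2c5528f8984dbbe3fbc85f4a48ae51846cc3": "first binary (HTTP)",
    "28c33a9676f04274b2868c1a2c092503a57d38833f0f8b964d55458623b82b6e": "second binary (HTTP and SMB)",
    "cf99990bee6c378cbf56239b3cc88276eec348d82740f84e9d5c343751f82560": "second SMB executable",
}


def detect_type(data: bytes) -> str:
    """Classify a file by its magic bytes; 'unknown' if none match."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def hash_exported_objects(export_dir: str) -> dict:
    """Return {filename: (sha256_hex, detected_type)} for every regular file."""
    results = {}
    for name in sorted(os.listdir(export_dir)):
        path = os.path.join(export_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        results[name] = (hashlib.sha256(data).hexdigest(), detect_type(data))
    return results


def group_by_hash(results: dict) -> dict:
    """Map sha256 -> [filenames], so one payload seen under several names
    (the HTTP download and its SMB copies) is recognised as the same file."""
    groups = defaultdict(list)
    for name, (digest, _) in results.items():
        groups[digest].append(name)
    return dict(groups)


def disguised_executables(results: dict) -> list:
    """Files whose extension claims an image but whose bytes are a PE."""
    return [name for name, (_, ftype) in results.items()
            if ftype == "PE executable"
            and name.lower().endswith((".png", ".jpg", ".gif", ".bmp"))]


def match_known(results: dict, known: dict = KNOWN_HASHES) -> dict:
    """Filenames whose SHA256 is one of the report's recorded hashes."""
    return {name: known[digest] for name, (digest, _) in results.items()
            if digest in known}


def build_sample_export_dir() -> str:
    """Constructed sample data (not from the exercise capture): a minimal PE
    stub as the HTTP download, the same bytes exported twice from SMB under
    .png names, and one genuine PNG header."""
    export_dir = tempfile.mkdtemp(prefix="export_objects_")
    # DOS header with e_lfanew = 64, followed by the "PE\0\0" signature.
    fake_pe = b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 200
    real_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    for name, data in [("payload.exe", fake_pe), ("radiance.png", fake_pe),
                       ("table.png", fake_pe), ("logo.png", real_png)]:
        with open(os.path.join(export_dir, name), "wb") as fh:
            fh.write(data)
    return export_dir


if __name__ == "__main__":
    results = hash_exported_objects(build_sample_export_dir())
    for name, (digest, ftype) in results.items():
        print(f"{digest}  {ftype:28s} {name}")
    print("same payload under several names:",
          [names for names in group_by_hash(results).values() if len(names) > 1])
    print("executables disguised as images:", disguised_executables(results))
    print("matches against report IOCs:", match_known(results))
```

Against a real export, point hash_exported_objects at the directory tshark wrote; the hashes from the two exports are then compared by content rather than by the names the malware chose, which is what ties the SMB-transferred files back to the second HTTP download.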
Determine the type of malware infecting the Windows client.
Macro class, Trojan type
Determine the malware family infecting the DC.
Backdoor Trojan family
Determine the public IP address of the infected Windows client.
Public IP address: 109.238.74.213