Malware Traffic Analysis-1 👾💻☠️

Points: 950

Category

Forensics

Challenge Details

The attached PCAP belongs to an Exploitation Kit infection. Analyze it using your favorite tool and answer the challenge questions.

Solution

1 What is the IP address of the Windows VM that gets infected?

172.16.165.165

2 What is the hostname of the Windows VM that gets infected?

Wireshark filter: dhcp

K34EN6W3N-PC

3 What is the MAC address of the infected VM?

f0:19:af:02:9b:f1
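As an added example (not part of the original write-up), the pure-Python parser below pulls the same three identity fields out of a DHCP frame that questions 1 to 3 read off in Wireshark: the client MAC from chaddr, the requested IP from option 50 and the host name from option 12. The frame it parses is constructed inline; the IP, MAC and host name in it are the answers above, not bytes from the challenge PCAP.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # BOOTP vendor-extension "magic cookie"

def parse_dhcp_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP -> BOOTP/DHCP; return MAC, host name, requested IP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17:                          # IPv4 protocol field
        raise ValueError("not UDP")
    udp = 14 + ihl
    if struct.unpack("!HH", frame[udp:udp + 4]) not in ((68, 67), (67, 68)):
        raise ValueError("not DHCP (ports 67/68)")
    bootp = frame[udp + 8:]
    hlen = bootp[2]
    mac = ":".join(f"{b:02x}" for b in bootp[28:28 + hlen])   # chaddr
    if bootp[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    info = {"mac": mac, "msg_type": None, "hostname": None, "requested_ip": None}
    opts, i = bootp[240:], 0
    while i < len(opts) and opts[i] != 255:      # 255 = End option
        if opts[i] == 0:                         # 0 = Pad, has no length byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if code == 53:                           # DHCP Message Type
            info["msg_type"] = value[0]
        elif code == 12:                         # Host Name
            info["hostname"] = value.decode("ascii", "replace")
        elif code == 50:                         # Requested IP Address
            info["requested_ip"] = ".".join(str(b) for b in value)
        i += 2 + length
    return info

def build_sample_request() -> bytes:
    """Constructed DHCPREQUEST (not from the challenge PCAP) carrying the write-up's values."""
    mac = bytes.fromhex("f019af029bf1")
    host = b"K34EN6W3N-PC"
    opts = (DHCP_MAGIC + bytes([53, 1, 3]) + bytes([50, 4, 172, 16, 165, 165])
            + bytes([12, len(host)]) + host + b"\xff")
    bootp = (struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)   # op..flags
             + bytes(16) + mac + bytes(10) + bytes(192) + opts)            # addrs, chaddr, sname, file
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp                          # 0.0.0.0 -> broadcast
    return b"\xff" * 6 + mac + b"\x08\x00" + ip
```

Run it over every frame of a capture (any pcap reader that yields raw Ethernet frames will do) and the first DHCPREQUEST gives the infected host's identity without a GUI.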

4 What is the IP address of the compromised web site?

Wireshark filter: http and ip.dst==82.150.140.30

82.150.140.30

5 What is the FQDN of the compromised web site?

Check the full request URI (http.request.full_uri) in the HTTP requests.

ciniholland.nl

6 What is the IP address of the server that delivered the exploit kit and malware?

37.200.69.143

7 What is the FQDN that delivered the exploit kit and malware?

Wireshark filter: http and ip.src==37.200.69.143

stand.trustandprobaterealty.com

8 What is the redirect URL that points to the exploit kit (EK) landing page?

http://24corp-shop.com/

Other than the CVE-2013-2551 IE exploit, another application was targeted by the EK and starts with "J". Provide the full application name.

java

9 How many times was the payload delivered?

3

10 The compromised website has a malicious script with a URL. What is this URL?

http://24corp-shop.com/

10 Extract the two exploit files. What are the MD5 file hashes? (comma-separated )

7b3baa7d6bb3720f369219789e38d6ab,1e34fdebbf655cebea78b45e43520ddf

md5 index.php%3freq=swf\&num=809\&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg%7cZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
MD5 (index.php%3freq=swf&num=809&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg%7cZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM) = 7b3baa7d6bb3720f369219789e38d6ab

md5 index.php%3freq=jar\&num=3703\&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg%7CZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
MD5 (index.php%3freq=jar&num=3703&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg%7CZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM) = 1e34fdebbf655cebea78b45e43520ddf
This post is licensed under CC BY 4.0 by the author.