Question
Project #1 will begin by introducing you to the process of malware traffic analysis. Review the following situations utilizing Wireshark:

Situation: Traffic Analysis Exercise

Download this PCAP source file. Review the sample analysis discussing these questions:

• What was the date and time of the infection?
• What is the MAC address of the infected Windows computer?
• What is the IP address of the infected Windows computer?
• What is the host name of the infected Windows computer?
• What type of malware was the computer infected with?
• What is the name of the malware that infected the user's computer?
• What exploit kit was used to infect the user's computer?
• What compromised website kicked off the infection chain of events?
• Before the Windows computer was infected, what did the user search for on Bing?
• Which campaign(s) used the exploit kit noted in the pcap?
• What are the indicators of compromise (IOCs) from the pcap?

Link: http://www.malware-traffic-analysis.net/2017/01/28/index.html
Explanation / Answer
BASIC QUESTIONS:
*************************
A1: The computer was infected on 2017-01-27 around 22:54 UTC
A2: 5c:26:0a:02:a8:e4 (Dell_02:a8:e4)
A3: 172.16.4.193
A4: Stewie-PC
A5: Ransomware
ADVANCED QUESTIONS:
********************************
A1: Cerber ransomware
A2: Rig exploit kit
A3: www.homeimprovement.com
MORE ADVANCED ANSWERS:
******************************************
A1: home improvement remodeling your kitchen.
A2: Both the Afraidgate and pseudoDarkleech campaigns.
The following are some indicators of compromise I found after reviewing the pcap:
• 104.28.18.74 port 80 - www.homeimprovement.com - compromised website
• 139.59.160.143 port 80 - retrotip.visionurbana.com.ve - Afraidgate redirect
• 194.87.234.129 port 80 - tyu.benme.com - Rig EK
• 5.188.223.104 port 80 - spotsbill.com - Godzilla Loader callback
• 198.105.121.50 port 80 - p27dokhpz2n7nvgr.1jw2lx.top - Cerber ransomware decryptor page
• 90.2.1.0 to 90.2.1.31 (90.2.1.0/27) port 6892 - Cerber post-infection UDP traffic
• 90.3.1.0 to 90.3.1.31 (90.3.1.0/27) port 6892 - Cerber post-infection UDP traffic
• 91.239.24.0 to 91.239.25.255 (91.239.24.0/23) port 6892 - Cerber post-infection UDP traffic
Thanks
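The IOC list in the answer above is only useful to a defender once it is turned into something that can be matched against traffic. The following script is an added example, not part of the original answer or of the malware-traffic-analysis.net exercise: it loads the hostnames, single addresses and the three Cerber UDP ranges exactly as the answer lists them, and checks flow records against them, treating the /27 and /23 entries as networks rather than as individual addresses. The record format (tab-separated src, dst, proto, dport, optional HTTP host) and the sample records at the bottom are constructed for this example and are not taken from the pcap.

```python
"""Match network flow records against the IOCs listed in the answer above.

IOC values are the ones on the page; the flow records at the bottom are
constructed sample input (not from the exercise pcap) so the script runs
offline.
"""
import ipaddress
from dataclasses import dataclass

# Hostnames and the role the answer assigns to each.
IOC_HOSTS = {
    "www.homeimprovement.com": "compromised website",
    "retrotip.visionurbana.com.ve": "Afraidgate redirect",
    "tyu.benme.com": "Rig EK",
    "spotsbill.com": "Godzilla Loader callback",
    "p27dokhpz2n7nvgr.1jw2lx.top": "Cerber ransomware decryptor page",
}

# Single addresses; every one of these is TCP/80 in the answer.
IOC_IPS = {
    "104.28.18.74": "compromised website",
    "139.59.160.143": "Afraidgate redirect",
    "194.87.234.129": "Rig EK",
    "5.188.223.104": "Godzilla Loader callback",
    "198.105.121.50": "Cerber ransomware decryptor page",
}

# Cerber's post-infection UDP traffic goes to whole ranges on one port, so
# these are matched as networks, not as a list of individual addresses.
IOC_UDP_RANGES = [
    (ipaddress.ip_network("90.2.1.0/27"), 6892),
    (ipaddress.ip_network("90.3.1.0/27"), 6892),
    (ipaddress.ip_network("91.239.24.0/23"), 6892),
]


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str       # "tcp" or "udp"
    dst_port: int
    host: str = ""   # HTTP Host header; empty for non-HTTP traffic


def parse_flow(line: str) -> Flow:
    """Parse one constructed tab-separated record: src, dst, proto, dport[, host]."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 4:
        raise ValueError(f"malformed record: {line!r}")
    host = fields[4] if len(fields) > 4 else ""
    return Flow(fields[0], fields[1], fields[2].lower(), int(fields[3]), host)


def match_flow(flow: Flow) -> list[str]:
    """Return a reason string for every IOC this flow matches (empty if none)."""
    hits = []
    host = flow.host.lower()
    if host and host in IOC_HOSTS:
        hits.append(f"host {flow.host}: {IOC_HOSTS[host]}")
    if flow.proto == "tcp" and flow.dst_port == 80 and flow.dst_ip in IOC_IPS:
        hits.append(f"ip {flow.dst_ip}: {IOC_IPS[flow.dst_ip]}")
    if flow.proto == "udp":
        dst = ipaddress.ip_address(flow.dst_ip)
        for net, port in IOC_UDP_RANGES:
            if flow.dst_port == port and dst in net:
                hits.append(f"udp {flow.dst_ip}:{port} in {net}: "
                            "Cerber post-infection UDP traffic")
                break
    return hits


def scan(lines):
    """Scan records; return (list of (flow, reasons), set of internal source IPs that hit)."""
    findings = []
    sources = set()
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reasons = match_flow(flow)
        if reasons:
            findings.append((flow, reasons))
            sources.add(flow.src_ip)
    return findings, sources


# Constructed sample records (not from the pcap). The source address is the
# internal host the answer identifies; the last two lines exercise the
# no-match paths (address just outside the /27, and ordinary HTTPS traffic).
SAMPLE_RECORDS = [
    "172.16.4.193\t104.28.18.74\ttcp\t80\twww.homeimprovement.com",
    "172.16.4.193\t194.87.234.129\ttcp\t80\ttyu.benme.com",
    "172.16.4.193\t90.2.1.17\tudp\t6892\t",
    "172.16.4.193\t91.239.25.200\tudp\t6892\t",
    "172.16.4.193\t90.2.1.40\tudp\t6892\t",
    "172.16.4.193\t93.184.216.34\ttcp\t443\texample.com",
]

if __name__ == "__main__":
    found, hosts = scan(SAMPLE_RECORDS)
    for flow, reasons in found:
        print(f"{flow.src_ip} -> {flow.dst_ip}: " + "; ".join(reasons))
    print("internal hosts with IOC hits:", sorted(hosts))
```

Two details matter when reusing a list like this: the UDP ranges have to be matched as networks (a flat list of the 96 addresses would work here but will not scale to larger ranges), and hostname matches are case-insensitive because the Host header is. Anything the script flags only says a flow matched an indicator from this one case; confirming an actual infection still means looking at the packets, as the exercise asks.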