LEVEL 1 QUESTIONS:
1) What is the IP address of the Windows VM that gets infected?
To find the Windows host, check the User-Agent header of the HTTP requests (a Windows NT user agent marks the client). Apply the http filter, follow the TCP stream of a request, and note the source IP.
Answer : 172.16.165.165
2) What is the host name of the Windows VM that gets infected?
To find the host name, use the nbns filter (NetBIOS Name Service): the Windows VM announces its own name in NBNS registration traffic from its IP.
Answer : K34EN6W3N-PC
3) What is the MAC address of the infected VM?
Statistics -> Conversations, Ethernet tab: the MAC address paired with the VM's IP in the IPv4 conversations.
Answer : f0:19:af:02:9b:f1
4) What is the IP address of the compromised web site?
Looks like the web site was compromised via a WordPress exploit. The IP is the destination address of the GET request for that site.
Answer : 126.96.36.199
5) What is the domain name of the compromised web site?
Follow the GET request; the Host header gives the domain name.
Answer : www.ciniholland.nl
6) What is the IP address that delivered the exploit kit and malware?
Follow the HTTP stream: the request to the exploit-kit host carries a Referer header pointing back at the compromised site, and its destination address is the delivery IP.
Answer : 188.8.131.52
7) What is the domain name that delivered the exploit kit and malware?
Answer : stand.trustandprobaterealty.com
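The same pivots done outside the Wireshark GUI, as an added example that is not part of the original writeup. It works on tshark field dumps; the rows below are constructed to mimic what the two tshark commands in the docstring would print, using the values this writeup reports, plus one assumed noise client (172.16.165.132 fetching example.com) to show the filtering. The referer_chain function generalizes the "follow the stream" step: it walks Referer headers hop by hop, so it also handles a gate or redirector sitting between the compromised site and the exploit kit.

```python
"""Pivot from tshark field dumps to the Level 1 answers (added example).

The constructed rows imitate the output of:

  tshark -r infection.pcap -Y 'http.request' -T fields -E separator=/t \
      -e frame.number -e eth.src -e ip.src -e ip.dst \
      -e http.host -e http.request.uri -e http.user_agent -e http.referer

  tshark -r infection.pcap -Y 'nbns.flags.response == 0' -T fields \
      -E separator=/t -e ip.src -e nbns.name
"""
from collections import Counter
from urllib.parse import urlparse

HTTP_FIELDS = ("frame", "eth_src", "ip_src", "ip_dst", "host", "uri", "ua", "referer")
NBNS_FIELDS = ("ip_src", "nbns_name")

WIN_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

# Constructed sample rows, not captured data. The 172.16.165.132 client is an assumption.
HTTP_SAMPLE = "\n".join("\t".join(r) for r in [
    ("12", "00:0c:29:aa:bb:cc", "172.16.165.132", "93.184.216.34",
     "example.com", "/", "curl/7.38.0", ""),
    ("40", "f0:19:af:02:9b:f1", "172.16.165.165", "126.96.36.199",
     "www.ciniholland.nl", "/", WIN_UA, ""),
    ("57", "f0:19:af:02:9b:f1", "172.16.165.165", "126.96.36.199",
     "www.ciniholland.nl", "/style.css", WIN_UA, "http://www.ciniholland.nl/"),
    ("88", "f0:19:af:02:9b:f1", "172.16.165.165", "188.8.131.52",
     "stand.trustandprobaterealty.com", "/", WIN_UA, "http://www.ciniholland.nl/"),
    ("131", "f0:19:af:02:9b:f1", "172.16.165.165", "188.8.131.52",
     "stand.trustandprobaterealty.com", "/payload", WIN_UA,
     "http://stand.trustandprobaterealty.com/"),
])
NBNS_SAMPLE = "172.16.165.132\tWORKGROUP<1d>\n172.16.165.165\tK34EN6W3N-PC<00>\n"


def parse_fields(text, names):
    """Turn tshark -T fields output into dicts; tshark drops trailing empty columns."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(names) - len(parts))
        rows.append(dict(zip(names, parts)))
    return rows


def windows_client(http_rows):
    """Q1/Q3: the (ip, mac) pair that sends requests with a Windows User-Agent.
    The most frequent pair wins, so one odd request cannot mislead."""
    pairs = Counter((r["ip_src"], r["eth_src"]) for r in http_rows if "Windows NT" in r["ua"])
    return pairs.most_common(1)[0][0] if pairs else None


def nbns_hostname(nbns_rows, ip):
    """Q2: the NetBIOS name the host registers for itself; tshark prints it as NAME<00>."""
    for r in nbns_rows:
        if r["ip_src"] == ip:
            return r["nbns_name"].split("<")[0].strip()
    return None


def referer_chain(http_rows, client_ip, start_host):
    """Q4-Q7: follow Referer headers from the compromised site to the exploit-kit host.
    Returns the ordered list of hosts and a host -> server IP map."""
    mine = [r for r in http_rows if r["ip_src"] == client_ip]
    host_ip = {}
    for r in mine:
        host_ip.setdefault(r["host"], r["ip_dst"])
    chain, seen = [start_host], {start_host}
    while True:
        nxt = None
        for r in mine:
            ref_host = urlparse(r["referer"]).hostname if r["referer"] else None
            if ref_host == chain[-1] and r["host"] not in seen:
                nxt = r["host"]
                break
        if nxt is None:
            return chain, host_ip
        chain.append(nxt)
        seen.add(nxt)


def solve(http_text=HTTP_SAMPLE, nbns_text=NBNS_SAMPLE, compromised="www.ciniholland.nl"):
    """Answer all seven questions from the field dumps."""
    http_rows = parse_fields(http_text, HTTP_FIELDS)
    nbns_rows = parse_fields(nbns_text, NBNS_FIELDS)
    ip, mac = windows_client(http_rows)
    chain, host_ip = referer_chain(http_rows, ip, compromised)
    return {
        "q1_ip": ip, "q2_hostname": nbns_hostname(nbns_rows, ip), "q3_mac": mac,
        "q4_site_ip": host_ip[chain[0]], "q5_site": chain[0],
        "q6_ek_ip": host_ip[chain[-1]], "q7_ek_domain": chain[-1], "chain": chain,
    }


if __name__ == "__main__":
    for k, v in solve().items():
        print(f"{k}: {v}")
```

Swap HTTP_SAMPLE and NBNS_SAMPLE for the real tshark output of the exercise pcap and the same functions apply; if the chain comes back longer than two hosts, the extra entries are the redirector(s) between the compromised site and the exploit kit.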