2014-11-16 Traffic analysis exercise


https://www.malware-traffic-analysis.net/2014/11/16/index.html


LEVEL 1 QUESTIONS:

1) What is the IP address of the Windows VM that gets infected?

To find the Windows host, I filter on http and look at the User-Agent header in the requests (Follow > TCP Stream shows it); the source IP of the requests carrying a Windows User-Agent is the infected VM.

Answer : 172.16.165.165


2) What is the host name of the Windows VM that gets infected?


To check for the host name, I use the nbns filter: the Windows VM registers its NetBIOS name over NBNS, so the name shows up in its own packets.

Answer : K34EN6W3N-PC


3) What is the MAC address of the infected VM?

Statistics –> Conversations (the Ethernet tab lists the MAC address that pairs with the IP found above).

Answer : f0:19:af:02:9b:f1


4) What is the IP address of the compromised web site?

The web site looks to have been compromised through a WordPress exploit.

Answer : 82.150.140.30


5) What is the domain name of the compromised web site?

Follow the GET request; the Host header gives the domain name.

Answer : www.ciniholland.nl


6) What is the IP address and domain name that delivered the exploit kit and malware?

Follow the victim's HTTP streams after the visit to the compromised site; the next host it is sent to is the exploit kit server.

Answer : 37.200.69.143 & stand.trustandprobaterealty.com


7) What is the domain name that delivered the exploit kit and malware?

Answer : stand.trustandprobaterealty.com
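The same pivots as above, scripted with tshark (Wireshark's command-line front end) so they can be re-run without clicking through the GUI. This is an added example, not part of the original write-up or of the exercise; the pcap path in PCAP is a placeholder, and the sample lines used to exercise the awk helpers are constructed from the answers above rather than taken from the capture.

```shell
#!/bin/sh
# Added example: reproduce the Wireshark steps of this write-up with tshark.
# The summarising awk is split into functions that read tshark "-T fields"
# output on stdin, so they can also be run on constructed input.
# Assumption: the exercise pcap has been downloaded from the URL at the top
# of the page and its path is in PCAP; "exercise.pcap" is only a placeholder.
PCAP="${PCAP:-exercise.pcap}"

# Q1: which HTTP clients identify as Windows in their User-Agent?
# stdin: ip.src <TAB> http.user_agent      stdout: "ip count", sorted
windows_http_clients() {
    awk -F'\t' '$2 ~ /Windows NT/ { n[$1]++ }
                END { for (ip in n) print ip, n[ip] }' | sort
}

# Q2/Q3: NBNS registrations carry the NetBIOS name and the Ethernet header
# carries the source MAC, so one pass gives IP, MAC and host name per host.
# stdin: ip.src <TAB> eth.src <TAB> nbns.name   stdout: unique "ip<TAB>mac<TAB>name"
nbns_hosts() {
    awk -F'\t' '$3 != "" {
        split($3, names, ",");   # tshark joins repeated fields with ","
        name = names[1];
        sub(/<.*$/, "", name);   # drop the <00>/<20> service suffix
        key = $1 "\t" $2 "\t" name;
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Q4-Q6: walk the victim's HTTP requests in capture order, printing each
# (server IP, Host header, first URI) once, so the chain from the compromised
# site to the exploit-kit host reads top to bottom.
# stdin: ip.dst <TAB> http.host <TAB> http.request.uri
request_chain() {
    awk -F'\t' '{
        key = $1 "\t" $2;
        if (!(key in seen)) { seen[key] = 1; printf "%s\t%s\t%s\n", $1, $2, $3 }
    }'
}

# tshark wrappers: these need tshark installed and the pcap in $PCAP.
q1_windows_clients() {
    tshark -r "$PCAP" -Y 'http.request' -T fields \
        -e ip.src -e http.user_agent | windows_http_clients
}
q2_q3_host_and_mac() {   # $1 = victim IP from q1
    tshark -r "$PCAP" -Y "nbns.flags.response == 0 && ip.src == $1" -T fields \
        -e ip.src -e eth.src -e nbns.name | nbns_hosts
}
q4_q6_chain() {          # $1 = victim IP from q1
    tshark -r "$PCAP" -Y "http.request && ip.src == $1" -T fields \
        -e ip.dst -e http.host -e http.request.uri | request_chain
}

# Run all three pivots; the client with the most Windows requests is the victim.
run_all() {
    victim=$(q1_windows_clients | sort -k2 -nr | head -n1 | cut -d' ' -f1)
    echo "victim: $victim"
    q2_q3_host_and_mac "$victim"
    q4_q6_chain "$victim"
}

if [ "${1:-}" = "--run" ]; then run_all; fi
```

Usage: `PCAP=/path/to/exercise.pcap sh pivots.sh --run`. The awk helpers are separate from the tshark calls on purpose: the same filters work on any capture, and the helpers can be sanity-checked on a few hand-written lines before trusting them on a large pcap.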
