Introduction

It's time for another ISC traffic analysis quiz!  Like previous quizzes, we have traffic and alerts from an infected Windows computer.  This month's quiz consists of:

  • a packet capture (pcap) of infection traffic
  • a image of the alerts shown in Squil
  • a text file listing the alerts with a few more details
  • a PDF document with answers to the questions below.

The alerts were created using Security Onion running Suricata using the EmergingThreats Pro ruleset, viewed through Sguil.

You can find the pcap, alerts, and answers here.  Don't peek at the answers just yet!

Environment and quiz questions

The environment where this infection takes place:

  • LAN segment range: 10.12.1.0/24 (10.12.1.0 thru 10.12.1.255)
  • Domain: mrnatural.info
  • Domain controller: 10.12.1.2 - MrNatural-DC
  • LAN segment gateway: 10.12.1.1
  • LAN segment broadcast address: 10.12.1.255

Here are questions to answer based on the pcap and the alerts:

  • What is the IP address of the infected Windows host?
  • What is the MAC address of the infected Windows host?
  • What is the host name of the infected Windows host?
  • What is the Windows user account name used on the the infected Windows host?
  • What is the date and time of this infection?
  • What is the SHA256 hash of the EXE or DLL that was downloaded from 5.44.43.72?
  • Which two IP addresses and associated domains have HTTPS traffic with "Internet Widgets Pty" as part of the certificate data?
  • Based on the alert for CnC (command and control) traffic, what type of malware caused this infection?

Requirements

This type of analysis requires Wireshark.  Wireshark is my tool of choice to review pcaps of infection activity.  However, default settings for Wireshark are not optimized for web-based malware traffic.  That's why I encourage people to customize Wireshark after installing it.  To help, I've written a series of tutorials.  The ones most helpful for this quiz are:

Furthermore, I  recommend using a non-Windows environment like BSD, Linux, or macOS to analyze malicious traffic.  This pcap contains HTTP traffic sending Windows-based malware.  If you're using a Windows host to review the pcap, your antivirus (or Windows Defender) may delete the pcap or malware.  Worst case scenario?  If you extract the malware from the pcap and accidentally run it, you might infect your Windows computer.

So beware, because there's actual malware involved for this exercise.

Final words

Again, files associated with this quiz (pcap, alerts, and answers) can be found here.

If you found this fun, we have previous traffic analysis quizzes:

---
Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Internet Storm Center Infocon Status