CyberDefenders: Malware Traffic Analysis 3 blueteam challenge.

Malware Traffic Analysis 3

SHA1SUM	d4bd3ffc582c51aa18664230a93815b736aa9c25
Published	Sept. 16, 2020
Author	Brad Duncan
Size	2.6 MB
Tags	Wireshark PCAP Malware Traffic Analysis Network

Instructions	Uncompress the challenge (pass: cyberdefenders.org) Load suricatarunner.exe and suricataupdater.exe in BrimSecurity from settings Uncompress suricata.zip from description and move suircata.rules to ".\var\lib\suricata\rules" inside suricatarunner directory

Your progress

0% Completed0/17 Questions

Your score

0/1900

Digital Forensics

Last solve

3 days ago by feitan

The attached PCAP belongs to an Exploitation Kit infection. Analyze it using your favorite tool and answer the challenge questions.

Tools:

#	Question	Weight	Solved
#1	What is the IP address of the infected Windows host?	50	561
Hint Report an issue

#2	What is the Exploit kit (EK) name? (two words)	100	467
Hint Report an issue

#3	What is the FQDN that delivered the exploit kit?	50	513
Hint Report an issue

#4	What is the redirect URL that points to the exploit kit landing page?	100	473
Hint Report an issue

#5	What is the FQDN of the compromised website?	50	504
Hint Report an issue

#6	Which TCP stream shows the malware payload being delivered? Provide stream number	100	429
Hint Report an issue

#7	What is the IP address of the C&C server?	100	426
Hint Report an issue

#8	What is the expiration date of the SSL certificate?	100	379
Hint Report an issue

#9	The malicious domain served a ZIP archive. What is the name of the DLL file included in this archive?	200	363
Hint Report an issue

#10	Extract the malware payload, deobfuscate it, and remove the shellcode at the beginning. This should give you the actual payload (a DLL file) used for the infection. What's the MD5 hash of the payload?	200	226
Hint Report an issue

#11	What were the two protection methods enabled during the compilation of the PE file? (comma-separated)	150	213
Hint Report an issue

#12	When was the DLL file compiled?	150	217
Hint Report an issue

#13	A Flash file was used in conjunction with the redirect URL. What URL was used to retrieve this flash file?	150	334
Hint Report an issue

#14	What is the CVE of the exploited vulnerability?	100	270
Hint Report an issue

#15	What was the web browser version used by the infected host?	100	328
Hint Report an issue

#16	What is the DNS query that had the highest RTT?	100	317
Hint Report an issue

#17	What the name of the SSL certificate issuer that appeared the most? (one word)	100	313
Hint Report an issue

Submit Writeup