CyberDefenders: Malware Traffic Analysis 3 blueteam challenge.

Malware Traffic Analysis 3

SHA1SUM	d4bd3ffc582c51aa18664230a93815b736aa9c25
Published	Sept. 16, 2020
Author	Brad Duncan
Size	2.6 MB
Tags	Wireshark PCAP Malware Traffic Analysis Network

Instructions	Uncompress the challenge (pass: cyberdefenders.org) Load suricatarunner.exe and suricataupdater.exe in BrimSecurity from settings Uncompress suricata.zip from description and move suircata.rules to ".\var\lib\suricata\rules" inside suricatarunner directory

Your progress

0% Completed0/17 Questions

Your score

0/1900

Digital Forensics

Last solve

today by d3codex

The attached PCAP belongs to an Exploitation Kit infection. Analyze it using your favorite tool and answer the challenge questions.

Tools:

#	Question	Weight	Solved
#1	What is the IP address of the infected Windows host?	50	584
Hint Report an issue

#2	What is the Exploit kit (EK) name? (two words)	100	486
Hint Report an issue

#3	What is the FQDN that delivered the exploit kit?	50	532
Hint Report an issue

#4	What is the redirect URL that points to the exploit kit landing page?	100	492
Hint Report an issue

#5	What is the FQDN of the compromised website?	50	521
Hint Report an issue

#6	Which TCP stream shows the malware payload being delivered? Provide stream number	100	445
Hint Report an issue

#7	What is the IP address of the C&C server?	100	442
Hint Report an issue

#8	What is the expiration date of the SSL certificate?	100	392
Hint Report an issue

#9	The malicious domain served a ZIP archive. What is the name of the DLL file included in this archive?	200	375
Hint Report an issue

#10	Extract the malware payload, deobfuscate it, and remove the shellcode at the beginning. This should give you the actual payload (a DLL file) used for the infection. What's the MD5 hash of the payload?	200	234
Hint Report an issue

#11	What were the two protection methods enabled during the compilation of the PE file? (comma-separated)	150	220
Hint Report an issue

#12	When was the DLL file compiled?	150	224
Hint Report an issue

#13	A Flash file was used in conjunction with the redirect URL. What URL was used to retrieve this flash file?	150	344
Hint Report an issue

#14	What is the CVE of the exploited vulnerability?	100	278
Hint Report an issue

#15	What was the web browser version used by the infected host?	100	338
Hint Report an issue

#16	What is the DNS query that had the highest RTT?	100	327
Hint Report an issue

#17	What the name of the SSL certificate issuer that appeared the most? (one word)	100	322
Hint Report an issue

Submit Writeup