Unzip the challenge (pass: cyberdefenders.org), analyze the pcap and answer the questions.
A network trace with attack data is provided. Please note that the IP address of the victim has been changed to hide the true location.
Multiple systems were targeted. Provide the highest of the targeted IP addresses.
What protocol do you think the attack was carried over?
What was the URL for the page used to serve malicious executables (don't include URL parameters)?
What is the number of the packet that includes a redirect to the French version of Google and is probably an indicator of geo-based targeting?
What was the CMS used to generate the page 'shop.honeynet.sg/catalog/'? (Three words, space in between)
What is the number of the packet that indicates that 'show.php' will not try to infect the same host twice?
One of the exploits being served targets a vulnerability in "msdds.dll". Provide the corresponding CVE number.
What is the name of the executable being served via 'http://sploitme.com.cn/fg/load.php?e=8'?
One of the malicious files was first submitted for analysis on VirusTotal at 2010-02-17 11:02:35 and has an MD5 hash ending with '78873f791'. Provide the full MD5 hash.
What is the name of the function that hosted the shellcode relevant to 'http://sploitme.com.cn/fg/load.php?e=3'?
Deobfuscate the JS at 'shop.honeynet.sg/catalog/' and provide the value of the 'click' parameter in the resulting URL.
Deobfuscate the JS at 'rapidshare.com.eyu32.ru/login.php' and provide the value of the 'click' parameter in the resulting URL.
What was the version of 'mingw-gcc' that compiled the malware?
The shellcode used a native function inside 'urlmon.dll' to download files from the internet to the compromised host. What is the name of the function?
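Several of the questions above (highest targeted IP, the URL serving executables, the packet number of the redirect to Google's French site) come down to the same triage step: walk the pcap packet by packet, pull out HTTP requests and responses, and keep the packet numbers so the answer can be cross-checked in Wireshark. The script below is an added example written for this page, not part of the CyberDefenders challenge or its answer key. It uses only the Python standard library, reads a classic (non-pcapng) pcap, and works on a small pcap that it constructs itself; the host names (`shop.example.test`, `dl.example.test`), the IP addresses and the four packets are all constructed sample data, not traffic from the challenge capture. Packet numbers are 1-based, matching Wireshark's "No." column.

```python
"""Pure-stdlib HTTP triage for a classic pcap: requests, redirects, PE bodies."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, little-endian


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; the parser ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)  # PSH|ACK
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a classic pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out


def iter_packets(data):
    """Yield (packet_number, frame_bytes) for every record; numbers are 1-based like Wireshark."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off, num = 24, 0
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        num += 1
        yield num, data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src_ip, dst_ip, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = str(ipaddress.ip_address(frame[26:30]))
    dst = str(ipaddress.ip_address(frame[30:34]))
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    doff = (tcp[12] >> 4) * 4
    return src, dst, tcp[doff:]


def parse_http(payload):
    """Split one HTTP message into (first-line tokens, lower-cased header dict, body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    first = lines[0].decode("latin-1", "replace").split(" ")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode("latin-1")] = v.strip().decode("latin-1")
    return first, headers, body


def triage(data):
    """One event per packet that starts an HTTP request or response."""
    events = []
    for num, frame in iter_packets(data):
        parsed = tcp_payload(frame)
        if not parsed:
            continue
        src, dst, payload = parsed
        if payload[:4] in (b"GET ", b"POST", b"HEAD"):
            first, h, _ = parse_http(payload)
            path = first[1].split("?", 1)[0] if len(first) > 1 else ""   # drop URL parameters
            events.append({"pkt": num, "kind": "request", "client": src,
                           "url": "http://" + h.get("host", dst) + path})
        elif payload.startswith(b"HTTP/1."):
            first, h, body = parse_http(payload)
            status = int(first[1]) if len(first) > 1 and first[1].isdigit() else 0
            events.append({"pkt": num, "kind": "response", "client": dst, "status": status,
                           "location": h.get("location"), "pe": body[:2] == b"MZ"})
    return events


def highest_client(events):
    """Numerically highest client IP seen (ipaddress sorts by address value, not as text)."""
    return str(max(ipaddress.ip_address(e["client"]) for e in events))


def redirect_packets(events, host_fragment):
    """Packet numbers of responses whose Location header contains host_fragment."""
    return [e["pkt"] for e in events
            if e["kind"] == "response" and e["location"] and host_fragment in e["location"]]


def executable_urls(events):
    """URLs whose response body starts with the PE 'MZ' magic, paired with the client's last request."""
    last_req, hits = {}, []
    for e in events:
        if e["kind"] == "request":
            last_req[e["client"]] = e["url"]
        elif e.get("pe") and e["client"] in last_req:
            hits.append(last_req[e["client"]])
    return hits


# Constructed sample capture: two clients, one geo-redirect, one PE download.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "192.0.2.10", 40001, 80,
                b"GET /catalog/ HTTP/1.1\r\nHost: shop.example.test\r\n\r\n"),
    build_frame("192.0.2.10", "10.0.0.5", 80, 40001,
                b"HTTP/1.1 302 Found\r\nLocation: http://www.google.fr/\r\nContent-Length: 0\r\n\r\n"),
    build_frame("10.0.0.7", "192.0.2.20", 40002, 80,
                b"GET /fg/load.php?e=8 HTTP/1.1\r\nHost: dl.example.test\r\n\r\n"),
    build_frame("192.0.2.20", "10.0.0.7", 80, 40002,
                b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00\x03"),
])

if __name__ == "__main__":
    ev = triage(SAMPLE_PCAP)
    print("highest client IP:", highest_client(ev))
    print("redirects to google.fr in packets:", redirect_packets(ev, "google.fr"))
    print("URLs that returned a PE file:", executable_urls(ev))
```

Two caveats matter when this is pointed at a real capture such as the challenge pcap. The script does not reassemble TCP streams, so it only sees the segment that carries the HTTP headers; that is enough to spot a 302 or an `MZ` header at the start of a body, but a gzip-encoded or chunked body will not match and should be checked with Wireshark's "Follow TCP Stream" or "File > Export Objects > HTTP" instead. It also treats the highest client address purely numerically, which is what the first question asks for, but in a real incident the interesting victim is the one that actually received a payload, not the one with the largest address.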