The attached PCAP belongs to an Exploitation Kit infection. Analyze it using your favourite tool and answer the challenge questions.
| # | Question | Weight | Solved | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | What is the IP address of the Windows VM that gets infected? | 50 | 694 | ||||||||||||
| 2 | What is the hostname of the Windows VM that gets infected? | 50 | 629 | ||||||||||||
| 3 | What is the MAC address of the infected VM? | 50 | 661 | ||||||||||||
| 4 | What is the IP address of the compromised web site? | 50 | 625 | ||||||||||||
| 5 | What is the domain name of the compromised web site? | 50 | 620 | ||||||||||||
| 6 | What is the IP address of the server that delivered the exploit kit and malware? | 50 | 589 | ||||||||||||
| 7 | What is the domain name that delivered the exploit kit and malware? | 50 | 585 | ||||||||||||
| 8 | What is the redirect URL that points to the exploit kit (EK) landing page? | 100 | 525 | ||||||||||||
| 9 | Other than CVE-2013-2551 IE exploit, what other exploit(s) sent by the EK? | 100 | 366 | ||||||||||||
| 10 | How many times was the payload delivered? | 100 | 486 | ||||||||||||
| 11 | What are the SIDs of the triggered Snort alerts? | 100 | 206 | ||||||||||||
| 12 | The compromised website has a malicious script with a URL. What is this URL? | 150 | 396 | ||||||||||||
| 13 | Extract the exploit file(s). What is (are) the MD5 file hash(es)? | 150 | 313 | ||||||||||||
| 14 | VirusTotal doesn't show how many times a specific rule was fired under the "Suricata alerts" section for the pcap analysis. Run the pcap file against your local Suricata (Emerging Threats Open ruleset) and provide the rule number that was fired the most. | 150 | 213 | ||||||||||||