CyberDefenders: Malware Traffic Analysis 1 blueteam challenge.

Malware Traffic Analysis 1

SHA1SUM	8c99d51484ce26fe39719a25afde3e00749c75a0
Published	Aug. 18, 2020
Author	Brad Duncan
Size	2.0 MB
Tags	Wireshark Suricata PCAP Malware Traffic Analysis Exploit Kit IOCs

Instructions	Uncompress the challenge (pass: cyberdefenders.org) Load suricatarunner.exe and suricataupdater.exe in BrimSecurity from settings Uncompress suricata.zip from description and move suircata.rules to ".\var\lib\suricata\rules" inside suricatarunner directory

Your progress

0% Completed0/13 Questions

Your score

Last solve

The attached PCAP belongs to an Exploitation Kit infection. Analyze it using your favorite tool and answer the challenge questions.

Tools:

#	Question	Weight	Solved
#1	What is the IP address of the Windows VM that gets infected?	50	999
Hint Report an issue

#2	What is the hostname of the Windows VM that gets infected?	50	908
Hint Report an issue

#3	What is the MAC address of the infected VM?	50	952
Hint Report an issue

#4	What is the IP address of the compromised web site?	50	892
Hint Report an issue

#5	What is the FQDN of the compromised website?	50	880
Hint Report an issue

#6	What is the IP address of the server that delivered the exploit kit and malware?	50	827
Hint Report an issue

#7	What is the FQDN that delivered the exploit kit and malware?	50	821
Hint Report an issue

#8	What is the redirect URL that points to the exploit kit (EK) landing page?	100	746
Hint Report an issue

#9	Other than CVE-2013-2551 IE exploit, another application was targeted by the EK and starts with "J". Provide the full application name.	100	562
Hint Report an issue

#10	How many times was the payload delivered?	100	697
Hint Report an issue

#12	The compromised website has a malicious script with a URL. What is this URL?	150	592
Hint Report an issue

#13	Extract the two exploit files. What are the MD5 file hashes? (comma-separated )	150	480
Hint Report an issue

#14	VirusTotal doesn't show how many times a specific rule was fired under the "Suricata alerts" section for the pcap analysis. Run the pcap file against your local Suricata (Emerging Threats Open ruleset) and provide the rule number that was fired the most.	150	337
Hint Report an issue