The attached PCAP belongs to an Exploitation Kit infection. Analyze it using your favourite tool and answer the challenge questions.

| # | Question | Weight | Solved |
|---|----------|--------|--------|
| 1 | What is the IP address of the infected Windows host? | 50 | 131 |
| 2 | What is the domain name of the compromised website? | 50 | 119 |
| 3 | What is the domain name that delivered the exploit kit and malware payload? | 50 | 113 |
| 4 | What is the exploit kit (EK) name? | 100 | 90 |
| 5 | What is the redirect URL that points to the exploit kit (EK) landing page? | 100 | 94 |
| 6 | Which TCP stream shows the malware payload being delivered? | 100 | 88 |
| 7 | What are the domain name and IP address of the HTTPS callback traffic caused by this malware infection? | 100 | 84 |
| 8 | What is the expiration date of the SSL certificate? | 100 | 69 |
| 9 | What is the MD5 of the modulus N used to generate the RSA public key in the previous SSL certificate? | 150 | 23 |
| 10 | The malicious domain served a ZIP archive. What is the name of the DLL file included in this archive? | 200 | 59 |
| 11 | Extract the malware payload, deobfuscate it, and remove the shellcode at the beginning. This should give you the actual payload (a DLL file) used for the infection. What is the MD5 hash of the payload? | 200 | 18 |
| 12 | What were the two protection methods enabled during the compilation of the present PE file? | 150 | 24 |
| 13 | When was the DLL file compiled? | 150 | 24 |
| 14 | A Flash file was used in conjunction with the redirect URL. What URL was used to retrieve this Flash file? | 150 | 70 |
| 15 | What is the CVE of the exploited vulnerability? | 100 | 50 |
| 16 | What was the web browser used by the infected host and its exact version? | 100 | 65 |
| 17 | What is the DNS query that had the highest RTT? | 100 | 61 |
| 18 | What is the name of the SSL certificate issuer that appeared the most? | 100 | 63 |
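Questions 12 and 13 both come down to reading two fields of the PE header: the COFF `TimeDateStamp` (the compile time) and the optional header's `DllCharacteristics` bitmask (where DEP/NX and ASLR support are flagged). The script below is an added example, not part of the challenge materials, and it does not touch the challenge PCAP or payload: it parses those fields from raw bytes using only the standard library, and the `build_sample_pe` helper fabricates a minimal header (constructed here, not a loadable image) so the parser can be exercised offline.

```python
"""Recover the compile timestamp and enabled mitigations from a PE header.

Added example for the challenge questions above; the sample PE bytes are
constructed in this file and are NOT the challenge payload.
"""
import struct
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_* bit values from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE (ASLR)",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT (DEP)",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit: image is a DLL
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe(data: bytes) -> dict:
    """Return compile time, PE format and mitigation flags for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file: missing MZ signature")
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_machine, _nsect, timestamp, _sym, _nsym,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics sits at offset 70 of the optional header for both
    # PE32 and PE32+ (the layouts only diverge after that field).
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    compiled = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "pe_format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "timestamp": timestamp,
        "compiled_utc": compiled.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "dll_characteristics": dll_chars,
        "protections": [name for bit, name in sorted(DLL_CHARACTERISTICS.items())
                        if dll_chars & bit],
    }


def build_sample_pe(timestamp: int, dll_characteristics: int, is_dll: bool = True) -> bytes:
    """Constructed minimal PE32 header (DOS header + PE sig + COFF + optional
    header, no sections). Only good for exercising parse_pe, not for loading."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> right after DOS header
    chars = (IMAGE_FILE_DLL if is_dll else 0) | 0x0102   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 96, chars)
    opt = bytearray(96)                             # PE32 optional header, no data directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed sample: DLL with ASLR and DEP flagged, timestamp 1500000000.
    info = parse_pe(build_sample_pe(1500000000, 0x0040 | 0x0100))
    print("compiled:", info["compiled_utc"])
    print("protections:", ", ".join(info["protections"]))
```

To run it against a file instead of the constructed sample, pass `open(path, "rb").read()` to `parse_pe`. Two caveats apply when you use the output as evidence: `TimeDateStamp` is written by the linker and is trivially forged, so it dates the build only if the sample's other artefacts agree with it, and a set `NX_COMPAT` or `DYNAMIC_BASE` bit records what the binary opted into, not what the loader actually enforced on the victim host.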