A network trace with attack data is provided. Please note that the IP address of the victim has been changed to hide the true location.

Supportive Tools:

  • Wireshark
  • strings
  • libemu
  • diff
  • hexdump
  • VirusTotal
  • QEMU
  • OllyDbg
  • Python
  • p0f
| # | Question | Weight | Solved |
|---|----------|--------|--------|
| 1 | What were the 4 IP addresses of the targeted systems (comma-separated)? | 50 | 73 |
| 2 | Which operating system was being targeted? | 50 | 56 |
| 3 | What protocol do you think the attack was carried over? | 50 | 73 |
| 4 | What was the URL for the page used to serve malicious executables (don't include URL parameters)? | 100 | 68 |
| 5 | What is the number of the packet that includes a redirect to the French version of Google and probably is an indicator for geo-based targeting? | 100 | 49 |
| 6 | What was the CMS used to generate the page 'shop.honeynet.sg/catalog/'? | 100 | 42 |
| 7 | What is the number of the packet that indicates that 'show.php' will not try to infect the same host twice? | 150 | 40 |
| 8 | One of the exploits being served targets a vulnerability in "msdds.dll". Provide the corresponding CVE number. | 150 | 55 |
| 9 | What is the name of the executable being served via 'http://sploitme.com.cn/fg/load.php?e=8'? | 150 | 36 |
| 10 | One of the malicious files was first submitted for analysis on VirusTotal at 2010-02-17 11:02:35 and has an MD5 hash ending with '78873f791'. Provide the full MD5 hash. | 150 | 41 |
| 11 | What is the name of the function that hosted the shellcode relevant to 'http://sploitme.com.cn/fg/load.php?e=3'? | 200 | 26 |
| 12 | Deobfuscate the JS at 'shop.honeynet.sg/catalog/' and provide the value of the 'click' parameter in the resulting URL. | 200 | 34 |
| 13 | Deobfuscate the JS at 'rapidshare.com.eyu32.ru/login.php' and provide the value of the 'click' parameter in the resulting URL. | 200 | 35 |
| 14 | What was the version of 'mingw-gcc' that compiled the malware? | 200 | 38 |
| 15 | The shellcode used a native function inside 'urlmon.dll' to download files from the internet to the compromised host. What is the name of the function? | 300 | 25 |
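The first questions (which client IPs were targeted, the protocol, the serving URL with its parameters stripped, the packet number of the Google redirect) are all answered by walking the HTTP traffic in the capture in packet order. The script below is an added example, not part of the challenge or its solutions: a standard-library-only pcap walker that numbers packets the way Wireshark does, pulls request lines and status lines out of single-segment HTTP, and reports those answers in the shape the questions ask for, run here over a constructed sample capture. The hostnames in the sample come from the question text; the IPs, ports, packet order and the google.fr redirect are invented placeholders, not the challenge's answers.

```python
# Added example: stdlib-only HTTP triage of a classic pcap (not part of the challenge).
# Assumes Ethernet/IPv4/TCP, classic pcap (not pcapng), and HTTP headers that fit in
# one TCP segment: no reassembly, so use Wireshark's Follow TCP Stream for the rest.
import socket
import struct


def _frame(src_ip, dst_ip, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame for the sample; checksums stay zero (unchecked)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian pcap (magic 0xa1b2c3d4, LINKTYPE_ETHERNET = 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out


def iter_frames(pcap):
    """Yield (packet number, frame bytes) using Wireshark's 1-based numbering."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap (pcapng? convert with: editcap -F pcap)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled")
    off, num = 24, 1
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        yield num, pcap[off + 16:off + 16 + incl_len]
        off, num = off + 16 + incl_len, num + 1


def tcp_payload(frame):
    """Return (src, dst, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), tcp[(tcp[12] >> 4) * 4:]


def http_events(pcap):
    """One dict per segment that begins with an HTTP request line or status line."""
    events = []
    for num, frame in iter_frames(pcap):
        parsed = tcp_payload(frame)
        if not parsed or not parsed[2]:
            continue
        src, dst, payload = parsed
        lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        first = lines[0].split(" ", 2)
        headers = {k.strip().lower(): v.strip()
                   for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
        if len(first) == 3 and first[2].startswith("HTTP/"):
            path, _, query = first[1].partition("?")  # drop params, as question 4 asks
            events.append({"pkt": num, "kind": "request", "client": src, "server": dst,
                           "url": "http://" + headers.get("host", dst) + path, "query": query})
        elif first[0].startswith("HTTP/") and len(first) >= 2 and first[1].isdigit():
            events.append({"pkt": num, "kind": "response", "client": dst, "server": src,
                           "status": int(first[1]), "location": headers.get("location")})
    return events


def targeted_hosts(events):
    """Distinct client IPs that sent requests (question 1 style)."""
    return sorted({e["client"] for e in events if e["kind"] == "request"})


def redirects_to(events, needle):
    """Packet numbers of 3xx responses whose Location contains needle (question 5 style)."""
    return [e["pkt"] for e in events if e["kind"] == "response"
            and 300 <= e["status"] < 400 and e["location"] and needle in e["location"]]


def served_urls(events):
    """Parameter-less request URLs mapped to the set of query strings seen for each."""
    urls = {}
    for e in events:
        if e["kind"] == "request":
            urls.setdefault(e["url"], set()).add(e["query"])
    return urls


# Constructed sample: hostnames come from the question text, everything else is invented.
SAMPLE_PCAP = build_pcap([
    _frame("192.0.2.10", "198.51.100.5", 1025, 80,
           b"GET /catalog/ HTTP/1.1\r\nHost: shop.honeynet.sg\r\n\r\n"),
    _frame("198.51.100.5", "192.0.2.10", 80, 1025,
           b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html></html>"),
    _frame("192.0.2.10", "198.51.100.7", 1026, 80,
           b"GET /fg/show.php HTTP/1.1\r\nHost: sploitme.com.cn\r\n\r\n"),
    _frame("198.51.100.7", "192.0.2.10", 80, 1026,
           b"HTTP/1.1 302 Found\r\nLocation: http://www.google.fr/\r\n\r\n"),
    _frame("192.0.2.11", "198.51.100.7", 1027, 80,
           b"GET /fg/load.php?e=8 HTTP/1.1\r\nHost: sploitme.com.cn\r\n\r\n"),
    _frame("192.0.2.11", "198.51.100.7", 1028, 80,
           b"GET /fg/load.php?e=3 HTTP/1.1\r\nHost: sploitme.com.cn\r\n\r\n"),
])

if __name__ == "__main__":
    ev = http_events(SAMPLE_PCAP)
    print(targeted_hosts(ev), redirects_to(ev, "google.fr"), served_urls(ev))
```

Two caveats matter when pointing this at the real capture. Packet numbers only line up with Wireshark when both read the same file with no display filter applied, and the script reads the classic pcap format only (convert pcapng with editcap first). It also sees a redirect only when it is carried in an HTTP Location header; a redirect done from JavaScript or a meta refresh, which is exactly what a drive-by landing page tends to use, will not show up, so for questions that hinge on page content (the CMS fingerprint, the 'show.php' behaviour, the obfuscated JS) follow the TCP stream in Wireshark and read the body.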