This lab walkthrough focuses on analyzing a network traffic capture (PCAP) to investigate a malicious infection chain associated with an exploit kit attack. By examining HTTP requests, responses, and payload deliveries, we will uncover critical indicators of compromise (IOCs), including suspicious domains, exploit redirects, and malware payloads. The analysis will involve using tools such as Wireshark and NetworkMiner to extract relevant artifacts, trace attacker infrastructure, and understand the infection vector. The scenario involves a victim system interacting with multiple endpoints, initiating requests to potentially compromised websites, and retrieving files that may contain exploits or malicious payloads. Throughout this investigation, we will identify key elements such as the redirection mechanism leading to the exploit kit’s landing page, files delivered during the attack, and encryption or obfuscation techniques used by the malware. Additionally, the analysis will extend to uncovering potential command-and-control (C2) communication, allowing us to determine the infrastructure used by the attackers.
Part of this investigation will be reconstructing the downloaded payload to determine its nature. This will involve techniques such as XOR decryption, unpacking compressed archives, and extracting key malicious components. Throughout this walkthrough, we will apply network forensics methodologies to systematically analyze the captured traffic, connect the dots between different elements of the attack, and derive meaningful conclusions about the exploitation process. This hands-on investigation will provide a deeper understanding of exploit kit behavior, malware delivery
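As an added example (not part of the original lab material), the snippet below shows the payload-reconstruction step described above: recovering a single-byte XOR key from a carved download by testing every key against known file signatures, then inventorying the decrypted ZIP in memory. The sample payload, the key `0x5A` and the member name `dropper.exe` are constructed for the demo and stand in for whatever the real capture contains.

```python
import io
import zipfile

# File signatures that an exploit-kit payload commonly decrypts to.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
    b"%PDF": "pdf",
}

def xor_decrypt(blob: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to the buffer (XOR is its own inverse)."""
    return bytes(b ^ key for b in blob)

def recover_xor_key(blob: bytes):
    """Brute-force all 256 single-byte keys; return (key, kind) for the first
    key whose decrypted header matches a known signature, else None."""
    for key in range(256):
        head = xor_decrypt(blob[:4], key)
        for magic, kind in MAGIC.items():
            if head.startswith(magic):
                return key, kind
    return None

def list_zip_members(decrypted: bytes):
    """Inventory the decrypted archive without writing anything to disk."""
    with zipfile.ZipFile(io.BytesIO(decrypted)) as zf:
        return [(i.filename, i.file_size) for i in zf.infolist()]

def build_sample(key: int = 0x5A) -> bytes:
    """Constructed sample: a ZIP holding a fake PE stub, XOR-encrypted with
    `key`. It stands in for the payload carved out of the PCAP; not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dropper.exe", b"MZ" + b"\x00" * 62 + b"fake-stub")
    return xor_decrypt(buf.getvalue(), key)

def analyze(blob: bytes):
    """Recover the key, decrypt, and list archive members when it is a ZIP."""
    found = recover_xor_key(blob)
    if found is None:
        return None
    key, kind = found
    plain = xor_decrypt(blob, key)
    members = list_zip_members(plain) if kind == "zip" else []
    return {"key": key, "kind": kind, "members": members}

if __name__ == "__main__":
    print(analyze(build_sample()))
```

On a real capture, replace `build_sample()` with the bytes of the HTTP response body exported from Wireshark or NetworkMiner; a `None` result means the payload is not a single-byte XOR of a ZIP, PE or PDF and needs a different decoding hypothesis.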