The SOC team at SunshineClinic has detected abnormally high CPU usage on their production web server hosting sunshineclinic.com, a healthcare appointment booking platform running on Apache Tomcat 11.0.2. Initial triage revealed suspicious outbound connections to unknown external IP addresses that do not belong to any SunshineClinic infrastructure. A full network capture (PCAP) was taken from the affected server (local IP 172.31.45.14, public IP 18.195.127.226) and escalated for forensic investigation.
As the assigned DFIR analyst, your mission is to analyze this PCAP and reconstruct the full attack chain. The investigation will take you through 8 phases — from reconnaissance and exploitation of a critical Tomcat vulnerability (CVE-2025-24813), through Cobalt Strike C2 deployment and encrypted webshell operations, to data exfiltration of patient records and cryptominer deployment that explains the original CPU alert.
This walkthrough covers 21 questions with a detailed, step-by-step investigation methodology for each. Every Wireshark filter, Brim query, and decryption script is provided so you can reproduce the analysis independently. For the best learning experience, try answering each question yourself before reading the solution. The tools used throughout are Wireshark, Zui (Brim), NetworkMiner, Python, PowerShell, and CobaltStrikeParser.