2014-11-16 TRAFFIC ANALYSIS EXERCISE - ANSWERS
PCAP is at: http://malware-traffic-analysis.net/2014/11/16/2014-11-16-traffic-analysis-exercise.pcap
Here's a tutorial for changing the column display in Wireshark:
http://www.malware-traffic-analysis.net/tutorials/wireshark/index.html
LEVEL 1 ANSWERS:
1) What is the IP address of the Windows VM that gets infected?
172.16.165.165
2) What is the host name of the Windows VM that gets infected?
K34EN6W3N-PC
3) What is the MAC address of the infected VM?
f0:19:af:02:9b:f1
4) What is the IP address of the compromised web site?
82.150.140.30
5) What is the domain name of the compromised web site?
www.ciniholland.nl
6) What is the IP address and domain name that delivered the exploit kit and malware?
37.200.69.143
7) What is the domain name that delivered the exploit kit and malware?
stand.trustandprobaterealty.com
LEVEL 2 ANSWERS:
1) What is the redirect URL that points to the exploit kit (EK) landing page?
http://24corp-shop.com/
2) Besides the landing page (which contains the CVE-2013-2551 IE exploit), what other exploit(s)
were sent by the EK?
a Flash exploit and a Java exploit
4) How many times was the payload delivered?
3
5) Submit the pcap to VirusTotal and find out what snort alerts triggered. What EK names
are shown in the Suricata alerts?
ET CURRENT_EVENTS Goon/Infinity URI Struct EK Landing May 05 2014
ET CURRENT_EVENTS RIG EK Landing URI Struct
ET CURRENT_EVENTS GoonEK encrypted binary (3)
Page 1 of 9
LEVEL 3 ANSWERS:
1) Checking my website, what have I (and others) been calling this exploit kit?
Rig EK
2) What file or page from the compromised website has the malicious script with the URL for the
redirect?
The index page for www.ciniholland.nl had the URL for http://24corp-shop.com/
3) Extract the exploit file(s). What is(are) the md5 file hash(es)?
Flash exploit: 7b3baa7d6bb3720f369219789e38d6ab
Java exploit: 1e34fdebbf655cebea78b45e43520ddf
4) VirusTotal doesn't show all the VRT rules under the "Snort alerts" section for the pcap analysis. If
you run your own version of Snort with the VRT ruleset as a registered user (or a subscriber), what
VRT rules fire?
[1:30936:3] EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure
[1:30934:2] EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download
[1:25562:4] FILE-JAVA Oracle Java obfuscated jar file download attempt
[1:27816:5] EXPLOIT-KIT Multiple exploit kit jar file download attempt
2014-11-16 TRAFFIC ANALYSIS EXERCISE - EXPLANATIONS
LEVEL 1 ANSWERS:
1) What is the IP address of the Windows VM that gets infected?
172.16.165.165
Easy enough to find this info... Just filter on http.request.
2) What is the host name of the Windows VM that gets infected?
K34EN6W3N-PC
You can find this through the NBNS or DHCP traffic.
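As an added example (not part of the original exercise), the two places the hostname can be recovered from, decoded by hand rather than in Wireshark: the NetBIOS first-level name encoding used in NBNS packets (RFC 1001) and DHCP option 12 (RFC 2132). The packets below are constructed samples built around the answer above, not bytes from the pcap.

```python
import struct

# NetBIOS first-level encoding (RFC 1001, 14.1): each of the 16 name bytes is
# split into two nibbles and each nibble is added to ord('A'), giving a
# 32-character label. Byte 16 is the service suffix (0x00 = workstation).
def nbns_decode_name(encoded: str):
    if len(encoded) != 32:
        raise ValueError("first-level encoded NetBIOS name must be 32 chars")
    raw = bytes(((ord(encoded[i]) - ord('A')) << 4) | (ord(encoded[i + 1]) - ord('A'))
                for i in range(0, 32, 2))
    return raw[:15].decode('ascii').rstrip(' '), raw[15]

def nbns_encode_name(name: str, suffix: int = 0x00) -> str:
    raw = name.upper().encode('ascii').ljust(15, b' ') + bytes([suffix])
    return ''.join(chr(ord('A') + (b >> 4)) + chr(ord('A') + (b & 0x0F)) for b in raw)

# NBNS question name from a UDP/137 payload: 12-byte DNS-style header, then a
# length byte, the 32-char label, and a 0x00 terminator.
def nbns_question_name(payload: bytes):
    length = payload[12]
    label = payload[13:13 + length].decode('ascii')
    return nbns_decode_name(label)

# DHCP: options begin at offset 240 of the BOOTP payload (right after the
# 0x63825363 magic cookie). Option 12 is Host Name; 0 is pad, 255 is end.
def dhcp_host_name(payload: bytes):
    i = 240
    while i < len(payload):
        opt = payload[i]
        if opt == 255:
            break
        if opt == 0:
            i += 1
            continue
        length = payload[i + 1]
        if opt == 12:
            return payload[i + 2:i + 2 + length].decode('ascii')
        i += 2 + length
    return None

# Constructed samples: an NBNS name registration request and a DHCP Request
# carrying the hostname from the answer above.
NBNS_SAMPLE = (struct.pack('!HHHHHH', 0x8001, 0x2910, 1, 0, 0, 1)
               + bytes([32]) + nbns_encode_name("K34EN6W3N-PC").encode('ascii')
               + b'\x00' + struct.pack('!HH', 0x0020, 0x0001))
DHCP_SAMPLE = (bytes(236) + b'\x63\x82\x53\x63' + bytes([53, 1, 3])
               + bytes([12, 12]) + b'K34EN6W3N-PC' + b'\xff')

if __name__ == "__main__":
    print("NBNS:", nbns_question_name(NBNS_SAMPLE))
    print("DHCP:", dhcp_host_name(DHCP_SAMPLE))
```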
3) What is the MAC address of the infected VM?
f0:19:af:02:9b:f1
4) What is the IP address of the compromised web site?
82.150.140.30
5) What is the domain name of the compromised web site?
www.ciniholland.nl
6) What is the IP address and domain name that delivered the exploit kit and malware?
37.200.69.143
7) What is the domain name that delivered the exploit kit and malware?
stand.trustandprobaterealty.com
LEVEL 2 ANSWERS:
1) What is the redirect URL that points to the exploit kit (EK) landing page?
http://24corp-shop.com/
You can see it here from the preview pane:
Or you can export the HTML object (File --> Export Object --> HTTP)
And find it in the extracted file:
2) Besides the landing page (which contains the CVE-2013-2551 IE exploit), what other exploit(s)
were sent by the EK?
a Flash exploit and a Java exploit
Go to the export HTTP objects screen, and you can see this (File --> Export Object --> HTTP)
4) How many times was the payload delivered?
3 (the payload is encrypted, but it's marked as x-msdownload).
5) Submit the pcap to VirusTotal and find out what snort alerts triggered. What EK names
are shown in the Suricata alerts?
ET CURRENT_EVENTS Goon/Infinity URI Struct EK Landing May 05 2014
ET CURRENT_EVENTS RIG EK Landing URI Struct
ET CURRENT_EVENTS GoonEK encrypted binary (3)
https://www.virustotal.com/en/file/0e3fac547536f773bf1a21180a2294a10be97e956f091d24e168f147ecf5fafd/analysis/
LEVEL 3 ANSWERS:
1) Checking my website, what have I (and others) been calling this exploit kit?
Rig EK
Rig is similar to Infinity EK (originally identified as Goon in the spring of 2014). Some good info on
Rig EK can be found at: http://www.kahusecurity.com/2014/rig-exploit-pack/
2) What file or page from the compromised website has the malicious script with the URL for the
redirect?
The index page for www.ciniholland.nl had the URL for http://24corp-shop.com/
Follow tcp.stream eq 0 for the www.ciniholland.nl index page...
Scroll down a bit, and you'll find it right before the end of the page header lines.
3) Extract the exploit file(s). What is(are) the md5 file hash(es)?
Flash exploit: 7b3baa7d6bb3720f369219789e38d6ab
Java exploit: 1e34fdebbf655cebea78b45e43520ddf
Export these HTTP objects (File --> Export Object --> HTTP)
You'll only need to do one for each exploit (Flash and Java). You can use a *nix command line tool
or submit the files to Virus Total.
Flash exploit:
https://www.virustotal.com/en/file/e2e33b802a0d939d07bd8291f23484c2f68ccc33dc0655eb4493e5d3aebc0747/analysis/
Java exploit:
https://www.virustotal.com/en/file/178be0ed83a7a9020121dee1c305fd6ca3b74d15836835cfb1684da0b44190d3/analysis/
4) VirusTotal doesn't show all the VRT rules under the "Snort alerts" section for the pcap analysis. If
you run your own version of Snort with the VRT ruleset as a registered user (or a subscriber), what
VRT rules fire?
[1:30936:3] EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure
[1:30934:2] EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download
[1:25562:4] FILE-JAVA Oracle Java obfuscated jar file download attempt
[1:27816:5] EXPLOIT-KIT Multiple exploit kit jar file download attempt
Your results will vary, depending on how you have your Snort installation configured. If you haven't
tried to set up Snort on your own, check out some of the Snort Setup Guides at:
https://www.snort.org/documents