Quiz Instructions
This is a quiz only in name. It is meant to guide you through your exploration of the files and there is no time limit. It can start and be resumed at any time (it autosaves) but once submitted scores will be final. Do NOT submit unless you are ready.
Once submitted, if you would like to see your answers stop by my office.
Wireshark is probably a familiar tool to you all and it is also the quickest tool to help you evaluate peculiar traffic as long as you have full packet capture data available. Often as an analyst this may not be the case since you may be monitoring systems containing sensitive data (e.g., medical records) but as long as you have PCAP data, you might as well use them.
This assignment is all about that golden scenario that PCAP data are available and you need to find what's in them. To make it more fun, this is a scavenger hunt of sorts in the sense that I am giving you the PCAP files and the only thing I am telling you is that each one hides something bad.
The trick is for you to be smart about how you traverse through these records and to also use publicly available tools to save you some time. VirusTotal and PacketTotal are two tools that you could use for this:
· https://www.virustotal.com/#/home/upload
· https://packettotal.com/
· https://w3techs.com/sites
Then rebuild the story of each one of the traffic logs. Sidenote: no need to go too much in depth about non-interesting regular traffic (i.e., just say that there is some typical http and smtp traffic along with the suspicious one). Describe in depth the suspicious traffic/attack.
PCAP files: Exercise PCAP dirty traffic.zip

Important
PCAP files can also be played against Bro, Suricata or Snort (or any other IDS for that matter). If you use tcpreplay to play back the PCAP file to a network interface make sure you are playing it on loopback or some other fake network adapter (otherwise lots of people may notice the malware coming out of your primary network adapter...bad bad)
 
What to use for the assignment
You can utilize VirtualBox (or some other VM) to build your testing machines. Lab computers may be more appropriate if you load demanding machines. Use primary secondary websites and Wireshark for this assignment.
 
Useful distros that you can further play around with but are not necessary to complete the assignment include:
· SELKS: https://www.stamus-networks.com/open-source/#selks
· SecurityOnion: https://securityonion.net/
· Kali: https://www.kali.org/
SO is by far the most demanding requiring a min of 8GB if ELK stack is utilized. With SELKS, you can get away with 3GB. Kali is useful for pentests but many of these you can initiate from your host computer. If you do not have sudo access in the host machine check this guide if you need to build several tools from source: Installing with no sudo access
Question 1 1 pts
ex1.pcap. What is the name of the Trojan that was used in the attack? Type just the main name (x) not the variants (x.A, x.N, etc.)
 
Question 2 1 pts
ex1.pcap. Read more on the Trojan; search the web and records on Common Vulnerabilities and Exposures (CVE). Then read a bit further on: http://oemhub.bitdefender.com/11-frequently-asked-questions-about-malware-botnets-%E2%80%93-answered
The outbound IP addresses that are the likely C&C for the trojan were: and
The countries of origin were: and
 
Question 3 1 pts
ex1.pcap. Why are there many DNS requests to seemingly random domain names?
Group of answer choices
The trojan utilizes a domain generation algorithm.
The trojan has the addresses hard-coded in its code.
There are just normal DNS requests by other programs on the computer.
It is an obfuscation tactic by the trojan to hide real traffic.
 
Question 4 1 pts
ex2.pcap. What is the name of the bot that we do observe? (enter just the base name)
 
Question 5 1 pts
ex2.pcap. What domain name did it come from? (enter only as example.com)
Check via Wireshark; there are events happening moments before the appearance of Lokibot. This will indicate how that malware appeared on the victim's computer.
 
Question 6 1 pts
ex2.pcap. How did the user navigate to that domain? What service/software/activity were they using before that likely led them to make the http request?
 
Question 7 1 pts
ex3.pcap. What domain did the bad redirect come from? (enter only as example.com)
 
Question 8 1 pts
ex3.pcap. Is the website where the redirect came from a malicious website? (This can be answered in several ways, using whois tools, blacklists and the Wayback Machine.)
Group of answer choices
No
Yes
 
Question 9 1 pts
ex3.pcap. What software framework was the website that issued the redirect running? [hint: I am NOT looking for a programming language]
 
Question 10 1 pts
ex3.pcap. What is the suspicious top domain? (You can answer this question if you do a bit of research on the domains without even looking at the pcap)
Group of answer choices
.tk
.com
.net
.gr
 
Question 11 1 pts
ex3.pcap. What is the attack all about?
Group of answer choices
Scam
Malware
Virus
Botnet
 

Question 12
ex4.pcap. What's the attack?
Group of answer choices
Ransomware
Botnet
Virus
Spyware
 
Question 13 1 pts
ex4.pcap. Where is the C&C for the ransomware?
Group of answer choices
.onion address
single IP address
domain generation algorithm
multiple IP addresses
 
Question 14 1 pts
ex5.pcap. You'll need to do a bit of research on the vulnerability alerts you will get through analyzing this pcap. It has several stages and you may get several alerts for each. Let's start with an easy one. What is the domain of the compromised website? It is the one that starts the sequence of events. Hint: it runs a particular website framework. (enter as example.com)
 
Question 15 1 pts
ex5.pcap. What is the name of the executable that is downloaded?
 
Question 16 1 pts
ex5.pcap. What is the installed software, the end goal of the attack? ET PRO (Emerging Threats Pro) signatures (one of the websites supports these) will indicate the type of software that is observed. Type only the main name (single word). Hint: It is a legitimate software.
 
Question 17 1 pts
ex6.pcap. What is the name of the malware/trojan found on the pcap? Enter just its basic name (Michael) and no variants (Michael.x, michael/y)
 
Question 18 1 pts
ex6.pcap. Read more on the type of attack with regard to the infection chain. You will need to look around the time the infection happened (yes, trojans have multiple lifetimes). What was the likely infection chain?
Group of answer choices
Mail spam -> office macro -> download exe
Website scam -> download exe
Website scam -> redirect -> download exe
Network scan for 49759 tcp open port -> connect using tcp to service and execute remote exe code
Skeeyah.A!rfn
Answered 1 day after Jan 20, 2023
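An added example, not part of the assignment or of the posted answer, of the kind of check behind Question 3: a scoring heuristic for random-looking DNS query names of the sort a domain generation algorithm produces, run over constructed sample records rather than the assignment's PCAPs. It assumes the names and response codes were exported from a capture with tshark (dns.qry.name, dns.flags.rcode); the thresholds are illustrative, not tuned values.

```python
import math
from collections import Counter

# Constructed sample of (query name, DNS rcode) pairs, roughly the shape of
#   tshark -r ex1.pcap -Y "dns.flags.response==1" -T fields \
#          -e dns.qry.name -e dns.flags.rcode
# Names are made up for this example; they are not from the assignment's PCAPs.
SAMPLE_RECORDS = [
    ("www.example.com", 0), ("mail.example.org", 0), ("cdn.example.net", 0),
    ("xkqzvbtrwplmdjf.com", 3), ("qwrtpzvxnmlkjhg.net", 3),
    ("bvcxzlkjhgfdsaq.org", 3), ("plmoknijbuhvygc.info", 3),
    ("zaqwsxcderfvbgt.biz", 0),  # one generated name that actually resolved
]

def shannon_entropy(s):
    """Bits per character; high for names with little letter repetition."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(name):
    """Second-level label: 'xkqzvbtrwplmdjf' for 'xkqzvbtrwplmdjf.com'."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(name):
    """Heuristic 0..3: one point each for high entropy, few vowels, long label."""
    label = registrable_label(name)
    score = 0
    if shannon_entropy(label) > 3.5:
        score += 1
    if label and sum(ch in "aeiou" for ch in label) / len(label) < 0.2:
        score += 1
    if len(label) >= 12:
        score += 1
    return score

def analyze(records, score_threshold=2, min_hits=3):
    """Flag random-looking names; a DGA host also tends to get mostly NXDOMAIN
    (rcode 3) answers, because only a few generated names are registered."""
    flagged = [n for n, _ in records if dga_score(n) >= score_threshold]
    nxdomain = sum(1 for n, rc in records if rc == 3 and n in flagged)
    nx_ratio = nxdomain / len(flagged) if flagged else 0.0
    verdict = len(flagged) >= min_hits and nx_ratio >= 0.5
    return flagged, nx_ratio, verdict

if __name__ == "__main__":
    flagged, ratio, verdict = analyze(SAMPLE_RECORDS)
    print(f"{len(flagged)} DGA-like names, NXDOMAIN ratio {ratio:.2f}, DGA={verdict}")
```

A hard-coded C&C address (the second answer choice) would show as a handful of resolvable names or none at all, which this check leaves unflagged.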

Solution

Baljit answered on Jan 21 2023
33 Votes