2015-02-24: Traffic analysis exercise - Helping out an inexperienced analyst (0xd0s/Pcap-Analysis GitHub Wiki)

2015-02-24: Traffic analysis exercise - Helping out an inexperienced analyst

  1. Date and time of the activity
    From 2015-02-24 04:04 to 2015-02-24 04:07.
  2. IP address of the associated desktop (or laptop) computer
    10.10.100.139
  3. Host name of the associated desktop (or laptop) computer
    STEPHANIE-PC
  4. MAC address of the associated desktop (or laptop) computer
    28:92:4A:3B:5F:CD
    Screenshot for questions 2, 3 and 4: [image]
  5. Brief summary of the activity
    In summary, the host STEPHANIE-PC (10.10.100.139) visited mpzfprxfdn.serveftp[.]com over HTTP and downloaded malicious files, among them a Java archive, a PDF and a Flash (x-shockwave-flash) file.

    In order to understand what is going on in this pcap, I started by looking at the statistics in Wireshark (Statistics > Protocol Hierarchy). As the image below shows, all traffic is IPv4 and 92% of it is TCP; of the TCP traffic, HTTP accounted for 76.6% of all bytes. With that breakdown, HTTP traffic seems like a good place to start. [image]

    Filtering on http, we can see pretty quickly that someone issued a GET request to mpzfprxfdn.serveftp[.]com. [image]

    If we follow the TCP stream, we see an HTTP response with a Content-Type of "application/x-shockwave-flash". [image]

    Let's export some of the files (in Wireshark: File > Export Objects > HTTP) to verify the file type from the bytes themselves, not just the Content-Type header, and to run the hashes through VirusTotal. The screenshot below shows that several files were downloaded; I am only interested in the java-archive, pdf and x-shockwave-flash files. [image]

    File information and hashes are shown below. Running the hashes through VirusTotal shows that all three files are flagged as malicious by a large number of engines. [image]

    Java archive: [image]

    PDF file: [image]

    Shockwave Flash: [image]
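The same triage done without the Wireshark GUI, as an added example that is not part of the original write-up and not the author's tooling: a standard-library-only script that walks a classic pcap, pulls the client MAC/IP and the Host header from each HTTP request, then carves each HTTP response body, hashes it for a VirusTotal lookup and identifies the file type from its magic bytes rather than trusting the Content-Type header. The capture is constructed inline so the script runs offline; the client MAC, IP and host name are the ones from the write-up, while the server IP (203.0.113.10), ports, URI and the 32-byte SWF body are made-up values, not data from the exercise pcap.

```python
"""Offline pcap triage (added example, stdlib only). The sample capture is
constructed below; the carver handles single-segment responses only and does
not reassemble TCP streams, so for real captures with large objects use
Wireshark's Export Objects (or tshark --export-objects) instead."""
import hashlib
import struct

# -- constructed sample capture: MAC/IP/host from the write-up, server IP made up
CLIENT_MAC, SERVER_MAC = "28:92:4a:3b:5f:cd", "00:11:22:33:44:55"
CLIENT_IP, SERVER_IP = "10.10.100.139", "203.0.113.10"
REQ = (b"GET /index.php HTTP/1.1\r\nHost: mpzfprxfdn.serveftp.com\r\n"
       b"User-Agent: Mozilla/5.0\r\n\r\n")
BODY = b"CWS\x0a" + b"\x00" * 28                        # 'CWS' = zlib-compressed SWF magic
RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-shockwave-flash\r\n"
        b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY

def _frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums (enough for our parser)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(map(int, a.split(".")))
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ip4(src_ip), ip4(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames, t0=1424750640):                  # 2015-02-24 04:04:00 UTC
    """Classic little-endian pcap (magic 0xA1B2C3D4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(f), len(f)) + f
    return out

PCAP = build_pcap([
    _frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 49170, 80, REQ),
    _frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 49170, RESP),
])

# -- parser -------------------------------------------------------------------
MAGIC = {b"CWS": "Flash (SWF, zlib)", b"FWS": "Flash (SWF)", b"ZWS": "Flash (SWF, LZMA)",
         b"%PDF": "PDF", b"PK\x03\x04": "ZIP/JAR"}

def file_type(data):
    """Identify a carved object by its leading bytes, not by the Content-Type."""
    return next((n for m, n in MAGIC.items() if data.startswith(m)), "unknown")

def iter_frames(pcap):
    """Yield raw frames from a classic little-endian pcap (pcapng not handled)."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip, sport, dport, tcp_payload) for IPv4/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ihl = (frame[14] & 0x0F) * 4
    src_ip, dst_ip = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src_mac, src_ip, dst_ip, sport, dport, tcp[(tcp[12] >> 4) * 4:]

def header(head, name):
    """Value of header `name` (case-insensitive) from a raw HTTP head, or '?'."""
    for line in head.decode("latin-1").split("\r\n")[1:]:
        k, _, v = line.partition(":")
        if k.strip().lower() == name:
            return v.strip()
    return "?"

def triage(pcap):
    """Answer the write-up's questions 2, 4 and 5: who talked, to which host,
    and what came back (declared type, real type, size, SHA-256 for VirusTotal)."""
    r = {"clients": set(), "hosts": set(), "objects": []}
    for frame in iter_frames(pcap):
        p = parse_frame(frame)
        if p is None or not p[5]:
            continue
        src_mac, src_ip, dst_ip, sport, dport, payload = p
        if payload.startswith((b"GET ", b"POST ")):
            head = payload.split(b"\r\n\r\n", 1)[0]
            r["clients"].add((src_mac, src_ip))
            r["hosts"].add(header(head, "host"))
        elif payload.startswith(b"HTTP/1."):
            head, _, body = payload.partition(b"\r\n\r\n")
            r["objects"].append({"server": src_ip, "content_type": header(head, "content-type"),
                                 "magic": file_type(body), "size": len(body),
                                 "sha256": hashlib.sha256(body).hexdigest()})
    return r

if __name__ == "__main__":
    for k, v in triage(PCAP).items():
        print(k, v)
```

On a real capture the equivalent tshark steps are: `tshark -r file.pcap -q -z io,phs` for the protocol hierarchy that motivated starting with HTTP, `tshark -r file.pcap -Y http.request -T fields -e eth.src -e ip.src -e http.host -e http.request.uri` for question 2/4 and the visited host, and `tshark -r file.pcap --export-objects http,objs` followed by `sha256sum objs/*` for the files and hashes. The hostname in question 3 is not carried in HTTP; in a capture like this it normally comes from DHCP or NetBIOS name service frames (display filter `dhcp || nbns`). Checking the magic bytes matters because the server, not the victim, chooses the Content-Type header.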
