Traffic Analysis Quiz: Mr Natural
Last Updated: 2020-12-03 02:03:57 UTC
by Brad Duncan (Version: 1)
It's time for another ISC traffic analysis quiz! Like previous quizzes, we have traffic and alerts from an infected Windows computer. This month's quiz consists of:
- a packet capture (pcap) of infection traffic
- a image of the alerts shown in Squil
- a text file listing the alerts with a few more details
- a PDF document with answers to the questions below.
The alerts were created using Security Onion running Suricata using the EmergingThreats Pro ruleset, viewed through Sguil.
You can find the pcap, alerts, and answers here. Don't peek at the answers just yet!
Environment and quiz questions
The environment where this infection takes place:
- LAN segment range: 10.12.1.0/24 (10.12.1.0 thru 10.12.1.255)
- Domain: mrnatural.info
- Domain controller: 10.12.1.2 - MrNatural-DC
- LAN segment gateway: 10.12.1.1
- LAN segment broadcast address: 10.12.1.255
Here are questions to answer based on the pcap and the alerts:
- What is the IP address of the infected Windows host?
- What is the MAC address of the infected Windows host?
- What is the host name of the infected Windows host?
- What is the Windows user account name used on the the infected Windows host?
- What is the date and time of this infection?
- What is the SHA256 hash of the EXE or DLL that was downloaded from 220.127.116.11?
- Which two IP addresses and associated domains have HTTPS traffic with "Internet Widgets Pty" as part of the certificate data?
- Based on the alert for CnC (command and control) traffic, what type of malware caused this infection?
This type of analysis requires Wireshark. Wireshark is my tool of choice to review pcaps of infection activity. However, default settings for Wireshark are not optimized for web-based malware traffic. That's why I encourage people to customize Wireshark after installing it. To help, I've written a series of tutorials. The ones most helpful for this quiz are:
- Wireshark Tutorial: Changing Your Column Display
- Wireshark Tutorial: Display Filter Expressions
- Wireshark Tutorial: Identifying Hosts and Users
- Wireshark Tutorial: Exporting Objects from a Pcap
Furthermore, I recommend using a non-Windows environment like BSD, Linux, or macOS to analyze malicious traffic. This pcap contains HTTP traffic sending Windows-based malware. If you're using a Windows host to review the pcap, your antivirus (or Windows Defender) may delete the pcap or malware. Worst case scenario? If you extract the malware from the pcap and accidentally run it, you might infect your Windows computer.
So beware, because there's actual malware involved for this exercise.
Again, files associated with this quiz (pcap, alerts, and answers) can be found here.
If you found this fun, we have previous traffic analysis quizzes:
brad [at] malware-traffic-analysis.net